Mar 11, 2018

CSE should be allowed to go on the offensive

This piece appeared in The Hill Times on February 26, 2018


I still remember my first day at CSE. I had moved to Ottawa from London (Ontario) where I had been interviewed by CSE representatives and later offered a job.  I knew little of what I was being asked to do since the poster at Western University had said ‘Department of National Defence’, not CSE.   Recall that back in 1982 there was no such thing as the Internet and CSE was not great at putting out information on what it did (to its credit it is better now).  So, when I got to the security briefing in July 1983 I learned about the organisation’s mandate and was, to put it mildly, flabbergasted.

That initial sense of ‘wait, we do what?’ is still shared by many Canadians.  CSE rarely makes the headlines but when it does the news is seldom good.  Allegations are made on what it does badly or how it ‘spies’ on Canadians, and most of the time those allegations are made by people who never worked at CSE, have a very poor knowledge of what it actually does and why, and, frankly, have little business making such comments.  As a former employee, albeit one who left in 2000 and thus fully aware that I am not up on the latest priorities or techniques, I’d like to weigh in on one aspect of its practice, one which has led to some controversy.

What I am referring to is CSE’s cyber activities.  We know that cyber crime and cyber activity is rampant as we are seeing in the allegations swirling around Russian influence in the 2016 US presidential elections.  And we read about the number of phishing attacks that strike computers around the world – perhaps readers of this blog have been victims.  People usually forget that CSE is not tasked solely with collecting signals intelligence (SIGINT) but is also responsible for “ensuring the protection of electronic information and of information infrastructures of importance to the Government of Canada“.  The question is how best to do that.

There is an old saying “the best defence is a good offence”.  I really think this applies to what CSE can and should do when it comes to cyber threats to Canada.  A senior CSE official who, full disclosure, was a workmate of mine decades ago, has stated that CSE has to go beyond purely defensive cyber acts and be allowed to plan and execute offensive operations.  Go for it, I say.

Yes, I am aware of the opposition to much of this.  Some feel CSE cannot be trusted not to use its impressive technology to spy on Canadians.  Others would prefer that we in Canada limit ourselves to thwarting attacks and not put ourselves out there by going after our enemies.  Both arguments are flawed.  First and foremost, CSE does not spy on our citizens.  Full stop.  Even if I haven’t been there for almost twenty years I cannot imagine that the cardinal rule drummed into us as employees about not targeting Canadians or keeping information ‘incidentally’ collected on Canadians in the course of legitimate operations has changed in the intervening years.  So there are mechanisms in place to ensure this does not happen.  Secondly, why would we not want to get ahead of the curve of what nefarious actors are trying to do to us?  Why would we sit back and allow attack after attack?  If CSE can undermine the capabilities of terrorists and states who mean us harm then it absolutely should do so.

We still have an immature discussion on intelligence in Canada and what we want our security agencies to do for us.  We need to move beyond naivete and engage in adult conversation.  The world is not getting any safer any time soon and if we do not adopt a more aggressive stance we will be at greater risk.  CSE is part of the solution, not part of the problem.