Jul 09, 2018

CSIS is damned if it does and damned if it doesn’t

This piece was published in The Hill Times on July 2, 2018

Here is a fundamental question for Canadians: what do you want from your security intelligence service?   What are your expectations of CSIS, an agency of several thousand civil servants which has been plying its trade for more than three decades in the shadows of our society to do its part to keep us safe?  Even if much of what it does remains out of the public light, what do you think of its role and its activities so far?  Is it doing well?  Badly? Somewhere in between?

If you work for CSIS you could be excused for thinking that Canadians want to have their cake and eat it too when it comes to national security and CSIS’s responsibility for protecting it.  This view comes out clearly- or perhaps better said ‘clear as mud’ – in the wake of two recent stories in the Canadian media.  In both instances CSIS is taken to task for its activities: in one case for what it did and in the other for what it didn’t do.  Allow me to explain.

The Security Intelligence Review Committee (SIRC), a body created when CSIS itself saw the light of day (in fact the CSIS Act devotes as much space to SIRC as it does to what CSIS does), and which is responsible for overseeing CSIS, issued two releases that for many Canadians seem, at least on the surface, to blame the national spy service for doing too much and too little simultaneously.  Those that toil for our national security service are probably scratching their heads as to what this all means.

In the first report, SIRC noted that CSIS had ended its investigations into right-wing extremism ten months before the January 2017 massacre by Alexandre Bissonnette at a Quebec City mosque.  According to CSIS, the activities of these groups “amounted to – or were close to – lawful protest, advocacy or dissent, not threats to national security” and were being monitored by law enforcement anyway, thus calling into question what CSIS could contribute to the overall picture.  As a consequence it downed tools – this was the right response at the time.  And yet the attack in Quebec occurred and some might ask why CSIS was not better prepared to identify and help stop it.

On the other side of the coin, SIRC noted that CSIS had not deleted data on Canadians – email addresses, phone numbers – that was not specifically tied to a national security investigation.  A later Globe and Mail editorial decried that ” CSIS has not yet gone far enough in its obligation to respect the rights and privacy of Canadians.”  The implication is that the Service has inordinate powers but must use them judiciously to safeguard our collective rights.

I could respond that most Canadians have a lot more to be worried about how FaceBook and Google handle their privacy than they do about CSIS but I am pretty sure that argument will get me nowhere.  In any event, the Service has been chastised for doing too much and perhaps too little, resulting on the one hand in the potential bogey man of Big Brother and on the other in the deaths of six Canadians.  What is going on at CSIS?

Simply stated, CSIS is doing what it can given its legal mandate, its current resources and a constantly changing and challenging threat environment.  In order to find and interdict the Alexandre Bissonnettes of our world it needs enough people and tools to wade through tonnes of data: these threats rarely identify themselves.  Of course it must operate within both the letter and the spirit of Canadian law and the Charter of Rights and Freedoms, but it has to be allowed to be proactive and creative in its actions.

As CSIS rarely defends itself publicly, although the Globe editorial did note that Director David Vigneault “respectfully disagreed” with the SIRC findings on data collection, and I am not a spokeperson for the Service, as a former employee allow  me nevertheless to weigh in on this.  Those whom we entrust with national security do their utmost to keep us safe and they take their responsibilities seriously.  They have neither the time nor the inclination to collect and retain information maliciously or for questionable motives.  They do their jobs diligently and with a view to knowing as much as possible about threats.  This task necessitates data and if we want them to be as good as they can be they have to be sanctioned to find and keep such data.

In the wake of the next successful attack – and yes there will be one notwithstanding the efforts of CSIS  – will Canadians be ok if one of the factors in the failure to prevent it was a lack of data?  I don’t think so.  Yes, we can have an efficient and professional security service and a right to privacy and undue intrusion into our lives (that CSIS has your phone number does not constitute such an intrusion in my books: so does the phone company).  We need to talk more about these issues and that conversation has to be a reasoned – and not emotional – one.