Spy agency chief says new powers would help stop cyberattacks before they happen
Communications Security Establishment Chief Greta Bossenmaier speaks with Public Safety and Emergency Preparedness Minister Ralph Goodale as they wait to appear before the Standing Committee on Public Safety and National Security, in Ottawa on Thursday, November 30, 2017. (Adrian Wyld / THE CANADIAN PRESS)
Lee Berthiaume, The Canadian Press
Published Thursday, March 22, 2018 4:14PM EDT
Last Updated Friday, March 23, 2018 6:29AM EDT
OTTAWA -- The head of Canada's cyberspy agency says new powers proposed by the Trudeau government would let her institution stop cyberattacks before they are launched -- instead of having to sit back and wait for them to happen.
Communications Security Establishment chief Greta Bossenmaier made the comments to a parliamentary committee on Thursday as she revealed the agency has been working overtime to block attacks on federal networks.
"We're now blocking over one billion malicious attempts to compromise government systems on average every day," Bossenmaier said during an appearance alongside Defence Minister Harjit Sajjan. "One billion attempts."
That equates to more than 11,500 every second, which the committee was told includes everything from minor pokes to assess the strength of a system, to malware, to dedicated hacking.
That is where the Trudeau government's proposed national security legislation, Bill C-59, would come in, Bossenmaier said, and help nip some of those attacks in the bud by giving the CSE the power to launch offensive cyber operations.
"Instead of sort of standing back with a shield to try to protect against these billion malicious attempts per day and waiting for them to happen, we could actually go and say: 'Let's try to stop that cyberattack even from happening'," she said.
"So there could be a server outside that we know is now trying to infiltrate a Canadian system and steal Canadians' information, we could through this legislation ... stop that attack before it actually gets to our shores."
That ability to stop an attack before it happens is only one potential use for the CSE's proposed new powers; the agency could also halt a terrorist attack and support military operations.
But the move toward government-authorized cyberattacks has raised numerous questions: What if, for example, Russia or China were behind an attack? How much information does the CSE need before acting against a potential threat?
A December report by leading Canadian cybersecurity researchers said there is no clear rationale for expanding the CSE's mandate to conduct offensive operations.
It said the scope of the planned authority is not clear, nor does the legislation require that the target of the CSE's intervention pose a meaningful threat to Canada's security interests.
NDP public safety critic Matthew Dube, meanwhile, flagged a potential grey area when it comes to offensive cyber operations against foreign countries.
"It feels like there might be a slippery slope there in terms of international law as to what is military action and what is not," he said.
The committee was told that the new law includes strict approval processes and oversight provisions when it comes to offensive operations, and that the law specifically forbids any action against Canadians or targets in Canada.
Sajjan said the proposed powers bring Canada in line with its closest allies, but he acknowledged that the government is, in some ways, still feeling its way through the issue.
"There is this nebulous feel because it is cyber and we need to be far better at understanding how these attacks occur, what their intent is, and then how do you deal with it," he told reporters after the committee meeting.
Bossenmaier and Sajjan also faced questions Thursday about the CSE capturing information about Canadians, including whether it would be allowed to use the type of data purportedly obtained by Cambridge Analytica from Facebook users.
The committee was told that while the law does let the CSE use publicly available information about Canadians, it can only do so in very strict circumstances and that the exemption does not apply to data obtained illegally.