Chapter 3: Global Affairs Canada's Facilitation Role
Special Report on the National Security and Intelligence Activities of Global Affairs Canada

Table of Contents

86. Beyond its role in ensuring foreign policy coherence, GAC is an important partner in several of the security and intelligence community's most sens itive activities. The Canadian Security Intelligence Act (CSIS Act) and the Communications Security Establishment Act (CSE Act) grant the Minister of Foreign Affairs a role in the collection of foreign intelligence with in Canada and the conduct of cyber operations. The Department's management of Canada's diplomatic relations and foreign missions, in turn, renders it a player in intelligence collection activities abroad. While GAC is a *** beneficiary of much of the collected information, this function also carries risks. The Minister of Foreign Affairs is responsible for managing the risks these activ ities pose to Canada's bilateral and multilateral relations, international reputation, and the safety and security of Canadian personnel and assets abroad.

87. This chapter examines GAC's role in fac ilitating the activities of its security and intelligence partners. It describes the nature of the activity; the Department's role in the activity; and the governance of the act ivity both across organizations and within the Department.

The collection of foreign intelligence within Canada

Background and authority

88. Section 16 of the CSIS Act is the authority for the collection of foreign intelligence within Canada. ^{Footnote 190} The Act grants the ministers of Foreign Affairs and of National Defence the authority to request the assistance of the Canadian Security Intelligence Service (CSIS) in the collection of informat ion on the capabilities, intentions or activities of foreign states or individuals in relation to the conduct of international affairs or national defence within Canada. ^{Footnote 191} Under this authority, the Minister of Foreign Affairs can request information in support of any matter within their broad mandate. [*** Three sentences were deleted to remove injurious or privileged information. The sentences described types of requested information, techniques and targets. ***] ^{Footnote 192} ^{Footnote 193}

The Department's role

89. [*** This paragraph was revised to remove injurious or privileged information. ***] GAC is one of two possible sources of requests for section 16 intelligence collection. ^{Footnote 194} The Department launches the process, consults with CSIS and then drafts a rationale outlining information on the specific details contained in the rationale. ^{Footnote 195} ^{Footnote 196} ^{Footnote 197} A committee considers the rationale and decides whether to recommend the section 16 target for approval to the requesting minister. Should the Minister of Foreign Affairs agree, the Department prepares the formal request to the Minister of Public Safety. If the Minister of Public Safety consents to the request for assistance, he or she directs CSIS officials to begin collection. Finally, CSIS officials may seek a warrant from the Federal Court incorporating the rationale provided by GAC.

90. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described targets, collection requirements and risks. ***] ^{Footnote 198}

Interdepartmental governance

91. The governance structure for the section 16 program has evolved considerably since the authority came into force in 1984. The program's initial governance, in place from 1987 to 2008, did not include any formal procedures, oversight committees or criteria against which collection requests were evaluable and approved. ^{Footnote 199} In 2008, officials from participating organizations introduced a formalized governance model, which included a requirement to assess potential subjects against criteria linked to Canada's intelligence priorities and a permanent oversight committee structure (the *** Committee) with the responsibility to evaluate and endorse section 16 rationales before they are submitted for approval to the relevant ministers. ^{Footnote 200} The new system established the Privy Council Office (PCO) as the central governance body for section 16 and as chair of the *** Committee.

92. The governance structure of the section 16 process was further refined in 2020. In December 2020, the *** Committee finalized its terms of reference, which laid out its mandate and membership, and the roles and responsibilities of participating organizations. ^{Footnote 201} The document also outlines the *** Committee's accountability structure. Under this structure, *** committee is responsible for reviewing the committee's operating procedures and information handling and dissemination standards related to section 16, and for discussing issues related to section 16 litigation at the Federal Court. The *** committee meets to review requests, and to discuss section 16 priorities and keep deputy ministers informed of important issues. The *** committee is supposed to meet annually to review the *** requirements and intelligence priorities (although no information was provided to confirm that these meetings take place). The committee also developed standard operating procedures to guide the *** process *** and developed a handling and dissemination standard for intelligence collected under this authority. ^{Footnote 202}

93. [*** This paragraph was revised to remove injurious or privileged information. ***] As part of these efforts, the Committee introduced a documented risk assessment process. Until 2020, foreign policy risk assessments for proposed section 16 targets were not documented as part of the rationale or the approval process. ^{Footnote 203} Rather, on deciding to endorse a section 16 target, the committee chair would orally confirm that officials were aware of the risks of undertaking the collection and comfortable with mitigation measures in place. ^{Footnote 204} ^{Footnote 205} In 2020, the Committee formalized the risk assessment process with the introduction of assessments that officials from the requesting department (GAC or the Department of National Defence) and from CSIS were required to complete. ^{Footnote 206} Importantly, however, the results are only considered by the Committee; they are not included by GAC as part of the rationale submitted for Ministerial approval.

Internal governance

94. GAC's role in the section 16 process involves multiple steps, including the initial request, the rationale and the foreign policy risk assessment. While the committee's standard operating procedures provide some detail into GAC's internal processes, including key considerations and consultation requirements for risk assessments, the Department itself does not have any policies, procedures or guidelines governing GAC's role in this process. The Department also does not have any requirements in place for reporting to the Minister of Foreign Affairs on the information collected under section 16, outside of the *** target renewal process.

95. By way of comparison, CSIS has developed a number of policies, procedures and guidance documents on its role and responsibilities under the section 16 process. CSIS's *** is the most relevant. ^{Footnote 207} This document outlines CSIS's foreign intelligence mandate and authority, and the various steps of the section 16 process, including a delineation of roles and responsibilities of various units within CSIS, as well as the program's interdepartmental governance structure. CSIS has also implemented specific policies related to compliance requirements for section 16 activities. ^{Footnote 208} CSIS's section 16 activities are included under its policy ***, which outlines the agency's principles of lawfulness, proportionality and effectiveness that govern its activities, the various operational tools at its disposal, risk factors and potential mitigation measures, and the warrant application process. ^{Footnote 209} Finally, CSIS reports annually to the Minister of Public Safety on a number of operational activities. ^{Footnote 210} Its reporting includes a list of section 16 targets, and the nature and value of intelligence collected against them.

Legal challenges

96. [*** This paragraph was revised to remove injurious or privileged information. ***] In the past three years, the section 16 program has faced legal challenges in the Federal Court that undermine the effectiveness of the program and its ability to provide intelligence of value. Specifically, the Federal Court refused to authorize certain intelligence collection techniques under section 16 warrant applications over concerns that the proposed collection activity would occur outside of Canada, effectively violating the "within Canada" limitation under the Act. ^{Footnote 211} This increased scrutiny and strict interpretation of the "within Canada" limitation by the Federal Court raises concerns about CSIS's continued ability to acquire warrants that will be effective in collecting foreign intelligence. ^{Footnote 212} This challenge will likely worsen as global trends continue.

Active cyber operations

Background and authority

97. The CSE Act granted new authorities to CSE and created a key role for the Minister of Foreign Affairs. One of these new authorities allows CSE to conduct active cyber operations to degrade, disrupt, influence or interfere with the capabilities or intentions of foreign entities. ^{Footnote 213} The Minister of National Defence authorizes these activities through the annual issuance of ministerial authorizations. ^{Footnote 214} Active cyber operations can have broad objectives, including in pursuit of Canada's foreign, defence or security interests. They also carry important foreign policy risks, including potential damage to Canada's bilateral or multilateral relations, or potential violations of the country's international legal commitments in cyberspace. ^{Footnote 215} In recognition of the foreign policy implications of these activities, the Act stipulates that the Minister of National Defence may issue this authorization only if the Minister of Foreign Affairs has requested or consented to its issue. ^{Footnote 216}

The Department's role

98. In the two years since the authority has been in place, GAC's role has been to contribute to the development of ministerial authorizations and provide foreign policy risk assessments. The Minister of National Defence issued CSE's first authorization for active cyber operations in 2019. ^{Footnote 217} CSE officials developed this ministerial authorization in close consultation with GAC . ^{Footnote 218} In recognition of the potential risks posed by this new authority, the authorization ***. ^{Footnote 219} At the operational level, GAC is responsible for providing foreign policy risk assessments in writing to CSE for each planned active cyber operation. ^{Footnote 220} GAC's risk assessment considers the operation's potential impact on Canadian interests, its compliance with international law and cyber norms, its alignment with broader foreign policy interests and the nature of the target ***. ^{Footnote 221} Between 2019 and 2020, CSE planned four active cyber operations and carried out one. ^{Footnote 222}

Interdepartmental governance

99. In August 2019, the Minister of Foreign Affairs directed GAC officials to work with CSE to develop a formal governance mechanism to ensure CSE's cyber operations align with Canada's foreign policy and international legal obligations. ^{Footnote 223} In the subsequent year, officials from both organizations built on their existing consultation mechanism to create the CSE-GAC Active Cyber Operations/Defensive Cyber Operations Working Group and a comprehensive governance framework for consultation on cyber operations (GAC and CSE's consultation mechanism and CSE's defensive cyber operations are discussed at paragraphs 62-64). ^{Footnote 224} The working group is the central forum for communication and collaboration on active and defensive cyber operations, including for the development of ministerial authorizations. CSE and GAC co-chair regular working group meetings, which are held at the director general-level. The group includes representation from CSE ***, the Department of Justice, the Department's legal services unit, and various units with the Department. Over the course of its work, the working group developed a governance framework for the conduct of cyber operations. The framework outlines the procedures for the provision of GAC's foreign policy risk assessments ***. ^{Footnote 225}

100. The National Security and Intelligence Review Agency (NSIRA) conducted a review of CSE's ministerial authorizations and ministerial orders in 2019. As part of this review, it examined the ministerial authorization process for CSE's active cyber operations and made one finding and one recommendation relevant to the governance of that process. Specifically, NSIRA found that CSE and GAC did not sufficiently document their consultation on letters of consent from the Minister of Foreign Affairs to the Minister of National Defence. The agency recommended that CSE ensure the consultation process with GAC for cyber operations be documented "as precisely as possible to allow for an easy verification of its compliance with the sequencing required in the Act." ^{Footnote 226}

Internal governance

101. Documentation on GAC's internal governance of its role in cyber operations is contained in the working group's governance framework. As mentioned, the document outlines ***. The document also includes GAC's internal foreign policy risk assessment chart, which lists the Department's key risk considerations, namely domestic and international legal obligations, the impact on bilateral and multilateral relations and reputation, and the possible threat posed to GAC's network of missions and personnel abroad. ^{Footnote 227} The document also lists the divisions to be consulted in the process, including the Department of Justice, the Department's legal services unit, *** and various groups within the Department. The Department has not developed other policies, procedures or guidance on its role in CSE's active cyber operations. The Department does not have any requirements to report to the Minister on its activities with respect to active cyber operations; however, it produced its first Annual Foreign Cyber Operations Report for 2021, which was briefed to the Minister in March 2022. ^{Footnote 228}

102. By way of comparison, CSE's internal governance for cyber operations is a combination of internal oversight committees, policies and a comprehensive risk assessment framework. First, the Cyber Operations Group and the Cyber Management Group oversee CSE's cyber operations. ^{Footnote 229} These are executive bodies, at the director - and director general-level respectively, that review and approve cyber operation plans and risk assessments. The Director of *** and the Deputy Chief of Signals Intelligence chair the respective committees, and membership depends on ***. Participants are responsible for representing concerns and considerations from their respective areas of expertise, provide a challenge function for operations, and communicate decisions or information to relevant parts of the organization. CSE's Mission Policy Suite: Cyber Operations, in turn, explains the agency's authorities and core principles, provides guidance on the conduct of cyber operations, describes the broader governance framework surrounding these activities, and explains the agency's compliance and review responsibilities. ^{Footnote 230} Finally, CSE's SIGINT [signals intelligence] Operations Risk Acceptance Form outlines the agency's comprehensive risk assessment process. The form includes requirements for records of consultation with relevant internal and external stakeholders, and questions on privacy protection, compliance and various risk factors.

103. CSE's ministerial authorization for active cyber operations describes in detail the agency's reporting requirements to the Minister of National Defence and the Minister of Foreign Affairs. ^{Footnote 231} The authorization requires the Chief of CSE to update the Minister of National Defence every three months on CSE's active cyber operations. The Minister of National Defence can share this information with the Minister of Foreign Affairs. The authorization also requires CSE to provide the Minister of National Defence with a report on the outcome of the activities carried out under the authorization, including the number of operations conducted, the value of those operations and any serious implementation challenges, within 90 days after the expiry of the authorization. CSE also provides this report to the Minister of Foreign Affairs.

***

Background and authority

104. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described a program. ***]. ^{Footnote 232} ^{Footnote 233} ^{Footnote 234} ^{Footnote 235}

105. GAC states that it derives its authority for the program from the Crown prerogative. [*** This rest of this paragraph was deleted to remove injurious or privileged information. The paragraph described an authority. ***]. ^{Footnote 236} ^{Footnote 237}

The Department's role

106. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described the department's role. ***]. ^{Footnote 238}

107. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described the department's role. ***]. ^{Footnote 239} ^{Footnote 240}

108. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described the department's role. ***]. ^{Footnote 241}

Governance

109. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described governance mechanisms. ***]. ^{Footnote 242} ^{Footnote 243}

110. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described governance mechanisms. ***]. ^{Footnote 244} ^{Footnote 245} ^{Footnote 246}

Internal governance

111. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph noted that the Department does not have any policies, procedures or documents to govern its involvement, and does not have any reporting requirements to the Minister. ***]. ^{Footnote 247}

112. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph noted challenges regarding the management of risk. ***]. ^{Footnote 248} ^{Footnote 249} ^{Footnote 250}

113. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described how another organization approached the management of risk. ***]. ^{Footnote 251} ^{Footnote 252} ^{Footnote 253} ^{Footnote 254} ^{Footnote 255}

The future ***

114. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph noted the Department's failure to inform the Minister of important issues. ***]. ^{Footnote 256} ^{Footnote 257} ^{Footnote 258} ^{Footnote 259} ^{Footnote 260}

Logistical support ***

Background and authority

115. The final element of GAC's facilitation role concerns the Department's infrequent but critical provision *** The Department's authority to provide this support derives from the Crown prerogative.

***

116. GAC provides ***. ^{Footnote 261} ^{Footnote 262}

117. GAC has no written policies, procedures or guidelines in place to govern its provision of *** with one partial exception. In 2021 , the Department developed a one-page document outlining the internal process ***. ^{Footnote 263} ***. ^{Footnote 264}

***

118. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described a process. ***]. ^{Footnote 265} ^{Footnote 266}

119. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described GAC's role in a process, and that it lacked policies or procedures to manage its role. ***]. ^{Footnote 267}

***

120. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described GAC's role in a process, and that it lacked policies or procedures to manage its role. ***]. ^{Footnote 268} ^{Footnote 269} ^{Footnote 270}

***

121. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described GAC's role in a process, and that it lacked policies or procedures to manage its role. ***]. ^{Footnote 271} ^{Footnote 272} ^{Footnote 273}

Footnotes

Footnote 190

Canadian Security Intelligence Seivice Act (CSIS Act) (R.S.C., 1985, c. C-23), s. 16 .

Return to footnote 190 referrer

Footnote 191

Subsection 16(3) of the Act specifies that the Minister must personally request the assistance from CSIS in writing. CSIS Act (R.S.C., 1985, c. C-23), ss. 16 and 16(3).

Return to footnote 191 referrer

Footnote 192

GAC, *** Transition briefing to IFM, August 1, 2019.

Return to footnote 192 referrer

Footnote 193

PCO, ***, January 20, 2021.

Return to footnote 193 referrer

Footnote 194

Both the Minister of National Defence and the Minister of Foreign Affairs may request CSIS to assist in the collection of foreign intelligence within Canada, ***. CSIS, CSIS Comments on NSICOP Review, undated.

Return to footnote 194 referrer

Footnote 195

PCO, *** Committee, "Annex C: Standard Operating Procedures," Terms of Reference, December 17, 2020.

Return to footnote 195 referrer

Footnote 196

CSIS, ***, 2014.

Return to footnote 196 referrer

Footnote 197

PCO, ***, 2020.

Return to footnote 197 referrer

Footnote 198

GAC, ***, 2015.

Return to footnote 198 referrer

Footnote 199

PCO, "Memorandum for the Prime Minister: ***, 2008.

Return to footnote 199 referrer

Footnote 200

PCO, "Memorandum for the Prime Minister: ***, 2008.

Return to footnote 200 referrer

Footnote 201

PCO, *** Committee, Terms of Reference, December 17, 2020

Return to footnote 201 referrer

Footnote 202

PCO, *** Committee, "Annex C: Standard Operating Procedures," Terms of Reference, December 17, 2020; PCO,Section 16 CSIS Act Handling and Dissemination Standard, November 2, 2020

Return to footnote 202 referrer

Footnote 203

The Committee received a number of briefing notes from GAC *** for the *** in relation to upcoming *** Committee meetings. None of the documents include information on the foreign policy risks of undertaking section 16 collection against proposed targets.

Return to footnote 203 referrer

Footnote 204

Scenario notes for the Chair of the *** Committee includes a series of discussion prompts prior to the Committee's endorsement of a rationale. [*** One sentence was deleted to remove injurious or privileged information. The sentence described priorities, value of collection and risks.***] PCO, Assistant Deputy Minister Scenario Note Binder for Assistant Deputy Minister *** Committee ***; PCO, Assistant Deputy Minister Scenario Note *** Committee ***; PCO, Record of Discussion from Assistant Deputy Minister *** Committee ***; and PCO, Assistant Deputy Minister Scenario Note *** Committee ***.

Return to footnote 204 referrer

Footnote 205

PCO, Scenario note for the Assistant Deputy Minister for *** Committee meeting ***.

Return to footnote 205 referrer

Footnote 206

PCO, *** Committee, "Annex C: Standard Operating Procedures," Terms of Reference, December 17, 2020.

Return to footnote 206 referrer

Footnote 207

CSIS, ***, 2014.

Return to footnote 207 referrer

Footnote 208

CSIS, ***, 2020.

Return to footnote 208 referrer

Footnote 209

CSIS, CSIS Policy: ***, 2014.

Return to footnote 209 referrer

Footnote 210

CSIS, 2019-2020 Annual Report to the Minister on Operational Activities, December 7, 2020.

Return to footnote 210 referrer

Footnote 211

Decisions from Justices Noel (2018), O'Reilly (2020) and Gleeson (2020) have all considered the issue of the "within Canada" limitation under section 16 of the CSIS Act. Justices Noel and Gleeson in particular have placed considerable emphasis on Parliament's intent behind the "within Canada" limitation, noting that it limits collection activities to that which occurs within Canada. The Attorney General has appealed the decisions. See: Justice Noel, In the Matter of an Application by *** for Warrants Pursuant to Sections 16 and 21 of the Canadian Security Intelligence Service Act RSC 1985, c. C-23 and in the Matter of ***, February 2018; Justice O'Reilly, In the matter of an Application by X for warrants pursuant to sections 16 and 21 of the Canadian Security Intelligence Service Act, RSC 1985, c. C-23 and in the Matter of X, June 16, 2020; Justice Gleeson, In the matter of an Application by X for warrants pursuant to sections 16 and 21 of the Canadian Security Intelligence Service Act, RSC 1985, c. C-23 and in the Matter of X, July 27, 2020.

Return to footnote 211 referrer

Footnote 212

Department of Justice, ***, 2020.

Return to footnote 212 referrer

Footnote 213

CSE Act (S.C. 2019, c. 13, s. 76), s. 19; and GAC, "Memorandum for Action to the Minister of Foreign Affairs Authorizing Cyber Operations," August 19, 2020.

Return to footnote 213 referrer

Footnote 214

CSE, "CSE Act: Ministerial Authorizations for CSE Cyber Operations," August 2019.

Return to footnote 214 referrer

Footnote 215

GAC, ***, 2020; Communications Security Establishment Act (CSE Act) (S.C. 2019, c. 13, s. 76), s. 30(2).

Return to footnote 215 referrer

Footnote 216

CSE Act (S.C. 2019, c. 13, s. 76), s. 30(2).

Return to footnote 216 referrer

Footnote 217

CSE, End of Authorization Report for the Minister of National Defence Active Cyber Operations Authorizations for *** Activities ***, 2020.

Return to footnote 217 referrer

Footnote 218

GAC, ***, 2020.

Return to footnote 218 referrer

Footnote 219

*** CSE, End of Authorization Report for the Minister of National Defence Active Cyber Operations Authorizations for *** Activities ***, 2020.

Return to footnote 219 referrer

Footnote 220

CSE, "Annex A: Governance Framework," CSE-GAC ACO/DCO Working Group - Terms of Reference, October 2020

Return to footnote 220 referrer

Footnote 221

CSE, "Annex A: Governance Framework," CSE-GAC ACO/DCO Working Group - Terms of Reference, October 2020

Return to footnote 221 referrer

Footnote 222

CSE, End of Authorization Report for the Minister of National Defence Active Cyber Operations Authorizations for *** Activities ***, 2020. CSE conducted one active cyber operation to disrupt the activities of terrorists and violent extremists. CSE planned but did not conduct three other active cyber operations: to disrupt foreign cyber threats to the 2019 federal election, which was not conducted because no specific state-led operations were detected; to counter the dissemination by specific terrorist groups of extremist material on-line, which was not conducted due to operational restrictions arising from COVID; and to mitigate threats posed by foreign cybercriminal groups targeting Canadians, which was not conducted due to operational restrictions arising from COVID.

Return to footnote 222 referrer

Footnote 223

GAC, "Memorandum for Action to the Minister of Foreign Affairs Authorizing Cyber Operations" August 19, 2020.

Return to footnote 223 referrer

Footnote 224

CSE, CSE-GAC ACO/DCO Working Group - Terms of Reference, October 2020.

Return to footnote 224 referrer

Footnote 225

*** CSE, "Annex A: Governance Framework," CSE-GAC ACO/DCO Working Group - Terms of Reference, October 2020.

Return to footnote 225 referrer

Footnote 226

National Security and Intelligence Review Agency, Review of the Communications Security Establishment's (CSE) Ministerial Authorizations and Ministerial Orders under the CSE Act, 2019, p. 4.

Return to footnote 226 referrer

Footnote 227

CSE, "Appendix 2: GAC Internal Cyber Operations Foreign Policy Risk Assessment Process Chart," CSE-GAC ACO/DCO Working Group - Terms of Reference, October 2020.

Return to footnote 227 referrer

Footnote 228

GAC, Global Affairs Canada 2021 Annual Foreign Cyber Operations Report: Executive Summary, undated 2021

Return to footnote 228 referrer

Footnote 229

CSE, *** Terms of Reference, September 2019.

Return to footnote 229 referrer

Footnote 230

CSE, Mission Policy Suite: Cyber Operations, September 22, 2020.

Return to footnote 230 referrer

Footnote 231

CSE, "Communications Security Establishment Active Cyber Operations Authorization for *** Activities," Active cyber operations ministerial authorization, August 2020.

Return to footnote 231 referrer

Footnote 232

[*** Two sentences were deleted to remove injurious or privileged information. ***]

Return to footnote 232 referrer

Footnote 233

[*** Two sentences were deleted to remove injurious or privileged information. ***]

Return to footnote 233 referrer

Footnote 234

[*** Three sentences were deleted to remove injurious or privileged information. ***]

Return to footnote 234 referrer

Footnote 235

[*** One sentence was deleted to remove injurious or privileged information. ***] .

Return to footnote 235 referrer

Footnote 236

[*** Two sentences were deleted to remove injurious or privileged information. ***]

Return to footnote 236 referrer

Footnote 237