In this Expert Series episode, we meet with Caroline Xavier, Chief of the Communications Security Establishment Canada (CSE) to discuss emerging cyber and foreign interference threats Canada faces, CSE’s ability to counter these threats through active and defensive cyber operations and cooperation with allies, and ways Canadians can protect themselves from increasingly aggressive foreign threat actors.
Encompassed within CSE’s mandate are vast capabilities designed to protect Canadian democratic processes and defence and security interests from foreign interference – capabilities now more critical than ever before in the context of current geopolitical tensions.
What do you believe is the current greatest threat posed by hostile state cyber capabilities to Canadian defence and security interests?
Since 2017, we have been talking about threats especially in cyberspace, and we have put out a series of publications related to these emerging threats. Since we have started publishing national cyber threat assessments or threats to democratic processes in 2017, we have been stating that we have seen the People’s Republic of China (PRC), Russia, Iran, and North Korea as strategic threats with strategic interests in Canada.
More recently, our focus has tended to be around the PRC and Russia. The focus on Russia is because of the war in Ukraine. Regarding the PRC, it has outpaced what other nations are doing with regards to potential interest in Canada. We recently put out a publication about the PRC’s interest and what we are observing as widespread targeting by the PRC. We see them as a serious threat from a cyber perspective to critical infrastructure, as well as foreign or malign influence and foreign interference. We are really cognizant of the fact that it can happen at all levels of government and industry.
This is why we felt it was important to put out this publication. This is not to say that we are not concerned about other actors, but from a host state nations perspective, those would be the ones identified as the more worrisome ones.
In 2019, the Communications Security Establishment (CSE) Act granted the CSE the ability to conduct active cyber operations. How do you believe this has shifted CSE’s ability to disrupt foreign threats targeting Canada?
The Act was a real opportunity for us to ensure that we have all the tools to be on equal footing with our allies. The addition of the foreign cyber operations, which is one of the major parts that got added to the Act in 2019, allows us to do active cyber operations or defensive cyber operations. This was a great add-on, both because we could continue to demonstrate that we are an effective partner to our allies, but more importantly, adds defensive tools to the national security apparatus. It ensures that we are able to protect Canada.
We have been able to use these foreign cyber operations. These authorities give us the ability to degrade, disrupt, influence, respond, or interfere with foreign actors who may have an interest to do harm towards Canada, or potentially be cyber criminals who want to cause economic or reputational damage to entities in Canada or towards Canada. In particular, we see this when Canada is more present on the world stage. As we continue to voice what our values are and be there for allies, we see ourselves potentially becoming a target, especially when you are next to the U.S. Having said that, these new additions have allowed us to demonstrate that we are capable of helping our partners, and more importantly, defending Canada.
We currently have three active cyber operations and one defensive cyber operation authority. More information about this is in our recently published annual report. I am really proud of the work we have tried to demonstrate around the use of these new tools. We try to share what we can, within reason, because ultimately, the intent is to continue to do what we do while protecting our equities. Even then, the annual report does a good job of sharing what the elements are of these new authorities that we have.
How do you see this shift shaping CSE’s ability to become a more active partner and how has it affected its intelligence cooperation relationships with other Five Eyes’ countries?
These authority changes in 2019 have really helped shift the ground. To be clear, we are almost 80 years old and have had a partnership with the Five Eyes’ for over 77 years. As a result, we have gotten quite good at foreign intelligence and collection. When we added these additional authorities in 2019, we found it helpful to be able to learn from others and how they’ve been using it. For example, how do we establish our governance or risk framework? We can learn from our allies in a way that we can improve the way we use our authorities, but more importantly, continue to be a valuable partner for our allies.
The CSE is really gaining a great reputation in continuing to do the intelligence work we do with our allies, but also in partnering with them from a cyber defence and security perspective. Colleagues like the UK acknowledge us as being at the top of the pack in cybersecurity and cyber defence. So, our goal is to continue to be our best selves in terms of what we bring to the table, and we are being recognized for that. The way in which our restructured authorities work allows us to be flexible and agile and really be responsive to various threats that we’re feeling from a Canadian perspective, but also to be helpful to allies when they need us.
Are there any other mechanisms or aspects of CSE’s mandate that you would like to highlight as a critical part of Canadian defence and security interests?
CSE has five parts to its mandate. There are those that fall under foreign cyber operations, such as defensive cyber operations and active cyber operations, as well as foreign intelligence collection. Another part is our cybersecurity mandate of which the Canadian Center for Cybersecurity is part of. What people underestimate is how valuable having all these parts under one agency is. The fact that I can do cybersecurity informed by foreign intelligence is extremely helpful to do our mandate more effectively and more efficiently.
Another aspect of our mandate is communication security as part of our Information Assurance Program. We worry about cryptology and official intelligence, but all of these are part of our Information Assurance Program, which gives us the ability to be able to defend against over 6 billion malicious actions per day of government systems that we protect. This allows us to better understand the various threats that are coming towards Canada and Canadian systems, and to advise critical infrastructure partners, stakeholders, and Canadians.
This is all on top of building the relationships we have with international partners, both the Five Eyes and non-Five Eyes, because we have great relationships outside of them, especially in the cybersecurity space.
I want people to walk away understanding that the value that we have as Canada is having all of this under one agency. It allows us to have flexibility and leverage our foreign intelligence and cybersecurity mandate in both directions to be able to do a better job for protecting Canada. That is something that I am really proud of.
The final part of our mandate that goes under discussed is the ability to assist others. This looks like assisting the Canadian Armed Forces, our law enforcement partners such as the Royal Canadian Mounted Police (RCMP), or our Canadian Security Intelligence Service (CSIS) colleagues, because we are Canada’s national technical authority and technical cyber authority. Sometimes there are things that only we can do, and we are there to support them.
Recently, we have seen even at the domestic level how hostile state actors are coupling computer network attacks and the weaponization of emerging technologies with information warfare. The Canadian Center for Cybersecurity recently warned about an AI bots arm operated by individuals affiliated with Russia today that has been used to spread Russian propaganda to Canadian audiences on social media. In such cases, how does CSE work to combat dis- and mis-information without publicly disclosing sensitive information that could put Canadian security at risk?
Mis- and dis-information is probably one of those other threats that is going to be with us for some time. In our recent threats to democratic processes assessment that was published in December 2023, we highlight that mis- and dis-information is expected in our upcoming election. It is what we have seen in many elections around the world and really is pervasive. Now, we see that artificial intelligence is going to amplify that and make this worse. It will bring forward more deep fakes, or the ability to mimic people’s voices and create fraud and deceiving elements from a criminality perspective.
One of the things we promote is that the way in which to combat mis- and dis-information has to be a whole-of-society plan. It cannot be something that only CSE is responsible for or only the security intelligence community. It has to be all of us engaged in recognizing that this is a threat. We can do our part to get Canadians to think critically about the information that they’re ingesting or the information that they’re looking at online, and questioning it.
One of the things we have done on behalf of the Government of Canada is run their mis- and dis-information campaign. This gives Canadians a better sense of how mis- and dis-information is something that can happen in all areas of our lives and to really be critical about what they are looking at. A recent campaign was all about questioning information that was raising your eyebrows. If it is raising your eyebrow, you should be concerned about whether or not it is factual. It is okay to question some of the information. Go look for additional sources of information. Education is a big part of trying to mitigate against the risk of mis- and dis-information.
In addition to education, we use our tools like foreign cyber operations to disrupt an actor in the foreign space that may be trying to use mis- and dis-information maliciously. We can also co-badge, where we will do a co-publication with many other allies and highlight something that we feel is of concern from mis- and dis-information. We will continue to put up publications like the one we put out in December, to educate people that mis- and dis-information is pervasive and we should be quite worried.
We also know that nation states are using this as part of Information Operations. So again, as part of our national cyber threat assessments, and a new one will be published before the end of 2024, I expect we will talk about mis- and dis-information again, recognizing that it is not going away anytime soon. It will continue to need a whole-of-society effort to manage it, and calling it out where at all possible.
One area we have seen many of these threats emerge is in elections and other democratic processes. How is CSE preparing to combat influence operations targeting Canadian democratic processes that may emerge in advance of critical elections throughout the rest of 2024 and 2025?
We put out publications. In the most recent December 2023 publication, we talked about threats to the democratic process. We have four of those publications now that focus specifically on general elections and what we observe in general elections globally to help us do better in Canada or mitigate the risks we see coming our way.
Another thing we do is work closely with various electoral bodies across the country. We work specifically with Canada Elections, but also at the provincial level. Provinces, territories, and municipalities also have elections, and so we really do our part to ensure that we are seen as a partner that helps add rigour and robustness to their systems.
We also put out ongoing publications to educate Canadians. In the last election, we put out pamphlets geared towards voters, candidates, and electoral parties, to educate them that they are targets when it comes to elections. We also give them some tips and tricks and things to be wary of while they’re reading various campaigns. This again links back to the mis- and dis-information we spoke about previously: always be worried that a candidate could be perhaps taken and misrepresented through mis- and dis-information.
We also work collaboratively with many partners to ensure that we learn from their election. As you know, this is a year of many elections, including in the U.S. We stay in partnership with many of our allies and see what they have learned and what new threats they have seen. Even if it is not in the current publication, we will continue to remain updated as to what is going on from a threat perspective.
The current foreign interference inquiry will also be a helpful reminder to Canadians, but also a helpful reminder to us, to ensure that we are doing our part to continue to ensure that we are providing good information sessions to members of parliament. There have been a few of these that we have held, including with the work we are doing on the Security and Intelligence Threats to Elections (SITE) Task Force, made up of ourselves, CSIS, the RCMP, and Global Affairs. We work together to give our best advice to a panel that will eventually continue to do what it needs to do to advise Canadians if they need to be concerned about anything in the upcoming election.
Generally, we do that work all year long. We do not wait for election season to identify what the threats might be, and do our part to educate Canadians and the government so that they can put in place the necessary steps and mitigate the threats coming our way.
Targets of foreign threat actors are becoming increasingly varied and affecting every sector of Canadian society. How do you see CSE’s response strategies revolving in response to this? Will this require more public outreach and awareness?
The answer is yes: we need more public outreach and awareness. I think we are well on our way to that, but there is so much more work to do because you can just never do enough. We do feel that there is so much work we need to do with the private sector and in particular, critical infrastructure. To do that, especially with critical infrastructure, we cannot do the heavy lifting on our own, and to get the nation to be cyber resilient and cyber smart has to be a team sport.
With that, we need to continue to establish better partnerships with some of our critical infrastructure. We have done that over the past few years, but in particular over the last year, we have made some really big efforts with the energy sector, financial sectors, and we already had a great relationship with our telecommunication sectors. These are seen as critical infrastructures that are really important to Canadians, in addition to our health sector, where we want to continue to have them become more resilient from a cyber perspective.
When you think of the CrowdStrike incident, you can see how important the private sector is in building that cyber resiliency. I am happy it was not a cyber incident itself, but the reality is this shows how important the partnerships we have with the private sector are, and the necessity of having the private sector step up and build in cyber resiliency and security by default. These are the conversations we continue to have with our partners especially from a North American perspective with the U.S., recognizing that security needs to be baked into the things the private sector is rolling out. I think there is a lot to be learned from the CrowdStrike incident, both for us as an agency, but also as nations. We rely on them as much as they rely on us, and we will do our best to provide our best advice.
Already, we do this in what we call pre-ransomware notifications. Some work that we do with our American colleagues is to contact over 500 organisations and tell them that we see something is about to happen to your organization, and you have the potential to be impacted by a ransomware attack. We have been able to prevent that when they have taken our call and heeded our recommendations, so we have saved quite a bit of money from an economical impact. That is just one example of the many things we need to continue doing in support of the private sector, but with the private sector.
Do you have any final thoughts as to what Canadians can do to better protect themselves from being taken advantage of by foreign threat actors?
It is always about going back to the basics. During our campaigns, especially during Cyber Awareness Month in October, we just remind Canadians of how important the basic cyber hygiene tips we have are. This looks like changing your password periodically, using multi-factor authentication, making sure your phone operating system is up to date. We say this for the health of our Canadians to be able to recognize that cyber threats are amongst us. Do not click on every text message that tells you the Canadian Revenue Agency (CRA) is after you. There is quite a bit of fraud that happens through phishing exercises that people have fallen for and are vulnerable to. A lot of the campaigns we run also recognize there is a generational element to educate people. We use a lot of partners to help us do that, and are good at reaching people at different parts of our society.
This is also just an opportunity to remember that Canada is not immune. Deep fakes and generative AI will bring with great opportunities that we want to see implemented in Canada. However, we also should recognize that we have to do our best to mitigate the risks that could come with that. I would recommend that you continue to educate yourselves, subscribe to some of our alerts. I would really highly recommend that especially as small or medium enterprises, but generally all businesses, you should read the advice we put out on a regular basis in an automated manner. You can find us on cyber.gc.ca and subscribe to our social media platforms. I am hopeful that this conversation today is another way we can reach as many people as possible to help them know that we are here to help and want to do our part, but it will take all of us to make Canada as resilient as it can be.
My final thought is that security comes in layers. We can never guarantee 0% risk, so it is always trying to approach things in a layered approach. What are the additional steps I have taken, whether it is protecting my handheld, phone, and mobile all the way to what I need to do for my business? It is like an onion – you are not letting anybody come into the corner without crying a little bit first.
