Security officials in Canada will soon have the ability to launch cyber attacks against foreign actors, including terror groups and even other governments.
The move is part of a much broader series of updates to national security legislation announced Tuesday, and shifts Canada’s Communications Security Establishment (CSE) to a much more offensive posture when it comes to dealing with threats in cyberspace.
At the moment, CSE does not have the authority to take action online outside of Government of Canada networks to deter cyber threats against the country. But once this new legislation passes, CSE employees will be allowed to conduct both “defensive cyber operations” and “active cyber operations,” including operations that “advance national objectives.”
“Currently we only have a defensive shield,” said Defence Minister Harjit Sajjan on Tuesday. “We have to wait to be hit.”
The targets of the “active cyber operations” (in other words, attacks) could include foreign groups, organizations, states and individuals who are involved in terrorist activity, are attempting to compromise national security, trying to disable key infrastructure, or spying on Canadians.
— CSE_CST (@cse_cst) June 20, 2017
CSE could, for example, move to disable a foreign server that was attempting to steal private information from a Government of Canada network. The agency could also hack into, and disable, networks being used by terrorist groups to recruit fighters within our borders.
“The proposed CSE Act will eliminate the ambiguities about what we are permitted and authorized to do in cyber space,” CSE noted.
Before any of these new powers are exercised, however, the legislation states that CSE would need to get the green light from the highest levels of government. Canadian-led cyber attacks would require the direct approval of both the defence minister and the minister of foreign affairs.
Defensive cyber operations, meanwhile, will require the approval of the defence minister and “consultation” with the foreign affairs minister. CSE would also be required to report the outcomes of all these activities to both ministers.
WATCH: Defence minister prioritizes cyber warfare in new defence policy
Strict no-go zones are also built into the legislation. CSE would be prohibited from directing cyber operations activities at “Canadians, any person in Canada, or the global information infrastructure in Canada,” for example.
None of the activities would be permitted to cause death or bodily harm, and CSE could not attempt to “obstruct, pervert or defeat the course of justice or democracy.”
The idea that Canada should become more actively engaged in cyber warfare is not new. The government’s recent defence policy review made it explicitly clear that Canada’s military feels that “a purely defensive cyber posture is no longer sufficient” given the explosive growth in online threats.
As a result, the review noted, “we will develop the capability to conduct active cyber operations focused on external threats to Canada in the context of government-authorized military missions.”
Such cyber-based military missions, carried out with CSE’s help, would be subject to “all applicable domestic and international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments,” the document added.
In the spring of 2016, former CSIS director Richard Fadden also acknowledged that cyber attacks were something that Canada might need to launch in “some circumstances.”
WATCH: Former national security advisor talks Canada’s cyber warfare capability
“If we have Canadian troops somewhere around the world, Iraq as an example, and they can use somewhat offensive cyber initiatives in order to reduce the threat that they and allies are facing, I would say that’s not an unreasonable thing for the public service to pull together and ask the government if they want to do,” Fadden said.