Cybersecurity Authorization

(section 14 of IC Act)

What does it authorize?

A cybersecurity authorization allows CSE to access the information technology (IT) infrastructures of federal entities, as well as non-federal entities that have been designated as being of importance to the Government of Canada. It also authorizes CSE to acquire information that is stored on or passing through this infrastructure in a way that may contravene Canadian laws and breach the  reasonable expectation of privacy of Canadians or persons in Canada.

Why is it required?

CSE provides advice, guidance and services  to help protect Government of Canada IT systems from hackers and other cyber threats. The CSE mandate includes providing these same services to non-federal entities that have been designated by the Minister of National Defence as being of importance to the Government of Canada — the health, energy and telecommunications sectors, for example.

To understand where and how these important IT systems may be vulnerable, CSE must access and collect information from their infrastructure. While the aim is to protect the IT systems from cyber threats, these activities might nevertheless be contrary to Canadian laws. CSE  activities — especially acquiring information — may risk infringing on the reasonable expectation of privacy of a Canadian or of a person in Canada. The CSE Act requires CSE to obtain a cybersecurity authorization from the  Minister of National Defence prior to conducting the potentially unlawful activities.

Why is the IC's role important?

The IC ensures that CSE cybersecurity activities do not have a disproportionate effect on the rights and privacy interests of Canadians and persons in Canada or respect for the rule of law. The IC's review also ensures that CSE has appropriate and adequate measures in place to limit any impact on the privacy of Canadians.

How does CSE obtain it?

The Chief of CSE submits an application to the Minister of National Defence. The application sets out, among other things, the reasons the cybersecurity authorization is needed, as well as the activities or classes of activities that

CSE wants to carry out. It also identifies Acts of Parliament that may be contravened by CSE when conducting the activities under the authorization. When the authorization relates to accessing a non-federal IT infrastructure, the application must also include a written statement from the owner or operator of the infrastructure requesting CSE to carry out the activities included in the authorization.

The Minister issues the authorization when they have reasonable grounds to believe that the authorization is necessary; the proposed activities are reasonable and proportionate considering the purpose and nature of the activities; and all other statutory conditions have been met.