John Adams on Snowden, CSEC, and Civilian Review

The Snowden disclosures brought unprecedented scrutiny to the highly secretive activities of Western electronic surveillance agencies. While most of the attention has been focused on the National Security Agency in the U.S. and the Government Communications Headquarters in the U.K., Canada has also played a role through its own eavesdropping agency, the Communications Security Establishment Canada. John Adams served as CSEC’s chief between 2005 and 2012.

Mr. Adams was a panelist at the CIC Toronto Branch conference The Electronic Surveillance State. IRDTP Fellow Scott Young spoke to him there about Snowden, the activities of CSEC, and the challenge of maintaining adequate civilian review.

How would you describe CSEC’s mandate?

Well, it’s described in legislation. It’s a three-part mandate. The first part is the signals intelligence. That is gathering information from a global information infrastructure to provide information to meet the demands of the government’s priorities for intelligence. That’s the first role. The second role is to defend information and systems important to the government. And the third role is to work with and apply their technical skills to assist our federal police forces and our other security agencies.

How has that role evolved in terms of the impact of new and emerging technologies and potential threats?

I wouldn’t call it a ‘shift’, but certainly the emphasis has changed from what used to be listening, to now using the technologies that are available to us in order to, to the extent that is within the letter of the law, monitor electronic information. So it becomes very much more a computer network operation than it ever was before. And that is basically post 9/11, because after 9/11 the legislation came out and it gave CSEC authority in that area. Prior to that, CSEC had no authority in that area simply because the fear always was that we could not spy or touch Canadians. And in the communication network business, you don’t know where the communications are going and you might touch a Canadian. So since 9/11 there was a major re-emphasis on computer network operations.

In terms of CSEC review, could you describe the current review process with the CSEC Commissioner?

Well, the Commissioner has a two-fold responsibility. The first is obviously to make absolutely certain that CSEC operates within the letter of the law. The focus in that instance is generally on privacy. He watches that we do not abuse Canadians’ privacy. The second thing he is responsible for is that if there are any concerns, complaints. He receives them, deals with them and takes action accordingly. He is effectively an instrument of Parliament.

And do you think that review process is adequate or sufficient to monitor CSEC at this time?

I think it is. Now, is it perfect? It’s composed of human beings. Anything that has got human beings in it isn’t perfect. Is it adequate? Does it do what it is intended to do? I think it does. That is not universally agreed. But I certainly think it does, yes. Now I must tell you that there is a lot of concern about how CSEC has grown. So has the CSE Commissioner grown. His office has grown as CSEC has sort of doubled in budget and size. So has the Commissioner. So in fact while he can’t do everything, review everything that needs to be reviewed, he certainly has the capacity to review the key components on CSEC’s activities.

Are there small incremental steps in which you would advise the Commissioner’s office be augmented or improved?

No. I don’t think that review is the problem. I really feel that the challenge that CSEC and probably the government has, if they agree it is a challenge, is somehow to bring some public accountability or at least some light to the public with respect to what it is they do and don’t do. And in that regard the Commissioner, he does publish his reports, but the report that the public sees that goes to Parliament is in fact an unclassified report, which is rather difficult. It’s such a difficult business to try to explain to an unclassified audience. So I would hope that there might be a mechanism, and I will speak to it today a little bit. I won’t give details. Because that’s not for me to say, this is a government issue. But I think they should try harder to see if there isn’t someway to incorporate more conversation between what CSEC does and the public. The Commissioner does not do that, other than he publishes his report.

Earlier this month your successor, John Forster, testified in front of the Senate Standing Committee on National Security and Defence. In that hearing Senator Dallaire pointed out that the Committee has no classified clearance and so was unable to ask questions that were of a delicate or secure nature. Furthermore, Liberal MP Wayne Easter has advocated for more parliamentary review. To that end, would you consider it possible that there could be a more parliamentary role in reviewing CSEC?

I wouldn’t say that it wasn’t possible for sure. I think it was the national security advisor Stephen Rigby that answered that question [in front of the Senate Standing Commission on National Security and Defence], and what Stephen said was the same thing I would say. Of course, it could be accommodated, but you have to make certain that you accommodate the impact that it would have on the Commissioner and possibly CSEC if it is going to expand its concern to the CSIS organization as well. So I wouldn’t say that’s not impossible. In fact I am on record as saying that I think it might be a good mechanism to get a little bit of public exposure to CSEC. I think it is an option. And I think that’s what he is looking for. I think that the implication coming out of the Senate Committee on National Security and Defence was that they have inclinations that way as well. So I don’t not agree that that is a possibility. Not disagree that that is a possibility, I do agree that it is a possibility.

Turning to the Snowden allegations, although they have primarily focused on GCHQ and the NSA, what was your initial reaction to the realization of what Snowden had done?

Well, it was shock and concern because there is, in the business I was a part of, the major concern about the insider threat. And who knows what motivates some of these young people? Snowden clearly was a disgruntled, concerned, young man and he went about doing what he thought had to be done. Do I agree with what he did? I certainly don’t agree with what he did. Do I agree that he had some concerns? Sure, I suspect he must have had some concerns. Do I agree he fully understood the organization well enough to do what he did? I don’t, my guess would be no. But it was concern and shock because insider concerns are always major concerns.

Following up on that question, there have obviously been some revelations about CSEC’s own activities. What was your reaction to the Canadian allegations?

Well, it would have been one of serious concern because it brought information to light that I suspect CSEC thinks was misinterpreted. The most recent deck concerning the so-called ‘airport incident’, was very misleading and that hurts. The challenge that CSEC faces, and John Forster spoke to it to the Senate committee, is that it’s very difficult to explain again in an unclassified manner. But as he pointed out, the idea was not to spy on Canadians or to surveil Canadians, and they didn’t do that. But then to explain what they did do is pretty tough to do without disclosing what they were trying to develop. That deck was probably no more than folks that are working on proposals as to how they might study and learn more about the GII and the networks they’re in so that they could use that to do what they really wanted to do, which was to surveil people who are a threat to Canada.

Has Snowden at all changed the way CSEC would operate? Would you anticipate any internal changes at CSEC, or is it simply business as usual?

No, I think that it won’t be business as usual. They will be far more careful with respect to what they say and what they don’t say. I don’t think there’s any question about that. I think they [CSEC] too, though I don’t think they would welcome it, but I think that what it is going to force them to do is be a little bit more forthcoming perhaps, to the extent they can, given that they clearly can’t be so forthcoming that it impacts on their ability to do their business. But my guess is that they are going to have to be a bit more forthcoming.

Is this just an impossible dilemma, where CSEC cannot explain its activities in a classified manner to a degree of transparency that is sufficient for Canadians?

I think it is a real challenge. That’s why I say if they do introduce either an all-party group of legislators and give them some clearance so that they can be briefed. Then they, as representatives of their caucuses, and in turn the caucuses of their constituents, can go back then and reassure caucuses. And in turn their caucuses can reassure Canadians and say, “We’re comfortable with what CSEC is doing. It is important for the country and it is not an abuse of our privacy or of our civil rights.” But that’s clearly a government decision. Having said all of that, I am not suggesting that the CSE Commissioner is not capable of doing what he is doing. Let me emphasize that there are only, as I think the Commissioner himself has said, two thousand people, roughly, in CSEC, and they are not all doing the things that people would be concerned about. That’s point one. Point two, the commissioner has developed a degree of expertise over the years, and that’s the beauty of having an organization like his, a degree of expertise in the business that they are very familiar with what CSEC does. He knows where to go and the questions to ask. And I assure you that in my humble opinion they are doing as much as needs to be done from the point of view of ensuring that CSEC is not abusing their authority, their technical capacity, and therefore not impinging on the civil liberties of Canadians.

You’ve already alluded that since 9/11, CSEC’s mandate has had to adjust with new and emerging technologies, so in looking at CSEC’s mandate for the foreseeable future, how do you feel about the progress and the ability of CSEC to maintain the security of Canadians both at home and abroad?

It had better be good, and it has to get better, because if you ask most leaders of most western countries what their major concern is, it would be the cyber threat. How do you deal with the cyber threat? In our case, with CSEC. Does CSEC do it alone? No, they don’t; obviously they do it in conjunction with other countries. One of the concerns I have with the Snowden disclosures is the impact it might have on that collaborative arrangement. Particularly the Five Eyes, which would include the United States, Great Britain, Australia, New Zealand and ourselves. One worries about what impact these disclosures may have had on that collective. But whatever it is, we are going to have to adjust because clearly we have got to be able to deal with that cyber threat.

If you’re asking me whether CSEC capable of dealing with the cyber threat, I can tell you that it’s a catch-up game. They [our opponents] take a step forward; we take a step forward. It will go on for a long time, and I think without that capacity Canada would be very vulnerable. And in turn, other countries would be very vulnerable because in the cyber world you are only as strong as your weakest link. If they get in through you and then export themselves to other countries, that would be a problem. So I would think that CSEC is going to have to continue to grow and have to continue to apply itself to that cyber threat.