Modernizing to protect Canadians from economic security threats

Letter to The Honourable Dominic LeBlanc, P.C., M.P., Minister of Public Safety regarding the Canadian Security Intelligence Service Act (CSIS Act).

Re: Enabling enhanced threat intelligence sharing with Canadian businesses

Dear Minister Leblanc:

On behalf of Canada’s most innovative and successful businesses, I am pleased to share with you the Business Council of Canada’s (BCC) views on your department’s Canadian Security Intelligence Service Act (CSIS Act) consultation.

The BCC continues to believe that the CSIS Act should be comprehensively reviewed and amended to align the Canadian Security Intelligence Service’s (CSIS) legislative mandate and authorities with expanding expectations for the agency to identify, analyze and disrupt threats to Canada’s economic security.

However, our present submission is limited to the issue within the scope of the consultation that has the most direct relevance to BCC members: whether to authorize CSIS to disclose information to those outside the Government of Canada for the purpose of increasing awareness and resiliency against foreign interference.

BCC members increasingly find themselves in the crosshairs of malicious actors seeking to undermine Canadians’ lives and livelihoods — be it by sabotaging critical infrastructure, disrupting vital supply chains or stealing invaluable proprietary information.

The nefarious methods employed by these actors are wide-ranging, from the use of foreign intelligence officers and corporate insiders to state-affiliated hackers and seemingly benign joint ventures.

Yet, the consequences are the same: diminished economic growth and competitiveness, leading to the loss of good, well-paying jobs; foregone tax revenues to pay for essential public services; as well as lost competitive advantage in advanced industries vital to the country’s national strength.

Government-produced threat intelligence is of increasing value to companies combating malicious actors. The domestic security agencies of Canada’s Five Eyes partners, such as the United States’ Federal Bureau of Investigation (FBI), each possess modern legislative authorities allowing them to proactively share relevant, timely and actionable threat intelligence with their respective business communities. This arms the business community with the intelligence they need to protect their customers, employees and communities from new and emerging economic security threats.

The CSIS Act does not provide CSIS with those same legislative authorities. On the contrary, the CSIS Act presently prohibits CSIS from sharing all but the most generalized information with the private sector.

The only exception is once a national security threat materializes into a security event. At that point, if CSIS can satisfy stringent legal requirements, the agency may rely on its threat reduction mandate to alert a targeted company about the event.

This means of communication — a legislative workaround not designed for sharing threat intelligence with the private sector — is deeply flawed. The restrictive nature of the regime means that these authorities are rarely used. Further, the regime’s reactive nature severely limits the disclosure’s usefulness since the alert is directed towards an individual business and arrives only after such a threat has materialized.

CSIS’ outdated governing legislation therefore represents a considerable gap in Canada’s defences. Despite CSIS possessing the knowledge and expertise to help Canadian companies withstand growing security threats, Canadian businesses are left fending for themselves, putting Canadians’ safety, security and prosperity at risk.

For this reason, the BCC was encouraged when the Government of Canada launched consultations late last year that contemplate the granting of new threat intelligence sharing authorities to CSIS.   

The BCC has repeatedly argued that the Government of Canada should amend the CSIS Act to authorize CSIS to proactively share relevant, timely and actionable threat intelligence with Canadian companies where it is in the public interest and subject to all necessary safeguards and oversight.

With new threat intelligence sharing authorities, CSIS could communicate more specific and tangible information with Canadian companies. This would give business leaders a clearer understanding of the threat’s nature, as well as the protective measures that could be taken to better safeguard their employees, customers, and the communities in which they operate.

The use of new threat intelligence sharing authorities would also benefit the Government of Canada by helping CSIS build greater trust with the private sector. This would encourage business leaders to share more with the Government of Canada about the threats they are observing, which would better inform government policy and improve CSIS’s ability to investigate, analyze and respond to threats.

However, granting CSIS new threat intelligence sharing authorities is only the first step that must be taken to strengthen the resiliency of the Canadian economy. CSIS’s new authorities will only be effective in protecting Canadians’ economic security if they are coupled with a new body to securely receive, translate and disseminate CSIS’s threat intelligence broadly across the Canadian economy.

To facilitate enhanced threat intelligence sharing with the Canadian private sector, the BCC calls for the Government of Canada to stand up a formalized threat intelligence exchange, akin to the United States Government’s Domestic Security Alliance Council (DSAC).

DSAC is a partnership between 700 strategically important American corporations, the FBI, and the Department of Homeland Security (DHS). Through the timely exchange of threat intelligence, DSAC advances the United States Government’s mission of protecting national and economic security, while also assisting the American private sector in protecting their employees, customers and communities.

DSAC member companies benefit from direct engagement with senior FBI and DHS leaders; tailored threat intelligence from the FBI and DHS; and access to a members-only network where private sector and government officials collaborate, resolve problems, and exchange best practices.

CSIS, Public Safety Canada, and the Canadian private sector are well placed to build and operate a similar threat intelligence exchange to ensure that government-produced threat intelligence is securely and efficiently shared with those companies on the frontlines who are protecting Canadians from growing economic security threats.

Minister, thank you for the opportunity to share our views. I look forward to continuing dialogue with you on ways to protect Canadians, now and in the future.

Best regards,

Goldy Hyder

c.c.      David Vigneault
Director of the Canadian Security Intelligence Service

Shawn Tupper
Deputy Minister of Public Safety Canada