Canada quietly extended its cyber defence umbrella to Ukraine, Latvia after Russian invasion: report

The Canadian government has quietly designated Ukraine and Latvia's networks as "systems of importance," extending the services of its cyber intelligence agency to cover the two eastern European countries.

According to the Communications Security Establishment's annual report, Defence Minister Anita Anand signed two ministerial orders last year to bring the electronic information and network systems of Ukraine and Latvia under Canada's defence umbrella.

The orders were signed on March 17, 2022, less than a month after Russia's unprovoked invasion of Ukraine.

CSE, Canada's foreign signals intelligence agency, confirms this is the first time a minister has used their powers under the CSE Act to designate entities outside Canada as systems of importance.

"The designations allow CSE to provide cyber security assistance to help protect the designated entities," says the CSE report, made public Thursday.

"The orders are still in effect and CSE's assistance is ongoing."

CSE spokesperson Robyn Hawco said she couldn't discuss specific measures the agency is pursuing for "reasons of operation security." The report said only that CSE's cyber centre has notified Ukraine of hostile cyber activities against its national infrastructure and points of vulnerability.

Hawco said the CSE Act only allows the agency to employ defensive cyber operations to protect systems of importance — not active operations. Through active operations, the CSE goes on the offensive to disrupt foreign online threats.

Leah West, a professor of national security law at Carleton University, said the protections CSE likely is providing wouldn't meet Russia's threshold for retaliation. And Canada extending its cyber defences to Ukraine does not trigger any NATO obligations, she added. 

CSE's aid won't "pull us into the conflict," West said. "It gives us the authority to help." 

CSE has deployed some of its personnel to Latvia to help defend against cyber threats and identify threat activity on the country's critical networks, says the report.

Hawco said there have been six trips since the spring of 2022 and deployments are ongoing.

"Together, the teams are conducting binational defensive cyber-threat hunting operations — in other words, proactively searching for cyber threats to critical Latvian infrastructure. They identified threats and improved procedures over the course of the deployments," she said.

"Latvia is a vital NATO ally. This assistance is helping protect Latvian partners from malicious cyber threats and making it clear to allies across the region that Canada will support them in defending and deterring against Russian aggression."

2.3 trillion malicious attacks last year: report

In 2021, the federal government released a statement on international law in cyberspace which clearly asserts that the rules-based international order extends into the online environment.

"Canada believes that international law provides essential parameters for States' behaviour in cyberspace and will continue to help ensure global stability and security," it says.

Anand authorized four foreign cyber operations in 2022 — three intended to disrupt adversaries and one to protect systems from malicious activity. That's the largest number in a single year since the CSE Act came into force in 2019. 

While the report doesn't specify the types of operations CSE was running last year, the report says the agency has used its active operations to disrupt the activities of cybercrime groups.

It also says it has used that offensive power to "remove harmful terrorist content disseminated online by foreign, ideologically-motivated extremists. This disruption fractured the extremists' group cohesion and significantly reduced their online reach and ability to recruit new members."

CSE said it thwarted  2.3 trillion malicious actions aimed at government networks during the last fiscal year, an average of 6.3 billion a day.