National Security Review in the 2020s

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of the National Security and Intelligence Review Agency.

Justice Canada

Learning Day

National Security Review in the 2020s

Craig ForceseFootnote 1

29 Jan 2020

Let me begin by thanking you for your invitation to this 2020 Learning Day. I am here as a stand-in for Murray Rankin, chair of the National Security and Intelligence Review Agency – or NSIRA. Let me say, however, I am not purporting to represent the collective position of NSIRA. This is not, in other words, an institutional presentation – but rather that of an academic lawyer who happens to be an NSIRA member. And of course, I must skate always on the unclassified side of the line.

What I'd like to do for 30 minutes is to talk a little bit about how I approach the purpose of national security law, and what I see to be some of the chief challenges in that space in 2020. I want to then talk about how I have come to conceive of national security review – a function performed by NSIRA, among others – in relation to these challenges. In so doing, I will pose questions which I will not attempt to answer in full. I'm hoping after my comments, I might ask for your reaction to some of these questions and observations.

Purpose of national security law

Turning to my first theme: let me assert the purpose of the national security system in a liberal democracy. That purpose is the identification and minimization of national security threats in a manner conserving the state's capacity to identify and foil future threats. Activities taken in pursuit of these objectives must be lawful, effective, efficient, proportionate to the threat, and necessary in the context. Ideally, national security law is the set of rules that ensures the national security system meets these standards.

And that brings me to a few comments on contemporary challenges in national security system, and by extension national security law. I shall propose a subset of five challenges. These are: The Feast and Famine of Rapid Technological Change; The Speed of the Flash-to-Bang Cycle; Institutional Skepticism; Legacy Hangovers; and, The Peaceable Dominion Problem

1. The Feast and Famine of Rapid Technological Change

The challenges posed by the dizzying pace of technological change – and especially technological change in the communications area – are obvious. Most famous is the cyber arms race between collectors of information and defenders of privacy.

And the most emphatic manifestation of that arms race is the so-called "going dark" phenomenon; that is, the proliferation of encryption protecting the content of communication, even in circumstances where lawful access regimes permit its intercept by the state.

The flipside of this going dark "famine" is the feast of data – especially various forms of metadata – coughed up through our interaction with technology – and especially, the portable monitoring devices we call 'smart phones'.

That feast is, however, often in the hands of the private sector, not directly in the possession of the state. This is a point emphasized recently by MI5's director general, who noted his agency would need to enter partnerships with private sector partners to learn more about MI5's approximately 3,000 targets.Footnote 2

The national security law challenges are, therefore, acute. Is there a legal solution to the technological problem of encryption, one that squares the circle between lawful, proportionate, and necessary access by the state, on the one hand, with communication security protection against nefarious actors, on the other? There may be ways to salami-slice this issue, but so far what is an acute operational issue has found no echo in law reform.

Is there also a manner for the state to marshal the sea of data accumulated by the private sector while observing these same criteria of lawful, effective, efficient, proportionate to the threat, and necessary in the context. Can this be done while preserving the core ingredient of privacy – that is, the right to be left alone -- which the Supreme Court has recognized includes anonymity?

2. The Speed of the Flash-to-Bang Cycle

The communications revolution may be the single most important reason for the speed of today's flash-to-bang cycle. That is, the time between the germination of a threat to the manifestation of the injury. Established expectations about, for example, radicalization to violence, what it requires, and how long it takes, are no longer quite as certain as was once the case, in today's social media frenzy. Cyber threats join more kinetic dangers as a source of anxiety for the Internet of Things. And barriers to entry for threat actors fall – individuals wield capacities that would have been unimaginable for even states not so many years ago. These new challenges arise as dangerous geopolitical competition re-emerges in today's complex international environment.

3. Institutional Skepticism

Meanwhile, even as the technological and security environment becomes more complex, the public in liberal democracies expresses suspicion of public institutions. The concept of a "deep state" is not confined to some dark corner of the internet. It is embodied by public unease over periodic security sector scandals, some real and some the product of a visceral distrust, or of an honest misunderstanding, facilitated by the general low level of national security familiarity outside of a narrow subset of the population.

Reputation management or response within the security and intelligence community may provoke a negative feedback loop as wagon-circling provokes even more suspicion, and agencies miscalibrate, viewing transparency as the villain rather than a means of curating greater public understanding.

4. Legacy Hangovers

Each state's system of law has its own internal logic that seems at times idiosyncratic, and each seemingly idiosyncratic system is idiosyncratic in its own way. A national security system, ours included, exhibits path dependency. Ours was built in response to what I call, tongue in cheek, "original sin": the misdeeds of the RCMP Security Service in the 1970s, and the post-McDonald Commission response. That system was built on a division of labour between: a CSIS carefully codified in statute law; a CSE that went from an entity governed by royal prerogative to one likewise carefully governed by statute law; and, an RCMP with the powers of police constables, but circumscribed by an increasingly complex system of criminal and constitutional law. If we were to start from scratch, I doubt the system we would design now would look much like the one we have inherited. That path dependency can produce ruts that make real innovation difficult, especially given my final challenge:

5. The Peaceable Dominion Problem

The challenges we face as a national security system require a degree of nimbleness, and not just operational nimbleness – they require legal nimbleness. How to accomplish legal nimbleness in a system based on the rule of law? You can only stretch ancient statutory text so far to fit new circumstances. Law reform is usually an urgent need. But in our peaceable dominion, national security law reform is near the bottom of most government's priority lists.

In Canada, it is vanishingly rare to see national security lawmaking normalized as a policy driven exercise. Almost exceptionally, the National Security Act 2017 (bill C-59) was the product of a normalized policy and legislative process, and it is creative law-making.

But it will stale-date – indeed probably already is stale-dating. Certainly, there are novel issues raised by implementation of this complex Act. I have come to view legal uncertainty as poison to an effective national security system, built on the rule of law. So how do we develop in this peaceable dominion the tradition found in some other jurisdictions of annualized law reform, rather than generational, updates? Five-year reviews, I believe, are a terrible vessel for that.

Review and oversight

Having set the stage with five challenges to the national security system, let me shift gears and talk about 21st century review and where it is situated in this conversation. Just to understand our vocabulary, by review I mean after-the-fact assessment of agency conduct to gauge compliance with law or ministerial direction (what I call "propriety review"), or to evaluate necessity, reasonableness, efficacy, and proportionality (what I call "efficacy review").

1. Where have we come from?

The period between 1984 to 2019, I call the McDonald Commission-era. During this period, review was built around:

  • the Security Intelligence Review Committee (SIRC) (and by the 1990s, the CSE Commissioner);
  • an Inspector-General's office to serve as the eyes and ears of the Minister in CSIS (abolished in 2012);
  • subject-matter specific roles for three officers of Parliament, as a relatively modest part of their mandates (privacy and information commissioners; and the auditor general);
  • a half-hearted extension of the review model to the RCMP in 2013 (again, as a relatively minor part of the revamped RCMP Civilian Review and Complaints Commission's mandate); and,
  • periodic commissions of inquiry grappling with cross-government preoccupations that the standing review bodies were unable or unwilling to address, but these judicial commissions ceased to exist upon the termination of their mandates, ensuring that their recommendations gathered dust.

The initial McDonald Commission-era model was ahead of its time – and SIRC was the inspiration for review reform in northern Europe especially. But the European agencies generally leap-frogged some of the more impairing aspects of the Canadian model.

By the early 2000s, the shortcomings of the Canadian system were generally well-understood: uncertain roles of the CSIS Inspector General vs SIRC; the stovepiping of review bodies by agency and their siloing, making it difficult for each review body to coordinate with the others, even as the agencies they reviewed operated increasingly hand-in-glove; serious resource constraints limiting the reach and effectiveness of these review bodies; incredibly expensive, lengthy, resource-sapping and quasi-adversarial commissions of inquiry, creating a boil of scandal through the 2000s; a general lack of confidence amongst civil society about the review system, ably assisted by periodic controversy about the caliber and conduct of, especially, some SIRC members (including one who later died in a Panamanian prison, after his resignation).

To this list of limitations, I would add: a review system geared more to "whack a mole" issue-to issue-reviews rather than strategic thinking about the role of review in advancing the efficacy of the broader national security system writ large; that is, outside of commissions of inquiry, a near exclusive focus on propriety review with little attention to efficacy review.

In these respects, the Canadian system began to look antiquated as compared to: the Inspectors General models in Australia and New Zealand; the Intelligence and Security Committee of Parliament, plus the Investigatory Powers Commissioner's Office, in the United Kingdom; or the web of Inspectors General, Congressional oversight (now admittedly undergoing its own strains), and the Privacy and Civil Liberties Oversight Board, in the United States.

In my past work, I have said that by the time of the 2006 Arar Commission report, it was clear that the McDonald Commission-era review structure was not fit for purpose in an increasingly complex national security environment. This was a comment never intended to diminish the considerable work of high quality done during the McDonald Commission-era. It reflected, however, my opinion that severe structural constraints created a review system more impaired than was truly acceptable.

2. Where are we now?

We are now in a post-McDonald Commission-era period, because of both bill C-22 (creating the National Security and Intelligence Committee of Parliamentarians – or NSICoP) and bill C-59 (which, among many other things, constituted NSIRA). For shorthand, I shall call this the post-Goodale era, since I believe former Minister Goodale deserves considerable credit for the process culminating in these changes.

So, what qualities characterize the post-Goodale period of review? The most significant change is, of course, the abolition of a stovepiped and siloed system of review. Rather than indexed to each agency, the remaining, revamped review bodies now have a subject-matter jurisdiction tied to intelligence and national security functions, regardless of location in government.

They can, put another way, follow the thread of a national security and intelligence review wherever it leads in government, regardless of department. This is, in other words, the all-of-government review that the Arar Commission called for in 2006, albeit structured in a different manner than Justice O'Connor imagined.

In terms of mandate, both NSICoP and NSIRA may embrace both efficacy and propriety review. NSIRA's mandate, for instance, reaches both legal and ministerial direction compliance, but also review for reasonableness and necessity.

Certainly, on the NSIRA side, available resources will permit a considerable scaling up of staffing, and therefore of review activities. This is very welcome, given the number of reports NSIRA is obliged to prepare, and the size of the community it is expected to review.

Moreover, NSIRA retains a complaints function for the chief agencies in the national security system, and for security clearance denials.

In principle, NSIRA and NSICoP now have sufficient subject matter remit that they could perform the roles off-shored to judicial commissions of inquiry in the 2000s. And they arrive at a time when the general attitude about national security and secrecy is undergoing a shift. Under the umbrella of the government's transparency commitment, it is possible now for national security and intelligence agencies and their review bodies to be public-facing in a way that reconciles secrecy with public credibility. I'll come back to this.

This is, in other words, a time of opportunity. This is more than a rebranding. It is a reconstitution of the Canadian system of national security review. The question now is "in what direction should it move?" Or put another way, how would we measure "success" of the new review model?

3. Where do we want to be?

Let me suggest 7 indicia of success, not necessarily to advance an argument in favour of them, but to generate discussion.

First, and most obviously:

1. Do the review bodies see things that the agencies they review do not?

When CSIS directors said, as they always did, "SIRC makes us better", what did that mean? (And I shall assume it was not just strategic flattery). My sense, confirmed informally, is that it meant the review body saw weaknesses that CSIS did not see. It was a canary in the coal mine. An early warning system is very valuable, so how does one institutionalize this? I think much shall turn on review professionalism, to which I'll return in a moment.

2. More narrowly, in serving as this canary, can the review bodies resolve differences on legality with the agencies and their legal advisors?

Too often in the past, there was no resolution of differences of view on the law. And these disputes festered, producing recurring uncertainty. Should the review bodies begin triggering the Federal Court's reference jurisdiction (in s.18.3 of the Federal Courts Act) to put these questions in front of a court competent to decide them, as the Information Commissioner has on occasion?

3. Speaking now in broader terms, should the review bodies capitalize on their "forest" rather than mere "trees" vantage point?

NSIRA and NSICoP are unusually well-positioned to straddle the security and intelligence community and to understand how best practices in one place could inform those in another, in a systemic way. More than canaries, they can be pollinating bees. How active should the review bodies be in serving as bees?

The "necessity" and "reasonableness" remit of NSIRA and the NSICoP efficacy role are natural gateways to this effort. But would too active a cross-pollination role risk compromising the propriety review function? That is, in advancing fixes to hard dilemmas, would review bodies tarnish their ability to perform a cold-eyed assessment of agency activities undertaken as part of proposed solutions. I think not, personally, but it should be done carefully.

4. On a related theme, can review bodies serve as gad flies attracting attention to current shortcomings in the national security system in a way that facilitates solutions?

In other words, what role for the review bodies in overcoming some of the challenges to the national security system I have identified? Are they confined to simply spotting problems or can they also facilitate solutions? Does solution-finding risk investing the review bodies in policy deliberations? I think generally, there are tools relevant to this question possessed by review bodies that have rarely – if ever – been used; for instance, the departmental review power now in s.31 of the NSIRA Act. When and for what purpose should those tools be used?

5. In doing all these things, can the review bodies devise recommendations that are implementable?

It is one thing to propose sweeping change, it is quite another to imagine implementable change. I'd say too many judicial commissions of inquiry have proposed recommendations that would require heroic effort to implement. Heroism is usually in short-supply thereafter, and the recommendations that the government does accept may be the most banal. Learning from this, how detailed and precise should review body recommendations be? Should review bodies rank recommendations by priority? I'll add: what does it mean when an agency says it accepts a recommendation? Should review bodies then track and audit implementation?

6. Can the review bodies do any of this without public confidence?

Review bodies are, effectively, the proxy of the public (and Parliament). They must be credible in an era of institutional suspicion. To do that, they must do more than provide what one veteran of the Arar Commission called "opaque assurances of propriety and effectiveness" to the public. Instead, review body assurances must, as that person argued, be "informative, to the greatest extent possible without jeopardizing national security".Footnote 3 It should not go unmentioned that the preamble to C-59 talks about: "enhanced accountability and transparency [as being] vital to ensuring public trust and confidence in Government of Canada institutions that carry out national security or intelligence activities".

Can the review bodies meet a standard of what I call bounded transparency – transparent enough to satisfy the public interest, but not so transparent as to prejudice national security?

And more than transparency, I'd add: can they meet standards of responsiveness? NSIRA's predecessors had begun to fall behind their international counterparts who released reports on a regular basis, not just relatively undetailed summaries in annual reports, usually then lost from the public gaze.

And on the complaints side of the house, does it matter that the Act talks about the investigation – not the adjudication of complaints? How might the current lengthy, quasi-judicial model of complaints resolution – now measured in years – be streamlined to meet the range of procedural fairness expectations, including the admonishment against undue delays?

7. Probably most critically, can the review bodies build a model of review professionalism that allows them to perform all these roles?

To accomplish anything on this list of possible markers of success, a review body surely must personify "professionalism". Professionalism has many guises – but I find instructive the professionalism code devised by the Inspectors General in the United States, that sets standards for independence, staff qualifications, direction and control, reporting, confidentiality, quality assurance, and coordination (not least, coordination between reviewing entities that may have overlapping mandates. How do review bodies avoid the Ottawa disease of turf-defending and jurisdiction-wrangling?)

These US standards signal the desire, and I have reason to believe, the reality of diligence and competence, and I imagine such standards provide comfort to those who are reviewed.

So how does a review body train-up and maintain a professional cadre of reviewers able to meet these standards? And then, especially, how do they do so in the new technological environment? Not least, how does a review body ensure it is high-tech, an issue of considerable discussion among our international counterparts. Are we competent to understand datasets in the CSIS context, or SIGINT methodologies in the CSE world? Do we understand, really, the implications of 5G? Can the review body itself marshal machine-learning – in order to understand machine-learning deployed by agencies? How will we address ourselves, more generally, as review bodies on the question of ethical AI?

More prosaic, but so very critical, is the human resources side of professionalism. How does a review body's professionalism culture gel, to avoid individual idiosyncrasy driving the culture of a relatively small agency? How do we staff-up and become part of the career path of talented public servants, a place that mentors and facilitates career advancement?

And what role for members? For NSIRA, should there be a vision of the expertise the seven members should have, as a collective? What skill set should be found, cumulatively, among the members? Should members play a detailed, in-the-weeds role in review, and not just complaints? What considerations of diversity should apply in terms of the membership?

Now, I'll not attempt to answer these questions – I shall hold my powder dry. But all these questions – and more – require asking and answering. If one cannot answer them, I think it is very hard to respond to the larger question "how do you measure the success of a review body?"

And there is considerable risk, if one has no clear answer to this larger question, that the positive impact of a review body in contributing to a robust national security system in a rights-observing liberal democracy will be, at best, episodic and uneven. That is why in this new period of reconstituted review, review bodies shall need to ask strategic questions, including those I have proposed today.

Thank you.

Date modified: