John Forster, Chief of the Communications Security Establishment (CSE), Canada: Exclusive Interview

An exclusive interview with John Forster, head of cybersecurity in Canada, on sharing intelligence through ‘5 Eyes’ and why Canada protects its citizens not only from cyber threats but also from the security services themselves.
Like every country in the world, Canada takes its online security seriously, yet the Canadians have not one but two primary concerns. One is to protect its own government and infrastructures – like many nations. Equal to that concern is the determination to protect not only Canada’s citizens but also their privacy.
It could be argued that respecting the private citizen’s privacy too much will simply hamper security services operating in the cloud and through social media to detect national threats. To the Canadians this is a price worth paying and, in a post-Snowden world, it is a view more countries may come to consider.
The CSE is prohibited by law from directing its foreign intelligence activities at anyone in Canada. This extends to Canadians living anywhere in the world. CSE is itself overseen by an independent CSE Commissioner and staff who constantly and thoroughly scrutinise CSE’s activities. To date the Commissioner has never found that CSE has acted unlawfully but has praised its culture of respect for Canadians’ privacy.
The Big Move
Operating within those constraints, John Forster heads up an organisation that is about to face a new challenge to go with the constant challenge of tackling cybersecurity. He explains what that entails:
‘This is a time of great change for the organization. We are preparing to move into a new facility that will fundamentally change how we work. While there is always some anxiety with any change, I believe there is a growing sense of anticipation and excitement across the organization.
‘We are moving from a collection of six different sites – several are terribly outdated and were designed for an organization about half our size – to a single facility with state-of-the-art technology built for our purposes. Over the months leading up to the move, we have been undertaking many initiatives to prepare for our transition into the new facility and manage this significant change.’
What is CSE For?
There are around 2200 staff in CSE, who will soon be in a new purpose-built facility with cutting-edge technology. At their head is John Forster, a man who has been a Canadian public servant for over 30 years. What does he see as his primary role?
‘As the Chief of CSE, it is a pleasure to lead an exceptional organization and work with some of the brightest public servants in Canada. I see my role in helping to create an organization and climate where their talents, expertise and commitment can flourish for the benefit of Canada.
‘To do that we need clarity of mandate; a vision of what we need to do to be successful five years from now; an environment that supports innovation and collaboration; a facility and technology that allows us to excel in meeting the needs of our clients and partners; a policy framework and culture of lawfulness and protecting the privacy of Canadians; and a commitment to recruit, retain and develop the skills and people we need to succeed.
‘Delivering on our mission to protect Canadians from global threats, while at the same time managing a significant transition in the organization is both daunting and exciting.’
The Scale of the Challenge
Forster is under no illusion about the sheer volume of the global threats CSE faces. ‘The scale is enormous, and it grows as the use of technology grows. There are 60,000 new malicious programs identified every day. And one in every 200 emails contains malicious software – malware. Canadian government departments are subject to millions of cyber intrusion attempts on a daily basis.
‘Cyber threat actors are constantly probing government systems and networks, looking for vulnerabilities. These activities are becoming more frequent and more sophisticated.’
While the threat environment is constantly changing and evolving, Forster has a growing concern over the evolution of cyber capabilities for both disruptive and destructive purposes. The CSE response is both national and international. At the national level CSE works closely with the Department of Public Safety and keeps the government constantly updated on threats.
5 Eyes
Along with every other cyber professional, Forster sees cybersecurity as a global issue. To that end Canada works with various bodies within the UN. It is also part of the ‘5 Eyes’ intelligence sharing partnership, made up of Canada, the USA, the United Kingdom, Australia and New Zealand. Forster explains the advantages:
‘Canadians benefit greatly from this long-standing partnership. This relationship provides the government of Canada with valuable intelligence that serves to protect Canadians at home and around the world. Intelligence gathered and shared among this trusted alliance greatly improves and advances Canada’s cybersecurity posture.’
One of the challenges they face is dealing with a technology in constant evolution. Forster sensibly points out that it is hard to predict how technology will evolve but he does see trends for the next five years. Chief among these is the continuing shift to mobile computing. Alongside this is the migration of more data and services to the cloud.
Unlike Professor Jill Slay but more like Brigadier General Touhill, John Forster thinks the cloud is here to stay:
‘I don’t think it’s a matter of some solutions or technologies having to disappear. It’s really about ensuring that those solutions have strong security features, and that those security features continue to evolve with the threats. Users need to be aware that along with convenience, comes a need to be much more vigilant and aware of security issues when using these tools.
‘As technology evolves, along with the capabilities of on-line criminals, hackers, state actors and others, on-line security must also continue to stay ahead. Cybersecurity requires constant assessment and evolution.’
Shared Services Canada
One of the ways in which CSE has helped Canada’s cybersecurity evolve is to work with the government on the consolidation of government IT infrastructure under what it calls Shared Services Canada (SSC). SSC now provides IT services and support to 43 departments and agencies. At the same time it is working to reduce the number of government data centres and to consolidate email systems.
Security is ‘baked in’ to the design and procurement of the new government email system, so it should have more consistent security and fewer vulnerabilities from the design onward. Similarly, security requirements are being embedded into the procurement process as SSC transforms and modernizes the government’s IT landscape.
Get Cyber Safe
There are several aspects that make Forster optimistic for the future, and one is that he sees the public becoming more aware of their own security issues. He sees this as a combination of people becoming more cybersecurity conscious as well as there being more platforms for people to learn how to effectively secure their own cyberspace. One of these platforms is a uniquely Canadian one, as he explains:
‘Public Safety Canada’s “Get Cyber Safe” campaign is informing Canadians about cyber security issues and encourages citizens to protect themselves online and to use proper tools and programs to secure their daily on-line activities.’
The Canadian private citizen is clearly always at the forefront of the CSE’s work, alongside that of the Canadian government itself. Forster explains how that all dovetails together:
‘Protecting the privacy of Canadians is our most important principle. And our IT security role of protecting government information systems helps protect the privacy of all Canadians.
‘The government of Canada offers more than 130 online services and Canadians expect their government to protect their information. When people share information with the federal government, we help ensure that their information and the networks that contain it are safe and secure.’
Making Cybercriminals Pay
While this is obviously, at one level, a battle of competing technologies between cyber criminals on the one hand and government cybersecurity experts on the other, John Forster has an interesting view on how else this battle can be seen:
‘We have framed the cybersecurity issue as one based on technology. But this is also about economics. The cost to undertake malicious cyber activity is low while the payoff can be high. That’s simple math that encourages criminals, terrorists and nation-states to use cyber methods to achieve their objectives.
‘So our job is to make it difficult and more expensive for them to undertake any of those malicious cyber activities. Whether it’s through better defences that require more sophisticated and expensive tools, supporting the Royal Canadian Mounted Police in pursuing cyber criminals or preventing foreign states from exploiting our systems, our actions need to increase the cost to our adversaries.’
The Individual Responsibility
Ultimately, Forster and his department at CSE see this as a responsibility of the citizen as we use the internet more and more:
‘The benefits of technology are obvious: it has opened up new ways of working, living and connecting with each other. We communicate in ways that were unimaginable even a decade ago. The challenge is that rapidly changing technology makes it difficult to fully understand the implications around security.
‘But, at the same time, the public awareness of cybersecurity issues will encourage improved security. At the end of the day technology will be driven by what we, as consumers, demand and I hope to see consumers demanding more security features. Certainly we are working to ensure that the government of Canada, as a large consumer of technology, demands those security features of our products.’