The Communications Security Establishment, Canada's signals-intelligence agency, used its July 6, 2026 annual report to disclose something governments rarely admit in public: it hacked a criminal organization until it stopped functioning. According to the 2025-2026 Annual Report, CSE's cyber-intelligence teams tracked a ransomware-as-a-service (RaaS) group responsible for more than 25 incidents against Canadian transportation, healthcare, pharmaceutical, and business targets, then ran an active cyber operation that "rendered the group's infrastructure inoperable and deleted a large amount of stolen data that was being advertised for sale on the dark web." Separately, the agency confirmed "authorized technical disruptions" against 10 major ransomware gangs during 2025, aimed at making parts of their infrastructure unusable, alongside comparable operations against fentanyl-precursor traffickers and a violent extremist group, as first reported by The Record.
The legal machinery behind the headline
This is not a rogue operation or a policy improvisation. It is the intended output of the CSE Act, which came into force in 2019 as part of Bill C-59. That law split CSE's mandate into five parts, adding "defensive cyber operations" and "active cyber operations" as distinct, ministerially authorized activities — sections 18 and 19 of the Act. Active cyber operations require sign-off from the Minister of National Defence with the consent of the Minister of Foreign Affairs, and section 32 explicitly bars CSE from causing bodily harm or obstructing justice or democracy in the course of such operations, per the Library of Parliament's legislative summary. Oversight sits with the National Security and Intelligence Review Agency (NSIRA), which replaced the old CSE Commissioner model specifically to give these new offensive powers independent scrutiny.
Seven years after that framework was written, the ransomware takedown disclosed this week is the clearest evidence yet that it functions as designed: a bounded, authorized, reviewable state hack against a criminal target outside Canada, executed without collateral harm to domestic systems.
The case for going further — and its limits
Privacy and civil liberties advocates are right to ask hard questions about offensive state hacking, and the strongest version of their case deserves a fair hearing. Active cyber operations happen in secret, are authorized by the executive rather than a court, and by design leave the public unable to verify proportionality in real time — unlike a criminal indictment, there is no adversarial process testing whether the target was correctly identified or whether the method used was the least intrusive available. NSIRA review happens after the fact, and its findings on specific operations are rarely public in enough detail to reassure skeptics. That is a legitimate structural weakness, not a fringe objection.
But the ransomware disclosure also shows the guardrails working in the direction critics say they don't: CSE is disclosing the fact and rough shape of these operations annually, rather than burying them, and doing so through a report that names specific sector impacts (healthcare, transportation, pharmaceutical) rather than vague generalities. Extortion gangs operating RaaS infrastructure are not entitled to due process protections designed for a citizen facing state power — they are foreign criminal enterprises whose "infrastructure" is the tooling of extortion. Deleting stolen data being auctioned on the dark web is a direct victim-protection measure, not a punitive one.
Where the real risk sits: Bill C-22, not CSE's offensive mandate
The more consequential fight over state power and encryption in Canada right now isn't CSE's ransomware operations abroad — it's the domestic Lawful Access Act, 2026 (Bill C-22), which cleared third reading in the House of Commons on June 18, 2026, and now awaits Senate study when Parliament resumes September 21. The bill's Part 2, the Supporting Authorized Access to Information Act, would compel "electronic service providers" to facilitate government access to communications data. The Electronic Frontier Foundation has called it a repackaged version of a bill EFF criticized in 2025, warning it threatens encryption and expands surveillance with insufficient debate on proposed amendments. Canada's own Privacy Commissioner submitted formal advice to the House Standing Committee on Public Safety flagging these concerns during the bill's study, according to the Office of the Privacy Commissioner's parliamentary submission.
The third-reading text does include a carve-out: providers cannot be compelled to decrypt data unless they themselves hold the decryption key, meaning user-applied end-to-end encryption is nominally protected. Whether that carve-out survives contact with implementation regulations — and whether "systemic vulnerability" prohibitions are enforced in practice — is the question that will determine whether C-22 becomes a template other democracies can point to, or a cautionary tale.
The distinction that matters
Canada's offensive ransomware operations and its domestic lawful-access bill get discussed as though they're the same debate about state cyber power. They aren't. One is a foreign-facing, ministerially authorized, NSIRA-reviewed program targeting criminal infrastructure with no domestic surveillance footprint. The other is a domestic data-access regime touching every Canadian's service provider. Policymakers and advocates elsewhere weighing similar tools should keep that line sharp: proportionate authority to disrupt ransomware gangs abroad is a defensible, arguably underused tool against a genuine harm; expanding compelled domestic access is a fundamentally different — and much higher-stakes — proposition that deserves the scrutiny it is currently getting in the Senate.