Canada's signals intelligence agency has done something unusual: it told the public what it actually does. The Communications Security Establishment's annual report acknowledges conducting offensive cyber operations against drug trafficking networks, violent extremists, and at least one ransomware gang throughout 2025—a level of operational transparency that would have been unthinkable a decade ago.

The disclosure matters less for what it reveals about Canadian capabilities than for what it signals about the normalization of state-sponsored hacking in Western democracies.

From defense to offense

For most of its existence, the CSE operated in the shadows of its more famous cousins—the NSA, GCHQ, the Australian Signals Directorate. Its mandate was collection and defense: intercept foreign communications, protect government networks. The 2019 expansion of its legal authorities to conduct "active cyber operations" changed the calculus, but the agency remained characteristically Canadian about discussing it—which is to say, it didn't.

This year's report breaks that pattern. The agency explicitly claims credit for disrupting criminal infrastructure, degrading extremist communications, and—most notably—going after ransomware operators who have made critical infrastructure their preferred target. The specifics remain classified, but the admission itself is the message.

The Five Eyes factor

Canada's disclosure follows similar moves by partner agencies. The UK's National Cyber Force has grown increasingly vocal about its offensive mandate. The NSA's Cyber Command regularly briefs Congress on operations against Russian and Chinese threat actors. Australia's ASD has acknowledged targeting ISIS communications infrastructure.

What's emerging is a coordinated rhetorical strategy: democratic states want their adversaries—and their citizens—to know they're no longer playing defense. The hope is that public acknowledgment creates deterrence. The risk is that it accelerates an already chaotic cyber arms race where norms remain dangerously undefined.

The ransomware exception

The targeting of ransomware gangs represents a particular evolution. These groups operate in a gray zone—criminal enterprises, often tolerated by host governments, that cause billions in economic damage but rarely trigger traditional national security responses. By publicly claiming operations against them, Canada is asserting that ransomware has crossed a threshold from law enforcement problem to intelligence target.

This shift has been building since the Colonial Pipeline attack in 2021, but state acknowledgment remains rare. Most counter-ransomware operations happen through quieter channels: FBI seizures, Treasury sanctions, diplomatic pressure on Russia to rein in its hackers-for-hire. Canada is betting that sunlight works better.

Our take

There's something refreshing about a spy agency admitting it spies offensively. The alternative—maintaining the fiction that Western democracies only defend while authoritarian states attack—has always been intellectually dishonest. But transparency about capabilities is not the same as accountability for their use. Canada has told us it hacks criminals; it hasn't told us what oversight governs those operations, what collateral damage is acceptable, or what happens when an offensive operation goes wrong. The disclosure is progress. It's not yet maturity.