Friday, December 19, 2014

Round up the usual five

The term "Five Eyes" is now well established as a short-hand name for the intelligence and security partnership among the United States, the United Kingdom, Canada, Australia, and New Zealand.

One interesting byproduct of the term has been a proliferation of intergovernmental "Five" committees on topics of common security or intelligence interest.

We now have the Border Five, comprising the customs and border protection agencies of the Five Eyes countries, and the Critical Five, addressing critical infrastructure issues.

There is also the Usual Five (see page 28), a working group on cyber security issues, and the Ottawa Five (see page 79), which presumably first met in Ottawa but now meets at venues all around the world. The latter is "a group of Five Eyes allies that focuses on coordinating international cyber and Internet policy" and discusses "approaches to cyber security issues domestically and internationally" (description from Public Safety Canada documents released through the Access to Information Act; H/T to MZ).

It is heart-warming—or is that heart-bleeding?—to know that our collective efforts to undermine internet security will forever be associated with our own capital city.

The same five countries also cooperate on law enforcement issues, but inexplicably that forum is called the Strategic Alliance Group, which sounds more like a bunch of financial consultants, or maybe tire salesmen. I guess the "Magnificent Five" was taken.

The Strategic Alliance Group is "a formal partnership... dedicated to tackling larger global crime issues, particularly organized crime".

The SAG has a subgroup of its own on cyber issues, the Strategic Alliance Cyber Crime Working Group.

Are there any other "Five" groups out there?

Sunday, December 14, 2014

CSE and hacking of telecom operations

More evidence of the extent to which CSE is involved in Five Eyes efforts to hack into the systems of telecommunications providers can be found in this document, which was published by The Intercept in conjunction with its most recent article on the Belgacom penetration (Ryan Gallagher, "Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco," The Intercept, 13 December 2014).

The document is a 2011 joint presentation titled "Automated NOC [Network Operations Centre] Detection" authored by the Head of the GCHQ Network Analysis Centre and a Senior Network Analyst at CSE's own Network Analysis Centre. It discusses the work of the Five Eyes "Network Analysis community" to "automate the detection of Network Operations Centres" in order to facilitate subsequent efforts to hack into those centres.

The presentation reports that
During March 2011 GCHQ Analysts visited CSEC to look at the [sic] using PENTAHO for tradecraft modelling working with CSEC NAC and CSEC/H3 software developers to see if could model NOCTURNAL SURGE in PENTAHO and then implement in OLYMPIA

Only possible to attempt because:
– GCHQ NAC use PENTAHO
– CSEC NAC/H3 use PENTAHO
– CSEC NAC have implemented GCHQ NAC TIDAL SURGE Database Schema (DSD also have this..)
According to the article in The Intercept, NOCTURNAL SURGE is a tool developed by GCHQ "to search for particular engineers and system administrators by finding their IP addresses, unique identifiers that are allocated to computers when they connect to the internet."

OLYMPIA is a more general-purpose CSE-developed tool to help analysts identify potential SIGINT targets and compile information about their communications systems and contacts. It provides automated access to a wide variety of CSE and allied SIGINT and communications databases. (More information here.)

The Intercept report interprets the presentation to mean that "GCHQ refined the NOCTURNAL SURGE system with the help of its Canadian counterparts, who had developed a similar tool, named PENTAHO."

I wonder whether PENTAHO might simply be the data analysis software produced by the company of the same name, but either way the presentation is clear evidence of CSE interest in targeting telecom operators.

A report earlier this month in The Intercept also provided evidence of CSE involvement in such efforts.

Interestingly, CSE's infamous "airport wi-fi" experiment was also conducted by the CSE Network Analysis Centre, which seems to be the go-to place at CSE for anything related to analyzing/monitoring the Internet or computer networks in general.

The H3 unit, on the other hand, seems to be a software development shop. H3 also turns up in this document.


(H/T to Ron Deibert.)

Wednesday, December 10, 2014

CSE and supercomputers

Who has the most powerful supercomputers in Canada?

According to the well-known Top500 list, the top supercomputers in Canada in terms of peak processing speed are operated by SOSCIP/LKSAVI/University of Toronto, “IT Service Provider C”, SciNet/University of Toronto/Compute Canada, and Calcul Canada/Calcul Québec/Université de Sherbrooke.

SOSCIP frequently boasts that its supercomputer “is the fastest in Canada on the TOP500 list of the world's top supercomputers”.

But there is at least one Canadian institution that doesn’t report its computer capabilities to the Top500 list: the Communications Security Establishment.

In 1985, when CSE entered the supercomputing business, the Cray X-MP/11 it acquired was definitely the most powerful computer in the country.

But that was a long time ago, and today that computer is just a piece of computer history.

Still, it is likely that CSE’s subsequent supercomputer acquisitions, including successive generations of Cray products, have kept the agency at or near the top of the Canadian list ever since.

In general terms, this is no secret.

In 2004, member of parliament David Price, noting the post-9/11 computer purchases made by CSE, asked CSE Chief Keith Coulter if “we are still one of the top ones… in the world with the system that we do have.” Coulter’s reply was, “Yes. Top in the world? We're definitely one of the top in the country. The National Security Agency has more computing power than any organization in the world.”

CSE remains coy about the exact nature of its high performance computing capabilities, but as recently as 2013 it was willing to state that “CSEC is Canada's centre for high performance computing”, operating “state-of-the-art equipment”. Its recruiting site currently states that CSE operates “some of the most powerful computers in Canada”, and until 2010 job notices specified that CSE “computer scientists utilize a variety of computer systems including SUN, HP and IBM servers, personal computers, DEC systems, and state-of-the-art computers such as the Cray.”

More specific claims occasionally turn up in news articles about the agency.

In 2012, it was reported that CSE’s new headquarters would house “the three most powerful supercomputers in Canada”. And a QMI Agency report in 2013 stated that CSE’s new headquarters will house “the country’s five most powerful computers”.

In neither case were these claims attributed to a specific source, and CSE has never confirmed either claim, but it is difficult to believe that these reporters would have reported such specific information if they hadn’t heard it directly from what they considered to be an inside source.

The level of performance required to rank as the country’s most powerful computer is a constantly moving target, of course, but the claims seem entirely plausible.

In 2011, CSE completed a brand-new high-performance computing centre, the Mid-Term Accommodation Project, now known as Pod 1 of CSE’s new headquarters complex.

Pod 1 was a very expensive building for its size, costing $61.5 million according to CSE. A simple high-security office building of the same size would have cost about $25 million to build, so it’s probably a safe assumption that, in addition to covering the cost of electrical distribution systems, uninterruptible power supplies, and cooling systems required by a data centre, the building’s budget also covered the purchase of some pretty significant computer capabilities.

It is also likely that substantial additional computer money has been made available since. CSE has not lacked for funds in recent years (see here and here), and there’s no reason to build a state-of-the-art computing centre if it’s not going to contain state-of-the-art computers.

As the news articles suggest, the building may well contain multiple high performance systems. (In addition, the data storage systems in the separate data warehouse also built at CSE’s new complex might also be considered a form of supercomputer.)

As the systems on the Top500 list show, a variety of different manufacturers produce supercomputing systems, and it is possible, perhaps even likely, that CSE has obtained systems from more than one company. It seems certain, however, that one or more Cray systems continue to be in use at CSE.

Cray has maintained a close relationship with the major Five Eyes SIGINT agencies throughout the history of the various companies that have borne that name, and as noted above, CSE was acknowledging its own continuing relationship with Cray as recently as 2010.

It is surely no coincidence that Cray Inc. is currently looking for a Customer Service Systems Engineer to “provide hardware and software technical support and maintenance for Cray Inc. massively parallel (MPP) computer systems” at a “classified account headquartered in Ottawa, Canada”. According to the notice, Canadian citizenship is “a must” for the job, as is a “Top Secret (SBI) security clearance”.

Cray’s ad doesn’t reveal the name of its customer, but there’s only one Canadian agency that belongs to the Cray Users Group.

CSE’s Australian counterpart, the Australian Signals Directorate (previously known as the Defence Signals Directorate), acknowledged purchasing a $14.5 million Cray system in 2010.

Although no details of that system were released, at that cost and date it was probably a medium-sized XE6 system, or something with comparable performance, with a theoretical peak processing speed on the order of 300 teraFLOPS and consuming around 0.9 megawatts of electrical power. (This is a guess based on the reported performance and $45 million cost of the larger Cray Cielo system purchased by the U.S. that year.) If so, it was the most powerful supercomputer in Australia at the time and would have been roughly on par with the top publicly acknowledged supercomputer in Canada that same year.



Did CSE purchase something similar, or more powerful, for its new high performance computing centre in 2011?

The two cooling towers on the roof of Pod 1 provide a bit of a clue (photo courtesy of Chuck Clark).

The two towers, built by Evapco, appear to be from the company’s AT-112-514 to 112-914 series, which means that each tower is capable of providing 494–574 tons of nominal cooling. If both towers were in full use, this would provide cooling for equipment consuming roughly 3.5 to 4 megawatts, of which the IT load might comprise around 3 megawatts. (At least, that’s what I think can be concluded; I would be grateful if readers would correct any errors in the preceding.)

If these conclusions are correct, then Pod 1 has the capability of supporting a much more capable computer system, or set of systems, than that apparently purchased by ASD in 2010. (Moreover, there is space available in the enclosure on the roof for an additional cooling tower, suggesting that the building was designed to accommodate even greater cooling capacity if it is ever required.)

If the building was using its full two-tower cooling capacity in 2011, it would have been capable of supporting the equivalent of the entire “Hopper” system, with a theoretical peak performance of 1289 teraFLOPS, or three copies of the “Gaea C2” system, each with a theoretical peak performance of 716 teraFLOPS. The latter would certainly have been the three most powerful supercomputers in Canada at the time.

Of course, it is likely that the systems actually in use in Pod 1 require less than the maximum amount of cooling that the facility is capable of providing—quite possibly a lot less.

The site that hosts the #1 and #3 Canadian systems on the current Top500 list was built to accommodate a 4-megawatt load, about the same as Pod 1, but those two systems currently require only about 1.3 megawatts (plus whatever cooling and other support load is required at various times).

Further complicating analysis based on power consumption is the fact that the ratio of performance to electrical consumption in supercomputer systems is very sensitive to the design and especially to the date of construction of the system. The #3 computer mentioned above, about 37% as fast as the #1 system but about five years older, requires more than three times as much power as the #1 system requires (more than eight times as much per calculation).

Overall, however, I suspect that these factors increase the likelihood that CSE has the country’s top supercomputers.

Given Pod 1’s more recent construction, and CSE’s generous budgets in recent years, it seems likely both that CSE’s systems are more up to date and thus more power-efficient than the #3 system mentioned above and that Pod 1’s capacity is more fully utilized than the SciNet site’s.

Tuesday, December 09, 2014

November 2014 CSE staff size

2254, another new high.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Friday, December 05, 2014

CSE and NTAT cooperation

One of the NSA documents released in conjunction with The Intercept's new article on Five Eyes cellphone monitoring programs (Ryan Gallagher, "Operation Auroragold: How the NSA Hacks Cellphone Networks Worldwide," The Intercept, 4 December 2014) lists examples of CSEC cooperation with the (NSA?) Network Analysis Tradecraft Advancement Team (NTAT).

According to The Intercept, the document dates from 2010.

Update 10 December 2014:

Marc Thibodeau, "Cellulaires sous haute surveillance," La Presse, 9 décembre 2014.


Wednesday, November 26, 2014

Deibert on cybersecurity and democratic values

Must-read article from Citizen Lab's Ron Deibert on the dangers posed by putting cyberfoxes in charge of hen house security ("The Cyber Security Syndrome," OpenCanada.org, 25 November 2014):
What do we mean when we say “cyber security?” What is it, exactly, that we are securing? And for whom? Are we securing the Internet as a whole — that vast global information infrastructure that envelops the planet, from the code to satellites, the handheld devices, and everything in between?

Or, instead, do we mean ‘we protect our nation’s cyberspace first and others second, if at all’? Do we regard other nations’ networks as fair game to be “exploited” in order to gain competitive advantage?

The tension between these points of view is not unique to cyber security, but reflects a deeper tension at the heart of global politics today: between a slowly emerging sense of global responsibility and citizenship on the one hand, and the old Westphalian nation-state system on the other.

While the rift runs deep at the extremes, these competing worldviews can be reconciled. Indeed, for human rights to achieve their promise they must be entrenched across the globe by sovereign democratic states. Governments that are premised on human rights and the rule of law need agencies to domestically enforce the law while guarding their citizens from extremism or international violence.

But also fundamental to a liberal democratic society is that these agencies be highly accountable, transparent to democratically elected representatives, and unleashed to act only in tightly circumscribed ways; loosen those checks and balances, and you begin to unravel what it means to be a liberal democracy in the first place.
Worth reading the whole piece.

Thursday, November 20, 2014

Liaison office concerns

Jim Bronskill has written an interesting piece on the problems CSE's liaison officers have been experiencing in recent years ("Poor training, communication bedevilled Canada's Five Eyes liaisons: evaluation," Canadian Press, 19 November 2014):
Lack of training, poor communication with head office and sketchy expectations hampered the Canadian liaison teams embedded in the electronic spy agencies of Ottawa's Five Eyes partners, says a newly declassified evaluation.

The Ottawa-based Communications Security Establishment's foreign relations program is key to helping the spy service do its work, given the importance of relations with counterparts in the United States, Britain, Australia and New Zealand, the internal evaluation concludes.

But it calls for several changes to "achieve greater effectiveness and efficiencies."

The Canadian Press obtained a heavily censored copy of the August 2012 evaluation — originally classified "Secret/Canadian Eyes Only" — under the Access to Information Act.

...

CSE has special liaison offices at the U.S. National Security Agency and Britain's Government Communications Headquarters, as well as one in Canberra that provides representation to the electronic spy services of Australia and New Zealand.

In turn, Canada hosts members of the four foreign agencies.

The study found advance briefings for Canadian liaison staff sent overseas was largely limited to information about living and working abroad.

"Operational training offered to posted employees is scarce and self-initiated," the evaluation report says.

Staff heading to the foreign posts had to book meetings with CSE directors or enrol in internal courses. However, some noted that formal classroom training was not necessarily helpful.

"Rather, they felt that spending some time working with various operational areas during the pre-posting phase was often very beneficial."

In addition, liaison directors "seldom received feedback" on the initial planning documents they submitted to superiors.

Once on the job, the directors felt they were "often ill-informed" about developments at CSE headquarters. Management at CSE also expressed a desire for better communication. A senior manager lamented that information he received from one foreign post in particular was often either already known or outdated by the time it was sent to CSE.

"Because these employees are out of the country, it is very important that they have effective and reliable communications available to them," the report says.

CSE employees who took the foreign positions essentially gave up their previous jobs and CSE didn't have a formal process for reintegrating them into the Ottawa fold once their posting was done, it adds.

Upon return, posted employees "are often required to fill positions unrelated to their area of expertise and the experience and knowledge gained from the foreign posting are not exploited."

CSE spokesman Ryan Foreman said most of the evaluation's recommendations had been implemented, with the rest expected to be complete later this year.
Also interesting is this fact box on CSE's liaison offices, which reports the dates when the liaison offices were established. The years when the offices were established were already known, but the month of establishment was known only in the case of the office at GCHQ.

Here's a list of the Canadian Special Liaison Officers (CANSLOs) to NSA and GCHQ I compiled several years ago. The names of the more recent CANSLOs don't seem to be available, but every now and then one turns up.

I have also written a bit on the 2009 establishment of the CANSLO/C-W in Canberra. The first CANSLO/C-W was (evidently) a woman, but no names have been released so far.

Back in the old days, the job of CANSLO/W was often given to mid-ranking officers who were considered destined for greater things. The last two Chiefs of CSE to come from inside the ranks of the agency, Peter Hunt and Stew Woolner, both served as CANSLO/W earlier in their careers. (Since 1999, all Chiefs have been selected from outside the agency.)

The CANSLO/L slot, on the other hand, gained a reputation as a plum posting for senior officers just prior to retirement.

Undoubtedly there were exceptions to those patterns even then; it would be interesting to know if they continue to some degree today.

The liaison offices normally have several people posted to them, not just the liaison officer. During the Cold War period, there were (I believe) about four people at the NSA office and two at the GCHQ office. No information on the current size of these offices has been made public.

[Update 14 December 2014: Actually, the "CSEC 101: Foundational Learning Curriculum" document, released last year to Globe and Mail reporter Colin Freeze, indicates that the CANSLO/L office at GCHQ had three people assigned to it as of January 2013 (see page 447). The number of people at the CANSLO/W office at NSA is redacted but was at least six (see page 444). CSE "integrees" are not included in these figures.]

By contrast, in 2008 the NSA's liaison office at CSE had 12 people attached to it. It is possible, however, that this total included NSA "integrees" serving on exchange with CSE.