Thursday, April 17, 2014

CSEC and the Heartbleed bug

CSEC asserts that it was not aware of the Heartbleed bug until April 7th, the day the public learned of the bug. However, as CBC points out, that was still one day before the Canada Revenue Agency shut down its website in a belated effort to prevent unauthorized data leakage (Valerie Boyer, "CSEC aware of Heartbleed bug day before CRA website shutdown," CBC News, 16 April 2014).

A Bloomberg news report on April 11th claimed that the NSA (and thus, almost certainly, CSEC) has been exploiting the bug for at least two years. The U.S. government has denied that report, claiming that it would have reported the bug if it had been aware of it. It does acknowledge, however, that not all of the cyber security flaws that NSA knows of are disclosed.

Whether or not NSA and CSEC are telling the truth, the issue highlights the conflict of interest that these agencies have between their SIGINT mandates and their IT security mandates.

CSEC's IT security mandate (see National Defence Act para. 273.64(1)(b)) applies only to "electronic information and... information infrastructures of importance to the Government of Canada", so CSEC most likely considers that protection of the average Canadian citizen from cyber security flaws is simply not its job. Indeed, it might well argue that it is not allowed to assist in that regard, as it would not be lawful for the agency to engage in activities outside its statutory mandate.

But even if protection of the public were part of its mandate, there is zero chance that CSEC would reveal a bug that it learned about from its SIGINT allies if those allies wanted the bug to remain secret. And even a Canadian-discovered bug might well be reserved for SIGINT use rather than revealed to the world, or even other Canadian government organizations, for IT security reasons.

The SIGINT side of the house dominates the activities of all the Five Eyes agencies.

That said, CSEC does have a mandate to help secure the Canadian government's cyber infrastructure, and it does make a significant contribution in that regard.

As I understand it, the Government of Canada Computer Incident Response Team (GC CIRT) is the organization directly responsible for responding to threats to Canadian government cyber systems. Formerly part of CSEC, GC CIRT was transferred to Shared Services Canada, the government IT services agency, on November 1st, 2013. CSEC remains mandated to assist in protecting the Government of Canada information infrastructure, however, and the agency has confirmed that it worked with “government departments on mitigation and protection measures to address the Heartbleed bug.” It may well have been CSEC that monitored the exploitation of the flaw on the CRA website, which probably happened on April 7/8th.

Whichever agency ultimately was responsible for protecting Canadian government websites in this case, the overall response does not seem very impressive. You have to wonder why it took so long to react to such a significant security flaw in a site as crucial as Revenue Canada's.

Related news coverage:

- Jordan Press, "Weekend of confusion for Canadians as ‘Heartbleed’ bug forces government website shutdowns," Montreal Gazette, 12 April 2014
- Matt Hartley, "CRA waited days to inform Canadians of SIN leak," Financial Post, 14 April 2014
- Richard Blackwell & Tu Thanh Ha, "Tax agency leaves Heartbleed victims in the dark about stolen data," Globe and Mail, 14 April 2014
- "Heartbleed SIN breach suspect ID'd by RCMP," CBC News, 15 April 2014
- Daniel Leblanc & Tu Thanh Ha, "RCMP charge teen in relation to Heartbleed bug attack on CRA," Globe and Mail, 16 April 2014

Also of interest:

- Canadian Cyber Incident Response Centre Advisory AV14-017, issued 8 April 2014
- CSEC's IT Security Alert 65, issued 10 April 2014

Thursday, April 10, 2014

CSEC roundup 10 April 2014

Recent news and commentary items related to CSEC:

- Jim Bronskill, "Canadian cyberspy agency CSEC fretted about staff after Snowden leaks," Canadian Press, 7 April 2014

- Joe Lofaro, "Canadians ‘should be outraged’ by WiFi spy allegations: Borg," Metro, 3 April 2014

- Trevor Greenway, "Government spying: What’s legal? What’s not?" Metro, 3 April 2014

- Mark Stone, "Think Canadians are Less Immune to Government Spying Than Americans? Think Again," Tech Vibes, 3 April 2014

- Daniel Tencer, "U.S. Pushes Canada To Loosen Privacy Laws," Huffington Post Canada, 3 April 2014. See also Ken Hanley, "Op-Ed: U.S. claims using EU companies to circumvent NSA spying unfair," Digital Journal, 10 April 2014.

- "Hey CSEC, stop spying on me," editorial, Globe and Mail, 2 April 2014

- David Christopher, "Canada talks back about secret spying," rabble.ca, 19 March 2014

- Jim Bronskill, "ISPs Handing Over Data To Spies? Surprisingly, They Don't Want To Say," Canadian Press, 27 March 2014

- Christopher Parsons, "Accountability and Government Surveillance," Technology, Thoughts & Trinkets blog, 27 March 2014. Parsons reports on the government's response, or lack thereof, to a series of questions from MP Charmaine Borg concerning subscriber-related information obtained from telecommunications service providers. Full text of the responses from government departments here. As Parsons notes, CSEC's response (see page 66) was limited to uninformative boilerplate. Other coverage: Colin Freeze, "Border agency asked for Canadians’ telecom info 18,849 times in one year," Globe and Mail, 27 March 2014; Michael Geist, "Who Needs Lawful Access?: Cdn Telcos Hand Over Data on Thousands of Subscribers Without a Warrant," Michael Geist blog, 26 March 2014

- Derek James, "Bill C-13: Tories trying again to open door to undue state intrusion," Toronto Star, 26 March 2014

Also of interest, commentary related to Bill S-4, the new Digital Privacy Act (government backgrounder here):
- Michael Geist, "Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure," Michael Geist blog, 10 April 2014
- Tim Banks, "Canada’s Digital Privacy Rethink: Fines, Enforceable Compliance Agreements and More!" Privacy and Data Security Law blog, 9 April 2014

March 2014 CSEC staff size

2171.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Thursday, April 03, 2014

CSEC Chief testifies to National Defence committee

CSEC Chief John Forster and Minister of National Defence Rob Nicholson testified to the House of Commons Standing Committee on National Defence on April 3rd. (Audio available here; the transcript of the testimony won't be available for some time.)

[Update 28 April 2014: Transcript available here.]

Nicholson and Forster were originally scheduled to appear before the committee on March 6th, but that session was cancelled at the last minute, leaving observers wondering if Forster would appear before the committee at all.

It's reassuring to see that Forster's testimony did eventually take place.

The scheduled topics of discussion included questions related to the Supplementary Estimates (C) (and the activities in general) of the Department of National Defence as well as questions related to CSEC, so only part of the committee's time was dedicated to CSEC. But a lot of the discussion during the session did focus on CSEC.

Some detailed questions were posed by NDP defence critic Jack Harris and his colleague Elaine Michaud (although not perhaps the ones I or other outside observers might have asked), and some were also asked by Liberal Joyce Murray, but I don't think any especially new or enlightening information was provided by Forster or Nicholson in response. In some cases, Forster was unwilling even to provide information that has already been made public. Forster was very reluctant to confirm, for example, that one of the forms of support that CSEC may provide to federal law enforcement and security agencies is to intercept the communications of specific Canadians in cases where those agencies have a warrant to obtain those communications. (See here for confirmation of that role.)

We also got some softball questions from the government members. Ragging the puck is about all that government members are useful for on these committees, so I guess we shouldn't be too disappointed if that's all they do. Hope you enjoy your gold-plated pensions.

All in all, the meeting didn't do a lot to validate the government's claim that the National Defence committee is capable of performing genuine oversight over CSEC, but at least it was a start.

Let's hope the committee's "study of Communications Security Establishment Canada intelligence-gathering policies and practices" amounts to more than just this one part of one meeting.

Update 5 April 2014:

News coverage:

Colin Freeze, "CSEC dodges questions on relationship with Big Three telecom companies," Globe and Mail, 4 April 2014.

Update 10 April 2014: See excerpt of Harris's subsequent e-mail comments to Freeze here: "What happened on Thursday certainly couldn't pass for parliamentary oversight when MP's can't get straight answers on straightforward questions."