Tuesday, December 30, 2014

Canadian SIGINT Summaries

Christopher Parsons, a post-doctoral fellow at Citizen Lab, has just started a website called Canadian SIGINT Summaries, where he has begun to provide summaries of leaked or otherwise released government documents about CSE. The site also provides links to the actual documents.

The major topic of the site at the moment is the CSE documents that have been published to date as part of the Snowden revelations. But other Snowden documents that contain significant information about CSE are also discussed.

Parsons intends to add documents released under the Access to Information Act to the site as well.

The site is going to be a tremendously useful resource for anyone interested in Canadian SIGINT.

Bravo zulu!

Monday, December 29, 2014

Another CSE slide deck published

Der Spiegel published a new CSE slide deck on Sunday (part of a large dump of Snowden documents) in conjunction with a story discussing Five Eyes efforts to defeat common encryption methods used on the Internet (Jacob Appelbaum, Aaron Gibson, Christian Grothoff, Andy Müller-Maguhn, Laura Poitras, Michael Sontheimer & Christian Stöcker, "Prying Eyes: Inside the NSA's War on Internet Security," Der Spiegel, 28 December 2014).

The CSE deck, undated but probably from 2012, is titled "TLS Trends: A roundtable discussion on current usage and future directions".

The TLS in question is Transport Layer Security, the latest version of the Secure Sockets Layer protocol that provides encryption for many "secure" web transactions.

Der Spiegel (and other commentators) drew special attention to page 13 of the slides, which purports to list target activity at hockeytalk.com:
Canada's Communications Security Establishment (CSEC) even monitors sites devoted to the country's national pastime: "We have noticed a large increase in chat activity on the hockeytalk sites. This is likely due to the beginning of playoff season," it says in one presentation.

If on-line game chat rooms are sometimes monitored, then I suppose it's not impossible that Hockeytalk is also considered a possible location for communications that may have nothing to do with hockey.

But, really, this sounds more like a made-up example to me, along the lines of Pte. Bloggs and the Fantasians, than a real case.

Of greater interest to me is the frequent use of the word "warranted" in the presentation. As CSE does not obtain warrants for its foreign intelligence and cyber defence operations, this sounds like a reference to "Mandate C" operations, which CSE conducts in support of CSIS and the RCMP (and a few other agencies) and which entail the deliberate (but targeted) surveillance of Canadians or other persons in Canada.

[Update 7 January 2015: An additional possibility is that some of this material is foreign intelligence collected in Canada under warrants that CSIS obtains through section 16 of the CSIS Act.]

[Update 29 December 2014, 7:30 pm: A report in VICE (Patrick McGuire, "We Learned Very Little about Canada’s Cybersurveillance Agency, CSEC, in 2014," VICE, 29 December 2014) also concludes that the Hockeytalk reference was intended to be humourous. An update to the article reports that CSE spokesperson Ryan Foreman assured VICE that the Hockeytalk slide was "obviously fictitious content", adding that "CSE is prohibited by law from directing its foreign intelligence or cyber defence activities at Canadians anywhere in the world or at anyone in Canada."

If there's one thing that we didn't need to learn about CSE in 2014, because we already ought to have known it, it's that they always neglect to mention Mandate C.]

Canada also comes in for a mention in another document released by Der Spiegel, this one describing a German operation against a Taliban commander/narcotics trafficker in Afghanistan that was supported by SIGINT analysts at NSA Georgia (NSAG):
Near-real-time locational data on [redacted] was passed from NSAG to the Germans via the Coalition’s CENTER ICE system.... The use of CENTER ICE was critical to the success of this operation. At NSAG CENTER ICE was manned by a Canadian integree within the Coalition Support Cell. Of note, this was the first time that CENTER ICE has been used at NSAG to support a live operation, in addition to the first time the Germans have used CENTER ICE for coordination such as this.
"CENTER ICE was manned by a Canadian integree..."

There's that hockey thing again!

The Canadian Forces Information Operations Group, the military arm of the Canadian SIGINT community, has a detachment of around 10 personnel working at NSA Georgia.

Friday, December 19, 2014

Round up the usual five

The term "Five Eyes" is now well established as a short-hand name for the intelligence and security partnership among the United States, the United Kingdom, Canada, Australia, and New Zealand.

One interesting byproduct of the term has been a proliferation of intergovernmental "Five" committees on topics of common security or intelligence interest.

We now have the Border Five, comprising the customs and border protection agencies of the Five Eyes countries, and the Critical Five, addressing critical infrastructure issues.

There is also the Usual Five (see page 28), a working group on cyber security issues, and the Ottawa Five (see page 79), which presumably first met in Ottawa but now meets at venues all around the world. The latter is "a group of Five Eyes allies that focuses on coordinating international cyber and Internet policy" and discusses "approaches to cyber security issues domestically and internationally" (description from Public Safety Canada documents released through the Access to Information Act; H/T to MZ).

It is heart-warming—or is that heart-bleeding?—to know that our collective efforts to undermine internet security will forever be associated with our own capital city.

The same five countries also cooperate on law enforcement issues, but inexplicably that forum is called the Strategic Alliance Group, which sounds more like a bunch of financial consultants, or maybe tire salesmen. I guess the "Magnificent Five" was taken.

The Strategic Alliance Group is "a formal partnership... dedicated to tackling larger global crime issues, particularly organized crime".

The SAG has a subgroup of its own on cyber issues, the Strategic Alliance Cyber Crime Working Group.

Are there any other "Five" groups out there?


Update 12 May 2015:

Looks like a recent homefield meeting of the Ottawa Five, or maybe another group (the Bullying Five?), here: Mike Blanchfield, "Canada hosted Five Eyes meeting to target global cyberbullies: MacKay," Canadian Press, 11 May 2015.

Update 23 June 2016:

More from the law enforcers: the Five Eyes Law Enforcement Group.

Update 16 December 2016:

Military Five Eyes fora.

Sunday, December 14, 2014

CSE and hacking of telecom operations

More evidence of the extent to which CSE is involved in Five Eyes efforts to hack into the systems of telecommunications providers can be found in this document, which was published by The Intercept in conjunction with its most recent article on the Belgacom penetration (Ryan Gallagher, "Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco," The Intercept, 13 December 2014).

The document is a 2011 joint presentation titled "Automated NOC [Network Operations Centre] Detection" authored by the Head of the GCHQ Network Analysis Centre and a Senior Network Analyst at CSE's own Network Analysis Centre. It discusses the work of the Five Eyes "Network Analysis community" to "automate the detection of Network Operations Centres" in order to facilitate subsequent efforts to hack into those centres.

The presentation reports that
During March 2011 GCHQ Analysts visited CSEC to look at the [sic] using PENTAHO for tradecraft modelling working with CSEC NAC and CSEC/H3 software developers to see if could model NOCTURNAL SURGE in PENTAHO and then implement in OLYMPIA

Only possible to attempt because:
– GCHQ NAC use PENTAHO
– CSEC NAC/H3 use PENTAHO
– CSEC NAC have implemented GCHQ NAC TIDAL SURGE Database Schema (DSD also have this..)
According to the article in The Intercept, NOCTURNAL SURGE is a tool developed by GCHQ "to search for particular engineers and system administrators by finding their IP addresses, unique identifiers that are allocated to computers when they connect to the internet."

OLYMPIA is a more general-purpose CSE-developed tool to help analysts identify potential SIGINT targets and compile information about their communications systems and contacts. It provides automated access to a wide variety of CSE and allied SIGINT and communications databases. (More information here.)

The Intercept report interprets the presentation to mean that "GCHQ refined the NOCTURNAL SURGE system with the help of its Canadian counterparts, who had developed a similar tool, named PENTAHO."

I wonder whether PENTAHO might simply be the data analysis software produced by the company of the same name, but either way the presentation is clear evidence of CSE interest in targeting telecom operators.

A report earlier this month in The Intercept also provided evidence of CSE involvement in such efforts.

Interestingly, CSE's infamous "airport wi-fi" experiment was also conducted by the CSE Network Analysis Centre, which seems to be the go-to place at CSE for anything related to analyzing/monitoring the Internet or computer networks in general.

The H3 unit, on the other hand, seems to be a software development shop. H3 also turns up in this document.


(H/T to Ron Deibert.)

Wednesday, December 10, 2014

CSE and supercomputers

Who has the most powerful supercomputers in Canada?

According to the well-known Top500 list, the top supercomputers in Canada in terms of peak processing speed are operated by SOSCIP/LKSAVI/University of Toronto, “IT Service Provider C”, SciNet/University of Toronto/Compute Canada, and Calcul Canada/Calcul Québec/Université de Sherbrooke.

SOSCIP frequently boasts that its supercomputer “is the fastest in Canada on the TOP500 list of the world's top supercomputers”.

But there is at least one Canadian institution that doesn’t report its computer capabilities to the Top500 list: the Communications Security Establishment.

[Update 13 August 2015: However, its computers do occasionally turn up on the list described as classified "Government" systems, etc., as noted here.]

In 1985, when CSE entered the supercomputing business, the Cray X-MP/11 it acquired was definitely the most powerful computer in the country.

But that was a long time ago, and today that computer is just a piece of computer history.

Still, it is likely that CSE’s subsequent supercomputer acquisitions, including successive generations of Cray products, have kept the agency at or near the top of the Canadian list ever since.

In general terms, this is no secret.

In 2004, member of parliament David Price, noting the post-9/11 computer purchases made by CSE, asked CSE Chief Keith Coulter if “we are still one of the top ones… in the world with the system that we do have.” Coulter’s reply was, “Yes. Top in the world? We're definitely one of the top in the country. The National Security Agency has more computing power than any organization in the world.”

CSE remains coy about the exact nature of its high performance computing capabilities, but as recently as 2013 it was willing to state that “CSEC is Canada's centre for high performance computing”, operating “state-of-the-art equipment”. Its recruiting site currently states that CSE operates “some of the most powerful computers in Canada”, and until 2010 job notices specified that CSE “computer scientists utilize a variety of computer systems including SUN, HP and IBM servers, personal computers, DEC systems, and state-of-the-art computers such as the Cray.”

More specific claims occasionally turn up in news articles about the agency.

In 2012, it was reported that CSE’s new headquarters would house “the three most powerful supercomputers in Canada”. And a QMI Agency report in 2013 stated that CSE’s new headquarters will house “the country’s five most powerful computers”.

In neither case were these claims attributed to a specific source, and CSE has never confirmed either claim, but it is difficult to believe that these reporters would have reported such specific information if they hadn’t heard it directly from what they considered to be an inside source.

The level of performance required to rank as the country’s most powerful computer is a constantly moving target, of course, but the claims seem entirely plausible.

In 2011, CSE completed a brand-new high-performance computing centre, the Mid-Term Accommodation Project, now known as Pod 1 of CSE’s new headquarters complex.

Pod 1 was a very expensive building for its size, costing $61.5 million according to CSE. A simple high-security office building of the same size would have cost about $25 million to build, so it’s probably a safe assumption that, in addition to covering the cost of electrical distribution systems, uninterruptible power supplies, and cooling systems required by a data centre, the building’s budget also covered the purchase of some pretty significant computer capabilities.

It is also likely that substantial additional computer money has been made available since. CSE has not lacked for funds in recent years (see here and here), and there’s no reason to build a state-of-the-art computing centre if it’s not going to contain state-of-the-art computers.

As the news articles suggest, the building may well contain multiple high performance systems. (In addition, the data storage systems in the separate data warehouse also built at CSE’s new complex might also be considered a form of supercomputer.)

As the systems on the Top500 list show, a variety of different manufacturers produce supercomputing systems, and it is possible, perhaps even likely, that CSE has obtained systems from more than one company. It seems certain, however, that one or more Cray systems continue to be in use at CSE.

Cray has maintained a close relationship with the major Five Eyes SIGINT agencies throughout the history of the various companies that have borne that name, and as noted above, CSE was acknowledging its own continuing relationship with Cray as recently as 2010.

It is surely no coincidence that Cray Inc. is currently looking for a Customer Service Systems Engineer to “provide hardware and software technical support and maintenance for Cray Inc. massively parallel (MPP) computer systems” at a “classified account headquartered in Ottawa, Canada”. According to the notice, Canadian citizenship is “a must” for the job, as is a “Top Secret (SBI) security clearance”.

Cray’s ad doesn’t reveal the name of its customer, but there’s only one Canadian agency that belongs to the Cray Users Group.

CSE’s Australian counterpart, the Australian Signals Directorate (previously known as the Defence Signals Directorate), acknowledged purchasing a $14.5 million Cray system in 2010.

Although no details of that system were released, at that cost and date it was probably a medium-sized XE6 system, or something with comparable performance, with a theoretical peak processing speed on the order of 300 teraFLOPS and consuming around 0.9 megawatts of electrical power. (This is a guess based on the reported performance and $45 million cost of the larger Cray Cielo system purchased by the U.S. that year.) If so, it was the most powerful supercomputer in Australia at the time and would have been roughly on par with the top publicly acknowledged supercomputer in Canada that same year.

[Update 13 August 2015: Alternatively, it may have been a Cray XMT system, discussed here.]



Did CSE purchase something similar, or more powerful, for its new high performance computing centre in 2011?

The two cooling towers on the roof of Pod 1 provide a bit of a clue (photo courtesy of Chuck Clark).

The two towers, built by Evapco, appear to be from the company’s AT-112-514 to 112-914 series, which means that each tower is capable of providing 494–574 tons of nominal cooling. If both towers were in full use, this would provide cooling for equipment consuming roughly 3.5 to 4 megawatts, of which the IT load might comprise around 3 megawatts. (At least, that’s what I think can be concluded; I would be grateful if readers would correct any errors in the preceding.)

If these conclusions are correct, then Pod 1 has the capability of supporting a much more capable computer system, or set of systems, than that apparently purchased by ASD in 2010. (Moreover, there is space available in the enclosure on the roof for an additional cooling tower, suggesting that the building was designed to accommodate even greater cooling capacity if it is ever required.)

If the building was using its full two-tower cooling capacity in 2011, it would have been capable of supporting the equivalent of the entire “Hopper” system, with a theoretical peak performance of 1289 teraFLOPS, or three copies of the “Gaea C2” system, each with a theoretical peak performance of 716 teraFLOPS. The latter would certainly have been the three most powerful supercomputers in Canada at the time.

Of course, it is likely that the systems actually in use in Pod 1 require less than the maximum amount of cooling that the facility is capable of providing—quite possibly a lot less.

The site that hosts the #1 and #3 Canadian systems on the current Top500 list was built to accommodate a 4-megawatt load, about the same as Pod 1, but those two systems currently require only about 1.3 megawatts (plus whatever cooling and other support load is required at various times).

Further complicating analysis based on power consumption is the fact that the ratio of performance to electrical consumption in supercomputer systems is very sensitive to the design and especially to the date of construction of the system. The #3 computer mentioned above, about 37% as fast as the #1 system but about five years older, requires more than three times as much power as the #1 system requires (more than eight times as much per calculation).

Overall, however, I suspect that these factors increase the likelihood that CSE has the country’s top supercomputers.

Given Pod 1’s more recent construction, and CSE’s generous budgets in recent years, it seems likely both that CSE’s systems are more up to date and thus more power-efficient than the #3 system mentioned above and that Pod 1’s capacity is more fully utilized than the SciNet site’s.

Tuesday, December 09, 2014

November 2014 CSE staff size

2254, another new high.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Friday, December 05, 2014

CSE and NTAT cooperation

One of the NSA documents released in conjunction with The Intercept's new article on Five Eyes cellphone monitoring programs (Ryan Gallagher, "Operation Auroragold: How the NSA Hacks Cellphone Networks Worldwide," The Intercept, 4 December 2014) lists examples of CSEC cooperation with the (NSA?) Network Analysis Tradecraft Advancement Team (NTAT).

According to The Intercept, the document dates from 2010.

Update 10 December 2014:

Marc Thibodeau, "Cellulaires sous haute surveillance," La Presse, 9 décembre 2014.