Wednesday, February 25, 2015

Bcc: CSE



The CBC and The Intercept have published new reports on the collection by CSE's cyberdefence program of e-mail and website contacts between Canadians and the federal government (Amber Hildebrandt, Michael Pereira & Dave Seglins, "CSE monitors millions of Canadian emails to government," CBC News, 25 February 2015; Ryan Gallagher & Glenn Greenwald, "Canadian Spies Collect Domestic Emails in Secret Security Sweep," The Intercept, 25 February 2015).

As explained in the CBC report,
A top-secret document written by Communications Security Establishment (CSE) analysts sheds new light on the scope of the agency’s domestic email collection as part of its mandate to protect government computers. ...

The surveillance service vacuums in about 400,000 emails to and from the government every day and then scans them using a tool called PonyExpress to look for any suspicious links or attachments, according to the top-secret document.

That automated system sifts through them and detects about 400 potentially suspect emails each day — about 146,000 a year. That system sends alerts to CSE analysts, who then can take a closer look at the email to see if it poses any threat.

Only about four emails per day — about 1,460 a year — are serious enough to warrant CSE security analysts contacting the government departments potentially affected. ...

CSE holds on to emails for “days to months,” while metadata -- the details about who sent it, when and where -- is kept for “months to years,” according to the document. The agency also records metadata about visits to government websites.
The number of e-mails said to be serious enough to take action on (~1460/year) corresponds well to the range for e-mails "used or retained" by the CSE cyberdefence program (1000-3996/year) that I reported here based on analysis of CSE documents released under the Access to Information Act.

As the CBC notes, the number of e-mails and other contacts monitored and the number ultimately flagged for action are likely to have increased since the 2010 document was written. In 2010 CSE routinely monitored only its own communications and those of the Department of National Defence and the Department of Foreign Affairs. It has since also become responsible for monitoring communications to the rest of the Government of Canada through the Shared Services Canada network. However, the Access documents suggest that, as of a year or two ago, the total number used or retained per year remained lower than 4000.

The CSE document that today's reports are based on, another one of the Five Eyes documents leaked by Edward Snowden, can be found here. (Be sure to check the second half of the file, where the speaker's notes accompanying the powerpoint slides were also reproduced.)

The CBC also published a very interesting set of CSE responses to questions that its reporters put to the agency. (But don't expect all the questions to be answered.)

The activities revealed in today's reports are the kinds of things we would expect a cyberdefence program to do, and the CBC was right, I think, to report the information without trying to make a scandal out of it. That said, there are legitimate questions about how much information concerning Canadians' interactions with their government is retained by CSE, how long that information can be held, and what purposes that information can be used for, and the CBC was also right to report those questions‐and CSE's partial responses.

Update 1 March 2015:

Further coverage/commentary:

- Nicole Bogart, "CSE monitors your emails to the government: What you need to know," Global News, 25 February 2015

- Adrian Lee, "So, when do we start caring about privacy?" Maclean's, 25 February 2015

- Craig Desson, "Leaked files show Canadian spy agency struggling with flood of data," Toronto Star, 26 February 2015

- Ken Hanly, "Op-Ed: Canadian spy agency collects Canadian emails to government sites," Digital Journal, 26 February 2015

Tuesday, February 24, 2015

CSE 2015-16 budget $538 million

The Main Estimates for fiscal year 2015-2016, which were tabled in parliament today, show that CSE's budget is projected to be $538 million in the coming year.

The agency's 2015-16 budget is down significantly from its 2014-15 budget, but the difference is almost entirely due to the one-time $300-million payment made to the builders of CSE's new headquarters complex on its completion last year. As the Main Estimates note, "Following delivery of CSE's new facility in 2014–15 and its associated one-time contract costs, [the 2015-16 budget will feature] a combined reduction in funding of $306.7 million for operating and accommodations".

CSE's 2014-15 budget authority currently stands at $849 million, although it is possible that not all of that sum will be spent by the end of the fiscal year. If the $306.7 million reduction is excluded, the current budget and the coming budget are almost identical, and the amount that is actually spent in the coming year could well be higher.

Although CSE's budget transparency declined significantly after it became a stand-alone agency in 2011, one point of new information did begin to be regularly reported by the government: the breakdown in CSE's budget between its two main activities, the SIGINT program and the Information Technology Security (ITS) program.

According to the Main Estimates, in 2015-16 the SIGINT program will account for $388 million, or 72%, of CSE's budget, while the ITS program will account for $150 million, or 28%.

For comparison, here is the breakdown in previous years:

2014-15: 72/28
2013-14: 68/32
2012-13: 69/31

These numbers suggest that, despite increasing concern about Canada's vulnerability to cyberattacks and cyberespionage, CSE's SIGINT program has been growing faster than the ITS program in recent years. However, such numbers are likely to fluctuate quite significantly from year to year as capital spending related to specific projects starts and stops, so it is probably too early to draw conclusions about overall trends.

The ITS program (then known as COMSEC) accounted for only about 20% of CSE personnel in the mid-1970s, whereas the figure now is probably about 25%, so the long-term trend has been a gradual increase in the relative size of the ITS program.

Sunday, February 22, 2015

Minor budget boost for CSE

The Supplementary Estimates (C), which were tabled in parliament on February 19th, show that CSE's budget authority for the current fiscal year (2014-15) has been boosted by an additional $610,528, for a total budget authority of $849,407,283. (Previous discussion of the 2014-15 budget here and here.)

The primary cause of the latest boost is a $600,000 transfer from the Department of National Defence in return for "the permanent transfer of two generators to Canadian Forces Base Trenton". The two generators in question are presumably the large containerized generators that used to supply back-up power to CSE's high-performance computing centre, the new headquarters building's Pod 1. I noted the recent disappearance of those two generators here.

The remainder of the budget boost comes from a $10,527 transfer from Public Works and Government Services for "reimbursement of funds for the transformation of pay administration".

The document also provides for a $1 appropriation to "authorize" the abovementioned transfers. To the best of my knowledge, this last is a form of a ritual sacrifice to the Gods of fiscal management.

Friday, February 13, 2015

January 2015 CSE staff size

2179: another decline, but quite possibly reflecting normal fluctuation.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Wednesday, February 11, 2015

Recent items of interest

Recent CSE-related news/commentary items:

- Justin Ling, "Bankers Tell Canadian Government They Want Spy Briefs Too," Vice, 10 February 2015.

- Christopher Parsons, "Six New Additions to the SIGINT Summaries," Technology, Thoughts & Trinkets blog, 6 February 2015.

- Colin Freeze, "Canadian agencies use data stolen by foreign hackers, memo reveals," Globe and Mail, 6 February 2015.

- Alex Boutilier, "Canadian military wants to be ‘main player’ in global intelligence, document shows," Toronto Star, 6 February 2015.

- Jim Bronskill, "Supreme Court to weigh legality of CSIS’s overseas spying," Canadian Press, 5 February 2015.

- Glenn Greenwald, "Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise," The Intercept, 4 February 2015.

- Justin Ling, "The Harper Government Still Thinks CSE Is Acting Legally," Vice, 4 February 2015.

Also of interest are these two articles analyzing Five Eyes (including CSE) malware activities (h/t to Bruce Schneier):

- Claudio Guarnieri, "Everything we know of NSA and Five Eyes malware," nex.sx blog, 27 January 2015.

- MH, "If the NSA has been hacking everything, how has nobody seen them coming?" thinkst thoughts blog, 27 January 2015.

EONBLUE: CSE cyber threat detection system "deployed across the globe"



Matthew Braga has written a very interesting and informative report on CSE's EONBLUE cyber threat detection system ("How Canadian Spies Infiltrated the Internet's Core to Watch What You Do Online," Motherboard, 11 February 2015):
[A]t over 200 locations around the world, spies from Canada's cyberintelligence agency have been monitoring huge volumes of global internet traffic travelling across the internet's core.

​From these locations, Communications Security Establishment (CSE) can track who is accessing websites and files of interest. Its analysts can also log email addresses, phone numbers and even the content of unencrypted communications—and retain encrypted communication for later study, too—as well as intercept passwords and login details for later access to remote servers and websites.

​But perhaps more importantly, tapping into global internet traffic is a means for CSE to monitor, and also exploit, an ever growing list of digital threats, such as vulnerabilities in networks and computers and the spread of malware as well as botnets and the computers under their control. In the process, analysts can keep tabs on both friendly and foreign governments conducting covert cyber attacks and infiltration of their own.

Such vast access to the backbone of the internet is achieved through a program called EONBLUE. According to documents disclosed by whistleblower Edward Snowden, ​and published by Der Spiegel last month, the program is designed to "track known threats," "discover unknown threats," and provide "defence at the core of the Internet.” ...

While the locations of EONBLUE sites are not disclosed in the documents, one slide makes reference to the internet's "core" and describes EONBLUE's ability to "scale to backbone internet speeds"—implying possible access to telecom operators, data centers, undersea cables and other infrastructure providers worldwide.

Such access would mean that much, if not all of the data, travelling through a location tapped by CSE could be subject to surveillance. Though the agency maintains it cannot legally track Canadians at home or abroad it is hard to fathom how such data could be exempt.
And in fact it wouldn't be exempt. CSE can and does monitor Canadian communications and other Canadian data that pass through its foreign-intelligence and cyber-threat collection sensors, and it is entirely legal for it to do so as long as that data wasn't specifically targeted for collection on the basis of its being Canadian or being related to a specific Canadian or person in Canada (i.e., the National Defence Act requires only that CSE's Mandate (a) and (b) activities "not be directed at Canadians or any person in Canada" [emphasis added]). If CSE targets material on some other basis and some percentage of the information pulled in turns out to be Canadian-related, as inevitably some will, that is considered "incidental" collection, which is permitted under the law as long as a suitable Ministerial Authorization is in place.

(I'm not saying that incidental collection is not an issue worthy of concern, by the way—just pointing out that the government, which wrote the law specifically to permit this kind of activity, is not breaking the law when it engages in it.)

It is also worth noting that CSE does have the ability to target Canadians when it is operating under its Mandate (c), i.e., providing support to federal law enforcement or security agencies, but in that case the targeted Canadian must be the subject of a judicial warrant obtained by one of those agencies.

More from Braga:
One slide suggests that EONBLUE sits on-top of existing collection programs, such as SPECIALSOURCE, and ​sometimes referred to as Special Source Operations (SSO)—a term that has been used in other documents to indicate direct access to fibre-optic cables and ISPs.

In other words, CSE’s partner agencies—or another division within CSE itself—are likely responsible for gaining physical access to internet infrastructure, and then making that data available to programs such as EONBLUE.
I think that's correct. Note also that the slide (which is reproduced in Braga's article) shows that EONBLUE is also deployed at "CANDLEGLOW (FORNSAT)", which apparently refers to CSE's foreign satellite monitoring activities at CFS Leitrim, just south of Ottawa.