Sunday, March 29, 2015

NSA mapped Canadian VPNs

I'm late to blogging about this one (no slight intended to the Globe and Mail):

Earlier this month the Globe and Mail reported on a leaked document showing that NSA's mapping of Virtual Private Networks (VPNs) includes the VPNs of major Canadian companies (Colin Freeze & Christine Dobby, "NSA trying to map Rogers, RBC communications traffic, leak shows," Globe and Mail, 17 March 2015):
The U.S. National Security Agency has been trying to map the communications traffic of corporations around the world, and a classified document reveals that at least two of Canada’s largest companies are included.

A 2012 presentation by a U.S. intelligence analyst, a copy of which was obtained by The Globe and Mail, includes a list of corporate networks that names Royal Bank of Canada and Rogers Communications Inc.

The presentation, titled “Private Networks: Analysis, Contextualization and Setting the Vision,” is among the NSA documents taken by former contractor Edward Snowden. It was obtained by The Globe from a confidential source.

Canada’s biggest bank and its largest wireless carrier are on a list of 15 entities that are visible in a drop-down menu on one of the presentation’s 40 pages. It shows part of an alphabetical list of entries beginning with the letter “R” that also includes two U.K.-headquartered companies – Rolls Royce Marine and Rio Tinto – and U.S.-based RigNet, among other global firms involved in telecom, finance, oil and manufacturing.

The document does not say what data the NSA has collected about these firms, or spell out the agency’s objective. A comparison of this document with previous Snowden leaks suggests it may be a preliminary step in broad efforts to identify, study and, if deemed necessary, “exploit” organizations’ internal communication networks.

Christopher Parsons, a researcher at the University of Toronto’s Citizen Lab, who reviewed the leaked document with The Globe, said the activity described could help determine useful access points in the future: “This is preparing the battlefield so it could later be used.

“This is … watching communications come in and out of a network and saying, ‘Okay, these are the places we need to go in.’”
The Globe and Mail has not published the presentation, and the newspaper is being mysterious about the provenance of the document, citing only a "confidential source". (Previous Canadian releases of documents from the Snowden archive have been co-ordinated with Glenn Greenwald or other journalists at The Intercept, but there is no evidence of that co-ordination in this instance.)

[Update: However, this single page, previously released by Greenwald, appears to come from the same document. H/T to FVEYdocs.org.]

Some background information on the NSA's efforts to map and monitor VPNs can be found in this separate document, published in December by Der Spiegel. Interesting tidbit: Page 26 appears to show collection of the communications of the United Nations Assistance Mission for Iraq (UNAMI).

As the Globe and Mail reported, the presence of Rogers and RBC on the NSA's list of VPNs raises questions about the extent to which NSA may be monitoring the communications of Canadian corporations and persons.

Freeze and Dobby note—with a link to this blog (thanks!)—that "Today, under the terms of a 66-year old reciprocal accord, Washington and Ottawa agree to refrain from spying on the communications of each other’s citizens and entities."

To the best of my knowledge, there is no explicit no-targeting accord within the CANUSA agreement itself. (The text has never been released.)

But there is certainly a common understanding among the members of the Five Eyes community that they will not target each other in their routine operations. This understanding is part of the overall amalgam of resolutions, common strategic directions, agreed procedures, and established practices that have grown out of the UKUSA agreement and subsidiary agreements such as CANUSA.

However, as I noted here, that understanding is "more what you'd call 'guidelines' than actual rules".

For one thing, the prohibition doesn't apply if the monitored party agrees to the targeting, which is not likely to occur on a blanket basis, but almost certainly does in more limited contexts. Second, it doesn't apply to "incidental" (i.e., non-targeted) collection, which under some programs can capture nearly everything transmitted. Third, it is well understood by all parties that all reserve the right to secretly target one another when "national interests" dictate that that's desirable.

As the CSE Commissioner stated in one of his classified reports (later released under ATIP), "The UKUSA and CANUSA Agreements do not refer to specific protections; for example, the agreements do not refer to the terms 'privacy' or 'personal information'." However, the "cooperative agreements and resolutions" among the parties "include a commitment by the Five-Eyes to respect the privacy of each others’ citizens, and to act in a manner consistent with each others’ policies relating to privacy. It is recognized, however, that each of the Five-Eyes is an agency of a sovereign nation that may derogate from the agreements, if it is judged necessary for their respective national interests."

The classification markings on the G&M's VPN document evidently indicated that it was releasable to Canada, which shows that NSA did not feel any need to hide the VPN mapping from Canada. So in this case we're not looking at the U.S. government going behind the back of the Canadian government to secretly target Canadians.

But that may be little consolation to Rogers, RBC, and the other Canadian corporations and individuals whose VPN communications may have been, or may in the future be, collected by NSA as a result of this mapping.

The Globe and Mail also published a follow-up article:

Colin Freeze & Christine Dobby, "Reports of NSA spying on Canadian companies fuel calls for more transparency," Globe and Mail, 17 March 2015.

See also:

Colin Freeze & Christine Dobby, "Watchdog presses Ottawa for strong rules on sharing surveillance data," Globe and Mail, 18 March 2015.

Friday, March 27, 2015

CSE and Bill C-51

Must-read from Citizen Lab Director Ron Deibert ("Who Knows What Evils Lurk in the Shadows?" Canadian International Council opencanada.org, 27 March 2015):
Many stakeholders and experts have weighed in on various aspects of C-51 as the proposed legislation has touched off a vigorous public debate. I am going to focus on issues around the role of Canada’s Communications Security Establishment (CSE), our country’s main signals intelligence (SIGINT) agency and the subject of significant media coverage since June 2013 and the disclosures of former National Security Agency (NSA) contractor Edward Snowden.

As one of Canada’s principal security and intelligence agencies, CSE would factor into C-51 in a substantial way. One of the most contentious parts of C-51, the Information Sharing Act, would relax rules on information sharing among at least 17 government agencies, CSE included. As the lead agency charged with gathering intelligence from the global information infrastructure (i.e. the Internet and all Internet-connected systems), protecting Canadian networks from threats abroad, and providing “technical assistance” to Canada’s other security agencies, CSE will be front and centre around the “big data” analysis opened up by C-51 and would take on an even more prominent role than it has today around our security, foreign intelligence, and law enforcement. In order to make an informed opinion, it is imperative that Canadians understand how this highly classified agency operates, what are the statutory limits to its authority, and how it will change should C-51 pass into law.
Go read the whole piece.

Wednesday, March 25, 2015

A very Canadian Glomar

Back in the 1970s, the United States pioneered the "Glomar response"—neither confirming nor denying a fact or the existence of certain information—in response to enquiries about this very interesting operation. Canadian authorities also routinely use the Glomar response on intelligence-related and other sensitive matters.

But the CBC's recent reporting on CSE plans and capabilities has elicited a uniquely Canadian variation on the Glomar response: "Not necessarily".

As in this statement:
The leaked materials are dated documents, and some explored possible ideas to better protect the Government of Canada’s information systems while also seeking cost efficiencies. As a result, information in these documents does not necessarily reflect current CSE practices or programs, or the degree to which CSE has visibility into global or Canadian infrastructures.
Maybe it does reflect current CSE practices and maybe it doesn't. Who can say?

I like this approach. It has a very Canadian ring to it, redolent of a former prime minister's historic pledge: "Not necessarily conscription, but conscription if necessary."

It works a lot better, in my opinion, than then-National Security Advisor Stephen Rigby's attempt last year to establish the "I [Stephen Rigby] am not persuaded" response, which was put on full display here:
I would say in responding to some of the media reports that I am not totally persuaded that CSEC has tapped into airport Wi-Fi. ...

The controls, checks and accountabilities that are currently present for both CSIS and CSEC are reasonably robust. To a certain extent, there's been a lot of public debate about some of the actions of our security agencies as a result of Mr. Snowden's disclosures. I'm not persuaded at the end of the day that all of them are 100 per cent accurate.
Lest readers think that Mr. Rigby is entirely unpersuadable, it should be noted that during the same hearing he did declare himself "persuaded" by the government's reasons for appealing Justice Richard Mosley's damning 2013 ruling on CSIS 30-08 warrants—which was eventually upheld.


Monday, March 23, 2015

CBC on CSE cyberwarfare plans and capabilities



The CBC has a major new release on CSE's cyberwarfare plans and capabilities today (Amber Hildebrandt, Michael Pereira & Dave Seglins, "Communication Security Establishment's cyberwarfare toolbox revealed: Mexico, North Africa, Middle East among targets of cyber-spy hacking," CBC News, 23 March 2015):
Top-secret documents obtained by the CBC show Canada's electronic spy agency has developed a vast arsenal of cyberwarfare tools alongside its U.S. and British counterparts to hack into computers and phones in many parts of the world, including in friendly trade countries like Mexico and hotspots like the Middle East.

The little known Communications Security Establishment wanted to become more aggressive by 2015, the documents also said.

Revelations about the agency's prowess should serve as a "major wakeup call for all Canadians," particularly in the context of the current parliamentary debate over whether to give intelligence officials the power to disrupt national security threats, says Ronald Deibert, director of the Citizen Lab, the respected internet research group at University of Toronto's Munk School of Global Affairs.

"These are awesome powers that should only be granted to the government with enormous trepidation and only with a correspondingly massive investment in equally powerful systems of oversight, review and public accountability," says Deibert.

Details of the CSE’s capabilities are revealed in several top-secret documents analyzed by CBC News in collaboration with The Intercept, a U.S. news website co-founded by Glenn Greenwald, the journalist who obtained the documents from U.S. whistleblower Edward Snowden.
There's a lot in the CBC report that I won't try to summarize here. Go read it.

See also this sidebar: Amber Hildebrandt, Michael Pereira & Dave Seglins, "From hacking to attacking, a look at Canada's cyberwarfare tools: The secret techniques developed by the Communications Security Establishment," CBC News, 23 March 2015.

A couple of short videos are also part of the package:

- Cyberwarfare toolbox revealed

- Disruption possibilities


There is a great deal of additional information on EONBLUE and many other topics in the documents that the CBC based its reporting on, which it released with mostly minor redactions:



- CASCADE: Joint Cyber Sensor Architecture

- NSA memo on intelligence relationship with CSE

- CSEC Cyber Threat Capabilities

- Cyber Threat Detection

- CSEC SIGINT Cyber Discovery

CSE's response to CBC's questions, a much less informative document, was also published.

The NSA memo on the intelligence relationship with CSE was also released in redacted form by the CBC in December 2013 as part of these two stories. The redactions in the current version are nearly identical, but this time it is clearer that the document is actually four pages long.

The current version also briefly left unredacted the fact that the "unique geographic access to areas unavailable to the U.S." that CSE provides to its U.S. partner is our "sites in the PRC", the People's Republic of China.


Update 6:00 pm 23 March 2015:

Coverage/commentary:

- Christopher Parsons, "Canada has a spy problem," National Post, 23 March 2015.

- Nick Taylor-Vaisey, "QP Live: The CSE is no longer a secret," Maclean's, 23 March 2015.

- Martin Anderson, "‘Create unrest’: Canada’s CSE agency includes ‘false flag’ operations as part of newly-revealed cyberwarfare scope," The Stack, 23 March 2015.

- Nestor E. Arellano, "Leaked documents reveal Canada’s cyber warfare tools," IT World Canada, 23 March 2015.

Update 10 pm:

Further CBC coverage:

- Dave Seglins, "Canada's cyberwarfare capabilities revealed," segment on The National, 23 March 2015.

- The Intercept reporter Ryan Gallagher interviewed on As It Happens, 23 March 2015 (interview begins at 9:00 minutes). The Intercept's own coverage of the story is here.

Update 24 March 2015:

Added link to FVEYdocs.org copy of the slightly less redacted version of the NSA-CSE relationship document originally released by CBC yesterday.

Update 25 March 2015:

- Amber Hildebrandt, "CSE spying in Mexico: Espionage aimed at friends 'never looks good'," CBC News, 25 March 2015.

- Iain Thomson, "Snowden dump details Canadian spies running false flag ops online," The Register, 24 March 2015.

Update 28 March 2015:

Christopher Parsons analyzes the newly released documents here: "Five New Additions to the SIGINT Summaries," Technology, Thoughts & Trickets blog, 27 March 2015.

Saturday, March 14, 2015

Does CSE comply with the law?

The Prime Minister and his ministers frequently reassure Canadians that they need not worry about the potential for misuse of CSE’s highly intrusive eavesdropping powers because the CSE Commissioner reviews CSE’s compliance with the law and has always declared CSE to be in compliance.

This April 2014 statement by then-Defence Minister Rob Nicholson is a good example:
Since 1996, a fully independent CSE commissioner—a series of esteemed retired or supernumerary judges—has regularly reviewed CSE activities for compliance with the law. The commissioner and his full-time staff and expert consultants have full access to all CSE personnel, systems, and documents. In more than 17 years, the commissioner has never found CSE to have acted unlawfully.
[As of January 2016, however, they'll have to stop saying "never" if they want to continue making such assurances.]

Such statements artfully avoid the fact that CSE is able to collect and analyze a surprisingly large amount of information about Canadians entirely legally, at least in the view of the government and the Commissioner. (Others are not so sure about the legality of such activities; see here and here for a couple of different views.)

But, still, the CSE Commissioner’s annual affirmation ought to have some reassurance value.

At least, it would if it actually meant what the government would like you to think it means.

If they had to guess, most people would probably imagine that the process of compliance monitoring looks something like this:

The CSE Commissioner examines CSE's activities during the year under review, determines whether or not they comply with the law, and reports his conclusions.



The reality is a bit more… complex.

A look at the reporting done by CSE Commissioners over the history of their operations suggests that the actual process looks more like this (click on flowchart to see larger version):



The following notes, keyed to the numbers in brackets in the flowchart, provide further explanation and some actual examples:

1: The first question facing the Commissioner is whether to even look at a particular activity of the agency. No review body can examine every activity undertaken at every moment by the agency it watches. CSE Commissioners prioritize the activities they review to try to cover the most significant risks, and anything not on their list during the current set of reviews goes unexamined.

As the Commissioner’s 2003-04 report explained,
I can report that the activities of CSE that my office reviewed during the past year complied with the law and with ministerial authority. It is important to place this assertion in context. It should not be taken to mean that I am certifying that all CSE’s activities in 2003-2004 were lawful. I cannot make this assertion, because I did not review all their activities—and no independent reviewer could. However, my office reviews a wide range of activities in considerable depth, based on our assessment of where the risks of unlawful activity are likely to be greatest. This is the appropriate context for the assurance my work provides.
Although not repeated in every report, the same caveat applies to every year's work by the Commissioner.

An example of one of the questions the CSE Commissioner has chosen not to address is CSE’s cooperation with CSIS to “craft” the affidavit and oral testimony that CSE provided to the Federal Court of Canada in 2009 in support of a CSIS application for a warrant to monitor Canadians traveling abroad. Justice Richard Mosley declared that CSIS’s failure to disclose to the court that the assistance of Second Parties would be sought in the execution of such warrants was a breach of its “duty of candour” to the court. He did not specifically characterize CSE’s behaviour, but he did note CSE official James D. Abbott's acknowledgement that his testimony was “‘crafted’ with legal counsel to exclude any reference to the role of the second parties”.

Is it legal to withhold relevant information from a judge in order to get a warrant approved? The CSE Commissioner has chosen not to report on this question.

2: The Commissioner’s ability to review CSE relies on the agency keeping meticulous records of its activities, and Commissioners frequently recommend ways to improve CSE’s record-keeping. Nonetheless, sometimes CSE’s records are missing or insufficient to enable the Commissioner to properly assess the legality of a CSE activity, as noted here:
[A]s I and my predecessors have noted in previous reports, inadequate or missing information in CSEC’s corporate records can impair my ability to conduct reviews and to determine whether CSEC’s activities comply with the law. This has left me, in some instances, in a position of providing only a negative assurance to the Minister that I have no evidence of non-compliance with the law, rather than providing positive assurance, supported by evidence of compliance.
A specific example of this problem was cited in the 2012-13 annual report:
I had no concern with respect to the majority of the CSEC activities reviewed. However, a small number of records suggested the possibility that some activities may have been directed at Canadians, contrary to law. A number of CSEC records relating to these activities were unclear or incomplete. After in-depth and lengthy review, I was unable to reach a definitive conclusion about compliance or non-compliance with the law.
3: The position of CSE Commissioner is occupied by a retired or supernumerary judge, but the Commissioner's office does not function as a court and the Commissioner is not empowered to make legal determinations. When the Commissioner concludes that an activity does not comply with the law but CSE and its Department of Justice legal advisors insist that it does, the Commissioner does not declare CSE non-compliant. Instead, he either refrains from issuing an assessment or bases his assessment on the CSE/DOJ interpretation pending further discussion.

In 2006-07, for example, the Commissioner reported that
a detailed examination of CSE’s response to RCMP requests for intelligence-related information identified two issues of concern that required further legal study by CSE. The first was whether mandate (a) was the appropriate authority in all instances for CSE to provide intelligence support to the RCMP in the pursuit of its domestic criminal investigations. Pending a re-examination of this issue by CSE, no assessment was made of the lawfulness of CSE’s activities in support of this agency under mandate (a) as currently interpreted and applied by CSE.
In a separate, and still ongoing, case, the Commissioners have provided annual assessments of legality, but those assessments have been based on the government's interpretation of the law:
With respect to my reviews of CSE activities carried out under ministerial authorization, I note that I concluded on their lawfulness in light of the Department of Justice interpretation of the applicable legislative provisions.
4: As in any large organization, incidents occasionally occur in which policies are violated despite CSE’s efforts to ensure compliance. Ministerial directives with respect to privacy protection are sometimes violated, for example. The Commissioner has sometimes reported such violations, but in the absence of evidence that the violation was intentional on the part of the agency or the result of gross negligence [or lack of "due diligence"], he does not declare CSE in non-compliance because of such incidents. For example, in 2013-14 the Commissioner reported that
during my review I found instances where procedures relating to the identification of private communications were not followed correctly by CSEC employees. In one instance, a private communication was recognized but, contrary to policy, that communication was incorrectly marked for retention even though it had not been assessed as essential to international affairs, defence or security. In another situation, CSEC identified several private communications, but did not mark them for retention or deletion until several weeks after they were identified. In addition, there were other instances of analysts retaining foreign intelligence private communications—in some cases, for several months—that had been, but no longer were, essential to international affairs, defence or security.
In none of these cases was CSE itself declared to be in non-compliance with the law.

Similarly, although it is illegal for CSE to intercept “private communications” except when it has a Ministerial Authorization to do so, when such interceptions inadvertently occurred during the five years between the first appointment of a CSE Commissioner and the establishment of the Ministerial Authorization regime in 2001, CSE was not declared to be in violation of the law because, the Commissioner reported, the agency's extensive efforts to prevent such interceptions demonstrated that it did not intend to act unlawfully:
Despite the efficiencies inherent in new technologies, CSE is still likely to receive inadvertently some small amount of Canadian communications. Moreover, each new collection system or technique that comes on stream seems to bring with it this potential. However, CSE is well aware that it must continually upgrade its capabilities to screen out Canadian communications or risk acting unlawfully if it does not make every effort to do so.
5: Commissioners have also demonstrated that they will not declare CSE in violation of the law if CSE has agreed to cease or to appropriately modify a practice that the Commissioner believed to be non-compliant. For example,
I am able to report that, overall, the activities of CSE examined during this reporting period complied with the law, with one qualification. It concerned a condition of an information technology security ministerial authorization, which CSE has already undertaken to rectify.
Similarly, when CSE eventually agreed to modify its practices in the Mandate (a) versus Mandate (c) question cited in point 3 above, the Commissioner dropped the issue without ever pronouncing publicly on the compliance of CSE’s activities prior to the change:
In his 2007–2008 Annual Report, Commissioner Gonthier stated that pending a re-examination of the legal issues raised, no assessment would be made of the lawfulness of CSEC's activities in support of the RCMP under the foreign signals intelligence part of CSEC's mandate. He also noted that CSEC's support to CSIS raised similar issues.… Subsequent to these reviews and statements in the annual reports, the Chief of CSEC suspended these activities. CSEC then made significant changes to related policies, procedures and practices.… Because of the significant changes made by CSEC to these activities and the positive results of this review, I am of the view that CSEC has addressed the previous findings and recommendations.
[The Commissioner's practice of not reporting non-compliance as long as the activity in question had been halted by CSE was departed from dramatically in January 2016, however, when Commissioner Plouffe reported CSE to be in non-compliance with the law despite the fact that the agency had already ended the activity.]

6: CSE Commissioners have also shown that they will not declare CSE in non-compliance as long as the government has promised to make amendments to the law to clarify that the activities in question are indeed authorized under the law—no matter how many years may go by with no evidence of the government actually taking steps to implement that promise.

See, for example, this statement:
At the end of the 2008–2009 reporting period, I continue to apply the interim solution put in place by my predecessors: that is, to review CSEC's foreign intelligence collection activities under ministerial authorizations on the basis of the [National Defence Act] as it is interpreted by Justice Canada. However, in some important respects, I disagree with that interpretation—as have both my predecessors.

In April 2006, my immediate predecessor noted in his last report as CSE Commissioner that "my one regret will be if I leave this position without a resolution of the legal interpretation issues that have bedevilled this office since December 2001." In my 2007–2008 report, I noted the Government had indicated that legislative amendments would be brought forward "in due course". This has yet to occur. I want to emphasize, however, that the length of time that has passed without producing amended legislation puts at risk the integrity of the review process.
That was written in 2009. As of March 2015 those promised amendments are still nowhere to be seen. The current Commissioner continues to apply the “interim” solution of assessing compliance based on the government's interpretation, and the firm warning of the 2008-09 report has withered into little more than a pro forma acknowledgement:
Since the enactment of Part V.1 of the National Defence Act in December 2001, all CSE Commissioners have voiced concerns that certain fundamental provisions in the legislation lack clarity. In 2007, the government committed to amending the legislation to clarify these ambiguities. It is hoped that this can be resolved in the near future.
Fourteen years after the problematic provisions were enacted, Commissioners continue to assess CSE as being in compliance while they await amendments that never arrive.

What would it take to declare CSE in non-compliance?

Given the system in place, what would it take for a CSE Commissioner to actually declare CSE to be in non-compliance with the law?

Based on the model above, the Commissioner would have to choose to examine the activity, sufficient records would have to exist to support a compliance judgement, the Commissioner would have to conclude that the activity violates the law, CSE and the Department of Justice would have to agree with that conclusion, CSE would have to affirm, or the Commissioner would have to demonstrate, that the activity was authorized by the agency [or that it had been permitted to occur due to a lack of due diligence], CSE would have to declare that it intends to continue doing it, and the government would have to refuse to promise to amend the law (at some undefined point in the future) in order to permit the activity. If all those conditions were met, and the Commissioner subsequently reported the issue to the Attorney-General, and no promise (sincere or otherwise) to change either the activity or the law were forthcoming following that step, then and only then would he report to the public that CSE was not in compliance with the law.

In short, the likelihood that a CSE Commissioner will ever declare that CSE is not in compliance with the law, no matter how often those laws may be transgressed in practice, is practically nil.

[But never say never! In January 2016, the CSE Commissioner deviated dramatically from this "model" and did declare CSE to be in non-compliance even though the violation was deemed to have been unintentional and the activity had already been halted. There's no way to tell at this point whether that was a one-time event or it heralds a more permanent change in the Commissioners' approach to compliance assessment.

Until that picture becomes clearer, I won't make any change to the compliance flowchart—which was always a bit tongue-in-cheek anyway—that accompanies this article.]

I should probably make it clear at this point that I don’t believe CSE does intentionally break the law—as it and its Department of Justice advisors understand the law—as a normal part of its operations. I believe that compliance with the law is a fundamental part of CSE’s ethos, and I think the activities of the CSE Commissioner have done a lot to reinforce that ethos and ensure that it is followed in practice.

For me, a much bigger concern is the amount of information that can be collected, one way or another, without violating the law, and the potential for that information, although it may not be misused now, to be misused sometime in the future. Consider, for example, the fact that no laws were broken—according to the CSE Commissioner—by the extensive collection and analysis of Canadian communications metadata revealed in the “Airport Wi-Fi” story.

Whether or not you agree that legal compliance is ultimately not the key issue, however, know this:

While the Prime Minister and his ministers are no longer able (as of January 2016) to claim that all CSE Commissioners have always declared CSE’s activities to be in compliance with the law, they will undoubtedly reach for similar claims, such as "CSE has never intentionally broken the law" or, assuming there are clean reports in future years, "the most recent Commissioner's report has affirmed that all of CSE's activities were in compliance with the law."

But the reality of that assurance will always be a whole lot more hedged and contingent and qualified than the government would like you to think it is.


Update 29 January 2016: The conclusion to this post was amended and the comments in brackets added to the body of the post following the release of the CSE Commissioner's 2014-15 Annual Report.

CFIOG Commander testifies to SCND

Colonel Steven Moritsugu, who replaced Col. F.J. Allen as Commander of the Canadian Forces Information Operations Group (CFIOG) last year, testified before the Standing Committee on National Defence on February 18th. The committee is studying the "Defence of North America", and Col. Moritsugu's mission was to explain the role of CFS Alert and the CFIOG more generally.

Among his other comments, Moritsugu talked briefly about the support Alert and other signals intelligence stations provide to NORAD:
Our main reason for having the station there would be the defence of Canada, the defence of the homeland, and the defence of North America.

Our primary sharing is with NORAD. From my perspective, we figure out what's going on. We produce that intelligence. How our national command might then decide to share that or any other source of intelligence with somebody else, because we have a common problem we're dealing with, on a case-by-case basis, is echelons above me. Here's the information into the hopper, and somebody else decides whether my information or some other bit of information needs to be shared with somebody other than the people we regularly share with, and that is ourselves and NORAD.
Ever wonder how NORAD interceptors so often manage to meet those Russian bomber training flights before they even enter NORAD radar coverage? Now you know.

Moritsugu also described the HF direction-finding role of the stations at Alert, Masset, and Gander, and reported that the direction-finding system was involved in five search and rescue events in 2014:
Other services or the joint rescue coordination centre would call upon us when they know there's a ship or an airplane out there that somebody has lost contact with and has reported as potentially being lost. Our role then is to locate their radio signal and attempt to triangulate it so that we have an idea of where they are. Sometimes, because of the fact that we have very good radio receivers, it's possible for us to hear signals that other people cannot hear. For example, a normal base station or airport has lost contact with some airplane or some ship. They're still talking, but nobody is hearing them. They ask us to listen, and when we turn and look in that direction it is often possible to pick up signals and determine that they're actually not lost, that they're just out of communications.

In 2014, for example, there were only five instances where we were asked to do so. In three of them there was no actual emergency, but we were able to determine that this person was talking, but they weren't answering because they couldn't hear them. We could hear them, and it wasn't an emergency. On two of them, we did help to locate that the person was declaring an emergency, and we were able to say “they're about here”, which makes it easier for search and rescue to go find them.
Interestingly, Moritsugu did not include Leitrim in the list of stations participating in HFDF operations. Does this mean the Pusher array at Leitrim is no longer operational? Or is it just that the Leitrim array was never equipped for netted operations with the others?

He also reported that CFIOG currently has about 900 people. That's the same size as the CFIOG establishment in 2005, although back then the organization was reportedly not at full strength.

The full transcript of Moritsugu's testimony can be read here.

Thursday, March 12, 2015

February 2015 CSE staff size

2175: pretty much the same as last month.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Fantino names Russia as cyber threat

Defence Minister Jason Kenney and his sidekick Associate Defence Minister Julian Fantino testified to the Standing Committee on National Defence about the Supplementary Estimates (C) on March 11th (transcript not yet available, but you can watch the proceedings here). The hearing covered both the Department of National Defence's vote and that of the Communications Security Establishment. (The CSE entry in the Supplementary Estimates (C) was discussed previously here.)

CSE's new Chief, Greta Bossenmaier, was in attendance at the hearing, but it was Associate Minister Fantino who addressed CSE issues, making a brief statement and later answering a question about CSE's personnel system. Whether Fantino serves as the minister for CSE in all respects may be in doubt, but it is evident that he is now acting as the public face of ministerial accountability for the agency.

Fantino's brief statement starts at about 14 minutes 15 seconds into the hearing. The only especially notable point, from my point of view, is the part (at ca. 15:30) where he cites Russia as a cyber threat, the first time, I believe, that Russia has been identified by name by the government:
Government of Canada networks are attacked millions of times every single day. Some of these provoking acts are done by foreign states, like Russia, which seek to expand their influence at the expense of Canadian interests.
Fantino's statement also confirmed that the two generators for which CSE received $600,000 were no longer needed by the agency as a result of the completion of its new headquarters.

The sole CSE-related question during the hearing concerned the $10,527 transfer from Public Works and Government Services for "reimbursement of funds for the transformation of pay administration" (at ca. 1:18:20). Fantino indicated that the transfer was made because, for security reasons, CSE is opting out of a new government-wide pay system and will instead continue to administer its own pay.

Tuesday, March 10, 2015

Recent items of interest

Recent news and commentary items related to CSE, signals intelligence, and related issues:

- Daniel Therrien, "Without big changes, Bill C-51 means big data," Globe and Mail, 6 March 2015.

- "Lee Berthiaume, "All Canadians would be trapped in anti-terror legislation's 'web', warns privacy commissioner," Ottawa Citizen, 6 March 2015.

- Scott Vrooman, "Why is oversight of Canada's snooping apparatus so useless?" Toronto Star, 5 March 2015. Youtube commentary on the CSE Commissioner by comedian Scott Vrooman. See also Vrooman's earlier Youtube commentary, "We need a restraining order on our spies," Toronto Star, 25 February 2015.

- "Snowden Live: Canada and the Security State," 4 March 2015. Video Q&A with Edward Snowden followed by panel discussion with Dave Seglins, Andrew Clement, and Laura Tribe. Organized by Canadian Journalists for Free Expression.

- Amber Hildebrandt, "Edward Snowden archive aims to 'piece together the bigger picture'," CBC News, 4 March 2015.

- Andrea Bellemare, "The apps Edward Snowden recommends to protect your privacy online," CBC News, 4 March 2015.

- Tanya Talaga & Alex Boutilier, "Edward Snowden warns of perils in Canada’s proposed anti-terror law," Toronto Star, 4 March 2015.

- Colin Freeze, "The Globe adopts encrypted technology in effort to protect whistle-blowers," Globe and Mail, 4 March 2015.

- Jim Bronskill, "Work on better spy monitoring still underway four years after promise: feds," Canadian Press, 25 February 2015.

- "Canadian media largely ignored major Snowden story," Eyeing the Five blog, 25 February 2015.

- Craig Forcese, "Bill C-51: Does it Reach Protest and Civil Disobedience?" National Security Law blog, 19 February 2015.

- Jean Chretien, Joe Clark, Paul Martin & John Turner, "A close eye on security makes Canadians safer," Globe and Mail, 19 February 2015.

- Editorial, "Heed this call for better oversight of Canada’s spy services," Toronto Star, 19 February 2015.

- Shawn McCarthy, "‘Anti-petroleum’ movement a growing security threat to Canada, RCMP say," Globe and Mail, 17 February 2015.

- Alex Boutilier, "NSA offered help hours after Ottawa attack," Toronto Star, 15 February 2015.


Snowden Archive

As noted above, Canadian Journalists for Free Expression has launched a great new resource for those interested in Five Eyes signals intelligence, a searchable archive of all the Snowden documents that have been made public: Snowden Surveillance Archive. Well worth checking out.

Other potentially useful compilations of the Snowden documents include:
  • FVEYdocs.org. Also searchable, with a highly useful search feature: snippets are provided showing the context of the words searched for and their location within the documents.
  • NSA Primary Sources. Hosted by the Electronic Freedom Foundation. Very basic search function, but a nice, easy to use chronological listing by release date.
  • The NSA Archive. Hosted by the American Civil Liberties Union. Searchable. Collection also includes a lot of officially released U.S. government documents.
  • IC Off The Record. Not to be confused with the official government site IC On The Record, IC Off The Record is a parody site that also contains a wide range of real information about the U.S. intelligence community.
  • Canadian SIGINT Summaries. Unlike the other sites, this site focuses only on documents related to CSE. Helpful summaries and explanations of the documents are provided.

SIGINT history

And for those interested in earlier times, Jerry Proc has a new webpage discussing the history of the DOT's Ottawa Monitoring Station, which intercepted German naval communications during the Second World War.

One of Jerry's primary sources was this webpage by Ernie Brown, who actually served at the station. For more on Brown, see Andrew King, "How Ottawa's project ULTRA helped Alan Turing crack Nazi code," Ottawa Citizen, 16 February 2015.

Helen Leadbetter is another veteran of the SIGINT war against the U-boats who has recently appeared in the media:
- "The Imitation Game's real-life history has link to Canada," Canadian Press, 1 February 2015.
- "Helen Leadbetter, 92, reveals secret story told in The Imitation Game," CBC News, 16 February 2015.

The Imitation Game itself is an entertaining movie, but unfortunately it bears at most a passing resemblance to the actual story.

Sunday, March 01, 2015

The Fifth Estate: The Espionage Establishment

On January 9th, 1974, the CBC broadcast a documentary about the Canadian intelligence community entitled "The Fifth Estate: The Espionage Establishment." Unrelated to the investigative journalism program The Fifth Estate, which wasn't created until a year later, the documentary contained extensive details of the U.S. Central Intelligence Agency's activities around the world, discussed Canada's cooperation with the CIA, and outed the CIA's Chief of Station in Ottawa.

It also revealed to the Canadian public and parliament that Canada had a signals intelligence agency, the Communications Branch of the National Research Council (CBNRC). The documentary included an extensive interview with NSA whistleblower Perry Fellwock (using the pseudonym Winslow Peck), who had earlier named CBNRC to the U.S. counterculture magazine Ramparts, in which he explained the nature of the National Security Agency and discussed CBNRC's role as a partner in the UKUSA SIGINT community.

CBNRC's exposure led to immediate questioning in parliament by Conservative and NDP MPs and wide coverage in Canadian newspapers, and it is thought to have played an important role in the Trudeau government's 1975 transfer of the agency to the Department of National Defence, where it received its current name, the Communications Security Establishment.

Although it took almost a decade for the government to formally acknowledge, in late 1983, CSE's signals intelligence role, the 1974 broadcast marked the beginning of public and parliamentary discussion of the agency and Canada's role in the SIGINT community and thus, in a sense, the beginning of public oversight over the agency.

CSE itself has a slightly garbled version of the story on its website:
In 1974 the television program "The Fifth Estate" broadcast an exposé of Canadian involvement in signals intelligence. The program revealed the existence of the hitherto low-profile CBNRC, and explored the nature of its signals intelligence program and its US partners. The Fifth Estate's revelations were raised in the House of Commons over the next week. As a result of the unwelcome publicity, the government soon transferred Canada's SIGINT and Communications Security organization to the Department of National Defence portfolio, and renamed it the Communications Security Establishment (CSE).
I have pointed out on more than one occasion that the documentary had no relation to "the television program 'The Fifth Estate'", but our listening agency just isn't listening on that subject. Maybe I need to send an e-mail to some department of the government.

As far as I know, the documentary was never re-broadcast, and it does not appear to be available for viewing.

[Update 23 November 2018: As noted below in the comments, the documentary can now be viewed online.]

A transcript of the program does exist, however.

And here it is:

The Fifth Estate: The Espionage Establishment (produced and directed by William Macadam; research directed by James R. Dubro).

Update 2 March 2015:

While we're on the subject of garbles on the CSE website, let's consider another portion of the same web page:
On September 27, 2007, the Treasury Board Secretariat of Canada approved the registration of a new applied title for the organization. This change was made in order to become compliant with the federal government's Federal Identity Program (FIP), which requires all departments and agencies have the word 'Canada' as part of their corporate title. From this point forward, the organization became known as Communications Security Establishment, with an abbreviation of CSE. It is important to note that while the applied title changed, the legal title remains Communications Security Establishment and continues to be used for all legal documents.
Now, this passage actually made some sense in the days when it read "From this point forward, the organization became known as Communications Security Establishment Canada, with an abbreviation of CSEC." But last summer CSE quietly reverted to its legal name, the Communications Security Establishment, for its public identification purposes, and apparently somebody at CSE thought the best way to update the explanation was simply to delete the word Canada.

So now hapless readers get informed that Canada's SIGINT agency, renamed CSE in 1975, became known as CSE in 2007, but this was only a change in applied title, since its legal name remained CSE.

Does anybody there read the stuff they post?

Let's not even talk about the hopelessly outdated "Quick Facts about CSE" at the bottom of the web page.