Thursday, September 24, 2015

Filling in the blanks: Analysis of CSE CNE documents

The addition of Computer Network Exploitation (CNE) operations to CSE's range of activities dramatically changed the nature of Canada's signals intelligence agency, but very little information has been released about CSE's CNE operations. Most of what Canadians know about the subject comes from the Snowden documents, but a small amount has come from other sources, including official documents released under the Access to Information Act. These documents are worth a close look, as they sometimes reveal a little more than they appear to at first.

A document recently released to the Globe and Mail is a good example. Called OPS-3-1, Operational Procedures for [Redacted] Activities, and dated 11 December 2012, it is almost certainly the document that spells out CSE's operational policies for CNE.

At least, that's what I think.



The title of the document was redacted from the released version (see graphic above). But the length of the redaction can clearly be seen, as can the small portion of the letter "p" or "q" that remains unredacted in the top line. A test using the same typeface (see text in red) shows that "Computer Network Exploitation (CNE)" fits exactly within the redacted space, with the "p" in computer appearing in exactly the right spot to account for the unredacted letter portion.



"Computer Network Exploitation (CNE)" also fits exactly within the redacted spaces in the body of the document, and the abbreviation CNE fits exactly within the small redacted spaces that refer to the activities. (Note also how, in the final redacted spot shown in this graphic, a small portion of the first letter extends outside the redacted area, indicating that it must be a "C", "G", "O", or "Q".)



The same substitutions also work for the 2011 version of the document (released earlier), even though omission of the word "Operational" from the document's name means that two of the redacted words now have to fit within the top line.

None of the foregoing proves that OPS-3-1 is indeed CSE's Computer Network Exploitation policy document, but I think there can be little doubt that it is.


What does OPS-3-1 tell us?

If OPS-3-1 is indeed CSE's CNE document, then a number of interesting new bits of information can be gleaned from it.

Most notably, comparison with the 2011 version of OPS-3-1, also released in redacted form, indicates that there has recently been a significant change in the approval process for CNE operations.

OPS-3-1 distinguishes between three types of CNE operations for foreign intelligence collection. The factors that distinguish these types from one another have been redacted, but some of the details of the approval processes for the three types remain.

Under the 2012 procedures, the first type of operation—evidently the least sensitive—can be approved at the group director level. These operations probably build on techniques and accesses that are already in place and don't pose any special risks to CSE personnel or capabilities or to the government as a whole.

The second type of operation is divided into four subcategories, two of which can be approved by the relevant group director, while the third requires approval by the Deputy Chief SIGINT and the fourth requires approval by the Chief of CSE (or any senior executive officially designated to carry out the Chief's duties). The document also states that the Chief "must consult with the Minister before approving any particularly sensitive [CNE] operations or those that carry significant risk."

The third type of operation must be personally approved by the Minister, "if required due to sensitivity or significant risk", or by the Chief, "if appropriate" (presumably when the operation is not considered sufficiently sensitive or significantly risky). Even in the latter circumstance, consultation with the Minister appears to be required in most or perhaps all cases. The National Security Advisor must also be informed "as necessary", and all such operations require preparation of a "separate operational security plan".

These approval procedures differ significantly from those in the 2011 version of the document. In the 2011 version, the Chief could approve any operation of the second type, whether sensitive/risky or not, with no obligation for ministerial consultation. Operations of the third type did require ministerial consultation, but it was the National Security Advisor who gave final approval for the operation. The minister had no formal approval role. (The requirement to consult with the minister did imply a certain level of tacit approval, of course, as the minister could certainly intervene to prohibit or modify any plan he didn't agree with.)

CSE's November 2011 transition to stand-alone status, which removed both the Deputy Minister of National Defence and the National Security Advisor from the CSE chain of command, is undoubtedly part of the explanation for the subsequent changes in these approval processes. But the changes were more significant than that. Not only is the minister consulted on a wider range of operations under the new procedures, but approvals formerly given by a senior bureaucrat now require explicit ministerial sign-off.

The decision to kick decision-making on such operations upstairs to the minister may reflect a growing recognition of the sensitivity of CNE operations. As the Snowden revelations subsequently showed, such operations can be highly embarrassing when information about the operation leaks and the target is revealed to be a friendly nation such as Brazil. Operations against a Five Eyes partner would be even more sensitive, and presumably would be contemplated only if the potential payoff were considered to significantly outweigh the risks. Operations that involved the physical installation and maintenance of equipment outside Canada might have the potential to place personnel at risk as well.

Another interesting revelation is that CSE conducts CNE operations not only under its foreign intelligence mandate (Mandate A), but also under its support to federal law enforcement and security agencies mandate (Mandate C). In other words, persons in Canada, and Canadians abroad, are also potentially the target of CSE CNE operations, as long as CSE has received a lawful request from one of these agencies.

This is perhaps not surprising, as CSE can presumably use any of its capabilities in support of such agencies when those agencies have suitable legal authority, but it is significant nonetheless. CNE capabilities are potentially extremely intrusive, and even ostensibly less-intrusive CNE techniques such as metadata collection and analysis can have major privacy implications. Furthermore, it is not clear what warrant requirements exist for the use of some of these techniques, or even whether the government considers a warrant necessary for some of them, and the rules that govern CSE use and retention of Canadian data collected directly or incidentally through these techniques are for the most part equally unclear.

The OPS-3-1 documents may fill in a couple of these details. The 2011 version of the document notes, for example, that "All Mandate C [CNE] activities are conducted from Canada." This appears to be a reference to CSIS's DIFTS warrants for monitoring Canadians abroad, which specified that CSE's contribution would be conducted from within Canada. The 2012 version of the document has a similar statement, but "from Canada" has been redacted ("All [CNE] activities conducted under part (c) of CSEC's Mandate are conducted [redacted].").

With the passage of Bill C-44, it is possible that this requirement no longer applies.

CSE can also conduct CNE operations in support of CSIS foreign-intelligence collection within Canada (e.g., monitoring foreign diplomats in Canada), which is governed by s.16 of the CSIS Act. The 2011 version of OPS-3-1 reports that "The CSIS-CSEC Liaison Officer must approve the release of reports derived from collection obtained pursuant to Section 16 of the CSIS Act." (The 2012 version is identical, but redacts the words "CSIS-CSEC Liaison Officer".)

Similarly, CSE use of traffic collected in the course of other Mandate C operations, whether conducted on behalf of CSIS or other agencies, must be "approved by the agency for which CSEC provided support."

The 2011 document also has a section detailing how "Solicitor-Client Communications", which presumably are occasionally collected during such operations, are to be handled. But the contents of the section have been withheld. The 2012 document appears to have this section as well, but all references to solicitor-client communications have been redacted from this version.


Ministerial Authorizations

CSE's Ministerial Authorizations (MAs) are also worth examining.

Ministerial Authorizations are granted to authorize the agency to conduct activities that risk the interception of "private communications", i.e., communications with at least one end in Canada. CSE currently obtains three SIGINT MAs and one IT Security MA annually.

The memos to the minister requesting the 2012-13 versions of these MAs have been released under the Access Act, although in very highly redacted form. Not much can be learned from the sadly depleted remains of the documents that were released, but they do show that of the three SIGINT MAs requested that year, only one pertained to OPS-3-1. It seems reasonable to conclude that this one MA covers CNE activities, and perhaps even that the MA is specifically dedicated to such activities. (Since CNE involves hacking-style operations to actively collect "data at rest" or enable more traditional "passive" collection, it is quite distinct from the traditional kind of SIGINT activities that agencies such as CSE used to focus on.) The other two MAs probably cover those more traditional activities: collection of circuit-switched communications, such as those carried by land-line telephone networks, and collection of packet-switched communications, such as e-mails, referred to respectively by the Five Eyes agencies as DNR and DNI collection. (See, for example, the discussion in this NSA document.)

[Update 6 December 2022: As I wrote here, I now think it more likely that those other two MAs covered "Radio Frequency Collection" and "Cable Access Collection". The MA regime changed significantly in 2019 when the CSE Act entered into force, but typically there are still three "Foreign Intelligence Authorizations" issued every year, and seems likely to me that they still break down CSE's collection activities similarly.]

As can be seen in the excerpts below, fill-in-the-blanks analysis would seem to confirm that the MA that cites OPS-3-1 does indeed concern CNE operations (or at least that such an interpretation is plausible).









Ministerial Directives

Ministerial Directives (MDs) are also important. MDs provide direction to CSE on how to conduct its activities. While MAs pertain to techniques/activities that may involve the interception of private communications, MDs mostly concern specific programs, which may utilize more than one of the techniques covered by MAs. MDs may also relate to policy areas such as privacy that pertain to CSE's activities more generally. Thus, MDs and MAs do not necessarily correspond directly to one another. Nonetheless, it is likely that there is at least one Ministerial Directive that pertains directly to CNE activities.

That MD, I would guess, is the Ministerial Directive on [redacted] signed on 20 November 2012.



Note how the portions of the characters that extend from the redaction box at the bottom of the excerpt (the bottoms of two p's or q's and the bottoms of the parentheses) are consistent with "Computer Network Exploitation (CNE)".

Like OPS-3-1, the Ministerial Directive states that CSE conducts CNE activities under both Mandate A and Mandate C: "CSE also conducts [redacted] in Canada in support of, and at the request of, federal law enforcement and security agencies.”

Also of interest is the fact that the 2012 version was the first update of the directive since 2002. That earlier MD, issued by Defence Minister David Pratt on 14 January 2002, may have been the first Ministerial Directive specifically on the CNE program, and may actually have established the program.

CSE would certainly have been interested in CNE activities prior to 2002, and probably had started to move in the direction of establishing a CNE capability. NSA's Tailored Access Operations unit was created in 1997, and CSE would certainly have been aware of the potential of such operations by that date.

But in the late 1990s CSE was hamstrung by tight or even shrinking budgets, and it also faced limitations on what it could legally do.

In 2000-01, the agency reviewed its programs and settled on a new vision of its mission: “to be the agency that masters the global information network to enhance Canada’s safety and prosperity”. But it took until December 2001, with the post-9/11 passage of Bill C-36, for that new mandate ("To acquire and use information from the global information infrastructure") to be enshrined in law and accompanied by suitable legal powers.

The global information infrastructure was defined to include "electromagnetic emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, systems or networks."

As Lieutenant-Colonel Frances J. Allen (now a brigadier-general and recently appointed Director General Cyber at DND) wrote in 2002, passage of this law provided "a legal framework through which CSE, the CF, or both could undertake intelligence gathering using CNE techniques."

The post-9/11 world also brought new money into the CSE budget, a one-time cash infusion of $37 million, announced in October 2001, and then a 25% budget increase, announced in December 2001 and effective April 2002. (Additional increases came in later years.)

January 2002 thus seems like a plausible moment for the CNE program to have been established.

The Department of National Defence's 2002-03 Departmental Performance Report subsequently confirmed that CSE created "a new and strengthened technical capacity to gather intelligence from the global information infrastructure" during that year. This "technical capacity" may well have been the CNE program.


Conclusion

Most of the foregoing analysis is based to one degree or another on guesswork, and even if that guesswork is correct it doesn't add up to a whole lot of new hard information. But we may know a bit more about the origins, operations, and control of CSE's CNE program than was hitherto realized.

1 Comments:

Anonymous Anonymous said...

I enjoyed your "fill-in-the-blanks analysis", this kind of approach is similar to something I have in the works. I'll shoot you a message if I ever get round to actually doing it.

Regards,
@EdmoOnSecurity

October 10, 2015 1:44 pm  

Post a Comment

<< Home