Thursday, August 18, 2022

Notes on CSE's 2021-22 Annual Report


CSE's 2021-2022 Annual Report was released on June 28th. At roughly 15,000 words, the report is significantly longer and more informative than last year's, and about five times as long as CSE's first annual report, released in 2020. Although large gaps remain (and to some extent will always remain), this is starting to be a respectable — and useful — document.

Of course, a lot of that text focuses on the cyber security side of the agency, the Canadian Centre for Cyber Security, which accounts for about 30% of CSE's resources. Relatively little discusses the signals intelligence (SIGINT) and cyber operations side, which accounts for the rest.

This is unsurprising, as spying and online covert action need a pretty substantial level of secrecy. But they are also the areas where CSE's activities are most likely to negatively impact the general public, and boilerplate assurances that CSE is prohibited from directing its activities at Canadians are not enough.

For one thing, this prohibition does not apply when CSE is acting under its assistance mandate, providing support to CSIS, the RCMP, CBSA and other law enforcement and security agencies, subject to their authorities. The report has just one sentence referring to CSE's support activities (p. 12).

Also, between incidental collection of communications and bulk collection of metadata, CSE and its Five Eyes partners can collect, analyze, and report a great deal of information related to Canadians in the course of pursuing their non-Canadian targets.

In its classified reporting to the Minister of National Defence the agency provides a wide range of data on the amount of Canadian-related information it acquires and uses. There is no reason why much of that data could not be declassified and reported here, where it would provide useful reassurance of the limited extent to which CSE invades the privacy of Canadians. That's of course unless the data wouldn't actually be reassuring, in which case there's all the more reason why we should see it.

For more on the kinds of information that could be reported, see my comments on last year's report. Some of this information could and probably should be reported by the National Security and Intelligence Review Agency (NSIRA) also, but in that case too it depends on CSE approving its declassification.

One welcome bit of new information in the report is the discussion of active cyber operations (ACO) and defensive cyber operations (DCO) (pp. 13-14), where we learn a little more about the way authorizations work and the types of activities CSE is conducting.

The report confirms, for example, that a single authorization may cover multiple cyber operations and explains that "there are also cases where an Authorization may be anticipatory, with no operations required in the end."

The examples provided of the types of cyber operation that CSE has conducted are much more revealing than anything previously acknowledged by the agency, noting, for example, the use of "active cyber operations capabilities to disrupt the efforts of foreign-based extremists" and "to assist the Canadian Armed Forces in support of their mission." Note, however, that in neither of these cases is it made clear whether the operations mentioned were conducted under CSE's own active cyber authorities or as assistance activities.

The report also reveals that "CSE has embarked on a long-term campaign designed to reduce the ability of cybercrime groups to target Canadians, Canadian businesses and institutions. Working with Canadian and allied partners, CSE has helped reduce the ability of cybercriminals to launch ransomware attacks and to profit from the sale of stolen information."

Overall, then, the section on cyber operations is much more informative than the grudging acknowledgements the agency has made in the past on the subject and presumably reflects a deliberate decision to use the annual report as the place to begin providing at least a sliver of the kind of transparency CSE keeps talking about.

 

Other information

Also nice to see: the pages on SIGINT (11-12) update the statistics on SIGINT reports, clients, and customer departments/agencies introduced last year and add some general information about the kinds of intelligence topics CSE pursues: "CSE intercepts and analyzes electronic communications and other foreign signals to inform the Government of Canada about the activities of foreign entities that seek to undermine Canada’s national security and prosperity.... CSE SIGINT also supports government policy-making in defence, security and international affairs."

Among the (non-exhaustive) examples of intelligence topics given are:

  • activities of hostile states, including cyber threats
  • cybercrime
  • espionage directed against Canada, including economic espionage
  • foreign interference and disinformation campaigns
  • kidnappings of Canadians abroad
  • terrorism and extremism, including ideologically motivated violent extremism (IMVE), and
  • threats to Canadians and Canadian forces abroad

Unmentioned, however, are the sorts of things that fall into the polite-fiction category, where we pretend no one knows we do them even though everyone knows we do, such as intelligence collection on other countries' negotiating positions at international conferences or data relevant to trade policy.

In no case should any of these topics be surprising, however, which underlines the pointlessness of treating broad intelligence priorities (as opposed to specific targets) as a huge secret.

The report also has a short section following up on NSIRA's concerns about CSE's sharing of Canadian Identifying Information (CII) with SIGINT customers (see my earlier post here). "The [NSIRA] review made 11 recommendations to improve our processes for dealing with these requests. Since the review began, CSE has completed 10 out of the 11 recommendations.... The final recommendation, to conduct a Privacy Impact Assessment (PIA) has been launched. We expect to complete the PIA in 2022."

"The review also raised concerns that some disclosures of CII during the period of the review may have been non-compliant. After detailed analysis of CSE’s program, and the disclosures related to 2,351 Canadian identifiers cited in NSIRA’s report, and following consultations with government partners, CSE is satisfied that all but one of those disclosures were compliant. The single disclosure that was not compliant with the Privacy Act has been retracted and the data that was disclosed has been purged by the receiving institution."

Whether an NSIRA examination would draw exactly the same conclusions may be doubted, but I suspect it would agree in the great majority of cases. (NSIRA's original point wasn't that the requests were unjustifiable, but that the case for their justification had not been properly provided.) Still, it's good to see CSE using its annual report to follow up on issues arising from review agency reports.

 

Resources

On p. 56 we learn that CSE now has around 3200 full-time employees, which is up about 200 from the year before. The agency is now about 3 1/2 times as large as it was at the end of the Cold War! And it's still growing.

The promises made in Budget 2022 imply that CSE could be headed to around 4000 employees over the next several years, although some of that possible growth might go to contractors rather than staff. 

But you won't find any forward-looking budget or staffing data here. Nor will you find current budget data, other than the 2021-22 budget authorities number: $859 million. Note, however, that this number should really be $860 million, since it is almost certainly based on the $859,771,899 figure recorded in the 2021-22 Supplementary Estimates (C). Based on past performance, the actual amount that CSE ends up spending during 2021-22 is likely to be somewhat lower than this, but we won't know that number for some time.

Back when CSE was still part of the Department of National Defence, we used to get a lot more budget data about CSE, with spending broken down into salaries and personnel, operations and maintenance, and capital spending, and also projected into future years:

 

But all of that detail ended when CSE became a stand-alone department in 2011, and the agency has never provided any kind of public explanation of why it can no longer release such information.

By contrast, CSE's colleagues at the Australian Signals Directorate (ASD) manage to publish reams of spending data every year with no evident ill effects. Apparently CSE's data is uniquely sensitive in ways that must never be publicly explained.

 

Conclusion

The above griping notwithstanding, I do think this report is a significant improvement on its predecessors. Kudos to CSE for that.

And this year they finally made it available as a PDF as well as a web document! Yay!

 

For a much more comprehensive look at the contents of the report, check out Chris Parsons' post here

See also media coverage by Alex Boutilier and Cat Tunney.

 

Update 20 August 2022:  

The references to "Mandate C' in the original version of this post have been changed to "assistance mandate". As I was gently reminded, the Mandate C nickname dates to the pre-CSE Act period, i.e., before 2019. While fogies like me may still reach for it as a handy shorthand way to refer to CSE's mandate to assist federal law enforcement and security agencies (including, since 2019, the Canadian Forces and the Department of National Defence), when writing for others it's better to be comprehensible and accurate.