Tuesday, February 06, 2018

Five Eyes SIGINT governance: Meetings galore

The relationship among the Five Eyes SIGINT agencies is extraordinarily close. It is not that uncommon for intelligence agencies to cooperate with their foreign counterparts in limited ways on specific topics of mutual interest, but the depth and breadth of cooperation among the "Second Parties" to the UKUSA Agreement is truly remarkable.

Each of the five agencies that participate—NSA, GCHQ, CSE, ASD, and GCSB—remains an independent entity under national control and responding to national intelligence priorities, but in many respects they also work as a single, supranational entity, setting common goals, building interoperable systems, and sharing technology, people, and, to an extraordinarily large degree, raw and assessed intelligence.

Born in the darkest days of the Second World War and institutionalized for the post-war era by the BRUSA Agreement (subsequently renamed UKUSA) of 5 March 1946, the UKUSA community has only grown closer and more tightly integrated in the decades up to the present. In addition to the UKUSA Agreement and other, subsidiary agreements (notably the CANUSA Agreement), the allies jointly set common Strategic Directions, adopt Resolutions at consultative meetings, and sign memoranda of understanding on common projects and programs. Personnel serve on exchange inside allied collection, processing, and analysis sites, take training courses at allied facilities, and work in permanent liaison offices established at each other's agencies to ensure continued close cooperation. The agencies are even able to task some of the collection systems operated by their allies. Much of the metadata and in some cases raw content of the SIGINT the agencies collect is made accessible to the partners, and most of the SIGINT reports issued by the agencies—some 500 per day—are shared among the partners.

Senior executives of the agencies consult among themselves whenever major issues arise, hold regular monthly, in some cases weekly, teleconferences, attend annual meetings as a group, and also hold frequent bilateral meetings. Lower-level committees meet regularly to work out specific problems, facilitate specific areas of cooperation, or run shared programs, and regular conferences are held to share information or tradecraft. In the wake of 9/11, as the allies sought to extend their intelligence cooperation even further and move from the traditional ethos of "need to know" to a new one of "need to share", the number and nature of these meetings and conferences proliferated.

The internal newsletter of NSA's Signals Intelligence Division, SID Today, leaked by Edward Snowden, provides some insight into this aspect of UKUSA cooperation. I did a review of the SID Today articles written over the two-year period between June 2003 and May 2005 and found references to 49 conferences or other meetings involving the participation of two or more Five Eyes members. (The source articles can be found here.)

Note that this list contains only those meetings mentioned in SID Today. Thus, in addition to those NSA-related SIGINT meetings that may have gone unmentioned, it excludes all meetings pertaining to the cybersecurity activities of the agencies and most of the bilateral SIGINT meetings in which NSA was not a participant.

Several of the meetings listed (those marked with an asterisk) were described as the first in an ongoing annual series on that topic, demonstrating the extent to which consultation and sharing were expanding at this time. Many of the other meetings listed were already annual.

Broader Five Eyes relationship

The Five Eyes cooperative relationship is no longer merely an arrangement among cryptologic agencies. The partnership may have begun with SIGINT, but extensive intelligence-sharing has also long occurred among the Five Eyes' security-intelligence, human-intelligence, and military-intelligence agencies, both at the operations level and at the level of multi-source assessed intelligence, up to and sometimes including National Intelligence Estimates and equivalent documents. More recently, formal Five Eyes fora have also been created in such areas as law enforcement cooperation and critical infrastructure protection.

Sometimes these fora have also been extended, at least for limited purposes, to include other countries. The SIGINT Seniors Europe and SIGINT Seniors Pacific groupings are examples of this development in the signals intelligence sphere.

I imagine the recent report that France has become part of a "Five Eyes plus France" group that meets one or more times a year in Washington (Pierre Tran, "French official details intelligence-sharing relationship with Five Eyes," Defense News, 5 February 2018) is an example of that trend with respect to broader intelligence cooperation. What I do not think it heralds, however, is anything remotely like the deep, wide-ranging, and day-to-day integration of activities that characterizes the unique SIGINT relationship among the UKUSA five.

Tuesday, January 30, 2018

CSE Commissioner calls for changes to Bill C-59

CSE Commissioner Jean-Pierre Plouffe called for changes in Bill C-59 in testimony to the Standing Committee on Public Safety and National Security today.

The Commissioner was accompanied by OCSEC Executive Director Bill Galbraith and special legal advisor Gérard Normand, who also testified. The transcript of the meeting is not yet available, but you can watch the hearing here. (It's also worth watching the testimony by Michael Vonn and Ray Boisvert that follows.)

In a document provided to the committee, the Commissioner called for nine substantive and thirteen technical amendments to the bill. [The original version of this blog post listed only the seven proposals outlined in this earlier submission by the Commissioner, which was the only one available online on January 30th.]

Here are the Commissioner's recommendations:

Substantive recommendations

1. The Intelligence Commissioner (IC) should approve the active cyber operations [and] defensive cyber operations that are authorized by the Minister pursuant to subsections 30(1) and 31(1) of the Communications Security Establishment Act (CSE Act).

2. The IC should have the right to request clarifications with respect to the information presented to him, short of receiving or accessing information that the Minister would not have seen.

3. The IC should be able to conditionally approve authorizations, pursuant to section 13 of the IC Act.

4. The IC should prepare a public annual report to the Prime Minister for him to table in both Houses.

5. Subsection 21(1) of the IC Act should provide that while the decision of the IC must be made within a 30-day period, the reasons could follow later.

6. Regarding subsection 37(3) of the CSE Act, it is suggested that the decision by a Minister to extend, for one more year, an authorization on matters of foreign intelligence or cybersecurity should be reviewable by the IC.

7. Paragraph 273.65(2)(c) of the National Defence Act... states that the Minister needs to be satisfied that "the expected foreign intelligence value of the information that would be derived from the interception justifies it". This has not been replicated in Bill C-59 and should be added.

8. Sections 38 to 40 of the CSE Act provide for a regime dealing with "repeal and amendment" that appears inconsistent and should be re-examined.

9. Subsection 41(2) of the CSE Act should provide that emergency authorizations issued by the Minister in foreign intelligence and cybersecurity matters are reviewable by the IC and base its process on the United Kingdom model under the Investigatory Powers Act 2016.

Technical recommendations

1. The wording in subsection 23(1) of the Intelligence Commissioner Act (IC Act) should be clarified to specify what is included in "all information that was before [the Minister]" that is provided to the Intelligence Commissioner (IC).

2. Regulation-making authority should be inserted in the IC Act to enable the creation of regulations for carrying out the purposes and provisions of the Act, as well as on more specific matters.

3. The Communications Security Establishment Act (CSE Act) and the Canadian Security Intelligence Service Act (CSIS Act) should clearly provide that both the authorization/determination and all information that led to the decision by the Minister should be provided to the IC for the purpose of his review.

4. The wording in section 13 of the IC Act should be amended to state that the IC should review all the information in order to determine whether the conclusions of the Minister are reasonable.

5. Section 25 of the IC Act should clarify the type and nature of the information being contemplated, such as briefings, or backgrounders, to help the IC exercise his role. The word "may" should be replaced by "must" for information requested by the IC.

6. The IC Act should provide that records obtained by the IC in the course of his duties are not under the IC's control, for Access to Information Act and Privacy Act purposes.

7. The wording in subsection 11.03(3) of the CSIS Act should be similar to that in subsections 29(1) of the CSE Act and section 11.23 of the CSIS Act.

8. Some terms found in Bill C-59 should be defined or clarified for the benefit of those responsible for enforcing the legislation, as well as those who will be asked to issue authorizations or approvals.

9. The entity proposed as the IC should be called the "Judicial Intelligence Commissioner" or the "Judicial Commissioner for Intelligence" and the title of the legislation changed to reflect the name.

10. The threshold set out in subsection 11.03(2) of the CSIS Act is too low and will make the IC's review practically impossible.

11. The Minister responsible for the IC Act should be the Prime Minister.

12. The period of validity for authorizations issued under subsections 30(1) and 31(1) of the CSE Act [i.e., defensive and active cyber operation authorizations] should be up to 6 months.

13. Section 10 of the IC Act should clarify that the concept of legal advisor is covered by the term "person having specialized knowledge".

The terms that the Commissioner recommended be defined are:

a. "information" (as used throughout the CSE Act);
b. "acquire", "collection" and "interception" (as used in the CSE Act, as well as the CSIS Act; the term "interception" is defined in the Criminal Code but is problematic with respect to the foreign intelligence collection process);
c. "disclosure" and "disseminate" (as used in the CSE Act);
d. "predominantly" (as used in the CSIS Act);
e. "publicly available dataset" (this term is defined in the CSIS Act but the definition is circular).

As can be seen, the CSE Commissioner's recommendations were limited to matters concerning the role of the proposed Intelligence Commissioner, which the CSE Commissioner will become if the bill is passed.

Several of the Commissioner's recommendations paralleled those made by various other commentators, including the authors of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) and Citizen Lab report on the bill. (I'm currently a Citizen Lab Research Fellow and was one of the five co-authors of the report.)

Especially notable were the Commissioner's recommendations that ministerial authorizations for active and defensive cyber operations be subject to the approval of the Intelligence Commissioner and that the Commissioner be able to specify conditions when approving authorizations, both of which were also recommended in the CIPPIC/Citizen Lab report (recommendations #5 and #9).

In response to a question, the Commissioner and his legal advisor also expressed general agreement with the CIPPIC/Citizen Lab report's recommendation (#6) that the Intelligence Commissioner provide written reasons for all decisions.

The Commissioner's appearance before the committee was limited to one hour, which is a great shame as a productive discussion could easily have gone on for several hours, but at least the Commissioner and the subsequent witnesses were given a respectful hearing and the questions asked of them were constructive. I honestly don't understand how the previous government found that kind of basic decency so difficult to display.

News coverage/commentary:

Alex Boutilier, "Electronic spy agency watchdog asks for more powers," Toronto Star, 30 January 2018.

Craig Forcese, "The (Quasi) Judicialization of CSE Cyber Operations (Active & Defensive)," National Security Law blog, 31 January 2018.

Monday, January 22, 2018

ATipper #11: JRO Strategic Research Contexts

Another item from the Access to Information files:

According to access release A-2016-00068, CSE's Joint Research Office, which conducts research in support of both the SIGINT program and the IT Security program, groups its efforts into "Strategic Research Contexts".

As of 2014, the JRO had 20 SRCs:

The subjects of two of the SRCs, R5 and R9, were redacted from the release.

Fortunately, a list of the 19 SRCs that existed in 2013 has already been published, so those who are curious can discover for themselves what the big secrets were. (See page 4.)

Friday, January 19, 2018

RIP Carl Freeland

The last surviving original staff member of CSE, Carl Freeland, passed away on January 13th.

Freeland served in the Canadian Army during the Second World War and was assigned to the Army's No. 1 Discrimination Unit (DU). 1 DU, a number of other service units, and parts of the Examination Unit, Canada's original code-breaking bureau, were later combined to become the Joint Discrimination Unit, which went on to form the basis of Canada's post-war SIGINT agency, known as the Communications Branch of the National Research Council (CBNRC) when it was created in 1946 and later renamed the Communications Security Establishment.

According to his obituary, Freeland's "proficiency in typing resulted in his assignment" to the DU.

He went on to spend his entire career at CBNRC/CSE, serving as the agency's liaison officer to GCHQ (CANSLO/L) in the mid-1970s, and finally retiring in 1985.

My condolences to his family and friends.

Monday, December 18, 2017

Citizen Lab, CIPPIC analysis of the CSE Act

Citizen Lab and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) published a report today on the CSE-related provisions of Bill C-59, the Trudeau government's sweeping new national security legislation. I contributed, in a small way, as one of the five authors of the piece.

As Ron Deibert writes,

Agencies like CSE are critical to public safety, foreign policy, and national security. It is essential that they are well-equipped and trained. However, their extraordinary and far-reaching capabilities and activities present enormous governance challenges for liberal democratic societies. Much of CSE’s activities are shrouded in secrecy — the most highly classified of any Canadian government agency. There are obvious good reasons for that secrecy. But government secrecy without strong independent oversight is a recipe for the abuse of power.

The 75-page report looks at CSE's broad existing powers and the extraordinary new powers that would be granted by C-59, and asks questions about how well those powers would be constrained by the oversight and review measures proposed in the bill.

You can read a brief introduction to the report here. The full document is here.

News coverage:

Alex Boutilier, "Canada’s electronic spies will be able to launch cyber attacks with little oversight, report warns," Toronto Star, 18 December 2017

Jim Bronskill, "'Case not made' for Liberal bill's problematic cyberspy powers, researchers say," Canadian Press, 18 December 2017

Chris Arsenault, "Canada’s spies are on the verge of new offensive powers for cyber attacks," Vice News, 18 December 2017

Editorial, "New powers for Canadian spy agency alarming," Toronto Star, 20 December 2017

Update 1 February 2018:

See also Lex Gill, Tamir Israel, and Christopher Parsons, "Government’s Defence of Proposed CSE Act Falls Short," Citizen Lab blog, 30 January 2018.

Wednesday, November 08, 2017

My work here is not done

I don't consider it my personal mission to make Canadians more aware of the existence and activities of the Communications Security Establishment. But I've always thought it would be a Good Thing if Canadians were more aware of CSE, and I felt it was possible that this blog might make a small contribution towards that end.

Well, if it has made any contribution, it certainly has been a small one.

A recent poll conducted for CSE found that,

On an unaided basis, only 3% of respondents correctly name “CSE” or the “Communications Security Establishment” as the government agency responsible for intercepting and analyzing foreign communications and helping protect the government’s computer networks. The Canadian Security Intelligence Service (CSIS) is much more commonly named as the agency described (mentioned by 22%).

Also, that 3% figure is only considered correct within plus or minus 2.8 percentage points 19 times out of twenty. In other words, it's pretty much within the margin of error.

As Jim Bronskill notes, there was a time not so long ago when CSE would have been thrilled to be so completely unknown ("Only three per cent of people surveyed could name Canada's cyberspy agency," National Post, 8 November 2017).

Times have certainly changed. CSE is a lot more interested in publicity than it used to be.

But of course there's still an awful lot they aren't keen to talk about. (See my comments on transparency here.)

Friday, October 27, 2017

CSE budget authority increased to $629 million

The Supplementary Estimates (B) for 2017-18, tabled yesterday in parliament, indicate that CSE's budget authority for this fiscal year is now $629,474,710, which is up $33,490,987 from the original estimate of $595,983,723.

Aside from a carry forward of $21,601,037 in unexpended funds from the previous fiscal year, the bulk of the increase comes in the form of $11,677,230 added "to maintain the Government of Canada's information technology security posture".

An additional $574,970 is added to cover increased statutory spending, while $362,250 is transferred to Global Affairs to cover the cost of "administrative support to departmental staff located at liaison offices abroad". Several other departments are making similar transfers, so the latter item is probably part of a wider decision to compensate Global Affairs for the support it is providing rather than a sign of expanded foreign liaison arrangements on CSE's part.

If CSE managed to spend its entire $629 million budget authority this year, the result would be the second-largest budget in its history (the largest one if you exclude FY 2014-15, which was boosted by a one-time payment of $300 million made when the agency's new headquarters was completed).

But it is quite common for significant sums to go unspent, so the final total is likely to be pretty close to the amounts spent in fiscal years 2015-16 and 2016-17 ($620 million and $615 million respectively).