Sunday, July 31, 2022

Diversity in the top ranks of CSE

Improving diversity within CSE and other parts of the intelligence community is an ongoing challenge, but with the appointment of the first non-white Canadian to the position of Chief of CSE (effective August 31st), I thought I'd take a look at how things are going at the top level of the agency's hierarchy. As the chart below shows, that group is actually pretty diverse.

Chart showing top executives at CSE
At the top of the chart are incoming CSE Chief Caroline Xavier and, below her, Associate Chief Dan Rogers. The next level shows Deputy Chiefs and equivalents: from left to right, Deputy Chief SIGINT (DC SIGINT) Alia Tayyeb; Canadian Centre for Cyber Security (CCCS) Head Sami Khoury; Acting Deputy Chief Enterprise Technology Services (DC ETS) Darrell Schroer; Acting Deputy Chief Authorities, Compliance and Transparency (DC ACT) Nabih Eldebs; Deputy Chief Strategic Policy, Planning & Partnerships (DC SPPP) Wendy Hadwen; and Deputy Chief Corporate Services (DC CS) Gibby Armstrong. I have also shown the Cyber Centre's Associate Head, Rajiv Gupta. Other CSE officials at Gupta's rank (Director-General) are rarely publicly identified, so that's as far as it is practical to look.

CSE doesn't keep me updated on its executive appointments (or any other matter), so it's possible that some of the incumbents in these positions have changed, but this chart should be pretty close.

Of the nine officials shown in the chart, four are women, and five (three men and two women) are non-white. Some of the officials may also belong to other traditionally excluded or under-represented groups, such as 2SLGBTIQ+ persons, religious minorities, or persons with disabilities, but I have no information about that.


Dwyer straits

Photo of Peter Dwyer
CSE wasn't always as diverse as this. There was a time, in fact, when the battle for diversity in the upper ranks of the agency meant a demand to hire more (white) Canadian men instead of so many (white) British men.

As far as I can tell, CSE never had employment policies as overtly racist as those at GCHQ, which systematically barred all "coloured" people from employment at the agency until the 1980s, or even those at NSA and its predecessors, where, for example, until 1956 almost all African American employees were concentrated in a low-paid, segregated unit dubbed, inevitably, "the Plantation".

But of course a lack of evidence of egregious racism in no way means that no racist or otherwise discriminatory practices existed at CSE. And there is no reason to assume the agency has been any less discriminatory in its practices than the overall public service, or indeed Canadian society in general.

It wasn't until 1977 that CSE even established an advisory position on equal opportunities for women. Like today, about one-third of CSE's staff at that time were women, but they were "concentrated in lower level - lower paying jobs" such as clerical and secretarial work and were rarely promoted to upper management positions. As I noted here, the top echelons of the agency have come a long way in that respect since then.

Statistics on equity, diversity, and inclusion across the entire staff of CSE are hard to come by, but they have started to be reported in recent years. CSE's most recent annual report, for example, published these statistics on employment equity representation versus workforce availability (click image for larger version):

As these numbers show, CSE still has a long way left to go with respect to persons with disabilities and those described as "visible minorities". (The term "visible minorities," the report notes, "is considered outdated. We use it here in the context of the Employment Equity Act, which is currently under review.")

It's also worth recognizing that the "workforce availabilities" shown in CSE's chart relate to the specific occupational categories CSE seeks to fill and thus themselves reflect persisting societal and systemic barriers to inclusion. As target levels they are at best relative measures of progress.

This can be seen in the statistics pertaining to women, who are assessed as having a workforce availability of 35.4% for CSE even though they represent 50.4% of Canada's population and their availability for the public service as a whole is assessed to be 52.7%.

The same point could be made with respect to Indigenous people. While CSE seems to be doing reasonably well, with Indigenous people representing 1.93% of the agency's staff versus a workforce availability of 2.08%, the assessed availability of Indigenous people with respect to the public service as a whole is twice as high (4.0%), suggesting there is a lot of room for growth if obstacles to participation in occupations of interest to CSE were reduced.

NSICOP's study of diversity and inclusion in the Canadian security and intelligence community, published in 2020, provides a useful further discussion of these issues and some additional statistical information, notably representation at the executive level of Canadian S&I agencies in 2017-18. (I'm not sure where the cut-off for this category is in CSE, but it likely includes everyone from the Chief down to the Director-General and, I would guess, Director level.) Interestingly, CSE significantly under-performed in terms of visible minority representation within the executive category at that time.

As the NSICOP report and the CSE annual report both acknowledge, women, Indigenous people, persons with disabilities, and visible minorities are not the only groups relevant to questions of equity, diversity, and inclusion.

In May 2021, a senior official from CSE's SIGINT branch, Artur Wilczynski, was appointed Assistant Deputy Minister, Senior Advisor for People, Equity, Diversity and Inclusion as part of "a focused effort to bolster a welcoming and inclusive community at CSE, to identify and break down systemic barriers to full participation, and to help empower historically discriminated against groups within the Public Service." Prior to his retirement earlier this summer, Wilczynski oversaw the production of CSE's first equity, diversity, and inclusion guide, which incorporates this broader understanding of equity-deserving groups, including the 2SLGBTIQ+ community, religious minorities, the neurodivergent, and others.

This episode of the Intrepid podcast, featuring Wilczynski and Nabih Eldebs (then the Director General of Policy, Disclosure and Review at CSE), is also a good source of information on the recent state of play at the agency. 



Obviously, the presence of women and non-white people in key leadership positions at CSE does not mean that problems of systemic discrimination and under-representation no longer exist at the agency, or even necessarily that meaningful progress is being made. And it would certainly be a mistake to use year-to-year changes in appointments to upper executive positions as a measure of the agency's overall progress or lack thereof. But representation does matter. The agency seems to be making good-faith (if undoubtedly imperfect) efforts to improve its performance on these issues at all levels of the organization, and in that context the fact that the top levels of CSE are visibly diverse sends an important message of hope that all Canadians can find a home at the agency.


Friday, July 08, 2022

Xavier to be next Chief of CSE

On 8 July 2022, Prime Minister Trudeau appointed Caroline Xavier to be the next Chief of CSE, effective 31 August 2022. Xavier will replace incumbent Shelly Bruce, who is retiring.

Xavier is the third woman in a row to be appointed to the job of Chief. (But fret not, guys, there were eight men in a row before that, so it's way too early to consider yourselves hard done by.) She will also be the first racialized Canadian to get the job. Xavier was born in Montreal to parents who came to Canada from Haiti. According to the CBC, when she gave this interview on diversity and equity in the public service in 2020, she was "the only Black person serving as an associate deputy minister in the federal government."

Working at CSE will be something of a homecoming for Xavier, who served as Director, IM/IT Infrastructure and Operational Services in the Chief Information Officer Branch of the agency from 2004 to 2006. She also has experience working with the intelligence community at the Privy Council Office. Although currently the Associate Deputy Minister of Immigration, Refugees and Citizenship, from 2017 to 2020 she was the Assistant Secretary to the Cabinet, Security and Intelligence, where "she was responsible for advising and supporting the National Security and Intelligence Advisor on security, intelligence and emergency management issues. Ms. Xavier was the Co-Chair to the Cabinet Committee on Global Affairs and Public Security, and also served as secretary to Cabinet Committee on Incident Response Group." (See her bios here and here.)

The first four chiefs of CSE, who collectively ran CSE for 53 years, were all hired from inside the closed confines of the SIGINT world. The appointment of Ian Glen in 1999 ended that tradition, and for the next 19 years succeeding chiefs were all drawn from outside the agency. Then, in 2018, the job went back in-house when Shelly Bruce was given the nod, capping a career spent almost entirely inside the agency.

As Bruce's time in office seemed likely to end soon, I had been wondering recently, would the government again choose a chief from in-house (in which case, Dan Rogers, who was recently appointed to the position of Associate Chief, seemed like a plausible candidate) or would it revert to hiring from outside the agency? As it turns out, the decision was a bit of both.

As a former CSE employee who has spent most of her public service career in other parts of the government, and who has recent experience near the top of the Canadian security and intelligence community, Xavier should bring the advantages of both backgrounds to the job — familiarity with CSE, its activities, and its place in the Canadian and Five Eyes communities, and deep knowledge of, and connections to, the broader public service and government policy world.

Xavier will become the 11th Chief in CSE's 76-year history. The previous chiefs were:

  • Edward M. Drake (1946 - 1971)
  • N. Kevin O'Neill (1971 - 1980)
  • Peter R. Hunt (1980 - 1989)
  • A. Stewart Woolner (1989 - 1999)
  • D. Ian Glen (1999 - 2001)
  • Keith Coulter (2001 - 2005)
  • John L. Adams (2005 - 2012)
  • John Forster (2012 - 2015)
  • Greta Bossenmaier (2015 - 2018)
  • Shelly Bruce (2018 - 2022)

Sunday, June 19, 2022

NSIRA report on Avoiding Complicity in Mistreatment by Foreign Entities

On May 19th, NSIRA released the declassified version of its Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities (NSIRA Review 2019-06). Ministerial directions were issued to a number of Canadian departments and agencies in 2011 and, later, in 2017 on managing the risks of information sharing with other countries; these MDs were subsequently replaced by the provisions of the Avoiding Complicity in Mistreatment by Foreign Entities Act in 2019. NSIRA's review looked specifically at the actions taken by the six departments and agencies that received the 2017 MD, including CSE, which unsurprisingly is the agency I'm going to focus on here.

CSE comes out looking good in this report. While NSIRA noted deficiencies in the way many of the six organizations handled this issue and made a series of recommendations applicable to all of them, CSE was broadly seen as having done well in meeting its obligations.

I have to say I don't find this result greatly surprising, as two and a half decades of review by OCSEC and now NSIRA have made CSE highly conscious of the importance of ensuring that ministerial directions and other legal requirements are clearly reflected in internal policies and procedures and that compliance with those policies and procedures is effectively monitored and documented.

(This is not to suggest that reviews no longer find matters of this kind — they're still among the most common issues raised by CSE's watchdogs. But the agency has come a long way over the years in aligning its policy regime and paperwork with actual existing practice.)

What I mostly want to highlight about this report is not compliance questions, but the evidence it provides of the long way CSE has yet to go on the transparency front.

Let's look specifically at page 22 of NSIRA's report, where the annex related to CSE begins. 

 For reasons mysterious to me, CSE evidently insisted on redacting the following non-secrets: 


● that CSE's process under the 2011 Ministerial Directive excluded review of normal information-sharing with the Five Eyes;


● that prior to 2017, CSE's ITS (i.e., cyber) side and its SIGINT side each conducted Mistreatment Risk Assessments (MRAs); 


● that the Corporate and Operational Policy Section of CSE, which now performs these assessments for the entire agency, is or at least was known internally by the alphanumeric designator D2 (and, more specifically, the sub-unit responsible was D2A);


● and that the CSE branch that contains D2 is Policy and Communications, under the direction of the Deputy Chief, Policy and Communications (DC PC) (listed as Director General, Policy and Communications (DG PC) in the out-of-date chart shown below).


Was it really necessary for CSE to insist on redacting all that information from NSIRA's report? If it was, then maybe they shouldn't have revealed it all already.


Something useful is learned

Happily, it's not all blank spaces and black holes.

On the useful information front, I've wondered for some time how CSE finessed the Five Eyes issue in the years since the 2017 Ministerial Directive appeared, since that version and the subsequent 2019 Avoiding Complicity Act contain no Five Eyes exception. 

Here the report is actually quite helpful. Although it doesn't make the Five Eyes connection explicit, the report reveals that CSE does two types of mistreatment risk assessment: case-specific ones and annual ones, the latter of which are "used to exclude countries from the normal MRA process".

I don't think there's much question which countries' boxes get ticked every year for that.

Friday, May 27, 2022

Intelligence Commissioner 2021 Annual Report

The 2021 annual report of the Office of the Intelligence Commissioner (ICO) was tabled in Parliament on May 5th. From the perspective of this blog, the most interesting news in the report was that one of the three Foreign Intelligence Authorizations (FIAs) granted to CSE by the Minister of National Defence in 2021 was only "partially" approved by the Intelligence Commissioner (IC). This marks the first time since the 2019 passage of the National Security Act, 2017, which created the current oversight regime, that an FIA has not been fully approved.

FIAs enable CSE to conduct its foreign intelligence program by legalizing aspects of its SIGINT collection activities that would otherwise be illegal, such as intercepting "private communications" or breaking into computer systems to steal information. CSE typically receives three FIAs per year, each valid for a one-year period. The exact subjects of those FIAs are classified, but collectively they cover the full range of CSE collection activities, probably grouped into computer network exploitation, various kinds of radio intercept activities, and cable collection operations. The authorizations are vital to CSE because, without them, the agency would be unable to collect intelligence under its foreign intelligence mandate without running the risk of violating the law.

FIAs are issued by the Defence Minister, but they only come into force if the Minister's decision is approved as "reasonable" by the IC. In 2021, for the first time, the IC did not fully approve one of CSE's FIAs. In the case of one particular activity covered by one of the FIAs, the Commissioner judged that "the Minister's conclusions lacked information on the nature of the activity described and on how such activity would be reasonable and proportionate. The IC was of the view that the Minister’s conclusions did not bear the essential elements of reasonableness: justification, transparency, intelligibility and did not establish whether they were justified in relation to the relevant factual and legal contexts." As a result, the IC "determined that he must not approve the Foreign Intelligence Authorization relating to this specific activity."










So, what exactly was the CSE activity that didn't make the cut? Those of you who are familiar with watchdog reports will know better than to expect the IC to reveal that information to us — or, perhaps more correctly, know better than to expect CSE to permit the IC to reveal it to us. Whether the activity in question is a secret legitimately worth keeping or one of those everyone-knows-we-do-it-but-we-obstinately-refuse-to-admit-it secrets we may never know.

Interestingly, however, in its 2020 annual report (released to the public in December 2021), the National Security and Intelligence Review Agency (NSIRA) also raised concerns about an unidentified CSE activity that at least conceivably could be the same program.

In that case, NSIRA recommended that "CSE should seek a fulsome legal assessment on activities authorized by a specific Foreign Intelligence Authorization prior to undertaking any collection activities under this ministerial authorization (MA)." In its response to NSIRA, CSE accepted the recommendation "in principle" but seemed to suggest that it had already done sufficient legal assessment of the activity.

Similarly, in declining to approve the particular activity that was of concern to the IC, the Commissioner stated (among other points) that the Minister's conclusions "did not establish whether they were justified in relation to the relevant ... legal contexts."

NSIRA also appears to have been concerned about the reasonableness and proportionality of CSE's planned activities, as CSE's response to NSIRA specifically noted CSE's belief that, in its view, the activities were "reasonable and proportionate". For its part, the IC stated that "the Minister's conclusions lacked information ... on how such activity would be reasonable and proportionate."

Were the two watchdog agencies talking about the same proposed activity?

We don't know. But if they were (and this is just an "if"), a couple of points are worth noting.

First, as the NSIRA report reveals, the activity in question is something comparatively new to CSE, "enabled since the CSE Act" (which was passed in 2019), and it had not yet begun operations at the time of NSIRA's examination. This suggests the possibility that it also may not have been in operation during the time the IC looked at it, which would mean that CSE did not have to shut down an active program when the authorization for it was refused. (This might also explain why no additional or amended FIA was presented to the IC later in the year to get the activity back in operation — it wasn't ready to go anyway.)

It might seem strange that an authorization would be sought for a program that isn't ready to go into operation, but it has been known to happen under the previous (pre-2019) ministerial authorization regime. Presumably, the goal of such early approvals is to have the authorization already in place when the program is ready to begin, and perhaps also to check whether the program is in fact likely to receive authorization before a large amount of time and money has been expended on its development and installation.

The second point worth noting is that this may represent a concrete example of NSIRA and the IC working together, sharing information and highlighting issues of importance or concern to one another. This information sharing, although limited largely to certain types of formal reporting, was one of the benefits that was foreseen when the new review and oversight regime was created in 2019.

The IC report contains a brief description of how this kind of cooperation works: "The IC must provide a copy of his or her decisions to NSIRA in order to assist it in fulfilling its review mandate. In addition, the IC is entitled to receive a copy of certain reports, or parts of reports, prepared by NSICOP and NSIRA, if they relate to the IC’s powers, duties or functions."

It goes on to add: "In 2021, the IC received one such report from NSIRA."

But if that report had anything to do with the CSE foreign intelligence authorization discussed here, they're not telling us.

Presumably CSE at least knows whether there is a link between the two watchdogs' concerns. If they are linked, maybe CSE has now revisited its somewhat dismissive response to NSIRA's recommendation.


Partially reasonable

As I noted above, this was the first time that the IC approved an FIA only in part. But it didn't come as a complete surprise, as the possibility of such a decision was flagged in both of the IC's previous reports: in both documents, the table summarizing the Commissioner's decisions contained a column labeled "Partially Reasonable" that clearly implied partial rejections were possible.

If you look up the Intelligence Commissioner Act, you will see that s.20(1) offers the Commissioner just two courses of action: approving the authorization or not approving the authorization. It doesn't say anything about approving most of the bits while rejecting other bits. So, in all honesty, I don't understand the statutory basis for this procedure.

But the Intelligence Commissioner obviously does see a basis for this approach, CSE shows no sign of disagreeing with him, and other people who — very much unlike me — have an actual understanding of Canadian national security law and statutory interpretation are comfortable with it too. So I classify this in the category of things-that-clearly-work-that-way-even-though-I-don't-really-understand-why.

And it does seem like a practical approach. It would obviously be undesirable to have large, multi-program authorizations like these refused every time there was a problem with one small element within them. We also wouldn't want the IC to be tempted — or to feel pressured — to let legitimate concerns about particular programs slide for fear of the broad disruption that a refusal might cause. 

An alternative approach would be to require a separate FIA for each separate information collection activity that CSE wished to conduct. But depending on how those activities were broken down, that could lead to a significantly large number of authorizations, each of which would need to be reviewed and signed by the Minister and then considered by the Commissioner. That would create a great deal of additional paperwork, but it's not clear that it would have any actual advantages over the current approach.


More transparency to come?

Last year's IC report promised that "the ICO will explore the possibility of publishing redacted and translated versions of the IC’s decisions on the ICO website." This year's report contains an update on that initiative, noting that "the ICO has made considerable efforts to publish the IC’s decisions on the ICO website. The ICO is working towards having the decisions available online as soon as feasible."

Presumably the delay is primarily the result of CSE's on-going reluctance to countenance the publication of any information the public might find remotely informative. It will be interesting to see what, if anything, is eventually permitted to appear on the ICO website. Among other possibilities, maybe at that point we'll learn if this year's partial rejection was related to the same program that prompted concerns at NSIRA.


Media coverage

As far as I can tell, the ICO report received no media coverage.

But Christopher Parsons' detailed Twitter thread looking at aspects of the report is well worth reading. See also this update to the thread, in which the ICO explains the statutory basis for its approach to authorizations. 

Since Chris's Twitter posts don't last forever, he has generously suggested that I also reproduce the ICO's reply here:

Wednesday, May 25, 2022

History of the Examination Unit

Set up during the Second World War and housed in the National Research Council, the Examination Unit (XU) was Canada's first cryptanalytic agency.

The XU was shut down in the closing days of the war, but elements of it were combined with related armed services SIGINT units to create the Joint Discrimination Unit, which evolved in 1946 into Canada's post-war SIGINT agency, the Communications Branch of the NRC (CBNRC), now known as the Communications Security Establishment. The XU was thus a direct ancestor of today's CSE.

A classified internal history of the XU was compiled under the editorship of Gilbert de B. Robinson, a Canadian mathematician who helped to establish the unit, worked on its staff, and served as its final director.

That 222-page document has long sat available in full to researchers on the shelves of Library and Archives Canada, but the only copy accessible on the Internet (through this blog) was a highly redacted version released more than 30 years ago through an Access to Information request. 

That sad state of affairs ends today. Here is the document in its entirety:

A History of the Examination Unit, 1941-1945 (61 MB PDF)

My thanks to the family of Examination Unit staff member David Hayne for sharing the hard copy with me.

Wednesday, January 12, 2022

A year of Canadian SIGINT history posts

2021 was the Communications Security Establishment's 75th anniversary year. Every day during that year, I posted a Tweet highlighting an item related to Canada's SIGINT activities that had taken place on that date, using the hashtag #CSE75. Most of the items related directly to CSE (or to CBNRC, the Communications Branch of the National Research Council, as CSE was known until 1 April 1975), but there were also a lot about Canada's broader SIGINT history, including many related to the Second World War and even earlier.

It was my hope that, in addition to being interesting in themselves, these Tweets might encourage, or maybe shame, CSE itself to be more open about its past. 

The agency did add a small amount of material about its history to its website during the year, making related Twitter posts using the bilingual hashtag #CSE75CST. But I'm quite sure my efforts had nothing to do with any of that (except for the fact that a number of CSE's items clearly drew in part from information previously published on this blog).

You can still find my #CSE75 posts on Twitter, but I thought it might be interesting and maybe in some way useful to compile them in one place here. They're pretty much as I originally posted them, but I have taken advantage of the blog format to spell out some of the acronyms, correct a couple of typos, and add a bit more explanatory text in a few places.

My plan with #CSE75 was to post something interesting about Canada's SIGINT history for each day of the year. The result is not a comprehensive list of the most important developments in that history. In many cases multiple important events have occurred on the same day of the year, and in other cases the month or year of an event may be publicly known but the exact date is not. Many key developments are more in the nature of processes, to which it is difficult or perhaps meaningless to assign a date. And of course many of the most important events are probably ones of which we in the public are not even aware. 

In some cases I had to stretch a bit to find something interesting to report for a specific date, resorting, e.g., to examples of routine activities by or related to the agency that occurred on that date. But I think those items also help illuminate Canada's SIGINT history.

With those caveats in place, here's the list:

Read more »

Wednesday, December 22, 2021

NSIRA 2020 Annual Report

NSIRA's 2020 Annual Report was tabled on December 10th, 2021. 

I'll try to write a post on the CSE-related items in the report eventually, but in the meantime you can find the great bulk of what I'd probably say—and a lot of additional insights—in Chris Parsons' commentary here. Chris also addresses the non-CSE-related parts of the report, so at his site you get a full-service analysis!

Thursday, December 09, 2021

CSE 2020-2021 Annual Report

CSE's 2020-2021 Annual Report was released on 28 June 2021, and although I discussed the document on Twitter then, it's about time I got around to commenting on it on this blog as well.


Improvement over 2019-2020 report

CSE's 2020-2021 report is considerably more informative than its 2019-2020 report, which was the agency's first attempt at responding to the CSE Act's requirement to produce one. The new report contains about two and a half times as much text as the first one, and while that may be no guarantee of more signal among the noise, in this case it's fair to say that there has actually been some improvement.

As before, however, most of the information provided relates to CSE's cyber security efforts, which account for only about 30% of the agency's resources. The remaining 70% of CSE's resources go to CSE's signals intelligence (SIGINT) side, about which the agency prefers to say as little as possible. Even less is said about CSE's new cyber operations mandate.

SIGINT and cyber operations 

It's inevitable that much about intelligence-gathering and covert-action kinds of activities must remain secret, but the paucity of information here is still disappointing.

CSE's cyber operations mandate was granted only in 2019, and how those powers are used will form a key part of Canada's contribution to determining the future of cyberspace. We already knew that some number of such operations had been authorized; the only new thing we learn in this report is that some have actually been conducted. (More recently, CSE has acknowledged that cyber criminal activity was one of the targets of those cyber operations.)

By contrast, partner agencies such as NSA, GCHQ and Australia's ASD have given specific examples of the operations they undertake, and some of those governments engage in detailed public discussions of appropriate strategies, laws, and norms for cyberspace.

Information on CSE's SIGINT activities is also pretty scant. 

Last year, the National Security and Intelligence Review Agency (NSIRA) decided against publishing a number of statistics about CSE's SIGINT program that formerly had been published by OCSEC, CSE's previous review agency. Since the publication of those statistics had in all cases been approved by CSE, it is evident that no security grounds would prevent their publication by CSE itself. Surely, therefore, CSE's report contains that information at least.

I jest of course.

Read more »

Friday, December 03, 2021

Recent book chapters

In addition to Stress Tested, I have also contributed chapters to two other books published in the last year.

I wrote the chapter on the Communications Security Establishment for Top Secret Canada: Understanding the Canadian Intelligence and National Security Community, "the first book to offer a comprehensive study of the Canadian intelligence community, its different parts and how it functions as a whole." 

The CSE chapter provides a basic introduction to the agency, its mandate and resources, and some of the important questions about its operations and how they do or don't relate to Canadians.

Published by the University of Toronto Press in March 2021, the book is currently on sale at the UTP website for half price.

I also contributed a chapter to Big Data Surveillance and Security Intelligence: The Canadian Case, which was published by the University of British Columbia Press in December 2020.

As I noted here, my contribution is a bit of an outlier since CSE is not actually a security intelligence agency (although of course it does work closely with CSIS), and my chapter, "From 1967 to 2017: CSE's Transition from the Industrial Age to the Information Age," is much more a "history of the present"—how CSE got where it is today—than a discussion of its current Big Data activities. 

However, I think it does serve as a reasonable lead-in to another chapter in the book, written by Scott Thompson and David Lyon, that does look at CSE and Big Data.

The book can be purchased at the UBC Press website. Alternatively, you can download a rather messy and inconvenient—but free—open-access version of the book using the link near the bottom of this page.

Monday, November 29, 2021

Stress Tested

An open-access PDF version of the book Stress Tested: The COVID-19 Pandemic and Canadian National Security is now available at this link

Edited by Leah West, Thomas Juneau, and Amarnath Amarasingam and published by the University of Calgary Press, Stress Tested addresses "topics including supply chain disruptions, infrastructure security, the ethics of surveillance within the context of pandemic response, the threats and potential threats of digital misinformation and fringe beliefs, and the challenges of maintaining security and intelligence operations during an ongoing pandemic," all with a focus on Canada's experience. 

It looks like there's a lot of interesting reading in the book — and once you're done with that you can also check out the chapter that I contributed, "Collection and Protection in the Time of Infection: The Communications Security Establishment during the COVID-19 Pandemic" (pages 127-144). 

The friendly folks at CSE were, as usual, parsimonious with the information, but I wrote some stuff anyway. 

You can find more information about the book, and order a hard copy, here


Update 3 December 2021: See here for other recent CSE-related chapters I've written.

Saturday, June 26, 2021

NSIRA review calls into question legality of identity disclosures

On June 18th, the National Security and Intelligence Review Agency (NSIRA) released the public version of its report on a review the agency conducted in 2020 of CSE's disclosure of Canadian Identity Information to government of Canada clients. NSIRA concluded that CSE’s disclosure regime "may not be in compliance with the Privacy Act", and thus the review agency "submitted a compliance report" to the Minister of National Defence. Although couched in tentative terms, this conclusion is probably about as close as NSIRA is likely to get to saying that CSE broke the law.

OCSEC, the agency that reviewed CSE prior to NSIRA's creation in 2019, made a similar finding only once in its 23 years of existence. That case concerned metadata sharing with foreign partners. It's starting to look like NSIRA, which is still less than two years old, may be considerably more inclined to call out activities that it feels fall short of legal compliance than OCSEC was.

What is the significance of "Canadian Identity Information"?

Canadian Identity Information (CII) is any specific piece of information that can identify a Canadian citizen, permanent resident, or corporation incorporated in Canada, including but not limited to names, phone numbers, email addresses, IP addresses, and identifiers such as passport numbers. Except when operating under Part C of its mandate (discussed below), CSE is only permitted to target foreign entities (persons, groups, corporations) located outside Canada. But sometimes the information obtained by that targeting, or by various types of untargeted collection, contains information about Canadians, potentially including identity information. A foreign target might communicate with a person in Canada, for example, or two foreign entities might discuss information pertaining to a Canadian. Such information may be used in CSE foreign intelligence or cybersecurity reports or otherwise retained by the agency if it is assessed as being "essential" to "international affairs, defence, security or cybersecurity". But normally CII may only be included in those reports if it is "suppressed", which means replaced in the report by a generic reference such as "a Canadian person" or "a Canadian company". Client departments can request that CSE provide them with the information that was suppressed if they have the lawful authority and a suitable operational justification for receiving it.

CII releases were insufficiently justified

NSIRA looked at CSE's record of disclosing CII to Canadian government clients from 1 July 2018 to 31 July 2019, and it did not like what it saw. Over that thirteen-month period, CSE received requests from 15 departments for disclosure of a total of 3708 Canadian identifiers that had been suppressed in reports by CSE or its Five Eyes partners; 3671 (99%) of the identifiers were disclosed to the requesters.

After a closer examination of a sample of the requests accounting for 2351 identifiers, NSIRA found "69% [of the requests] to be justified, 28% to be insufficiently justified to warrant the release of CII, 2% that could not be evaluated, and 1% that CSE denied." (Note that NSIRA did not conclude that these 28% could not be justified, but simply that they had not been sufficiently justified.) NSIRA also found information disclosed by CSE that hadn't even been requested: "NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity."

Disclosures to CSIS, the RCMP, and the Canadian Border Services Agency (CBSA), which accounted for about half of the sample, were considered by NSIRA to be generally appropriate, "with some exceptions." This suggests, however, that half or more of the releases to the 12 other client departments were not considered sufficiently justified. NSIRA recommended that CSE cease disclosing CII to clients other than CSIS, the RCMP, and the CBSA until it addressed the findings and recommendations contained in the review. Such clients would include major intelligence consumers such as Global Affairs Canada and the Privy Council Office, as well as lesser users like Innovation, Science and Economic Development Canada.

Section 16 reporting

Some of the CII released by CSE was derived from information collected in support of CSIS Act s.16 collection of foreign intelligence within Canada. This information is normally collected under the aegis of Federal Court warrants issued to CSIS, and in some cases CSIS asks CSE to help with its collection or processing. CSE sometimes also reports some of the resulting information through its own foreign intelligence reporting channels. If, for example, a CSIS s.16 operation is established to monitor the communications of the South Korean embassy for economic intelligence purposes, as was done in the 1990s, it is CSE that does most or perhaps all of the processing and reporting of the resulting intelligence.

According to NSIRA, the procedures that CSIS uses to limit the release of CII acquired under s.16 are significantly stricter than those applied by CSE in its releases, and as far as NSIRA could tell the Court was not aware that CSE's laxer practices were also being applied to the information collected under its warrants. NSIRA therefore recommended that the Federal Court be fully informed of CSE’s disclosure practices and that, in the interim, CSE cease disclosing CII collected under s.16. In January 2021, CSIS did give the Court a copy of NSIRA's classified report. What happened in the interim and what actions the Court may subsequently have taken are not revealed.

Misleading statements to parliament

NSIRA also commented that CSE's 2018 testimony about s.16 activities to a parliamentary committee was "not a complete representation of the lifecycle of information collected by CSE in its assistance", in that it failed to acknowledge CSE's use of information collected through CSIS s.16 activities. CSE's resort to what I call "secret asterisks" in its public statements about Mandate C activities has long been a source of fulminations on this blog, so it's good to see some attention to this aspect of CSE's public communications.

CSE's response

According to NSIRA, CSE accepted all of the recommendations made in the report. An unclassified version of CSE's response was helpfully made available with the report.

It is evident from that response, however, that CSE disputed NSIRA's characterization of its disclosure practices, arguing that CSE's actions were actually fully compliant with the Privacy Act. It is unclear whether the Minister of National Defence, who forwarded NSIRA's compliance report and CSE's response to Attorney General David Lametti, agreed with CSE's position on the issue or simply washed his hands of it (as he so often seems to do). We also have no information about what the Attorney General did with this information.

It may be that CSE felt a bit blindsided by NSIRA's conclusions. In its defence the agency noted that, "In his final 2018-2019 review, the [CSE] Commissioner confirmed that CSE’s disclosures of CII complied with the law and were done in accordance with ministerial direction."

But it's worth recognizing that even that review expressed serious concerns about CSE's CII practices:

In just under 20 percent of requests, clients provided operational justifications that were generic. CSE explained that generic justifications had been developed in discussion with clients and tested over time. CSE also explained that its analysts learn its clients’ mandates, authorities and requirements. However, the Commissioner’s office believes these generic requests could not be described as robust, as required by CSE policy, because they did not provide an important element required for approving a client’s disclosure request: the requestor’s specific reason for the Canadian identity information. CSE believes these generic requests meet the minimum requirements of policy. However, because the requests contain generic justifications that did not sufficiently outline the requirement for the suppressed information, they failed to meet the Commissioner’s office’s expectations for justifications of Canadian identity information disclosures.

For reference, this is what a Request for Release of Suppressed Information form looks like for CII suppressed in foreign intelligence reports (or at least what it looked like in 2014):

The redacted section contains 13 possible generic justifications for why the requested information is required, the first of which (we know from an earlier release) is "capabilities/intentions/activities of a foreign person, state, organization or terrorist group relating to international affairs, defence or security". The requestor is asked to mark those justifications that apply with an X.

If the process for the release of suppressed information still uses this form or something much like it, then frankly it's not obvious to me how any of the other 80% of requests (or 69% of requests by NSIRA's count) provide robust, specific justifications either. Maybe in those cases the necessary details were provided in the answers to questions 2 and 3.

One nice thing about CSE's response: for the first time since 2011, the agency seems to have given us a reasonably accurate list of the broad Canadian intelligence priorities the agency responds to: "from support to Canadian military operations, [to intelligence about] espionage, terrorism and kidnappings to geostrategic concerns, cyber threats, foreign interference and global crises, among others."

Now, these may all sound rather obvious, and that's exactly what they are, but that hasn't stopped CSE from treating them like life-and-death national secrets in the recent past, so maybe we can take this step as a small sign of progress in the agency's long struggle to learn the difference between things that really do need to be secret and everything else.

Back to the report...

It would be useful if the full list of recommendations made by NSIRA were clearly laid out in the report, in as close to the original wording as declassification permits, to help the public keep track of them. According to the background notes on NSIRA's website, NSIRA made 11 recommendations in this review. It is possible to work out the gist of six or so of these recommendations from the text of the public version, but the rest have been left as a mystery. Maybe the others were rolled into the recommendations provided, but who can tell?

When NSIRA promised to proactively release public versions of its classified reports instead of force researchers to go through the tediously slow and frustrating Access to Information process in order to get a usefully detailed view of what the review agency had to say, I was hopeful that a major improvement in transparency was on the way. The unclassified version that NSIRA released is considerably more detailed than the summaries that were formerly published in OCSEC's annual reports, and it's notable that it includes the first published data on the number of CII items disclosed by CSE (as opposed to the number of requests). This is to NSIRA's and CSE's credit. Kudos also for publishing the report as a searchable PDF and making an unclassified version of CSE's response available. But in the absence of a proper summary of the report's findings and recommendations, it looks like people like me will still be stuck using the Access road.

[Update 22 December 2021: NSIRA's 2020 Annual Report, released on December 10th, reproduces all 11 of the review's recommendations in slightly sanitized but still useful form. It also does this for the other reviews completed during the year, along with the target agency's responses up to that point. NSIRA also states in the report that it "intends to publish and track such information from all reviews on its website." It's great to see NSIRA adopt this approach, and I hope (and expect) that in future NSIRA will also reproduce its recommendations in the released versions of its individual reviews.]

One of the other benefits that I had hoped to enjoy as a result of proactive release was greater timeliness. In this case, the original classified report was submitted to the Minister of National Defence on 25 November 2020, which means it took nearly seven months for this summary to be released. Yes, there's a pandemic going on. But let's hope post-COVID releases will be able to reduce that lag time considerably.

News coverage and commentary:

Jim Bronskill, "Canada's cyberspy agency may have broken privacy law, intelligence watchdog says," Canadian Press, 18 June 2021.

Alex Boutilier, "Spy agency may have broken privacy laws in sharing Canadians' information, watchdog says," Toronto Star, 18 June 2021.

Christopher Parsons, "NSIRA Calls CSE’s Lawfulness Into Question," Technology, Thoughts & Trinkets blog, 18 June 2021.

Intrepid podcast: Episode 161: Review of Review: NSIRA Calls Out CSE and CSIS, uploaded 30 June 2021.

Update 28 June 2021: The original version of this post stated that the CII requests that NSIRA examined were made over a four-year one-month period. While NSIRA did look at some of CSE's disclosure practices over that longer period, the statistics pertaining to identifiers requested and disclosed covered just thirteen months, from 1 July 2018 to 31 July 2019.