Saturday, December 26, 2020

CANUKUS Planning Conference, March 1953

This photo shows the participants in the CANUKUS (Canada-United Kingdom-United States) Planning Conference held in Washington from March 20th to the 25th, 1953 (click photo for higher resolution; source). The conference took place immediately after a BRUSA conference held at the same location, involving the same U.S. and British delegates, from March 2nd to the 19th. (BRUSA was renamed UKUSA later in 1953.)

The photo shows the conference participants assembled at the main entrance of the Naval Security Station building on Nebraska Avenue in Washington, which was still serving as one of the headquarters buildings of the new National Security Agency before its move to Fort Meade. Although dated March 31st, the photo was probably taken earlier in the month while the CANUKUS conference was still underway.

From left to right, front to back, the attendees are: Lieutenant Colonel Glen C. Long, U.S. Army; Major Dolas M. Grosjean, Women's Army Corps, U.S. Army; Clive (Joe) Loehnis, Deputy Director, GCHQ; Rear Admiral Joseph N. Wenger, USN, Vice Director, NSA; Group Captain Douglas M. Edwards, RCAF, Director of Air Intelligence; Brigadier John H. Tiltman, GCHQ, Senior British Liaison Officer at NSA; Edward M. Drake, Director, CBNRC; Victor P. Keay, FBI; Charles P. Collins, CIA; Commander James C. Pratt, RCN, Director of Naval Intelligence; Lieutenant Colonel Layton E. (Joe) Sarantos, Canadian Army, Director of Military Intelligence; Lieutenant Commander Arthur R. Hewitt, RCN, Director of Supplementary Radio Activities; Captain Bernard F. Roeder, USN; Henry J. Dryden, GCHQ; Commander Herbert H. Ridler, RN; Colonel Robert Gifford Yolland, British Army; Lieutenant Colonel Charles M. Townsend, USAF; T. Jaffray Wilkins, CBNRC, Communications Branch Senior Liaison Officer at NSA; Inspector Cecil H. Bayfield, RCMP liaison officer to the FBI; Dr. Louis W. Tordella, NSA; Arthur W. (Bill) Bonsall, GCHQ; Douglas A. P. Davidson, CBNRC; Robert F. Packard, U.S. State Department; William (Bill) Millward, GCHQ; N. Kevin O'Neill, Coordinator Production, CBNRC; and Wing Commander Frederick W. Hudson, RAF. Of the 26 participants shown in the CANUKUS photo, nine were from Canada, eight from Britain, and nine from the United States. The British and American participants had all also attended the earlier BRUSA conference.

Kevin O'Neill, who later became the second Director of CBNRC and the first to hold the title of Chief following the agency's transfer to DND as the Communications Security Establishment, began his SIGINT career at Bletchley Park and served as part of the British liaison team in Washington just after the war. This late 1945 photo shows him sitting in an office probably no more than 30 metres from where he is standing in the CANUKUS photo.

Rival conferences

O'Neill was also the author of the SIGINT section of The History of CBNRC. That document describes the two back-to-back meetings in March 1953 as "rival" conferences.

What was at stake was governance of the UKUSA/CANUKUS partnership — in particular, how the agreements specifying the details of those partnerships were to be modified over time.

The 1946 BRUSA Agreement was strictly a U.S.-U.K. accord. But the 1949 signing of the CANUSA Agreement by Canada and the United States complicated matters. The CANUSA Agreement was modeled closely on BRUSA, and its appendices, which spelled out the details of COMINT cooperation, were based on many of the BRUSA Agreement's appendices. This was especially true of the crucial Appendix B, which specified security procedures and standards for handling and disseminating COMINT. Except for the names of the parties involved, the two Appendix Bs were identical, and the intent of all parties was to keep it that way. But this created the question of which parties would get to decide when changes were to be made.

As O'Neill related it,
1953 started off with some more rumblings about the desirability of Canada attending UK/US planning conferences where common subjects were involved. The UKUSA partners were planning to discuss their Appendix B on Security, as well as such lesser matters as SACLANT, Weather SIGINT, and counter-intelligence support, some time in March. Canada heard about this in January, and Mr. Glazebrook [the External Affairs officer who chaired the committee in charge of SIGINT policy] took up the question of whether it would not be simpler to deal with changes to Appendix B on a tripartite basis rather than have to handle them in two bilaterals, with the possibility of having to go back and forth between CANUSA and UKUSA Appendices ad nauseam. The Americans (Gen. Canine and V/Adm. Wenger) took the view that since this was a Commonwealth matter, it was up to the UK to decide, and for Britain Sir Eric Jones was adamant that Canada should not be present unless Australia was also.
The question had already been under discussion between the U.S. and Britain during the previous fall as the agenda for the BRUSA conference was being determined. In December, NSA Director Canine asked GCHQ Director Jones for his informal views on the possibility of moving Item 1 of the agenda (Revision of Appendix B - Security) to the "agenda for discussion at tripartite conferences with Canada."

Jones's reply gave two reasons for opposing the inclusion of Canada, one of which was fully redacted from the released record. The second reason, partially redacted, stated: "As the subject matter of Appendix B to the basic BRUSA Agreement has in the past been a matter for discussion between USCIB and LSIB only, it is preferable to maintain that principle and to continue with the arrangement". (USCIB and LSIB, the United States Communications Intelligence Board and the London Signals Intelligence Board, were the policy committees that directed SIGINT policy in the two countries at this time.)

The second reason seems to point to the primary British concern. Avoiding unequal treatment of the Dominions may have been a legitimate concern of the British, but if the exclusion of Australia were really the issue, it seems likely that it could have been resolved by including Australian participation in the conferences. (New Zealand was unmentioned presumably because, although it contributed personnel to the joint British-Australian-New Zealand COMINT centre in Melbourne, it had no COMINT processing organization of its own at this time.)

The real issue for Britain was almost certainly its reluctance to be, in effect, demoted from primary SIGINT partner of the United States to one of two partners of the U.S. having — in nominal terms at least — an equal say over the future evolution of the partnership. Given the importance of the UKUSA partnership to Britain and the great disparity in actual capabilities between GCHQ and CBNRC, this was not a development that the British would have considered either welcome or appropriate.

Britain did agree, however, to consider "the implementation in respect of Canada of paragraphs 11 to 16 inclusive of Appendix Q to the BRUSA SIGINT Agreement" at the tripartite conference to follow, noting that this "particular wording has been agreed in discussions between U.K. and Canadian authorities, and U.K. has already promised Canada to propose it to U.S. as item for discussion at a tripartite conference." (Appendix Q concerned COMINT Collaboration in War.)

The result, according to the History of CBNRC, was
a compromise whereby Washington was the scene of a UKUSA Conference from March 2-19, revising their Appendices B, H, N, P and Q, and reviewing D and O, and a CANUKUS Conference from March 20-25, which dealt with the "lesser" matters such [one line redacted] SACLANT, Wartime Collaboration and Counter-Clandestine SIGINT.
But it was not much of a solution as far as Canada was concerned.
The second lot of proceedings seemed pretty unrealistic, especially since SACLANT and Wartime Collaboration between the US and the Commonwealth had already been dealt with at the UKUSA Conference in their discussions of Appendices P and Q, and the revisions to UKUSA Appendix B had later to be sent to Canada for agreement and incorporation into the corresponding CANUSA Appendix.
Indeed, the tandem-conference experience seems to have been satisfactory to none of the parties. Many tripartite conferences were held among Canada, the United States, and Britain in later years on specific subjects of interest, but the back-to-back UKUSA/CANUKUS conference experiment does not seem to have been repeated.

Subsequent revisions of Appendix B in 1955, 1956, and 1959 were decided by the United States and Britain. Formal or informal consultations on these revisions were sometimes held with Canada ahead of time, but the British position against direct Canadian participation held firm: "Mr. Southam in December 1958 and Mr. Starnes in March/April 1959 took up again the Canadian desire to make Appendix B tripartite; but to no avail, since the British authorities were resolutely opposed to 'triparticity'."

Wednesday, December 23, 2020

First NSIRA annual report released

The first annual report of the National Security and Intelligence Review Agency (NSIRA) was released on December 11th. In many ways the new agency is off to a promising start. But when it comes to information on CSE, the report is a disappointment.

NSIRA was created in 2019, when the National Security Act, 2017 (Bill C-59) was finally done crawling its way through parliament. The new agency took over the duties of the existing watchdog agencies for CSE and CSIS, the Office of the CSE Commissioner (OCSEC) and the Security Intelligence Review Committee (SIRC), but with an expanded mandate that includes examination of the reasonableness and necessity as well as the legality of their activities. It was also given the job of reviewing the other security and intelligence activities across the government of Canada.

The report covers NSIRA's activities during the six months from its July 2019 creation to the end of 2019. Normally we should expect to see NSIRA's annual report sometime in the first half of the year that follows, but since the agency was still in the process of establishing itself and hiring staff, and had to do all that in the middle of a pandemic, it's unsurprising that this first report was delayed to December.

In keeping with the purpose of this site, I'm going to focus primarily on the report's treatment of the Communications Security Establishment. But I'll start with a few comments on the editorial philosophy underlying the report. NSIRA intends to proactively release unclassified versions of each individual review it conducts during the year as soon as they are available, so it is planning to spend less space reporting on those reviews in its annual report and to focus instead on the most significant issues of the year and broad lessons, trends, or themes that may arise. The annual report will also cover other aspects of the agency's operations, such as its complaints investigation function.

This seems like a sound approach to me, and I am especially pleased to see the agency's commitment to the proactive and timely release of the reports on its individual reviews. This has the potential to be a really useful step that, as NSIRA states, could help "to increase transparency and accountability, and to open the door to extensive discussions and debate in the public sphere."

The proof, however, will be in the pudding. This Christmas we got just one pudding, NSIRA’s 2019 Annual Report on the Disclosure of Information under the Security of Canada Information Disclosure Act, which was also released on 11 December.

The value of these releases will depend greatly on the intelligibility of the information provided in them. The need to protect intelligence agency secrets is real, and using a "write-to-release" approach, as NSIRA intends to do, may well be a practical necessity, but NSIRA will have to ensure that the resulting reports are not content-free as well as secret-free. If the end result is the sort of Delphic gibberish that so often characterized the public versions of OCSEC reports, the resulting discussions and debate in the public sphere are unlikely to be any more substantial than they were with OCSEC's reports, which typically were read and sometimes commented upon by me and, um... Hmm. Well, me, at least. Definitely me.

(And to be fair, yes, a few others. There was always a small coterie of the dutiful and the diehard in both academia and the media who could be counted on to read OCSEC's reports, and even, on rare occasions, to write something about one of them. But I doubt any of us disagree about their limited value as a base for public discussion or debate.)

Ultimately, the intelligibility question hinges on the commitment to transparency not just of NSIRA, but of the agencies that NSIRA reviews, as they are the ones who determine what information can be declassified and discussed in public. It was CSE who demanded for years and years that data like the number of Canadians referenced in signals intelligence reports and even words like "metadata", "bulk", "unselected", and "contact chaining" had to remain classified — even when they were already the subject of wide public discussion in other jurisdictions. Through constant pressure OCSEC made considerable progress over the years in expanding the range of what it was permitted to discuss publicly. But if a base for debate was the goal, there was still a long, long way left to go.

What we will need from NSIRA, therefore, is a commitment to engage in an ongoing struggle on this issue. And to consistently keep the public informed.

Happily, it looks like they have already begun to do this. On page 25 of the report we learn that CSE refused to permit NSIRA to reveal the numbers of the various types of ministerial authorizations (MAs) that the agency received under the CSE Act. This is a bad sign for CSE's supposed commitment to greater transparency. (Note to CSE: Invisibility is not the desired end goal of transparency.) But the fact that NSIRA is publicly disputing CSE's position is a very good sign.

Dirty deeds done at government rates

It is also positive that, although it wasn't able to give us the numbers, NSIRA was able to tell us that MAs were indeed signed in 2019 for both active, i.e., offensive, cyber operations (ACO) and defensive cyber operations (DCO). I think this is the first time that fact has been confirmed. CSE's cyber operations powers, which represent a fundamental change in the agency's role, were only granted to CSE in 2019, and knowing the MA numbers would provide some minimal sense of how much CSE is ramping up those activities.
The review agency also notes that it "considers our reviews of ACO/DCO actions to be particularly important. Unlike in the case of CSIS [threat reduction measures], CSE has no statutory obligation to notify NSIRA when it undertakes ACO/DCO activities. NSIRA intends, however, to focus proactively on these activities." The report's endnotes also contain this warning: "Under the governing statutory framework, it ... seems likely that ACO/DCO activities undertaken by CSE must accord with relevant international law." I suspect we'll be hearing more about this issue eventually.

Foreign intelligence and cybersecurity MAs

CSE also refused to permit NSIRA to report the number of foreign intelligence and federal and non-federal cybersecurity MAs granted in 2019. These MAs are also new, but the numbers of similar MAs were reported by OCSEC, NSIRA's predecessor, in each of the prior 6 years. Not any more, says CSE.

[Update 21 February 2021: The Intelligence Commissioner's Annual Report 2019, released in January 2021, gave us the total number of foreign intelligence and cybsersecurity authorizations issued in 2019: five. It also told us that four were year-long authorizations and one was for six months only. Which pretty much answers our overall numbers questions. Under the previous system of MAs, there were 3 one-year-long SIGINT MAs and 1 one-year-long cybersecurity MA issued every year. We know from NSIRA's report that there were at least two cybersecurity MAs this time, one for federal government infrastructures and one for the new category of non-federal infrastructures (presumably the six-month authorization), so it looks like the 2019 numbers were three SIGINT MAs, one federal cybersecurity MA, and one non-federal cybersecurity MA. My guess is that the last number, the number of non-federal MAs could vary by quite a lot from year to year, but the other ones aren't likely to change much. We'll see.]

These MAs are supposed to cover all CSE information collection activities that "might otherwise contravene an act of Parliament or interfere with the reasonable expectation of privacy of a Canadian or any person in Canada." So it is intriguing that the report tells us that NSIRA's future review of CSE collection techniques "will start by focusing on certain collection techniques that are authorized under a ministerial authorization and comparing them to techniques that are authorized through other channels." Just what are these other channels? Is this a reference to "publicly available information" or is there something else squeaking through here somehow? They're not suggesting that intercepts of communications involving persons in Canada that are passed to CSE by allies are exempt from expectations of privacy, are they? I for one will be interested to see what emerges from this investigation.

Missing information

Meanwhile, a whole lot of other items of information previously reported by OCSEC are also missing from this report, notably data on CSE's use of private communications (PCs), i.e. communications with at least one end in Canada.

The missing data includes:
  • The number of recognized PCs retained for possible use under CSE's foreign intelligence program.
  • The number of those PCs used in CSE SIGINT reporting.
  • The number of reports PCs were used in.
  • The number of PCs retained by CSE at the end of the review period.
  • The percentage change in the total number of recognized PCs intercepted by CSE's foreign intelligence program.
  • The number of PCs "with substantive content" used or retained by CSE's cybersecurity program.
Also missing:
  • The number of requests made by Canadian government clients for disclosure of Canadian Identity Information (CII) cited in reports by CSE or Five Eyes partners.
  • The number of requests for CII made by Five Eyes partners.
  • The number of requests made by other states.
The report does tell us the number of privacy incidents added to CSE's Privacy Incidents File in 2019: 123. But it doesn't explain why this is nearly three times as many as the 44 reported in the last OCSEC report. Nor do we get the number in the Second Party [Privacy] Incidents File.

NSIRA does recommend, however, that "CSE should examine the totality of all privacy incidents with the view to identifying systemic trends or areas of weakness in existing policy and/or practice that may reduce privacy incidents." So maybe NSIRA wants to know why the number went up too.

The report also notes that NSIRA warned CSE during its review that one method used to mitigate privacy incidents "did not appear to meet legal and Ministerial Authorization criteria and has the potential to engage section 8 of the Charter." According to the report, CSE decided in November 2019 to "rescind the practice" in question, but NSIRA nonetheless recommended that "CSE should rescind this policy, or obtain a legal opinion on the lawfulness of this practice."

Presumably we will receive updates of CSE's responses to NSIRA recommendations in future annual reports.

OCSEC made a regular practice of doing this (although often in rather vague terms), but in another case where information that used to be reported has for the moment ceased to appear, the NSIRA report fails to follow up on the status of the ten OCSEC recommendations that the last OCSEC report said CSE was working on.

All in all, there's a lot of information about CSE that was provided in the last OCSEC annual report that is not in this successor report.

Unlike the MA situation, in most of these cases, I would assume, this is not because CSE has suddenly insisted on withholding it.

And maybe it's not gone for good. It may be that some of this information will appear during the year as NSIRA releases specific reports about its individual reviews. I certainly hope that's the case.

But it is not at all clear that any more releases (beyond those reviews mentioned in the report) are coming from OCSEC's final year/NSIRA's first year. Nor is it evident that NSIRA intends in future years to continue collecting and reporting the data missing from this report.

So, is NSIRA off to a good start or not?

In many ways I think it is, but with respect to reporting on CSE, the picture is mixed, and it's not possible to be certain at this point.

Update 20 February 2021: Leah West and I discuss the NSIRA report and the recent report of the Intelligence Commissioner with Stephanie Carvin on Episode 148 of the Intrepid Podcast.

Thursday, November 19, 2020

National Cyber Threat Assessment 2020 released

CSE's Cyber Centre released its second report on cyber threats to Canada, National Cyber Threat Assessment 2020, on 18 November 2020. The new report comes two years after the agency's first report on the topic, which I blogged about here.

"Key Judgements" in the report are as follows:
  • "The number of cyber threat actors is rising, and they are becoming more sophisticated. ..."

  • "Cybercrime continues to be the cyber threat that is most likely to affect Canadians and Canadian organizations. ..."

  • "We judge that ransomware directed against Canada will almost certainly continue to target large enterprises and critical infrastructure providers. ..."

  • "While cybercrime is the most likely threat, the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada. ..."

  • "State-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure, such as the supply of electricity, to further their goals. We judge that it is very unlikely, however, that cyber threat actors will intentionally seek to disrupt Canadian critical infrastructure and cause major damage or loss of life in the absence of international hostilities. Nevertheless, cyber threat actors may target critical Canadian organizations to collect information, pre-position for future activities, or as a form of intimidation."

  • "State-sponsored actors will almost certainly continue to conduct commercial espionage against Canadian businesses, academia, and governments to steal Canadian intellectual property and proprietary information. ..."

  • "Online foreign influence campaigns are almost certainly ongoing and not limited to key political events like elections. Online foreign influence activities are a new normal, and adversaries seek to influence domestic events as well as impact international discourse related to current events. We assess that, relative to some other countries, Canadians are lower-priority targets for online foreign influence activity. However, Canada’s media ecosystem is closely intertwined with that of the United States and other allies, which means that when their populations are targeted, Canadians become exposed to online influence as a type of collateral damage."
Most of these judgements seem like fairly common sense—or what would be common sense if there actually were such a thing—and they're not wildly different from most of the ones in the first report.

But there are some interesting changes in detail.

This year's report cites China, Russia, Iran, and North Korea by name. Canada and its Five Eyes partners have been calling out these states increasingly often in the past two years so it's not especially surprising to see them named here now, but it is still a welcome development to see growing transparency around these issues. Also welcome would be a detailed statement of the government of Canada's views on the legal and ethical bounds on state behaviour in cyberspace, as has long been promised by the department of Global Affairs but has yet to appear.

The report's warning about the threat to Canada's electricity supply and other elements of critical infrastructure is also more detailed than in the past. On page 21 the document specifies that, in the agency's judgement, "state-sponsored actors are very likely attempting to develop the additional cyber capabilities required to disrupt the supply of electricity in Canada."

These activities, and similar ones targeting other aspects of critical infrastructure, pose a very serious threat to Canadians (although it should be recognized, as the report itself emphasizes, that such preparations probably do not imply any imminent intent to attack those systems).

Here I think it would be useful for the Cyber Centre not simply to warn Canadians about such threats, but also to explain what the government is doing and plans to do about them. Protecting the electricity supply is not something the average denizen of this land can contribute to; it's a job for the electricity industry and for the government, working together. But it would be useful for the rest of us to know what the plan is—maybe not in a threat assessment document, but somewhere.

The government does publish general cyber security strategy documents, such as this National Cyber Security Action Plan, every now and then. And the Cyber Centre publishes detailed alerts and guidance about very specific issues, which are of course a crucial part of the service the Centre provides. But if we're going to be told that the electricity supply is potentially at risk it would be nice to know a bit more concrete information about the plan to protect it—and maybe to receive some assurances that prevention, mitigation, and recovery plans are actually being put in place.

At the moment, we don't even know such basic information as the total amount of money the government is spending on cyber security this year, or even the amount the Cyber Centre spends. A figure for the Cyber Centre's spending in the last fiscal year, 2019-20, will presumably be reported soon in the next edition of the Public Accounts, but no information is made available on current spending, or on the amounts envisaged for future years.

[Update 2 December 2020: Actually, it's even worse than that: the "program spending" numbers that would tell us how much CSE spends on cyber security were last reported in the Public Accounts in 2018, covering fiscal year 2017-18. For now at least the breakdown still shows up online in the government's Infobase data, evidently updated sometime around the time the latest Public Accounts come out. But as far as I can tell there is no longer any document that formally reports this data to parliament or the public.]

This, however, is a topic for a different report.

The National Cyber Threat Assessment 2020 is a useful and informative document that is well worth giving a close read.

The plan at the moment is to update it again in two years' time, although officials at the Centre say that timeline could change if circumstances warrant.

In addition to the assessment, the Centre also released an updated version of its companion document, An Introduction to the Cyber Threat Environment, intended to provide "baseline knowledge about the cyber threat environment, including cyber threat actors and their motivations, sophistication, techniques, tools, and the cyber threat surface."

Media coverage:

Alex Boutilier, "Cyber defence agency says hostile states are developing ways to disrupt Canada’s power grid," Toronto Star, 18 November 2020.

Jim Bronskill, "Canada's cybersecurity agency warns of online threats that exploit COVID-19 fears," Canadian Press, 18 November 2020.

David Ljunggren, "‘State-sponsored actors’ could target Canada’s power grid, intelligence agency warns," Reuters, 18 November 2020.

Catharine Tunney, "State-sponsored actors 'very likely' looking to attack electricity supply, says intelligence agency," CBC News, 18 November 2020.

Rachel Aiello, "Cybersecurity agency calls out four countries as the 'greatest strategic threats' to Canada," CTV News, 18 November 2020.

Christopher Nardi, "China, Russia, Iran and North Korea are Canada's 'greatest strategic threat': CSE report," National Post, November 2020.

Marc Montgomery, "Canadian security agency warns of ‘state-sponsored’ cyber threats," Radio Canada International, 19 Novemer 2020.

Also highly recommended: Twitter commentary on the report by Citizen Lab's Chris Parsons.
You can also listen to Chris being interviewed about the report by Leah West for the Intrepid Podcast here.

Thursday, November 12, 2020

Even official historians do it

From Behind the Enigma, the recently released official history of GCHQ by Canadian John Ferris:
In 2003, the United States cut military cooperation over Canada's opposition to the invasion of Iraq, but not with the Canadian Security Establishment (CSE).
See also Everyone does it, media edition, Even NSA does it, Part I and Part II, and Even GCHQ does it.

Tuesday, October 20, 2020

Five Eyes Minus One: Thinking the Unthinkable

The following is a brief I wrote to accompany my presentation at the Understanding the Five Eyes twitter conference hosted by the University of Ottawa's Centre for International Policy Studies on September 30th. (Check the CIPS blog to see the very interesting briefs contributed by the other conference presenters.)

The US National Security Agency (NSA) is by far the largest and best-resourced of the Five Eyes SIGINT partners. The four other members of the partnership, the UK's Government Communications Headquarters (GCHQ), Canada's Communications Security Establishment (CSE), the Australian Signals Directorate (ASD), and New Zealand's Government Communications Security Bureau (GCSB), have always been fiercely protective of their unique relationship with NSA. But there's no guarantee that the Five Eyes relationship will always be there.

What would happen if the US were to withdraw significant SIGINT cooperation or otherwise become an untenable partner? If the other SIGINT partners were to continue working together — call it the Commonwealth SIGINT Organization (CSO) — what capabilities would they have?

Global reach for collection

The impact of such a break would certainly be very large, but the assets and resources available to the CSO agencies would remain substantial.
Such capabilities would include:
  • Radio monitoring sites that provide global intercept and direction-finding capabilities for traditional long-range HF targets.

  • Satellite monitoring sites that provide complete coverage of the geostationary satellite belt. (Only a limited number of satellites can be monitored at any time and not all spot beams can be covered, but this is also true of the Five Eyes as a whole.)

  • Fibre-optic cable access points in the U.K., Oman, and (reportedly) Singapore that provide significant access to global Internet traffic. Arrangements with specific telecommunications carriers almost certainly provide significant additional access.

  • Diplomatic facilities, providing potential locations for intercept operations, operated by one or more CSO members in almost all countries. Not all of these locations are suitable for such activities, and the proportion where they exist is probably quite small, but all four CSO members have active intercept programs from diplomatic facilities. They also monitor foreign diplomatic facilities on their soil.

  • Computer Network Exploitation (CNE) programs operated by all four agencies. Such activities are inherently global in reach. As the spread of encryption makes "data in transit" increasingly difficult to exploit, it is likely that acquisition of "data at rest" continues to grow in importance. At least three of the four agencies also operate offensive cyber operations programs.
Significant resources

Despite differing organizational structures and limited transparency, it is possible (with just a moderate amount of hand-waving) to get a rough sense of the size and budget of the CSO agencies relative to those of the NSA.
These numbers suggest that the CSO's resources might be as much as 1/4 the size of those of NSA. (Note, however, that significant US SIGINT capabilities provided by other agencies, most notably CIA SIGINT activities and NRO-funded SIGINT satellites, are not included here.)

Statistics on SIGINT report production by these agencies in 2011-12, while also incomplete, suggest a combined CSO output on the order of 1/5 of the US output (~30,000 from the CSO agencies vs ~150,000 by the US), which is broadly consistent with the resource picture above.

In combination, these CSO capabilities would exceed the national SIGINT efforts of all but the US, China and Russia, and would likely surpass China and Russia in at least some respects (e.g. geographical reach).

Post-break relationship with NSA

The effectiveness of the CSO would also depend on the nature of its post-break relationship with the NSA.
  • A complete cessation of cooperation would be challenging, as it would entail the loss of all access to US collection assets, acquired data, reporting, technology, and expertise.

  • Even more challenging would be a hostile break featuring not only a termination of cooperation but an actively adversarial relationship going forward. This is probably the least likely scenario, however, and would probably occur only in the context of a much more general break in relations with the US, with the resulting economic and security concerns dwarfing those related to intelligence cooperation.

  • More likely, perhaps, would be the replacement of the existing partnership by a more limited, transactional relationship similar to those between NSA and Third-Party countries. In this case, the CSO agencies would have much to offer—not only continued access to some or all CSO resources and output but also continued hosting of two of the three mission ground stations for US high-altitude SIGINT satellites—and the partnership might expect to retain access to NSA resources and outputs at levels comparable to those provided by the CSO.
CSO relationship with Third Parties

To bolster its reach and capabilities, the CSO would likely seek to maintain or extend its Third-Party relations with capable partners such as France, Germany, the Netherlands, other members of the Maximator Group, and/or other potential partners such as Japan and India.
However, few potential partners would be likely to risk their existing relationship with NSA, or their country's broader security relationship with the US, to work with the CSO if the US were opposed to that cooperation. The American position would thus be crucial. If the US were in the process of withdrawing cooperation with some or all of those countries as well, many might be keen to deepen ties with the most capable global intelligence partnership available to them.


With a substantial combined workforce with leading-edge skills and long experience in working together, an extensive installed intercept network with global reach and interoperability, sophisticated independent CNE capabilities, and, potentially, the option to expand existing cooperative arrangements with several significant Third-Party SIGINT agencies, the CSO members might be expected to retain a SIGINT capability surpassed only by those of the US and (in at least some measures) China and Russia. Their combined potential would be even more significant if, to continue benefitting from CSO capabilities, NSA retained some form of Third-Party relationship with its former partners following the break.

Tuesday, September 29, 2020

Second World War origins of Canadian post-war SIGINT cooperation

A fascinating new article on the Second World War origins of Canadian post-war SIGINT cooperation was published in May in the journal Intelligence and National Security (Maria A. Robson: The third eye: Canada’s development of autonomous signals intelligence to contribute to Five Eyes intelligence sharing).

Robson argues that the Canadian SIGINT program has supplied three core benefits for Canada: "first, directly bolstering Canadian national security, second, indirectly bolstering it through increased knowledge of threats to Canada stemming from partners’ intelligence products, and third, alliance tending: producing a product of value to ensure inclusion in postwar intelligence alliances." The last of these, ensuring inclusion in what became the Five Eyes intelligence partnership, she identifies as the dominant driver of Canada's decision to create a post-war Canadian SIGINT organization. 

Drawing on archival research (including previously unreported material from the UK National Archives) and previous scholarship by Wesley Wark, Kurt Jensen, and others, the article also adds to our knowledge of Canada's efforts to insinuate itself into the wartime signals intelligence partnership as an independent — albeit always minor — player capable of dealing directly with both London and Washington.

Well worth reading!

Monday, September 14, 2020

One CSE, known and trusted by declining numbers of people

Back in July, shortly after CSE released its first annual report, I commented that the agency's new catchphrase, "We are one CSE, known and trusted," seemed more an aspiration than a statement of fact.


On September 4th, CSE quietly dropped the results of its latest public opinion poll, and it turns out the agency is even less known than it was back in 2017, when CSE's first poll determined it was almost entirely unknown.

Trust in CSE has also declined. 

CSE's plan, it seems to me, has been to let the spy side of the agency leach off the goodwill generated by the cybersecurity side while saying as little as possible about what the former 70% of the agency actually does. But that approach may be at risk of backfiring, serving instead to undermine trust in the Cyber Centre by making it look like a sort of stalking horse for the shadowy spies.

My firmly held (and frequently stated) belief is that greater transparency by CSE is the key to helping the agency become both better known and more trusted. 

Unfortunately, despite its substantial PR staff, the agency has become less transparent in recent years, and its annual report — a glorified brochure — was a wasted opportunity.

So my advice to CSE is stop playing the PR games and start doing a better job of living up to your professed commitment to transparency. 

Release of the poll was mandatory, so that act in itself was no great step for transparency. But I do give points to the agency for tweeting it out, which it didn't have to do. 

Tweeting it at 4:01 pm on a Friday though? Maybe there was a good reason for that, but it sure looks like old-school PR bullshit.

Maybe not the best way to get better known and trusted.

Update 15 September 2020: The media takes note:

And CSE weighs in too:

Apropos of nothing, I wonder if there's an emoji for extended bitter laughter followed by sudden bursting into tears...