Saturday, May 27, 2023

Even independent special rapporteurs do it

From Independent Special Rapporteur David Johnston's First Report:
We continued to receive documents, both as suggested by the Canadian Security and [sic] Intelligence Service (CSIS), the Canadian Security Establishment (CSE), or the Privy Council’s Office (PCO), and also as a result of our follow-up requests.
See also Everyone does it, media edition, Even NSA does it, Part I and Part II, Even GCHQ does it, and Even official historians do it.

Friday, March 17, 2023

BCCLA posts CSE documents

Yesterday, the British Columbia Civil Liberties Association (BCCLA) posted an important collection of 284 documents relating to the operations of the Communications Security Establishment. The documents provide a unique window into the ways the statutory provisions governing CSE were interpreted and operationalized by the agency in the period between 2001, when CSE's first statutory mandate was added to the National Defence Act, and the 2019 entry into force of the CSE Act. They also provide rare insight into the way CSE's signals intelligence (SIGINT) and information technology security (ITSEC) programs actually work.

In 2013, in the wake of the Snowden revelations, the BCCLA took the government to court, alleging that CSE’s bulk collection of metadata and incidental collection of private communications violated Canadians’ Charter rights to privacy. The case, which went on for several years, took place behind closed doors, and is likely ultimately to have played an important role in the government's decision to enact a number of reforms to CSE's powers and the oversight and review mechanisms for the agency in the CSE Act and other parts of Bill C-59, passed in 2019. (You can read more about the litigation here.)

During the course of the litigation, the BCCLA was provided with a large body of documents concerning CSE's operations. Although heavily redacted in many parts, these documents contained a lot of never previously revealed information about the agency's activities, with particular emphasis on the rules and procedures governing the collection and handling of communications and other information concerning persons located in Canada and Canadians located anywhere by CSE's signals intelligence (SIGINT) and information technology security (ITSEC) programs.

Unfortunately, they were provided under a confidentiality undertaking that prevented the BCCLA from making them public. However, in 2017 I made an access to information request for the documents, and eventually, following an appeal to the Information Commissioner, they were provided to me with no additional redactions. The government then released the BCCLA from its undertaking.

Now the BCCLA has made the collection, comprising over 4,900 pages of documents, available for download on its website. You can find the links at the end of Greg McMullen's guide to their contents.

I've also put together some introductory notes here.

The following key operational policy documents are included in the collection:

OPS-1, Protecting the Privacy of Canadians and Ensuring Legal Compliance in the Conduct of CSEC Activities (AGC 0022)

OPS-1-1, Operational Procedures for the Release of Suppressed Information from SIGINT Reports (AGC 0020) (28 September 2012 version) and OPS-1-1, Policy on Release of Suppressed Information (AGC 0253) (14 November 2014 version)

OPS-1-6, Operational Procedures for Naming and Releasing identities in Cyber Defence Reports (AGC 0011)

OPS-1-7, Operational Procedures for Naming in SIGINT Reports (AGC 0019)

OPS-1-8, Operational Procedures for Policy Compliance Monitoring to Ensure Legal Compliance and the Protection of the Privacy of Canadians (AGC 0024)

OPS-1-10, Operational Procedures for Metadata Analysis [redacted] (AGC 0012)

OPS-1-11, Retention Schedules for SIGINT Data (AGC 0007)

OPS-1-13, Operational Procedures Related to Canadian [redacted] Collection Activities (AGC 0023)

OPS-1-15, Operational Procedures for Cyber Defence Activities Using System Owner Data (AGC 0018)

OPS-1-16, Policy on Metadata Analysis for Foreign Intelligence Purposes (AGC 0279)

OPS-3-1, Operational Procedures for [redacted; probably "Computer Network Exploitation"] Activities (AGC 0026)

OPS-6, Policy on Mistreatment Risk Management (AGC 0266).

These twelve operational policy documents provide the most detailed window into the policies that govern CSE's operations ever made available to the public. It is important to note that all were superseded in 2018 when CSE introduced an entirely rewritten Mission Policy Suite in preparation for the passage of the CSE Act. However, it is likely that most of the details of those policies remain unchanged, so the documents also provide the best currently available insight into the likely parameters of present operational policies at the agency.

The collection also contains numerous other documents, training materials, and briefing decks that provide further insight into CSE policies and activities. These include:

- The Ministerial Directive issued by the Minister of National Defence on CSE use of metadata (both the 9 March 2005 version (AGC 0004) and the 21 November 2011 version (AGC 0017)).

- The Ministerial Directive on the Integrated SIGINT Operational Model (AGC 0076), which governs CSE's relationship with Canadian military SIGINT activities.

- Examples of the annual Ministerial Authorizations issued under the pre-2019 system to authorize CSE collection activities risking the inadvertent collection of Canadian private communications. Examples of the background memos provided to the Minister of National Defence to explain proposed Ministerial Authorizations are also in the collection.

- CSE's classified Annual Reports to the Minister of National Defence for fiscal years 2010-11, 2011-12, 2012-13, and 2013-14.

- Copies of many of the memoranda of understanding between CSE and client departments on the provision of SIGINT services.

- Subsidiary policy and procedure documents on a wide range of subjects, such as Producing Gists for Indications and Warning Purposes (AGC 0134), Targeting Identifiers for [Foreign Intelligence] under Mandate A (AGC 0135), and Foreign Assessments and Protected Entities (AGC 0136).

- Two training manuals for CSE employees: SIGINT 101 Orientation Program (AGC 0182), an introduction to CSE's SIGINT program, and DGI [Director General Intelligence] Familiarization Manual (AGC 0193), an introduction to work as a SIGINT analyst at CSE.

- Numerous classified reports from CSE's pre-2019 watchdog body, the Office of the Communications Security Establishment Commissioner (OCSEC), and CSE's responses to those reports. These include OCSEC's 2015 review of CSE's metadata activities (AGC 0278), which examines a series of failures by CSE to protect information about Canadians in metadata shared with foreign partners. This report is the best source of information available on those events, which led to the only declaration that CSE had failed to comply with the law that OCSEC ever issued.

In addition to broader policy questions, the documents are an unparalleled source of background information about aspects of CSE's activities. For example, one OCSEC review (AGC 0110) describes the nature of the Client Relations Officer (CRO) system that CSE uses to deliver SIGINT products to many of its government clients. Another (AGC 0179) contains the first data ever released to the public on the percentage of requests made by SIGINT clients for Canadian Identity Information that were approved by CSE (1113 of 1119, or more than 99%). In 2021, the National Security and Intelligence Review Agency (NSIRA), which replaced OCSEC in 2019, was able to release additional data on CSE's approval rate for requests, possibly in part because the BCCLA release had already established that such data could be declassified.

In other cases the documents provide insight into aspects of CSE's activities that the agency is still redacting from NSIRA reports. For example, pages 19-21 of this NSIRA report released in 2021 discussed a flawed policy related to privacy protection that was later rescinded by CSE, but NSIRA was evidently unable to include any information about the nature of the policy in its report. The key details of the policy in question can be found on pages 30-31 of OPS-1-7, Operational Procedures for Naming in SIGINT Reports (AGC 0019).

In other cases, one can observe the evolution of CSE policies over time. For example, in document AGC 0182 (p. 99) it is explained that "we [CSE] do not have to protect the privacy of non-Canadians in Canada. This means that in reports we can name people who are in Canada and who fall into certain categories like holding work or student visas, or who are illegal immigrants." But document AGC 0206 (p. 122) reports that this policy was changed in April 2014, with CSE's privacy policies now covering all persons in Canada. (Given the timing of this change, it's likely that it was made in response to the BCCLA's legal action.)

The documents are also a gold mine of information on the official definitions of key terms used by CSE, encompassing concepts such as Canadian Privacy-Related Information, Metadata, and Contact Chaining. The BCCLA has put together a guide to many of those terms here (but note that their glossary is "a work in progress and not intended as a formal dictionary").

Some of the documents in the BCCLA collection have previously been released to individual requesters through the Access to Information Act. But in many cases the versions released were significantly more heavily redacted than the versions provided to the BCCLA. (The parts of the documents pertaining to CSE's mandate to provide support to federal law enforcement and security agencies are an exception, however, as those parts were redacted in their entirety from the BCCLA documents as "not relevant" to their case.) In addition, in many cases documents released to individual requesters are never published or otherwise made accessible to other researchers or the general public. 

The BCCLA collection is unique in providing systematic access to these documents for online research and downloading.

Enjoy!

Update 23 August 2023: You can download individual documents (as opposed to the batches available from the BCCLA) at this GitHub site.

Thursday, December 08, 2022

NSICOP report on Global Affairs Canada

On November 4th, the National Security and Intelligence Committee of Parliamentarians (NSICOP) released the public version of its report on the security and intelligence activities of Global Affairs Canada (GAC), otherwise known as the Department of Foreign Affairs, Trade and Development.

There's a lot of new information in the report about GAC's role in the Canadian intelligence community as overseer, facilitator, collector, assessor, and consumer of intelligence. It's well worth reading.

In the following, I'll focus on what the report says about how Global Affairs works with the Communications Security Establishment.

 

GAC–CSE relationship

On page 24 (PDF page 33), NSICOP describes the overall relationship between CSE and Global Affairs:

GAC's collaboration with CSE ... dates back to the creation of CSE in 1946. GAC has long been a client of CSE's foreign intelligence collection ***. While GAC has had a formal consultation role for some of CSE's most sensitive activities since 2002, the coming into force of the CSE Act in 2019 provided GAC a more significant role in CSE's new authorities for cyber operations.

(NSICOP uses "***" to indicate where information that was in the classified version of the report has been redacted.)

GAC and CSE formalized their cooperation with the signing of a General Framework Agreement in 2009. The agreement recognized the organizations' cooperation in the collection of foreign intelligence, their long-standing collaboration on the implementation of Canada's Export Control legislation, and their response and handling of cyber incidents targeting GAC. (p 24/PDF 33)

Take note of that mention of "the organizations' cooperation in the collection of foreign intelligence"; we'll return to that point later on.

 

Computer Network Exploitation

Next we get a quick look at GAC's oversight of CSE computer hacking operations used to collect intelligence from information technology systems and networks, more formally known as Computer Network Exploitation (CNE).

All mentions of CNE are redacted from NSICOP's report, but it is clear from the context that CNE is the subject. (For more fun with CNE redactions, see here.)

The first formal agreement on consultation between CSE and GAC concerned the agency's *** activities. These activities use *** for the purpose of collecting foreign intelligence. In 2002, GAC and CSE signed a memorandum of understanding under which CSE would inform GAC prior to undertaking its most *** outside of Canada. (p 24/PDF 33)

The CNE memorandum of understanding was signed by the Minister of National Defence on 23 April 2002.

The agreement also granted GAC a role in challenging CSE's conduct of certain activities ***. While the 2002 memorandum of understanding remains in place, the two organizations streamlined elements of the agreement in 2015. (p 24-25/PDF 33-34)

GAC's role is to make sure the potential risks/rewards of CNE operations are assessed in the context of Canada's overall foreign policy.

 

Foreign relationships

CSE is also required to consult GAC before entering into any arrangements with foreign states or institutions. Since the 2019 entry into force of the CSE Act, it has been a statutory requirement that the Minister of National Defence consult the Minister of Foreign Affairs before approving such arrangements.

Given the recent nature of this authority, CSE has not consulted GAC prior to entering into such an arrangement at the time of writing. (p 25/PDF 34)

 

Defensive cyber operations (DCO)

The CSE Act also requires the Minister of National Defence to consult the Minister of Foreign Affairs prior to issuing an authorization for defensive cyber operations (DCO). DCOs are cyber operations designed to protect Canadian government networks or systems designated as being of importance to the government.

The Minister of National Defence issued the first authorization for defensive cyber operations in *** 2019. CSE officials developed this authorization in consultation with GAC. (p 26/PDF 35)

Although redacted here, the date of the authorization was 5 September 2019, as reported by NSICOP in its February 2022 cybersecurity report (p 77/PDF 89).

The November report provides some additional details on GAC's contribution:

At the operational level, GAC provides foreign policy risk assessments for all of CSE's planned defensive cyber operations. As part of its assessment of the proposed operation, GAC considers potential implications for Canadian interests, the operation's compliance with international law and cyber norms, alignment with broader foreign policy interests, the nature of the target (***) and whether the operations ***. (p 26/PDF 35)

Also interesting is this bit of news:

Between *** and *** , CSE planned but did not conduct any defensive cyber operations, because separate defensive cyber measures taken by CSE obviated the need for the planned cyber operations. (p 26/PDF 35)

It would be even more interesting, of course, if unredacted dates were provided. Fortunately, NSICOP's February 2022 report (p 96/PDF 108) did provide that information, stating that no DCOs were conducted during the first two DCO authorization periods (i.e., from September 2019 to August 2021).

That report also informed us that, "in the first year, normal cyber defence activities successfully mitigated the threat and obviated the need for a separate operation and in the second year, planned operations had not proceeded to the operational stage." (p 96/PDF 108)

It would be interesting to know if any DCOs have yet been conducted.

 

S.16 activities

Under s.16 of the CSIS Act, CSIS can collect foreign intelligence "within Canada" on request of either the Defence Minister or the Foreign Affairs Minister. This might entail monitoring the communications of an embassy in Ottawa, for example.

CSE often helps with technology, processing, and reporting of the intelligence that results from s.16 collection, and GAC plays a role as a requestor, assessor of foreign policy risk, and intelligence client.

In 2008, officials from participating organizations introduced a formalized governance model [for the s.16 program], which included a requirement to assess potential subjects against criteria linked to Canada's intelligence priorities and a permanent oversight committee structure (the *** Committee) with the responsibility to evaluate and endorse section 16 rationales before they are submitted for approval to the relevant ministers. (p 38/PDF 46)

All information about the committee, including its name, is redacted from NSICOP's report.

By contrast, a 2015 report by OCSEC, CSE's first watchdog agency, described the committee structure in detail, and this information was later released mostly unredacted to reporter Colin Freeze via Access to Information request A-2015-00082.

Some of the details may have changed since then, but if the information was releasable at that time, why not now?

 

Active cyber operations (ACO)

The CSE Act also "allows CSE to conduct active cyber operations to degrade, disrupt, influence or interfere with the capabilities or intentions of foreign entities." (p 41/PDF 49)

In recognition of the foreign policy implications of these activities, the Act stipulates that the Minister of National Defence may issue this authorization only if the Minister of Foreign Affairs has requested or consented to its issue. (p 41/PDF 49)

Note that this differs from DCOs, which require only consultation with the Foreign Affairs Minister.

"The Minister of National Defence issued CSE's first authorization for active cyber operations in 2019" (p 41/PDF 49), i.e., shortly after the CSE Act came into force.

The 2019 Annual Report (p. 25) of the National Security and Intelligence Review Agency (NSIRA) also confirmed that an ACO authorization was issued that year.

But NSICOP's report goes on to provide considerably more information than was released previously:

Between 2019 and 2020, CSE planned four active cyber operations and carried out one. (p 41/PDF 49)

The ACO that was carried out sought to "disrupt the activities of terrorists and violent extremists." (p 41/PDF 49)

The three ACOs not conducted sought "to disrupt foreign cyber threats to the 2019 federal election"; "to counter the dissemination by specific terrorist groups of extremist material on-line"; and "to mitigate threats posed by foreign cybercriminal groups targeting Canadians". (p 41-42/PDF 49-50)

The election-related ACO was not conducted "because no specific state-led operations were detected", while the other two did not get done "due to operational restrictions arising from COVID". (p 41-42/PDF 49-50)

(For more on the effect of the COVID-19 pandemic on the Canadian security and intelligence community, see this book.)

In August 2019, the Minister of Foreign Affairs directed GAC officials to work with CSE to develop a formal governance mechanism to ensure CSE's cyber operations align with Canada's foreign policy and international legal obligations. (p 42/PDF 50)

This led, in 2020, to the creation of "the CSE–GAC Active Cyber Operations/Defensive Cyber Operations Working Group and a comprehensive governance framework for consultation on cyber operations". (p 42/PDF 50)

The report also reveals that, inside CSE, "the Cyber Operations Group and the Cyber Management Group oversee CSE's cyber operations. These are executive bodies, at the director- and director general-level respectively, that review and approve cyber operation plans and risk assessments. The Director of *** and the Deputy Chief of Signals Intelligence chair the respective committees, and membership depends on ***." (p 43/PDF 51)

This is the first official confirmation, I think, that CSE's cyber operations are lodged in the agency's SIGINT branch.

Interestingly, NSIRA also recently looked at the GACCSE relationship with respect to the governance of ACO/DCO activities.

Among other findings, NSIRA stated that "CSE and GAC have not established a threshold to determine how to identify and differentiate between a pre-emptive Defensive Cyber Operation and an Active Cyber Operation, which can lead to the insufficient involvement of GAC if the operation is misclassified as defensive." (p 69/PDF 77)

In total, NSIRA made nine recommendations for improvements relating to "engaging other departments to ensure an operation’s alignment with broader Government of Canada priorities; demarcating an ACO from a pre-emptive DCO; assessing each operation’s compliance with international law; and communicating with each other any newly acquired information that is relevant to the risk level of an operation." (p 21/PDF 29)

The full set of findings and recommendations can be found on pages 69-71 (PDF 77-79) of NSIRA's report.

 

PILGRIM's progress

Getting back to NSICOP, the next two pages of the committee's report (p 44-45/PDF 52-53) discuss a program that is ostensibly so secret that all information is redacted except for one sentence: "GAC states that it derives its authority for the program from the Crown prerogative." (p 44/PDF 52)

This is clearly the program known at one time as PILGRIM for the operation of CSE intercept facilities inside Canadian diplomatic missions, our equivalent of U.S. Special Collection Service sites.

Presumably it was this program that NSICOP was alluding to when (as I noted at the beginning of this post) it mentioned GAC and CSE's "cooperation in the collection of foreign intelligence". (p 24/PDF 33)

All of the Five Eyes partners operate such intercept sites, known collectively under the coverterm STATEROOM, but the official policy is to pretend no one knows Canada does this sort of thing, so even the fact of its existence remains classified. That rare allusion is as close as we get to an official confirmation.

Still, NSICOP did manage to flag some concerns about GAC's role in the program in its descriptions of three of the redactions (p 45/PDF 53):

1. "The paragraph noted that the Department does not have any policies, procedures or documents to govern its involvement, and does not have any reporting requirements to the Minister".

2. "The paragraph noted challenges regarding the management of risk."

3. "The paragraph noted the Department's failure to inform the Minister of important issues."

One of the report's four recommendations was probably aimed in part at this program:

R3. [NSICOP recommends that the] Minister of Foreign Affairs put in place comprehensive governance mechanisms for the Department's security and intelligence activities and for those that it supports or contributes to at partner organizations. Those mechanisms should better document processes and decision points to strengthen accountability and institutional memory. (p 95/PDF 102)

 

Intelligence Access and Countermeasures section

A few pages after the intercept sites discussion — past another almost entirely redacted part called "Logistical Support ***" that probably discusses GAC's occasional provision of support to Five Eyes partner HUMINT agencies like MI6 and the CIA — is a chapter on GAC's own intelligence activities.

There is a lot of very useful and rarely if ever reported information in there about what Global Affairs itself does in this field, but for my purposes I want to highlight just one aspect:

In 2017, GAC established a division within the Intelligence Bureau responsible for the management of highly classified communications at missions abroad. This Intelligence Access and Countermeasures section works closely with CSE to accredit and protect GAC's signals intelligence secure areas. (p 51-52/PDF 59-60)

("Signals intelligence secure area" (SSA), by the way, is the Canadian SIGINT community's equivalent for what in the U.S. is known as a secure compartmented information facility, or SCIF.)

NSICOP's description of the Intelligence Access and Countermeasures section gives the impression that it deals only with GAC's own communications, and maybe it does do only that. But the fact that "Intelligence Access" is included in the section's name may indicate that it also looks after the intercept sites at the missions, which of course also would be located in SSAs.

A probably much less likely theory is that the unit is also mandated to conduct close-access operations, which are designed to enable SIGINT collection by placing antennas or other collection systems in close proximity to targeted information technology systems and/or installing hardware or software implants directly in them.

The foreign intelligence collection authorities granted to CSE in the CSE Act are broad enough to encompass close-access activities:

The foreign intelligence aspect of the Establishment’s mandate is to acquire, covertly or otherwise, information from or through the global information infrastructure, including by engaging or interacting with foreign entities located outside Canada or by using any other method of acquiring information, and to use, analyse and disseminate the information for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities. (s.16)

And the agency could, with Global Affairs' agreement, deputize GAC personnel to conduct such operations on its behalf.

However, heads far wiser than mine consider it all but inconceivable that any Canadian government would ever muster the will to attempt such inherently perilous operations, with their potential for embarrassing exposure and, worse, risk to the life or liberty of the individuals participating.

Also, we might expect there to be a lot more discussion of the topic in this report if the section's role really did extend that far. (That said, it's not impossible that there is such a discussion buried in the redacted parts of the report concerning intercept sites.)

I'm probably letting my imagination run away with me when it comes to close-access ops. But I'll keep pondering that imponderable because certain comments made by CSE's former Deputy Chief SIGINT way back in 2007 leave me strongly inclined to believe that CSE would very much like the government to conduct such operations for it.

 

There is a lot of other valuable information about GAC's intelligence role in this report, but that pretty much covers the CSE-related aspects.

 

Redactio ad absurdum

I will make one final complaint about pointless redactions, however. On pages 75-78 (PDF 83-86) there is a case study of a kidnapping incident involving a Canadian from which almost all personal details have been redacted.

Maybe it's intended as a privacy thing, but it only takes about a minute on Google to fill in all those blanks.


Thursday, August 18, 2022

Notes on CSE's 2021-22 Annual Report


CSE's 2021-2022 Annual Report was released on June 28th. At roughly 15,000 words, the report is significantly longer and more informative than last year's, and about five times as long as CSE's first annual report, released in 2020. Although large gaps remain (and to some extent will always remain), this is starting to be a respectable — and useful — document.

Of course, a lot of that text focuses on the cyber security side of the agency, the Canadian Centre for Cyber Security, which accounts for about 30% of CSE's resources. Relatively little discusses the signals intelligence (SIGINT) and cyber operations side, which accounts for the rest.

This is unsurprising, as spying and online covert action need a pretty substantial level of secrecy. But they are also the areas where CSE's activities are most likely to negatively impact the general public, and boilerplate assurances that CSE is prohibited from directing its activities at Canadians are not enough.

For one thing, this prohibition does not apply when CSE is acting under its assistance mandate, providing support to CSIS, the RCMP, CBSA and other law enforcement and security agencies, subject to their authorities. The report has just one sentence referring to CSE's support activities (p. 12).

Also, between incidental collection of communications and bulk collection of metadata, CSE and its Five Eyes partners can collect, analyze, and report a great deal of information related to Canadians in the course of pursuing their non-Canadian targets.

In its classified reporting to the Minister of National Defence the agency provides a wide range of data on the amount of Canadian-related information it acquires and uses. There is no reason why much of that data could not be declassified and reported here, where it would provide useful reassurance of the limited extent to which CSE invades the privacy of Canadians. That's of course unless the data wouldn't actually be reassuring, in which case there's all the more reason why we should see it.

For more on the kinds of information that could be reported, see my comments on last year's report. Some of this information could and probably should be reported by the National Security and Intelligence Review Agency (NSIRA) also, but in that case too it depends on CSE approving its declassification.

One welcome bit of new information in the report is the discussion of active cyber operations (ACO) and defensive cyber operations (DCO) (pp. 13-14), where we learn a little more about the way authorizations work and the types of activities CSE is conducting.

The report confirms, for example, that a single authorization may cover multiple cyber operations and explains that "there are also cases where an Authorization may be anticipatory, with no operations required in the end."

The examples provided of the types of cyber operation that CSE has conducted are much more revealing than anything previously acknowledged by the agency, noting, for example, the use of "active cyber operations capabilities to disrupt the efforts of foreign-based extremists" and "to assist the Canadian Armed Forces in support of their mission." Note, however, that in neither of these cases is it made clear whether the operations mentioned were conducted under CSE's own active cyber authorities or as assistance activities.

The report also reveals that "CSE has embarked on a long-term campaign designed to reduce the ability of cybercrime groups to target Canadians, Canadian businesses and institutions. Working with Canadian and allied partners, CSE has helped reduce the ability of cybercriminals to launch ransomware attacks and to profit from the sale of stolen information."

Overall, then, the section on cyber operations is much more informative than the grudging acknowledgements the agency has made in the past on the subject and presumably reflects a deliberate decision to use the annual report as the place to begin providing at least a sliver of the kind of transparency CSE keeps talking about.

 

Other information

Also nice to see: the pages on SIGINT (11-12) update the statistics on SIGINT reports, clients, and customer departments/agencies introduced last year and add some general information about the kinds of intelligence topics CSE pursues: "CSE intercepts and analyzes electronic communications and other foreign signals to inform the Government of Canada about the activities of foreign entities that seek to undermine Canada’s national security and prosperity.... CSE SIGINT also supports government policy-making in defence, security and international affairs."

Among the (non-exhaustive) examples of intelligence topics given are:

  • activities of hostile states, including cyber threats
  • cybercrime
  • espionage directed against Canada, including economic espionage
  • foreign interference and disinformation campaigns
  • kidnappings of Canadians abroad
  • terrorism and extremism, including ideologically motivated violent extremism (IMVE), and
  • threats to Canadians and Canadian forces abroad

Unmentioned, however, are the sorts of things that fall into the polite-fiction category, where we pretend no one knows we do them even though everyone knows we do, such as intelligence collection on other countries' negotiating positions at international conferences or data relevant to trade policy.

In no case should any of these topics be surprising, however, which underlines the pointlessness of treating broad intelligence priorities (as opposed to specific targets) as a huge secret.

The report also has a short section following up on NSIRA's concerns about CSE's sharing of Canadian Identifying Information (CII) with SIGINT customers (see my earlier post here). "The [NSIRA] review made 11 recommendations to improve our processes for dealing with these requests. Since the review began, CSE has completed 10 out of the 11 recommendations.... The final recommendation, to conduct a Privacy Impact Assessment (PIA) has been launched. We expect to complete the PIA in 2022."

"The review also raised concerns that some disclosures of CII during the period of the review may have been non-compliant. After detailed analysis of CSE’s program, and the disclosures related to 2,351 Canadian identifiers cited in NSIRA’s report, and following consultations with government partners, CSE is satisfied that all but one of those disclosures were compliant. The single disclosure that was not compliant with the Privacy Act has been retracted and the data that was disclosed has been purged by the receiving institution."

Whether an NSIRA examination would draw exactly the same conclusions may be doubted, but I suspect it would agree in the great majority of cases. (NSIRA's original point wasn't that the requests were unjustifiable, but that the case for their justification had not been properly provided.) Still, it's good to see CSE using its annual report to follow up on issues arising from review agency reports.

 

Resources

On p. 56 we learn that CSE now has around 3200 full-time employees, which is up about 200 from the year before. The agency is now about 3 1/2 times as large as it was at the end of the Cold War! And it's still growing.

The promises made in Budget 2022 imply that CSE could be headed to around 4000 employees over the next several years, although some of that possible growth might go to contractors rather than staff. 

But you won't find any forward-looking budget or staffing data here. Nor will you find current budget data, other than the 2021-22 budget authorities number: $859 million. Note, however, that this number should really be $860 million, since it is almost certainly based on the $859,771,899 figure recorded in the 2021-22 Supplementary Estimates (C). Based on past performance, the actual amount that CSE ends up spending during 2021-22 is likely to be somewhat lower than this, but we won't know that number for some time.

Back when CSE was still part of the Department of National Defence, we used to get a lot more budget data about CSE, with spending broken down into salaries and personnel, operations and maintenance, and capital spending, and also projected into future years:

 

But all of that detail ended when CSE became a stand-alone department in 2011, and the agency has never provided any kind of public explanation of why it can no longer release such information.

By contrast, CSE's colleagues at the Australian Signals Directorate (ASD) manage to publish reams of spending data every year with no evident ill effects. Apparently CSE's data is uniquely sensitive in ways that must never be publicly explained.

 

Conclusion

The above griping notwithstanding, I do think this report is a significant improvement on its predecessors. Kudos to CSE for that.

And this year they finally made it available as a PDF as well as a web document! Yay!

 

For a much more comprehensive look at the contents of the report, check out Chris Parsons' post here

See also media coverage by Alex Boutilier and Cat Tunney.

 

Update 20 August 2022:  

The references to "Mandate C' in the original version of this post have been changed to "assistance mandate". As I was gently reminded, the Mandate C nickname dates to the pre-CSE Act period, i.e., before 2019. While fogies like me may still reach for it as a handy shorthand way to refer to CSE's mandate to assist federal law enforcement and security agencies (including, since 2019, the Canadian Forces and the Department of National Defence), when writing for others it's better to be comprehensible and accurate.