Monday, November 13, 2023

The satellite monitoring site that never was



Was Alberta once considered for the location of a satellite monitoring site for CSE? That’s my current working hypothesis. 

An access to information request I recently submitted to the Privy Council Office may eventually provide the evidence to confirm or reject that hypothesis — but only if Ottawa can transcend its reflex for pointless redactions.


During the 1980s, CSE undertook a major effort to modernize the Canadian SIGINT program. Among other initiatives, the agency revitalized its cryptanalytic capabilities, established intercept sites in Canadian diplomatic facilities, began monitoring commercial satellite (COMSAT) communications, and bolstered CSE’s staff by 50%. (You can read more about CSE’s 1980s renaissance here.)

Satellite communications were an increasingly important part of both government and non-government international telecommunications during the 1980s. 

Commercial communications satellite services began in 1965, when an intergovernmental consortium called INTELSAT launched Early Bird, the first commercial communications satellite. Shortly thereafter, NSA and GCHQ set up the ECHELON program to monitor traffic of interest on INTELSAT’s satellites. 

By the 1980s, the growing volume of communications carried by INTELSAT and other commercial and national satellite operators made it desirable to bring the other UKUSA partners into the program. In March 1987, Australia announced plans to construct a satellite monitoring station at Geraldton, Western Australia, and in December 1987, New Zealand announced that it would build a similar station at Waihopai.

For Canada, entry into the satellite monitoring program was understood as a means both of augmenting our contribution to the UKUSA partnership and of collecting intelligence of specific interest to the Canadian government.

Documents recently released to the Canadian Foreign Intelligence History Project (CFIHP) through the Access to Information Act confirm the broad outlines of the Canadian plan. These documents show that the satellite monitoring project was a key element of the renewal plan that CSE pitched to the Interdepartmental Committee on Security and Intelligence (ICSI) in March 1984 in its Strategic Overview of the Cryptologic Program, 1985-1988.

The Strategic Overview document itself is rather heavily redacted, but it does confirm that one of the projects CSE proposed is related to COMSAT collection, and a handwritten annotation notes that this project was approved.

Another document, an External Affairs memo from December 1987, is more revealing, confirming that “ECHELON is a CSE project which was designed to collect Intelsat communications…. Our position on ECHELON has been to support the project as a valuable contribution to the overall Canadian and allied effort.” At the time of that memo, the project was on hold due to legality concerns expressed by the Department of Justice. But those concerns appear to have been resolved not long afterwards, as 1988 documents confirm that the project was back on track. A June 1988 document notes, for example, that “PILGRIM and ECHELON are going forward.” (PILGRIM was the project to operate intercept sites in Canadian diplomatic facilities.) Another document, from March 1988, lists “possible options to address identified intelligence deficiencies," one of which is "greater exploitation of the ECHELON program to yield more Canada-specific information, while contributing to the allied SIGINT effort."

Canadian Forces Station Leitrim, located just south of Ottawa, became the home of Canada's satellite monitoring effort.

Air photos that the author has examined at the National Air Photo Library show that the first satellite monitoring dish was installed at Leitrim between late 1984 and early 1985. A second large dish was installed in 1985-86, followed by a third in 1987 and a fourth in 1989-90. A couple of small dishes were also in place by that time.


This 1988 photo, taken from Leitrim Road, shows the three main dishes then at Leitrim (two of them covered by radomes). A small dish can also be seen between the left-hand radome and the large uncovered dish.


Another site was proposed

The Strategic Overview document reveals, however, that Leitrim was not originally intended to be Canada’s primary satellite monitoring site. The fact that one or more new facilities were envisaged was redacted from the version released to the CFIHP, but a less redacted portion of the document tells the tale:

The risks associated with this initiative relate to the [redacted.] If this does not happen, a COMSAT training and R&D facility to be developed as part of the project at Leitrim will be upgraded to that of a primary facility. The satellite communications which can be collected from this site represent similarly [redacted.]

Another document released to CFIHP also confirms that “Should [redacted element of the plan] fail to happen, a training site planned for C.F.S. Leitrim will be developed into a full-fledged collection station”.

Where might CSE have wanted to monitor satellite communications originally?

Leitrim is in a good location to monitor the INTELSAT satellites stationed over the Atlantic Ocean, which carry communications between the Americas and Europe/Africa. It could also monitor many of the national satellites that serve parts of the Americas, such as Mexico’s Morelos satellites and Brazil’s Brazilsats, both of which systems were established in the 1980s. But it is too far east to monitor the INTELSAT satellites over the mid-Pacific.

Thus, CSE may have wanted to build a separate West Coast site from which to collect satellite traffic between Asia and North/South America. Or it may have sought a single site from which satellites over both the Atlantic and the Pacific — and everywhere in between — could be monitored. 


Alberta bound?

Such a site would have been possible in southern Alberta, although the furthest east of the satellites over the Atlantic and the furthest west of the satellites over the Pacific would not be visible. (The arc of coverage would range from about 175-180 degrees east to 40-55 degrees west.)

Was such a site under consideration? Another document released to the CFIHP suggests it may have been.

The document is a list of intelligence-related files held by the Privy Council Office. Among other topics, the list contains several pages of CSE-related files, including two sets of files, both established in 1986, called “Collection Sites — Alberta”.

It is very unlikely that these files refer to radio collection sites. Canada hasn’t had a radio collection site in Alberta since the Canadian Army’s Grande Prairie site was closed in 1947, and I can’t imagine any reason why CSE would have considered opening a new radio collection site in the province in the 1980s. One of the main goals of CSE’s modernization project was to move the agency away from its overreliance on radio collection: the same year these files were opened the major radio collection site at Inuvik was closed.

Consideration of possible locations for a satellite monitoring site thus seems like a much more likely explanation for these files. In September I submitted an access to information request asking for the records in the files to be released. Now we wait to see what PCO and CSE will agree to release.


But why wait?

In the meantime, it’s fun to speculate as to where an Alberta satellite collection site might have been built had the plan gone ahead.

My wild ass guess is that Canadian Forces Base Suffield, the largest army training area in Canada, was CSE’s main candidate. Located about 50 km northwest of Medicine Hat, the 2,700-sq-km base also hosts DRDC Suffield (formerly called Defence Research Establishment Suffield).

Building the site at Suffield would have made the CSE station quite similar to NSA’s Yakima Research Station, one of the first ECHELON sites, which was located at the U.S. Army’s 1,300-sq-km Yakima Training Center in Washington state from 1974 until roughly 2013, when its functions were transferred to Buckley Air Force Base (now Buckley Space Force Base).

CSE may have hoped that if it built the site on a base like Suffield, its true purpose would go unnoticed. Like Yakima, Suffield would have provided a location big enough to keep the dishes largely away from prying eyes on land already owned by the Department of National Defence and with support services already available. Construction of the dishes could have been explained as communications research work associated with Defence Research Establishment Suffield, while the existing civilian and military workforce at the base would have enabled the mostly military intercept staff to hide in plain sight, at least potentially drawing much less attention than a newly constructed free-standing site would have.

The base was also well served by high-capacity telecommunications, being directly on the route of the Trans-Canada Microwave System.

So Suffield seems like a natural candidate.


As I said, however, this is all wild ass speculation. It may well be that Suffield was never under consideration. It could even be that the “Collection Sites — Alberta” files are unrelated to CSE’s satellite monitoring proposals.

As far as we know, no collection site of any kind has been built in Alberta since the 1940s. There is some reason to believe that in 1992 CSE investigated the possibility of building a separate satellite monitoring station in Ontario, at the former National Research Council radio observatory site at Lake Traverse, Algonquin Park. But nothing came of that either.

In the end, Leitrim became CSE’s primary satellite monitoring site, and it remains the primary site today. Documents confirm that INTELSAT monitoring associated with the ECHELON program went ahead, but it seems that it did so without the construction of a separate satellite monitoring site in Alberta or anywhere else.

Will PCO and CSE release any additional information that sheds light on what CSE proposed, what did and didn’t occur, and why these decisions were made some 35-40 years ago? That remains to be seen.


Friday, November 10, 2023

CSE budget authority tops $1 billion

Planned additions to CSE's fiscal year 2023-24 budget authority that were announced in the Supplementary Estimates (B), tabled in parliament on November 9th, will push the amount of money the agency is authorized to spend this year above the $1 billion mark for the first time in the agency's history.

The changes proposed would result in a $15,196,568 net increase in CSE's 2023-24 budget authority, boosting the total figure from $984,855,602 to $1,000,052,170. 

Notable increases include a $10,771,964 top-up for the ongoing operations of the Canadian Centre for Cyber Security; $1,592,171 for the Interim Quantum Safe Capability project; $1,500,000 for advertising programs; and $1,176,929 to "enhance national security through an academic research initiative" (part of a project originally announced in Budget 2022).

The full list of changes, including an increase in funding for statutory programs and various transfers between departments, can be found in the estimates document. 

Normally, there is a small shortfall between the amount of money CSE is authorized to spend in a fiscal year and the final amount actually spent during that year, so it is possible that the agency's spending ultimately will fall somewhat short of the $1 billion milestone this year. However, there will also be another opportunity for CSE to receive a boost in spending authority before the end of the fiscal year (the Supplementary Estimates (C), expected in February 2024), so the final figure is very much up in the air.

Cyber operations spending revealed

Meanwhile, there has been a change in the way CSE's past spending is reported in the online GC InfoBase

In previous years, CSE's spending was broken down into two major programs: Foreign Signals Intelligence and Cyber Security. But the spending for the most recent year for which numbers are available (FY 2022-23) is broken into four programs (click image for a better view): $336,912,405.10 for Foreign Signals Intelligence, $9,145,757.10 for Foreign Cyber Operations, $280,703,287.42 for Operations Enablement, and $304,486,444.45 for Cyber Security.

No explanation of these categories is provided, so we are on our own to interpret what they mean. I think what's going on is this: The Cyber Security program covers the spending of the Canadian Centre for Cyber Security (the Cyber Centre), as it did in the past. The other three programs cover the spending that used to be reported simply as the Foreign Signals Intelligence (SIGINT) program.

The change was probably made to enable spending on CSE's Foreign Cyber Operations, which comprise the Active Cyber Operations (ACO) and Defensive Cyber Operations (DCO) that were added to CSE's mandate in 2019, to be reported as a separate program. The tricky part is that these activities mostly use the same IT systems and knowledge base and even a lot of the same personnel as CSE's SIGINT activities. They also both benefit from the same administrative and security services, maintenance activities, and office accommodations provided by the agency. It looks to me like these common services are now reported as the Operations Enablement program. It's possible that certain common services also used by the Cyber Centre are listed in that program as well, just to make things more confusing, but I'm guessing that probably isn't the case.

The remaining two programs probably list just the resources dedicated specifically to SIGINT and to cyber operations, possibly just the direct personnel costs for the staff assigned to the SIGINT production chain on the one hand and those assigned to ACO/DCO activities on the other, as measured in full-time equivalents (FTEs). 

Whatever their exact composition, the two spending numbers associated with these programs, $336.9 million and $9.1 million, respectively, would appear to indicate that as of 2022-23 the Foreign Cyber Operations program was only about 1/37th the size of the SIGINT program. In FTE terms, that might translate to something like 60 people in cyber operations. (If more than just direct personnel costs are counted for these programs, the number of people involved would be lower, possibly as low as 30 for cyber operations.)

I would offer kudos to CSE for its willingness to see this information published, but frankly I'm going to wait until next year when we see whether this exercise in transparency continues.

Friday, October 13, 2023

The Seven Ages of Canadian SIGINT

In July 2023, I presented a paper titled "The Seven Ages of Canadian SIGINT" to the 2023 annual conference of the North American Society for Intelligence History. I've done some minor updates and revisions to the paper since then (and it remains a work in progress), but I'm happy to share it here with others who may be interested.

I've reproduced the paper's introduction (minus a couple of endnotes) below. The full paper can be downloaded as a PDF here.


The Seven Ages of Canadian SIGINT

Canada's signals intelligence (SIGINT) program has long served as the country's primary contribution to and justification for membership in the Five Eyes intelligence community. Deep integration with the SIGINT organizations of the United Kingdom and the United States in particular runs as a common thread throughout the history of the program, but Canada's national SIGINT effort has evolved in response to changing national priorities, availability of resources, legal authorities, and technological developments, as well as partnership considerations. This paper outlines the development of Canada's national SIGINT agency, the Communications Security Establishment (known as CBNRC, the Communications Branch of the National Research Council, from 1946 to 1975), and its predecessors, describing seven stages of its evolution from 1941 to the present. These comprise: the Second World War origins of Canadian national SIGINT; CBNRC's post-war creation and search for a role; the agency's mid-Cold War focus on Arctic SIGINT; the effort to revitalize CSE during the 1980s; the post-Cold War interregnum; the rise of the Internet and the Global War on Terror era; and CSE's 2019 transformation into a cyber operations agency.

A single paper can provide only an overview – little more than a sketch map – of the many significant changes that Canadian SIGINT has undergone over this more than 80-year period. Such a map is also limited by the large regions of that history that remain classified by the Canadian government and thus inaccessible to public researchers. In this respect, we don’t necessarily even know what may be missing. 

On the other hand, some regions are already reasonably well mapped. Much of the documentation on the Second World War origins of the Canadian SIGINT program has been declassified, along with some on its early Cold War evolution, and scholarship has built an increasingly detailed picture of developments during those periods, although it is fair to say that significant gaps remain.

Attempts to examine later periods are much scarcer, but useful documentation relating to those periods is beginning to be released. The efforts of Alan Barnes and the Canadian Foreign Intelligence History Project (CFIHP) are especially notable in this regard. Many of the documents cited in this paper were obtained through the CFIHP.

Open sources are sometimes also of help. Because its capabilities are constrained by factors like radio propagation characteristics, computational power, and numbers of personnel, SIGINT is much more susceptible to open-source investigation than human intelligence. When an intercept station was built, where it is located, and what kind of antennas it has can reveal a lot about SIGINT targets and capabilities. 

Canada’s long integration with the SIGINT programs of its major allies the United States and the United Kingdom is also helpful, as information revealed about those programs may tell us a lot about Canada’s program too. Leaked information, although usually incomplete and sometimes inaccurate or misleading, can also fill crucial gaps in the map, at least tentatively.

Drawing on all these sources, it is possible to sketch a rough map of the entire Canadian SIGINT program, albeit with notable blank spots. A map so constructed is more descriptive than explanatory. With only limited access to the documentary record, it is harder to determine why decisions were made than to detect their effects in the physical world. But, for all its limitations, such a map should prove useful to readers seeking to better understand the nature and role of the Canadian SIGINT program and the major trends and developments during its history, and it could help them to orient their own research, place information in context, and better define areas that may be of further interest. That’s the purpose I hope this paper will serve. In my own research I often find myself immersed in minor details of Canada’s SIGINT history.  Much more rarely do I pull back and try to examine the bigger picture those details portray. In that respect, writing this paper has been useful for me at least.

Download the full paper here.

Tuesday, October 10, 2023

Call for papers: Canadian intelligence history


"Canadian Intelligence History at the Crossroads," a conference on the history of Canadian intelligence activities and organizations, will be held at the Canadian War Museum in Ottawa on 3-5 October 2024. 

The following is the call for papers issued by the conference organizing committee:


In partnership with the Greg Centre for War and Society, the North American Society for Intelligence History (NASIH), and the Canadian Association for Security and Intelligence Studies, we are proud to announce a conference on Canadian intelligence history in the fall of 2024. The conference is timed to reflect on a landmark change in Canadian intelligence practice. The year 2024 will mark the 40th anniversary of the birth of the Canadian Security Intelligence Service (CSIS).

We are soliciting individual paper, panel, and roundtable proposals on any relevant aspect of Canadian intelligence history, including the broader societal context, relationships with allied partners, and comparative studies.

Each paper proposal should include both a 250-word abstract and a one-page CV that highlights relevant knowledge. A panel proposal should include: a panel outline (that includes the chair, commentator, and three paper titles); three abstract proposals of 250 words each; and a one-page CV from all participants. All documents should be included in one e-mail. A roundtable proposal should include four to six speakers. Each speaker should provide a title and a 100-word abstract. A one-page CV for each participant must also be included. All of this must be contained in one e-mail. Please e-mail all proposals to Dr. Steve Hewitt at Proposals will be considered starting in January 2024.

The conference will also include sessions devoted to intelligence history scholarship by undergraduate and graduate students. Interested students are encouraged to submit individual paper proposals to include a 500-word abstract and a one-page letter of reference from a member of their department. Proposals for student papers should be e-mailed to Dr. Timothy Sayle at by June 30, 2024. Student participants will be notified by early September 2024 if their papers have been selected.

Saturday, May 27, 2023

Even independent special rapporteurs do it

From Independent Special Rapporteur David Johnston's First Report:
We continued to receive documents, both as suggested by the Canadian Security and [sic] Intelligence Service (CSIS), the Canadian Security Establishment (CSE), or the Privy Council’s Office (PCO), and also as a result of our follow-up requests.
See also Everyone does it, media edition, Even NSA does it, Part I and Part II, Even GCHQ does it, and Even official historians do it.

Friday, March 17, 2023

BCCLA posts CSE documents

Yesterday, the British Columbia Civil Liberties Association (BCCLA) posted an important collection of 284 documents relating to the operations of the Communications Security Establishment. The documents provide a unique window into the ways the statutory provisions governing CSE were interpreted and operationalized by the agency in the period between 2001, when CSE's first statutory mandate was added to the National Defence Act, and the 2019 entry into force of the CSE Act. They also provide rare insight into the way CSE's signals intelligence (SIGINT) and information technology security (ITSEC) programs actually work.

In 2013, in the wake of the Snowden revelations, the BCCLA took the government to court, alleging that CSE’s bulk collection of metadata and incidental collection of private communications violated Canadians’ Charter rights to privacy. The case, which went on for several years, took place behind closed doors, and is likely ultimately to have played an important role in the government's decision to enact a number of reforms to CSE's powers and the oversight and review mechanisms for the agency in the CSE Act and other parts of Bill C-59, passed in 2019. (You can read more about the litigation here.)

During the course of the litigation, the BCCLA was provided with a large body of documents concerning CSE's operations. Although heavily redacted in many parts, these documents contained a lot of never previously revealed information about the agency's activities, with particular emphasis on the rules and procedures governing the collection and handling of communications and other information concerning persons located in Canada and Canadians located anywhere by CSE's signals intelligence (SIGINT) and information technology security (ITSEC) programs.

Unfortunately, they were provided under a confidentiality undertaking that prevented the BCCLA from making them public. However, in 2017 I made an access to information request for the documents, and eventually, following an appeal to the Information Commissioner, they were provided to me with no additional redactions. The government then released the BCCLA from its undertaking.

Now the BCCLA has made the collection, comprising over 4,900 pages of documents, available for download on its website. You can find the links at the end of Greg McMullen's guide to their contents.

I've also put together some introductory notes here.

The following key operational policy documents are included in the collection:

OPS-1, Protecting the Privacy of Canadians and Ensuring Legal Compliance in the Conduct of CSEC Activities (AGC 0022)

OPS-1-1, Operational Procedures for the Release of Suppressed Information from SIGINT Reports (AGC 0020) (28 September 2012 version) and OPS-1-1, Policy on Release of Suppressed Information (AGC 0253) (14 November 2014 version)

OPS-1-6, Operational Procedures for Naming and Releasing identities in Cyber Defence Reports (AGC 0011)

OPS-1-7, Operational Procedures for Naming in SIGINT Reports (AGC 0019)

OPS-1-8, Operational Procedures for Policy Compliance Monitoring to Ensure Legal Compliance and the Protection of the Privacy of Canadians (AGC 0024)

OPS-1-10, Operational Procedures for Metadata Analysis [redacted] (AGC 0012)

OPS-1-11, Retention Schedules for SIGINT Data (AGC 0007)

OPS-1-13, Operational Procedures Related to Canadian [redacted] Collection Activities (AGC 0023)

OPS-1-15, Operational Procedures for Cyber Defence Activities Using System Owner Data (AGC 0018)

OPS-1-16, Policy on Metadata Analysis for Foreign Intelligence Purposes (AGC 0279)

OPS-3-1, Operational Procedures for [redacted; probably "Computer Network Exploitation"] Activities (AGC 0026)

OPS-6, Policy on Mistreatment Risk Management (AGC 0266).

These twelve operational policy documents provide the most detailed window into the policies that govern CSE's operations ever made available to the public. It is important to note that all were superseded in 2018 when CSE introduced an entirely rewritten Mission Policy Suite in preparation for the passage of the CSE Act. However, it is likely that most of the details of those policies remain unchanged, so the documents also provide the best currently available insight into the likely parameters of present operational policies at the agency.

The collection also contains numerous other documents, training materials, and briefing decks that provide further insight into CSE policies and activities. These include:

- The Ministerial Directive issued by the Minister of National Defence on CSE use of metadata (both the 9 March 2005 version (AGC 0004) and the 21 November 2011 version (AGC 0017)).

- The Ministerial Directive on the Integrated SIGINT Operational Model (AGC 0076), which governs CSE's relationship with Canadian military SIGINT activities.

- Examples of the annual Ministerial Authorizations issued under the pre-2019 system to authorize CSE collection activities risking the inadvertent collection of Canadian private communications. Examples of the background memos provided to the Minister of National Defence to explain proposed Ministerial Authorizations are also in the collection.

- CSE's classified Annual Reports to the Minister of National Defence for fiscal years 2010-11, 2011-12, 2012-13, and 2013-14.

- Copies of many of the memoranda of understanding between CSE and client departments on the provision of SIGINT services.

- Subsidiary policy and procedure documents on a wide range of subjects, such as Producing Gists for Indications and Warning Purposes (AGC 0134), Targeting Identifiers for [Foreign Intelligence] under Mandate A (AGC 0135), and Foreign Assessments and Protected Entities (AGC 0136).

- Two training manuals for CSE employees: SIGINT 101 Orientation Program (AGC 0182), an introduction to CSE's SIGINT program, and DGI [Director General Intelligence] Familiarization Manual (AGC 0193), an introduction to work as a SIGINT analyst at CSE.

- Numerous classified reports from CSE's pre-2019 watchdog body, the Office of the Communications Security Establishment Commissioner (OCSEC), and CSE's responses to those reports. These include OCSEC's 2015 review of CSE's metadata activities (AGC 0278), which examines a series of failures by CSE to protect information about Canadians in metadata shared with foreign partners. This report is the best source of information available on those events, which led to the only declaration that CSE had failed to comply with the law that OCSEC ever issued.

In addition to broader policy questions, the documents are an unparalleled source of background information about aspects of CSE's activities. For example, one OCSEC review (AGC 0110) describes the nature of the Client Relations Officer (CRO) system that CSE uses to deliver SIGINT products to many of its government clients. Another (AGC 0179) contains the first data ever released to the public on the percentage of requests made by SIGINT clients for Canadian Identity Information that were approved by CSE (1113 of 1119, or more than 99%). In 2021, the National Security and Intelligence Review Agency (NSIRA), which replaced OCSEC in 2019, was able to release additional data on CSE's approval rate for requests, possibly in part because the BCCLA release had already established that such data could be declassified.

In other cases the documents provide insight into aspects of CSE's activities that the agency is still redacting from NSIRA reports. For example, pages 19-21 of this NSIRA report released in 2021 discussed a flawed policy related to privacy protection that was later rescinded by CSE, but NSIRA was evidently unable to include any information about the nature of the policy in its report. The key details of the policy in question can be found on pages 30-31 of OPS-1-7, Operational Procedures for Naming in SIGINT Reports (AGC 0019).

In other cases, one can observe the evolution of CSE policies over time. For example, in document AGC 0182 (p. 99) it is explained that "we [CSE] do not have to protect the privacy of non-Canadians in Canada. This means that in reports we can name people who are in Canada and who fall into certain categories like holding work or student visas, or who are illegal immigrants." But document AGC 0206 (p. 122) reports that this policy was changed in April 2014, with CSE's privacy policies now covering all persons in Canada. (Given the timing of this change, it's likely that it was made in response to the BCCLA's legal action.)

The documents are also a gold mine of information on the official definitions of key terms used by CSE, encompassing concepts such as Canadian Privacy-Related Information, Metadata, and Contact Chaining. The BCCLA has put together a guide to many of those terms here (but note that their glossary is "a work in progress and not intended as a formal dictionary").

Some of the documents in the BCCLA collection have previously been released to individual requesters through the Access to Information Act. But in many cases the versions released were significantly more heavily redacted than the versions provided to the BCCLA. (The parts of the documents pertaining to CSE's mandate to provide support to federal law enforcement and security agencies are an exception, however, as those parts were redacted in their entirety from the BCCLA documents as "not relevant" to their case.) In addition, in many cases documents released to individual requesters are never published or otherwise made accessible to other researchers or the general public. 

The BCCLA collection is unique in providing systematic access to these documents for online research and downloading.


Update 23 August 2023: You can download individual documents (as opposed to the batches available from the BCCLA) at this GitHub site.

Thursday, December 08, 2022

NSICOP report on Global Affairs Canada

On November 4th, the National Security and Intelligence Committee of Parliamentarians (NSICOP) released the public version of its report on the security and intelligence activities of Global Affairs Canada (GAC), otherwise known as the Department of Foreign Affairs, Trade and Development.

There's a lot of new information in the report about GAC's role in the Canadian intelligence community as overseer, facilitator, collector, assessor, and consumer of intelligence. It's well worth reading.

In the following, I'll focus on what the report says about how Global Affairs works with the Communications Security Establishment.


GAC–CSE relationship

On page 24 (PDF page 33), NSICOP describes the overall relationship between CSE and Global Affairs:

GAC's collaboration with CSE ... dates back to the creation of CSE in 1946. GAC has long been a client of CSE's foreign intelligence collection ***. While GAC has had a formal consultation role for some of CSE's most sensitive activities since 2002, the coming into force of the CSE Act in 2019 provided GAC a more significant role in CSE's new authorities for cyber operations.

(NSICOP uses "***" to indicate where information that was in the classified version of the report has been redacted.)

GAC and CSE formalized their cooperation with the signing of a General Framework Agreement in 2009. The agreement recognized the organizations' cooperation in the collection of foreign intelligence, their long-standing collaboration on the implementation of Canada's Export Control legislation, and their response and handling of cyber incidents targeting GAC. (p 24/PDF 33)

Take note of that mention of "the organizations' cooperation in the collection of foreign intelligence"; we'll return to that point later on.


Computer Network Exploitation

Next we get a quick look at GAC's oversight of CSE computer hacking operations used to collect intelligence from information technology systems and networks, more formally known as Computer Network Exploitation (CNE).

All mentions of CNE are redacted from NSICOP's report, but it is clear from the context that CNE is the subject. (For more fun with CNE redactions, see here.)

The first formal agreement on consultation between CSE and GAC concerned the agency's *** activities. These activities use *** for the purpose of collecting foreign intelligence. In 2002, GAC and CSE signed a memorandum of understanding under which CSE would inform GAC prior to undertaking its most *** outside of Canada. (p 24/PDF 33)

The CNE memorandum of understanding was signed by the Minister of National Defence on 23 April 2002.

The agreement also granted GAC a role in challenging CSE's conduct of certain activities ***. While the 2002 memorandum of understanding remains in place, the two organizations streamlined elements of the agreement in 2015. (p 24-25/PDF 33-34)

GAC's role is to make sure the potential risks/rewards of CNE operations are assessed in the context of Canada's overall foreign policy.


Foreign relationships

CSE is also required to consult GAC before entering into any arrangements with foreign states or institutions. Since the 2019 entry into force of the CSE Act, it has been a statutory requirement that the Minister of National Defence consult the Minister of Foreign Affairs before approving such arrangements.

Given the recent nature of this authority, CSE has not consulted GAC prior to entering into such an arrangement at the time of writing. (p 25/PDF 34)


Defensive cyber operations (DCO)

The CSE Act also requires the Minister of National Defence to consult the Minister of Foreign Affairs prior to issuing an authorization for defensive cyber operations (DCO). DCOs are cyber operations designed to protect Canadian government networks or systems designated as being of importance to the government.

The Minister of National Defence issued the first authorization for defensive cyber operations in *** 2019. CSE officials developed this authorization in consultation with GAC. (p 26/PDF 35)

Although redacted here, the date of the authorization was 5 September 2019, as reported by NSICOP in its February 2022 cybersecurity report (p 77/PDF 89).

The November report provides some additional details on GAC's contribution:

At the operational level, GAC provides foreign policy risk assessments for all of CSE's planned defensive cyber operations. As part of its assessment of the proposed operation, GAC considers potential implications for Canadian interests, the operation's compliance with international law and cyber norms, alignment with broader foreign policy interests, the nature of the target (***) and whether the operations ***. (p 26/PDF 35)

Also interesting is this bit of news:

Between *** and *** , CSE planned but did not conduct any defensive cyber operations, because separate defensive cyber measures taken by CSE obviated the need for the planned cyber operations. (p 26/PDF 35)

It would be even more interesting, of course, if unredacted dates were provided. Fortunately, NSICOP's February 2022 report (p 96/PDF 108) did provide that information, stating that no DCOs were conducted during the first two DCO authorization periods (i.e., from September 2019 to August 2021).

That report also informed us that, "in the first year, normal cyber defence activities successfully mitigated the threat and obviated the need for a separate operation and in the second year, planned operations had not proceeded to the operational stage." (p 96/PDF 108)

It would be interesting to know if any DCOs have yet been conducted.


S.16 activities

Under s.16 of the CSIS Act, CSIS can collect foreign intelligence "within Canada" on request of either the Defence Minister or the Foreign Affairs Minister. This might entail monitoring the communications of an embassy in Ottawa, for example.

CSE often helps with technology, processing, and reporting of the intelligence that results from s.16 collection, and GAC plays a role as a requestor, assessor of foreign policy risk, and intelligence client.

In 2008, officials from participating organizations introduced a formalized governance model [for the s.16 program], which included a requirement to assess potential subjects against criteria linked to Canada's intelligence priorities and a permanent oversight committee structure (the *** Committee) with the responsibility to evaluate and endorse section 16 rationales before they are submitted for approval to the relevant ministers. (p 38/PDF 46)

All information about the committee, including its name, is redacted from NSICOP's report.

By contrast, a 2015 report by OCSEC, CSE's first watchdog agency, described the committee structure in detail, and this information was later released mostly unredacted to reporter Colin Freeze via Access to Information request A-2015-00082.

Some of the details may have changed since then, but if the information was releasable at that time, why not now?


Active cyber operations (ACO)

The CSE Act also "allows CSE to conduct active cyber operations to degrade, disrupt, influence or interfere with the capabilities or intentions of foreign entities." (p 41/PDF 49)

In recognition of the foreign policy implications of these activities, the Act stipulates that the Minister of National Defence may issue this authorization only if the Minister of Foreign Affairs has requested or consented to its issue. (p 41/PDF 49)

Note that this differs from DCOs, which require only consultation with the Foreign Affairs Minister.

"The Minister of National Defence issued CSE's first authorization for active cyber operations in 2019" (p 41/PDF 49), i.e., shortly after the CSE Act came into force.

The 2019 Annual Report (p. 25) of the National Security and Intelligence Review Agency (NSIRA) also confirmed that an ACO authorization was issued that year.

But NSICOP's report goes on to provide considerably more information than was released previously:

Between 2019 and 2020, CSE planned four active cyber operations and carried out one. (p 41/PDF 49)

The ACO that was carried out sought to "disrupt the activities of terrorists and violent extremists." (p 41/PDF 49)

The three ACOs not conducted sought "to disrupt foreign cyber threats to the 2019 federal election"; "to counter the dissemination by specific terrorist groups of extremist material on-line"; and "to mitigate threats posed by foreign cybercriminal groups targeting Canadians". (p 41-42/PDF 49-50)

The election-related ACO was not conducted "because no specific state-led operations were detected", while the other two did not get done "due to operational restrictions arising from COVID". (p 41-42/PDF 49-50)

(For more on the effect of the COVID-19 pandemic on the Canadian security and intelligence community, see this book.)

In August 2019, the Minister of Foreign Affairs directed GAC officials to work with CSE to develop a formal governance mechanism to ensure CSE's cyber operations align with Canada's foreign policy and international legal obligations. (p 42/PDF 50)

This led, in 2020, to the creation of "the CSE–GAC Active Cyber Operations/Defensive Cyber Operations Working Group and a comprehensive governance framework for consultation on cyber operations". (p 42/PDF 50)

The report also reveals that, inside CSE, "the Cyber Operations Group and the Cyber Management Group oversee CSE's cyber operations. These are executive bodies, at the director- and director general-level respectively, that review and approve cyber operation plans and risk assessments. The Director of *** and the Deputy Chief of Signals Intelligence chair the respective committees, and membership depends on ***." (p 43/PDF 51)

This is the first official confirmation, I think, that CSE's cyber operations are lodged in the agency's SIGINT branch.

Interestingly, NSIRA also recently looked at the GACCSE relationship with respect to the governance of ACO/DCO activities.

Among other findings, NSIRA stated that "CSE and GAC have not established a threshold to determine how to identify and differentiate between a pre-emptive Defensive Cyber Operation and an Active Cyber Operation, which can lead to the insufficient involvement of GAC if the operation is misclassified as defensive." (p 69/PDF 77)

In total, NSIRA made nine recommendations for improvements relating to "engaging other departments to ensure an operation’s alignment with broader Government of Canada priorities; demarcating an ACO from a pre-emptive DCO; assessing each operation’s compliance with international law; and communicating with each other any newly acquired information that is relevant to the risk level of an operation." (p 21/PDF 29)

The full set of findings and recommendations can be found on pages 69-71 (PDF 77-79) of NSIRA's report.


PILGRIM's progress

Getting back to NSICOP, the next two pages of the committee's report (p 44-45/PDF 52-53) discuss a program that is ostensibly so secret that all information is redacted except for one sentence: "GAC states that it derives its authority for the program from the Crown prerogative." (p 44/PDF 52)

This is clearly the program known at one time as PILGRIM for the operation of CSE intercept facilities inside Canadian diplomatic missions, our equivalent of U.S. Special Collection Service sites.

Presumably it was this program that NSICOP was alluding to when (as I noted at the beginning of this post) it mentioned GAC and CSE's "cooperation in the collection of foreign intelligence". (p 24/PDF 33)

All of the Five Eyes partners operate such intercept sites, known collectively under the coverterm STATEROOM, but the official policy is to pretend no one knows Canada does this sort of thing, so even the fact of its existence remains classified. That rare allusion is as close as we get to an official confirmation.

Still, NSICOP did manage to flag some concerns about GAC's role in the program in its descriptions of three of the redactions (p 45/PDF 53):

1. "The paragraph noted that the Department does not have any policies, procedures or documents to govern its involvement, and does not have any reporting requirements to the Minister".

2. "The paragraph noted challenges regarding the management of risk."

3. "The paragraph noted the Department's failure to inform the Minister of important issues."

One of the report's four recommendations was probably aimed in part at this program:

R3. [NSICOP recommends that the] Minister of Foreign Affairs put in place comprehensive governance mechanisms for the Department's security and intelligence activities and for those that it supports or contributes to at partner organizations. Those mechanisms should better document processes and decision points to strengthen accountability and institutional memory. (p 95/PDF 102)


Intelligence Access and Countermeasures section

A few pages after the intercept sites discussion — past another almost entirely redacted part called "Logistical Support ***" that probably discusses GAC's occasional provision of support to Five Eyes partner HUMINT agencies like MI6 and the CIA — is a chapter on GAC's own intelligence activities.

There is a lot of very useful and rarely if ever reported information in there about what Global Affairs itself does in this field, but for my purposes I want to highlight just one aspect:

In 2017, GAC established a division within the Intelligence Bureau responsible for the management of highly classified communications at missions abroad. This Intelligence Access and Countermeasures section works closely with CSE to accredit and protect GAC's signals intelligence secure areas. (p 51-52/PDF 59-60)

("Signals intelligence secure area" (SSA), by the way, is the Canadian SIGINT community's equivalent for what in the U.S. is known as a secure compartmented information facility, or SCIF.)

NSICOP's description of the Intelligence Access and Countermeasures section gives the impression that it deals only with GAC's own communications, and maybe it does do only that. But the fact that "Intelligence Access" is included in the section's name may indicate that it also looks after the intercept sites at the missions, which of course also would be located in SSAs.

A probably much less likely theory is that the unit is also mandated to conduct close-access operations, which are designed to enable SIGINT collection by placing antennas or other collection systems in close proximity to targeted information technology systems and/or installing hardware or software implants directly in them.

The foreign intelligence collection authorities granted to CSE in the CSE Act are broad enough to encompass close-access activities:

The foreign intelligence aspect of the Establishment’s mandate is to acquire, covertly or otherwise, information from or through the global information infrastructure, including by engaging or interacting with foreign entities located outside Canada or by using any other method of acquiring information, and to use, analyse and disseminate the information for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities. (s.16)

And the agency could, with Global Affairs' agreement, deputize GAC personnel to conduct such operations on its behalf.

However, heads far wiser than mine consider it all but inconceivable that any Canadian government would ever muster the will to attempt such inherently perilous operations, with their potential for embarrassing exposure and, worse, risk to the life or liberty of the individuals participating.

Also, we might expect there to be a lot more discussion of the topic in this report if the section's role really did extend that far. (That said, it's not impossible that there is such a discussion buried in the redacted parts of the report concerning intercept sites.)

I'm probably letting my imagination run away with me when it comes to close-access ops. But I'll keep pondering that imponderable because certain comments made by CSE's former Deputy Chief SIGINT way back in 2007 leave me strongly inclined to believe that CSE would very much like the government to conduct such operations for it.


There is a lot of other valuable information about GAC's intelligence role in this report, but that pretty much covers the CSE-related aspects.


Redactio ad absurdum

I will make one final complaint about pointless redactions, however. On pages 75-78 (PDF 83-86) there is a case study of a kidnapping incident involving a Canadian from which almost all personal details have been redacted.

Maybe it's intended as a privacy thing, but it only takes about a minute on Google to fill in all those blanks.