Friday, February 07, 2020

Wark on Canada's Arctic SIGINT mission

An important new article by intelligence historian Wesley Wark tells the story of how Canada's signals intelligence effort came by 1957 to focus almost entirely on the polar basin and the Soviet Arctic, taking the lead on the region for the entire UKUSA community (Wesley Wark, "Favourable geography: Canada’s Arctic signals intelligence mission," Intelligence and National Security, published online 6 February 2020). Wark's article is a must-read for anyone interested in the history of the Canadian signals intelligence effort.

When the Communications Branch of the National Research Council (CBNRC), as CSE was known prior to 1975, was created in 1946, it worked on a variety of minor targets that had been agreed in consultation with its U.K. and U.S. partners, but the Soviet Union was not among them. That changed not long afterwards, but it took a decade for the Soviet north to become the agency's almost exclusive target.

Wark highlights three developments that were necessary to that evolution:
  • Creation of an Arctic intercept capability;
  • Commitment of sufficient resources to CBNRC and the SIGINT program as a whole; and
  • Agreement of the Allies to cede the Arctic mission to Canada.
Each was a struggle, and failure to overcome any one of these challenges "would have doomed the effort." Each is discussed in turn.

(The map above, derived from the one in the article, shows the strategic intercept stations that collected communications in support of CBNRC's SIGINT effort during the post-war period; stations that were used only for radio direction-finding are not shown. See here for the years of operation of the various stations.)

The fact of CBNRC's move to an Arctic focus has been known for some time, but this is the only place where that evolution has been laid out with such clarity and detail, in part because those details have only recently been declassified by the government.

As Wark explains, his account "draws primarily from two recently declassified Canadian narratives," one of which he himself wrote:

(1) Wesley Wark, History of the Canadian Intelligence Community, 1945–1970, Chapter 5, ‘Postwar SIGINT: The Road to the Arctic,’ draft produced for the Privy Council Office, 1998–2002, redacted version obtained through Access to Information (July 2019). Unfortunately eight pages of this chapter (nearly 25%) remain redacted in their entirety while 65% of the 34 pages of this chapter suffer from partial redactions. The history is held by the Privy Council Office, who are responsible for Access decisions.

(2) Kevin O’Neill, History of CBNRC (August 1987), volume I, chapter 5, ‘Interception at Stations,’ redacted version obtained through Access to Information. The history is held by the Communications Security Establishment (CSE).

I made the latter document available for download here. Now, with the gracious agreement of the original Access requestor, Jim Bronskill, I am able to make the former document available as well.

This is the second major contribution that Wark has made in recent months to understanding the history of the Canadian signals intelligence program. The earlier article looked at the CANUSA communications intelligence agreement reached by Canada and the U.S. in 1949. (See Wesley Wark, “The road to CANUSA: how Canadian signals intelligence won its independence and helped create the Five Eyes,” Intelligence and National Security, published online 7 November 2019; mirrored here.)

Now if we could just get him to write the entire history of the agency!

That, however, would require a level of cooperation and transparency by CSE and the broader Canadian intelligence authorities that does not seem to be in the offing. I'd be happy to be proven wrong though.

Wednesday, November 20, 2019

History and its missing contents

It's no secret that the history of intelligence agencies is mostly hidden away in locked cabinets and encrypted data banks.

SIGINT agencies have traditionally been among the most secretive parts of that top-secret world. The darkness shrouding the Second World War SIGINT activities of the countries now known as the Five Eyes began lifting in a significant way only 30 years after the end of that war. Now, 30 years after the end of the Cold War, we are beginning to get a clearer picture of the outlines of SIGINT activities during that era, but huge gaps still remain. And most of the post-9/11 picture is even darker.

The closer we get to examining the present, the more we are forced to rely on information from investigative journalists, leakers, whistleblowers, the cryptic reports of oversight and review bodies, and, erm, researchers of an unusually obsessive nature to shed a glimmer of light on the vast territories of official darkness that swath these agencies.

But this is only a partial and far from satisfactory expedient. Over the longer term to get anywhere near a complete picture we need the agencies themselves to maintain detailed archives and oral history records and to make them available to historians and other researchers in essentially complete and unredacted form.

That, unfortunately, can take many, many decades. We're still waiting to get the full, entirely unredacted picture of the war against Hitler and Tojo. And while there may be little excuse for that, the agencies do have legitimate reasons to remain silent about many aspects of their work. Timidity, inertia, and a lack of resources for declassification also slow the process.

One useful step in the meantime is the production of official agency histories by security-cleared outside historians, often with the assistance of professional in-house staff. This compromise approach provides the historians involved access to complete or near-complete agency records and often to key individuals much earlier than we could otherwise expect.

The trade-off, of course, is that in-house histories are inevitably sanitized, for security purposes at least and for PR purposes at worst, and the picture they present is often distorted — sometimes deliberately — by the absence of still-forbidden topics.

Still, the better examples of such histories can contribute a lot to public and scholarly understanding, and so it's good to see that the Five Eyes SIGINT agencies are starting to step up and participate in such initiatives.

NSA has long had an active official history program that has produced a multitude of studies, including American Cryptology During the Cold War, 1945-1989, Thomas R. Johnson's four-part history of American SIGINT up to the fall of the Berlin Wall, which was written for internal use but later had large portions declassified and released to the public. A wide range of other public or subsequently declassified histories have also been written on specific aspects of the agency's history. A guide to the publicly available versions of these documents and other NSA history resources can be found here.

No other Five Eyes agency has anything on the scale of the NSA's program, but an official history of GCHQ (Behind the Enigma: The Authorised History of GCHQ, Britain’s Secret Cyber Intelligence Agency) is currently in the works in the U.K., with publication originally planned for this year but now expected in October 2020. Written by University of Calgary professor John Ferris, the book is designed for public release.

The Australian Signals Directorate also recently commissioned an official history, to be written by Australian National University professor John Blaxland, who previously wrote the official history of the Australian Security Intelligence Organisation. The ASD history is scheduled for release in 2022, coinciding with the agency's 75th anniversary.

Which leaves just the Communications Security Establishment and New Zealand's Government Communications Security Bureau. GCSB hasn't announced a history project yet, as far as I know.


Where is CSE's history project?

What about CSE?

The agency's own 75th anniversary celebrations will be held in 2021. It would be very interesting to know what CSE has in mind for that milestone. Sadly, as far as I know no kind of substantial history is contemplated for release in time for the celebration — or indeed any time afterwards.

CSE has in recent years augmented the brief explanation of its origins posted on its website with two short faux news reels that highlight artifacts related to its history. These videos are interesting and fun to watch, and I hope the agency makes more of them. But they're really just an exercise in profile-raising, intended perhaps to soften the agency's intimidating image and maybe interest a few people in working there. I don't know what effect they're likely to have on the targets of CSE's recruiting efforts — or if 20-somethings have any idea what a news reel even is — but in any case neither CSE nor anyone else would mistake them for an actual history program.

CSE does have a seven-volume in-house history, History of CBNRC (CSE's original name), that covers the 29 years from 1946 to 1975. But 44 years have passed since 1975, and that document was written by retired senior officials, who although they knew their subject intimately had neither the training nor the objectivity of outside historians.

The closest Canadians have come to getting a professional history was in the late 1990s when the Privy Council Office contracted with professor Wesley Wark, then of the University of Toronto, to write an official history of the Canadian intelligence community. Unfortunately, that project fell apart a few years into the effort when the government decided that the document would not be made public.

If there's any bright spot in the Canadian picture, it is that the record on releasing intelligence-related documents in response to Access to Information requests has very gradually been improving, moving from absolutely abysmal in the early years to somewhere between terrible and occasionally useful, although still ridiculously slow and with an appeals process that has now essentially collapsed.

On the useful end of the spectrum, a significant portion of the History of CBNRC has been declassified and released to the public in recent years, still suffering from large redacted sections (including one entire volume) but far more complete than the skeletonized version released in the 1990s. Significant parts of the draft version of Wark's history also have been declassified and released, although again with very significant redactions.

Among other results, these recent releases have enabled Wark to write a fascinating and detailed account, published earlier this month, of the negotiations leading up to the CANUSA communications intelligence agreement reached by the U.S. and Canada in 1949. (See Wesley Wark, “The road to CANUSA: how Canadian signals intelligence won its independence and helped create the Five Eyes,” Intelligence and National Security, published online 7 November 2019; mirrored here.)

For those interested in the history of Canadian intelligence and its signals intelligence effort in particular, that's a highly welcome development.

But such articles are no substitute for an actual, professional, official history of the organization.

So how about it, CSE? Are you going to wait until New Zealand's tiny GCSB beats you to it too?


Update 19 February 2020:
On a related note, A declassification strategy for national security and intelligence records, a discussion paper written by Wesley Wark for the Office of the Information Commissioner (published by the OIC yesterday), is well worth reading.

Saturday, August 24, 2019

History of CBNRC

In August 1987, CSE published an internal, highly classified history of the agency from its founding in 1946 as the Communications Branch of the National Research Council (CBNRC) to its transfer in 1975 to the Department of National Defence and renaming as the Communications Security Establishment.

The History of CBNRC's authors were N. Kevin O'Neill, who had been Director of CBNRC/Chief of CSE from 1971 to 1980, and Ken J. Hughes, a senior COMSEC official. Both had been on the staff of the agency through the entire period covered by the history.

Not long after the document was written, I and at least one other person formally requested that the releasable portions be made public under Canada's then new Access to Information law. That eventually did occur—after a delay of several years—but the released version was extremely heavily redacted, with perhaps 80-90 percent of the document withheld entirely and most of the rest riddled with additional redactions.

Group and section names and most personal names were redacted. Target names were redacted. All mentions of NSA and GCHQ were redacted (except for one mention of GCHQ that slipped through). Even the name of Kevin O'Neill's co-author was redacted.

There was some useful information left in the sections that remained, but the resulting document was mostly a testament to excessive secrecy.


Second release

More than 25 years later, someone—I don't actually know who—requested a fresh release of the History, and this time a much more significant part of the seven-volume document was released. (I obtained it through the Canadian Foreign Intelligence History Project.)

There are still large portions redacted, including the entirety of Volume II, but a great deal of new and very interesting information about CSE's history was released. I drew on the new release for this discussion of CSE's experimental cable monitoring efforts in the 1970s, for example.

[Update 3 December 2019:

An even more recent release to Wesley Wark (access request A-2018-00065) includes additional previously redacted material in Chapter 11. The rest of the release appears to be identical (although I must admit I haven't examined every word of it). I've changed the links below to copies of the Wark release. Many thanks, Wesley! Bonus: I've uploaded OCRed versions of the files.]


VOLUME I - BASIC SIGINT
[28 MB PDF]

1 Origins and Background
2 SIGINT Policy and Committee Structure
3 Organization and Establishment
4 SIGINT Production Tasks
5 Interception at Stations

VOLUME II - SPECIAL COLLECTION AND ANALYSIS
[Volume not released]

6 Special Collection
7 Signal Analysis
8 Cryptanalysis

VOLUME III - SIGINT SUPPORT AND RELATIONSHIPS
[Part 1 - Chapters 9 to mid-11 (16 MB PDF) & Part 2 - Chapters mid-11 to 13 (15 MB PDF)]

9 Tactical SIGINT and Support to NATO
10 Intelligence Requirements and SIGINT Reporting
11 Liaison with Collaborating Centres
12 SIGINT Equipment and Engineering
13 Mechanization and Computer Developments

VOLUME IV - COMMUNICATIONS AND BASIC COMSEC
[26 MB PDF]

14 Communications
15 COMSEC in Canada before CBNRC
16 COMSEC Policy and Committee Structure
17 Development of COMSEC in CBNRC

VOLUME V - COMSEC TECHNIQUES AND MATERIAL
[24 MB PDF]

18 Provision of COMSEC Advice and Support
19 Production of Keying Material
20 Use of Crypto Equipment in Canada
21 Evaluation of Crypto Equipment
22 Production of Crypto Equipment in Canada
23 COMSEC Monitoring and Analysis
24 TEMPEST

VOLUME VI - ADMINISTRATION
[22 MB PDF]

25 Financial Administration
26 Security
27 Personnel
28 Training

VOLUME VII - CHRONOLOGICAL APPENDIX AND INDEX
[5 MB PDF]

Appendix - Chronological Summary
Index

Sunday, August 18, 2019

Dredging up OCSEC's 2017-18 annual report

In this post, I'm going to write about some of the interesting stuff in the 2017-18 annual report of the Office of the CSE Commissioner (OCSEC), which was released last summer. In particular, I'm going to look at the decline in the number of private communications used or retained by CSE and whether that decline means that the spread of encryption is beginning to have a serious effect on CSE SIGINT operations.

But first a quick aside about the 2018-19 report, which may be about to be released.

In July, as a result of the long-awaited passage of Bill C-59, CSE Commissioner Jean-Pierre Plouffe was reflagged as the Intelligence Commissioner and OCSEC was shut down, with most of its duties reassigned to the brand new National Security and Intelligence Review Agency (NSIRA). This means the 2018-19 report will be the last of its kind.

As far as I can see the government now has just one date left, August 21st, to release that final report before parliament is dissolved for the fall election. If the 2018-19 report does get released a few days from now that probably will mean there isn't anything too newsworthy in it. If, on the other hand, the government hangs on to it until after the election that may be a sign there's something a bit more, er, exciting in it.

CSE nerds may recall that the only other OCSEC report to be withheld through a federal election in recent years, the 2014-15 report, was the one that revealed the only case in which CSE has ever been declared to have violated the law.

Nobody in Ottawa ever clues me in on anything, so I haven't heard anything suggesting that a similar bombshell is inbound this time around. But a delayed release would certainly look suspicious. I guess we'll just have to wait and see what happens.

[Update 22 August 2019: The 2018-19 report did not get tabled on the 21st, so I'm pretty sure we won't be seeing it until sometime after the October election. Makes you wonder if there isn't something embarrassing for the government in it. Hooray for transparency!

A happy thought: Like OCSEC's reports, by law NSIRA's annual reports have to be tabled within 15 sitting days of being submitted to the government. However, since NSIRA's reports will cover calendar years and thus probably will be completed around March of the following year, this should mean they get released sometime during the spring sitting instead of routinely getting delayed into the summer and potentially withheld through elections (now normally held in the fall).]

In the meantime, the possibility that the 2018-19 report could drop in just a matter of days has reminded me that I still haven't said much about the 2017-18 report, which was tabled in parliament over a year ago on July 18th, 2018.

So back to that report:


Private communications decline to 954

In its 2017-18 report OCSEC reported for the fifth year in a row the number of recognized "private communications" that were acquired by CSE under Part A of its mandate ("Mandate A") and subsequently used in SIGINT reporting or otherwise retained as "essential" for foreign intelligence purposes. The 2017-18 report revealed that 954 private communications were used or retained during the period from July 2016 to June 2017 inclusive.

As the table below shows, this was a 70% decline from the previous year's total, which was 3348, but it was still much higher than the totals in any of the years before that. The 2017-18 report and the previous one also reported how many of those private communications were actually used in end-product reports (EPRs), and that number too declined in the most recent period, from 533 to 261 (51%). These declines occurred despite the fact that, as the Commissioner also reported, the overall number of private communications intercepted "continued to increase substantially."



So this is the overall picture that confronts us: The increase in the number of PCs used or retained between 2013-14 and 2015-16 was truly eye-popping. But now, although the total number of PCs collected continued to grow in 2016-17, we're faced with a sudden significant drop in the number used or retained.

What is going on here?

Well, let's unpack the data a bit first.

In Canadian law a private communication (PC) is an oral or electronic communication between two or more persons, regardless of nationality, where at least one of the communicants is physically located in Canada at the time of the communication. (The legal definition is a little more complicated, excluding broadcasting and other forms of public communication for example, but that's the gist.) The interception of PCs is illegal except under certain specific circumstances provided for in the Criminal Code.

One of these exceptions covers CSE's Mandate A activities when it is operating under a ministerial authorization issued for that purpose. Mandate A is CSE's mandate to acquire foreign intelligence, which is "information or intelligence about the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group, as they relate to international affairs, defence or security." In keeping with this definition, Mandate A ministerial authorizations are restricted to collection activities directed at non-Canadian targets physically located outside of Canada: CSE is not legally permitted to direct its Mandate A activities at persons in Canada (or Canadians anywhere).

So how does CSE end up with PCs acquired under Mandate A? The answer is actually pretty simple. All communications have at least two ends. Sometimes the non-targeted end of a foreign communication that CSE collects turns out to be in Canada. This is called "incidental" collection. Because one end is in Canada, such communications are legally PCs, but their collection is permitted as long as one of the aforementioned authorizations is in place. (And it always is.)

When a CSE foreign intelligence analyst examines an intercepted communication they try to establish the location of the communicants in order to determine whether it is a PC. Recognized PCs collected under Mandate A can only be retained by CSE if they are determined by the analyst to be essential to international affairs, defence, or security. Some of the retained PCs end up quoted or otherwise cited in the end-product reports provided to CSE's SIGINT clients, while others may be retained for background information or because their importance is unclear. These are the PCs whose use or retention is reported by OCSEC. Retained PCs must be reassessed for essentiality after an undisclosed interval and are normally ultimately deleted unless they have been used in an EPR.

This is not the only way in which CSE can end up in possession of Canadian-related communications, however. The agency also sometimes collects communications in which the non-targeted end turns out to be a Canadian located abroad. Because in this case none of the participants in the communication are located in Canada, these communications are not PCs and are not counted in the total reported by OCSEC. Stored communications such as texts and e-mails acquired by CSE from computer hacking activities or company databases are also not counted as PCs, even if one of the communicants was located in Canada when the communication was originally sent. Canadian communications acquired by allies and subsequently provided to CSE are also not considered to be PCs. (Such collection is said to be "exceptional", but it does occur.) Finally, CSE acquires PCs and other Canadian-related communications incidentally in the course of its Mandate B (IT security) activities and intentionally in the course of its Mandate C (support to federal law enforcement and security agencies) activities. None of these numbers are publicly reported.

The private-communications-collected-by-CSE-in-the-course-of-Mandate-A-activities numbers do, however, provide important, if only partial, insight into the nature and evolution of CSE's collection of Canadian communications in the course of its foreign intelligence activities. So let's turn back to the numbers.


Smartphones and instant messaging

As I've argued before, the major jump in the number of used/retained PCs between 2013-14 and 2015-16 was probably a consequence of changes in the types of communications most commonly being intercepted. My guess is that the rise of smartphones and consequently mobile messaging applications accounts for most of the difference. Since each separate comment posted in a message app probably counts as a separate private communication, just one single extended conversation monitored by CSE might be counted as dozens or even hundreds of PCs.

If this is the case, then the huge increase in PCs used or retained in recent years is almost certainly primarily due to this change in communications technology and does not imply a huge—or even necessarily any—increase in the number of Canadians and other persons in Canada whose communications are getting caught in CSE's dragnet.

Although he hasn't confirmed that messaging apps are the explanation, the CSE Commissioner has more or less confirmed that the answer is something along these lines, describing the increase as "a consequence of the technical characteristics of certain communications technologies, and CSE’s legal obligations to count private communications in a certain manner" and adding that "the current manner in which CSE counts private communications provides a distorted view of the number of Canadians or persons in Canada that are involved".

It is possible, however, that there also was at least some increase in the number of Canadians or other persons in Canada whose communications were collected by CSE after 2014. While messaging apps are almost certainly the primary explanation for the jump, the timing of the increase might also be related to the resumption in mid-2015 (under a new, undisclosed name) of Domestic Interception of Foreign Telecommunications and Search (DIFTS) warrants, which enable CSIS to ask CSE to monitor specific Canadians abroad.

Neo-DIFTS intercepts would not appear directly in these statistics even if one end was in Canada, because collection for CSIS is a Mandate C activity. But such intercepts might enable the identification of new foreign targets, such as ISIS members involved in efforts to recruit Canadians, and those recruiters could then be targeted under Mandate A and possibly be monitored communicating with additional, previously unidentified Canadians. So it is not inconceivable that the advent of neo-DIFTS warrants led indirectly to at least a small increase in PCs collected under Mandate A.

In any case, since smartphones seem to have been ISIS's main mode of communications, many Canadians had travelled to Syria and Iraq to support the organization, active efforts were underway by ISIS to recruit others to come or to engage in attacks or other activities in Canada, and the Canadian Forces were participating in the anti-ISIS coalition, it seems plausible that ISIS members were among CSE's key targets throughout this period and that they may well have been responsible for many of the messaging-app PCs intercepted by the agency.


Why the drop?

So why did we see the sizable drop in used/retained PCs in the 2017-18 report?

It's risky to draw sweeping conclusions from a change reflected in just a single year's data, but assuming the phenomenon is real, three not necessarily mutually exclusive possible explanations come to my mind.

The first is that successes in the battle against ISIS, both on the ground and in cyberspace, have led to a significant decline in the number of ISIS members communicating with persons in Canada. ISIS was indeed coming under very heavy pressure during the period covered by this data, although it hadn't yet lost its control over large parts of Syria and Iraq. However, recent reports suggest that ISIS is still engaged in extensive online organizing and recruiting activity. Moreover, the substantial overall increase in PCs collected (as opposed to used or retained) in 2016-17 also suggests that a decline in targeted traffic—whether ISIS-related or otherwise—is not the primary explanation.

The second possibility is that the nature of the traffic has been changing, such that it now contains a significantly lower proportion of PCs that are of intelligence interest. This might be a result of a decline in the number of new individuals in Canada interested in communicating with ISIS, for example. It seems unlikely, however, that ISIS traffic involving persons in Canada would still be growing substantially under such circumstances, and even more unlikely that the great majority of that traffic would be of no intelligence interest. A more plausible possibility along these lines, perhaps, is that CSE's collection priorities have started to shift dramatically towards non-ISIS targets of various kinds whose communications with persons in Canada contain a much lower proportion of intelligence-related traffic.

The third possibility is that we are beginning to see the effects of the spread of encrypted messaging in recent years. Telegram, launched in 2013, is reported to have been widely adopted by ISIS members and supporters by 2016, largely on account of the end-to-end encryption capabilities that users can choose to utilize in its Secret Chat function. WhatsApp, which currently has more than 1.5 billion users, finished implementation of end-to-end encryption by default for all users in April 2016. Other apps also have or are moving to adopt similar technologies to various degrees.

If monitoring of messaging apps does explain the great increase in the number of PCs used or retained between 2013-14 and 2015-16, then the subsequent spread of encryption on those apps might well explain much of the 70% drop in the number of PCs used or retained in 2016-17. Interestingly, and perhaps not entirely coincidentally, an RCMP document prepared in early 2018 asserted that "Approximately 70 per cent of all communications intercepted by CSIS and the RCMP are now encrypted".

If this third explanation is correct, then the increasingly widespread use of encryption in messaging apps is starting to have a significant effect on CSE SIGINT operations.

It doesn't necessarily follow that seeking to limit encryption or to mandate government backdoors would be an appropriate or effective response to this development, however. (For more on encryption policy, see Lex Gill, Tamir Israel, and Christopher Parsons, Shining a Light on the Encryption Debate: A Canadian Field Guide, Citizen Lab and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, May 2018.)

Even universal adoption of secure encryption isn't going to solve the much broader problem of cybersecurity, and for the same reason it isn't going to mean the end of SIGINT.

But it could certainly mean large changes in the focus of SIGINT activities, just as the Soviet adoption of highly secure encryption for their high-echelon communications in 1948 led to sweeping changes in the organization and activities of the UKUSA SIGINT agencies through the 1950s.

Of course, it is also conceivable that some combination of all three possibilities, and perhaps other factors, has played a role in the drop. It will be very interesting to see where the numbers go when the 2017-18 data is released in the forthcoming 2018-19 report. Will they go back up, implying the 2016-17 numbers were just a blip? Or will the decline continue, suggesting that encryption really is starting to bite?


Maybe time to release different data

It occurs to me that CSE might be less than entirely happy to see this kind of speculation bandied about in a public forum, even if it turns out to be wildly incorrect. But I don't have a lot of sympathy for the agency on this question.

What I and other CSE watchers in Canada are really interested in is how many Canadians and other persons in Canada end up with their communications collected by CSE, and how many of those have their communications featured in reports to CSE SIGINT clients.

The only reason we find ourselves (possibly) with some insight into the types of communications being monitored and whether encryption is having a significant effect is that the agency has been forcing us to work with an imperfect proxy, the number of PCs used or retained.

If CSE instead permitted OCSEC and in future NSIRA to report the number of Canadians/persons in Canada who feature in such reports, we'd have a number much more useful for privacy-tracking purposes and much less useful for speculating about communications methods and the consequences of encryption or even about the capabilities of CSE in general.

Given that this number would refer only to incidental collection and would not include targeted domestic monitoring under CSIS or RCMP warrants, is there really a credible argument that ISIS or Al Qaeda or the SVR or the GRU or the Chinese MSS etc, etc could look at that number—let's say it's 20—and draw some sort of useful conclusion as to whether or not its own particular contacts were being watched?

Ideally, such reporting should be expanded to include all Canadians/persons in Canada appearing in foreign intelligence reports, not just those resulting from CSE's own collection of PCs, and maybe also an additional number for Canadians/persons in Canada appearing in IT Security reports.

I suspect CSE would also benefit from this approach since the number of Canadians/persons in Canada appearing in SIGINT reporting is very likely quite low and would probably be highly reassuring to the Canadian public.

(Alternatively, if the number is actually quite a bit larger than we've been led to expect, such that the Canadian public might actually be somewhat shocked by it, then in my view it's long past time to admit that, explain the reasons that supposedly justify it, and earn an honest social license to operate instead of one based on deception. Personally, I doubt this is what has being going on, but if CSE would give us the numbers there would be much less room for dark speculations.)

Show us the numbers!


Sunday, July 28, 2019

CSE Act comes into force 1 August 2019

The Communications Security Establishment Act (CSE Act) comes into force on the 1st of August (see Order in Council 2019-1091). The Act modifies CSE's powers in a number of significant ways, most notably mandating it to conduct computer network attack operations for both defensive and offensive purposes.

The new Act, Part 3 of Bill C-59, replaces Part V.1 of the National Defence Act, which was CSE's original statutory mandate, enacted as part of Bill C-36 in December 2001. That original statute enshrined in law the three-part mandate that CSE was already operating under based on classified directives, authorizing A) the production of signals intelligence (SIGINT) for foreign intelligence purposes; B) the protection of Canadian government communications and information technology systems and other systems "of importance to" the government of Canada; and C) the provision of operational and technical assistance to federal law enforcement and security agencies.

It also created a ministerial authorization regime that made it legal for the agency to undertake Part A and B activities that resulted in the interception of "private communications" as long those activities were not directed at persons in Canada or Canadians anywhere. This change was essential to enable CSE to process Internet-based communications. The statute also opened the way for CSE to engage in hacking, or computer network exploitation (CNE), operations.

The new CSE Act now coming into force adds a fourth part, informally referred to as Part D, to CSE's mandate: the conduct of computer network attack (CNA) operations against foreign targets, both "defensive cyber operations" to protect IT infrastructures of importance to Canada and "active cyber operations" to advance Canadian interests in general. Such operations will also be possible through Part C of CSE's mandate in support of the Canadian Forces/Department of National Defence, using CF/DND legal authorities, and were already possible in support of CSIS "threat disruption" activities, based on CSIS authorities.



This CSE chart (modified by me to add the mandate letters) shows the four parts of the agency's mandate under the CSE Act. Note, however, that the graphic's description of active cyber operations ("interfere with foreign online efforts that threaten Canada"), while possibly correct when such operations were restricted to support for CSIS, is much more limited than what is actually permitted by the CSE Act ("degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security").

The active element of the Part D mandate changes CSE from a traditional SIGINT and IT security agency into a cyber covert action agency as well. As I and others have argued, this is a watershed moment in CSE's history, and care needs to be taken to use this new capability responsibly and ensure that Canada is not contributing to the foreclosure of options for a more stable and secure cyberspace commons. I think we would come to regret the latter result.

That said, it is probably true that development of a certain level of such capabilities is an inevitable evolution, and it may be that keeping them (largely) inside CSE will act as a damper on how frequent or widespread their offensive use by Canada becomes. The powerful SIGINT side of the agency will not want to see hard-earned intelligence accesses burned in the name of ephemeral gains or marginal matters. Protection of SIGINT accesses and sources has been the Prime Directive of the SIGINT agency ethos since signals intelligence began, and I suspect it is hard-coded into most of the people who work there, including notably career SIGINTer Shelly Bruce, the current Chief.


Foreign Intelligence and Cybersecurity Authorizations

The CSE Act also broadens the ministerial authorization regime to cover almost all information acquired by CSE. Other than publicly available information that doesn't include information for which a Canadian or a person in Canada has a reasonable expectation of privacy, CSE will not be permitted to acquire any information unless an applicable Foreign Intelligence or Cybersecurity Authorization has been issued by the Minister.

Moreover, a quasi-judicial oversight official called the Intelligence Commissioner (IC) will now have to approve each authorization in order for it to become valid. This new office, which will also oversee certain datasets for CSIS, was created by Part Two of Bill C-59. The position is now occupied by Jean-Pierre Plouffe, who was the CSE Commissioner until that office was disestablished, also by C-59.

A minor amendment proposed by the Senate would have empowered the Intelligence Commissioner to provide suggestions on how to modify a Foreign Intelligence or Cybersecurity authorization in cases where the original version was rejected by the Commissioner, but this amendment was rejected by the government and was not included in the final version of the bill.

The creation of the Intelligence Commissioner's office is significant in that it marks the first time CSE has been made directly subject to external oversight, as opposed to external review. (See here for a description of the difference between oversight and review in official Canadian parlance.)

Credit for this development probably goes mostly to the British Columbia Civil Liberties Association, which in 2013 took the federal government to court, arguing that CSE's collection of Canadian-related communications and metadata in the absence of any form of judicial authorization violated the Charter rights of Canadians. That case is still inching its way through the Federal Court, and the government evidently hopes that creation of the Intelligence Commissioner position has placed the legality of CSE's operations on a sounder footing.


National Security and Intelligence Review Agency

Bill C-59 also created a new National Security and Intelligence Review Agency (NSIRA) that replaces SIRC and the CSE Commissioner for reviewing the activities of CSIS and CSE. It will also review the national security and intelligence activities of other departments and agencies of the government, including the RCMP, the Canada Border Services Agency, the Department of National Defence, Global Affairs Canada, and the Department of Justice.

With the creation of NSIRA, the Office of the Intelligence Commissioner, and, in 2017, the National Security and Intelligence Committee of Parliamentarians (NSICOP), the review and oversight structures monitoring the Canadian intelligence community have been entirely revamped and significantly expanded.

The government has given NSIRA a very promising start by appointing retiring MP and NSICOP member Murray Rankin, law professor Craig Forcese, and the four remaining members of SIRC as the initial members of NSIRA. Forcese's work on national security law issues over the last several years has been exemplary, and I have no doubt that he will do an excellent job. Although a strong supporter of most aspects of C-59 during the two-year debate over the bill, he was in no way an uncritical cheerleader. Among other issues, Forcese made a particular point of warning parliament that the CSE Act's silence on international law could end up gutting the agency's newly created cyber operations powers:
[U]nless you amend bill C-59, you can... kiss those defensive and active cyber powers away. Unless, that is, you just want to plow ahead and see what the Intelligence Commissioner, the new National Security and Intelligence Review Agency, and the National Security and Intelligence Committee of Parliamentarians have to say about this issue. This, in my view, would be insane, since a quick flick of the legislative pen could cure this problem for you, CSE.
(See Does CSE risk a Re X moment? for more details.)

The government ignored Forcese on this point and passed the cyber powers provisions unamended. It will be interesting to see what happens if NSIRA does take up the question now that Forcese is on the committee.


Transparency

Another notable development, courtesy of s.59 of the CSE Act, is that CSE will now be obligated to "publish an annual report" within three months of the end of each fiscal year (i.e., before July 1st). The Act doesn't actually state that this report must be made public, but that's probably considered implicit in the word "publish". In any case, there doesn't seem to be any doubt that the agency will indeed be producing a public annual report.

What remains to be seen is how informative the new annual report will be. The Act doesn't provide any details about the contents of the report except that it must cover CSE's "activities during that fiscal year".

In several ways, CSE has become significantly less transparent since it became a stand-alone agency in November 2011. Let's hope the annual report not only reverses that trend, but sets a new standard perceptibly above what the agency considered acceptable for release just eight years ago.

Another potentially good bit of news on the transparency front was the government's appointment earlier this month of an 11-member National Security Transparency Advisory Group (NS-TAG). The mandate of the new committee is to advise the government how to:
  • Infuse transparency into Canada's national security policies, programs, best practices, and activities in a way that will increase democratic accountability;
  • Increase public awareness, engagement, and access to national security and related intelligence information;
  • Promote transparency while ensuring the safety and security of Canadians.
Godspeed on that!


All in all, there are some big changes now underway in CSE and the wider Canadian intelligence community thanks to the passage of C-59, and the potential for additional important changes is at least on the horizon.


Update 6 August 2019:

Some earlier news reporting/commentary featuring Public Safety Minister Ralph Goodale's sadly mistaken comments on CSE cyber powers...

Rachel Emmanuel, "New law says security agencies can launch cyber-counterattacks to foreign threats," Globe and Mail, 19 June 2019.

...and Tim McSorley's commentary in response:

Tim McSorley, "Who reviews cyber attacks in Canada? We need answers." Medium, 26 June 2019.

The bottom line here is that Goodale, if he was quoted correctly (and it appears he was), was deeply confused about the role, or more precisely the lack thereof, of the Intelligence Commissioner.

CSE is not his direct responsibility—that's Defence Minister Sajjan's job—but senior ministers on the security and intelligence file should not be making mistakes as basic as this. He's normally a very capable minister, so I expect this was just a temporary lapse.

Friday, April 19, 2019

Another "secret" revealed



In February 2007, CSE Chief John Adams revealed that "in the time between the end of the cold war and 2001, CSE’s reporting concentrated mostly on prosperity issues."

But the agency did not entirely abandon its Cold War-era targets, as this slide from an NSA presentation on its Second Party partners confirms.

The presentation can be found in this document (pages 85-94), part of a set of documents recently released by the U.S. government to Privacy International and Yale Law School’s Media Freedom & Information Access Clinic. Although undated, the presentation appears to come from around 1993, give or take a year or so.

As can be seen, the first item listed under "Targets" on the slide — CIS — is unredacted. CIS, of course, is the Commonwealth of Independent States, the loose association of former Soviet republics that arose out of the ashes of the Soviet Union.

There's nothing at all surprising about the fact that CSE was monitoring targets within the CIS in the 1990s. The Soviet Union was CSE's primary target during the Cold War, and the expertise and language skills of its staff remained dominated by that legacy for many years afterwards.

And there was a lot that was worth watching in the CIS area in the immediate post-Soviet years, not the least being the fate of the former Soviet nuclear arsenal, which ended up scattered among four independent states in the wake of the break up. There's still a lot worth watching.

What is a bit surprising, however, is that the CIS's identity as a CSE target was left unredacted in this release. Of the four agencies described in the presentation (GCHQ, DSD, GCSB, and CSE), this is the only unredacted item on any of the target lists.

— Which if nothing else reinforces the absurdity of redacting the even more obvious fact that Canada monitors the communications of Russian military aircraft that approach North American airspace.

Wednesday, April 10, 2019

Psst. It's the Russians!


The photo above shows the Deputy Commander of NORAD presenting a commemorative plaque to CFS Leitrim thanking our SIGINT folks for their "outstanding operational support critical to the NORAD mission and unwavering dedication to perimeter security". Featured on the plaque is a photo of a Russian Tupolev BEAR under escort by NORAD fighters.

Considering that such intercepts have been freely publicized by Canada and the U.S. for the last 60 years or so, I suspect the fact that Russian aircraft are normally the ones involved will not come as a huge surprise to the Canadian public or indeed anyone else — and especially not to the Russians, who after all are typically the guest of honour on these occasions.

I'm just going to leave this here for the benefit of whatever blinkered securocrat decided that the nationality of these aircraft is some kind of national secret that needed to be redacted from the report of the National Security and Intelligence Committee of Parliamentarians (NSICOP) released yesterday:




Despite the occasional incomprehensible redaction (and a substantial number of other, sometimes understandable, ones), there's a lot of interesting material in the 140-page NSICOP report, which is the first annual report that the new committee has produced.

It's unfortunate therefore that the PDF provided by the government isn't electronically searchable. Compiling the document from scanned images was probably a security measure designed to guarantee that no redacted information can be recovered from the final document. That's sensible enough.

But it is possible to OCR the document afterwards to make it user-friendly as well as secure. It's not that hard.

As a public service, I hereby offer for free download what apparently no one in government thinks is possible, or at least worth doing: a searchable version of the report.


Update 13 April 2019:

For a valuable commentary on the NSICOP report itself, see Stephanie Carvin, "A much-needed review of Canada’s security and intelligence operations arrives," Open Canada, 12 April 2019.