Saturday, June 24, 2017

CSE to get foreign cyber operations mandate

Among the changes that the Liberal government is proposing to make via its Bill C-59, announced on June 20th, are several important measures affecting CSE, including an entirely new statutory basis for the agency, the Communications Security Establishment Act, that will replace the current CSE-related provisions of the National Defence Act. The bill also proposes to eliminate CSE's existing watchdog agency, the Office of the CSE Commissioner (OCSEC), and replace it with two newly created entities, the National Security and Intelligence Review Agency (NSIRA) and the Office of the Intelligence Commissioner, which will also be keeping tabs on CSIS and (in the case of NSIRA) a number of other agencies.

Together, the proposals affecting CSE comprise a wide-ranging and highly consequential set of measures, but probably the most significant item is the plan to give the agency the power to conduct both defensive and "active" (i.e., offensive) cyber operations against foreign targets.

The addition of this foreign cyber operations mandate would represent the most fundamental change in CSE's role in the agency's 70-year history.

When CSE, originally called CBNRC, was created in September 1946, it had two major complementary functions: analysis of foreign communications intercepted by Canada and its allies (communications intelligence, COMINT, which was later broadened into signals intelligence, SIGINT); and protection of Canadian government classified communications (communications security, COMSEC, which was later broadened into information technology security, ITSEC).

Canada and its allies occasionally engaged in black-bag jobs to steal codebooks, tap cables, or plant bugs for intelligence collection, but CSE did not undertake such operations itself. For most of the agency's history, CSE's SIGINT role was entirely passive: it processed and analyzed the radio communications that could be monitored at Canadian and allied intercept sites.

The first big change in that role happened in the wake of the 9/11 attacks, although it had more to do with the advent of the Internet beginning in the 1990s. Passage of the Anti-Terrorism Act gave CSE the authority to conduct the cyberspace version of the black-bag job—Computer Network Exploitation (CNE)—in support of its SIGINT mandate. CSE was empowered not just to intercept communications ("data in motion"), as it had done in traditional SIGINT activities, but to seek out information residing on foreign computer systems ("data at rest") that CSE could gain surreptitious access to. It became a hunter as well as a gatherer.

But while CNE operations entail breaking into computer systems and networks, disabling security features, implanting specialized malware, and of course copying information, all of these activities are undertaken in the name of SIGINT collection. Any damage inflicted is purely incidental—an undesirable side-effect that might lead to exposure and early termination of the operation.

The proposed CSE Act would enable CSE to conduct deliberate Computer Network Attack (CNA) operations, both to defend Canadian IT systems against foreign CNE and CNA operations and to attack foreign IT systems in furtherance of Canadian foreign policy, defence, or security goals. The bill refers to these two types of CNA operation as "defensive cyber operations" and "active cyber operations" respectively. (For more on the relationships between CNE, CNA, and CND—Computer Network Defence—operations, see this discussion.)

With this change, CSE would no longer be simply an intelligence (and ITSEC) agency: it would also be a covert operations agency, able to intervene outside Canada's borders to disrupt, damage, or destroy the computers, IT networks, or electronic information of foreign individuals, groups, or states.

The bill does propose some limits on the way these powers could be used. Cyber operations must be requested or consented to by the Minister of Foreign Affairs and authorized by the Minister of National Defence. In addition, such operations must not "cause, intentionally or by criminal negligence, death or bodily harm to an individual" or "wilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy." These are significant limitations.

More destructive cyber operations are still possible outside the context of the CSE Act, but the government has assigned that job to the Canadian Forces.

Even in that respect, however, CSE might still play a critical role. Under the new CSE Act, CSE would be explicitly permitted to provide operational and technical assistance to the Department of National Defence and the Canadian Forces (as it already does for federal law enforcement and security agencies), and cyber assistance provided under this mandate would not be subject to the limitations applied to CSE's own cyber operations.

Whatever the effect of these limitations in practice, to my mind addition of a cyber operations mandate is a huge change in the nature of the agency, and it raises a number of issues.

Most fundamentally, is it in Canada's interest to further normalize the growing use of CNA activities by states? Should CNA be classified as just another tool of statecraft? Should such capabilities be restricted to a deterrent role? Is cyber deterrence, whether through CNA capabilities or more conventional responses, even a practical goal, given difficulties of attribution and the inevitable overlap between CNE and CNA? Would improved defence and resilience be a preferable, or at least sufficient, response or are all three required?

The recent defence policy statement asserts that "a purely defensive cyber posture is no longer sufficient" (resilience doesn't get mentioned in the cyber context). But not everyone is convinced by that claim. As with most issues, Canada's choices are likely to have a marginal influence at best on the future of cyberspace, but that alone is not sufficient reason to abandon self-restraint or efforts to create global rules of the road and preserve the global commons if we believe that Canada's (and the globe's) ultimate interests would best be served by moving in that direction.

Second, even if Canada does choose to arm itself with, and to use, such capabilities, is CSE the right place to lodge them? There is certainly a case to be made for giving the role to CSE. The knowledge and skills required for CNA activities inevitably overlap with those required for CNE (and for CND), and CSE is Canada's centre of expertise in those activities.

But just as there are different imperatives between intelligence-gathering and law enforcement—the reason CSIS was separated from the RCMP in 1984—there are different imperatives between intelligence-gathering and covert operations. One side seeks to preserve its accesses so it can maintain or even improve its intelligence collection; the other seeks to exploit them for operational purposes, even though such operations may burn the accesses in the process. (A similar conflict already exists between the ITSEC side of the organization, which seeks to shut down IT vulnerabilities to protect against intrusions, and the SIGINT side, which may want vulnerabilities it is currently exploiting to remain unrevealed.)

Furthermore, while the job of the intelligence-gatherers is to report the unvarnished truth, uncontaminated as much as possible by policy considerations, the covert operations side of the agency would inevitably become involved in the development and advocacy of operational plans, and in defending the agency's performance in those operations, giving CSE an undesirable stake in its own intelligence reporting.

Can a single agency effectively do two (really three) tasks that are in many ways complementary but also in important ways contradictory while still giving proper attention and weight to each?

I don't think it's impossible to reconcile these imperatives, but I do think it requires delicate balancing and constant vigilance. This is an area to which the proposed review agency and committee of parliamentarians may want to pay on-going attention.

It's also an area where there is probably a role for the central agencies of the government.

I had a chance to ask about cyber operations decision-making during a stakeholders' teleconference about Bill C-59 that CSE invited me to join.

As noted above, the proposed law would require that such operations be requested or consented to by the Minister of Foreign Affairs and authorized by the Minister of National Defence. This arrangement foresees the possibility that the Foreign Affairs Minister might sometimes make a request for a cyber operation in service of Canadian foreign policy interests. But the ministers themselves are not normally going to be sitting around thinking up plans for CSE cyber operations, nor will they be equipped to assess what might be feasible or balance all the considerations that might arise. So who will be doing the proposing, and who will make sure the resulting plans are reconciled with the broader goals and operations of the Canadian government?

The officials who took part in the teleconference acknowledged that CSE would probably often be the agency proposing such operations, but they agreed that there would still need to be some sort of inter-departmental process to ensure that wider factors are considered, including deconfliction with cyber operations that the Canadian Forces might be undertaking (and deconfliction with allied agencies), but also more general considerations. They added, however, that the bill had not yet been passed and might be amended before passage, and that some of these structural questions had not yet been resolved.

For most of its history, CSE laboured under the watchful eye (or heavy thumb, as they may have considered it) of various inter-departmental committees—originally the Communications Research Committee and later the Intelligence Advisory Committee and Security Advisory Committee of the Privy Council Office (PCO). The final form of this system saw the National Security Advisor serving as the deputy minister for CSE for policy purposes. But all of that ended when CSE became a stand-alone agency, with the Chief of CSE serving as the agency's own deputy head, in November 2011. There is no longer any line role for the PCO between CSE and its minister.

But the PCO continues to play a role in coordinating the various elements of the Canadian intelligence community, and in integrating intelligence and defence, security, and foreign policy concerns. And, in my view, it will need to play a very active role in overseeing the planning and conduct of any cyber operations undertaken by CSE and/or the Canadian Forces to ensure that all national policy considerations are taken into account. The PCO is also the place to ensure that the proper balance among CSE's cyber, SIGINT, and ITSEC priorities is maintained.

I also asked the officials what the addition of a cyber operations mandate for CSE might mean for the agency's own structure and resources. Will there be a separate Deputy Chief for Cyber Operations, just as there are Deputy Chiefs for SIGINT and ITSEC? Will CSE be looking to expand its workforce to support the conduct of cyber operations?

According to the officials, those decisions have not yet been made, and the agency did not want to pre-judge the outcome of the legislative process. Still, I'm sure they have some ideas for how it might all work out.

They did say that CSE was likely to enter the cyber operations business only gradually, taking "one step at a time," and adding that "you have to walk before you can run." This would seem to suggest little immediate need for growth on the part of the agency, although the implied eventual goal of "running" opens the door to larger needs over the longer term.

I guess we'll see.

In the meantime, I think it is going to be very interesting watching this soon-to-be three-legged agency relearn how to walk.


I'll look at other parts of the bill that affect CSE, notably the new oversight and review provisions, in a future post.


Wednesday, June 21, 2017

Liberals propose huge changes for CSE

The government's Bill C-59, announced on 20 June 2017, proposes huge changes for Canada's security and intelligence community, including important additions to CSE's mandate and the elimination of its current review agency, the Office of the CSE Commissioner (OCSEC).

The proposal to add explicit defensive and "active" cyber operations mandates to CSE's roles may represent the most fundamental change in the agency's history. The proposed elimination of OCSEC and creation of both the National Security and Intelligence Review Agency and the position of Intelligence Commissioner are also major changes.

I'll be writing more on these and other proposals in the bill, but it will probably take me a few days to get the post together.

So in the meantime, here's CSE's description of the changes.

It's also worth checking out some of the news reporting and commentary on the proposals:


Alex Boutilier, "Spy bill allows government security agency to collect ‘publicly available’ info on Canadians," Toronto Star, 21 June 2017

Justin Ling, "Canada’s cyber spy agency is about to get a major upgrade," Vice News, 21 June 2017

Michael Geist, "Five Eyes Wide Open: How Bill C-59 Mixes Oversight with Expansive Cyber-Security Powers," michaelgeist.ca, 21 June 2017

Alex Boutilier, "Canada’s spies to get green light to launch cyber attacks," Toronto Star, 20 June 2017

Matt Braga, "How, when, and where can Canada's digital spies hack? Government makes some suggestions in CSE Act," CBC News, 20 June 2017

Jim Bronskill, "Security bill limits CSIS disruption powers, boosts review of spy services," Canadian Press, 20 June 2017

Craig Forcese & Kent Roach, "The roses and the thorns of Canada’s new national security bill," Maclean's, 20 June 2017

Wesley Wark, "Liberals’ bold Bill C-59 would redraw the national security landscape," Globe and Mail, 20 June 2017


Update 23 June 2017: A few more items:

Craig Forcese & Kent Roach, "Two of Canada’s foremost experts in national security law give their assessment of Bill C-59: there’s much to like, but also room for improvement," Policy Options, 22 June 2017

Lee Berthiaume, "New national security approach lets electronic spy agency play cyber-offence," Canadian Press, 20 June 2017

Amanda Connolly, "CSE getting 'proactive' mandate overhaul in major national security reform bill," iPolitics, 20 June 2017

Carl Meyer, "Goodale asks Parliament to expand electronic spying powers," National Observer, 20 June 2017


Monday, June 19, 2017

CSE releases report on electoral threats



On June 16th, CSE released Cyber Threats to Canada's Democratic Process, a public report assessing the various ways cyber activities might threaten Canada's electoral system.

CSE has made basic cybersecurity advice publicly available on its website for many years, but this report—which was requested by the Prime Minister in the mandate letter he issued to Minister of Democratic Institutions Karina Gould in February 2017—was the first of its kind by CSE.

The 38-page report discusses three ways in which cyber activities might be used to affect the electoral process: impeding or corrupting the voting process itself; stealing and exploiting information about politicians and political parties; and covertly influencing the public's political views by manipulating traditional and social media.

The document restricts itself to a general overview of the ways in which these threats might manifest themselves in Canada's federal, provincial, and municipal politics, and concludes (among other points) that:
  • Cyber threat activity against the democratic process is increasing around the world, and Canada is not immune. In 2015, during the federal election, Canada’s democratic process was targeted by low-sophistication cyber threat activity. It is highly probable that the perpetrators were hacktivists and cybercriminals, and the details of the most impactful incidents were reported on by several Canadian media organizations.
  • A small number of nation-states have undertaken the majority of the cyber activity against democratic processes worldwide, and we judge that, almost certainly, they are the most capable adversaries.
  • However, to date, we have not observed nation-states using cyber capabilities with the purpose of influencing the democratic process in Canada during an election. We assess that whether this remains the case in 2019 will depend on how Canada’s nation-state adversaries perceive Canada’s foreign and domestic policies, and on the spectrum of policies espoused by Canadian federal candidates in 2019.
  • We expect that multiple hacktivist groups will very likely deploy cyber capabilities in an attempt to influence the democratic process during the 2019 federal election. We anticipate that much of this activity will be low-sophistication, though we expect that some influence activities will be well-planned and target more than one aspect of the democratic process.
  • Regarding Canada’s democratic process at the federal level, we assess that, almost certainly, political parties and politicians, and the media are more vulnerable to cyber threats and related influence operations than the election activities themselves. This is because federal elections are largely paper-based and Elections Canada has a number of legal, procedural, and information technology measures in place.
  • We assess that the threat to Canada’s democratic process at the sub-national level (i.e. provincial/territorial and municipal) is very likely to remain at its current low level. However, some of Canada’s sub-national political parties and politicians, electoral activities, and media are likely to come under increasing threat from nation-states and hacktivists.
All of this is pretty common sense for anyone who's been paying attention to the world for the past couple of years—although it's certainly noteworthy that, to date, CSE has not observed nation-states using cyber capabilities to try to influence Canadian elections.

The document's ultimate value is likely to depend on whether it succeeds in kick-starting action on the part of Canadian political parties and others to actually reduce Canada's future vulnerability to such threats.

This document explicitly is not an action plan to accomplish that goal.

However, the Minister's mandate letter did direct her also to "ask CSE to offer advice to Canada’s political parties and Elections Canada on best practices when it comes to cyber security," and CSE does plan to do that. (In fact, Elections Canada is already a recipient of CSE's cyber defence advice and services.) The agency will discuss the findings of the report with all federal political parties that wish to participate at a meeting to be held next Tuesday, June the 20th.

According to a background briefing that CSE kindly invited me to take part in (along with a number of other researchers), the agency will explore with the parties whether it would be useful to provide further, more detailed advice or training to some or all of them. One possibility would be to provide training to IT staffers at CSE's Information Technology Security Learning Centre. Perhaps more likely, however, would simply be provision of advice on the kinds of services parties should contract for in the private sector.

CSE will not be providing actual cyber defence services to the political parties, however.

The government considers Canada's democratic institutions to be "of importance to the Government of Canada", which gives CSE a legal mandate to provide IT security advice and guidance to those parties under s.273.64(1)(b) of the National Defence Act (i.e., CSE's Mandate B). But provision of actual protective services is restricted to the IT systems and networks of the government of Canada itself.

Nonetheless, a CSE official did confirm that warnings would be provided if, for example, the SIGINT side of the agency detected a foreign actor stealing data from a political party's computer system. Notification would come through the Public Safety Department's Canadian Cyber Incident Response Centre (CCIRC), which is responsible for assistance to critical infrastructure operators outside the federal government. Such notifications are routinely provided to CCIRC partners in such cases, according to the official.

[Update 20 June 2017: Under Bill C-59, which was announced and given first reading today, the government proposes to give CSE the power to also provide cybersecurity services to protect non-federal information infrastructures designated "of importance" to the government of Canada. Thus, the agency might in the future be able to provide such a service to political parties, if they request it.]

I also asked why CSE was the agency given the job of making the threat assessment in the first place. As the report itself acknowledges, the cyber threat to electoral systems is just one aspect, albeit a very important one, of a broader set of activities that could be used to undermine or improperly influence an election, including traditional espionage, propaganda, disinformation, covert funding, and blackmail or other coercion. Furthermore, as the report also acknowledges, the perpetrators of such actions can be purely domestic Canadian actors—the activities of which CSE should have very little insight into—as well as foreign actors.

Thus, it seems to me that, in both respects, the Canadian Security Intelligence Service would have been a more appropriate agency to make such an assessment, although it would certainly have needed to draw on CSE's cyber expertise when considering those aspects of the issue.

The response, which I didn't find entirely satisfying, was simply that CSE is the agency with the greatest expertise on cyber threat questions. Well, yes, indisputably, but that doesn't answer the points outlined in the paragraph above.

Ultimately, of course, the reason CSE produced the report is that the Prime Minister and the Minister of Democratic Institutions asked it to.

Unsurprisingly, Australia is also concerned about the possibility of interference in its electoral system, and its political parties are also receiving advice from that country's SIGINT/IT Security agency. However, as indicated in this report (Ronald Mizen, "Political parties vulnerable to state sponsored cyber attacks," Financial Review, 16 June 2017), the Australians may also consider providing funding to political parties to help them secure their systems.

Might Canada also consider putting money on the table? An interesting thought.


News coverage of the CSE report:

Lee Berthiaume, "Canada's spy agency expects cyberattacks during 2019 federal election," Canadian Press, 16 June 2017

Alex Boutilier, "Canada’s political parties, media vulnerable to foreign hacks, spy agency says," Toronto Star, 16 June 2017

Daniel Leblanc, "Spy agency to school political parties on cyberthreats," Globe and Mail, 16 June 2017

Justin Ling, "“Low sophistication” actors took aim at the last Canadian election," Vice News, 16 June 2017

Alex Boutilier, "Despite risk of cyber attacks, political parties still handle Canadians’ data with no rules in place," Toronto Star, 19 June 2017


Sunday, June 11, 2017

Canadian Forces to get offensive cyber capability — but questions remain

The Liberal government's defence policy statement, Strong, Secure, Engaged, released on June 7th, confirms that the Canadian Forces will acquire an offensive cyber capability:
We will assume a more assertive posture in the cyber domain by hardening our defences, and by conducting active cyber operations against potential adversaries in the context of government-authorized military missions. Cyber operations will be subject to all applicable domestic law, international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments. (p. 15)
A slightly more expansive description is provided on p. 72 of the document:
Defence can be affected by cyber threats at home and abroad — from attempts to steal sensitive information from our internal networks, to cyber attacks on the Canadian Armed Forces on deployed operations, to the use of cyberspace by terrorist organizations to spread disinformation, recruit fighters and finance their operations. Indeed, there has been a steady increase in the number of state and non-state actors developing the capability to conduct disruptive cyber operations.

The Defence team works closely with the Communications Security Establishment, Public Safety Canada, Global Affairs Canada and Shared Services Canada on cyber issues. To date, this work has focused on strengthening the defence of important military systems, network monitoring and control, building the future cyber force, and integrating defensive cyber operations into broader military operations.

However, a purely defensive cyber posture is no longer sufficient. Accordingly, we will develop the capability to conduct active cyber operations focused on external threats to Canada in the context of government-authorized military missions. The employment of this capability will be approved by the Government on a mission-by-mission basis consistent with the employment of other military assets, and will be subject to the same rigour as other military uses of force. Cyber operations will be subject to all applicable domestic and international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments.
Although few actual details are provided about either cyber operations or planned signals intelligence capabilities in general, the statement does report that:
  • The Canadian Forces will "Acquire joint signals intelligence capabilities that improve the military’s ability to collect and exploit electronic signals intelligence on expeditionary operations" and will "Improve cryptographic capabilities, information operations capabilities, and cyber capabilities to include: cyber security and situational awareness projects, cyber threat identification and response, and the development of military-specific information operations and offensive cyber operations capabilities able to target, exploit, influence, and attack in support of military operations." (p. 41)
  • "The Defence team will increase its intelligence capacity, and will examine its capabilities to understand and operate in the information environment, in support of the conduct of information and influence operations." (p. 66)
  • "[W]e will acquire an airborne intelligence surveillance and reconnaissance platform that will enhance the ability of our Special Operations Forces to improve their understanding of the operational environment." (p. 103)
  • "The Government will provide $4.6 billion for joint capability projects in domains such as cyber, intelligence as well as joint command and control over the next 20 years. This includes... $1.2 billion over the next 20 years for five new equipment projects and one information technology project. For example, the Combined Joint Intelligence Modernization project will provide a modern deployable intelligence centre for land-based operations, building on the lessons learned in recent operations." (p. 103)
  • "To better leverage cyber capabilities in support of military operations, the Defence team will: 87. Protect critical military networks and equipment from cyber attack by establishing a new Cyber Mission Assurance Program that will incorporate cyber security requirements into the procurement process. 88. Develop active cyber capabilities and employ them against potential adversaries in support of government-authorized military missions. 89. Grow and enhance the cyber force by creating a new Canadian Armed Forces Cyber Operator occupation to attract Canada’s best and brightest talent and significantly increasing the number of military personnel dedicated to cyber functions. [Question: Will this new occupation supplement the existing Communicator Research occupation or absorb and replace it?] 90. Use Reservists with specialized skill-sets to fill elements of the Canadian Armed Forces cyber force." (p. 73)
  • With respect to the last of these items, the Canadian Forces will "Assign Reserve Force units and formations new roles that provide full-time capability to the Canadian Armed Forces through part-time service, including: ... • Cyber Operators; • Intelligence Operators; ... and • Linguists" and "Enhance existing roles assigned to Reserve Force units and formations, including: • Information Operations (including Influence Activities)" (p. 69).
These details are welcome, but it seems to me that a number of important questions remain either unresolved or ambiguous in the defence policy statement.

Most importantly, at several points the document characterizes offensive cyber activities as taking place solely in the context of "government-authorized military missions", which would seem to mean that offensive cyber activities will be restricted to just a few specifically designated operations, such as Op Impact or Op Reassurance. Employment of cyber capabilities is to be approved by the government "on a mission-by-mission basis consistent with the employment of other military assets".

But "mission" could actually have a much broader meaning.

The document also outlines eight "core missions" of the Canadian Forces, covering everything that our military forces do (p. 82). These missions include detecting, deterring, and defending against threats to or attacks on Canada; detecting, deterring, and defending against threats to or attacks on North America in partnership with the United States; leading and/or contributing forces to NATO and coalition efforts to deter and defeat adversaries, including terrorists; leading and/or contributing to international peace operations and stabilization missions with the United Nations, NATO, and other multilateral partners; and providing assistance to civil authorities and law enforcement, including counter-terrorism, in support of national security and the security of Canadians abroad.

Could offensive cyber activities be authorized in support of wide-ranging, fundamental "missions" such as these?

Such a reading may seem implausibly broad.

But on page 60 the document states the Canadian Forces "will ensure that new challenges in the space and cyber domains do not threaten Canadian defence and security objectives and strategic interests, including the economy."

It will take a lot more than cyber operations against ISIS to protect the Canadian economy — or defend a wide range of other Canadian defence and security objectives and strategic interests — from cyber threats.

The document also states that Canada has a "responsibility to contribute to efforts to deter aggression by potential adversaries in all domains", including specifically the cyber domain (p. 50). That's a much broader goal than anything that can be accomplished in the context of a particular expeditionary operation. And it implies an ongoing, continuous mission, not a temporary activity that can be expected to end when this or that operation wraps up in a matter of months or a few years.

A broader reading of "mission" is also necessary if Canada's cyber forces are to take on the sort of roles assigned their Five Eyes partners, notably U.S. Cyber Command.

It would be nice to know just how wide the range of cyber missions envisaged by the government could be.

Another question relates to the role of the Communications Security Establishment.

Will all offensive cyber operations — other than those conducted domestically — be undertaken by military cyber operators (presumably members of the Canadian Forces Information Operations Group) acting under military command? Or will CSE have a role as well?

The CFIOG normally works very closely with CSE (in fact, under its direction much of the time), and CSE's expertise on cyber defence and cyber espionage activities would be of direct relevance to any offensive operations the Canadian Forces might undertake. CSE is also likely to have its own expertise on offensive operations that it may use for computer network defence purposes and may also provide from time to time in support of CSIS "disruption" activities.

So to what extent might CSE be called upon to provide support to the Canadian Forces for the conduct of offensive cyber operations? And to what extent might CSE conduct its own operations? This document is silent on those questions.

[Update 20 June 2017: Bill C-59, which was announced and given first reading today, answers some of these questions. The government is proposing to give CSE the power to conduct both "defensive cyber operations" to help protect systems and networks "of importance" to the government of Canada and "active cyber operations" (i.e., offensive cyber operations) against foreign individuals, groups, or states for defence, foreign policy, or security purposes. The bill would also explicitly enable CSE to provide technical and operational assistance to the Canadian Forces and Department of National Defence, including for cyber operations.]


For some earlier comments that I made on Canada and cyber war, see here.


Update 18 June 2017:

This article (Murray Brewster, "Civilian oversight key to offensive cyber operations, says expert," CBC News, 18 June 2017) suggests that the Special Operations Forces sub-unit that the government will "examine establishing" in the Reserve Force will be tasked with developing "offensive cyber capabilities, particularly in the area of information operations". I don't think that's what the government is considering doing.

As noted above, the new defence policy does call for recruiting Reserve Force cyber operators and assigning cyber and intelligence roles to certain unnamed Reserve Force units and formations, as well as enhancing the information operations role of the Reserves, but I think it's a stretch to suggest that the Special Forces unit under consideration would take on cyber war, or information operations in general, as a primary function.



Sunday, April 23, 2017

CANUSA Agreement declassified

In 1949, Canada and the United States signed the CANUSA Agreement, codifying the extraordinarily close cooperation between the two countries on communications intelligence collection, processing, and dissemination.

The agreement was laid out in a Top Secret codeword-classified exchange of letters between G.G. (Bill) Crean, the Chairman of the Communications Research Committee (the interdepartmental committee that governed Canadian SIGINT policy), and Major General Charles P. Cabell, the Chairman of the equivalent U.S. body, the United States Communications Intelligence Board.

It was based closely on the U.S.-U.K. BRUSA Agreement of 1946, which was later renamed the UKUSA Agreement and is considered the foundational document of the Five Eyes SIGINT alliance.

The UKUSA Agreement was declassified and published online in 2010 along with most of its appendices and annexures, although some had significant redactions.

The CANUSA Agreement, by contrast, remained classified—until now.

Here is the full text of the agreement, minus as many as 83 pages of appendices and annexures, as released under Access to Information request A-2016-00131.

Kudos to the Communications Security Establishment for finally releasing this important historical document.

I usually leach off other people's access requests for the documents I cite on this blog, but in this case I put up my own five bucks to make a formal request since the public shaming I tried in January didn't seem to be working any better than the gentle persuasion I tried in November.

And, to be clear, the five bucks was only partly successful.

I asked for the appendices and annexures to the agreement to be released as well, but evidently that proposition was too great a shock to the system over there. This, despite the fact that (as I pointed out here) the 27 March 1953 version of Appendix B has been available online since 2015.

That particular horse probably got out by mistake, but it's not going to go back in the barn, pardners. Why pretend otherwise?

Another point: I also asked for the release of "all subsequent modified or amended versions of that agreement up to the present day."

We know from this document that the agreement was "revised slightly in 1960", but we don't know in what way.

And we still don't. Maybe the 1960 version was somewhere in those 83 pages that CSE redacted.

On the plus side, the Dominion is safe from whatever ill consequences would ensue if that specific 57-year-old horse ever got out.

But enough with the nay-saying.

At the risk of riding my metaphor off in all directions, I shouldn't look a gift (or, technically, five-dollar) horse in the mouth.

The CANUSA Agreement has finally been released into the wild. And that's a good thing.

Sunday, April 09, 2017

CBNRC's mini-SHAMROCK



From August 1945 to May 1975 the NSA's SHAMROCK program collected most of the cable traffic passing between the United States and international locations and processed their contents for foreign intelligence — and occasionally domestic intelligence — purposes. Public outrage following the program's exposure in the mid-1970s led to the passage of the 1978 Foreign Intelligence Surveillance Act.

Just before that all happened, however, Canada sought to establish its own mini-SHAMROCK program.

Canadian government documents indicate that in the early 1970s the Communications Branch of the National Research Council (CBNRC, as CSE was called in those days) set up a test cable monitoring operation in Montreal. The Canadian program, which has not previously been revealed, was run in cooperation with the Canadian Overseas Telecommunications Corporation (COTC), the Crown corporation that had a monopoly on overseas telephone, telex, and telegram services from Canada at that time. (COTC was renamed Teleglobe Canada in 1975 and was later privatized, eventually becoming part of Tata Communications.)

Canada had long been a regular consumer of the cable traffic collected on international circuits around the world by its U.S. and U.K. allies, but its own SIGINT activities were focused almost entirely on the radio communications of the Soviet Union, particularly those in the Arctic.

At the beginning of the 1970s, this posture was seen as not fully meeting Canadian needs.

CBNRC reportedly was unable to contribute much during the October Crisis in 1970, as it had virtually no capacity to monitor Canadian communications. Ottawa wanted desperately to know more about "revolutionary elements" in Canada, including any links they might have to other countries. Intelligence consumers were also interested in more Canadian-related foreign and economic intelligence than we could get from our allies.

The documentary evidence is sparse, but a pilot project for monitoring cross-border cable communications appears to have been set up at COTC's Montreal facilities, which were the gateway for Canadian transatlantic communications, in 1971 or perhaps a little earlier.

A draft memorandum on "The Canadian Intelligence Program" written for the Cabinet Committee on Security and Intelligence in April 1972 reported that "a survey is being carried out to determine the value of arrangements with the Canadian Overseas Telecommunications Corporation by which we would have the opportunity to examine messages between Canada and locations abroad which would (1) clarify links between revolutionary activities abroad, (2) provide information concerning known revolutionary elements, and (3) contribute intelligence about foreign and economic affairs of direct interest to Canada."



Later that month, CBNRC sought approval to convert the test operation to full operational status during the coming fiscal year, 1973-74. But with the intelligence program review still underway and fiscal pressures being felt all across the government, the Cabinet declined to give the project the go ahead that year.

The following two excerpts tell that part of the tale.

In the first, Intelligence Advisory Committee chairman A.F. (Bert) Hart discusses CBNRC's proposal for funds "for additional activities related to placing two test operations (Moscow and COTC Montreal) on a full operational basis in the fiscal year 1973/74" and comments that the plan may have to be revised.



(The Moscow operation, Canada's first intercept site inside an embassy, was unrelated to the COTC project.)

The second excerpt, taken from the History of CBNRC, shows that the Cabinet did in fact decline to approve the extra expenditures required to go fully operational that year.



The decision to restrict the SIGINT budget to Level A presumably meant that the COTC Montreal operation did not go fully operational in 1973-74, unless internal budget reallocations or Supplementary Estimates later provided for it.

The proposal was not dead, however, and it is possible that the budget planning for 1974-75 approved an operational capability. The available records don't answer this question.

Either way, though, it was moot.

On 14 January 1974, the Protection of Privacy Act received Royal Assent, adding Section VI (Invasion of Privacy) to the Criminal Code, and trampling CBNRC's mini-SHAMROCK proposal in the process.

According to the History of CBNRC, nobody had asked CBNRC what effect the new act might have on SIGINT collection:

"in 1971 the [Director of Communications Security (DCS), the External Affairs official in charge of the Canadian SIGINT program], without any discussion with CBNRC, assured his Under-Secretary, and through him his Minister, that the clause in the current draft bill on Protection of Privacy which forbade the interception of "private" communications in and out of Canada would not have any bad effects on Canadian intelligence. This official opinion was to wipe out for the remainder of CB's existence traffic useful in such studies as [redacted]."



Additional details of the story can be found in other sections of the History:

"Legislation in Canada and the US affected CB's activities in a more basic way. A Protection of Privacy Bill was being drafted by the Canadian Department of Justice in 1971. The Department of External Affairs queried some aspects of the draft bill which might affect legitimate intelligence interests adversely. Copies of the queries, which went out over the signature of the Under-Secretary of State for External Affairs (USSEA), went to the Cabinet Secretary, the Chief of the Defence Staff (CDS) and the Director General of the Security Service (DGSS) in the RCMP, but not to Director CB. After receiving answers from Justice, the USSEA told his Minister in June that "radio communications would not come within the prohibition" against the interception of "private communications". Also, the "use or disclosure" of communications intercepted outside Canada would not constitute an offence, because such an act would not be "wilful", as being based on selection from a mass of material picked up without any "mens rea". He also told his Minister that relevant information would be made available to intelligence authorities (presumably including CB), even if obtained for specifically security purposes under a warrant issued by the Solicitor General. However, these did not all turn out to be the interpretations of several subsequent Solicitors General and Ministers of Justice."




One of the effects of the Protection of Privacy Act was to end CBNRC access to telephone, telegram, and telex messages with one or more ends in Canada, as these were by definition "private communications". CBNRC was prohibited both from collecting the messages itself and from asking its allies to collect the traffic for it.



(Under the Department of Justice's current interpretation of the law, CSE is in fact permitted to receive one-end Canadian traffic intercepted by Canada's allies. However, it is not permitted to ask those allies to target the communications of specific Canadians or persons in Canada except when it is at the request of a federal law enforcement or security agency operating under a warrant. Whether the same interpretations were applied in 1974 is not clear.)

The paragraph 4.25 that was cited in the preceding excerpt summed up the situation in 1975, as CBNRC became CSE: "[T]hings were still humming in most areas except in the ability to produce SIGINT on the subject [redacted; presumably "International Trade", but possibly also the collection of intelligence on "revolutionary elements"] which had been given a high priority by the intelligence community. Here unfortunately a strict interpretation of the new Protection of Privacy Act meant that the main source of information on this subject, that is [redacted] was now regarded as taboo. Some work was beginning to be done on selected foreign [redacted] but this new plant only reached its full flowering after the conversion from CBNRC to CSE, and so will have to be matter for a later history."



(The final sentence of this excerpt may or may not apply to the private communications issue: it could be a reference to the expansion in collection from embassy sites that began in the early 1980s.)

By mid-1975, it was not just CSE's mini-SHAMROCK program that was dead: the original U.S. SHAMROCK program had itself been shut down, although elements of it would soon enough be started up again following the passage of the Foreign Intelligence Surveillance Act.

It's likely that CSE did get permission to access cross-border traffic for certain purposes later in the 1970s or the years that followed. Communications that transited through Canada on their way between Europe and the Far East may have been considered fair game, for example. Such communications were a significant source of revenue for COTC, or Teleglobe Canada as it was known by then.

But it wasn't until the passage of the Anti-Terrorism Act in 2001 that CSE regained broad-based access for foreign intelligence purposes to communications that begin or end in Canada (and, even then, only when collected in the course of targeting non-Canadians located outside Canada).

Saturday, February 25, 2017

CSE 2017-18 budget to be $596 million

The 2017-18 Main Estimates, tabled in parliament on February 23rd, show a projected 2017-18 CSE budget of $595,983,723.

As the document shows, the budget projected for 2017-18 is slightly higher than the $583.6 million that was originally projected for the current fiscal year (2016-17) and slightly lower than the $599.8 million 2016-17 "to date" figure, which reflects additions made to CSE's budget authorities during the fiscal year. It is $23.6 million lower than the $619.5 million that was actually spent in 2015-16.

After accounting for inflation, this would suggest that CSE's 2017-18 budget will be roughly 7% smaller than it was in 2015-16.

CSE's actual spending in 2017-18 could well turn out to be greater than its 2015-16 spending, however. The agency has received large in-year budget top-ups every year for the last seven years.

Thus, it may be safer to say that CSE's budget appears to have stabilized for the moment at the roughly $600 million level, but with significant year-to-year fluctuations.

That level is about 4.4 times as high, after adjusting for inflation, as CSE's pre-9/11 budget.

According to the Main Estimates, 72% of the money will go to CSE's SIGINT program, while the IT Security program will account for the remaining 28%.