Saturday, August 24, 2019

History of CBNRC

In August 1987, CSE published an internal, highly classified history of the agency from its founding in 1946 as the Communications Branch of the National Research Council (CBNRC) to its transfer in 1975 to the Department of National Defence and renaming as the Communications Security Establishment.

The History of CBNRC's authors were N. Kevin O'Neill, who had been Director of CBNRC/Chief of CSE from 1971 to 1980, and Ken J. Hughes, a senior COMSEC official. Both had been on the staff of the agency through the entire period covered by the history.

Not long after the document was written, I and at least one other person formally requested that the releasable portions be made public under Canada's then new Access to Information law. That eventually did occur—after a delay of several years—but the released version was extremely heavily redacted, with perhaps 80-90 percent of the document withheld entirely and most of the rest riddled with additional redactions.

Group and section names and most personal names were redacted. Target names were redacted. All mentions of NSA and GCHQ were redacted (except for one mention of GCHQ that slipped through). Even the name of Kevin O'Neill's co-author was redacted.

There was some useful information left in the sections that remained, but the resulting document was mostly a testament to excessive secrecy.

Second release

More than 25 years later, someone—I don't actually know who—requested a fresh release of the History, and this time a much more significant part of the seven-volume document was released.

There are still large portions redacted, including the entirety of Volume II, but a great deal of new and very interesting information about CSE's history was released. I drew on the new release for this discussion of CSE's experimental cable monitoring efforts in the 1970s, for example.

For those interested, I have reproduced the table of contents of the History below and added links to the six volumes that were released as a result of access request A-2015-00045:

[26 MB PDF]

1 Origins and Background
2 SIGINT Policy and Committee Structure
3 Organization and Establishment
4 SIGINT Production Tasks
5 Interception at Stations

[Volume not released]

6 Special Collection
7 Signal Analysis
8 Cryptanalysis

[28 MB PDF]

9 Tactical SIGINT and Support to NATO
10 Intelligence Requirements and SIGINT Reporting
11 Liaison with Collaborating Centres
12 SIGINT Equipment and Engineering
13 Mechanization and Computer Developments

[24 MB PDF]

14 Communications
15 COMSEC in Canada before CBNRC
16 COMSEC Policy and Committee Structure
17 Development of COMSEC in CBNRC

[22 MB PDF]

18 Provision of COMSEC Advice and Support
19 Production of Keying Material
20 Use of Crypto Equipment in Canada
21 Evaluation of Crypto Equipment
22 Production of Crypto Equipment in Canada
23 COMSEC Monitoring and Analysis

[20 MB PDF]

25 Financial Administration
26 Security
27 Personnel
28 Training

[5 MB PDF]

Appendix - Chronological Summary

Update 25 August 2019: Link to Volume III corrected.

Sunday, August 18, 2019

Dredging up OCSEC's 2017-18 annual report

In this post, I'm going to write about some of the interesting stuff in the 2017-18 annual report of the Office of the CSE Commissioner (OCSEC), which was released last summer. In particular, I'm going to look at the decline in the number of private communications used or retained by CSE and whether that decline means that the spread of encryption is beginning to have a serious effect on CSE SIGINT operations.

But first a quick aside about the 2018-19 report, which may be about to be released.

In July, as a result of the long-awaited passage of Bill C-59, CSE Commissioner Jean-Pierre Plouffe was reflagged as the Intelligence Commissioner and OCSEC was shut down, with most of its duties reassigned to the brand new National Security and Intelligence Review Agency (NSIRA). This means the 2018-19 report will be the last of its kind.

As far as I can see the government now has just one date left, August 21st, to release that final report before parliament is dissolved for the fall election. If the 2018-19 report does get released a few days from now that probably will mean there isn't anything too newsworthy in it. If, on the other hand, the government hangs on to it until after the election that may be a sign there's something a bit more, er, exciting in it.

CSE nerds may recall that the only other OCSEC report to be withheld through a federal election in recent years, the 2014-15 report, was the one that revealed the only case in which CSE has ever been declared to have violated the law.

Nobody in Ottawa ever clues me in on anything, so I haven't heard anything suggesting that a similar bombshell is inbound this time around. But a delayed release would certainly look suspicious. I guess we'll just have to wait and see what happens.

[Update 22 August 2019: The 2018-19 report did not get tabled on the 21st, so I'm pretty sure we won't be seeing it until sometime after the October election. Makes you wonder if there isn't something embarrassing for the government in it. Hooray for transparency!

A happy thought: Like OCSEC's reports, by law NSIRA's annual reports have to be tabled within 15 sitting days of being submitted to the government. However, since NSIRA's reports will cover calendar years and thus probably will be completed around March of the following year, this should mean they get released sometime during the spring sitting instead of routinely getting delayed into the summer and potentially withheld through elections (now normally held in the fall).]

In the meantime, the possibility that the 2018-19 report could drop in just a matter of days has reminded me that I still haven't said much about the 2017-18 report, which was tabled in parliament over a year ago on July 18th, 2018.

So back to that report:

Private communications decline to 954

In its 2017-18 report OCSEC reported for the fifth year in a row the number of recognized "private communications" that were acquired by CSE under Part A of its mandate ("Mandate A") and subsequently used in SIGINT reporting or otherwise retained as "essential" for foreign intelligence purposes. The 2017-18 report revealed that 954 private communications were used or retained during the period from July 2016 to June 2017 inclusive.

As the table below shows, this was a 70% decline from the previous year's total, which was 3348, but it was still much higher than the totals in any of the years before that. The 2017-18 report and the previous one also reported how many of those private communications were actually used in end-product reports (EPRs), and that number too declined in the most recent period, from 533 to 261 (51%). These declines occurred despite the fact that, as the Commissioner also reported, the overall number of private communications intercepted "continued to increase substantially."

So this is the overall picture that confronts us: The increase in the number of PCs used or retained between 2013-14 and 2015-16 was truly eye-popping. But now, although the total number of PCs collected continued to grow in 2016-17, we're faced with a sudden significant drop in the number used or retained.

What is going on here?

Well, let's unpack the data a bit first.

In Canadian law a private communication (PC) is an oral or electronic communication between two or more persons, regardless of nationality, where at least one of the communicants is physically located in Canada at the time of the communication. (The legal definition is a little more complicated, excluding broadcasting and other forms of public communication for example, but that's the gist.) The interception of PCs is illegal except under certain specific circumstances provided for in the Criminal Code.

One of these exceptions covers CSE's Mandate A activities when it is operating under a ministerial authorization issued for that purpose. Mandate A is CSE's mandate to acquire foreign intelligence, which is "information or intelligence about the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group, as they relate to international affairs, defence or security." In keeping with this definition, Mandate A ministerial authorizations are restricted to collection activities directed at non-Canadian targets physically located outside of Canada: CSE is not legally permitted to direct its Mandate A activities at persons in Canada (or Canadians anywhere).

So how does CSE end up with PCs acquired under Mandate A? The answer is actually pretty simple. All communications have at least two ends. Sometimes the non-targeted end of a foreign communication that CSE collects turns out to be in Canada. This is called "incidental" collection. Because one end is in Canada, such communications are legally PCs, but their collection is permitted as long as one of the aforementioned authorizations is in place. (And it always is.)

When a CSE foreign intelligence analyst examines an intercepted communication they try to establish the location of the communicants in order to determine whether it is a PC. Recognized PCs collected under Mandate A can only be retained by CSE if they are determined by the analyst to be essential to international affairs, defence, or security. Some of the retained PCs end up quoted or otherwise cited in the end-product reports provided to CSE's SIGINT clients, while others may be retained for background information or because their importance is unclear. These are the PCs whose use or retention is reported by OCSEC. Retained PCs must be reassessed for essentiality after an undisclosed interval and are normally ultimately deleted unless they have been used in an EPR.

This is not the only way in which CSE can end up in possession of Canadian-related communications, however. The agency also sometimes collects communications in which the non-targeted end turns out to be a Canadian located abroad. Because in this case none of the participants in the communication are located in Canada, these communications are not PCs and are not counted in the total reported by OCSEC. Stored communications such as texts and e-mails acquired by CSE from computer hacking activities or company databases are also not counted as PCs, even if one of the communicants was located in Canada when the communication was originally sent. Canadian communications acquired by allies and subsequently provided to CSE are also not considered to be PCs. (Such collection is said to be "exceptional", but it does occur.) Finally, CSE acquires PCs and other Canadian-related communications incidentally in the course of its Mandate B (IT security) activities and intentionally in the course of its Mandate C (support to federal law enforcement and security agencies) activities. None of these numbers are publicly reported.

The private-communications-collected-by-CSE-in-the-course-of-Mandate-A-activities numbers do, however, provide important, if only partial, insight into the nature and evolution of CSE's collection of Canadian communications in the course of its foreign intelligence activities. So let's turn back to the numbers.

Smartphones and instant messaging

As I've argued before, the major jump in the number of used/retained PCs between 2013-14 and 2015-16 was probably a consequence of changes in the types of communications most commonly being intercepted. My guess is that the rise of smartphones and consequently mobile messaging applications accounts for most of the difference. Since each separate comment posted in a message app probably counts as a separate private communication, just one single extended conversation monitored by CSE might be counted as dozens or even hundreds of PCs.

If this is the case, then the huge increase in PCs used or retained in recent years is almost certainly primarily due to this change in communications technology and does not imply a huge—or even necessarily any—increase in the number of Canadians and other persons in Canada whose communications are getting caught in CSE's dragnet.

Although he hasn't confirmed that messaging apps are the explanation, the CSE Commissioner has more or less confirmed that the answer is something along these lines, describing the increase as "a consequence of the technical characteristics of certain communications technologies, and CSE’s legal obligations to count private communications in a certain manner" and adding that "the current manner in which CSE counts private communications provides a distorted view of the number of Canadians or persons in Canada that are involved".

It is possible, however, that there also was at least some increase in the number of Canadians or other persons in Canada whose communications were collected by CSE after 2014. While messaging apps are almost certainly the primary explanation for the jump, the timing of the increase might also be related to the resumption in mid-2015 (under a new, undisclosed name) of Domestic Interception of Foreign Telecommunications and Search (DIFTS) warrants, which enable CSIS to ask CSE to monitor specific Canadians abroad.

Neo-DIFTS intercepts would not appear directly in these statistics even if one end was in Canada, because collection for CSIS is a Mandate C activity. But such intercepts might enable the identification of new foreign targets, such as ISIS members involved in efforts to recruit Canadians, and those recruiters could then be targeted under Mandate A and possibly be monitored communicating with additional, previously unidentified Canadians. So it is not inconceivable that the advent of neo-DIFTS warrants led indirectly to at least a small increase in PCs collected under Mandate A.

In any case, since smartphones seem to have been ISIS's main mode of communications, many Canadians had travelled to Syria and Iraq to support the organization, active efforts were underway by ISIS to recruit others to come or to engage in attacks or other activities in Canada, and the Canadian Forces were participating in the anti-ISIS coalition, it seems plausible that ISIS members were among CSE's key targets throughout this period and that they may well have been responsible for many of the messaging-app PCs intercepted by the agency.

Why the drop?

So why did we see the sizable drop in used/retained PCs in the 2017-18 report?

It's risky to draw sweeping conclusions from a change reflected in just a single year's data, but assuming the phenomenon is real, three not necessarily mutually exclusive possible explanations come to my mind.

The first is that successes in the battle against ISIS, both on the ground and in cyberspace, have led to a significant decline in the number of ISIS members communicating with persons in Canada. ISIS was indeed coming under very heavy pressure during the period covered by this data, although it hadn't yet lost its control over large parts of Syria and Iraq. However, recent reports suggest that ISIS is still engaged in extensive online organizing and recruiting activity. Moreover, the substantial overall increase in PCs collected (as opposed to used or retained) in 2016-17 also suggests that a decline in targeted traffic—whether ISIS-related or otherwise—is not the primary explanation.

The second possibility is that the nature of the traffic has been changing, such that it now contains a significantly lower proportion of PCs that are of intelligence interest. This might be a result of a decline in the number of new individuals in Canada interested in communicating with ISIS, for example. It seems unlikely, however, that ISIS traffic involving persons in Canada would still be growing substantially under such circumstances, and even more unlikely that the great majority of that traffic would be of no intelligence interest. A more plausible possibility along these lines, perhaps, is that CSE's collection priorities have started to shift dramatically towards non-ISIS targets of various kinds whose communications with persons in Canada contain a much lower proportion of intelligence-related traffic.

The third possibility is that we are beginning to see the effects of the spread of encrypted messaging in recent years. Telegram, launched in 2013, is reported to have been widely adopted by ISIS members and supporters by 2016, largely on account of the end-to-end encryption capabilities that users can choose to utilize in its Secret Chat function. WhatsApp, which currently has more than 1.5 billion users, finished implementation of end-to-end encryption by default for all users in April 2016. Other apps also have or are moving to adopt similar technologies to various degrees.

If monitoring of messaging apps does explain the great increase in the number of PCs used or retained between 2013-14 and 2015-16, then the subsequent spread of encryption on those apps might well explain much of the 70% drop in the number of PCs used or retained in 2016-17. Interestingly, and perhaps not entirely coincidentally, an RCMP document prepared in early 2018 asserted that "Approximately 70 per cent of all communications intercepted by CSIS and the RCMP are now encrypted".

If this third explanation is correct, then the increasingly widespread use of encryption in messaging apps is starting to have a significant effect on CSE SIGINT operations.

It doesn't necessarily follow that seeking to limit encryption or to mandate government backdoors would be an appropriate or effective response to this development, however. (For more on encryption policy, see Lex Gill, Tamir Israel, and Christopher Parsons, Shining a Light on the Encryption Debate: A Canadian Field Guide, Citizen Lab and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, May 2018.)

Even universal adoption of secure encryption isn't going to solve the much broader problem of cybersecurity, and for the same reason it isn't going to mean the end of SIGINT.

But it could certainly mean large changes in the focus of SIGINT activities, just as the Soviet adoption of highly secure encryption for their high-echelon communications in 1948 led to sweeping changes in the organization and activities of the UKUSA SIGINT agencies through the 1950s.

Of course, it is also conceivable that some combination of all three possibilities, and perhaps other factors, has played a role in the drop. It will be very interesting to see where the numbers go when the 2017-18 data is released in the forthcoming 2018-19 report. Will they go back up, implying the 2016-17 numbers were just a blip? Or will the decline continue, suggesting that encryption really is starting to bite?

Maybe time to release different data

It occurs to me that CSE might be less than entirely happy to see this kind of speculation bandied about in a public forum, even if it turns out to be wildly incorrect. But I don't have a lot of sympathy for the agency on this question.

What I and other CSE watchers in Canada are really interested in is how many Canadians and other persons in Canada end up with their communications collected by CSE, and how many of those have their communications featured in reports to CSE SIGINT clients.

The only reason we find ourselves (possibly) with some insight into the types of communications being monitored and whether encryption is having a significant effect is that the agency has been forcing us to work with an imperfect proxy, the number of PCs used or retained.

If CSE instead permitted OCSEC and in future NSIRA to report the number of Canadians/persons in Canada who feature in such reports, we'd have a number much more useful for privacy-tracking purposes and much less useful for speculating about communications methods and the consequences of encryption or even about the capabilities of CSE in general.

Given that this number would refer only to incidental collection and would not include targeted domestic monitoring under CSIS or RCMP warrants, is there really a credible argument that ISIS or Al Qaeda or the SVR or the GRU or the Chinese MSS etc, etc could look at that number—let's say it's 20—and draw some sort of useful conclusion as to whether or not its own particular contacts were being watched?

Ideally, such reporting should be expanded to include all Canadians/persons in Canada appearing in foreign intelligence reports, not just those resulting from CSE's own collection of PCs, and maybe also an additional number for Canadians/persons in Canada appearing in IT Security reports.

I suspect CSE would also benefit from this approach since the number of Canadians/persons in Canada appearing in SIGINT reporting is very likely quite low and would probably be highly reassuring to the Canadian public.

(Alternatively, if the number is actually quite a bit larger than we've been led to expect, such that the Canadian public might actually be somewhat shocked by it, then in my view it's long past time to admit that, explain the reasons that supposedly justify it, and earn an honest social license to operate instead of one based on deception. Personally, I doubt this is what has being going on, but if CSE would give us the numbers there would be much less room for dark speculations.)

Show us the numbers!

Sunday, July 28, 2019

CSE Act comes into force 1 August 2019

The Communications Security Establishment Act (CSE Act) comes into force on the 1st of August (see Order in Council 2019-1091). The Act modifies CSE's powers in a number of significant ways, most notably mandating it to conduct computer network attack operations for both defensive and offensive purposes.

The new Act, Part 3 of Bill C-59, replaces Part V.1 of the National Defence Act, which was CSE's original statutory mandate, enacted as part of Bill C-36 in December 2001. That original statute enshrined in law the three-part mandate that CSE was already operating under based on classified directives, authorizing A) the production of signals intelligence (SIGINT) for foreign intelligence purposes; B) the protection of Canadian government communications and information technology systems and other systems "of importance to" the government of Canada; and C) the provision of operational and technical assistance to federal law enforcement and security agencies.

It also created a ministerial authorization regime that made it legal for the agency to undertake Part A and B activities that resulted in the interception of "private communications" as long those activities were not directed at persons in Canada or Canadians anywhere. This change was essential to enable CSE to process Internet-based communications. The statute also opened the way for CSE to engage in hacking, or computer network exploitation (CNE), operations.

The new CSE Act now coming into force adds a fourth part, informally referred to as Part D, to CSE's mandate: the conduct of computer network attack (CNA) operations against foreign targets, both "defensive cyber operations" to protect IT infrastructures of importance to Canada and "active cyber operations" to advance Canadian interests in general. Such operations will also be possible through Part C of CSE's mandate in support of the Canadian Forces/Department of National Defence, using CF/DND legal authorities, and were already possible in support of CSIS "threat disruption" activities, based on CSIS authorities.

This CSE chart (modified by me to add the mandate letters) shows the four parts of the agency's mandate under the CSE Act. Note, however, that the graphic's description of active cyber operations ("interfere with foreign online efforts that threaten Canada"), while possibly correct when such operations were restricted to support for CSIS, is much more limited than what is actually permitted by the CSE Act ("degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security").

The active element of the Part D mandate changes CSE from a traditional SIGINT and IT security agency into a cyber covert action agency as well. As I and others have argued, this is a watershed moment in CSE's history, and care needs to be taken to use this new capability responsibly and ensure that Canada is not contributing to the foreclosure of options for a more stable and secure cyberspace commons. I think we would come to regret the latter result.

That said, it is probably true that development of a certain level of such capabilities is an inevitable evolution, and it may be that keeping them (largely) inside CSE will act as a damper on how frequent or widespread their offensive use by Canada becomes. The powerful SIGINT side of the agency will not want to see hard-earned intelligence accesses burned in the name of ephemeral gains or marginal matters. Protection of SIGINT accesses and sources has been the Prime Directive of the SIGINT agency ethos since signals intelligence began, and I suspect it is hard-coded into most of the people who work there, including notably career SIGINTer Shelly Bruce, the current Chief.

Foreign Intelligence and Cybersecurity Authorizations

The CSE Act also broadens the ministerial authorization regime to cover almost all information acquired by CSE. Other than publicly available information that doesn't include information for which a Canadian or a person in Canada has a reasonable expectation of privacy, CSE will not be permitted to acquire any information unless an applicable Foreign Intelligence or Cybersecurity Authorization has been issued by the Minister.

Moreover, a quasi-judicial oversight official called the Intelligence Commissioner (IC) will now have to approve each authorization in order for it to become valid. This new office, which will also oversee certain datasets for CSIS, was created by Part Two of Bill C-59. The position is now occupied by Jean-Pierre Plouffe, who was the CSE Commissioner until that office was disestablished, also by C-59.

A minor amendment proposed by the Senate would have empowered the Intelligence Commissioner to provide suggestions on how to modify a Foreign Intelligence or Cybersecurity authorization in cases where the original version was rejected by the Commissioner, but this amendment was rejected by the government and was not included in the final version of the bill.

The creation of the Intelligence Commissioner's office is significant in that it marks the first time CSE has been made directly subject to external oversight, as opposed to external review. (See here for a description of the difference between oversight and review in official Canadian parlance.)

Credit for this development probably goes mostly to the British Columbia Civil Liberties Association, which in 2013 took the federal government to court, arguing that CSE's collection of Canadian-related communications and metadata in the absence of any form of judicial authorization violated the Charter rights of Canadians. That case is still inching its way through the Federal Court, and the government evidently hopes that creation of the Intelligence Commissioner position has placed the legality of CSE's operations on a sounder footing.

National Security and Intelligence Review Agency

Bill C-59 also created a new National Security and Intelligence Review Agency (NSIRA) that replaces SIRC and the CSE Commissioner for reviewing the activities of CSIS and CSE. It will also review the national security and intelligence activities of other departments and agencies of the government, including the RCMP, the Canada Border Services Agency, the Department of National Defence, Global Affairs Canada, and the Department of Justice.

With the creation of NSIRA, the Office of the Intelligence Commissioner, and, in 2017, the National Security and Intelligence Committee of Parliamentarians (NSICOP), the review and oversight structures monitoring the Canadian intelligence community have been entirely revamped and significantly expanded.

The government has given NSIRA a very promising start by appointing retiring MP and NSICOP member Murray Rankin, law professor Craig Forcese, and the four remaining members of SIRC as the initial members of NSIRA. Forcese's work on national security law issues over the last several years has been exemplary, and I have no doubt that he will do an excellent job. Although a strong supporter of most aspects of C-59 during the two-year debate over the bill, he was in no way an uncritical cheerleader. Among other issues, Forcese made a particular point of warning parliament that the CSE Act's silence on international law could end up gutting the agency's newly created cyber operations powers:
[U]nless you amend bill C-59, you can... kiss those defensive and active cyber powers away. Unless, that is, you just want to plow ahead and see what the Intelligence Commissioner, the new National Security and Intelligence Review Agency, and the National Security and Intelligence Committee of Parliamentarians have to say about this issue. This, in my view, would be insane, since a quick flick of the legislative pen could cure this problem for you, CSE.
(See Does CSE risk a Re X moment? for more details.)

The government ignored Forcese on this point and passed the cyber powers provisions unamended. It will be interesting to see what happens if NSIRA does take up the question now that Forcese is on the committee.


Another notable development, courtesy of s.59 of the CSE Act, is that CSE will now be obligated to "publish an annual report" within three months of the end of each fiscal year (i.e., before July 1st). The Act doesn't actually state that this report must be made public, but that's probably considered implicit in the word "publish". In any case, there doesn't seem to be any doubt that the agency will indeed be producing a public annual report.

What remains to be seen is how informative the new annual report will be. The Act doesn't provide any details about the contents of the report except that it must cover CSE's "activities during that fiscal year".

In several ways, CSE has become significantly less transparent since it became a stand-alone agency in November 2011. Let's hope the annual report not only reverses that trend, but sets a new standard perceptibly above what the agency considered acceptable for release just eight years ago.

Another potentially good bit of news on the transparency front was the government's appointment earlier this month of an 11-member National Security Transparency Advisory Group (NS-TAG). The mandate of the new committee is to advise the government how to:
  • Infuse transparency into Canada's national security policies, programs, best practices, and activities in a way that will increase democratic accountability;
  • Increase public awareness, engagement, and access to national security and related intelligence information;
  • Promote transparency while ensuring the safety and security of Canadians.
Godspeed on that!

All in all, there are some big changes now underway in CSE and the wider Canadian intelligence community thanks to the passage of C-59, and the potential for additional important changes is at least on the horizon.

Update 6 August 2019:

Some earlier news reporting/commentary featuring Public Safety Minister Ralph Goodale's sadly mistaken comments on CSE cyber powers...

Rachel Emmanuel, "New law says security agencies can launch cyber-counterattacks to foreign threats," Globe and Mail, 19 June 2019.

...and Tim McSorley's commentary in response:

Tim McSorley, "Who reviews cyber attacks in Canada? We need answers." Medium, 26 June 2019.

The bottom line here is that Goodale, if he was quoted correctly (and it appears he was), was deeply confused about the role, or more precisely the lack thereof, of the Intelligence Commissioner.

CSE is not his direct responsibility—that's Defence Minister Sajjan's job—but senior ministers on the security and intelligence file should not be making mistakes as basic as this. He's normally a very capable minister, so I expect this was just a temporary lapse.

Friday, April 19, 2019

Another "secret" revealed

In February 2007, CSE Chief John Adams revealed that "in the time between the end of the cold war and 2001, CSE’s reporting concentrated mostly on prosperity issues."

But the agency did not entirely abandon its Cold War-era targets, as this slide from an NSA presentation on its Second Party partners confirms.

The presentation can be found in this document (pages 85-94), part of a set of documents recently released by the U.S. government to Privacy International and Yale Law School’s Media Freedom & Information Access Clinic. Although undated, the presentation appears to come from around 1993, give or take a year or so.

As can be seen, the first item listed under "Targets" on the slide — CIS — is unredacted. CIS, of course, is the Commonwealth of Independent States, the loose association of former Soviet republics that arose out of the ashes of the Soviet Union.

There's nothing at all surprising about the fact that CSE was monitoring targets within the CIS in the 1990s. The Soviet Union was CSE's primary target during the Cold War, and the expertise and language skills of its staff remained dominated by that legacy for many years afterwards.

And there was a lot that was worth watching in the CIS area in the immediate post-Soviet years, not the least being the fate of the former Soviet nuclear arsenal, which ended up scattered among four independent states in the wake of the break up. There's still a lot worth watching.

What is a bit surprising, however, is that the CIS's identity as a CSE target was left unredacted in this release. Of the four agencies described in the presentation (GCHQ, DSD, GCSB, and CSE), this is the only unredacted item on any of the target lists.

— Which if nothing else reinforces the absurdity of redacting the even more obvious fact that Canada monitors the communications of Russian military aircraft that approach North American airspace.

Wednesday, April 10, 2019

Psst. It's the Russians!

The photo above shows the Deputy Commander of NORAD presenting a commemorative plaque to CFS Leitrim thanking our SIGINT folks for their "outstanding operational support critical to the NORAD mission and unwavering dedication to perimeter security". Featured on the plaque is a photo of a Russian Tupolev BEAR under escort by NORAD fighters.

Considering that such intercepts have been freely publicized by Canada and the U.S. for the last 60 years or so, I suspect the fact that Russian aircraft are normally the ones involved will not come as a huge surprise to the Canadian public or indeed anyone else — and especially not to the Russians, who after all are typically the guest of honour on these occasions.

I'm just going to leave this here for the benefit of whatever blinkered securocrat decided that the nationality of these aircraft is some kind of national secret that needed to be redacted from the report of the National Security and Intelligence Committee of Parliamentarians (NSICOP) released yesterday:

Despite the occasional incomprehensible redaction (and a substantial number of other, sometimes understandable, ones), there's a lot of interesting material in the 140-page NSICOP report, which is the first annual report that the new committee has produced.

It's unfortunate therefore that the PDF provided by the government isn't electronically searchable. Compiling the document from scanned images was probably a security measure designed to guarantee that no redacted information can be recovered from the final document. That's sensible enough.

But it is possible to OCR the document afterwards to make it user-friendly as well as secure. It's not that hard.

As a public service, I hereby offer for free download what apparently no one in government thinks is possible, or at least worth doing: a searchable version of the report.

Update 13 April 2019:

For a valuable commentary on the NSICOP report itself, see Stephanie Carvin, "A much-needed review of Canada’s security and intelligence operations arrives," Open Canada, 12 April 2019.

Monday, April 08, 2019

Cyber Threats to Canada's Democratic Process report updated

CSE released the 2019 update to its report on Cyber Threats to Canada's Democratic Process today. (See post on the original 2017 report here.)

As with the 2017 document, the report discusses the kinds of cyber threats Canadian democracy is likely to face but does not name specific actors, other than to cite a few publicly known cases as examples. It looks at three ways in which cyber activities might be used to affect the electoral process: impeding or corrupting the election process itself; stealing and exploiting information about politicians and political parties; and working covertly to influence voters' opinions and behaviours. (The last category is a slightly retooled version of the 2017 category, which focused on "the media".)

The report also provides some new and very interesting data on the ways these kinds of threats to democratic processes have been changing around the world over recent years.

According to CSE,
The proportion of national elections targeted by foreign cyber threat activity has more than doubled since 2015. When looking at economically advanced democracies similar to Canada, such as members of the Organization for Economic Cooperation and Development (OECD), Figure 5 below shows that the proportion of elections targeted by cyber threat activity has more than tripled. In fact, half of all OECD countries holding national elections in 2018 had their democratic process targeted by cyber threat activity.
The agency also reports that
voters now represent the single largest target of cyber threat activity against democratic processes, accounting for more than half of global activity in 2018. This shift seems to have started in 2016, which is likely due in part to the perceived success among cyber threat actors of Russia’s cyber interference activity against the 2016 United States presidential election.
Both sets of trend data were compiled by CSE using both open source and classified information. I'm not aware of anything comparable published by anyone else (not that I necessarily would be), so the report might be useful for other countries looking to assess trends in this area as well.

It would be interesting to know more about the quantity and quality of the data used and other methodological issues.


The main conclusions presented in the report are that 1) some degree of foreign cyber interference is very likely to be present in the 2019 election and 2) the primary focus of such activities is very likely to be influencing voter ideas and decisions:
We judge it very likely that Canadian voters will encounter some form of foreign cyber interference related to the 2019 federal election. However, at this time, it is improbable that this foreign cyber interference will be of the scale of Russian activity against the 2016 United States presidential election.

We judge it very likely that foreign cyber interference against Canada would resemble activity undertaken against other advanced democracies in recent years. Foreign adversaries have attempted to sway the ideas and decisions of voters by focusing on polarizing social and political issues, promoting the popularity of one party over another, or trying to shape the public statements and policy choices of a candidate.
This is valuable to know, even if it's probably not going to surprise anyone who has been paying attention to these issues.

The key question is, how many people actually are paying attention?

The only really effective defence we are likely to be able to build against the folly and nonsense — whether foreign or domestic in origin — that so frequently flashes across our phones and computer screens these days is a public that has mustered the wit and the will to apply the critical thinking skills needed to separate signal from noise.

This report may help a little in that regard, but it is not (nor was it designed to be) a plan to help create that more enlightened and capable citizenry.

We're still waiting for that plan, but in the meantime it would help if we had a political class that consistently called out and denounced hateful nonsense rather than retweeting, pandering, or dogwhistling to it.

News coverage:

Jim Bronskill, "Canada can expect election meddling, but not on scale seen in U.S.," Canadian Press, 8 April 2019.

Rachel Aiello, "Foreign interference in 2019 election 'very likely': report," CTV News, 8 April 2019.

Alex Boutilier, Marco Chown, Craig Silverman & Jane Lytvynenko, "Canadian political parties already targeted by foreign hacking, electronic spy agency says," Toronto Star, 8 April 2019.

Janice Dickson, "Foreign interference ‘very likely’ in Canada’s 2019 election, federal security agency warns," Globe and Mail, 8 April 2019.

Catherine Tunny, "Canadians, politicians targeted by foreign interference, electronic spy agency says," CBC News, 8 April 2019.

Amanda Connolly, "Canada likely to face foreign meddling in election but unlikely on scale of 2016 Russian interference: report," Global News, 8 April 2019.

Ian Austen, "Canada, Rebuking Tech Giants, Braces for Possible Election Interference," New York Times, 8 April 2019.

You can also watch the press conference with Democratic Institutions Minister Karina Gould, Defence Minister Harjit Sajjan, and CSE Chief Shelly Bruce that accompanied the release of the report here.

Tuesday, March 26, 2019

ATIPical story: U.S. releases partial CANUSA appendices

Another milestone has been reached in the effort to piece together the CANUSA agreement, the 1949 accord that spelled out the parameters of Canada–U.S. cooperation in communications intelligence collection and processing within the overall UKUSA relationship.

In April 2017 I got CSE to release the text of the CANUSA agreement via our Access to Information and Privacy (ATIP) legislation. But our government refused to release a single word of the voluminous appendices that flesh out the details of the agreement.

Fortunately, not that long afterwards, in July 2017, Privacy International and Yale Law School’s Media Freedom & Information Access Clinic filed a lawsuit in the United States seeking detailed information about the full range of intelligence-sharing arrangements among the UKUSA partners.

And, what do you know, among the hundreds of pages of documents now released as a result of that suit (see the documents available here and here) is the CANUSA agreement—including a significant portion of its appendices.

It's buried among the documents in this State Department release, but for your convenience I have extracted just the CANUSA portion and made it available here as a searchable PDF.

Whereas CSE released not a comma of the CANUSA appendices in response to my request, the State Department released some 45 pages either fully or partially. I guess it helps to have some high-powered lawyers on side when requesting information from government.

Not everything was better in the U.S. release, however. CSE to its credit was willing to release the entire text of the agreement itself, while the U.S. chose to wholly redact paragraphs 7 and 9 of it.

Which means if you want to read the full text of the exchange of letters that comprised the agreement itself, you have to go back to CSE's version here.

Don't these people ever talk to each other?

It's also worth noting that the version of Appendix B that has now been released by the U.S. is considerably less complete than the version that was already available on the NSA's own website, which as I noted here has been online since 2015. Still, the newly released Appendix B is a substantially revised version dating from 1 July 1959, whereas the online version is from 27 March 1953, so there's value in having both.

Petit à petit l'oiseau fait son nid.

Update 31 March 2019: As it turns out, the 1 July 1959 version of UKUSA Appendix B was also released recently, in only slightly redacted form. Since the CANUSA Appendix B was intended to be identical in all significant respects to the UKUSA version so that the procedures spelled out in the two documents would also be identical, it is possible to use the UKUSA text to reconstruct most of the redacted parts of the CANUSA appendix.

Which is what I have now done here.