Wednesday, January 12, 2022

A year of Canadian SIGINT history posts

2021 was the Communications Security Establishment's 75th anniversary year. Every day during that year, I posted a Tweet highlighting an item related to Canada's SIGINT activities that had taken place on that date, using the hashtag #CSE75. Most of the items related directly to CSE (or to CBNRC, the Communications Branch of the National Research Council, as CSE was known until 1 April 1975), but there were also a lot about Canada's broader SIGINT history, including many related to the Second World War and even earlier.

It was my hope that, in addition to being interesting in themselves, these Tweets might encourage, or maybe shame, CSE itself to be more open about its past. 

The agency did add a small amount of material about its history to its website during the year, making related Twitter posts using the bilingual hashtag #CSE75CST. But I'm quite sure my efforts had nothing to do with any of that (except for the fact that a number of CSE's items clearly drew in part from information previously published on this blog).

You can still find my #CSE75 posts on Twitter, but I thought it might be interesting and maybe in some way useful to compile them in one place here. They're pretty much as I originally posted them, but I have taken advantage of the blog format to spell out some of the acronyms, correct a couple of typos, and add a bit more explanatory text in a few places.

My plan with #CSE75 was to post something interesting about Canada's SIGINT history for each day of the year. The result is not a comprehensive list of the most important developments in that history. In many cases multiple important events have occurred on the same day of the year, and in other cases the month or year of an event may be publicly known but the exact date is not. Many key developments are more in the nature of processes, to which it is difficult or perhaps meaningless to assign a date. And of course many of the most important events are probably ones of which we in the public are not even aware. 

In some cases I had to stretch a bit to find something interesting to report for a specific date, resorting, e.g., to examples of routine activities by or related to the agency that occurred on that date. But I think those items also help illuminate Canada's SIGINT history.

With those caveats in place, here's the list:


Wednesday, December 22, 2021

NSIRA 2020 Annual Report

NSIRA's 2020 Annual Report was tabled on December 10th, 2021. 

I'll try to write a post on the CSE-related items in the report eventually, but in the meantime you can find the great bulk of what I'd probably say—and a lot of additional insights—in Chris Parsons' commentary here. Chris also addresses the non-CSE-related parts of the report, so at his site you get a full-service analysis!

Thursday, December 09, 2021

CSE 2020-2021 Annual Report

CSE's 2020-2021 Annual Report was released on 28 June 2021, and although I discussed the document on Twitter then, it's about time I got around to commenting on it on this blog as well.


Improvement over 2019-2020 report

CSE's 2020-2021 report is considerably more informative than its 2019-2020 report, which was the agency's first attempt at responding to the CSE Act's requirement to produce one. The new report contains about two and a half times as much text as the first one, and while that may be no guarantee of more signal among the noise, in this case it's fair to say that there has actually been some improvement.

As before, however, most of the information provided relates to CSE's cyber security efforts, which account for only about 30% of the agency's resources. The remaining 70% of CSE's resources go to CSE's signals intelligence (SIGINT) side, about which the agency prefers to say as little as possible. Even less is said about CSE's new cyber operations mandate.

SIGINT and cyber operations 

It's inevitable that much about intelligence-gathering and covert-action kinds of activities must remain secret, but the paucity of information here is still disappointing.

CSE's cyber operations mandate was granted only in 2019, and how those powers are used will form a key part of Canada's contribution to determining the future of cyberspace. We already knew that some number of such operations had been authorized; the only new thing we learn in this report is that some have actually been conducted. (More recently, CSE has acknowledged that cyber criminal activity was one of the targets of those cyber operations.)

By contrast, partner agencies such as NSA, GCHQ and Australia's ASD have given specific examples of the operations they undertake, and some of those governments engage in detailed public discussions of appropriate strategies, laws, and norms for cyberspace.

Information on CSE's SIGINT activities is also pretty scant. 

Last year, the National Security and Intelligence Review Agency (NSIRA) decided against publishing a number of statistics about CSE's SIGINT program that formerly had been published by OCSEC, CSE's previous review agency. Since the publication of those statistics had in all cases been approved by CSE, it is evident that no security grounds would prevent their publication by CSE itself. Surely, therefore, CSE's report contains that information at least.

I jest of course.


Friday, December 03, 2021

Recent book chapters

In addition to Stress Tested, I have also contributed chapters to two other books published in the last year.

I wrote the chapter on the Communications Security Establishment for Top Secret Canada: Understanding the Canadian Intelligence and National Security Community, "the first book to offer a comprehensive study of the Canadian intelligence community, its different parts and how it functions as a whole." 

The CSE chapter provides a basic introduction to the agency, its mandate and resources, and some of the important questions about its operations and how they do or don't relate to Canadians.

Published by the University of Toronto Press in March 2021, the book is currently on sale at the UTP website for half price.

I also contributed a chapter to Big Data Surveillance and Security Intelligence: The Canadian Case, which was published by the University of British Columbia Press in December 2020.

As I noted here, my contribution is a bit of an outlier since CSE is not actually a security intelligence agency (although of course it does work closely with CSIS), and my chapter, "From 1967 to 2017: CSE's Transition from the Industrial Age to the Information Age," is much more a "history of the present"—how CSE got where it is today—than a discussion of its current Big Data activities. 

However, I think it does serve as a reasonable lead-in to another chapter in the book, written by Scott Thompson and David Lyon, that does look at CSE and Big Data.

The book can be purchased at the UBC Press website. Alternatively, you can download a rather messy and inconvenient—but free—open-access version of the book using the link near the bottom of this page.

Monday, November 29, 2021

Stress Tested

An open-access PDF version of the book Stress Tested: The COVID-19 Pandemic and Canadian National Security is now available at this link.

Edited by Leah West, Thomas Juneau, and Amarnath Amarasingam and published by the University of Calgary Press, Stress Tested addresses "topics including supply chain disruptions, infrastructure security, the ethics of surveillance within the context of pandemic response, the threats and potential threats of digital misinformation and fringe beliefs, and the challenges of maintaining security and intelligence operations during an ongoing pandemic," all with a focus on Canada's experience. 

It looks like there's a lot of interesting reading in the book — and once you're done with that you can also check out the chapter that I contributed, "Collection and Protection in the Time of Infection: The Communications Security Establishment during the COVID-19 Pandemic" (pages 127-144). 

The friendly folks at CSE were, as usual, parsimonious with the information, but I wrote some stuff anyway. 

You can find more information about the book, and order a hard copy, here.


Update 3 December 2021: See here for other recent CSE-related chapters I've written.

Saturday, June 26, 2021

NSIRA review calls into question legality of identity disclosures

On June 18th, the National Security and Intelligence Review Agency (NSIRA) released the public version of its report on a review the agency conducted in 2020 of CSE's disclosure of Canadian Identity Information to government of Canada clients. NSIRA concluded that CSE’s disclosure regime "may not be in compliance with the Privacy Act", and thus the review agency "submitted a compliance report" to the Minister of National Defence. Although couched in tentative terms, this conclusion is probably about as close as NSIRA is likely to get to saying that CSE broke the law.

OCSEC, the agency that reviewed CSE prior to NSIRA's creation in 2019, made a similar finding only once in its 23 years of existence. That case concerned metadata sharing with foreign partners. It's starting to look like NSIRA, which is still less than two years old, may be considerably more inclined to call out activities that it feels fall short of legal compliance than OCSEC was.

What is the significance of "Canadian Identity Information"?

Canadian Identity Information (CII) is any specific piece of information that can identify a Canadian citizen, permanent resident, or corporation incorporated in Canada, including but not limited to names, phone numbers, email addresses, IP addresses, and identifiers such as passport numbers. Except when operating under Part C of its mandate (discussed below), CSE is only permitted to target foreign entities (persons, groups, corporations) located outside Canada. But sometimes the information obtained by that targeting, or by various types of untargeted collection, contains information about Canadians, potentially including identity information. A foreign target might communicate with a person in Canada, for example, or two foreign entities might discuss information pertaining to a Canadian. Such information may be used in CSE foreign intelligence or cybersecurity reports or otherwise retained by the agency if it is assessed as being "essential" to "international affairs, defence, security or cybersecurity". But normally CII may only be included in those reports if it is "suppressed", which means replaced in the report by a generic reference such as "a Canadian person" or "a Canadian company". Client departments can request that CSE provide them with the information that was suppressed if they have the lawful authority and a suitable operational justification for receiving it.

CII releases were insufficiently justified

NSIRA looked at CSE's record of disclosing CII to Canadian government clients from 1 July 2018 to 31 July 2019, and it did not like what it saw. Over that thirteen-month period, CSE received requests from 15 departments for disclosure of a total of 3708 Canadian identifiers that had been suppressed in reports by CSE or its Five Eyes partners; 3671 (99%) of the identifiers were disclosed to the requesters.

After a closer examination of a sample of the requests accounting for 2351 identifiers, NSIRA found "69% [of the requests] to be justified, 28% to be insufficiently justified to warrant the release of CII, 2% that could not be evaluated, and 1% that CSE denied." (Note that NSIRA did not conclude that these 28% could not be justified, but simply that they had not been sufficiently justified.) NSIRA also found information disclosed by CSE that hadn't even been requested: "NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity."

Disclosures to CSIS, the RCMP, and the Canadian Border Services Agency (CBSA), which accounted for about half of the sample, were considered by NSIRA to be generally appropriate, "with some exceptions." This suggests, however, that half or more of the releases to the 12 other client departments were not considered sufficiently justified. NSIRA recommended that CSE cease disclosing CII to clients other than CSIS, the RCMP, and the CBSA until it addressed the findings and recommendations contained in the review. Such clients would include major intelligence consumers such as Global Affairs Canada and the Privy Council Office, as well as lesser users like Innovation, Science and Economic Development Canada.

Section 16 reporting

Some of the CII released by CSE was derived from information collected in support of CSIS Act s.16 collection of foreign intelligence within Canada. This information is normally collected under the aegis of Federal Court warrants issued to CSIS, and in some cases CSIS asks CSE to help with its collection or processing. CSE sometimes also reports some of the resulting information through its own foreign intelligence reporting channels. If, for example, a CSIS s.16 operation is established to monitor the communications of the South Korean embassy for economic intelligence purposes, as was done in the 1990s, it is CSE that does most or perhaps all of the processing and reporting of the resulting intelligence.

According to NSIRA, the procedures that CSIS uses to limit the release of CII acquired under s.16 are significantly stricter than those applied by CSE in its releases, and as far as NSIRA could tell the Court was not aware that CSE's laxer practices were also being applied to the information collected under its warrants. NSIRA therefore recommended that the Federal Court be fully informed of CSE’s disclosure practices and that, in the interim, CSE cease disclosing CII collected under s.16. In January 2021, CSIS did give the Court a copy of NSIRA's classified report. What happened in the interim and what actions the Court may subsequently have taken are not revealed.

Misleading statements to parliament

NSIRA also commented that CSE's 2018 testimony about s.16 activities to a parliamentary committee was "not a complete representation of the lifecycle of information collected by CSE in its assistance", in that it failed to acknowledge CSE's use of information collected through CSIS s.16 activities. CSE's resort to what I call "secret asterisks" in its public statements about Mandate C activities has long been a source of fulminations on this blog, so it's good to see some attention to this aspect of CSE's public communications.

CSE's response

According to NSIRA, CSE accepted all of the recommendations made in the report. An unclassified version of CSE's response was helpfully made available with the report.

It is evident from that response, however, that CSE disputed NSIRA's characterization of its disclosure practices, arguing that CSE's actions were actually fully compliant with the Privacy Act. It is unclear whether the Minister of National Defence, who forwarded NSIRA's compliance report and CSE's response to Attorney General David Lametti, agreed with CSE's position on the issue or simply washed his hands of it (as he so often seems to do). We also have no information about what the Attorney General did with this information.

It may be that CSE felt a bit blindsided by NSIRA's conclusions. In its defence the agency noted that, "In his final 2018-2019 review, the [CSE] Commissioner confirmed that CSE’s disclosures of CII complied with the law and were done in accordance with ministerial direction."

But it's worth recognizing that even that review expressed serious concerns about CSE's CII practices:

In just under 20 percent of requests, clients provided operational justifications that were generic. CSE explained that generic justifications had been developed in discussion with clients and tested over time. CSE also explained that its analysts learn its clients’ mandates, authorities and requirements. However, the Commissioner’s office believes these generic requests could not be described as robust, as required by CSE policy, because they did not provide an important element required for approving a client’s disclosure request: the requestor’s specific reason for the Canadian identity information. CSE believes these generic requests meet the minimum requirements of policy. However, because the requests contain generic justifications that did not sufficiently outline the requirement for the suppressed information, they failed to meet the Commissioner’s office’s expectations for justifications of Canadian identity information disclosures.

For reference, this is what a Request for Release of Suppressed Information form looks like for CII suppressed in foreign intelligence reports (or at least what it looked like in 2014):

The redacted section contains 13 possible generic justifications for why the requested information is required, the first of which (we know from an earlier release) is "capabilities/intentions/activities of a foreign person, state, organization or terrorist group relating to international affairs, defence or security". The requestor is asked to mark those justifications that apply with an X.

If the process for the release of suppressed information still uses this form or something much like it, then frankly it's not obvious to me how any of the other 80% of requests (or 69% of requests by NSIRA's count) provide robust, specific justifications either. Maybe in those cases the necessary details were provided in the answers to questions 2 and 3.

One nice thing about CSE's response: for the first time since 2011, the agency seems to have given us a reasonably accurate list of the broad Canadian intelligence priorities the agency responds to: "from support to Canadian military operations, [to intelligence about] espionage, terrorism and kidnappings to geostrategic concerns, cyber threats, foreign interference and global crises, among others."

Now, these may all sound rather obvious, and that's exactly what they are, but that hasn't stopped CSE from treating them like life-and-death national secrets in the recent past, so maybe we can take this step as a small sign of progress in the agency's long struggle to learn the difference between things that really do need to be secret and everything else.

Back to the report...

It would be useful if the full list of recommendations made by NSIRA were clearly laid out in the report, in as close to the original wording as declassification permits, to help the public keep track of them. According to the background notes on NSIRA's website, NSIRA made 11 recommendations in this review. It is possible to work out the gist of six or so of these recommendations from the text of the public version, but the rest have been left as a mystery. Maybe the others were rolled into the recommendations provided, but who can tell?

When NSIRA promised to proactively release public versions of its classified reports instead of forcing researchers to go through the tediously slow and frustrating Access to Information process in order to get a usefully detailed view of what the review agency had to say, I was hopeful that a major improvement in transparency was on the way. The unclassified version that NSIRA released is considerably more detailed than the summaries that were formerly published in OCSEC's annual reports, and it's notable that it includes the first published data on the number of CII items disclosed by CSE (as opposed to the number of requests). This is to NSIRA's and CSE's credit. Kudos also for publishing the report as a searchable PDF and making an unclassified version of CSE's response available. But in the absence of a proper summary of the report's findings and recommendations, it looks like people like me will still be stuck using the Access road.

[Update 22 December 2021: NSIRA's 2020 Annual Report, released on December 10th, reproduces all 11 of the review's recommendations in slightly sanitized but still useful form. It also does this for the other reviews completed during the year, along with the target agency's responses up to that point. NSIRA also states in the report that it "intends to publish and track such information from all reviews on its website." It's great to see NSIRA adopt this approach, and I hope (and expect) that in future NSIRA will also reproduce its recommendations in the released versions of its individual reviews.]

One of the other benefits that I had hoped to enjoy as a result of proactive release was greater timeliness. In this case, the original classified report was submitted to the Minister of National Defence on 25 November 2020, which means it took nearly seven months for this summary to be released. Yes, there's a pandemic going on. But let's hope post-COVID releases will be able to reduce that lag time considerably.

News coverage and commentary:

Jim Bronskill, "Canada's cyberspy agency may have broken privacy law, intelligence watchdog says," Canadian Press, 18 June 2021.

Alex Boutilier, "Spy agency may have broken privacy laws in sharing Canadians' information, watchdog says," Toronto Star, 18 June 2021.

Christopher Parsons, "NSIRA Calls CSE’s Lawfulness Into Question," Technology, Thoughts & Trinkets blog, 18 June 2021.

Intrepid podcast: Episode 161: Review of Review: NSIRA Calls Out CSE and CSIS, uploaded 30 June 2021.

Update 28 June 2021: The original version of this post stated that the CII requests that NSIRA examined were made over a four-year one-month period. While NSIRA did look at some of CSE's disclosure practices over that longer period, the statistics pertaining to identifiers requested and disclosed covered just thirteen months, from 1 July 2018 to 31 July 2019.

Sunday, March 28, 2021

Spy agencies, COVID-19, and parking lots

In Canada and many other countries around the world, most government agencies reacted to COVID-19 by directing the bulk of their employees to work from home. But this option was not available for the majority of those working for intelligence agencies because most of their work is too highly classified to be done outside special high-security offices known as secure compartmented information facilities (SCIFs). So I was curious how Canadian agencies such as CSE and CSIS, and CSE's Five Eyes counterparts, addressed this problem. Did they keep a large part of their workforce at home at various points during the pandemic? Did they move people to off-hour times such as weekends and nights? How long did these changes go on for?

When you ask Canadian agencies questions like these the OPSEC klaxons sound, public affairs officials cry out in terror and are suddenly silenced, and a great and impenetrable darkness falls over the land. It can be pretty awkward. But it occurred to me that publicly available satellite photos might provide at least partial answers to some of these mysteries. Specifically, satellite photos of agency parking lots. As it turns out, you can learn a fair bit about how these agencies responded to COVID-19 by looking at their parking lots.

For this blog post I analyzed satellite photos of the parking lots at CSE headquarters, CSIS headquarters, Canadian Forces Station Leitrim, NSA Fort Meade, and GCHQ Cheltenham. With the exception of CSE (which uses a parking garage for most of its parking), roughly the same pattern can be seen at all of these sites: a sharp reduction in parking lot use around late March 2020 as the first wave of the pandemic struck, greater but still reduced occupancy in May and June 2020, and a return to full lots by the end of the summer of 2020. There is very little evidence of reduced parking lot use during the winter 2020/2021 wave of the pandemic.

PARKINT complications

Before we get into all that, though, we need to consider the connection between parking lot occupancy and building occupancy.

The first thing to recognize is that very few buildings have enough parking spaces for everyone who works in the building. Most of these agencies maintain at least a small 24/7 operations capability, which means not everyone is in the building at the same time. And even on the main Monday to Friday day shift, some percentage of the workforce is typically expected to take public transit, walk, ride a bike, carpool, or otherwise get to work without taking up a space in the parking lot. In some cases the parking available on site is insufficient even for that lower level of demand, and some of the workforce ends up parking on neighbourhood streets, sometimes leading to local tensions.

A second complication is that there is no standard ratio between the number of people in a building and the number of parking spaces provided. Agencies whose sites are located far from most housing and are poorly served by public transit may provide parking for nearly everyone who works there. Those located in cities well served by transit, on the other hand, may insist that a large percentage of their workers leave the car at home. Even agencies located beside one another, like CSE and CSIS, may differ in the amount of parking they provide per employee.

Third, if a reduction in the number of people working in the office frees up parking spots, employees who ordinarily would not have driven may switch to their cars to take advantage of the availability of spots. This tendency is likely to have been especially strong during the pandemic, when many people will have wanted to avoid using public transit. As a result, the number of people occupying a building can probably drop quite significantly before the parking lot becomes less than completely occupied.

This also means, however, that if large vacancies do appear in the parking lot, it's a safe bet that a very substantial reduction has taken place in the number of people coming in to the office at that time.

What is more difficult to decide is whether those reductions reflect a switch to work at home or just a change in the specific hours of the day being spent at the office. Satellite photos are typically taken within a few hours of mid-day and it is rare to get more than one photo on any given day, so evidence of reassignment to other shifts is mostly indirect. The question can be answered in part, however, by checking whether significant changes have occurred in daytime attendance on weekends.

Finally, a significant part of the agency's parking may be provided by parking garages, which obviously pose a major problem for analyses based on satellite photos. As mentioned above, this was specifically a problem for assessing CSE.

Suitable imagery

Another problem is accessing suitable imagery. Satellite images like those available on Google Earth are typically very high in resolution, making individual vehicles easy to count, but such images are not updated nearly often enough. The latest Google Earth imagery for Ottawa, for example, dates from 2018. You can easily purchase more up to date imagery from commercial providers, but that option is not available to those who, like me, are working with a budget of zero.

Fortunately, there is a class of regularly updated, lower-resolution, free imagery available that is suitable for our purposes — if barely. At 10 metres per pixel, individual vehicles cannot be seen in Sentinel-2 images, but it is usually possible to tell the difference between occupied and unoccupied parking lots, as can be seen in these images of the lots at NSA headquarters. (See map showing the lots here.)

Even better is the 3-metre imagery collected by the PlanetScope Dove satellites, which Planet Labs makes available to university-affiliated researchers through its Education and Research Program.

In principle, publicly available synthetic aperture radar (SAR) imagery could also be used to assess parking lot occupancy, and because SAR images are not dependent on daylight and thus can be taken at different times of the day, such images might be helpful in determining whether a significant part of an agency's workforce had switched to working at night. However, a brief survey of available Sentinel-1 SAR imagery did not turn up any images useful for this project.

Assessing the data

OK, so let's get on with it.

Stretching outwards from the main NSA headquarters buildings at Fort Meade, Maryland, is a vast expanse of parking lots covering around 30 hectares and containing roughly 10,000 parking spots. On normal weekdays, those lots are filled to full capacity, as demonstrated by the Planet Labs image below, taken on Monday, 16 March 2020, just as the pandemic's first wave was beginning to strike with force but before the U.S. government had begun telling its employees to stay out of the office.

By contrast, by the time the Planet Labs photo below was taken on Thursday, April 2nd, parking lot occupancy at NSA had plummeted by perhaps 80 percent, where it remained until roughly the end of June. This suggests that at least 8,000 (and probably actually many more) NSA employees, military personnel, and contractors who normally would have been in the buildings were told to stay home during this period.

Or maybe not to stay home, but instead to move from their normal daytime hours of work to different hours when fewer people would be in the complex. Like the other Five Eyes agencies, some parts of NSA run 24 hours a day, seven days a week, and thus there are always some vehicles in the agency's parking lot, but the overall number of shift workers is small in comparison to the day workers.

Imagery taken over the last year confirms that weekend parking lot occupancy has remained at its normal low level throughout the pandemic, indicating that there was no significant shift of Monday to Friday work to the weekends at NSA. However, the unusual distribution of vehicles in the lots during weekday images such as the one taken on April 2nd suggests that more than one large daily shift may have been used from Mondays to Fridays during the first wave of the pandemic. When parking lots are mostly empty you expect to see the vehicles that are there clustered around the entrances to the buildings, but as can be seen in the April image many are a considerable distance from the doors. This probably means there were already a lot of vehicles in the lot when the drivers of the ones seen in the image arrived to start their shifts. This pattern was evident in all the weekday images taken in the April to June period. According to this report, some elements of the U.S. intelligence community did adopt a two-shift day during the early months of the pandemic. It looks like NSA may have been one of those agencies.

By contrast, images from July and August show much higher occupancy in the NSA lot, perhaps 80%, which is still significantly below the pre-pandemic level but suggests that the workforce was back to a single main shift by this time. Weekday use of the lot increased further in September, rising to essentially full occupancy by the end of that month. It has remained there ever since, showing no reduction even during the peak of the winter 2020-21 wave of the pandemic.

As noted above, the relationship between parking lot occupancy and building occupancy is not straightforward. Despite the lot being full, occupancy of the buildings may still have been quite a lot below normal during this later period. It is safe to say, however, that no fewer than 10,000 people were in the complex during normal weekday hours during this period, and the number was almost certainly much closer to normal occupancy than that.

(What is that normal occupancy? If I had to guess, I'd say probably around 15,000, give or take a few thousand. But that is just a guess.)

Evidently, by the time the second wave was taking place, NSA felt that physical distancing measures and modifications to work stations and/or work practices were sufficient to enable a large percentage of its workforce to return to the office safely.


A broadly similar pattern can be seen at GCHQ's headquarters building, commonly called the Doughnut, in Cheltenham, U.K. The Doughnut is surrounded by about 7.5 hectares of parking containing around 3,000 parking spots (see map). Prior to the pandemic, all of those spots would be filled on a normal workday, as shown in the Planet Labs image on the left from Friday, 6 March 2020.

By the time the Planet Labs image on the right was taken, on Thursday, 26 March, parking lot occupancy had fallen to about 50%, which probably corresponded to a drop of more than 50% in the workforce in the building at any time. In mid- to late June we see parking lot use start to climb again, rising to around 80% in mid-September and perhaps 95% at the beginning of October.

Due to frequent cloud cover and low light levels, good imagery is somewhat sparse during the subsequent winter months, but the GCHQ parking lots appear to be 100% occupied no later than Thursday, 26 November, and they seem to have remained that way throughout the following months. As with NSA, there is no sign of a significant shift to weekend work at any point during the pandemic. Also as with NSA, the fact that the GCHQ parking lots are back to full occupancy does not necessarily mean that the full workforce is back to normal work hours in the building. It is likely, however, that the great majority were back during most of this period.

Canadian sites

The headquarters of the Canadian Security Intelligence Service, located at the corner of Blair and Ogilvie roads in east Ottawa, has about 3 hectares of parking, but the odd shape of the lot limits its capacity to about 900 vehicles (see map). Planet Labs imagery from Monday, 16 March 2020 (left), shows the lot more or less fully occupied, but by Friday, 27 March (right), occupancy had fallen to roughly 60%, suggesting an even deeper reduction in the number of personnel in the building.

Occupancy of the lot remained at that lower level until the summer, when it began to rise again. By early July, up to 90% of the lot was typically filled, and since the fall it has been back to essentially 100% full, which may or may not mean that occupancy of the building returned to normal.

The response of the Integrated Terrorism Assessment Centre (ITAC), a multi-agency organization with offices inside the CSIS building, may give an idea of how the changes in parking lot occupancy corresponded to workforce attendance at the office. ITAC reduced the number of people working in its spaces by as much as 80% during the early days of the pandemic. By the summer of 2020, the number of people working in ITAC spaces was back to half its normal level, and by the fall, following renovations to improve the safety of the centre, three-quarters or more of the personnel were back. The reductions in the CSIS workforce may not have been quite as sharp as those of ITAC, but as the parking imagery confirms, it is likely that they followed a broadly similar trajectory.

[Update 29 March 2021: Stephanie Carvin confirms that CSIS headquarters was back to 80% of normal staffing by January 2021.]

The Edward Drake Building, the headquarters of the Communications Security Establishment (CSE), is located beside the CSIS headquarters, just to its west (see map). Most of the parking at CSE is provided by an 800-car parking garage, which of course largely eliminates the value of satellite imagery for analyzing parking at the agency.

Fortunately, not all is lost. CSE's garage is too small to accommodate all the people who normally want to drive their vehicles to work, so parking has tended to overflow into the residential neighbourhood to the west of the complex, sparking complaints by residents and enforcement actions by city bylaw officers. In an attempt to reduce this problem, CSE opened a 440-car overflow parking lot on Enigma Private (see map) just north of the CSE/CSIS complex in January 2020, about two months before the pandemic hit. As it is considerably further from the building, this lot is likely to fill up last — which opens the possibility of observing occupancy drops at CSE as well.

Complicating the issue, however, is that CSE was also in the course of moving most of the 800 staff members of the Canadian Centre for Cyber Security, CSE's cyber security arm, to a separate building at 1625 Vanier Parkway. Moreover, because many of those employees work on less classified, and sometimes even unclassified, projects, it has also been possible for a significant part of their work to be performed at home, freeing up space at the Vanier Parkway building for other CSE employees who do need office spaces to do classified work but do not necessarily need the highly secure SCIF spaces required by most of the SIGINT part of the agency.

Nonetheless, there are probably as many as 1,500 CSE employees or contractors who would seek to work inside the Drake building during normal Monday to Friday hours if they could. Unless a lot of those people are using public transit, that's a lot more than an 800-vehicle garage is likely to be able to accommodate. Thus, the use or non-use of the overflow lot may give some indication of limits on building occupancy during the pandemic.

And what do the pictures show? This Planet Labs image from 5 November 2020 is fairly typical: the overflow lot, visible at the top of the picture, does not appear to be in use (compare to the CSIS lot also visible). It is possible, however, that a few vehicles are present in the lot.

The bottom line is that there does not seem to have been extensive use of this lot by CSE during most of the pandemic. This suggests that CSE did manage to significantly reduce the number of people using the building during peak hours, although it doesn't tell us what combination of working from home, working in the Vanier Parkway building, or moving to different work hours was used to accomplish this, or how those measures may have varied over time.

To my mind, the most intriguing phenomenon turns up during the winter of 2020/21. By December 2020, after the snow starts to arrive, it is clear that the overflow lot is being plowed. This suggests it was in use at least somewhat by that time or at least that CSE expected it to be imminently in use. The plowing continues in January but then abruptly stops, with the lot appearing completely snow-covered for the last two-thirds of the month. The same pattern appears in February: plowed for the first third of the month and then a snow-covered wasteland for the rest. It gets plowed again at the beginning of March, and from that point on appears to be in consistent use.

January 2021 was the worst month to date for new COVID-19 cases in Ottawa, so it may be that the agency implemented additional peak-hours reductions in occupancy of the building during that month, and perhaps February as well, and thus didn't need the lot during those months. That theory doesn't explain why the lot was cleared in early February, however. Maybe the agency's snow-clearing contract specified a minimum number of days of work per month and the contractor plowed the lot until those days were used up whether the lot was in use or not.

Complicating analysis of this question is the fact that the winter imagery was frequently difficult to interpret, due to lower light levels, fewer clear days, and less contrast between snow-covered vehicle roofs and parking lots that themselves might have some snow on them. The CSIS lot seemed less affected by this problem, possibly because it is more sheltered from blowing snow.

What about the CFIOG workforce at the intercept station at CFS Leitrim? Satellite imagery shows there are around 500-550 parking spots at Leitrim, of which 350-400 were typically in use on pre-pandemic weekdays. There is little affordable housing near the station and it doesn't have good transit connections, so unlike the other sites discussed here, the number of cars in its lots is probably pretty close to the number of people working at the station at that moment. Imagery from the pandemic period suggests that the CFIOG reduced peak-hours staffing at the station by as much as 40% from late March to May 2020, with occupancy returning to 80% or 90% of normal levels only in the fall. This was probably mostly accomplished by moving people to non-peak-hours shifts in the evening and overnight, a change that presumably was easier to implement with the predominantly military personnel at Leitrim than it would have been at other sites. As with CSE, the winter imagery was often too poor for clear interpretation.

Interestingly, in no case is there any evidence that a significant amount of work was moved to weekends at any of these sites. Spreading five days of work across seven would seem like an easy way to reduce the number of people in the buildings at any time, but no, weekends appear to be sacrosanct.


Analysis of satellite photos of the parking lots at CSE headquarters, CSIS headquarters, Canadian Forces Station Leitrim, NSA Fort Meade, and GCHQ Cheltenham showed clear evidence of staffing changes at most of these sites in response to the COVID-19 pandemic. With the exception of CSE, where use of a parking garage complicates the question, roughly the same pattern was seen at all of these sites: a sharp reduction in parking lot use (implying even deeper reductions in peak-hour building occupancy) around late March 2020 as the first wave of the pandemic struck; greater but still reduced parking lot occupancy in May and June 2020; and a return to full lots by the end of the summer of 2020. There was very little evidence of reduced parking lot use during the winter 2020/2021 wave of the pandemic. However, the winter imagery was more difficult to interpret, particularly for CSE and Leitrim, so this observation is necessarily more tentative.

There are undoubtedly easier ways for intelligence agencies — and even individuals who aren't working from home on a zero-dollar budget — to answer these questions. For example, a couple of days of surveillance sitting in a car in the shopping centre lot across from the CSE and CSIS buildings would get you a much more accurate estimate of the number of people working in those buildings and their various hours of work. Commercially available smartphone location and activity data would probably also reveal a great deal, and the smartphone data potentially available to intelligence agencies could be even more revealing. Access to higher-resolution satellite imagery would also be very helpful.

Still, as this blog post shows, even relatively low-resolution satellite imagery can provide some intriguing insight into the ways Canadian and partner intelligence agencies responded to COVID-19.

This research was undertaken as part of my research fellowship with the Citizen Lab, at the Munk School of Global Affairs and Public Policy, University of Toronto. Planet Labs imagery was accessed with the assistance of Citizen Lab director Ron Deibert. All Planet Labs Imagery © 2021 Planet Labs Inc.

Saturday, December 26, 2020

CANUKUS Planning Conference, March 1953

This photo shows the participants in the CANUKUS (Canada-United Kingdom-United States) Planning Conference held in Washington from March 20th to the 25th, 1953 (click photo for higher resolution; source). The conference took place immediately after a BRUSA conference held at the same location, involving the same U.S. and British delegates, from March 2nd to the 19th. (BRUSA was renamed UKUSA later in 1953.)

The photo shows the conference participants assembled at the main entrance of the Naval Security Station building on Nebraska Avenue in Washington, which was still serving as one of the headquarters buildings of the new National Security Agency before its move to Fort Meade. Although dated March 31st, the photo was probably taken earlier in the month while the CANUKUS conference was still underway.

From left to right, front to back, the attendees are: Lieutenant Colonel Glen C. Long, U.S. Army; Major Dolas M. Grosjean, Women's Army Corps, U.S. Army; Clive (Joe) Loehnis, Deputy Director, GCHQ; Rear Admiral Joseph N. Wenger, USN, Vice Director, NSA; Group Captain Douglas M. Edwards, RCAF, Director of Air Intelligence; Brigadier John H. Tiltman, GCHQ, Senior British Liaison Officer at NSA; Edward M. Drake, Director, CBNRC; Victor P. Keay, FBI; Charles P. Collins, CIA; Commander James C. Pratt, RCN, Director of Naval Intelligence; Lieutenant Colonel Layton E. (Joe) Sarantos, Canadian Army, Director of Military Intelligence; Lieutenant Commander Arthur R. Hewitt, RCN, Director of Supplementary Radio Activities; Captain Bernard F. Roeder, USN; Henry J. Dryden, GCHQ; Commander Herbert H. Ridler, RN; Colonel Robert Gifford Yolland, British Army; Lieutenant Colonel Charles M. Townsend, USAF; T. Jaffray Wilkins, CBNRC, Communications Branch Senior Liaison Officer at NSA; Inspector Cecil H. Bayfield, RCMP liaison officer to the FBI; Dr. Louis W. Tordella, NSA; Arthur W. (Bill) Bonsall, GCHQ; Douglas A. P. Davidson, CBNRC; Robert F. Packard, U.S. State Department; William (Bill) Millward, GCHQ; N. Kevin O'Neill, Coordinator Production, CBNRC; and Wing Commander Frederick W. Hudson, RAF. Of the 26 participants shown in the CANUKUS photo, nine were from Canada, eight from Britain, and nine from the United States. The British and American participants had all also attended the earlier BRUSA conference.

Kevin O'Neill, who later became the second Director of CBNRC and the first to hold the title of Chief following the agency's transfer to DND as the Communications Security Establishment, began his SIGINT career at Bletchley Park and served as part of the British liaison team in Washington just after the war. This late 1945 photo shows him sitting in an office probably no more than 30 metres from where he is standing in the CANUKUS photo.

Rival conferences

O'Neill was also the author of the SIGINT section of The History of CBNRC. That document describes the two back-to-back meetings in March 1953 as "rival" conferences.

What was at stake was governance of the UKUSA/CANUKUS partnership — in particular, how the agreements specifying the details of those partnerships were to be modified over time.

The 1946 BRUSA Agreement was strictly a U.S.-U.K. accord. But the 1949 signing of the CANUSA Agreement by Canada and the United States complicated matters. The CANUSA Agreement was modeled closely on BRUSA, and its appendices, which spelled out the details of COMINT cooperation, were based on many of the BRUSA Agreement's appendices. This was especially true of the crucial Appendix B, which specified security procedures and standards for handling and disseminating COMINT. Except for the names of the parties involved, the two Appendix Bs were identical, and the intent of all parties was to keep it that way. But this created the question of which parties would get to decide when changes were to be made.

As O'Neill related it,

"1953 started off with some more rumblings about the desirability of Canada attending UK/US planning conferences where common subjects were involved. The UKUSA partners were planning to discuss their Appendix B on Security, as well as such lesser matters as SACLANT, Weather SIGINT, and counter-intelligence support, some time in March. Canada heard about this in January, and Mr. Glazebrook [the External Affairs officer who chaired the committee in charge of SIGINT policy] took up the question of whether it would not be simpler to deal with changes to Appendix B on a tripartite basis rather than have to handle them in two bilaterals, with the possibility of having to go back and forth between CANUSA and UKUSA Appendices ad nauseam. The Americans (Gen. Canine and V/Adm. Wenger) took the view that since this was a Commonwealth matter, it was up to the UK to decide, and for Britain Sir Eric Jones was adamant that Canada should not be present unless Australia was also."

The question had already been under discussion between the U.S. and Britain during the previous fall as the agenda for the BRUSA conference was being determined. In December, NSA Director Canine asked GCHQ Director Jones for his informal views on the possibility of moving Item 1 of the agenda (Revision of Appendix B - Security) to the "agenda for discussion at tripartite conferences with Canada."

Jones's reply gave two reasons for opposing the inclusion of Canada, one of which was fully redacted from the released record. The second reason, partially redacted, stated: "As the subject matter of Appendix B to the basic BRUSA Agreement has in the past been a matter for discussion between USCIB and LSIB only, it is preferable to maintain that principle and to continue with the arrangement". (USCIB and LSIB, the United States Communications Intelligence Board and the London Signals Intelligence Board, were the policy committees that directed SIGINT policy in the two countries at this time.)

The second reason seems to point to the primary British concern. Avoiding unequal treatment of the Dominions may have been a legitimate concern of the British, but if the exclusion of Australia were really the issue, it seems likely that it could have been resolved by including Australian participation in the conferences. (New Zealand was unmentioned presumably because, although it contributed personnel to the joint British-Australian-New Zealand COMINT centre in Melbourne, it had no COMINT processing organization of its own at this time.)

The real issue for Britain was almost certainly its reluctance to be, in effect, demoted from primary SIGINT partner of the United States to one of two partners of the U.S. having — in nominal terms at least — an equal say over the future evolution of the partnership. Given the importance of the UKUSA partnership to Britain and the great disparity in actual capabilities between GCHQ and CBNRC, this was not a development that the British would have considered either welcome or appropriate.

Britain did agree, however, to consider "the implementation in respect of Canada of paragraphs 11 to 16 inclusive of Appendix Q to the BRUSA SIGINT Agreement" at the tripartite conference to follow, noting that this "particular wording has been agreed in discussions between U.K. and Canadian authorities, and U.K. has already promised Canada to propose it to U.S. as item for discussion at a tripartite conference." (Appendix Q concerned COMINT Collaboration in War.)

The result, according to the History of CBNRC, was

"a compromise whereby Washington was the scene of a UKUSA Conference from March 2-19, revising their Appendices B, H, N, P and Q, and reviewing D and O, and a CANUKUS Conference from March 20-25, which dealt with the 'lesser' matters such [one line redacted] SACLANT, Wartime Collaboration and Counter-Clandestine SIGINT."

But it was not much of a solution as far as Canada was concerned.

"The second lot of proceedings seemed pretty unrealistic, especially since SACLANT and Wartime Collaboration between the US and the Commonwealth had already been dealt with at the UKUSA Conference in their discussions of Appendices P and Q, and the revisions to UKUSA Appendix B had later to be sent to Canada for agreement and incorporation into the corresponding CANUSA Appendix."

Indeed, the tandem-conference experience seems to have been satisfactory to none of the parties. Many tripartite conferences were held among Canada, the United States, and Britain in later years on specific subjects of interest, but the back-to-back UKUSA/CANUKUS conference experiment does not seem to have been repeated.

Subsequent revisions of Appendix B in 1955, 1956, and 1959 were decided by the United States and Britain. Formal or informal consultations on these revisions were sometimes held with Canada ahead of time, but the British position against direct Canadian participation held firm: "Mr. Southam in December 1958 and Mr. Starnes in March/April 1959 took up again the Canadian desire to make Appendix B tripartite; but to no avail, since the British authorities were resolutely opposed to 'triparticity'."

Wednesday, December 23, 2020

First NSIRA annual report released

The first annual report of the National Security and Intelligence Review Agency (NSIRA) was released on December 11th. In many ways the new agency is off to a promising start. But when it comes to information on CSE, the report is a disappointment.

NSIRA was created in 2019, when the National Security Act, 2017 (Bill C-59) was finally done crawling its way through parliament. The new agency took over the duties of the existing watchdog agencies for CSE and CSIS, the Office of the CSE Commissioner (OCSEC) and the Security Intelligence Review Committee (SIRC), but with an expanded mandate that includes examination of the reasonableness and necessity as well as the legality of their activities. It was also given the job of reviewing the other security and intelligence activities across the government of Canada.

The report covers NSIRA's activities during the six months from its July 2019 creation to the end of 2019. Normally we should expect to see NSIRA's annual report sometime in the first half of the year that follows, but since the agency was still in the process of establishing itself and hiring staff, and had to do all that in the middle of a pandemic, it's unsurprising that this first report was delayed to December.

In keeping with the purpose of this site, I'm going to focus primarily on the report's treatment of the Communications Security Establishment. But I'll start with a few comments on the editorial philosophy underlying the report. NSIRA intends to proactively release unclassified versions of each individual review it conducts during the year as soon as they are available, so it is planning to spend less space reporting on those reviews in its annual report and to focus instead on the most significant issues of the year and broad lessons, trends, or themes that may arise. The annual report will also cover other aspects of the agency's operations, such as its complaints investigation function.

This seems like a sound approach to me, and I am especially pleased to see the agency's commitment to the proactive and timely release of the reports on its individual reviews. This has the potential to be a really useful step that, as NSIRA states, could help "to increase transparency and accountability, and to open the door to extensive discussions and debate in the public sphere."

The proof, however, will be in the pudding. This Christmas we got just one pudding, NSIRA’s 2019 Annual Report on the Disclosure of Information under the Security of Canada Information Disclosure Act, which was also released on 11 December.

The value of these releases will depend greatly on the intelligibility of the information provided in them. The need to protect intelligence agency secrets is real, and using a "write-to-release" approach, as NSIRA intends to do, may well be a practical necessity, but NSIRA will have to ensure that the resulting reports are not content-free as well as secret-free. If the end result is the sort of Delphic gibberish that so often characterized the public versions of OCSEC reports, the resulting discussions and debate in the public sphere are unlikely to be any more substantial than they were with OCSEC's reports, which typically were read and sometimes commented upon by me and, um... Hmm. Well, me, at least. Definitely me.

(And to be fair, yes, a few others. There was always a small coterie of the dutiful and the diehard in both academia and the media who could be counted on to read OCSEC's reports, and even, on rare occasions, to write something about one of them. But I doubt any of us disagree about their limited value as a base for public discussion or debate.)

Ultimately, the intelligibility question hinges on the commitment to transparency not just of NSIRA, but of the agencies that NSIRA reviews, as they are the ones who determine what information can be declassified and discussed in public. It was CSE who demanded for years and years that data like the number of Canadians referenced in signals intelligence reports and even words like "metadata", "bulk", "unselected", and "contact chaining" had to remain classified — even when they were already the subject of wide public discussion in other jurisdictions. Through constant pressure OCSEC made considerable progress over the years in expanding the range of what it was permitted to discuss publicly. But if a base for debate was the goal, there was still a long, long way left to go.

What we will need from NSIRA, therefore, is a commitment to engage in an ongoing struggle on this issue. And to consistently keep the public informed.

Happily, it looks like they have already begun to do this. On page 25 of the report we learn that CSE refused to permit NSIRA to reveal the numbers of the various types of ministerial authorizations (MAs) that the agency received under the CSE Act. This is a bad sign for CSE's supposed commitment to greater transparency. (Note to CSE: Invisibility is not the desired end goal of transparency.) But the fact that NSIRA is publicly disputing CSE's position is a very good sign.

Dirty deeds done at government rates

It is also positive that, although it wasn't able to give us the numbers, NSIRA was able to tell us that MAs were indeed signed in 2019 for both active, i.e., offensive, cyber operations (ACO) and defensive cyber operations (DCO). I think this is the first time that fact has been confirmed. CSE's cyber operations powers, which represent a fundamental change in the agency's role, were only granted to CSE in 2019, and knowing the MA numbers would provide some minimal sense of how much CSE is ramping up those activities.

The review agency also notes that it "considers our reviews of ACO/DCO actions to be particularly important. Unlike in the case of CSIS [threat reduction measures], CSE has no statutory obligation to notify NSIRA when it undertakes ACO/DCO activities. NSIRA intends, however, to focus proactively on these activities." The report's endnotes also contain this warning: "Under the governing statutory framework, it ... seems likely that ACO/DCO activities undertaken by CSE must accord with relevant international law." I suspect we'll be hearing more about this issue eventually.

Foreign intelligence and cybersecurity MAs

CSE also refused to permit NSIRA to report the number of foreign intelligence and federal and non-federal cybersecurity MAs granted in 2019. These MAs are also new, but the numbers of similar MAs were reported by OCSEC, NSIRA's predecessor, in each of the prior 6 years. Not any more, says CSE.

[Update 21 February 2021: The Intelligence Commissioner's Annual Report 2019, released in January 2021, gave us the total number of foreign intelligence and cybersecurity authorizations issued in 2019: five. It also told us that four were year-long authorizations and one was for six months only. Which pretty much answers our overall numbers questions. Under the previous system of MAs, there were 3 one-year-long SIGINT MAs and 1 one-year-long cybersecurity MA issued every year. We know from NSIRA's report that there were at least two cybersecurity MAs this time, one for federal government infrastructures and one for the new category of non-federal infrastructures (presumably the six-month authorization), so it looks like the 2019 numbers were three SIGINT MAs, one federal cybersecurity MA, and one non-federal cybersecurity MA. My guess is that the last number, the number of non-federal MAs, could vary by quite a lot from year to year, but the other ones aren't likely to change much. We'll see.]

These MAs are supposed to cover all CSE information collection activities that "might otherwise contravene an act of Parliament or interfere with the reasonable expectation of privacy of a Canadian or any person in Canada." So it is intriguing that the report tells us that NSIRA's future review of CSE collection techniques "will start by focusing on certain collection techniques that are authorized under a ministerial authorization and comparing them to techniques that are authorized through other channels." Just what are these other channels? Is this a reference to "publicly available information" or is there something else squeaking through here somehow? They're not suggesting that intercepts of communications involving persons in Canada that are passed to CSE by allies are exempt from expectations of privacy, are they? I for one will be interested to see what emerges from this investigation.

Missing information

Meanwhile, a whole lot of other items of information previously reported by OCSEC are also missing from this report, notably data on CSE's use of private communications (PCs), i.e. communications with at least one end in Canada.

The missing data includes:
  • The number of recognized PCs retained for possible use under CSE's foreign intelligence program.
  • The number of those PCs used in CSE SIGINT reporting.
  • The number of reports PCs were used in.
  • The number of PCs retained by CSE at the end of the review period.
  • The percentage change in the total number of recognized PCs intercepted by CSE's foreign intelligence program.
  • The number of PCs "with substantive content" used or retained by CSE's cybersecurity program.

Also missing:
  • The number of requests made by Canadian government clients for disclosure of Canadian Identity Information (CII) cited in reports by CSE or Five Eyes partners.
  • The number of requests for CII made by Five Eyes partners.
  • The number of requests made by other states.

The report does tell us the number of privacy incidents added to CSE's Privacy Incidents File in 2019: 123. But it doesn't explain why this is nearly three times as many as the 44 reported in the last OCSEC report. Nor do we get the number in the Second Party [Privacy] Incidents File.

NSIRA does recommend, however, that "CSE should examine the totality of all privacy incidents with the view to identifying systemic trends or areas of weakness in existing policy and/or practice that may reduce privacy incidents." So maybe NSIRA wants to know why the number went up too.

The report also notes that NSIRA warned CSE during its review that one method used to mitigate privacy incidents "did not appear to meet legal and Ministerial Authorization criteria and has the potential to engage section 8 of the Charter." According to the report, CSE decided in November 2019 to "rescind the practice" in question, but NSIRA nonetheless recommended that "CSE should rescind this policy, or obtain a legal opinion on the lawfulness of this practice."

Presumably we will receive updates of CSE's responses to NSIRA recommendations in future annual reports.

OCSEC made a regular practice of doing this (although often in rather vague terms), but in another case where information that used to be reported has for the moment ceased to appear, the NSIRA report fails to follow up on the status of the ten OCSEC recommendations that the last OCSEC report said CSE was working on.

All in all, there's a lot of information about CSE that was provided in the last OCSEC annual report that is not in this successor report.

Unlike the MA situation, in most of these cases, I would assume, this is not because CSE has suddenly insisted on withholding it.

And maybe it's not gone for good. It may be that some of this information will appear during the year as NSIRA releases specific reports about its individual reviews. I certainly hope that's the case.

But it is not at all clear that any more releases (beyond those reviews mentioned in the report) are coming from OCSEC's final year/NSIRA's first year. Nor is it evident that NSIRA intends in future years to continue collecting and reporting the data missing from this report.

So, is NSIRA off to a good start or not?

In many ways I think it is, but with respect to reporting on CSE, the picture is mixed, and it's not possible to be certain at this point.

Update 20 February 2021: Leah West and I discuss the NSIRA report and the recent report of the Intelligence Commissioner with Stephanie Carvin on Episode 148 of the Intrepid Podcast.

Thursday, November 19, 2020

National Cyber Threat Assessment 2020 released

CSE's Cyber Centre released its second report on cyber threats to Canada, National Cyber Threat Assessment 2020, on 18 November 2020. The new report comes two years after the agency's first report on the topic, which I blogged about here.

"Key Judgements" in the report are as follows:
  • "The number of cyber threat actors is rising, and they are becoming more sophisticated. ..."

  • "Cybercrime continues to be the cyber threat that is most likely to affect Canadians and Canadian organizations. ..."

  • "We judge that ransomware directed against Canada will almost certainly continue to target large enterprises and critical infrastructure providers. ..."

  • "While cybercrime is the most likely threat, the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada. ..."

  • "State-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure, such as the supply of electricity, to further their goals. We judge that it is very unlikely, however, that cyber threat actors will intentionally seek to disrupt Canadian critical infrastructure and cause major damage or loss of life in the absence of international hostilities. Nevertheless, cyber threat actors may target critical Canadian organizations to collect information, pre-position for future activities, or as a form of intimidation."

  • "State-sponsored actors will almost certainly continue to conduct commercial espionage against Canadian businesses, academia, and governments to steal Canadian intellectual property and proprietary information. ..."

  • "Online foreign influence campaigns are almost certainly ongoing and not limited to key political events like elections. Online foreign influence activities are a new normal, and adversaries seek to influence domestic events as well as impact international discourse related to current events. We assess that, relative to some other countries, Canadians are lower-priority targets for online foreign influence activity. However, Canada’s media ecosystem is closely intertwined with that of the United States and other allies, which means that when their populations are targeted, Canadians become exposed to online influence as a type of collateral damage."

Most of these judgements seem like fairly common sense—or what would be common sense if there actually were such a thing—and they're not wildly different from most of the ones in the first report.

But there are some interesting changes in detail.

This year's report cites China, Russia, Iran, and North Korea by name. Canada and its Five Eyes partners have been calling out these states increasingly often in the past two years, so it's not especially surprising to see them named here now, but it is still a welcome development to see growing transparency around these issues. Also welcome would be a detailed statement of the government of Canada's views on the legal and ethical bounds on state behaviour in cyberspace, as has long been promised by the department of Global Affairs but has yet to appear.

The report's warning about the threat to Canada's electricity supply and other elements of critical infrastructure is also more detailed than in the past. On page 21 the document specifies that, in the agency's judgement, "state-sponsored actors are very likely attempting to develop the additional cyber capabilities required to disrupt the supply of electricity in Canada."

These activities, and similar ones targeting other aspects of critical infrastructure, pose a very serious threat to Canadians (although it should be recognized, as the report itself emphasizes, that such preparations probably do not imply any imminent intent to attack those systems).

Here I think it would be useful for the Cyber Centre not simply to warn Canadians about such threats, but also to explain what the government is doing and plans to do about them. Protecting the electricity supply is not something the average denizen of this land can contribute to; it's a job for the electricity industry and for the government, working together. But it would be useful for the rest of us to know what the plan is—maybe not in a threat assessment document, but somewhere.

The government does publish general cyber security strategy documents, such as this National Cyber Security Action Plan, every now and then. And the Cyber Centre publishes detailed alerts and guidance about very specific issues, which are of course a crucial part of the service the Centre provides. But if we're going to be told that the electricity supply is potentially at risk it would be nice to know a bit more concrete information about the plan to protect it—and maybe to receive some assurances that prevention, mitigation, and recovery plans are actually being put in place.

At the moment, we don't even know such basic information as the total amount of money the government is spending on cyber security this year, or even the amount the Cyber Centre spends. A figure for the Cyber Centre's spending in the last fiscal year, 2019-20, will presumably be reported soon in the next edition of the Public Accounts, but no information is made available on current spending, or on the amounts envisaged for future years.

[Update 2 December 2020: Actually, it's even worse than that: the "program spending" numbers that would tell us how much CSE spends on cyber security were last reported in the Public Accounts in 2018, covering fiscal year 2017-18. For now at least the breakdown still shows up online in the government's Infobase data, evidently updated sometime around the time the latest Public Accounts come out. But as far as I can tell there is no longer any document that formally reports this data to parliament or the public.]

This, however, is a topic for a different report.

The National Cyber Threat Assessment 2020 is a useful and informative document that is well worth giving a close read.

The plan at the moment is to update it again in two years' time, although officials at the Centre say that timeline could change if circumstances warrant.

In addition to the assessment, the Centre also released an updated version of its companion document, An Introduction to the Cyber Threat Environment, intended to provide "baseline knowledge about the cyber threat environment, including cyber threat actors and their motivations, sophistication, techniques, tools, and the cyber threat surface."

Media coverage:

Alex Boutilier, "Cyber defence agency says hostile states are developing ways to disrupt Canada’s power grid," Toronto Star, 18 November 2020.

Jim Bronskill, "Canada's cybersecurity agency warns of online threats that exploit COVID-19 fears," Canadian Press, 18 November 2020.

David Ljunggren, "‘State-sponsored actors’ could target Canada’s power grid, intelligence agency warns," Reuters, 18 November 2020.

Catharine Tunney, "State-sponsored actors 'very likely' looking to attack electricity supply, says intelligence agency," CBC News, 18 November 2020.

Rachel Aiello, "Cybersecurity agency calls out four countries as the 'greatest strategic threats' to Canada," CTV News, 18 November 2020.

Christopher Nardi, "China, Russia, Iran and North Korea are Canada's 'greatest strategic threat': CSE report," National Post, November 2020.

Marc Montgomery, "Canadian security agency warns of ‘state-sponsored’ cyber threats," Radio Canada International, 19 November 2020.

Also highly recommended: Twitter commentary on the report by Citizen Lab's Chris Parsons.
You can also listen to Chris being interviewed about the report by Leah West for the Intrepid Podcast here.

Thursday, November 12, 2020

Even official historians do it

From Behind the Enigma, the recently released official history of GCHQ by Canadian John Ferris:

"In 2003, the United States cut military cooperation over Canada's opposition to the invasion of Iraq, but not with the Canadian Security Establishment (CSE)."

See also Everyone does it, media edition, Even NSA does it, Part I and Part II, and Even GCHQ does it.

Tuesday, October 20, 2020

Five Eyes Minus One: Thinking the Unthinkable

The following is a brief I wrote to accompany my presentation at the Understanding the Five Eyes Twitter conference hosted by the University of Ottawa's Centre for International Policy Studies on September 30th. (Check the CIPS blog to see the very interesting briefs contributed by the other conference presenters.)

The US National Security Agency (NSA) is by far the largest and best-resourced of the Five Eyes SIGINT partners. The four other members of the partnership, the UK's Government Communications Headquarters (GCHQ), Canada's Communications Security Establishment (CSE), the Australian Signals Directorate (ASD), and New Zealand's Government Communications Security Bureau (GCSB), have always been fiercely protective of their unique relationship with NSA. But there's no guarantee that the Five Eyes relationship will always be there.

What would happen if the US were to withdraw significant SIGINT cooperation or otherwise become an untenable partner? If the other SIGINT partners were to continue working together — call it the Commonwealth SIGINT Organization (CSO) — what capabilities would they have?

Global reach for collection

The impact of such a break would certainly be very large, but the assets and resources available to the CSO agencies would remain substantial.
Such capabilities would include:
  • Radio monitoring sites that provide global intercept and direction-finding capabilities for traditional long-range HF targets.

  • Satellite monitoring sites that provide complete coverage of the geostationary satellite belt. (Only a limited number of satellites can be monitored at any time and not all spot beams can be covered, but this is also true of the Five Eyes as a whole.)

  • Fibre-optic cable access points in the U.K., Oman, and (reportedly) Singapore that provide significant access to global Internet traffic. Arrangements with specific telecommunications carriers almost certainly provide significant additional access.

  • Diplomatic facilities, providing potential locations for intercept operations, operated by one or more CSO members in almost all countries. Not all of these locations are suitable for such activities, and the proportion where they exist is probably quite small, but all four CSO members have active intercept programs from diplomatic facilities. They also monitor foreign diplomatic facilities on their soil.

  • Computer Network Exploitation (CNE) programs operated by all four agencies. Such activities are inherently global in reach. As the spread of encryption makes "data in transit" increasingly difficult to exploit, it is likely that acquisition of "data at rest" continues to grow in importance. At least three of the four agencies also operate offensive cyber operations programs.

Significant resources

Despite differing organizational structures and limited transparency, it is possible (with just a moderate amount of hand-waving) to get a rough sense of the size and budget of the CSO agencies relative to those of the NSA.
These numbers suggest that the CSO's resources might be as much as 1/4 the size of those of NSA. (Note, however, that significant US SIGINT capabilities provided by other agencies, most notably CIA SIGINT activities and NRO-funded SIGINT satellites, are not included here.)

Statistics on SIGINT report production by these agencies in 2011-12, while also incomplete, suggest a combined CSO output on the order of 1/5 of the US output (~30,000 from the CSO agencies vs ~150,000 by the US), which is broadly consistent with the resource picture above.

In combination, these CSO capabilities would exceed the national SIGINT efforts of all but the US, China and Russia, and would likely surpass China and Russia in at least some respects (e.g. geographical reach).

Post-break relationship with NSA

The effectiveness of the CSO would also depend on the nature of its post-break relationship with the NSA.
  • A complete cessation of cooperation would be challenging, as it would entail the loss of all access to US collection assets, acquired data, reporting, technology, and expertise.

  • Even more challenging would be a hostile break featuring not only a termination of cooperation but an actively adversarial relationship going forward. This is probably the least likely scenario, however, and would probably occur only in the context of a much more general break in relations with the US, with the resulting economic and security concerns dwarfing those related to intelligence cooperation.

  • More likely, perhaps, would be the replacement of the existing partnership by a more limited, transactional relationship similar to those between NSA and Third-Party countries. In this case, the CSO agencies would have much to offer—not only continued access to some or all CSO resources and output but also continued hosting of two of the three mission ground stations for US high-altitude SIGINT satellites—and the partnership might expect to retain access to NSA resources and outputs at levels comparable to those provided by the CSO.

CSO relationship with Third Parties

To bolster its reach and capabilities, the CSO would likely seek to maintain or extend its Third-Party relations with capable partners such as France, Germany, the Netherlands, other members of the Maximator Group, and/or other potential partners such as Japan and India.
However, few potential partners would be likely to risk their existing relationship with NSA, or their country's broader security relationship with the US, to work with the CSO if the US were opposed to that cooperation. The American position would thus be crucial. If the US were in the process of withdrawing cooperation with some or all of those countries as well, many might be keen to deepen ties with the most capable global intelligence partnership available to them.


With a substantial combined workforce with leading-edge skills and long experience in working together, an extensive installed intercept network with global reach and interoperability, sophisticated independent CNE capabilities, and, potentially, the option to expand existing cooperative arrangements with several significant Third-Party SIGINT agencies, the CSO members might be expected to retain a SIGINT capability surpassed only by those of the US and (in at least some measures) China and Russia. Their combined potential would be even more significant if, to continue benefitting from CSO capabilities, NSA retained some form of Third-Party relationship with its former partners following the break.