Monday, June 11, 2018

Exploring the wreck of the OCSEC-2017

The Office of the CSE Commissioner, CSE's soon to be replaced watchdog agency, released its 2016-17 Annual Report back in August 2017. As is traditional, it almost immediately sank from sight and was lost to all human ken. Nearly a year later, I guess it's about time I mounted my annual expedition to see if there's anything worth salvaging from it. With luck, I might manage to raise a few items before the 2017-18 report is launched.

Unlike the 2015-16 report, this report did receive a modicum of media coverage in the immediate wake of its release, specifically on the issue of information-sharing with allies. (See Justin Ling, "Canada still hasn’t developed new rules for intelligence sharing with U.S. and allies," Vice News, 24 August 2017 and Alison Crawford, "Canada's electronic spy agency to get new rules for sharing data with allies," CBC News, 29 August 2017.) But I'm willing to bet there's still lots of material worth examining lying in the forgotten hulk.

So let's get this expedition underway.

Use/retention of private communications up 25,653%

OK, here's something interesting. According to the CSE Commissioner, in 2015-16 CSE used or retained 3,348 "private communications" that were collected under the agency's foreign intelligence program (see page 39 of the report).

In Canadian law, a private communication is a communication with at least one end in Canada. CSE's foreign intelligence program is not allowed to "target" Canadians or any person located in Canada, but if a foreign target of the agency who is located outside Canada communicates with someone inside Canada, CSE is permitted to collect that private communication as long as there is a Ministerial Authorization permitting such collection in place (and, rest assured, there is). The 3,348 figure reported by the Commissioner represents only one portion of the total number of private communications collected or otherwise acquired by CSE under the three parts of its mandate, but it's a potentially important indicator of how often Canadians get pulled into CSE's foreign intelligence collection activities.

I've been using highway signs to depict the private communications numbers reported by the Commissioner. In 2012-13 the number was 66 and in 2013-14 it was 17, later revised to 13. Last year it was 342, which was a bit of a challenge but I did find a suitable highway. This year I've had to improvise...

That's a big number. The Commissioner's report comments that the 2015-16 total is "almost 3,000" higher than the previous year total, which seems like an unusual way to put it since the actual difference is 3,006. Maybe the 2014-15 number was revised too. In any case, the two numbers aren't strictly comparable, as the 2014-15 figure refers to a seven-month period, while the 2015-16 figure covers a full twelve months. To get an apples-to-apples comparison, we need to go back two years to the 13 private communications used or retained over the twelve months of 2013-14.

Those figures show that the number of private communications used or retained by CSE's foreign intelligence program jumped by 25,653% between 2013-14 and 2015-16. That's a comma, not a decimal point: Twenty-five thousand six hundred and fifty-three percent.

So, yeah. Quite a big jump.

We do get an explanation of sorts for the change: "The increase in the number of used or retained private communications remains a consequence of the technical characteristics of certain communications technologies, and CSE’s legal obligations to count private communications in a certain manner."

But that doesn't really answer many questions.

In 2016, when this growth trend first became apparent, I speculated that CSE may be collecting an increasing number of communications transmitted by chat applications such as Facebook Messenger. Because each individual comment in such conversations is a separate transmission, it is likely that each would be considered a separate private communication for legal purposes. Thus, a single conversation lasting just a few minutes might contain dozens of private communications. If this is what explains the dramatic jump in the numbers since 2013-14, there may have been little if any actual increase in the number of persons in Canada whose conversations or other communications are being caught in CSE's dragnet.

That would certainly explain the Commissioner's apparent lack of concern about the numbers.

The current report doesn't confirm that theory (or provide any other intelligible explanation), but it does comment that "the current manner in which CSE counts private communications provides a distorted view of the number of Canadians or persons in Canada that are involved in (i.e., are the other end of) CSE interceptions to obtain foreign intelligence under ministerial authorizations."

And the report provides one additional key piece of information: The 533 private communications that were actually used in CSE's foreign intelligence reporting in 2015-16 (as opposed to temporarily retained for possible future use) appeared in a total of just 20 end product reports. This means that on average 26.65 private communications were cited in each one of those reports. Since some reports almost certainly concerned just a single private communication, many of them are likely to have cited 40 or 50 or more.

A little background on SIGINT end product reports might be helpful here. CSE does not produce extended intelligence assessments — it reports SIGINT facts, such as a single key piece of information overheard in an intercepted phone call. CSE analysts don't sit on such intelligence: they disseminate it to their clients in an individual end product report with as little delay as possible. If 20 or 30 or 40 private communications appear in a single end product report, it is because all of those communications were acquired at essentially the same time. And if this is happening routinely, it's almost certainly because the communications systems that CSE has begun to frequently target routinely generate large numbers of private communications at a time.

Which sounds like chat apps to me.

If these numbers do indicate growing collection of chat-related traffic by CSE, it would appear that the increasing use of encryption in those apps has not had the effect of shutting CSE out of that traffic — at least, not as of 2015-16. Are CSE's targets using insecure messaging apps, or versions that have been "enabled" to undermine their security? Are end-point operations, such as implanting malware on target smartphones, being used to bypass encryption? Given the high level of concern expressed by intelligence and security agencies in recent years about the prospects of "going dark", it will be interesting to see if the number of private communications used by CSE drops off in future reports.

I suspect CSE won't be entirely pleased to see this kind of speculation bandied about — even if my specific guesses are completely off base, which they may well be — so let me just suggest to the agency that if you were instead to declassify figures such as the number of individual persons in Canada who appeared in end product reports that year, the number whose identity information was released to clients at least once, and the total number of reports in which private communications were cited, the public would get figures much better suited to monitoring the privacy implications of CSE's operations, those figures would probably be more reassuring than the ones we get now (and if they're not, all the more reason to release them), and CSE's targets would be denied any basis for speculating as to the types of communications being monitored.

On page 4 of his report, the CSE Commissioner makes a direct plea for greater openness by CSE, highlighting "the need to re-examine what information is able to be disclosed to the public in an effort to promote transparency. Transparency has been a cornerstone of my approach as Commissioner. There have been significant strides in this regard in the United Kingdom and in the United States. It is time to do likewise in Canada."

Seems like a good idea to me.

More to come on the report in future posts (I hope).

Monday, June 04, 2018

Canadian Centre for Cyber Security to absorb CSE IT Security program?

It looks like the new Canadian Centre for Cyber Security (CCCS) announced in the 2018 budget (see p. 205) will be absorbing most, probably all, of the IT Security program at CSE.

[Update 12 June 2018: Confirmed. "From CSE, the entire IT Security branch will be transformed to become part of the Cyber Centre."]

Defence Minister Sajjan recently told The Hill Times (Jolson Lim, "Sajjan to unveil 20-year defence spending plan this spring; says active cybersecurity powers from Bill C-59 will be checked," Hill Times, 28 May 2018; subscribers only) that the CCCS will have a staff of about 750: "The cyber centre will unite approximately 750 employees from existing cybersecurity operations units at Public Safety Canada, Shared Services Canada, and the Communications Security Establishment into one organization, as part of CSE."

That's about one and a half times the size of the entire IT Security staff at CSE. The Deputy Chief in charge of IT Security, Scott Jones, recently stated that CSE's ITSEC program has "around 500" employees, although that total would not include ITSEC's share of CSE's policy, administration, and support staff. Add in the (undisclosed number of) employees at Shared Services' Security Operations Centre and Public Safety's Canadian Cyber Incident Response Centre, who are being transferred to CSE to become part of CCCS, and you presumably get somewhat closer to the 750 figure, but substantial new hiring is also likely to be required. The $44.5-million on-going budget boost promised for the CCCS as part of Budget 2018 suggests that as many as 150-200 new employees might be brought on staff.

The U.K.'s National Cyber Security Centre (NCSC) already operates on this model. Created in 2016, the NCSC absorbed GCHQ's existing Communications-Electronics Security Group and merged it with a number of other cyber security organizations from across the U.K. government. Although it has a separate public identity, the NCSC remains an arm of GCHQ.

According to the Defence Minister, the Canadian Centre for Cyber Security will be fully operational by the fall of 2019. Sajjan also stated that the government expects to name the first head of the Centre "this spring", so presumably that announcement is imminent. ITSEC head Scott Jones is the obvious candidate for the job unless he has plans for some other role in the agency or elsewhere.

CSE is currently in the market for a new Chief for the entire agency, but the government hasn't hired from within CSE for that job since Stew Woolner got the position in 1989 so it would be a bit of a surprise if they went that route. Also, although Jones would undoubtedly be well qualified for the job of Chief, Acting Chief Shelly Bruce would likely be the first choice if agency employees were actually in the running.

All in all, I'd be surprised if Jones is not chosen to head the CCCS. Presumably we'll hear soon.

And maybe we'll learn more about plans for the CCCS when the government finally unveils its promised National Cyber Security Strategy.

Update 12 June 2018: Yup, Jones will be the head of the new centre.

Monday, April 16, 2018

And still darker: CSE stops reporting budget breakdown

The Main Estimates for fiscal year 2018-2019 were tabled today in parliament and — surprise! — CSE reported even less information than it has in the past.

Instead of providing a breakdown of its spending showing the amounts allotted to the Signals Intelligence (SIGINT) program and the Information Technology Security (ITSEC) program, as it has done every previous year since 2012, this year the agency is providing only a single overall figure, with a paraphrase of the agency's motto, "Protect and Provide Information", offered in lieu of any actual explanation. Maybe we should be grateful that at least it wasn't provided in the original Latin.

In correspondence with me, after the original version of this article was posted, CSE said that the reduction in data was prompted by a change in the way the Treasury Board wants to organize this kind of reporting. To demonstrate their continued openness they tweeted the figures for 2018-19: $407,399,615 for the SIGINT program and $217,494,338 for the ITSEC program.

I commend CSE for doing that, but I still think the change is highly regrettable.

According to the agency, in the future the only routine public reporting of these numbers will be through the government's online data portal INFOBASE, where they will appear only sometime after the end of the relevant fiscal year. They will no longer appear in either the Estimates or the Public Accounts, or presumably in any other form of published paper documentation.

Posting out of date numbers on INFOBASE is certainly better than nothing, especially for people like me who study the history of the agency over a timeframe of decades.

But it is not good for people interested in current policy and plans. If you want to know how much the government proposes to spend in a particular year on Canada's cybersecurity, for example, or even whether that spending will be going up or down, you could very well be out of luck.

And that includes the MPs who will be voting to provide those funds, unless they elicit the numbers from CSE in committee testimony or otherwise. CSE promises that it will be providing those numbers to the committee that examines the Estimates. But even if that does happen every year without fail, it is no substitute for publishing them in a formal document available to all.

So, call it inadvertent or incidental, but this is a backward step, away from transparency.

CSE has repeatedly promised in recent years to increase the level of transparency about its operations, and it has been somewhat more open in certain ways.

But it has a long way to go to get back to the level of transparency that existed in 2011, and this is a step in the wrong direction.

Let's review some of the backward steps since 2011.

The last time CSE appeared in the Department of National Defence's Report on Plans and Priorities was in June 2011. A supplementary document called Section IV: Other Items of Interest contained an entire section on CSE. That document has been memory-holed entirely from the government's website, but I saved a copy back then, so you can read CSE's section here.

In that Golden Age of Transparency, CSE reported not only its 2011-12 total budget, but also a breakdown of its budget into Salary and Personnel; Operating and Maintenance; and Capital spending. It also provided projections of all those figures for the following two fiscal years, 2012-13 and 2013-14.

It also provided a list of the key government intelligence priorities that CSE would attempt to cover during the coming fiscal year and a description of some of the initiatives planned for that year, notably occupation of the building that became Pod 1 of CSE's new headquarters complex and the start of construction of the remainder of the complex.

Finally, the section reported the number of civilian full-time equivalent employees (FTEs) the agency would have in 2011-12 and projected numbers for the two following years (although to be fair the latter numbers, which were identical to the 2011-12 numbers, were probably intended just to be placeholders).

All that ended in November 2011 when CSE became a stand-alone agency. It no longer appears in DND's Report on Plans and Priorities (or Departmental Plan, as it is now known). Nor does it publish its own.

Neither does it publish a Departmental Results Report or an Annual Report (although under Bill C-59 there would be an Annual Report of some kind).

CSE did begin appearing under its own name in the Main Estimates documents beginning in 2012-13.

But almost all of the information that appeared in DND's report was gone. What we were left with was little more than a short boilerplate description of the agency, the overall number for the coming fiscal year only, and — the only new piece of information provided — the spending numbers for the SIGINT program and the ITSEC program. So, one step forward and about ten steps backward.

CSE's public affairs people somehow managed to call this "enhanced" reporting. I suppose that's what public affairs people get paid to do, but for an agency that wants Canadians to take a lot of what they say on trust, this was not their finest hour.

Among the information that was no longer reported was the number of FTEs, but that loss at least was mitigated by the fact that CSE's staff numbers were still being reported on a monthly basis by the Treasury Board Secretariat.

But then that ended in February 2016.

I don't think that change, which affected reporting on staff numbers at all government departments and agencies, was prompted by CSE, and when I had a chance in November 2016 to ask Dom Rochon, CSE's Deputy Chief, Policy and Communications, whether CSE would consider publishing the figures itself, he seemed open to the idea. But it hasn't happened.

So that went dark too.

(To be fair, out of date annual figures are available on INFOBASE.)

And now we're losing formal, and timely, publication of the SIGINT/ITSEC breakdown.

As one who has often seen important information posted and then later removed from government websites, I find its promised publication after the fact in online form, while much better than nothing, far from entirely reassuring. If MPs insist on getting the numbers on the record at the beginning of every fiscal year at committee that will help a great deal.

But it would be better, and much more reliable, to simply publish them as before. Is this really so hard to do?

[This post was updated on 18 April 2018 in light of the information provided by CSE.]

Monday, April 09, 2018

The hunt for GHOSTHUNTER

In September 2016, The Intercept published this image taken by a U.S. photoreconnaissance satellite of an unidentified city. An ellipse overlaid on the image showed the estimated location of a target Very Small Aperture Terminal (VSAT) satellite dish as determined by the GHOSTHUNTER program. (You can read more about GHOSTHUNTER in The Intercept's article: Ryan Gallagher, "Inside Menwith Hill: The NSA’s British Base at the Heart of U.S. Targeted Killing," The Intercept, 6 September 2016).

A couple of days ago I decided it might be interesting to determine exactly where that city is. Knowing its location might enable us to discover which satellite — probably one of the massive ORION satellites in geosynchronous orbit — had produced the VSAT location estimate, and it would also enable us to make an accurate measurement of the ellipse. The location might also provide some insight into the kinds of targets these capabilities were being used against.

But how to identify the city? My first thought was to use the shadows in the image. The exact date and time the image was taken (28 January 2009 at 05:16Z, with Z meaning Greenwich Mean Time) is shown on the image, and so is a north arrow. I figured measuring the direction of the shadows should enable me to determine a more or less north-south line on the globe along which the city ought to be located. The tricky part is that the satellite photo was taken from an angle (which means, for example, that the streets don't intersect at right angles in the image, even though it seems likely that they do in real life), making it difficult to measure the angle of the shadows accurately.

Skewing the image to make the street layout rectangular produced the image shown above, from which I determined the direction of the sun to be around 126.5 degrees, probably plus or minus at least a couple of degrees because of the imprecision of the whole process.

That measurement in turn produced an estimated line of location that extended along the western shores of the Caspian Sea down through Azerbaijan and western Iran and across the eastern part of the Arabian peninsula, curving a bit to the east as it proceeded southwards.

That seemed like a pretty good place to start, so I fired up Google Earth and had a look.

Sadly, nothing I could find looked like the city in the photo. In fact, none of the cities near my search line featured architecture remotely resembling that in the image, with its numerous open courtyards and long sections of roof constructed of multiple vaults in series. Clearly something was off.

So on to Plan B: Widen the search area and find the cities with that kind of architecture.

I did find similar-looking vaulted roofs in parts of eastern Iran. But there was still no city that really resembled the target.

Herat, in Afghanistan, however, was another matter. Although still not the right city, it was much, much closer to the right style. So it was time to take a closer look at Afghanistan.

Home, home in Zaranj

A point-by-point search of small cities in western Afghanistan led eventually to Zaranj, in the southwestern part of the country just a couple of kilometres from the border with Iran.

Here you can see the spy satellite image overlaid on the Google Earth image. It's a match!

...about 1000 km to the east of my initial line of search. So, what went wrong with the shadow method? It turns out the spy satellite image was not only skewed, it was also stretched along the east-west axis. As can be seen in the formerly circular logos in this version, the image had to be compressed to match the underlying Google Earth photo. That changes the angle of the shadows, which now indicate the direction of the sun to be about 135 degrees, not 126.5. A search along the line determined by that information, through western Afghanistan and Pakistan's Balochistan province, would have sped things up considerably. But I don't see any way to have determined the necessary correction ahead of time.
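The shadow method described above, worked through as an added example (not the author's own calculation or code): it computes the sun's azimuth from low-precision almanac formulas for the image timestamp and traces, latitude by latitude, the longitude at which the sun stood at 126.5 degrees and at 135 degrees. The Zaranj coordinates, the longitude search window and all function names are assumptions made for this illustration.

```python
import math
from datetime import datetime, timezone

# Image timestamp given on the page: 28 January 2009 at 05:16Z.
IMAGE_TIME = datetime(2009, 1, 28, 5, 16, tzinfo=timezone.utc)

# Assumption (not from the page): approximate coordinates of Zaranj.
ZARANJ_LAT, ZARANJ_LON = 30.96, 61.86


def sun_ra_dec_gmst(when):
    """Return the sun's right ascension, declination and GMST, in degrees.

    Low-precision almanac formulas, good to a small fraction of a degree,
    which is far finer than a shadow angle can be measured on an image.
    """
    d = when.timestamp() / 86400.0 + 2440587.5 - 2451545.0  # days since J2000
    g = math.radians((357.528 + 0.9856003 * d) % 360.0)     # mean anomaly
    lam = math.radians((280.460 + 0.9856474 * d              # ecliptic longitude
                        + 1.915 * math.sin(g)
                        + 0.020 * math.sin(2 * g)) % 360.0)
    eps = math.radians(23.439 - 0.0000004 * d)               # obliquity
    ra = math.degrees(math.atan2(math.cos(eps) * math.sin(lam),
                                 math.cos(lam))) % 360.0
    dec = math.degrees(math.asin(math.sin(eps) * math.sin(lam)))
    gmst = ((18.697374558 + 24.06570982441908 * d) % 24.0) * 15.0
    return ra, dec, gmst


def sun_azimuth_elevation(lat, lon, when=IMAGE_TIME):
    """Azimuth (degrees clockwise from north) and elevation of the sun."""
    ra, dec, gmst = sun_ra_dec_gmst(when)
    h = math.radians(gmst + lon - ra)            # local hour angle
    phi, delta = math.radians(lat), math.radians(dec)
    az = math.degrees(math.atan2(
        math.sin(h),
        math.cos(h) * math.sin(phi) - math.tan(delta) * math.cos(phi))) + 180.0
    el = math.degrees(math.asin(
        math.sin(phi) * math.sin(delta)
        + math.cos(phi) * math.cos(delta) * math.cos(h)))
    return az % 360.0, el


def longitude_for_azimuth(target_az, lat, when=IMAGE_TIME, lo=30.0, hi=80.0):
    """Bisect for the longitude where the sun's azimuth equals target_az.

    At a fixed instant and a northern mid-latitude, azimuth increases
    steadily from west to east across the morning side, so bisection works.
    The 30E-80E window is an assumption that brackets the region discussed.
    """
    def error(lon):
        return sun_azimuth_elevation(lat, lon, when)[0] - target_az

    if error(lo) > 0 or error(hi) < 0:
        raise ValueError("target azimuth is not bracketed by the search window")
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if error(mid) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def line_of_position(target_az, latitudes, when=IMAGE_TIME):
    """List of (lat, lon) points where the sun stood at target_az."""
    return [(lat, longitude_for_azimuth(target_az, lat, when))
            for lat in latitudes]


def east_west_offset_km(lat, lon_a, lon_b):
    """Distance along a parallel between two longitudes (spherical Earth)."""
    return abs(lon_b - lon_a) * 111.32 * math.cos(math.radians(lat))


if __name__ == "__main__":
    az, el = sun_azimuth_elevation(ZARANJ_LAT, ZARANJ_LON)
    print(f"Sun at assumed Zaranj position: az {az:.1f}, el {el:.1f}")
    lats = range(25, 41, 3)
    first = line_of_position(126.5, lats)   # measured on the skewed image
    second = line_of_position(135.0, lats)  # after correcting the stretch
    for (lat, lon_a), (_, lon_b) in zip(first, second):
        km = east_west_offset_km(lat, lon_a, lon_b)
        print(f"lat {lat:2d}N  126.5 deg -> {lon_a:5.1f}E   "
              f"135 deg -> {lon_b:5.1f}E   offset {km:5.0f} km")
```

An error of a few degrees in the measured shadow direction moves the search line by several degrees of longitude, which is why the uncorrected stretch in the image sent the search so far west.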

Anyway, we now have a spy satellite photo newly identified to be of Zaranj.

Perhaps unsurprisingly, Zaranj turns out to be the kind of burg where a lot of activity that might be of interest to intelligence agencies takes place. This 2012 article, titled "The Scariest Little Corner of the World" (Luke Mogelson, New York Times Magazine, 18 October 2012), takes a fascinating look at the city and the region around it. Between the Hazaras, Tajiks, Pashtuns, Uzbeks, Afghan Baluchis, other Afghans, Pakistani Baluchis, other Pakistanis, Iranian Baluchis, other Iranians, Indians, Americans, other NATO forces, and, going back a ways, the Soviets, a lot has been going on. I won't even try to summarize it all here.

Analysis of the ellipse

As noted above, the ellipse on the photo shows the estimated location of a VSAT satellite dish that the NSA or other SIGINT agencies were monitoring and wanted to geolocate. Several candidate dishes that were found within the ellipse are highlighted, but it is not clear whether any of these dishes were singled out as probably being the target dish.

The long axis of the ellipse is oriented towards the southeast at an angle of about 134 degrees, which is quite close to the direction of the sun at the time the photo was taken, but that's just a coincidence. What is probably not a coincidence is that it also points pretty much exactly in the direction of the U.S. ORION 2 geosynchronous SIGINT satellite.

[Update 11 April 2018: Actually, it probably is a coincidence. As Marco Langbroek helpfully pointed out, the ellipse probably represents the location estimated by monitoring the VSAT dish from two SIGINT satellites at the same time, which means it very likely doesn't point in the direction of either one of them. As he noted, this document confirms that two satellites are used when making such estimates. So, sadly, it may not be possible to determine precisely which of the geosynchronous SIGINT satellites were involved in this case.

But Marco was able to identify the photoreconnaissance satellite involved: "I could positively identify the optical reconnaissance satellite that made the photographic image as USA 129 (1996-072A), a classified KH-11 "Keyhole" electro-optical reconnaissance satellite that made a pass over Zaranj at the given date and time based on amateur tracking data." Thanks, Marco!]

The size of the resulting ellipse will vary in each particular case according to the geometry of the intercepts and other factors, but this example gives an indication of how precisely SIGINT satellites can geolocate a transmitting VSAT dish. As measured in Google Earth, the ellipse is around 207 metres wide by 465 metres long, and thus covers an area of about 75,600 square metres, roughly seven and a half hectares. The data box attached to the ellipse originally provided a figure, redacted by The Intercept, for CEP, which is an abbreviation for circular error probable. This probably means that the ellipse depicts the area within which the dish was estimated to have a 50% chance of being located.

That's pretty impressive precision when you consider that these satellites orbit at an altitude of nearly 36,000 km and the slant range to their targets is even greater.

There may be other details that can be learned from a close examination of this image, but those are the obvious ones that come to my mind. Suggestions for other points [and other corrections] would be welcomed.

Nearly half a century after the first geosynchronous SIGINT satellite was launched (CANYON 1 on 6 August 1968), it's nice to learn a little bit more about how they operate.

Sunday, March 11, 2018

INMARSAT monitored at Gander

This map, taken from an NSA document recently published by The Intercept, shows the footprints of the fourth generation INMARSAT satellites, which provide telephone and data services primarily to mobile users (ships, aircraft, and handheld satellite phone users). The map also shows 28 ground locations, evidently depicting the sites where the Five Eyes partners monitor the key spot beams serving regions of interest to those agencies. One of those locations corresponds to CFB Gander, the home of CFS Leitrim Detachment Gander, a Canadian SIGINT site known primarily for its huge FRD-10 antenna array. The Gander detachment is remotely operated from Leitrim, which presumably processes the INMARSAT traffic collected at Gander.

The document is undated, but it was probably produced around 2011 ± 2 years, i.e., after the launch of the three satellites whose footprints are shown on the map but before the next generation of satellites began to join them in orbit.

The 28 ground sites are unlabeled, but it is clear that they are not intended to represent INMARSAT users, who are predominately to be found in ocean areas (at sea or in the air) and in remote, poorly serviced land areas. Instead, they correspond to known Five Eyes SIGINT collection sites, either long-standing intercept stations or known locations of monitoring facilities hidden in embassies.

The intercept stations are Bude, U.K.; Cyprus; Hawaii; Misawa, Japan; Shoal Bay, Australia; Sugar Grove, West Virginia; Waihopai, New Zealand; Yakima, Washington; and Gander. (Sugar Grove and Yakima have since closed, but they were active at the time this map seems to have been produced.)

The remaining 19 locations are all in non-Five Eyes capital cities that are known to host or to have hosted intercept facilities: Algiers, Algeria; Baghdad, Iraq; Bangkok, Thailand; Beijing, China; Bogota, Colombia; Brasilia, Brazil; Caracas, Venezuela; Islamabad, Pakistan; Kinshasa, D.R. Congo; Lusaka, Zambia; Madrid, Spain; Managua, Nicaragua; Manila, Philippines; Mexico City, Mexico; Monrovia, Liberia; Moscow, Russia; Nairobi, Kenya; New Delhi, India; and Port Moresby, Papua New Guinea.

This map of monitoring facilities operated by the Special Collection Service in U.S. diplomatic sites shows that in 2010 the U.S. was present in all but one of these locations, Port Moresby. (One other site, Monrovia, was listed as dormant at that time.) Port Moresby is reported to host an ASD listening post in the Australian High Commission, so in that case the INMARSAT monitoring is probably conducted from that location. Some of the other capital cities shown on the map also host non-U.S. sites in addition to SCS sites, so it is possible that INMARSAT monitoring is conducted by other Five Eyes parties in some of those locations as well.

It is, I think, entirely unsurprising to find evidence that Canada is involved in INMARSAT monitoring. I suspect we've been at it since the 1990s, or even the 1980s, probably using antennas at Leitrim and possibly other locations as well as Gander. INMARSAT communications monitored from Gander probably pertain mainly to the region off Canada's East Coast, and to the Western North Atlantic more generally, where activities such as human and narcotics smuggling and illegal fishing would be considered important targets for intelligence collection.

Wednesday, March 07, 2018

Privacy Commissioner also calls for changes to Bill C-59

Privacy Commissioner Daniel Therrien has also called for changes to Bill C-59.

In a letter dated 5 March 2018, Therrien recommended 11 amendments to the bill, including two pertaining specifically to the CSE Act's provisions on the acquisition and use of "publicly available information":

"RECOMMENDATION 10: That section 24 [of the CSE Act] be amended to add a limit to the activities listed in 24(1) namely: the measures shall be reasonable and proportional in the circumstances, having regard to the reasonable foreseeable effects on Canadians and people in Canada including on their right to privacy"; and

"RECOMMENDATION 11: That the definition of “publicly available information” in section 2 of Part 3 be amended to specify that information is published or broadcast lawfully, and that information obtained through purchase or subscription was legally obtained or created by the vendor."

Explanations for these recommendations can be found in the Commissioner's letter.

Commissioner Therrien also expressed his support for one of the recommendations made by the CSE Commissioner in January:

"We note that, in his brief provided to the Committee on December 6, 2017, the Commissioner for CSE recommended that the Intelligence Commissioner 'should approve the active cyber operations in addition to the defensive cyber operations that are authorized by the Minister pursuant to subsections 30(1) and 31(1) of the proposed Communications Security Establishment Act.' We agree with this recommendation, as it addresses a gap in the Intelligence Commissioner's authority to approve activities under all CSE mandates."

News coverage:

Alex Boutilier, "Ottawa’s privacy watchdog wants limits on spies’ information collecting powers," Toronto Star, 8 March 2018.

Wednesday, February 28, 2018

CSE wins big in 2018 budget

The 2018 budget, tabled by the Finance Minister on February 27th, promises some big spending boosts for the Communications Security Establishment over the next five years, with additional money pledged for both the IT Security and the SIGINT programs.

For starters, the government is promising to spend $507.7 million over the next five years, and $108.8 million per year thereafter, to fund a new National Cyber Security Strategy (NCSS). $155.2 million of that sum, and $44.5 million per year ongoing, will be provided to CSE to create a new Canadian Centre for Cyber Security (see pages 203-205):

"By consolidating operational cyber expertise from across the federal government under one roof, the new Canadian Centre for Cyber Security will establish a single, unified Government of Canada source of unique expert advice, guidance, services and support on cyber security operational matters, providing Canadian citizens and businesses with a clear and trusted place to turn to for cyber security advice. In order to establish the Canadian Centre for Cyber Security, the Government will introduce legislation to allow various Government cyber security functions to consolidate into the new Centre. Federal responsibility to investigate potential criminal activities will remain with the RCMP."

To carry out its responsibilities, the RCMP will get a new National Cybercrime Coordination Unit funded to the tune of $116.0 million over five years, and $23.2 million per year after that.

The rest of the NCSS money, $236.5 million over five years and $41.2 million per year after that, will go "to further support Canada’s new National Cyber Security Strategy." At the moment, however, it appears that none of that additional money will flow CSE's way.

Even more money will be provided to "modernize/enhance the Government’s digital services" (see page 206): "$2.2 billion over six years, starting in 2018–19, with $349.8 million per year thereafter, [will be spent] to improve the management and provision of IT services and infrastructure within the Government of Canada, and to support related cyber security measures." Most of that cash will be going to Shared Services Canada, but an unspecified portion of it is promised to CSE.

[Update 28 February 2018: According to the Defence Minister's office, CSE will receive a total of $16 million over six years from this funding.]

Meanwhile, new money is also promised to the SIGINT program (see page 208): "In order to keep pace with rapid technological change that can challenge its ability to effectively collect foreign signals intelligence, the Government proposes to provide the Communications Security Establishment $225 million over four years, starting in 2020–21, and $62.1 million ongoing, to ensure this capability is preserved."

If these promised budget boosts are fully implemented, the new IT Security and SIGINT money will eventually total an extra $106.6 million a year for CSE, plus whatever money comes from the digital services initiative and any additional National Cyber Security Strategy money that ends up in CSE's coffers. [The information I received from the Minister's office indicates that these amounts will be minimal.] If no other changes are made to CSE's budget in the interim, this would represent an increase of about 18%—large, but not quite on the scale of the increase (25%) the agency received in the immediate wake of 9/11.

Even at 18%, it is likely that the new funding will mean significant new growth in CSE's staff. Currently at about 2300 employees, the agency could eventually grow to 2700 or even more, although it is possible that a significant number of those bodies might end up working for contractors instead and thus wouldn't appear on the employee rolls. The SIGINT side alone could easily expand by 300 people, which would enable development of a significant Computer Network Attack capability as well as support growth of more traditional intelligence-gathering activities.

These are pretty big numbers.

For now, however, most of the money exists only in the political fantasyland of distant budget-year promises. We probably won't even know what all of this means for the fiscal year about to start until the 2018-19 Main Estimates are released, which, according to this new thing called Interim Estimates, could be as late as mid-April. Stay tuned for that.

The government's decision to dedicate significant additional resources to national cyber security and to concentrate that effort in one organization, much as the British and some of our other allies have done, is a good one, I think. As to whether it will be sufficient to address the threat, I have no idea. I assume we'll get some more details of what precisely is proposed whenever the National Cyber Security Strategy itself is released.

I'm undecided on the question of whether CSE should be the agency where the national cyber security effort is concentrated. CSE certainly has most of the expertise on this subject now, and to the extent that cyber security draws on intelligence-gathering efforts to detect, attribute, and counter such activities, its involvement may be essential. But CSE's other mandates also pull it in the opposite direction, away, for example, from initiatives that might have the effect of making cyberspace as a whole a more secure place.

The fact that the same budget is promising to boost the SIGINT program—so as to preserve and/or increase Canada's ability to conduct its own Computer Network Exploitation and Attack operations—throws this whole aspect into rather stark relief. Intelligence-gathering is certainly valuable. The net benefits of CNA I'm less convinced about.

But whether those various imperatives are best balanced within a single agency or among two or even three agencies at the Cabinet/PCO level is, I think, a serious question that we seem at the moment to be answering by default.

News coverage:

Alex Boutilier, "Liberals pitch $500 million cyber security plan," Toronto Star, 27 February 2018.

Murray Brewster, "Federal budget shores up cyber defences but is silent on new jets and warships," CBC News, 27 February 2018.

Carl Meyer, "Budget targets 'increasingly sophisticated' cyber attacks on government," National Observer, 27 February 2018.

Jim Bronskill & Lee Berthiaume, "New federal cybersecurity strategy follows 'overlap, lack of clarity'," Canadian Press, 28 February 2018.