Saturday, July 11, 2020

Filling in the blanks: Ministerial Authorizations

In this blog post I'm going to try to identify the subject of the three Ministerial Authorizations (MAs) that CSE has used in recent years to enable its SIGINT program to operate.

Since the passage of Bill C-36 in 2001 gave CSE its first statutory mandate, the agency has used MAs to ensure that its SIGINT (and cyber defence activities) can incidentally intercept "private communications" without breaking the law. (For the purposes of the Criminal Code, private communications are communications that begin and/or end in Canada for which a reasonable expectation of privacy exists. Phone calls, e-mails, and text messages with at least one end in Canada are all examples of private communications.) The passage of Bill C-59 in 2019 altered the details of this regime, but its fundamentals remain the same: ministerial authorizations, now called Foreign Intelligence Authorizations and Cybersecurity Authorizations, remain necessary to enable CSE to operate legally.

These MAs have a duration of one year, after which they are renewed or replaced by a new MA. In 2011-12, CSE operated with eight MAs, six to cover SIGINT activities and two to cover cybersecurity activities. Since December 2012, however, CSE has obtained just four MAs per year, three for SIGINT and one for cybersecurity.

What the numbers are now under the new C-59 regime remains to be revealed.

My guess is that the number of Cybersecurity authorizations will increase. The number of SIGINT/Foreign Intelligence authorizations could also do so, but I'm less confident of that. The three SIGINT MAs that CSE standardized on in 2012 already covered every CSE collection activity that might risk the acquisition of a private communication, and it's possible that the Foreign Intelligence MAs will essentially be reflagged versions of those previous MAs. But the new authorizations are potentially broader, as they cover "any activity specified in the authorization in the furtherance of the foreign intelligence aspect of [CSE's] mandate." This includes all acquisition of information for the foreign intelligence program, other than publicly available information for which no reasonable expectation of privacy exists, whether or not private communications are potentially in play. So maybe we'll see more than three.

Presumably we'll find that out whenever the first public report of the new Office of the Intelligence Commissioner appears. CSE could easily have reported the numbers itself in its recent annual report, but that's just not the way the agency rolls.

Anyway. Back to the topic at hand.

CSE does a lot of different kinds of SIGINT collection activity, both directly and through the Canadian Forces Information Operations Group (CFIOG), so it's worth considering how the agency has managed to shoehorn all that stuff into just three annual SIGINT MAs since 2012.

The short answer is that the MAs cover classes of activities rather than individual collection programs.

Unfortunately, all information concerning how those classes are defined has always been withheld by the agency. See, for example, this memo discussing the switch from eight to four MAs in 2012.

Back in 2015 I concluded that one of those MAs was focused on the agency's Computer Network Exploitation (CNE) program, as I explained here.

But I was less sure about the other two SIGINT MAs, speculating that they might be divided between traditional circuit-switched communications, like telephone landlines, and the packet-switched communications used on the Internet.

I now think that was wrong. I recently reviewed this 2013 document and had an epiphany.

See how the telecommunications data collected by CSE is broken down into three broad sources? Computer-based sources—accessible through CNE activities—and two others?

Here's what I think CSE's three SIGINT MAs may be.

The first MA—Radio Frequency Collection—pertains to traffic transmitted through the air (e.g., satellite beams, HF/VHF/UHF or microwave radio traffic, cell phones, etc), which can therefore be collected using antennas, and the second—Cable Access Collection—pertains to traffic transmitted through cable systems, which thus requires hardware or software implants, physical intercept points, or the cooperation of telecommunications carriers for its collection. The third, as I thought before, pertains to CNE activities.

Now, I don't know for certain that these guesses are correct.

But I'm pretty confident that they are, although the wording I chose may or may not be quite right.

And I'm also confident that if CSE were to reveal that those categories are indeed the ones that define its SIGINT MAs, that information would reveal precisely nothing about CSE's sources and methods that the agency's targets don't already either know for a fact or at least take as a given.

Thursday, July 09, 2020

More on the Annual Report

A couple of additional comments on CSE's recent Annual Report (previous comments here):

Among the handful of new things the report tells us is that CSE recently adopted a new five-year plan, CSE 2025, which "lays out CSE’s five-year strategic horizon to guide investments and operations in a way that directs our focus on delivering national-level results and mitigating national-level risks."

Unfortunately, the explanatory sentences that follow explain nothing, other than that CSE intends to pursue the elements of its mandate over the next five years.

Seems like a sound plan.

But they do introduce some interesting language. Most notably, we are told that one the goals of the agency is to provide an information advantage for Canada’s "security, prosperity and competitiveness".

This is a new formulation in CSE's public messaging, and it must be important to the agency as it appears four times in the text of the report and also as a subhead. It also ends up inserted in the mouth of the minister in the press release introducing the report.

The agency's previous watchwords were security, prosperity, and stability (see, e.g., here and here).

I'm not sure what to make of the fact that competitiveness has displaced stability on the agency's list of lodestars—maybe they took a look at the world and gave up on stability?—but it's striking that two of the three words now refer to economic matters.

Economic issues last moved to the top of CSE's agenda in the 1990s, when the end of the Cold War nullified the agency's prior focus on the Soviet Union. They were displaced in their turn after 9/11 by counter-terrorism and support to military operations. The latter topics surely remain high on CSE's to-do list, but it seems likely they no longer hold the all-important position they once did.

Is the economy moving back to the top of the list?

Another new slogan or vision statement or something appears in CSE Chief Shelly Bruce's introductory message at the beginning of the report: "We are one CSE, known and trusted".

I assess with moderate confidence that this is not intended to be a statement of current fact, so presumably it is a goal, meant to highlight the indivisibility of the SIGINT and cybersecurity sides of the agency (and perhaps the new cyber operations part too?) and set a target for the future. It seems to express a hope that the Cyber Centre will become better known and trusted, and that it won't defect to become its own organization but will instead share the benefits of its growing renown and trustedness with the currently little-known and little-trusted SIGINT side.

I could make some sort of comment here about how in my view the agency is not at all likely to become either better known or more trusted as long as it keeps dispensing PR pablum instead of living up to its professed commitment to transparency, but—well, I guess I just did.

Tuesday, June 30, 2020

First CSE annual report released

CSE released its first annual report, covering fiscal year 2019-2020, on June 29th.

For reasons unknown, but presumably better than simply to be gratuitously irritating, the agency chose not to make the document available in a conveniently downloadable form such as a PDF file, publishing it instead as a series of linked webpages. Until they think better of that decision, for the convenience of the human beings in this world I have cobbled those pages together into this ugly but functional PDF. Hey, I may not be in the public service, but I sometimes act as one.

On to business.

This is the first annual report that CSE has published, and what prompted the agency to act now is that s.59 of the CSE Act, which was enacted into law as part of Bill C-59 in 2019, now makes it a legal requirement.

Unfortunately, the Act does not specify how informative the report has to be, and this is not an informative report.

The introductory comments by CSE Chief Shelly Bruce constitute more than one-quarter of the entire text. The rest of the slightly more than 3000-word document is composed largely of basic background information about the agency that is already available on its website, augmented by some brief coverage of the more public-facing activities of the Canadian Centre for Cyber Security, the IT security part of the agency. In short, it covers all the things you don't need a document like this to find out about.

Yes, there are some tidbits of new information in the report. We learn, for example, that the SIGINT side of the agency "provided foreign intelligence reports to more than 2100 clients in over 25 departments and agencies within the Government of Canada" last year. Previously CSE had only acknowledged providing foreign intelligence reports to more than 2000 clients in 23 departments and agencies.

We also learn that CSE's workforce is now 2900 strong. This is an increase of roughly 350 from the headcount of 2549 at the end of the previous fiscal year and an increase of about 540 over the 2361 total in the year before that.

But you won't find those other numbers in this report. There is no acknowledgement that CSE's staff is growing, let alone any explanation for that growth.

Could the answer be all those new people hired or transferred from other departments when the Cyber Centre was created? No clues in this document.

(But, no, it's not. At least not entirely. According to recent testimony by Scott Jones, the Cyber Centre currently has about 800 employees, which is up around 300 from two years ago. The rest of the growth must be on the SIGINT and maybe cyber operations side of the house. Kudos to MP Matthew Green for eliciting this actually useful bit of information.)

In fact, there is no information whatsoever in the report on either the absolute or the relative size of the cyber security effort within CSE's overall staffing and budget. If we in the public want to know what the government plans to spend on cybersecurity next year, i.e., fiscal year 2021-22, we'd better hope that some MP will also want to find out, will get a chance to ask, and will actually get an answer, because otherwise we won't see that information until well after the fact, when it comes out in the Public Accounts in the fall of 2022.

I was under the impression that cyber security was kind of important these days. Shouldn't we at least have some sense of how much the government plans to spend on it?

The lack of transparency in this regard is actually quite new. CSE used to give us the breakdown between planned SIGINT spending and planned cyber security spending in the annual Estimates documents. But they stopped doing that in 2018. Treasury Board's fault, said CSE. Those folks changed the way info is reported in the Estimates. So, OK, fine, that's on Treasury Board. But nothing stops CSE from putting that data in its annual report. Or, better yet, proactively publishing it on their website as soon as the Estimates come out and then, at the end of the year, repeating it in the report.

Is this not being done because it is now supposed to be a security issue? If so, why is it one now when it wasn't in the recent past?

There was in fact a time, not so many years ago, when the Estimates also included data on planned spending in future years; a breakdown into capital, personnel, and operations and maintenance spending; information about major initiatives; and even a modicum of insight into the government's intelligence priorities. Why not put that in the annual report?

How about some information about how CSE plans to organize itself for and actually implement its new cyber operations mandate? This is the biggest change in CSE's mandate since the agency was founded in 1946, and we get little more than a couple of boilerplate sentences. The only thing new here to my eyes is the slightly unsettling phrase "achieve strategic impact" that is used to describe the purpose of CSE cyber operations. Maybe we'll find out more about that when we start being rocked by the tremors.

Here is a redacted version of one of the actual-content-containing annual reports that CSE gives the Minister of National Defence, as released under the Access to Information Act. Even just publishing a skeletonized remnant of the minister's report like this would be more informative than the brochure now on offer.

One final comparison (hat tip to Steven Chase for reminding me of this): Here is the first annual report of the Australian Signals Directorate, CSE's Five Eyes counterpart in Australia, which was published in 2019. All 126 pages of it. Much of the report is weighted toward the cyber security side, to be sure. There's plenty to criticize. But it also contains detailed financial statements. Workforce statistics. And a promise of more detailed reporting in future editions.

Am I disappointed with CSE's desultory offering?

Well, to end this on a positive note, let's just say it's not the worst thing to happen in 2020.

Update 9 July 2020:

Couple more comments here.

Friday, April 17, 2020

Chapters forthcoming

Over the past couple of years I have been invited to write chapters on CSE for two different books, and both are now scheduled for publication in December of this year.

One of the books is Top Secret Canada: Understanding the Canadian Intelligence and National Security Community, edited by Stephanie Carvin, Thomas Juneau, and Craig Forcese. Published by the University of Toronto Press, Top Secret Canada will be "the first book to offer a comprehensive study of the Canadian intelligence community, its different parts and how it functions as a whole. In taking up this important task, the editors and contributors aim to identify the key players, explain their mandates and functions, and assess how they interact with each other."

"Featuring essays by the country’s foremost experts on law, intelligence, and national security"—and, er, also me—"it will be a go-to resource for those seeking to understand Canada’s intelligence community and the challenges it faces both now and into the future."

I think people will find this book a highly useful resource.

Available for pre-order now.

The other book is Big Data Surveillance and Security Intelligence: The Canadian Case, edited by David Lyon and David Murakami Wood. Published by UBC Press, this book looks at "the profound shift to “big data” practices that security agencies have made in recent years, as the increasing volume of information from social media and open sources challenges traditional ways of gathering intelligence."

My contribution is a bit of an outlier since CSE is not actually a security intelligence agency (although of course it does work closely with CSIS) and my chapter, "From 1967 to 2017: CSE's Transition from the Industrial Age to the Information Age," is much more a "history of the present"—how CSE got where it is today—than a discussion of its current Big Data activities. However, I think it does serve as a reasonable lead-in to another chapter in the book, written by Scott Thompson and David Lyon, that does look at CSE and Big Data.

My brief contribution is in no way a substitute for the comprehensive history of CSE that I think the agency should be contracting with someone other than me to write, but it does contain what I think are some pretty interesting details that haven't been published previously.

Also available for pre-order.

Friday, February 07, 2020

Wark on Canada's Arctic SIGINT mission

An important new article by intelligence historian Wesley Wark tells the story of how Canada's signals intelligence effort came by 1957 to focus almost entirely on the polar basin and the Soviet Arctic, taking the lead on the region for the entire UKUSA community (Wesley Wark, "Favourable geography: Canada’s Arctic signals intelligence mission," Intelligence and National Security, published online 6 February 2020). Wark's article is a must-read for anyone interested in the history of the Canadian signals intelligence effort.

When the Communications Branch of the National Research Council (CBNRC), as CSE was known prior to 1975, was created in 1946, it worked on a variety of minor targets that had been agreed in consultation with its U.K. and U.S. partners, but the Soviet Union was not among them. That changed not long afterwards, but it took a decade for the Soviet north to become the agency's almost exclusive target.

Wark highlights three developments that were necessary to that evolution:
  • Creation of an Arctic intercept capability;
  • Commitment of sufficient resources to CBNRC and the SIGINT program as a whole; and
  • Agreement of the Allies to cede the Arctic mission to Canada.
Each was a struggle, and failure to overcome any one of these challenges "would have doomed the effort." Each is discussed in turn.

(The map above, derived from the one in the article, shows the strategic intercept stations that collected communications in support of CBNRC's SIGINT effort during the post-war period; stations that were used only for radio direction-finding are not shown. See here for the years of operation of the various stations.)

The fact of CBNRC's move to an Arctic focus has been known for some time, but this is the only place where that evolution has been laid out with such clarity and detail, in part because those details have only recently been declassified by the government.

As Wark explains, his account "draws primarily from two recently declassified Canadian narratives," one of which he himself wrote:

(1) Wesley Wark, History of the Canadian Intelligence Community, 1945–1970, Chapter 5, ‘Postwar SIGINT: The Road to the Arctic,’ draft produced for the Privy Council Office, 1998–2002, redacted version obtained through Access to Information (July 2019). Unfortunately eight pages of this chapter (nearly 25%) remain redacted in their entirety while 65% of the 34 pages of this chapter suffer from partial redactions. The history is held by the Privy Council Office, who are responsible for Access decisions.

(2) Kevin O’Neill, History of CBNRC (August 1987), volume I, chapter 5, ‘Interception at Stations,’ redacted version obtained through Access to Information. The history is held by the Communications Security Establishment (CSE).

I made the latter document available for download here. Now, with the gracious agreement of the original Access requestor, Jim Bronskill, I am able to make the former document available as well.

This is the second major contribution that Wark has made in recent months to understanding the history of the Canadian signals intelligence program. The earlier article looked at the CANUSA communications intelligence agreement reached by Canada and the U.S. in 1949. (See Wesley Wark, “The road to CANUSA: how Canadian signals intelligence won its independence and helped create the Five Eyes,” Intelligence and National Security, published online 7 November 2019; mirrored here.)

Now if we could just get him to write the entire history of the agency!

That, however, would require a level of cooperation and transparency by CSE and the broader Canadian intelligence authorities that does not seem to be in the offing. I'd be happy to be proven wrong though.

Wednesday, November 20, 2019

History and its missing contents

It's no secret that the history of intelligence agencies is mostly hidden away in locked cabinets and encrypted data banks.

SIGINT agencies have traditionally been among the most secretive parts of that top-secret world. The darkness shrouding the Second World War SIGINT activities of the countries now known as the Five Eyes began lifting in a significant way only 30 years after the end of that war. Now, 30 years after the end of the Cold War, we are beginning to get a clearer picture of the outlines of SIGINT activities during that era, but huge gaps still remain. And most of the post-9/11 picture is even darker.

The closer we get to examining the present, the more we are forced to rely on information from investigative journalists, leakers, whistleblowers, the cryptic reports of oversight and review bodies, and, erm, researchers of an unusually obsessive nature to shed a glimmer of light on the vast territories of official darkness that swath these agencies.

But this is only a partial and far from satisfactory expedient. Over the longer term to get anywhere near a complete picture we need the agencies themselves to maintain detailed archives and oral history records and to make them available to historians and other researchers in essentially complete and unredacted form.

That, unfortunately, can take many, many decades. We're still waiting to get the full, entirely unredacted picture of the war against Hitler and Tojo. And while there may be little excuse for that, the agencies do have legitimate reasons to remain silent about many aspects of their work. Timidity, inertia, and a lack of resources for declassification also slow the process.

One useful step in the meantime is the production of official agency histories by security-cleared outside historians, often with the assistance of professional in-house staff. This compromise approach provides the historians involved access to complete or near-complete agency records and often to key individuals much earlier than we could otherwise expect.

The trade-off, of course, is that in-house histories are inevitably sanitized, for security purposes at least and for PR purposes at worst, and the picture they present is often distorted — sometimes deliberately — by the absence of still-forbidden topics.

Still, the better examples of such histories can contribute a lot to public and scholarly understanding, and so it's good to see that the Five Eyes SIGINT agencies are starting to step up and participate in such initiatives.

NSA has long had an active official history program that has produced a multitude of studies, including American Cryptology During the Cold War, 1945-1989, Thomas R. Johnson's four-part history of American SIGINT up to the fall of the Berlin Wall, which was written for internal use but later had large portions declassified and released to the public. A wide range of other public or subsequently declassified histories have also been written on specific aspects of the agency's history. A guide to the publicly available versions of these documents and other NSA history resources can be found here.

No other Five Eyes agency has anything on the scale of the NSA's program, but an official history of GCHQ (Behind the Enigma: The Authorised History of GCHQ, Britain’s Secret Cyber Intelligence Agency) is currently in the works in the U.K., with publication originally planned for this year but now expected in October 2020. Written by University of Calgary professor John Ferris, the book is designed for public release.

The Australian Signals Directorate also recently commissioned an official history, to be written by Australian National University professor John Blaxland, who previously wrote the official history of the Australian Security Intelligence Organisation. The ASD history is scheduled for release in 2022, coinciding with the agency's 75th anniversary.

Which leaves just the Communications Security Establishment and New Zealand's Government Communications Security Bureau. GCSB hasn't announced a history project yet, as far as I know.

Where is CSE's history project?

What about CSE?

The agency's own 75th anniversary celebrations will be held in 2021. It would be very interesting to know what CSE has in mind for that milestone. Sadly, as far as I know no kind of substantial history is contemplated for release in time for the celebration — or indeed any time afterwards.

CSE has in recent years augmented the brief explanation of its origins posted on its website with two short faux news reels that highlight artifacts related to its history. These videos are interesting and fun to watch, and I hope the agency makes more of them. But they're really just an exercise in profile-raising, intended perhaps to soften the agency's intimidating image and maybe interest a few people in working there. I don't know what effect they're likely to have on the targets of CSE's recruiting efforts — or if 20-somethings have any idea what a news reel even is — but in any case neither CSE nor anyone else would mistake them for an actual history program.

CSE does have a seven-volume in-house history, History of CBNRC (CSE's original name), that covers the 29 years from 1946 to 1975. But 44 years have passed since 1975, and that document was written by retired senior officials, who although they knew their subject intimately had neither the training nor the objectivity of outside historians.

The closest Canadians have come to getting a professional history was in the late 1990s when the Privy Council Office contracted with professor Wesley Wark, then of the University of Toronto, to write an official history of the Canadian intelligence community. Unfortunately, that project fell apart a few years into the effort when the government decided that the document would not be made public.

If there's any bright spot in the Canadian picture, it is that the record on releasing intelligence-related documents in response to Access to Information requests has very gradually been improving, moving from absolutely abysmal in the early years to somewhere between terrible and occasionally useful, although still ridiculously slow and with an appeals process that has now essentially collapsed.

On the useful end of the spectrum, a significant portion of the History of CBNRC has been declassified and released to the public in recent years, still suffering from large redacted sections (including one entire volume) but far more complete than the skeletonized version released in the 1990s. Significant parts of the draft version of Wark's history also have been declassified and released, although again with very significant redactions.

Among other results, these recent releases have enabled Wark to write a fascinating and detailed account, published earlier this month, of the negotiations leading up to the CANUSA communications intelligence agreement reached by the U.S. and Canada in 1949. (See Wesley Wark, “The road to CANUSA: how Canadian signals intelligence won its independence and helped create the Five Eyes,” Intelligence and National Security, published online 7 November 2019; mirrored here.)

For those interested in the history of Canadian intelligence and its signals intelligence effort in particular, that's a highly welcome development.

But such articles are no substitute for an actual, professional, official history of the organization.

So how about it, CSE? Are you going to wait until New Zealand's tiny GCSB beats you to it too?

Update 19 February 2020:
On a related note, A declassification strategy for national security and intelligence records, a discussion paper written by Wesley Wark for the Office of the Information Commissioner (published by the OIC yesterday), is well worth reading.

Saturday, August 24, 2019

History of CBNRC

In August 1987, CSE published an internal, highly classified history of the agency from its founding in 1946 as the Communications Branch of the National Research Council (CBNRC) to its transfer in 1975 to the Department of National Defence and renaming as the Communications Security Establishment.

The History of CBNRC's authors were N. Kevin O'Neill, who had been Director of CBNRC/Chief of CSE from 1971 to 1980, and Ken J. Hughes, a senior COMSEC official. Both had been on the staff of the agency through the entire period covered by the history.

Not long after the document was written, I and at least one other person formally requested that the releasable portions be made public under Canada's then new Access to Information law. That eventually did occur—after a delay of several years—but the released version was extremely heavily redacted, with perhaps 80-90 percent of the document withheld entirely and most of the rest riddled with additional redactions.

Group and section names and most personal names were redacted. Target names were redacted. All mentions of NSA and GCHQ were redacted (except for one mention of GCHQ that slipped through). Even the name of Kevin O'Neill's co-author was redacted.

There was some useful information left in the sections that remained, but the resulting document was mostly a testament to excessive secrecy.

Second release

More than 25 years later, someone—I don't actually know who—requested a fresh release of the History, and this time a much more significant part of the seven-volume document was released. (I obtained it through the Canadian Foreign Intelligence History Project.)

There are still large portions redacted, including the entirety of Volume II, but a great deal of new and very interesting information about CSE's history was released. I drew on the new release for this discussion of CSE's experimental cable monitoring efforts in the 1970s, for example.

[Update 3 December 2019:

An even more recent release to Wesley Wark (access request A-2018-00065) includes additional previously redacted material in Chapter 11. The rest of the release appears to be identical (although I must admit I haven't examined every word of it). I've changed the links below to copies of the Wark release. Many thanks, Wesley! Bonus: I've uploaded OCRed versions of the files.]

[28 MB PDF]

1 Origins and Background
2 SIGINT Policy and Committee Structure
3 Organization and Establishment
4 SIGINT Production Tasks
5 Interception at Stations

[Volume not released]

6 Special Collection
7 Signal Analysis
8 Cryptanalysis

[Part 1 - Chapters 9 to mid-11 (16 MB PDF) & Part 2 - Chapters mid-11 to 13 (15 MB PDF)]

9 Tactical SIGINT and Support to NATO
10 Intelligence Requirements and SIGINT Reporting
11 Liaison with Collaborating Centres
12 SIGINT Equipment and Engineering
13 Mechanization and Computer Developments

[26 MB PDF]

14 Communications
15 COMSEC in Canada before CBNRC
16 COMSEC Policy and Committee Structure
17 Development of COMSEC in CBNRC

[24 MB PDF]

18 Provision of COMSEC Advice and Support
19 Production of Keying Material
20 Use of Crypto Equipment in Canada
21 Evaluation of Crypto Equipment
22 Production of Crypto Equipment in Canada
23 COMSEC Monitoring and Analysis

[22 MB PDF]

25 Financial Administration
26 Security
27 Personnel
28 Training

[5 MB PDF]

Appendix - Chronological Summary