On November 4th, the National Security and Intelligence Committee of
Parliamentarians (NSICOP) released the public version of its report on the security and intelligence activities of Global Affairs Canada (GAC),
otherwise known as the Department of Foreign Affairs, Trade and Development.
There's a lot of new information in the report about GAC's role in the
Canadian intelligence community as overseer, facilitator, collector, assessor,
and consumer of intelligence. It's well worth reading.
In the following, I'll focus on what the report says about how Global
Affairs works with the Communications Security Establishment.
GAC–CSE relationship
On page 24 (PDF page 33), NSICOP describes the
overall relationship between CSE and Global Affairs:
GAC's collaboration with CSE ... dates back to the creation of CSE in 1946. GAC has
long been a client of CSE's foreign intelligence collection ***. While GAC has
had a formal consultation role for some of CSE's most sensitive activities
since 2002, the coming into force of the CSE Act in 2019 provided GAC a more
significant role in CSE's new authorities for cyber operations.
(NSICOP uses "***" to indicate where information
that was in the classified version of the report has been redacted.)
GAC and CSE formalized their cooperation with the signing of a General Framework
Agreement in 2009. The agreement recognized the organizations' cooperation in
the collection of foreign intelligence, their long-standing collaboration on
the implementation of Canada's Export Control legislation, and their response
and handling of cyber incidents targeting GAC. (p 24/PDF 33)
Take note of that mention of "the organizations' cooperation in the
collection of foreign intelligence"; we'll return to that point later on.
Computer Network Exploitation
Next we get a quick look at GAC's oversight of CSE computer hacking
operations used to collect intelligence from information technology systems and
networks, more formally known as Computer Network Exploitation (CNE).
All mentions of CNE are redacted from NSICOP's report, but it is clear from
the context that CNE is the subject. (For more fun with CNE redactions, see here.)
The first formal agreement
on consultation between CSE and GAC concerned the agency's *** activities.
These activities use *** for the purpose of collecting foreign intelligence. In
2002, GAC and CSE signed a memorandum of understanding under which CSE would
inform GAC prior to undertaking its most *** outside of Canada. (p 24/PDF 33)
The CNE memorandum of understanding was signed by the Minister of National
Defence on 23 April 2002.
The agreement also granted
GAC a role in challenging CSE's conduct of certain activities ***. While the
2002 memorandum of understanding remains in place, the two organizations
streamlined elements of the agreement in 2015. (p 24-25/PDF 33-34)
GAC's role is to make sure the potential risks/rewards of CNE operations are
assessed in the context of Canada's overall foreign policy.
Foreign relationships
CSE is also required to consult GAC before entering
into any arrangements with foreign states or institutions. Since the 2019 entry
into force of the CSE Act, it has been a statutory requirement that the
Minister of National Defence consult the Minister of Foreign Affairs before
approving such arrangements.
Given the recent nature of this authority, CSE has not consulted GAC prior to
entering into such an arrangement at the time of writing. (p 25/PDF 34)
Defensive cyber operations (DCO)
The CSE Act also requires the Minister of National Defence to consult the
Minister of Foreign Affairs prior to issuing an authorization for defensive
cyber operations (DCO). DCOs are cyber operations designed to protect Canadian
government networks or systems designated as being of importance to the
government.
The Minister of National
Defence issued the first authorization for defensive cyber operations in ***
2019. CSE officials developed this authorization in consultation with GAC. (p
26/PDF 35)
Although redacted here, the date of the authorization was 5 September 2019,
as reported by NSICOP in its February 2022 cybersecurity report (p 77/PDF 89).
The November report provides some additional details on GAC's contribution:
At the operational level, GAC provides foreign policy risk assessments for all of
CSE's planned defensive cyber operations. As part of its assessment of the
proposed operation, GAC considers potential implications for Canadian
interests, the operation's compliance with international law and cyber norms,
alignment with broader foreign policy interests, the nature of the target (***)
and whether the operations ***. (p 26/PDF 35)
Also interesting is this bit of news:
Between *** and ***, CSE
planned but did not conduct any defensive cyber operations, because separate
defensive cyber measures taken by CSE obviated the need for the planned cyber
operations. (p 26/PDF 35)
It would be even more interesting, of course, if unredacted dates were provided.
Fortunately, NSICOP's February 2022 report (p 96/PDF 108) did provide that
information, stating that no DCOs were conducted during the first two
DCO authorization periods (i.e., from September 2019 to August 2021).
That report also informed us that, "in the first year, normal cyber
defence activities successfully mitigated the threat and obviated the need for
a separate operation and in the second year, planned operations had not
proceeded to the operational stage." (p 96/PDF 108)
It would be interesting to know if any DCOs have yet been conducted.
S.16 activities
Under s.16 of the CSIS Act, CSIS can collect foreign intelligence
"within Canada" on request of either the Defence Minister or the
Foreign Affairs Minister. This might entail monitoring the communications of an
embassy in Ottawa, for example.
CSE often helps with technology, processing, and reporting of the intelligence that results from s.16 collection, and GAC plays a role as a requestor, assessor of foreign policy
risk, and intelligence client.
In 2008, officials from participating organizations introduced a formalized
governance model [for the s.16 program], which included a requirement to assess
potential subjects against criteria linked to Canada's intelligence priorities
and a permanent oversight committee structure (the *** Committee) with the
responsibility to evaluate and endorse section 16 rationales before they are
submitted for approval to the relevant ministers. (p 38/PDF 46)
All information about the committee, including its name, is redacted from
NSICOP's report.
By contrast, a 2015 report by OCSEC, CSE's first watchdog agency, described
the committee structure in detail, and this information was later released
mostly unredacted to reporter Colin Freeze via Access to Information request
A-2015-00082.
Some of the details may have changed since then, but if the information was
releasable at that time, why not now?
Active cyber operations (ACO)
The CSE Act also "allows CSE
to conduct active cyber operations to degrade, disrupt, influence or interfere
with the capabilities or intentions of foreign entities." (p 41/PDF 49)
In recognition of the
foreign policy implications of these activities, the Act stipulates that the
Minister of National Defence may issue this authorization only if the Minister
of Foreign Affairs has requested or consented to its issue. (p 41/PDF 49)
Note that this differs from DCOs, which require only consultation with the Foreign Affairs Minister.
"The Minister of National Defence issued CSE's first authorization for
active cyber operations in 2019" (p 41/PDF 49), i.e., shortly after the CSE Act came into force.
The 2019 Annual Report (p. 25) of the
National Security and Intelligence Review Agency (NSIRA) also confirmed that an
ACO authorization was issued that year.
But NSICOP's report goes on to provide considerably more information than was
released previously:
Between 2019 and 2020, CSE
planned four active cyber operations and carried out one. (p 41/PDF 49)
The ACO that was carried out sought to "disrupt the activities of
terrorists and violent extremists." (p 41/PDF 49)
The three ACOs not conducted sought "to disrupt foreign cyber threats
to the 2019 federal election"; "to counter the dissemination by
specific terrorist groups of extremist material on-line"; and "to
mitigate threats posed by foreign cybercriminal groups targeting
Canadians". (p 41-42/PDF 49-50)
The election-related ACO was not conducted "because no specific
state-led operations were detected", while the other two did not get done
"due to operational restrictions arising from COVID". (p 41-42/PDF
49-50)
(For more on the effect of the COVID-19 pandemic on the Canadian security and
intelligence community, see this book.)
In August 2019, the
Minister of Foreign Affairs directed GAC officials to work with CSE to develop
a formal governance mechanism to ensure CSE's cyber operations align with
Canada's foreign policy and international legal obligations. (p 42/PDF 50)
This led, in 2020, to the creation of "the CSE–GAC Active Cyber
Operations/Defensive Cyber Operations Working Group and a comprehensive
governance framework for consultation on cyber operations". (p 42/PDF 50)
The report also reveals that, inside CSE, "the
Cyber Operations Group and the Cyber Management Group oversee CSE's cyber
operations. These are executive bodies, at the director- and director
general-level respectively, that review and approve cyber operation plans and
risk assessments. The Director of *** and the Deputy Chief of Signals Intelligence
chair the respective committees, and membership depends on ***." (p 43/PDF
51)
This is the first official confirmation, I think,
that CSE's cyber operations are lodged in the agency's SIGINT branch.
Interestingly, NSIRA also recently looked at the GAC–CSE relationship with respect to the governance of ACO/DCO
activities.
Among other findings, NSIRA stated that "CSE
and GAC have not established a threshold to determine how to identify and
differentiate between a pre-emptive Defensive Cyber Operation and an Active
Cyber Operation, which can lead to the insufficient involvement of GAC if the
operation is misclassified as defensive." (p 69/PDF 77)
In total, NSIRA made nine recommendations for improvements
relating to "engaging other departments to ensure an operation’s alignment
with broader Government of Canada priorities; demarcating an ACO from a
pre-emptive DCO; assessing each operation’s compliance with international law;
and communicating with each other any newly acquired information that is
relevant to the risk level of an operation." (p 21/PDF 29)
The full set of findings and recommendations can be
found on pages 69-71 (PDF 77-79) of NSIRA's report.
PILGRIM's progress
Getting back to NSICOP, the next two pages of the committee's report (p 44-45/PDF
52-53) discuss a program that is ostensibly so secret that all information is
redacted except for one sentence: "GAC states that it derives its
authority for the program from the Crown prerogative." (p 44/PDF 52)
This is clearly the program — known at one time as PILGRIM — for the operation of CSE
intercept facilities inside Canadian diplomatic missions, our equivalent of U.S.
Special Collection Service sites.
Presumably it was this program that NSICOP was alluding to when (as I noted
at the beginning of this post) it mentioned GAC and CSE's "cooperation in
the collection of foreign intelligence". (p 24/PDF 33)
All of the Five Eyes partners operate such intercept sites, known
collectively under the coverterm STATEROOM, but the official policy is to
pretend no one knows Canada does this sort of thing, so even the fact of its
existence remains classified. That rare allusion is as close as we get to an
official confirmation.
Still, NSICOP did manage to flag some concerns about GAC's role in the
program in its descriptions of three of the redactions (p 45/PDF 53):
1. "The paragraph noted that the Department does not have any policies,
procedures or documents to govern its involvement, and does not have any
reporting requirements to the Minister".
2. "The paragraph noted challenges regarding the management of
risk."
3. "The paragraph noted the Department's failure to inform the Minister
of important issues."
One of the report's four recommendations was probably aimed in part at this
program:
R3. [NSICOP recommends that
the] Minister of Foreign Affairs put in place comprehensive governance
mechanisms for the Department's security and intelligence activities and for
those that it supports or contributes to at partner organizations. Those
mechanisms should better document processes and decision points to strengthen
accountability and institutional memory. (p 95/PDF 102)
Intelligence Access and Countermeasures section
A few pages after the intercept sites discussion — past another almost
entirely redacted part called "Logistical Support ***" that probably
discusses GAC's occasional provision of support to Five Eyes partner HUMINT
agencies like MI6 and the CIA — is a chapter on GAC's own intelligence
activities.
There is a lot of very useful and rarely if ever reported information in
there about what Global Affairs itself does in this field, but for my purposes
I want to highlight just one aspect:
In 2017, GAC established a
division within the Intelligence Bureau responsible for the management of
highly classified communications at missions abroad. This Intelligence Access
and Countermeasures section works closely with CSE to accredit and protect
GAC's signals intelligence secure areas. (p 51-52/PDF 59-60)
("Signals intelligence secure area" (SSA),
by the way, is the Canadian SIGINT community's equivalent for what in the U.S. is
known as a secure compartmented information facility, or SCIF.)
NSICOP's description of the Intelligence Access and Countermeasures section gives
the impression that it deals only with GAC's own communications, and maybe it
does do only that. But the fact that "Intelligence Access" is included
in the section's name may indicate that it also looks after the intercept sites
at the missions, which of course also would be located in SSAs.
A probably much less likely theory is that the unit is also mandated to conduct close-access operations, which are designed to enable SIGINT
collection by placing antennas or other collection systems in close proximity
to targeted information technology systems and/or installing hardware or software
implants directly in them.
The foreign intelligence collection authorities
granted to CSE in the CSE Act
are broad enough to encompass close-access activities:
The foreign intelligence aspect of the Establishment’s mandate is to acquire,
covertly or otherwise, information from or through the global information
infrastructure, including by engaging or interacting with foreign entities
located outside Canada or by using any other method of acquiring information,
and to use, analyse and disseminate the information for the purpose of
providing foreign intelligence, in accordance with the Government of Canada’s
intelligence priorities. (s.16)
And the agency could, with Global Affairs' agreement,
deputize GAC personnel to conduct such operations on its behalf.
However, heads far wiser than mine consider it all but inconceivable
that any Canadian government would ever muster the will to attempt such
inherently perilous operations, with their potential for embarrassing exposure and,
worse, risk to the life or liberty of the individuals participating.
Also, we might expect there to be a lot more discussion of the topic in this report if the section's role really did extend that far. (That
said, it's not impossible that there is such a discussion buried in the redacted parts of the report concerning intercept sites.)
I'm probably letting my imagination run away with me when it comes to close-access ops. But I'll keep pondering
that imponderable because certain comments made by CSE's former Deputy Chief SIGINT way back in 2007 leave me strongly inclined to believe that CSE would very much like the government to conduct such operations for it.
There is a lot of other valuable information about GAC's intelligence role
in this report, but that pretty much covers the CSE-related aspects.
Redactio ad absurdum
I will make one final complaint about pointless redactions, however. On pages
75-78 (PDF 83-86) there is a case study of a kidnapping incident involving a
Canadian from which almost all personal details have been redacted.
Maybe it's intended as a privacy thing, but it only takes about a minute on
Google to fill in all those blanks.