Tuesday, November 13, 2018

Canadian Centre for Cyber Security to be located at 1625 Vanier Parkway

The new home of the Canadian Centre for Cyber Security (CCCS) will be located in a commercial office building at 1625 Vanier Parkway in Ottawa, ADM of Operations André Boucher revealed in a presentation to the ITAC Cyber Security Technology Summit on October 30th.

The Centre will occupy the top six floors of the currently unoccupied 10-storey building. The building offers space at a rate of $42,500 per floor per month, so it looks like CCCS will pay about $3 million per year for the site.

Assuming 20-25 square metres per employee, the roughly 16,000 square metres of office space on the six floors should be sufficient for pretty much all of the 750 employees the CCCS is currently slated to have.

(For those interested, the image below shows a typical floor plan in the building.)

It is likely, however, that some employees will remain in CSE's Edward Drake building, where specialized labs and higher-security premises already exist. According to Boucher, the Centre's data holdings will remain housed at the CSE campus and/or in the public cloud.

In addition, as the CSE Commissioner reported in 2017, some IT Security personnel currently work face to face with SIGINT personnel in shared workspaces ("When analyzing cyber threat activities, the SIGINT and IT Security branches share tools and workspaces"). It seems unlikely that these common workspaces will end up in the CCCS's lower-security facility.

In September, CCCS Head Scott Jones testified that the Centre was hoping to occupy the same building as the new RCMP National Cybercrime Coordination Unit "so that we can be co-located." Thus, depending on its ultimate size, that unit might also occupy one or two floors in the building. The RCMP's existing cybercrime unit is housed in the force's National Division, which is headquartered at 155 McArthur Avenue, just one door down from 1625 Vanier Parkway. One way or another, therefore, it seems clear that the two organizations will indeed end up as neighbours.

It is not clear whether the other floors of 1625 Vanier Parkway will be occupied at all for the time being. The building has stood vacant—apparently in hopes of acquiring a major government tenant—since its construction was completed in 2015, and its owners may well be willing to wait a few more years to finish leasing it. That would probably be wise, as chances are good that the CCCS has not finished growing and may well be in search of additional space in future years. Alternatively, there is probably more than one Ottawa cybersecurity firm that would be pleased to lease spaces in the same building as CCCS.

Meanwhile, the departure of some 500 CCCS staffers from the Edward Drake building would seem to leave a substantial hole in the occupancy of that nearly brand-new facility.

This will not be a problem, however, as CSE's ongoing expansion was already starting to exceed the limits of the building. With continued growth of the SIGINT side of the organization already on the agenda, it is likely that the impending exile of the IT Security side is coming at just the right time.

Indeed, although the argument that the CCCS needs its own, more publicly accessible facility is reasonably convincing on its own, space considerations may well have been the decisive factor. As in 1956 when CBNRC outgrew the Rideau Annex and 1980 when CSE outgrew the Sir Leonard Tilley building, when the space runs out, it's always the IT Security side that gets the boot.

Friday, October 26, 2018

CSE budget jumps to $682.9 million

The Supplementary Estimates (A) for FY 2018-19, tabled in Parliament yesterday, show a significant proposed increase in CSE's spending authorities of some $58 million, to $682,903,093. The Main Estimates for FY 2018-19, tabled in April, showed a budget of $624.9 million for the agency.

It takes a bit of digging through the documents to get an idea of where the changes took place, but this is roughly how it breaks down:

$624,893,953 (Main Estimates)

+ $1,923,668 (additional funding for Long-Term Accommodation Project)

- $442,771 (transfer to DFATD for liaison offices)

+ $6,941,780 (compensation adjustments)

+ $20,668,322 (operating budget carry-forward)

+ $35,703,582 (establishment of Canadian Centre for Cyber Security)


= $689,688,534

—which for reasons entirely opaque to me is actually $6,785,441 larger than the overall $682,903,093 figure reported in the Supplementary Estimates (A). Perhaps the compensation adjustment figure isn't included in the total for some reason, although that would still leave a discrepancy of over one hundred thousand dollars. I probably missed something somewhere.

In any case, the big additions are the $20.7 million carry-forward from last year's budget and the $35.7 million added for the launch of the Canadian Centre for Cyber Security.

I'm a bit surprised we didn't see any transfer of funds from the Department of Public Safety and Shared Services Canada accompanying the transfer of personnel and duties from those departments to CSE. Maybe that will come later.

Recent CSE testimony suggests the agency now has roughly 2500 people, up from 2300, which if accurate is presumably primarily a result of these transfers.

The new figure makes CSE's budget about 4.1 times as large (after inflation) as it was prior to 9/11.

[I've updated the figures above a couple of times in the hour since first making this post, but I still can't make them add up.]

Tuesday, October 02, 2018

Canadian Centre for Cyber Security launched

Defence Minister Harjit Sajjan announced the official launch of the Canadian Centre for Cyber Security (CCCS) on October 1st.

The Centre, which I blogged about earlier here, was created by amalgamating Public Safety Canada's Canadian Cyber Incident Response Centre (CCIRC) and Get Cyber Safe public awareness program, elements of the Shared Services Canada Security Operations Centre, and the entire IT Security branch of CSE. The CCCS will remain a component of CSE, but it will have its own head (former Deputy Chief IT Security Scott Jones), its own public identity, and, as of 2019, its own headquarters building in the National Capital Region.

The separate building will enable the Centre to interact more with industry and the public, Jones told the Standing Committee on Public Safety and National Security on September 20th:
"[W]e're making sure that we have a facility where people can come in and work. If you come and visit CSE now, we take all of your technology away because you're entering a top secret building. The cyber centre will not be that way. The physical facility for this will be a place where people can come and collaborate and, frankly, bring their stuff so we can see how it works and we can work together on things."

Jones anticipates that the RCMP's new National Cybercrime Coordination Unit, although not a part of the CCCS, will be co-located in the same building.

Not mentioned, although perhaps also a factor in the decision to house the Centre in a separate facility, is the possibility that CSE's new headquarters building, which was itself completed only in 2015, may have been running out of space as a result of anticipated staff increases in both the cybersecurity and the SIGINT sides of the agency.

[Update 13 November 2018: The new facility will be located at 1625 Vanier Parkway.]

You can read more about the Centre and its launch here and here.

News coverage:

Jim Bronskill, "New cybersecurity centre assesses threats to Canadian electoral system," Canadian Press, 1 October 2018.

Howard Solomon, "Canadian Centre for Cyber Security opens, to be focus for federal safety efforts," IT World Canada, 1 October 2018.

Thursday, July 19, 2018

OCSEC-2018 report released

The 2017-18 annual report of the Office of the CSE Commissioner (OCSEC) was made public on July 18th.

To sum it up in a sentence, CSE didn't do anything egregiously wrong in the last year, at least as far as OCSEC is concerned. So, good news there.

Of course, as a result it's pretty much a certainty that this report will soon join its predecessors lost in the depths of obscurity. That's a shame, because as always, there's some information worth salvaging from it.

Unlike the 2016-17 report, which I only got around to revisiting in the past two months, I'll try to explore this one over the next few days and weeks.

Monday, July 09, 2018

OCSEC-2017, part II: The circumstances are always exceptional

Welcome to stage two of our expedition to the wreck of the OCSEC 2016-2017 annual report, as we return to the site of the report's disappearance to see what else of interest may be down there. (See stage one here.)

Ooh, here's a neat little artefact! CSE has been spying on citizens or other residents of its Five Eyes allies.

For decades there has been a persistent rumour among the more conspiracy-minded of spy agency watchers that the Five Eyes agencies evade the legal limits placed on spying on their own citizens and within their own borders by getting their partner agencies to do this spying for them. And for just as long, those agencies have been dismissing that claim as a load of paranoid nonsense. Which, to be fair, it mostly is.

Twenty years ago the first CSE Commissioner addressed this concern in his 1997-98 annual report, assuring his readers that
"CSE undertakes explicitly to treat the communications of Second Party nationals in a manner consistent with the procedures issued by the agency of that country, provided such procedures do not contravene the laws of Canada. This is a reciprocal undertaking to ensure that the Second Parties do not target each others’ communications or circumvent their own legislation by targeting communications at each others’ behest."

In more recent years, however, those agencies and their watchdogs have occasionally conceded, grudgingly, that, OK, yes, once in a while the allies do direct their surveillance capabilities at one another, and that in some of those cases the information thus collected is in fact passed on to the ally that was targeted.

For example, in his 2013-14 annual report (page 24) the current CSE Commissioner acknowledged that "each partner is an agency of a sovereign nation that may derogate from the agreements and resolutions, if it is judged necessary for their respective national interests." He went on to reassure his readers (page 25), however, that CSE
"policies and procedures state that collection activities are not to be directed at second party nationals located anywhere, or against anyone located in second party territory. Document review, discussions in interviews and written answers suggest that [CSE] conducts its foreign signals intelligence activities in a manner that is consistent with the agreements it has with its second party partners to respect the privacy of the partners’ citizens, and to follow the partners’ policies in this regard."

In the 2015-16 report, a little bit more was revealed about how our Second Party partners don't consider themselves quite as entirely bound by this rule as our own upstanding CSE folks do. As the Commissioner noted (page 16), in "exceptional circumstances, one of CSE’s partners may acquire and report on information about a Canadian or a person in Canada." He then explained (page 17) that these exceptional circumstances were now occurring regularly enough that CSE had established a special mechanism to transfer the material — which probably mostly concerned Canadians involved in extremist-related activities in Syria and elsewhere — from the allied agencies that had collected it onward to CSIS.

This year it was CSE's turn in the spotlight (pages 16-17):
"CSE policies and procedures state that collection activities are not to be directed at Five Eyes nationals located anywhere, or against anyone located in Five Eyes territory. Nevertheless, it is recognized that each of the Five Eyes partners is an agency of a sovereign nation that may deviate from these agreements if it is deemed necessary for their respective national interests. Accordingly, in such exceptional circumstances it may become necessary for CSE to acquire information involving Five Eyes nationals or a foreigner on Five Eyes territory." [emphasis added]

What followed should probably be described as exceptionally unsurprising. It turns out that circumstances have once again been exceptional and CSE has indeed been targeting Five Eyes nationals and/or territory.

In retrospect, it is tempting to conclude that the Commissioners' 1997-98 and 2013-14 statements were exceptionally disingenuous. But it is also possible that agency practices have been evolving at a rather rapid pace. The 2016-17 report notes (page 18) that "In 2015, CSE updated its policy [with respect to such monitoring] to more effectively respond to operational requirements and emergencies, and formalized certain existing practices."

In any case, if there's a Disingenuity Prize to be awarded, my vote would have to go to John Forster, who as Chief of CSE assured the Senate in November 2012 that "I would no more target an American than they would a Canadian." This masterpiece of Schrödingerian superposition managed to be both exceptionally misleading and completely truthful at the same time. You have to admire the beauty of that, even as you remind yourself never to take a word these guys say at face value.

Still, we work with the information that we can dredge up, so back to the 2016-17 report.

In what was the first direct review undertaken of such targeting, the Commissioner looked at "all CSE-initiated activities involving Five Eyes nationals or a foreigner on Five Eyes territory" during the 20-month period from January 2015 to August 2016, amounting to a total of 11 "cases".

Eleven is a very small number, and while it is always possible that these 11 cases involved significantly more than 11 individuals, it's likely that the overall total was pretty small.

Still, this is not "incidental" collection of information obtained in the course of monitoring non-Five Eyes targets that we're talking about here: this is the deliberate targeting of allied nationals and/or territory, so even if the numbers are small it's potentially an explosive topic.

Given that possibility, before the Toddler in Chief fires up his Twitter account let's quickly note that this is not about the Canadian Deep State spying on Donald J. Trump. As sensible as it might be for the Canadian government to seek whatever advance warning it can get of the latest absurdities percolating in the Oval Office, a) the activities described in this report took place ca. 5 to 25 months before Trump took office, and b) there is not the slightest chance that the CSE Commissioner would have been permitted to reveal them if they involved anything liable to prompt awkward exchanges with the United States or other Five Eyes allies.

The Commissioner chooses his own topics to review and report, but it is the government that decides what information is declassified, so if anything truly embarrassing had been going on, people like me would still be wondering what the Commissioner meant by "certain activities" undertaken by CSE, not discussing the details of the targeting of Five Eyes partners. It is a safe bet that the U.S. and the other Five Eyes allies were well aware of the activities reported in this document.

Extremist Travellers phone home?

So what are we looking at here? Almost certainly not the Five Eyes partners spying on each other's political leaders or trade negotiators. In fact, for once the CSE Commissioner gives us a pretty clear indication (page 16): whereas last year's review examined the procedures used when CSE's partners "acquire and report information about Canadians located outside of Canada, for example, because they are known to be engaging in or supporting terrorist activities," this year's review looks at "the exceptional circumstances where CSE acquired information and reported on similar activities involving Five Eyes nationals."

With Canada actively involved in recent years in the battle against ISIS, and with all of the partners keenly interested in the activities of their nationals who have gone abroad to fight for that or other extremist causes and who may be seeking to radicalize others still at home, it seems that there is now tacit agreement among the partners that it's OK to target the nationals of the others when you encounter them in the course of counter-terrorism investigations.

If this is indeed what's going on, it may well be a reasonable exception to make under these specific, limited circumstances. But it should also raise some warning flags.

What is being done with the information collected by and shared among those allies, and perhaps beyond them, remains an issue. It is one thing to kill someone who is clearly part of an enemy armed force in an active theatre of war, even though they may be a citizen of your country. But what if, freed from past pledges not to monitor partner nationals, the U.S. targets a Canadian thought to be radicalizing other Westerners who is hiding out in Libya, where Canada is not at war but U.S. drone strikes are actively killing extremist supporters? Do we have an official position on that? What about the use of such information for arrest and subsequent torture? Presumably it is not the view of the government that it's open season on all Canadian "extremists" — convicted by spy agencies, not by courts — once they are outside our borders.

In 2015, Canada resumed the practice of requesting Five Eyes assistance when Canadians travelling outside Canada are monitored under CSIS warrants, even though this identifies those Canadians to our partners, who may then choose to do their own monitoring of those individuals for their own purposes, be they intelligence collection, rendition, or death. The Commissioner made a nod toward these concerns on page 18 of his report:
"While not directly related to this review, the Commissioner again encouraged the Minister to address an outstanding July 2013 recommendation to issue a new ministerial directive to provide general direction to CSE on its foreign signals intelligence information-sharing activities with its Five Eyes partners.... The office was informed that a new ministerial directive is being developed that will explicitly acknowledge the risks associated with this type of sharing, given that CSE cannot, for reasons of sovereignty, demand that its Five Eyes partners account for any use of such information."

As of August 2017, however, no such directive had yet appeared, although a more limited directive on Avoiding Complicity in Mistreatment by Foreign Entities was signed in November 2017.

Another red flag concerns the possibility that the purposes of such monitoring may expand. Protecting against terrorism may be a reasonable and limited reason for bending the rules against monitoring each other's nationals, but how about preventing the proliferation of weapons of mass destruction? That's pretty important. How about stopping child sexual exploitation? Or disrupting the deadly fentanyl trade? Where do you stop?

Counter-intelligence? Tax evasion? Illegal downloading?

Disloyalty to the President?

To be clear, we are a long, long way from a panoptical world where surveillance laws no longer matter because the other Five Eyes agencies are spying on everybody for us. We are not even remotely close to that world, and we probably never will be. We have many safeguards against it.

But you can see it from here, far away down there at the bottom of the slope we now seem to have stepped upon. Our footing seems pretty secure way up here, but we should probably tread carefully.

Wednesday, June 27, 2018

Bruce appointed Chief of CSE

Shelly Bruce has been appointed Chief of CSE effective immediately.

Bruce was appointed Associate Chief in November 2017 and has been serving as acting Chief of the agency since May 23rd, when the previous Chief, Greta Bossenmaier, was appointed National Security and Intelligence Advisor. Prior to serving as Associate Chief—a position that only occasionally appears on the CSE organization chart—Bruce spent eight years as the Deputy Chief in charge of the SIGINT side of the agency. (More on Bruce's bio here.)

Bruce is the 10th Chief CSE/Director CBNRC, and the first chosen from within the ranks of the agency since 1989:
  • Edward M. Drake (1946 - 1971)
  • N. Kevin O'Neill (1971 - 1980)
  • Peter R. Hunt (1980 - 1989)
  • A. Stewart Woolner (1989 - 1999)
  • D. Ian Glen (1999 - 2001)
  • Keith Coulter (2001 - 2005)
  • John L. Adams (2005 - 2012)
  • John Forster (2012 - 2015)
  • Greta Bossenmaier (2015 - 2018)
  • Shelly Bruce (2018 - )

The five Chiefs before Bruce were all brought in from outside the agency, a practice that presumably was begun to bring an outsider's perspective into CSE and perhaps encourage a somewhat less insular agency culture. Ministers typically develop very little in-depth knowledge of the workings of the agency and they may also have seen outside Chiefs as a safeguard against being bamboozled by the bureaucrats when they came to them for approval of this or that policy or proposal.

If that was the concern, however, it seems to be absent now. Not only was the new Chief hired from the inside, but CSE's promotion to stand-alone agency in 2011 removed both the Deputy Minister of National Defence and the National Security Advisor (as the position was then known) from the direct CSE chain of command. Both positions are filled by public servants, to be sure, but neither was beholden to the agency, and thus both were in a position to take a somewhat more skeptical view of its claims. I don't much fancy the Minister's chances if the agency should ever decide to "blind him with science" as the saying goes.

Not that I'm saying we should expect that from Bruce.

And the Minister won't be entirely defenceless in any case. The National Security and Intelligence Advisor is still in a position to comment on much of what CSE says and does, and having just been Chief herself, Bossenmaier will certainly know what's really going on there. The new National Security and Intelligence Committee of Parliamentarians, the CSE Commissioner, and, once Bill C-59 is passed, the upgraded watchdog agencies should also help the Minister stay apprised of what's going on.

Is it possible the government feels CSE now has enough outside eyes on it and no longer needs to put itself through the process of training a new Chief every few years?

Whatever the reason, it's clear that Bruce will be able to hit the ground running, and that has to be seen as a good thing by the agency as it prepares to adapt to its new C-59 authorities, including the power to conduct computer network attack operations, while standing up the new Canadian Centre for Cyber Security and managing on-going growth.

Monday, June 11, 2018

Exploring the wreck of the OCSEC-2017

The Office of the CSE Commissioner, CSE's soon to be replaced watchdog agency, released its 2016-17 Annual Report back in August 2017. As is traditional, it almost immediately sank from sight and was lost to all human ken. Nearly a year later, I guess it's about time I mounted my annual expedition to see if there's anything worth salvaging from it. With luck, I might manage to raise a few items before the 2017-18 report is launched.

Unlike the 2015-16 report, this report did receive a modicum of media coverage in the immediate wake of its release, specifically on the issue of information-sharing with allies. (See Justin Ling, "Canada still hasn’t developed new rules for intelligence sharing with U.S. and allies," Vice News, 24 August 2017 and Alison Crawford, "Canada's electronic spy agency to get new rules for sharing data with allies," CBC News, 29 August 2017.) But I'm willing to bet there's still lots of material worth examining lying in the forgotten hulk.

So let's get this expedition underway.

Use/retention of private communications up 25,653%

OK, here's something interesting. According to the CSE Commissioner, in 2015-16 CSE used or retained 3,348 "private communications" that were collected under the agency's foreign intelligence program (see page 39 of the report).

In Canadian law, a private communication is a communication with at least one end in Canada. CSE's foreign intelligence program is not allowed to "target" Canadians or any person located in Canada, but if a foreign target of the agency who is located outside Canada communicates with someone inside Canada, CSE is permitted to collect that private communication as long as there is a Ministerial Authorization permitting such collection in place (and, rest assured, there is). The 3,348 figure reported by the Commissioner represents only one portion of the total number of private communications collected or otherwise acquired by CSE under the three parts of its mandate, but it's a potentially important indicator of how often Canadians get pulled into CSE's foreign intelligence collection activities.

I've been using highway signs to depict the private communications numbers reported by the Commissioner. In 2012-13 the number was 66 and in 2013-14 it was 17, later revised to 13. Last year it was 342, which was a bit of a challenge but I did find a suitable highway. This year I've had to improvise...

That's a big number. The Commissioner's report comments that the 2015-16 total is "almost 3,000" higher than the previous year total, which seems like an unusual way to put it since the actual difference is 3,006. Maybe the 2014-15 number was revised too. In any case, the two numbers aren't strictly comparable, as the 2014-15 figure refers to a seven-month period, while the 2015-16 figure covers a full twelve months. To get an apples-to-apples comparison, we need to go back two years to the 13 private communications used or retained over the twelve months of 2013-14.

Those figures show that the number of private communications used or retained by CSE's foreign intelligence program jumped by 25,653% between 2013-14 and 2015-16. That's a comma, not a decimal point: Twenty-five thousand six hundred and fifty-three percent.

So, yeah. Quite a big jump.

We do get an explanation of sorts for the change: "The increase in the number of used or retained private communications remains a consequence of the technical characteristics of certain communications technologies, and CSE’s legal obligations to count private communications in a certain manner."

But that doesn't really answer many questions.

In 2016, when this growth trend first became apparent, I speculated that CSE may be collecting an increasing number of communications transmitted by chat applications such as Facebook Messenger. Because each individual comment in such conversations is a separate transmission, it is likely that each would be considered a separate private communication for legal purposes. Thus, a single conversation lasting just a few minutes might contain dozens of private communications. If this is what explains the dramatic jump in the numbers since 2013-14, there may have been little if any actual increase in the number of persons in Canada whose conversations or other communications are being caught in CSE's dragnet.

That would certainly explain the Commissioner's apparent lack of concern about the numbers.

The current report doesn't confirm that theory (or provide any other intelligible explanation), but it does comment that "the current manner in which CSE counts private communications provides a distorted view of the number of Canadians or persons in Canada that are involved in (i.e., are the other end of) CSE interceptions to obtain foreign intelligence under ministerial authorizations."

And the report provides one additional key piece of information: The 533 private communications that were actually used in CSE's foreign intelligence reporting in 2015-16 (as opposed to temporarily retained for possible future use) appeared in a total of just 20 end product reports. This means that on average 26.65 private communications were cited in each one of those reports. Since some reports almost certainly concerned just a single private communication, many of them are likely to have cited 40 or 50 or more.

A little background on SIGINT end product reports might be helpful here. CSE does not produce extended intelligence assessments — it reports SIGINT facts, such as a single key piece of information overheard in an intercepted phone call. CSE analysts don't sit on such intelligence: they disseminate it to their clients in an individual end product report with as little delay as possible. If 20 or 30 or 40 private communications appear in a single end product report, it is because all of those communications were acquired at essentially the same time. And if this is happening routinely, it's almost certainly because the communications systems that CSE has begun to frequently target routinely generate large numbers of private communications at a time.

Which sounds like chat apps to me.

If these numbers do indicate growing collection of chat-related traffic by CSE, it would appear that the increasing use of encryption in those apps has not had the effect of shutting CSE out of that traffic — at least, not as of 2015-16. Are CSE's targets using insecure messaging apps, or versions that have been "enabled" to undermine their security? Are end-point operations, such as implanting malware on target smartphones, being used to bypass encryption? Given the high level of concern expressed by intelligence and security agencies in recent years about the prospects of "going dark", it will be interesting to see if the number of private communications used by CSE drops off in future reports.

I suspect CSE won't be entirely pleased to see this kind of speculation bandied about — even if my specific guesses are completely off base, which they may well be — so let me just suggest to the agency that if you were instead to declassify figures such as the number of individual persons in Canada who appeared in end product reports that year, the number whose identity information was released to clients at least once, and the total number of reports in which private communications were cited, the public would get figures much better suited to monitoring the privacy implications of CSE's operations, those figures would probably be more reassuring than the ones we get now (and if they're not, all the more reason to release them), and CSE's targets would be denied any basis for speculating as to the types of communications being monitored.

On page 4 of his report, the CSE Commissioner makes a direct plea for greater openness by CSE, highlighting "the need to re-examine what information is able to be disclosed to the public in an effort to promote transparency. Transparency has been a cornerstone of my approach as Commissioner. There have been significant strides in this regard in the United Kingdom and in the United States. It is time to do likewise in Canada."

Seems like a good idea to me.

More to come on the report in future posts (I hope).

Update 9 July 2018:

Stage two here.