Sunday, March 11, 2018

INMARSAT monitored at Gander

This map, taken from an NSA document recently published by The Intercept, shows the footprints of the fourth generation INMARSAT satellites, which provide telephone and data services primarily to mobile users (ships, aircraft, and handheld satellite phone users). The map also shows 28 ground locations, evidently depicting the sites where the Five Eyes partners monitor the key spot beams serving regions of interest to those agencies. One of those locations corresponds to CFB Gander, the home of CFS Leitrim Detachment Gander, a Canadian SIGINT site known primarily for its huge FRD-10 antenna array. The Gander detachment is remotely operated from Leitrim, which presumably processes the INMARSAT traffic collected at Gander.

The document is undated, but it was probably produced around 2011 ± 2 years, i.e., after the launch of the three satellites whose footprints are shown on the map but before the next generation of satellites began to join them in orbit.

The 28 ground sites are unlabeled, but it is clear that they are not intended to represent INMARSAT users, who are predominately to be found in ocean areas (at sea or in the air) and in remote, poorly serviced land areas. Instead, they correspond to known Five Eyes SIGINT collection sites, either long-standing intercept stations or known locations of monitoring facilities hidden in embassies.

The intercept stations are Bude, U.K.; Cyprus; Hawaii; Misawa, Japan; Shoal Bay, Australia; Sugar Grove, West Virginia; Waihopai, New Zealand; Yakima, Washington; and Gander. (Sugar Grove and Yakima have since closed, but they were active at the time this map seems to have been produced.)

The remaining 19 locations are all in non-Five Eyes capital cities that are known to host or to have hosted intercept facilities: Algiers, Algeria; Baghdad, Iraq; Bangkok, Thailand; Beijing, China; Bogota, Colombia; Brasilia, Brazil; Caracas, Venezuela; Islamabad, Pakistan; Kinshasa, D.R. Congo; Lusaka, Zambia; Madrid, Spain; Managua, Nicaragua; Manila, Philippines; Mexico City, Mexico; Monrovia, Liberia; Moscow, Russia; Nairobi, Kenya; New Delhi, India; and Port Moresby, Papua New Guinea.

This map of monitoring facilities operated by the Special Collection Service in U.S. diplomatic sites shows that in 2010 the U.S. was present in all but one of these locations, Port Moresby. (One other site, Monrovia, was listed as dormant at that time.) Port Moresby is reported to host an ASD listening post in the Australian High Commission, so in that case the INMARSAT monitoring is probably conducted from that location. Some of the other capital cities shown on the map also host non-U.S. sites in addition to SCS sites, so it is possible that INMARSAT monitoring is conducted by other Five Eyes parties in some of those locations as well.

It is, I think, entirely unsurprising to find evidence that Canada is involved in INMARSAT monitoring. I suspect we've been at it since the 1990s, or even the 1980s, probably using antennas at Leitrim and possibly other locations as well as Gander. INMARSAT communications monitored from Gander probably pertain mainly to the region off Canada's East Coast, and to the Western North Atlantic more generally, where activities such as human and narcotics smuggling and illegal fishing would be considered important targets for intelligence collection.

Wednesday, March 07, 2018

Privacy Commissioner also calls for changes to Bill C-59

Privacy Commissioner Daniel Therrien has also called for changes to Bill C-59.

In a letter dated 5 March 2018, Therrien recommended 11 amendments to the bill, including two pertaining specifically to the CSE Act's provisions on the acquisition and use of "publicly available information":

"RECOMMENDATION 10: That section 24 [of the CSE Act] be amended to add a limit to the activities listed in 24(1) namely: the measures shall be reasonable and proportional in the circumstances, having regard to the reasonable foreseeable effects on Canadians and people in Canada including on their right to privacy"; and

"RECOMMENDATION 11: That the definition of “publicly available information” in section 2 of Part 3 be amended to specify that information is published or broadcast lawfully, and that information obtained through purchase or subscription was legally obtained or created by the vendor."

Explanations for these recommendations can be found in the Commissioner's letter.

The Commissioner Therrien also expressed his support for one of the recommendations made by the CSE Commissioner in January:

"We note that, in his brief provided to the Committee on December 6, 2017, the Commissioner for CSE recommended that the Intelligence Commissioner 'should approve the active cyber operations in addition to the defensive cyber operations that are authorized by the Minister pursuant to subsections 30(1) and 31(1) of the proposed Communications Security Establishment Act.' We agree with this recommendation, as it addresses a gap in the Intelligence Commissioner's authority to approve activities under all CSE mandates."

News coverage:

Alex Boutilier, "Ottawa’s privacy watchdog wants limits on spies’ information collecting powers," Toronto Star, 8 March 2018.

Wednesday, February 28, 2018

CSE wins big in 2018 budget

The 2018 budget, tabled by the Finance Minister on February 27th, promises some big spending boosts for the Communications Security Establishment over the next five years, with additional money pledged for both the IT Security and the SIGINT programs.

For starters, the government is promising to spend $507.7 million over the next five years, and $108.8 million per year thereafter, to fund a new National Cyber Security Strategy (NCSS). $155.2 million of that sum, and $44.5 million per year ongoing, will be provided to CSE to create a new Canadian Centre for Cyber Security (see pages 203-205):
By consolidating operational cyber expertise from across the federal government under one roof, the new Canadian Centre for Cyber Security will establish a single, unified Government of Canada source of unique expert advice, guidance, services and support on cyber security operational matters, providing Canadian citizens and businesses with a clear and trusted place to turn to for cyber security advice. In order to establish the Canadian Centre for Cyber Security, the Government will introduce legislation to allow various Government cyber security functions to consolidate into the new Centre. Federal responsibility to investigate potential criminal activities will remain with the RCMP.
To carry out its responsibilities, the RCMP will get a new National Cybercrime Coordination Unit funded to the tune of $116.0 million over five years, and $23.2 million per year after that.

The rest of the NCSS money, $236.5 million over five years and $41.2 million per year after that, will go "to further support Canada’s new National Cyber Security Strategy." At the moment, however, it appears that none of that additional money will flow CSE's way.

Even more money will be provided to "modernize/enhance the Government’s digital services" (see page 206): "$2.2 billion over six years, starting in 2018–19, with $349.8 million per year thereafter, [will be spent] to improve the management and provision of IT services and infrastructure within the Government of Canada, and to support related cyber security measures." Most of that cash will be going to Shared Services Canada, but an unspecified portion of it is promised to CSE.

[Update 28 February 2018: According to the Defence Minister's office, CSE will receive a total of $16 million over six years from this funding.]

Meanwhile, new money is also promised to the SIGINT program (see page 208): "In order to keep pace with rapid technological change that can challenge its ability to effectively collect foreign signals intelligence, the Government proposes to provide the Communications Security Establishment $225 million over four years, starting in 2020–21, and $62.1 million ongoing, to ensure this capability is preserved."

If these promised budget boosts are fully implemented, the new IT Security and SIGINT money will eventually total an extra $106.6 million a year for CSE, plus whatever money comes from the digital services initiative and any additional National Cyber Security Strategy money that ends up in CSE's coffers. [The information I received from the Minister's office indicates that these amounts will be minimal.] If no other changes are made to CSE's budget in the interim, this would represent an increase about 18%—large, but not quite of the scale of the increase (25%) the agency received in the immediate wake of 9/11.

Even at 18%, it is likely that the new funding will mean significant new growth in CSE's staff. Currently at about 2300 employees, the agency could eventually grow to 2700 or even more, although it is possible that a significant number of those bodies might end up working for contractors instead and thus wouldn't appear on the employee rolls. The SIGINT side alone could easily expand by 300 people, which would enable development of a significant Computer Network Attack capability as well as support growth of more traditional intelligence-gathering activities.

These are pretty big numbers.

For now, however, most of the money exists only in the political fantasyland of distant budget-year promises. We probably won't even know what all of this means for the fiscal year about to start until the 2018-19 Main Estimates are released, which, according to this new thing called Interim Estimates, could be as late as mid-April. Stay tuned for that.

The government's decision to dedicate significant additional resources to national cyber security and to concentrate that effort in one organization, much as the British and some of our other allies have done, is a good one, I think. As to whether it will be sufficient to address the threat, I have no idea. I assume we'll get some more details of what precisely is proposed whenever the National Cyber Security Strategy itself is released.

I'm undecided on the question of whether CSE should be the agency where the national cyber security effort is concentrated. CSE certainly has most of the expertise on this subject now, and to the extent that cyber security draws on intelligence-gathering efforts to detect, attribute, and counter such activities its involvement may be essential. But CSE's other mandates also pull it in the opposite direction, away for example from initiatives that might have the effect of making cyberspace as a whole a more secure place.

The fact that the same budget is promising to boost the SIGINT program—so as to preserve and/or increase Canada's ability to conduct its own Computer Network Exploitation and Attack operations—throws this whole aspect into rather stark relief. Intelligence-gathering is certainly valuable. The net benefits of CNA I'm less convinced about.

But as to whether those various imperatives are best balanced within a single agency or among two or even three agencies at the Cabinet/PCO level is, I think, a serious question that we seem at the moment to be answering by default.

News coverage:

Alex Boutilier, "Liberals pitch $500 million cyber security plan," Toronto Star, 27 February 2018.

Murray Brewster, "Federal budget shores up cyber defences but is silent on new jets and warships," CBC News, 27 February 2018.

Carl Meyer, "Budget targets 'increasingly sophisticated' cyber attacks on government," National Observer, 27 February 2018.

Jim Bronskill & Lee Berthiaume, "New federal cybersecurity strategy follows 'overlap, lack of clarity'," Canadian Press, 28 February 2018.

Monday, February 26, 2018

Canada's initial post-war SIGINT targets

When CSE, then called the Communications Branch of the National Research Council (CBNRC), began operations in September 1946, it had four SIGINT targets.

Set in consultation with Canada's U.S. and U.K. allies, those initial targets were selected primarily to provide a range of different training opportunities for the new agency. As the official History of CBNRC described it, "The basic purpose of these tasks was to provide initial training in producing intelligence from a variety of foreign communications and cipher systems."

Kurt Jensen's 2008 book Cautious Beginnings: Canadian Foreign Intelligence, 1939-51 identified those initial targets in general terms: "The cryptanalysis unit would focus on Europe, the Far East, and South America. The prime decryption assignments were in the French, Spanish, and Chinese languages, with only the latter representing a departure from wartime interests."

In fact, there was one other significant language in use... Portuguese.

Brazilian Portuguese.

The released versions of the History of CBNRC, particularly the 2015 release, provide a number of details about those initial tasks, but the identities of specific countries/languages tasked are redacted, meaning you have to work a bit to figure them out.

The best clues are to be found in the 2015 document's largely unredacted index, which has four significant gaps where the entries for Brazilian, Chinese, French, and Spanish used to be. As it happens, the 1990s release of the History redacted the names of those entries but not the lists of locations where the terms actually appear in the text. Thus, it is possible to check hypothesized names against the redacted terms in the 2015 text to see if their length and context make sense.

In the case of French, it is even possible to find the term unredacted in certain paragraphs (those that discuss bilingualism in the public service). The fact that no other term in those paragraphs matches the Fairley-to-GCCS gap in the index confirms that the redacted entry is indeed French. Chinese also appears once in the text in similar circumstances.

Collateral information, such as Marcel Roussin's background as a specialist in Latin American diplomatic history, is also helpful for solidifying the identifications.

With the four broad targets identified it is possible to fill in several of the blanks in the document, which in turn reveals a number of additional interesting details about these tasks:
  • The Spanish task was focused on Spanish naval forces and depended to a significant degree on traffic collected by GCHQ. This quickly proved to be a problem. Higher priorities forced GCHQ to drop its coverage of the Spanish target by the beginning of 1947, leading CBNRC to abandon the Spanish task not long afterward. (It was replaced by CBNRC's first Russian task.)
  • The French task focused on French military (i.e., army) and naval traffic. The Examination Unit had done a lot of work on both Vichy French and Free French systems during the war, so this was an area where Canada already had some experience. The French task also suffered from reductions in collection by GCHQ, however, and in October 1950 the decision was made to phase it out in favour of more Russian work.
  • The focus of the Brazilian task is not clear. It may have included diplomatic or commercial traffic instead of or in addition to service traffic. The Brazilian task remained active until November 1956.
  • The Chinese task, which seems to have consisted mostly of civil traffic, was the last to go, being dropped in November 1957. The end of the Chinese task coincided with CBNRC's decision, taken in conjunction with NSA and GCHQ, to focus the Canadian SIGINT effort from that time on almost entirely on the Soviet Arctic.

Tuesday, February 06, 2018

Five Eyes SIGINT governance: Meetings galore

The relationship among the Five Eyes SIGINT agencies is extraordinarily close. It is not that uncommon for intelligence agencies to cooperate with their foreign counterparts in limited ways on specific topics of mutual interest, but the depth and breadth of cooperation among the "Second Parties" to the UKUSA Agreement is truly remarkable.

Each of the five agencies that participate—NSA, GCHQ, CSE, ASD, and GCSB—remains an independent entity under national control and responding to national intelligence priorities, but in many respects they also work as a single, supranational entity, setting common goals, building interoperable systems, and sharing technology, people, and, to an extraordinarily large degree, raw and assessed intelligence.

Born in the darkest days of the Second World War and institutionalized for the post-war era by the BRUSA Agreement (subsequently renamed UKUSA) of 5 March 1946, the UKUSA community has only grown closer and more tightly integrated in the decades up to the present. In addition to the UKUSA Agreement and other, subsidiary agreements (notably the CANUSA Agreement), the allies jointly set common Strategic Directions, adopt Resolutions at consultative meetings, and sign memoranda of understanding on common projects and programs. Personnel serve on exchange inside allied collection, processing, and analysis sites, take training courses at allied facilities, and work in permanent liaison offices established at each other's agencies to ensure continued close cooperation. The agencies are even able to task some of the collection systems operated by their allies. Much of the metadata and in some cases raw content of the SIGINT the agencies collect is made accessible to the partners, and most of the SIGINT reports issued by the agencies—some 500 per day—are shared among the partners.

Senior executives of the agencies consult among themselves whenever major issues arise, hold regular monthly, in some cases weekly, teleconferences, attend annual meetings as a group, and also hold frequent bilateral meetings. Lower-level committees meet regularly to work out specific problems, facilitate specific areas of cooperation, or run shared programs, and regular conferences are held to share information or tradecraft. In the wake of 9/11, as the allies sought to extend their intelligence cooperation even further and move from the traditional ethos of "need to know" to a new one of "need to share", the number and nature of these meetings and conferences proliferated.

The internal newsletter of NSA's Signals Intelligence Division, SID Today, leaked by Edward Snowden, provides some insight into this aspect of UKUSA cooperation. I did a review of the SID Today articles written over the two-year period between June 2003 and May 2005 and found references to 49 conferences or other meetings involving the participation of two or more Five Eyes members. (The source articles can be found here.)

Note that this list contains only those meetings mentioned in SID Today. Thus, in addition to those NSA-related SIGINT meetings that may have gone unmentioned, it excludes all meetings pertaining to the cybersecurity activities of the agencies and most of the bilateral SIGINT meetings in which NSA was not a participant.

Several of the meetings listed (those marked with an asterisk) were described as the first in an ongoing annual series on that topic, demonstrating the extent to which consultation and sharing was expanding at this time. Many of the other meetings listed were already annual.

Broader Five Eyes relationship

The Five Eyes cooperative relationship is no longer merely an arrangement among cryptologic agencies. The partnership may have begun with SIGINT, but extensive intelligence-sharing has also long occurred among the Five Eyes' security-intelligence, human-intelligence, and military-intelligence agencies, both at the operations level and at the level of multi-source assessed intelligence, up to and sometimes including National Intelligence Estimates and equivalent documents. More recently, formal Five Eyes fora have also been created in such areas as law enforcement cooperation and critical infrastructure protection.

Sometimes these fora have also been extended, at least for limited purposes, to include other countries. The SIGINT Seniors Europe and SIGINT Seniors Pacific groupings are example of this development in the signals intelligence sphere.

I imagine the recent report that France has become part of a "Five Eyes plus France" group that meets one or more times a year in Washington (Pierre Tran, "French official details intelligence-sharing relationship with Five Eyes," Defense News, 5 February 2018) is an example of that trend with respect to broader intelligence cooperation. What I do not think it heralds, however, is anything remotely like the deep, wide-ranging, and day-to-day integration of activities that characterizes the unique SIGINT relationship among the UKUSA five.

Tuesday, January 30, 2018

CSE Commissioner calls for changes to Bill C-59

CSE Commissioner Jean-Pierre Plouffe called for changes in Bill C-59 in testimony to the Standing Committee on Public Safety and National Security today.

The Commissioner was accompanied by OCSEC Executive Director Bill Galbraith and special legal advisor Gérard Normand, who also testified. The transcript of the meeting is not yet available, but you can watch the hearing here. (It's also worth watching the testimony by Michael Vonn and Ray Boisvert that follows.)

In a document provided to the committee, the Commissioner called for nine substantive and thirteen technical amendments to the bill. [The original version of this blog post listed only the seven proposals outlined in this earlier submission by the Commissioner, which was the only one available online on January 30th.]

Here are the Commissioner's recommendations:
Substantive recommendations

1. The Intelligence Commissioner (IC) should approve the active cyber operations [and] defensive cyber operations that are authorized by the Minister pursuant to subsections 30(1) and 31(1) of the Communications Security Establishment Act (CSE Act).

2. The IC should have the right to request clarifications with respect to the information presented to him, short of receiving or accessing information that the Minister would not have seen.

3. The IC should be able to conditionally approve authorizations, pursuant to section 13 of the IC Act.

4. The IC should prepare a public annual report to the Prime Minister for him to table in both Houses.

5. Subsection 21(1) of the IC Act should provide that while the decision of the IC must be made within a 30-day period, the reasons could follow later.

6. Regarding subsection 37(3) of the CSE Act, it is suggested that the decision by a Minister to extend, for one more year, an authorization on matters of foreign intelligence or cybersecurity should be reviewable by the IC.

7. Paragraph 273.65(2)(c) of the National Defence Act... states that the Minister needs to be satisfied that "the expected foreign intelligence value of the information that would be derived from the interception justifies it". This has not been replicated in Bill C-59 and should be added.

8. Sections 38 to 40 of the CSE Act provide for a regime dealing with "repeal and amendment" that appears inconsistent and should be re-examined.

9. Subsection 41(2) of the CSE Act should provide that emergency authorizations issued by the Minister in foreign intelligence and cybersecurity matters are reviewable by the IC and base its process on the United Kingdom model under the Investigatory Powers Act 2016.

Technical recommendations

1. The wording in subsection 23(1) of the Intelligence Commissioner Act (IC Act) should be clarified to specify what is included in "all information that was before [the Minister]" that is provided to the Intelligence Commissioner (IC).

2. Regulation-making authority should be inserted in the IC Act to enable the creation of regulations for carrying out the purposes and provisions of the Act, as well as on more specific matters.

3. The Communications Security Establishment Act (CSE Act) and the Canadian Security Intelligence Service Act (CSIS Act) should clearly provide that both the authorization/determination and all information that led to the decision by the Minister should be provided to the IC for the purpose of his review.

4. The wording in section 13 of the IC Act should be amended to state that the IC should review all the information in order to determine whether the conclusions of the Minister are reasonable.

5. Section 25 of the IC Act should clarify the type and nature of the information being contemplated, such as briefings, or backgrounders, to help the IC exercise his role. The word "may" should be replaced by "must" for information requested by the IC.

6. The IC Act should provide that records obtained by the IC in the course of his duties are not under the IC's control, for Access to Information Act and Privacy Act purposes.

7. The wording in subsection 11.03(3) of the CSIS Act should be similar to that in subsections 29(1) of the CSE Act and section 11.23 of the CSIS Act.

8. Some terms found in Bill C-59 should be defined or clarified for the benefit of those responsible for enforcing the legislation, as well as those who will be asked to issue authorizations or approvals.

9. The entity proposed as the IC should be called the "Judicial Intelligence Commissioner" or the "Judicial Commissioner for Intelligence" and the title of the legislation changed to reflect the name.

10. The threshold set out in subsection 11.03(2) of the CSIS Act, is too low and will make the IC's review practically impossible.

11. The Minister responsible for the IC Act should be the Prime Minister.

12. The period of validity for authorizations issued under subsections 30(1) and 31(1) of the CSE Act [i.e., defensive and active cyber operation authorizations] should be up to 6 months.

13. Section 10 of the IC Act should clarify that the concept of legal advisor is covered by the term "person having specialized knowledge".
The terms that the Commissioner recommended be defined are:
a. "information" (as used throughout the CSE Act);
b. "acquire", "collection" and "interception" (as used in the CSE Act, as well as the CSIS Act; the term "interception" is defined in the Criminal Code but is problematic with respect to the foreign intelligence collection process);
c. "disclosure" and "disseminate" (as used in the CSE Act);
d. "predominantly" (as used in the CSIS Act);
e. "publicly available dataset" (this term is defined in the CSIS Act but the definition is circular)
As can be seen, the CSE Commissioner's recommendations were limited to matters concerning the role of the proposed Intelligence Commissioner, which the CSE Commissioner will become if the bill is passed.

Several of the Commissioner's recommendations paralleled those made by various other commentators, including the authors of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) and Citizen Lab report on the bill. (I'm currently a Citizen Lab Research Fellow and was one of the five co-authors of the report.)

Especially notable were the Commissioner's recommendations that ministerial authorizations for active and defensive cyber operations be subject to the approval of the Intelligence Commissioner and that the Commissioner be able to specify conditions when approving authorizations, both of which were also recommended in the CIPPIC/Citizen Lab report (recommendations #5 and #9).

In response to a question, the Commissioner and his legal advisor also expressed general agreement with the CIPPIC/Citizen Lab report's recommendation (#6) that the Intelligence Commissioner provide written reasons for all decisions.

The Commissioner's appearance before the committee was limited to one hour, which is a great shame as a productive discussion could easily have gone on for several hours, but at least the Commissioner and the subsequent witnesses were given a respectful hearing and the questions asked of them were constructive. I honestly don't understand how the previous government found that kind of basic decency so difficult to display.

Update 26 February 2018:

On 23 February, the CSE Commissioner submitted a number of additional recommendations to the standing committee examining Bill C-59, including two more pertaining to the CSE Act part of the bill:

1. "Amend the provisions falling under the Procedure part of the CSE Act (sections 34 to 37) to ensure that the Intelligence Commissioner can review the full content of an authorization."

2. "Amend subsections 27(1), 30(1) and 31(1) of the CSE Act to ensure that the Minister can issue authorizations that will be lawful “despite any other law, including that of any foreign state” as opposed to the current and more limiting wording of “despite any other Act of Parliament or of any foreign state”. Proceed to amend subsections 28(1) and (2) of the same Act accordingly, save for the reference to foreign state."

The Commissioner's submission contains brief explanations of each of the recommendations.

The cyber operations aspect of the second issue was also recently raised by Craig Forcese ("Does CSE risk a Re X moment with the current drafting in C-59?" National Security Law blog, 2 February 2018).

News coverage/commentary:

Alex Boutilier, "Electronic spy agency watchdog asks for more powers," Toronto Star, 30 January 2018.

Craig Forcese, "The (Quasi) Judicialization of CSE Cyber Operations (Active & Defensive)," National Security Law blog, 31 January 2018.

Monday, January 22, 2018

ATipper #11: JRO Strategic Research Contexts

Another item from the Access to Information files:

According to access release A-2016-00068, CSE's Joint Research Office, which conducts research in support of both the SIGINT program and the IT Security program, groups its efforts into "Strategic Research Contexts".

As of 2014, the JRO had 20 SRCs:

The subjects of two of the SRCs, R5 and R9, were redacted from the release.

Fortunately, a list of the 19 SRCs that existed in 2013 has already been published, so those who are curious can discover for themselves what the big secrets were. (See page 4.)