Thursday, September 24, 2015

Filling in the blanks: Analysis of CSE CNE documents

The addition of Computer Network Exploitation (CNE) operations to CSE's range of activities dramatically changed the nature of Canada's signals intelligence agency, but very little information has been released about CSE's CNE operations. Most of what Canadians know about the subject comes from the Snowden documents, but a small amount has come from other sources, including official documents released under the Access to Information Act. These documents are worth a close look, as they sometimes reveal a little more than they appear to at first.

A document recently released to the Globe and Mail is a good example. Called OPS-3-1, Operational Procedures for [Redacted] Activities, and dated 11 December 2012, it is almost certainly the document that spells out CSE's operational policies for CNE.

At least, that's what I think.

The title of the document was redacted from the released version (see graphic above). But the length of the redaction can clearly be seen, as can the small portion of the letter "p" or "q" that remains unredacted in the top line. A test using the same typeface (see text in red) shows that "Computer Network Exploitation (CNE)" fits exactly within the redacted space, with the "p" in computer appearing in exactly the right spot to account for the unredacted letter portion.

"Computer Network Exploitation (CNE)" also fits exactly within the redacted spaces in the body of the document, and the abbreviation CNE fits exactly within the small redacted spaces that refer to the activities. (Note also how, in the final redacted spot shown in this graphic, a small portion of the first letter extends outside the redacted area, indicating that it must be a "C", "G", "O", or "Q".)

The same substitutions also work for the 2011 version of the document (released earlier), even though omission of the word "Operational" from the document's name means that two of the redacted words now have to fit within the top line.

None of the foregoing proves that OPS-3-1 is indeed CSE's Computer Network Exploitation policy document, but I think there can be little doubt that it is.

What does OPS-3-1 tell us?

If OPS-3-1 is indeed CSE's CNE document, then a number of interesting new bits of information can be gleaned from it.

Most notably, comparison with the 2011 version of OPS-3-1, also released in redacted form, indicates that there has recently been a significant change in the approval process for CNE operations.

OPS-3-1 distinguishes between three types of CNE operations for foreign intelligence collection. The factors that distinguish these types from one another have been redacted, but some of the details of the approval processes for the three types remain.

Under the 2012 procedures, the first type of operation—evidently the least sensitive—can be approved at the group director level. These operations probably build on techniques and accesses that are already in place and don't pose any special risks to CSE personnel or capabilities or to the government as a whole.

The second type of operation is divided into four subcategories, two of which can be approved by the relevant group director, while the third requires approval by the Deputy Chief SIGINT and the fourth requires approval by the Chief of CSE (or any senior executive officially designated to carry out the Chief's duties). The document also states that the Chief "must consult with the Minister before approving any particularly sensitive [CNE] operations or those that carry significant risk."

The third type of operation must be personally approved by the Minister, "if required due to sensitivity or significant risk", or by the Chief, "if appropriate" (presumably when the operation is not considered sufficiently sensitive or significantly risky). Even in the latter circumstance, consultation with the Minister appears to be required in most or perhaps all cases. The National Security Advisor must also be informed "as necessary", and all such operations require preparation of a "separate operational security plan".

These approval procedures differ significantly from those in the 2011 version of the document. In the 2011 version, the Chief could approve any operation of the second type, whether sensitive/risky or not, with no obligation for ministerial consultation. Operations of the third type did require ministerial consultation, but it was the National Security Advisor who gave final approval for the operation. The minister had no formal approval role. (The requirement to consult with the minister did imply a certain level of tacit approval, of course, as the minister could certainly intervene to prohibit or modify any plan he didn't agree with.)

CSE's November 2011 transition to stand-alone status, which removed both the Deputy Minister of National Defence and the National Security Advisor from the CSE chain of command, is undoubtedly part of the explanation for the subsequent changes in these approval processes. But the changes were more significant than that. Not only is the minister consulted on a wider range of operations under the new procedures, but approvals formerly given by a senior bureaucrat now require explicit ministerial sign-off.

The decision to kick decision-making on such operations upstairs to the minister may reflect a growing recognition of the sensitivity of CNE operations. As the Snowden revelations subsequently showed, such operations can be highly embarrassing when information about the operation leaks and the target is revealed to be a friendly nation such as Brazil. Operations against a Five Eyes partner would be even more sensitive, and presumably would be contemplated only if the potential payoff were considered to significantly outweigh the risks. Operations that involved the physical installation and maintenance of equipment outside Canada might have the potential to place personnel at risk as well.

Another interesting revelation is that CSE conducts CNE operations not only under its foreign intelligence mandate (Mandate A), but also under its support to federal law enforcement and security agencies mandate (Mandate C). In other words, persons in Canada, and Canadians abroad, are also potentially the target of CSE CNE operations, as long as CSE has received a lawful request from one of these agencies.

This is perhaps not surprising, as CSE can presumably use any of its capabilities in support of such agencies when those agencies have suitable legal authority, but it is significant nonetheless. CNE capabilities are potentially extremely intrusive, and even ostensibly less-intrusive CNE techniques such as metadata collection and analysis can have major privacy implications. Furthermore, it is not clear what warrant requirements exist for the use of some of these techniques, or even whether the government considers a warrant necessary for some of them, and the rules that govern CSE use and retention of Canadian data collected directly or incidentally through these techniques are for the most part equally unclear.

The OPS-3-1 documents may fill in a couple of these details. The 2011 version of the document notes, for example, that "All Mandate C [CNE] activities are conducted from Canada." This appears to be a reference to CSIS's DIFTS warrants for monitoring Canadians abroad, which specified that CSE's contribution would be conducted from within Canada. The 2012 version of the document has a similar statement, but "from Canada" has been redacted ("All [CNE] activities conducted under part (c) of CSEC's Mandate are conducted [redacted].").

With the passage of Bill C-44, it is possible that this requirement no longer applies.

CSE can also conduct CNE operations in support of CSIS foreign-intelligence collection within Canada (e.g., monitoring foreign diplomats in Canada), which is governed by s.16 of the CSIS Act. The 2011 version of OPS-3-1 reports that "The CSIS-CSEC Liaison Officer must approve the release of reports derived from collection obtained pursuant to Section 16 of the CSIS Act." (The 2012 version is identical, but redacts the words "CSIS-CSEC Liaison Officer".)

Similarly, CSE use of traffic collected in the course of other Mandate C operations, whether conducted on behalf of CSIS or other agencies, must be "approved by the agency for which CSEC provided support."

The 2011 document also has a section detailing how "Solicitor-Client Communications", which presumably are occasionally collected during such operations, are to be handled. But the contents of the section have been withheld. The 2012 document appears to have this section as well, but all references to solicitor-client communications have been redacted from this version.

Ministerial Authorizations

CSE's Ministerial Authorizations (MAs) are also worth examining.

Ministerial Authorizations are granted to authorize the agency to conduct activities that risk the interception of "private communications", i.e., communications with at least one end in Canada. CSE currently obtains three SIGINT MAs and one IT Security MA annually.

The memos to the minister requesting the 2012-13 versions of these MAs have been released under the Access Act, although in very highly redacted form. Not much can be learned from the sadly depleted remains of the documents that were released, but they do show that of the three SIGINT MAs requested that year, only one pertained to OPS-3-1. It seems reasonable to conclude that this one MA covers CNE activities, and perhaps even that the MA is specifically dedicated to such activities. (Since CNE involves hacking-style operations to actively collect "data at rest" or enable more traditional "passive" collection, it is quite distinct from the traditional kind of SIGINT activities that agencies such as CSE used to focus on.) The other two MAs probably cover those more traditional activities: collection of circuit-switched communications, such as those carried by land-line telephone networks, and collection of packet-switched communications, such as e-mails, referred to respectively by the Five Eyes agencies as DNR and DNI collection. (See, for example, the discussion in this NSA document.)

[Update 6 December 2022: As I wrote here, I now think it more likely that those other two MAs covered "Radio Frequency Collection" and "Cable Access Collection". The MA regime changed significantly in 2019 when the CSE Act entered into force, but typically there are still three "Foreign Intelligence Authorizations" issued every year, and it seems likely to me that they still break down CSE's collection activities similarly.]

As can be seen in the excerpts below, fill-in-the-blanks analysis would seem to confirm that the MA that cites OPS-3-1 does indeed concern CNE operations (or at least that such an interpretation is plausible).

Ministerial Directives

Ministerial Directives (MDs) are also important. MDs provide direction to CSE on how to conduct its activities. While MAs pertain to techniques/activities that may involve the interception of private communications, MDs mostly concern specific programs, which may utilize more than one of the techniques covered by MAs. MDs may also relate to policy areas such as privacy that pertain to CSE's activities more generally. Thus, MDs and MAs do not necessarily correspond directly to one another. Nonetheless, it is likely that there is at least one Ministerial Directive that pertains directly to CNE activities.

That MD, I would guess, is the Ministerial Directive on [redacted] signed on 20 November 2012.

Note how the portions of the characters that extend from the redaction box at the bottom of the excerpt (the bottoms of two p's or q's and the bottoms of the parentheses) are consistent with "Computer Network Exploitation (CNE)".

Like OPS-3-1, the Ministerial Directive states that CSE conducts CNE activities under both Mandate A and Mandate C: "CSE also conducts [redacted] in Canada in support of, and at the request of, federal law enforcement and security agencies."

Also of interest is the fact that the 2012 version was the first update of the directive since 2002. That earlier MD, issued by Defence Minister David Pratt on 14 January 2002, may have been the first Ministerial Directive specifically on the CNE program, and may actually have established the program.

CSE would certainly have been interested in CNE activities prior to 2002, and probably had started to move in the direction of establishing a CNE capability. NSA's Tailored Access Operations unit was created in 1997, and CSE would certainly have been aware of the potential of such operations by that date.

But in the late 1990s CSE was hamstrung by tight or even shrinking budgets, and it also faced limitations on what it could legally do.

In 2000-01, the agency reviewed its programs and settled on a new vision of its mission: “to be the agency that masters the global information network to enhance Canada’s safety and prosperity”. But it took until December 2001, with the post-9/11 passage of Bill C-36, for that new mandate ("To acquire and use information from the global information infrastructure") to be enshrined in law and accompanied by suitable legal powers.

The global information infrastructure was defined to include "electromagnetic emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, systems or networks."

As Lieutenant-Colonel Frances J. Allen (now a brigadier-general and recently appointed Director General Cyber at DND) wrote in 2002, passage of this law provided "a legal framework through which CSE, the CF, or both could undertake intelligence gathering using CNE techniques."

The post-9/11 world also brought new money into the CSE budget, a one-time cash infusion of $37 million, announced in October 2001, and then a 25% budget increase, announced in December 2001 and effective April 2002. (Additional increases came in later years.)

January 2002 thus seems like a plausible moment for the CNE program to have been established.

The Department of National Defence's 2002-03 Departmental Performance Report subsequently confirmed that CSE created "a new and strengthened technical capacity to gather intelligence from the global information infrastructure" during that year. This "technical capacity" may well have been the CNE program.


Most of the foregoing analysis is based to one degree or another on guesswork, and even if that guesswork is correct it doesn't add up to a whole lot of new hard information. But we may know a bit more about the origins, operations, and control of CSE's CNE program than was hitherto realized.

Monday, September 14, 2015

August 2015 CSE staff size

2023. Still dropping.

Peak Spook (2254) was reached in November 2014.

Now down more than 10% from that figure.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Saturday, September 12, 2015

Even NSA does it

Friday, September 11, 2015

CFS Alert growing in importance?

This L.A. Times report on intelligence-gathering in the Arctic (Brian Bennett & W.J. Hennigan, "U.S. builds up Arctic spy network as Russia and China increase presence," Los Angeles Times, 7 September 2015) suggests that Canadian Forces Station Alert is growing in importance as concern about the region increases:

As China and Russia boost their military presence in the resource-rich far north, U.S. intelligence agencies are scrambling to study potential threats in the Arctic for the first time since the Cold War, a sign of the region's growing strategic importance.

Over the last 14 months, most of the 16 U.S. intelligence agencies have assigned analysts to work full time on the Arctic. The Office of the Director of National Intelligence recently convened a "strategy board" to bring the analysts together to share their findings.

In addition to relying on U.S. spy satellites orbiting overhead and Navy sensors deep in the frigid waters, the analysts process raw intelligence from a recently overhauled Canadian listening post near the North Pole and a Norwegian surveillance ship called the Marjata, which is now being upgraded at a U.S. Navy shipyard in southern Virginia.


To help keep watch, Canada has refurbished a listening post called CFS Alert at the northern tip of Ellesmere Island, about 500 miles from the North Pole. It was once part of the Distant Early Warning line, a system of radar stations that watched for incoming Russian bombers or missiles.

"It was thought to be a relic of the Cold War," said Rob Huebert, a professor in Arctic affairs at the University of Calgary. "Now it is a critical element of an intelligence system that monitors a part of the world that few have access to."

About 100 intelligence officers stationed at CFS Alert, which stands for Canadian Forces Station, try to intercept Russian aircraft and submarine communications and other signals intelligence. Canada shares the take with U.S. intelligence agencies.

It's hard to know how seriously to take all this.

Unless Bennett and Hennigan have scooped us all on the goings-on at Alert, the actual number of military and civilian personnel at Alert is only around 77, of whom just 5 to 10 work in operations. And the latter personnel are only there as technicians to keep the equipment running. Communicator Research personnel have not been routinely deployed to Alert for some 18 years, and there are no "intelligence officers" there. All of the processing and analysis work is done remotely from CFS Leitrim, in Ottawa, as it has been since completion of the "remoting" project in 1997.

Alert also has never been a part of the DEW Line (or the North Warning System for that matter). But it does provide SIGINT-based tip-offs about Russian training flights in the Arctic to NORAD. Colonel Steven Moritsugu, the Commander of the Canadian Forces Information Operations Group (CFIOG), recently acknowledged Alert's contribution to NORAD in testimony to the House of Commons National Defence Committee:

The signals intelligence capability, which is provided by what we call our uniquely advantageous location at Canadian Forces Station Alert, contributes to the defence of North America by providing an important intelligence input to the Canadian Armed Forces and to our binational North American Aerospace Defense Command, or NORAD. ...

Our main reason for having the station there would be the defence of Canada, the defence of the homeland, and the defence of North America.

Our primary sharing is with NORAD.

I'm not sure what the L.A. Times means by a "recent overhaul" of the station either, although there does seem to have been a minor increase in the number of personnel posted at Alert in recent years. The number of people at the station bottomed out at around 53 in 2008 following an effort to cut costs and civilianize a lot of the workforce; the current total, as noted above, is around 77 (although the RCAF's Alert web page, which hasn't been updated for some time, still says 55, plus 4 Environment Canada employees).

The explanation for the increase could be as simple as fluctuations in the number of temporary personnel present at the station for specific research projects. Underwater acoustic monitoring research has long been conducted at Alert, for example, and Col. Moritsugu's reluctance to talk about that subject in his recent testimony suggests that such activities may still be underway.

What there doesn't seem to have been in recent years is a significant increase in the signals intelligence activities at the station.

That said, there is little doubt that interest in the kinds of SIGINT that Alert can produce will have grown in recent years.

The changes underway in Arctic intelligence-gathering may not be quite as dramatic as suggested in this article, or in James Bamford's similar piece in May ("Frozen Assets," Foreign Policy, 11 May 2015), but we can pretty safely conclude that the Canadian government won't be shutting the place down any time soon.

Update 2 February 2016:

Still just 79 personnel at the station: Matthew Fisher, "Canada’s ‘frozen chosen’ at top of the world have been in the dark since Oct 14," National Post, 1 February 2016

Monday, September 07, 2015

Recent items of interest

Recent news and commentary related to CSE or signals intelligence in general (catching up from the beginning of the summer):

- Doug Saunders, "How do you spot the next terrorist?" Globe and Mail, 15 August 2015.

- Mike Zajko, "Canada’s cyber security and the changing threat landscape," Intermediation blog, 8 August 2015.

- Christopher Parsons & Tamir Israel, "Canada’s Quiet History of Weakening Communications Encryption," Telecom Transparency Project, 7 August 2015.

- Graham Templeton, "When Canada Learned It Had Spies," Motherboard, 5 August 2015. More about the original documentary here and here.

- "Extract of Pages from the CSE intranet, 2014," 3 August 2015. Some very interesting information in this material obtained through the Access to Information Act, including the fact that CSE's intranet provides "clocks" showing the time of day at CSE and five of its partner agencies: the other four members of the Five Eyes and a fifth agency, the identity of which is redacted. (See page 187.) Who is the secret partner? ISNU seems like the likely candidate, but that's just a guess.

- Duncan Campbell, "GCHQ and Me: My Life Unmasking British Eavesdroppers," The Intercept, 3 August 2015. The story of one of the pioneers of public investigation of signals intelligence. Long a personal inspiration to me, Duncan was recently a co-author of a report that I also worked on.

- Justin Ling, "Anonymous Vows to Keep Leaking Canadian Spy Secrets Over Police Shooting," Vice News, 28 July 2015. The main part of the story concerns a document about CSIS foreign stations that was leaked by Anonymous. However, in a video accompanying the leak the group also claimed that "shortly after [the Conservatives won] a majority in 2011, the NSA discovered that Stephen Harper had grown a bit too big for his Christian britches. He and the Canadian [sic] Security Establishment were attempting to spy on their Five Eyes partners in the US. Obama's top intelligence officials were furious when they caught CSE in the act. They vowed to kill off Harper's number one priority, the KXL pipeline." No evidence was provided for this assertion, however. See also Adrian Humphreys, "Anonymous says it hacked Canada’s security secrets in retaliation for police shooting of B.C. activist," National Post, 25 July 2015; Claire Wählen, "‘Anonymous’ starts slow leaking of cabinet confidences, CSE spy attempts," iPolitics, 27 July 2015; and "Anonymous CSIS document leak probed by RCMP, CSE," CBC News, 28 July 2015. Related: "Exclusive Interview: #Anonymous’ #OpCyberPrivacy Celebrates #AntiCanadaDay on #CanadaDay," The Cryptosphere, 1 July 2015.
[Update 26 September 2015: Anonymous now claims it was CSIS, not CSE, that was caught spying on the U.S.]

- Jim Bronskill, "File breach at electronic spy agency prompts mandatory privacy training," Canadian Press, 27 July 2015.

- Alex Boutilier, "A Canadian Snowden? CSE warns of “insider threats”," Toronto Star, 26 July 2015.

- Scott Vrooman, "Canada's electronic spy agency fears threat of informed public," Toronto Star, 22 July 2015 (video).

- Susana Mas, "Steven Blaney announces new funding for cyber security," CBC News, 22 July 2015. Truly the Groundhog Day of national security stories.

- "Minister Fantino and Minister Aglukkaq Announce Upgrades to Northern Defence Infrastructure in Alert and Iqaluit," News Release, Department of National Defence, 15 July 2015. "In Alert, the water treatment system will be upgraded with a new 257,000-litre tank part – along with repairs to the flooring and the structure of the water treatment plant building." Who says the government never provides information to the media?

- Justin Ling, "Canadian Police, Spies Eyed Hacking Team Tech — and the Law Now Makes it Easier to Acquire," Vice News, 13 July 2015.

- Wesley Wark, "The summer of cyber attacks," Ottawa Sun, 3 July 2015.

- Jim Bronskill, "Government abruptly drops Supreme Court appeal on overseas CSIS spying," Canadian Press, 7 July 2015. When the government launched its Supreme Court appeal of Justice Mosley's 2013 ruling, it wanted the Court to clarify "the scope of the Federal Court's jurisdiction under s. 21 of the CSIS Act to issue warrants governing the interception of communications of Canadians by foreign agencies at Canada's request" and to determine whether such warrants are even "required". (It had earlier advanced the theory that such warrants are not required.) It also told the Court that the Canadian public is "entitled to know what constraints are imposed on CSIS in this regard." The legal situation changed somewhat following the passage of Bills C-44 and C-51, but, as Bronskill's article notes, the question of when warrants are needed remains: "With the government now abandoning the case, the court won’t have an opportunity to set out “when CSIS is going to need to get these warrants in the first place,” said Carmen Cheung, senior counsel at the British Columbia Civil Liberties Association." Maybe the government has decided that this is something they would rather not know, because they might not like the answer?

- "Federal intelligence agency [CSE] denies its website was hacked," CTV News, 2 July 2015. Earlier: "Cyberattack takes down CSIS website," CTV News, 29 June 2015. Just a DDoS attack, so no need to hyperventilate...

- Dave Pugliese, "Federal departments jockey to take over former e-spy headquarters," Ottawa Citizen, 1 July 2015.

- Jenna McLaughlin, "Canadian Surveillance Agency Says Snowden Leaks Were Damaging, Because We Say So," The Intercept, 1 July 2015.

- Christopher Parsons, "Industry Canada Transparency Report Guidelines Intensely Problematic," Telecom Transparency Project, 30 June 2015. The Guidelines.

- Justin Ling, "New WikiLeaks Documents Allege ‘Economic Espionage’ Against France By US and Allies," Vice News, 29 June 2015.

- Paul Heinbecker & Daniel Livermore, "Who speaks for Canada, spies or diplomats?" Globe and Mail, 29 June 2015.

- "CSE says Snowden leaks eroding spy agency's long-term advantage over terrorists," Canadian Press, 26 June 2015.

- Craig Forcese, "One Warrant to Rule Them All: Re-Conceiving the Judicialization of Extraterritorial Intelligence Collection," National Security Law blog, 24 June 2015.

- Jim Bronskill, "Spies wanted mere info-sharing tweaks, government ushered in total overhaul," Canadian Press, 24 June 2015.

- Craig Forcese, "Stumbling toward Total Information Awareness: The Security of Canada Information Sharing Act," National Security Law blog, 24 June 2015.

- Ben Makuch & Justin Ling, "Anonymous Claims Responsibility for Cyber Attack on Canadian Government Websites," Vice News, 17 June 2015.

- Craig Forcese, "Cops without Borders: The RCMP's long anti-terror arm," National Security Law blog, 13 June 2015.

- Christopher Parsons, "‘Defending the Core’ of the Network: Canadian vs. American Approaches," Telecom Transparency Project, 10 June 2015. EONBLUE compared to U.S. approaches.

- Steven Chase, "Canada vastly expands data collection of travellers, boosts spy agency budget," Globe and Mail, 4 June 2015.

- Two Years After Snowden: Protecting Human Rights in an Age of Mass Surveillance, Privacy International & Amnesty International, 4 June 2015.

- Christopher Parsons, "New Update to the SIGINT Summaries," Technology, Thoughts & Trinkets blog, 2 June 2015.

Not in the news: The CSE Commissioner's 2014-2015 annual report. Normally, it would have been made public by now, but I suppose it can't be tabled in parliament while that august institution is technically dissolved.

Or maybe there's actually something newsworthy in it for a change.

SIGINT history

Former CSE employee Ron Lawruk recently published a book about his time working at the agency: Out of the Shadows: The Life of a CSE Canadian Intelligence Officer, Friesen Press, 2015. I haven't read it yet, so can't pronounce an opinion on it, but it is clear that he's not a critic of his former employer. From the book's website:

In this first-hand account as an intelligence officer with the Communications Security Establishment at the Canadian Department of National Defense, author Ronald Lawruk describes the Cold War years with an insider’s perspective. The nature of his work required him to be highly secretive—he could not share a whiff of it to anyone, even his wife. Even so, there are plenty of laughs amid tense tales of real-life war games in the frozen Arctic and briefings from high level government officials. From Ottawa to Washington to Moscow, Out of the Shadows: The Life of a CSE Canadian Intelligence Officer will change the way you think about Canadian intelligence and heighten your awareness of current Arctic sovereignty issues.

More info here.

Also of interest, Radio-Canada has made a number of espionage-related items from its archives available on-line (all in French, of course). Highlights include:

- "Le Centre de sécurité et des télécommunications," Radio-Canada, 20 March 1989 (video).

- "Les révélations de Mike Frost," Radio-Canada, 20 October 1994 (radio).

- "Le Centre de recherche informatique de Montréal," Radio-Canada, 13 November 1999 (video).

- "Les plus grandes oreilles du monde!" Radio-Canada, 12 May 2000 (video). Includes interviews with CSE whistleblowers Mike Frost and Fred Stock.