Saturday, April 30, 2016

Recent items of interest

Recent news and commentary related to CSE or signals intelligence in general:

- Matthew Braga, "Canada Needs to Revive the Encryption Debate It Had in the 1990s," Motherboard, 26 April 2016.

- "Minister Sajjan delivers keynote address at the 2016 SINET IT Security Entrepreneurs Forum," Government of Canada news release, 20 April 2016. Text of the speech here. [Update 6 May 2016: I don't know where the Minister or his speechwriters got the idea that CSE has been around for "close to 75 years". CSE (then called CBNRC) was born on 1 September 1946, or close to 70 years ago.]

- Alex Boutilier, "Canada’s spies closely watching quantum tech developments," Toronto Star, 20 April 2016.

- Victoria Ahearn, "5 moments from The Good Wife’s visit to Toronto," Canadian Press, 18 April 2016. CSE makes a cameo appearance in the U.S. TV series The Good Wife. But they got the CSE badge wrong (HT to Justin Ling).

- Jordan Pearson & Justin Ling, "Exclusive: How Canadian Police Intercept and Read Encrypted BlackBerry Messages," Motherboard, 14 April 2016. See also Justin Ling & Jordan Pearson, "Exclusive: Canadian Police Obtained BlackBerry’s Global Decryption Key," Vice News, 14 April 2016; Jordan Pearson, "Canada Desperately Needs to Have a Public Debate About Encryption," Motherboard, 14 April 2016; and Justin Ling, "BlackBerry's CEO Won’t Answer Media Calls, Instead He Blogged About Cooperating With Canadian Cops," Vice News, 18 April 2016. Chen's blog post. CSE's March 2011 warning on the (in)security of BlackBerry PIN-to-PIN messaging. Chris Parsons on the vulnerability of BlackBerry messages.

- Ben Makuch, "The 'Darth Vader' of Cyberwar Sold Services to Canada," Vice News, 11 April 2016.

- "Spy Shit," Canadaland podcast episode 129, 10 April 2016. Matt Braga and Jesse Brown discuss "the Panama Papers, CSIS, C-51, and Ben Makuch's ongoing battle with the RCMP". Well worth a listen, but the statement (at about 13:50) that the CSE Commissioner has never declared CSE in violation of the law is not correct.

- Leslie Young, "Former CSIS head Richard Fadden says Canada could someday carry out cyber attacks," Global News, 6 April 2016. More here.

- Sunny Dhillon, "Edward Snowden's talk in Vancouver had an 'electric quality'," Globe and Mail, 6 April 2016.

- Ron Deibert, "My conversation with Edward Snowden," Ronald Deibert blog, 3 April 2016. Video here: "Fireside Chat: Ron Deibert, Edward Snowden & Amie Stephanovich," RightsCon, 1 April 2016. Interesting Snowden comment: "It's true, [CSE's] oversight is hideous, because it was never really thought about. But there's a reason for that. In my experience of the Five Eyes, the Canadian intelligence services were always the least aggressive, they were the least adventurous, they didn't really push the legal boundaries. It was difficult to target Canadians, legally and so on and so forth, for surveillance. And it wasn't until the recent government—I'm not Canadian so I'm not going to name [garbled], I believe it was the Harper government—that things really started to change and oversight became much more important because they became much more aggressive in a short period of time."

- Alex Boutilier, "Canada’s spy agencies looking to work together more, say top secret documents," Toronto Star, 2 April 2016.

- Jim Bronskill, "Government instructions to CSIS on bill C-51 to remain largely secret," Canadian Press, 27 March 2016.

- Jim Bronskill, "Federal agencies sharing information under Bill C-51 provisions," Canadian Press, 24 March 2016.

- Ian MacLeod, "Spy agency watchdog ‘in a difficult position’ with huge budget cuts looming," Ottawa Citizen, 24 March 2016. Possibly a sign the government is planning a major overhaul of the various review agencies?

- Colin Freeze, "RCMP, CSIS see no significant support for operations from federal budget," Globe and Mail, 23 March 2016.

- Colin Freeze, "B.C. multimillionaire pleads guilty to hacking into U.S. military for China," Globe and Mail, 22 March 2016.

- Kyle Matthews & Chantalle Gonzalez, "Our mission against ISIL has one major flaw — it ignores the Internet," National Post, 22 March 2016.

- Dylan Robertson, "Canada Doubles Spending on Counter-Radicalization," Vice News, 22 March 2016.

- Matthew Braga & Colin Freeze, "Agencies did not get federal authorization to use surveillance devices," Globe and Mail, 11 March 2016.

- Emma Loop, "The Drone And The Damage Done: How Canada’s UAV Operation Wounded Its Own," Buzzfeed, 16 March 2016.

- Karen DeYoung, "Canada to boost its advise-and-train mission, intelligence capabilities in Iraq," Washington Post, 11 March 2016.

- B.C. Civil Liberties Association et al., "The necessary components of an effective and integrated national security accountability framework for Canada," 9 March 2016.

- Susan Lunn, "Ralph Goodale says Ukraine cyberattack caused 'international anxiety'," CBC News, 8 March 2016.

- Alex Boutilier, "Cyber security review still in early days, Public Security officials tell Senate," Toronto Star, 7 March 2016.

- Peter Zimonjic, "CSIS head says new powers to disrupt plots used almost 2 dozen times," CBC News, 7 March 2016.

- Colin Freeze, "Documents reveal CSIS wary of Bill C-51 reforms," Globe and Mail, 3 March 2016. The documents.

- David Christopher, "Adopting the UK model won't be enough for Ralph Goodale to address Canada's spy oversight woes," OpenMedia, 26 February 2016.

- Editorial, "Give Parliament the power to scrutinize spy agencies," Toronto Star, 24 February 2016. Response from CSE Chief Greta Bossenmaier.

- Matthew Braga, "Why Canada isn’t having a policy debate over encryption," Globe and Mail, 23 February 2016.

- Alex Boutilier, "Canada’s spies expecting a budget boost," Toronto Star, 23 February 2016. More on CSE's budget here.

- Amanda Connolly, "‘It’s impossible’ to know impact of CSE metadata glitch: commissioner," iPolitics, 22 February 2016. More here.

- Alex Boutilier, "CSE can assist in ‘threat reduction’ without a warrant, documents show," Toronto Star, 20 February 2016.

- Daniel Lang, "Why don't we charge more people with terrorism?" Toronto Sun, 19 February 2016.

- Lucas Powers, "Apple's encryption battle with the FBI could spill into Canada," CBC News, 19 February 2016.

- Bruce Campion-Smith, "Canada’s spy agency CSIS gears up for expanded role in Islamic State fight," Toronto Star, 18 February 2016.

- Luc Portelance & Ray Boisvert, "It’s time for Canada to get serious about national security," National Post, 16 February 2016. See also Stewart Bell, "Canadian security agencies under strain while threats have ‘seldom been so high,’ former senior officials say," National Post, 16 February 2016.

Also of interest: CSE now has a Twitter feed. Maybe this is what the Minister had in mind when he said he has "directed CSE to find new opportunities to communicate with the public more openly about their activities." I can't say it has done much to demystify the place so far. I have a suggestion that I've made in the past, but which I think bears repeating. How about reinstating the degree of public reporting that existed prior to November 2011, when CSE became a stand-alone agency?

Do "old" opportunities not count?

SIGINT history:

The word on the grapevine is that CSE, in a fit of brainlessness some time ago, destroyed the only copies of A History of the Examination Unit: 1941-1945, Gilbert Robinson's July 1945 history of Canada's first cryptanalytic organization. If true, the significantly redacted but still somewhat useful version released many years ago under the Access to Information Act, preserved by me and presumably some other folks, may be all we have left. I'd be very pleased to report that this is not true and the document does still exist in its complete form.

Update 11 November 2016: I'm happy to say that apparently it isn't true: the history does still exist in intact form. Thank goodness! It would be nice to see a more complete version made public.

Update 25 May 2022: Here it is, entirely unredacted.

Saturday, April 16, 2016

Canada and cyber war

Should Canada have an offensive cyber war capability? Comments by former National Security Advisor Richard Fadden, who retired at the end of March, suggest that Canadians need to debate this question.

[Update 10 June 2017: The Liberal government's defence policy statement, Strong, Secure, Engaged, released on June 7th, announced that the Canadian Forces will indeed acquire an offensive cyber capability:
"We will assume a more assertive posture in the cyber domain by hardening our defences, and by conducting active cyber operations against potential adversaries in the context of government-authorized military missions. Cyber operations will be subject to all applicable domestic law, international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments." (p. 15)]

[Update 23 June 2017: The Liberals also plan to give CSE an offensive cyber capability.]

Fadden raised the issue in a recent wide-ranging interview with Tom Clark of Global News. (You can watch the interview here.)

The discussion unfortunately conflated the concepts of cyber attack (also known as Computer Network Attack) and cyber spying (Computer Network Exploitation). Chinese cyber espionage operations against Canadian targets were described as "cyber attacks", for example, as if the operations were attempting to destroy or damage Canadian data or systems, or even the physical infrastructure they control, rather than simply trying to steal information.

This blog does not endorse pedantry for the sake of pedantry, but in this case a little terminological clarity would be helpful.

Computer Network Operations are commonly divided into three kinds of activity: Computer Network Attack (CNA), Computer Network Defence (CND), and Computer Network Exploitation (CNE). Stealing information falls into the category of Computer Network Exploitation.

As the diagram above shows, there are important overlaps between these three activities. CNE can be used to find vulnerabilities in an adversary's systems and prepare the ground for CNA. CNA can contribute to the effectiveness of CND. CND can collect information about adversary capabilities that can be used to support CNE operations.

All three activities draw on the same kinds of capabilities and can be used to support the others.

But there is still a crucial distinction to be drawn between cyber espionage and cyber war. One is spying, and Canada—through CSE—is already deeply engaged in it. The other seeks to damage or destroy data or information systems or even, potentially, to destroy physical objects and kill people. Cyber warfare can range from simple disruption, interfering with the communications of a terrorist organization for example, to total war.

Should Canada develop a cyber war capability?

“It may well be that in some circumstances it’s something that we’d want to do,” Fadden suggests in the interview.

But he also says it would be "expensive and dangerous", and he argues for greater emphasis on CND: "Personally I think we should be better at defensive. Really develop our capacity to resist these attacks and to make sure that people understand the level of threat that we’re under."

So, put him down—tentatively at least—as a cyber war skeptic.

It all sounds very hypothetical.

But I suspect Fadden chose to raise the issue because Canada is moving rapidly towards creating a CNA capability, and it is doing so largely in the dark, with very little public awareness or debate.

NITRO ZEUS: CNA against Iran

Recent revelations about U.S. and Israeli contingency plans for a major cyber war campaign against Iran highlight the extent to which CNA capabilities are moving from the theoretical to the real.

The Stuxnet worm, which the U.S. and Israel used to damage and delay Iran's uranium enrichment program, is the best-known example of a state-sponsored CNA operation.

But Stuxnet was only the tip of the iceberg. According to the New York Times (David E. Sanger & Mark Mazzetti, "U.S. Had Cyberattack Plan if Iran Nuclear Dispute Led to Conflict," New York Times, 16 February 2016), preparations were made for a much wider range of attacks against Iran's "air defenses, communications systems and crucial parts of its power grid" in the event that the dispute over Iran's nuclear program escalated into open use of force.

Preparations for the campaign, codenamed NITRO ZEUS, began in early 2009, and ultimately involved "thousands of American military and intelligence personnel, spending tens of millions of dollars and placing electronic implants in Iranian computer networks to “prepare the battlefield,” in the parlance of the Pentagon."

The operation was envisaged as an adjunct, or possibly an alternative, to a traditional military campaign against Iran. Bringing Israel on board was seen in part as a means of restraining the Netanyahu government from launching a unilateral attack that might prematurely foreclose options for resolving the dispute diplomatically. (More about NITRO ZEUS here.)

Unlike traditional military contingency plans, which normally don't involve actual operations within the target country prior to a decision to go to war, preparations for cyber operations require prior entry into the systems that ultimately would be attacked in order to choose targets, ensure access at the moment of attack, and maximize the effects of the operation. Thus, although the cyber warfare plan was never executed, preparations within the Iranian cyber infrastructure undoubtedly took place.

Similar contingency plans are probably also in place for other potential adversaries such as China and Russia.

As a close NSA ally and a significant CNE player in its own right—one that we know had active operations in Iran at the time NITRO ZEUS preparations were apparently underway—CSE could not fail to be aware at some level of the presence of the U.S.-Israeli operation, although almost certainly not of its details. If nothing else, NSA would have wanted to ensure that CSE's CNE operations did not interfere with or accidentally expose the NITRO ZEUS preparations.

But there is no evidence of any direct Canadian involvement in the NITRO ZEUS preparations, and there's little reason to expect there would have been any Canadian involvement.


This 2013 NSA document describing the state of NSA-CSE cooperation confirms that the two agencies work together on CNE operations in the Middle East, among other regions, but it contains no suggestion that they collaborate on CNA operations.

There are many reasons why the U.S. might want to minimize the number of additional players whose participation would complicate as sensitive and tightly-held a CNA operation as NITRO ZEUS.

But the most important roadblock to such collaboration, at least as far as CSE is concerned, is that CSE has had little or no mandate to conduct CNA activities (although it has shown interest in such capabilities; see p. 22 here).

[Update 19 April 2016: An even better example can be found on p. 23 of this presentation, where CSE says "We will seek the authority to conduct a wide spectrum of Effects operations in support of our mandates."]

The 2015 passage of Bill C-51 has probably opened the way for CSE participation in small-scale CNA activities such as efforts to disrupt the operations of terrorist organizations. Since such activities can now be conducted by CSIS under the "disruption" powers granted to the agency in Bill C-51, CSE's Mandate C, which authorizes it to assist CSIS operations, should provide a legal basis for CSE participation in limited CNA activities under CSIS auspices.

Those powers are unlikely to extend to outright cyber warfare, however. Large-scale activities against the armed forces or domestic infrastructure of an adversary state on the scale of the NITRO ZEUS plan would probably require a different set of authorities.

The Canadian Forces and cyber war

Although CSE's CNE operators might be called upon to provide advice and assistance, large-scale offensive cyber operations would probably be executed by the Canadian Forces acting under the laws of war.

In the United States, a similar division of roles has already been formalized, with the Pentagon's Cyber Command, created in 2010, now responsible for CNA. Although run by the same officer who serves as Director of the NSA and able to draw upon NSA knowledge and resources, Cyber Command is a military organization under military command.

Canada does not yet have a direct equivalent to Cyber Command, but the development of CNA authorities and capabilities has been under discussion within the Canadian Forces for a long time.

A draft strategy paper called on the Canadian Forces to develop the ability to conduct offensive computer operations as long ago as July 2000 (Jim Bronskill, “Cyber-attack capability in military’s plans?” Edmonton Journal, 11 March 2001). [Update 19 April 2016: I am reminded by a reader that early discussions of these issues can be found in documents dating to the mid-1990s.]

But few if any steps were taken in the direction of creating an actual CNA capability for many years. A December 2009 report by DND's Centre for Operational Research and Analysis (CF Cyber Operations in the Future Cyber Environment Concept) confirmed that the CF's network operations were still "not established to conduct offensive network operations".

There is reason to believe, however, that this situation has begun to change.

In April 2011, DND created the position of Director General Cyber to help "develop the military’s future cyber capabilities", potentially including offensive capabilities (Chris Thatcher, "Operationalizing the cyber domain," Vanguard, 26 June 2013).

The current DG Cyber (or DG Cyber Warfare, or DG Cyberspace) is Brigadier General Frances J. Allen, a former Commander of the Canadian Forces Information Operations Group (CFIOG) and an early advocate of CNA capabilities for the CF. (Allen wrote a paper recommending the development of CNA capabilities in 2002 when she was still a lieutenant-colonel. [Update 22 April 2016: I mistakenly said major originally.] [Update 1 April 2024: As I discovered recently when looking through the publications on the Canadian Forces College website, there are actually two versions of Allen's paper available: the other one, presumably the earlier of the two, does indeed list her rank as major.])

More recently, in September 2015, Defence Minister Jason Kenney implied that such a capability either already exists or soon would, saying, "I think you can reasonably assume that when the military develops a command, it has to have the capability to be both offensive and defensive. Potentially hostile countries need to know that, if they are going to launch cyber attacks against our critical systems, Canada and its allies have the capacity to retaliate." (Justin Ling, "Canada’s Defense Minister Talks Fighting the Islamic State, Arming the Kurds, and Cyber Warfare," Vice News, 28 September 2015)

DG Cyber is not a command as such, but Kenney's comments do suggest that Canada may be close to fielding operational CNA capabilities.

The appointment in early 2015 of a Canadian Forces liaison officer to the U.S. Cyber Command also suggests the potential existence of Canadian CNA capabilities.

The discussion document prepared by the government for the current defence policy review (Defence Policy Review: Public Consultation Document 2016) is uninformative about the state of Canada's current cyber warfare capabilities, but it does at least admit that the question is one that needs to be addressed:
"Cyber capabilities can be used to disrupt threats at their source, and can offer alternative options that can be utilized with less risk to personnel and that are potentially reversible and less destructive than traditional uses of force to achieve military objectives. Some of our key allies, such as the US and the UK, have stated that they are developing cyber capabilities to potentially conduct both defensive and offensive military activities in cyberspace. We must consider how to best position the Canadian military to operate effectively in this domain."

[Update 10 June 2017: As noted above, the new defence policy statement, released on 7 June 2017, states that the Canadian Forces will acquire offensive cyber warfare capabilities.
"Defence can be affected by cyber threats at home and abroad – from attempts to steal sensitive information from our internal networks, to cyber attacks on the Canadian Armed Forces on deployed operations, to the use of cyberspace by terrorist organizations to spread disinformation, recruit fighters and finance their operations. Indeed, there has been a steady increase in the number of state and non-state actors developing the capability to conduct disruptive cyber operations. The Defence team works closely with the Communications Security Establishment, Public Safety Canada, Global Affairs Canada and Shared Services Canada on cyber issues. To date, this work has focused on strengthening the defence of important military systems, network monitoring and control, building the future cyber force, and integrating defensive cyber operations into broader military operations. However, a purely defensive cyber posture is no longer sufficient. Accordingly, we will develop the capability to conduct active cyber operations focused on external threats to Canada in the context of government-authorized military missions. The employment of this capability will be approved by the Government on a mission-by-mission basis consistent with the employment of other military assets, and will be subject to the same rigour as other military uses of force. Cyber operations will be subject to all applicable domestic and international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments." (p. 72)]

CNA versus ISIS

CSE and/or the Canadian Forces may already be operating offensively in the cyber domain in a limited way, conducting CNA operations against the Islamic State.

Fadden floated this possibility in a hypothetical way in his interview with Global:
"If we have Canadian troops somewhere around the world, Iraq as an example, and they can use somewhat offensive cyber initiatives in order to reduce the threat that they and allies are facing, I would say that’s not an unreasonable thing for the public service to pull together and ask the government if they want to do."

My own suspicion (see Murray Brewster, "Canada's electronic spy service to take more prominent role in ISIS fight," Canadian Press, 18 February 2016) is that this possibility is considerably less hypothetical than Fadden's comments suggested. The only thing that has been confirmed to date, however, is that CSE is playing a force protection role in Operation Impact.

The U.S. recently acknowledged that its own forces have begun using cyber warfare capabilities against ISIS (Phil Stewart & David Alexander, "U.S. waging cyber war on Islamic State, commandos active," Reuters, 29 February 2016), and, unlike the NITRO ZEUS plan, it seems likely that a Canadian contribution to CNA operations against ISIS would be welcomed by the U.S.

[Update 10 June 2017: Whatever the record to date may have been, Defence Minister Sajjan has now confirmed that such operations may be undertaken in the future (Cormac MacSweeney, "Canada's military will soon be able to disrupt ISIS: defence minister," News 1130, 8 June 2017):
A day after releasing his sweeping new policy for the future of the nation’s military, the federal defence minister says the new cyber team for the Canadian Armed Forces will be able to disrupt terror organizations like ISIS. As the military looks to expand its role, the new defence policy from the government is giving the Armed Forces the power to engage in cyber attacks, and hire a team of new cyber operators. Defence Minister Harjit Sajjan says this is a key move to respond to ever changing threats facing our country. “We need to make sure that we always stay ahead of our adversaries on this.” Sajjan adds this team will be used to disrupt ISIS in our mission in Iraq. “Making sure that we can shut down IED and devices so that our troops, as they drive down the road, that they don’t explode.” He adds cyber attacks can be used to prevent Islamic State agents from using the Internet to teach someone how to make something like an improvised explosive device. “A facilitator that’s teaching other people online how to build IED’s that potentially might, threaten our soldiers — being able to shut that down for the sake of safety of our troops. Those are the thing we’re talking about,” adds Sajjan.]

The bigger picture

The development and spread of cyber warfare capabilities poses significant new security problems for Canada and other countries.

In principle, CNA operations can be very precise and limited, but they may also have the potential to produce indiscriminate nationwide or even global effects, destroying or disabling vital infrastructure, paralyzing government operations and economic activity, and causing significant civilian casualties.

The potentially game-changing nature of cyber warfare capabilities has been compared to that of nuclear weapons.

There are of course many important differences between cyber weapons and nuclear weapons. Nuclear weapons pose a true existential threat to human civilization. Cyber weapons might cause catastrophic damage in a worst-case scenario, but they are more likely to be used like conventional weapons to produce much more limited and localized (although not necessarily entirely predictable) effects.

Still, a world with widespread cyber weaponry could prove highly unstable. Cyber weapons pose a significant attribution problem (how do you know who's actually attacking you?), and the barriers to the acquisition of cyber weapons are low, meaning a wide range of states, groups, and even individuals may be able to develop significant cyber capabilities. In addition, the effectiveness of cyber capabilities may depend on maintaining access to and even deliberately introducing vulnerabilities into potential target systems during peacetime, which could end up increasing the likelihood of hostilities. Finally, the huge range of possible damage levels in cyber warfare and the overlap between CNA and CNE activities mean there is no clear threshold between cyber peace and cyber war, and thus the possibility of blundering into an unintended conflict is potentially very high. With no clear agreement on cyber rules of the road, there are many ways even a CNA strategy focused on deterrence could fail catastrophically.

It is not necessary to frame the risks posed by cyber warfare in apocalyptic terms to nonetheless recognize that, as Fadden suggested, CNA activities could be both expensive and dangerous. A focus on defence and resilience may well be the best path to take.

At the very least, Canadians should have an open debate on the pros and cons of taking the cyber war path before the government launches us down that road.

Update 22 June 2016: More from a somewhat less skeptical-sounding Fadden here: Murray Brewster, "Former CSIS head says Canada should have its own cyber-warriors," CBC News, 22 June 2016. Transcript of Fadden's remarks to CBC The Current, 22 June 2016.

Update 26 August 2016: Former CSE Chief John Adams joins the debate, calling for the development of offensive cyber war capabilities for the Canadian Forces: John Adams, "Canada and Cyber," Canadian Global Affairs Institute, July 2016.

Update 11 June 2017: Some comments on the policy on Canadian Forces offensive cyber operations unveiled in the June 2017 defence policy statement.