Monday, September 19, 2016

Everyone does it, media edition

From today's Globe and Mail editorial on cybersecurity:
The former head of the Canadian Security Establishment, the electronic spy agency, recently argued in a Canadian Global Affairs Institute policy paper that the military should have the authority to go on the cyber offensive.
Other recent media examples:

- Toronto Star

- National Post/Ottawa Citizen

- CBC News

- Canadian Press

- Vice News

See also Even NSA does it, Part I and Part II and Even GCHQ does it.

Thursday, September 01, 2016

Marking 70 years of eavesdropping in Canada

As the Communications Security Establishment turns 70, Bill Robinson looks at how the agency has evolved over the years — growing its staff, adapting to new technologies and changing its targets.

(Published on, 1 September 2016)

On Sept. 1, Canada's electronic eavesdropping agency, the Communications Security Establishment (CSE), will celebrate its seventieth birthday. The 62 civilians who showed up for work on Sept. 3, 1946 (the 1st was a Sunday and the 2nd was Labour Day) would hardly recognize the 2,100-person cyberspy agency that CSE has become today. But while much has changed, many of CSE's fundamental features have been in place since the beginning.

The original name of Canada's signals intelligence (SIGINT) agency was the Communications Branch of the National Research Council (CBNRC). Authorized to grow to 179 employees, CBNRC was the peacetime incarnation of the Joint Discrimination Unit, a small civilian–military organization that had itself evolved from the civilian Examination Unit, Canada's first code-breaking agency, and the SIGINT processing units established by the three military services.

Today CSE occupies a brand-new billion-dollar glass-walled complex with its own supercomputer centre and attached data warehouse in suburban Ottawa. CBNRC's original accommodations were less luxurious. Housed on the top floor of the La Salle Academy, a Catholic boys' school in downtown Ottawa, Canada's most secret intelligence agency shared its quarters not only with the teachers and students of the school but with a professional theatre company that used the school auditorium as a playhouse. CBNRC staffers would come downstairs during their lunch hours to eavesdrop on up-and-coming actors like Christopher Plummer and William Shatner rehearsing their parts.

Like its wartime predecessors, CBNRC was envisaged from the start as a contribution to a transnational SIGINT collection, processing, and reporting conglomerate rather than a free-standing agency that focused primarily on monitoring Canadian targets for Canadian customers. By contributing to the collective pool of Allied intelligence, Canada gained access to a much wider array of information than it could ever obtain on its own.

Although Canada was not a signatory of the BRUSA (later renamed UKUSA) Agreement that extended U.S. and UK SIGINT cooperation into the postwar era, provision for cooperation with Canada and other British dominions was explicitly written into its terms, and the Canadian government had agreed to contribute a string of radio intercept stations and to coordinate its cryptanalytic activities with those of its partners even before the agreement was formally signed on March 5, 1946. A Canada–U.S. agreement, signed in 1949, further cemented Canada's role in the eavesdropping alliance. Australia and, later, New Zealand were also integrated into the network, creating the five-nation partnership now known as the Five Eyes.

The Soviet Union was the primary target of the partners, but attention was also directed at other countries of interest. CBNRC's initial targets, located in Europe, South America, and the Far East, were set in consultation with Britain and the U.S., and much of the work depended on the traffic collected by those allies. Canada's own intercept sites focused primarily on the Soviet Union and provided their traffic mainly to the U.S. and UK for processing.

The SIGINT allies made steady progress against Soviet communications in the first few years, and it seemed likely that the dramatic successes of the war, when the U.S. and Britain were able to read many of Germany and Japan's most secret messages, would be repeated. But the Soviets soon learned of the allies' successes and moved quickly to improve the security of their own systems. In 1948, just as the Cold War seemed about to go hot, the growing cryptanalytic window into the Soviet Union went dark. It would be 30 years before the allies of the UKUSA Agreement regained significant access to Soviet high-level encrypted communications.

The birth of metadata collection

Unable to read the Soviets' most secret messages, the UKUSA allies resorted to plain-language (unencrypted) communications and traffic analysis, the study of the external features of messages such as sender, recipient, length, date and time of transmission—what today we call metadata. By compiling, sifting, and fusing a myriad of apparently unimportant facts from the huge volume of low-level Soviet civilian and military communications, it was possible to learn a great deal about the USSR's armed forces, the Soviet economy, and other developments behind the Iron Curtain without breaking Soviet codes. Plain language and traffic analysis remained key sources of intelligence on the Soviet Bloc for much of the Cold War.

But it took a lot of people to process all that material. The U.S. and UK SIGINT agencies, NSA and GCHQ, expanded rapidly during the 1950s, and CBNRC did likewise, growing from 200 employees in 1950 to 600 by the end of the decade and refocusing almost exclusively on the Soviet Union and the Arctic. The Canadian cryptanalytic program, originally CBNRC's primary activity, was largely abandoned in 1957. Instead of reading top-secret dispatches from Khrushchev to his generals, CBNRC analysts processed reams of unencrypted teletype and Morse Code messages and wrote reports on gold production in Siberia, aircraft factories in Ukraine, and air defence operations in the Soviet Arctic. Canadian intercept sites tracked the movements of Soviet aircraft inside Soviet airspace by listening in on the messages passed between the USSR's own radar stations.

At the beginning of the 1970s, following the launch of the CANYON series of eavesdropping satellites by the U.S., CSE set up a special unit of Russian-language transcribers to help process the masses of voice intercepts that began pouring in from short-range radio systems and microwave lines that had previously been beyond the range of the eavesdroppers.

The times they are a-changing

Pressures were building for change, however.

In 1974, CBNRC was outed in the media and became the target of probing questions in the House of Commons. A year later it was given a new home in the Department of National Defence and a new name, the Communications Security Establishment.

At the same time, the growing capabilities of eavesdropping satellites, photoreconnaissance satellites, and, with the advent of the supercomputer, the code-breakers at NSA and GCHQ gave the UKUSA allies an increasingly complete picture of developments in the Soviet Bloc. Plain language and traffic analysis, CSE's specialties, declined in importance, while the deepening Cold War tensions at the end of the decade placed the agency under pressure to step up its contributions to the UKUSA effort.

The response was the first significant increase in CSE's staff since the 1950s. During the 1980s and early 1990s CSE grew by 50 percent, topping out at just over 900 employees. The agency also hired a new team of code-breakers, purchased a Cray supercomputer to support them, installed satellite monitoring dishes at the Leitrim intercept station, and established covert monitoring sites in Canadian embassies around the world. The focus of the agency's efforts remained on the Soviet target, but other issues, such as Sikh extremism, also appeared on the target list.

End of the Cold War, start of a new vision of 'safety'

The Cold War ended just as CSE was completing its build-up. In 1989 the Berlin Wall came down, and by the end of 1991 the Soviet Union had disintegrated. Many of CSE's most important targets disappeared. History itself, according to the famous claim, had come to an end.

For the first time since the end of the Second World War the Canadian government was forced to confront the question, what foreign intelligence does Canada need? With economic competition widely expected to dominate future relations among states, "prosperity issues" topped the list of priorities that emerged.

CSE's continued access to the UKUSA network and the new capabilities it had acquired in the 1980s positioned it well for the new era. Instead of facing cuts like CSIS and the Canadian Forces (and indeed most of the federal government as the Chretien government sought to eliminate a sizeable budget deficit), CSE underwent only minor reductions, ending the 1990s with the same number of employees as it had at the beginning of the decade.

The picture was not entirely rosy, however. The Internet had arrived as a significant player in global communications, and CSE lacked the legal authority to intercept communications that might involve Canadians. The growing use of fibre optic cables and the spread of encryption led to renewed fears of going dark. The UKUSA SIGINT agencies began to consider the merits of actively hunting intelligence through computer hacking (computer network exploitation, or CNE) rather than passively gathering whatever information happened to come their way.

In 2000, CSE set a new vision for itself: “to be the agency that masters the global information network to enhance Canada’s safety and prosperity.”

Safety would soon become the dominant priority.

Turning points: The War on Terror and the Internet

When history resumed on that bright September morning in 2001, counter-terrorism and support to military operations in Afghanistan became CSE's highest priority. The Anti-Terrorism Act gave CSE a statutory mandate for the first time and empowered it to conduct CNE operations and to intercept communications involving Canadians (when the actual targets of the intercepts were foreigners located outside of Canada). The doors to the treasury also opened, and recruiting began for the largest expansion in the agency's history. By the time it finished in 2013, CSE had more than doubled, growing to more than 2,100 employees.

Osama bin Laden may have been the indirect father of that dramatic growth, but something else was also going on: CSE and its Five Eyes partners had decided to become the Masters of the Internet.

Bank robbers go where the money is; SIGINT agencies go where the data is. Increasingly, that means the Internet. Canada's legacy intercept stations—Alert, Gander, Masset, and Leitrim—are still in operation, the U.S. eavesdropping satellites are busy tracking mobile phones in Syria and Yemen, but the real action takes place in the global network of fibre-optic cables and packet-switching routers that comprise the physical infrastructure of cyberspace. CSE maintains that "the Five-Eyes alliance is more valuable now than at any other time in history, given the increasingly complex technological challenges faced by the partners."

Traffic analysis—now called data mining—is back, with vast quantities of metadata collected to sift and prioritize the staggering flood of plain-language communications coursing through the cables. Encrypted communications are also collected—and decrypted when feasible and judged worth the effort. In many cases, it's not. Worries about going dark have surfaced once again as encrypted Internet services gradually spread. But don't expect encryption to put an end to SIGINT. Increased reliance on CNE is likely to be the response.

Cyber warfare also looms on the horizon. CSE may already be using computer network attack techniques to help CSIS disrupt threats to Canadian security. However, true cyber warfare is likely to be a mission of the armed forces, as it is in the United States. In July, former CSE Chief John Adams called publicly for the acquisition of offensive cyber warfare capabilities by the Canadian Forces.

Another new factor is the presence of Canadians in CSE's hunting grounds. CSE was unable to assist during the FLQ crisis in 1970—it had no capability to monitor Canadians. In the post-2001 era, that is no longer true: the Internet traffic of Canadians mixes with that of everybody else, and CSE encounters it even when it is trying not to. When operating under judicial warrants obtained by CSIS or the RCMP, it deliberately goes after Canadian communications. CSE also passes on information about Canadians collected by its Five Eyes partners.

A special watchdog—the CSE Commissioner—was established in 1996 to monitor the legality of CSE's activities. Over the years, Commissioners have often reported weaknesses in the measures the agency takes to protect Canadian privacy, but only once, last year, has a Commissioner declared CSE in non-compliance with the law.

Whether CSE's watchdog is an adequate safeguard for the privacy of Canadians is a matter of continuing debate. One thing, however, is clear: As CSE enters its 71st year, the days when its gaze faced exclusively outward are gone for good.