Sunday, October 09, 2016

CSE: What do we know? What do we need to know?

Here's a summary of the presentation I made at the Sécurité internationale, sécurité intérieure: connexions et fractures colloquium at Laval University on October 6th.

[See also the updated and extended version I delivered at the University of Ottawa on November 23rd.]

The Communications Security Establishment: What do we know? What do we need to know?

Some of the people here today will know a great deal about the Communications Security Establishment, but it is likely that most do not know a lot about it, so I'd like to begin with some background information about the agency.

(The photo shows the Edward Drake Building, CSE's new headquarters. Source.)

CSE has a three-part mandate laid out in the National Defence Act.

The SIGINT program addresses all three elements of CSE's mandate and accounts for $421 million of the agency's $584 million budget for FY 2016-17, while the ITSEC program is focused on Mandate B and accounts for $163 million.

The agency recently celebrated its 70th birthday, but its origins lie in the signals intelligence co-operation initiated between the Western allies during the Second World War.

(CSE's first headquarters was located on the third floor of the La Salle Academy, a Catholic boys school in downtown Ottawa, shown on the left. The facility had previously been occupied by one of CSE's wartime predecessor organizations, the Joint Discrimination Unit.)

Although Canada was a very small player in Second World War SIGINT, it participated in the planning that allocated intercept and processing tasks among the allies and shared in the intelligence output. This deep integration of SIGINT activities laid the foundations for the very close co-operation that has persisted to the present.

Lt-Col Ed Drake is circled in red in this photo from a 1944 planning conference. (Source.) Five other Canadians and the British cryptanalyst supplied to Canada to run the Examination Unit (the civilian in the back row) are also in the photo.

The U.S. and U.K. agreed to continue SIGINT cooperation into the post-war era even before the war ended, with the new primary target to be the Soviet Union. The BRUSA (later renamed UKUSA) agreement, the founding document of the post-war partnership, was negotiated in the fall of 1945 and signed on 5 March 1946.

Canada and the other Dominions of the British Empire were not signatories of the agreement, but provision for their participation was written into it, and they agreed to abide by its terms at a conference held in London the month before it was signed. The U.S., represented by STANCIB (the State Department, Army, Navy Communications Intelligence Board), reserved the right to deal directly with Canada, but it agreed to deal with the other dominions through the U.K.

By the time CSE, known originally as the Communications Branch of the NRC, was formally established on 1 September 1946, its position as junior member of a multinational SIGINT conglomerate had thus already been determined.

The CBNRC was transferred to the Department of National Defence and renamed the Communications Security Establishment on 1 April 1975. In November 2011 it became a stand-alone agency, still under the Minister of National Defence but no longer a part of the department.

The radio intercept stations that supplied CBNRC/CSE are operated by the military, currently the Canadian Forces Information Operations Group.

Oh, and there's Ed Drake again.

We turn now to an extremely abbreviated history of the organization:

There was a Cold War, during most of which CSE focused almost exclusively on the Soviet Union.

Then the Cold War ended, and CSE found new targets, principally diplomatic and economic.

And then this happened, and CSE's focus shifted once again.

Which brings us up to the present.

Since 9/11, counter-terrorism has been CSE's top priority, with Support to Military Operations also of increased importance.

The advent of the Internet also had a dramatic effect on the agency's operations, opening whole new avenues for SIGINT operations, including Computer Network Exploitation activities to access "data at rest" on target computer systems.

The Internet soon became the primary hunting ground of the SIGINT partners, and they undertook to Master the Internet.

The post-9/11 era saw the greatest period of growth in CSE's history. Now apparently stabilized at a staff of about 2100–2200, CSE has 2.3 times as many employees as it had prior to 9/11 and 3.5 times as many as it had through most of the Cold War.

Its budget has also grown dramatically in recent years. At $584 million in FY 2016-17, CSE's current budget is 4.3 times as high in inflation-adjusted dollars as its pre-9/11 budget. (The spike to nearly $900 million in 2014-15 was the result of a one-time $300 million payment made when the agency's new headquarters was completed.)

Canada's legacy radio intercept stations—Alert, Gander, Masset, and Leitrim— are still in operation, the first three now operated remotely from Leitrim...

...but the real SIGINT action now takes place in cyberspace. (Source.)

And, inevitably, mixed in among the Internet traffic that CSE monitors is the Internet traffic of Canadians. (This graphic depicts the amount of worldwide Internet traffic that passes through Canada or the United States. Source.)

The intermingling of Canadian Internet traffic with that of the rest of the world means that CSE encounters Canadian communications even when it is trying not to do so. And this raises an important question:

I have three answers to that question.

The first answer is the one you usually get from CSE or government ministers and members of parliament—often these exact words. This prohibition is indeed written into the National Defence Act, not this precise formulation, but words to the same effect.

However, there are several important exceptions to this absolute-sounding rule:

First, the rule prohibits only activities "directed at" specific Canadians or persons in Canada. Thus, for example, bulk collection of metadata, because it is not collected with any specific target in mind, is permitted—even if, as in the "Airport wi-fi" case, all of the metadata in question relates to persons in Canada.

"Incidental" collection of Canadian communications (collected when one of CSE's foreign targets communicates with a Canadian) is also permitted.

Targeted collection of Canadian communications is permitted under Mandate C (i.e., when a federal law enforcement or security agency requests such collection and has lawful authority for the request).

Finally, CSE is permitted to receive Canadian communications collected and forwarded by its SIGINT allies, although it is not permitted to request the targeting of Canadians. CSE recently formalized procedures for providing such intercepts to CSIS.

None of these exceptions opens the door to unlimited mass surveillance of all Canadians, and such information as we have suggests that the amount of Canadian-related information collected by CSE is, with the exception of metadata, mostly very limited.

But the information we have is itself very incomplete, and a surprisingly large amount of legal surveillance could be hidden behind the details that remain redacted.

This leads to my third answer: We don't know.

We don't know the full meaning of "directed at" as the government understands the term. CSE modified its activities following a 2012 court case that rejected an attempt by CSIS to broaden the meaning of the term, which suggests that, at that time at least, CSE was operating with an excessively permissive understanding of its meaning.

Furthermore, the question of "directed at" could become less and less meaningful as CSE and its SIGINT allies move towards a "collect it all" posture. "Collect it all" is more an aspiration than a reality at the moment, but growth in monitoring and storage capabilities could make it more feasible as time goes on.

An unknown amount of activity could also be underway to analyze metadata or other non-content data on behalf of CSIS or the RCMP. Such processing might fall beneath the threshold considered to require a judicial warrant, and thus would be subject to much less stringent limits. Canadian communications that are not considered "private communications" under the Criminal Code might also be subject to looser rules.

The potential for larger-than-realized access to Canadian-related information through allied collection and sharing also needs to be recognized.

Finally, it might also be questioned whether CSE actually obeys the various rules that limit the extent to which it is legally permitted to monitor Canadians.

This leads to my next question:

I have four answers to this question.

The notable exception occurred in 2015 when the CSE Commissioner declared CSE in violation of the law. (The decision was reported to the public in 2016).

The complications arise because not every instance in which CSE fails or may have failed to follow legal requirements is assessed by the Commissioner as formal non-compliance (see my somewhat tongue in cheek discussion here).

Here's the short explanation of that.

It's worth noting that these are mostly fairly minor incidents. There's no systematic program of monitoring Canadians hiding among these items, although some of the disagreements over legal interpretations do touch on CSE's core activities.

Over the years, CSE Commissioners have recommended a long list of amendments that would clear up these interpretation issues and place CSE on a sounder legal footing. The government promised action on a number of amendments as long ago as 2007, but nine years later we're still waiting.

A broader question relates to uncertainties in the proper interpretation of the laws that pertain to CSE's activities. In this respect, not even CSE really knows if it obeys the law. In many cases, the courts have simply not addressed these questions.

This could change as a result of the BCCLA and CCLA court challenges currently underway.

My final thought with respect to CSE and the law is, why wouldn't we expect it obey the law (at least, as the agency understands it)?

There is every reason to believe that compliance with the law is a fundamental part of CSE's ethos, and if the government wanted the agency to do something not currently legal, it could probably manage to make it legal. It's the government that writes the laws after all, although that power is somewhat checked by the courts.

The question of whether the government will grant itself additional "lawful access" powers is currently back on the parliamentary agenda.

The question of compliance with the law is certainly important.

But, for me, the greater concern is what's being done, or could be done, entirely within the law.

It may be that CSE's activities related to Canadians are comparatively minor and tightly constrained. But they might also be quite a lot larger than the information that is currently public suggests. We just don't know.

And the potential for excessive, intrusive surveillance will only grow in the future.

Which leads to my final question:

I don't have a lot of answers to this question.

Maybe we can rely on "sunny ways"?

(The photo shows Prime Minister Trudeau addressing CSE employees at the Edward Drake Building in June 2016. To the best of my knowledge, this was the first time a prime minister visited CSE.)

More seriously, a number of proposals have been made to improve the oversight/review mechanisms and reform the legal regime pertaining to CSE and other members of the Canadian intelligence community.

I will now punt this question to people who know what they are talking about, such as Kent Roach and Craig Forcese.

Thank you.


Post a Comment

<< Home