Monday, April 16, 2018

And still darker: CSE stops reporting budget breakdown

The Main Estimates for fiscal year 2018-2019 were tabled today in parliament and — surprise! — CSE reported even less information than it has in the past.

Instead of providing a breakdown of its spending showing the amounts allotted to the Signals Intelligence (SIGINT) program and the Information Technology Security (ITSEC) program, as it has done every previous year since 2012, this year the agency is providing only a single overall figure, with a paraphrase of the agency's motto, "Protect and Provide Information", offered in lieu of any actual explanation. Maybe we should be grateful that at least it wasn't provided in the original Latin.

In correspondence with me, after the original version of this article was posted, CSE said that the reduction in data was prompted by a change in the way the Treasury Board wants to organize this kind of reporting. To demonstrate their continued openness they tweeted the figures for 2018-19: $407,399,615 for the SIGINT program and $217,494,338 for the ITSEC program.

I commend CSE for doing that, but I still think the change is highly regrettable.

According to the agency, in the future the only routine public reporting of these numbers will be through the government's online data portal INFOBASE, where they will appear only sometime after the end of the relevant fiscal year. They will no longer appear in either the Estimates or the Public Accounts, or presumably in any other form of published paper documentation.

Posting out of date numbers on INFOBASE is certainly better than nothing, especially for people like me who study the history of the agency over a timeframe of decades.

But it is not good for people interested in current policy and plans. If you want to know how much the government proposes to spend in a particular year on Canada's cybersecurity, for example, or even whether that spending will be going up or down, you could very well be out of luck.

And that includes the MPs who will be voting to provide those funds, unless they elicit the numbers from CSE in committee testimony or otherwise. CSE promises that it will be providing those numbers to the committee that examines the Estimates. But even if that does happen every year without fail, it is no substitute for publishing them in a formal document available to all.

[Update 21 June 2018: Aaaaand the first test of this system is now complete and it has already failed, at least as far as the public record is concerned.]

So, call it inadvertent or incidental, but this is a backward step, away from transparency.

CSE has repeatedly promised in recent years to increase the level of transparency about its operations, and it has been somewhat more open in certain ways.

But it has a long way to go to get back to the level of transparency that existed in 2011, and this is a step in the wrong direction.

Let's review some of the backward steps since 2011.

The last time CSE appeared in the Department of National Defence's Report on Plans and Priorities was in June 2011. A supplementary document called Section IV: Other Items of Interest contained an entire section on CSE. That document has been memory-holed entirely from the government's website, but I saved a copy back then, so you can read CSE's section here.

In that Golden Age of Transparency, CSE reported not only its 2011-12 total budget, but also a breakdown of its budget into Salary and Personnel; Operating and Maintenance; and Capital spending. It also provided projections of all those figures for the following two fiscal years, 2012-13 and 2013-14.

It also provided a list of the key government intelligence priorities that CSE would attempt to cover during the coming fiscal year and a description of some of the initiatives planned for that year, notably occupation of the building that became Pod 1 of CSE's new headquarters complex and the start of construction of the remainder of the complex.

Finally, the section reported the number of civilian full-time equivalent employees (FTEs) the agency would have in 2011-12 and projected numbers for the two following years (although to be fair the latter numbers, which were identical to the 2011-12 numbers, were probably intended just to be placeholders).

All that ended in November 2011 when CSE became a stand-alone agency. It no longer appears in DND's Report on Plans and Priorities (or Departmental Plan, as it is now known). Nor does it publish its own.

Neither does it publish a Departmental Results Report or an Annual Report (although under Bill C-59 there would be an Annual Report of some kind).

CSE did begin appearing under its own name in the Main Estimates documents beginning in 2012-13.

But almost all of the information that appeared in DND's report was gone. What we were left with was little more than a short boilerplate description of the agency, the overall number for the coming fiscal year only, and — the only new piece of information provided — the spending numbers for the SIGINT program and the ITSEC program. So, one step forward and about ten steps backward.

CSE's public affairs people somehow managed to call this "enhanced" reporting. I suppose that's what public affairs people get paid to do, but for an agency that wants Canadians to take a lot of what they say on trust, this was not their finest hour.

Among the information that was no longer reported was the number of FTEs, but that loss at least was mitigated by the fact that CSE's staff numbers were still being reported on a monthly basis by the Treasury Board Secretariat.

But then that ended in February 2016.

I don't think that change, which affected reporting on staff numbers at all government departments and agencies, was prompted by CSE, and when I had a chance in November 2016 to ask Dom Rochon, CSE's Deputy Chief, Policy and Communications, whether CSE would consider publishing the figures itself, he seemed open to the idea. But it hasn't happened.

So that went dark too.

(To be fair, out of date annual figures are available on INFOBASE.)

And now we're losing formal, and timely, publication of the SIGINT/ITSEC breakdown.

As one who has often seen important information posted and then later removed from government websites, I find its promised publication after the fact in online form, while much better than nothing, far from entirely reassuring. If MPs insist on getting the numbers on the record at the beginning of every fiscal year at committee that will help a great deal.

But it would be better, and much more reliable, to simply publish them as before. Is this really so hard to do?

[This post was updated on 18 April 2018 in light of the information provided by CSE.]

Monday, April 09, 2018

The hunt for GHOSTHUNTER

In September 2016, The Intercept published this image taken by a U.S. photoreconnaissance satellite of an unidentified city. An ellipse overlaid on the image showed the estimated location of a target Very Small Aperture Terminal (VSAT) satellite dish as determined by the GHOSTHUNTER program. (You can read more about GHOSTHUNTER in The Intercept's article: Ryan Gallagher, "Inside Menwith Hill: The NSA’s British Base at the Heart of U.S. Targeted Killing," The Intercept, 6 September 2016).

A couple of days ago I decided it might be interesting to determine exactly where that city is. Knowing its location might enable us to discover which satellite — probably one of the massive ORION satellites in geosynchronous orbit — had produced the VSAT location estimate, and it would also enable us to make an accurate measurement of the ellipse. The location might also provide some insight into the kinds of targets these capabilities were being used against.

But how to identify the city? My first thought was to use the shadows in the image. The exact date and time the image was taken (28 January 2009 at 05:16Z, with Z meaning Greenwich Mean Time) is shown on the image, and so is a north arrow. I figured measuring the direction of the shadows should enable me to determine a more or less north-south line on the globe along which the city ought to be located. The tricky part is that the satellite photo was taken from an angle (which means, for example, that the streets don't intersect at right angles in the image, even though it seems likely that they do in real life), making it difficult to measure the angle of the shadows accurately.

Skewing the image to make the street layout rectangular produced the image shown above, from which I determined the direction of the sun to be around 126.5 degrees, probably plus or minus at least a couple of degrees because of the imprecision of the whole process.

That measurement in turn produced an estimated line of location that extended along the western shores of the Caspian Sea down through Azerbaijan and western Iran and across the eastern part of the Arabian peninsula, curving a bit to the east as it proceeded southwards.

That seemed like a pretty good place to start, so I fired up Google Earth and had a look.

Sadly, nothing I could find looked like the city in the photo. In fact, none of the cities near my search line featured architecture remotely resembling that in the image, with its numerous open courtyards and long sections of roof constructed of multiple vaults in series. Clearly something was off.

So on to Plan B: Widen the search area and find the cities with that kind of architecture.

I did find similar-looking vaulted roofs in parts of eastern Iran. But there was still no city that really resembled the target.

Herat, in Afghanistan, however, was another matter. Although still not the right city, it was much, much closer to the right style. So it was time to take a closer look at Afghanistan.

Home, home in Zaranj

A point-by-point search of small cities in western Afghanistan led eventually to Zaranj, in the southwestern part of the country just a couple of kilometres from the border with Iran.

Here you can see the spy satellite image overlaid on the Google Earth image. It's a match!

...about 1000 km to the east of my initial line of search. So, what went wrong with the shadow method? It turns out the spy satellite image was not only skewed, it was also stretched along the east-west axis. As can be seen in the formerly circular logos in this version, the image had to be compressed to match the underlying Google Earth photo. That changes the angle of the shadows, which now indicate the direction of the sun to be about 135 degrees, not 126.5. A search along the line determined by that information, through western Afghanistan and Pakistan's Balochistan province, would have sped things up considerably. But I don't see any way to have determined the necessary correction ahead of time.

Anyway, we now have a spy satellite photo newly identified to be of Zaranj.

Perhaps unsurprisingly, Zaranj turns out to be the kind of burg where a lot of activity that might be of interest to intelligence agencies takes place. This 2012 article, titled "The Scariest Little Corner of the World" (Luke Mogelson, New York Times Magazine, 18 October 2012), takes a fascinating look at the city and the region around it. Between the Hazaras, Tajiks, Pashtuns, Uzbeks, Afghan Baluchis, other Afghans, Pakistani Baluchis, other Pakistanis, Iranian Baluchis, other Iranians, Indians, Americans, other NATO forces, and, going back a ways, the Soviets, a lot has been going on. I won't even try to summarize it all here.

Analysis of the ellipse

As noted above, the ellipse on the photo shows the estimated location of a VSAT satellite dish that the NSA or other SIGINT agencies were monitoring and wanted to geolocate. Several candidate dishes that were found within the ellipse are highlighted, but it is not clear whether any of these dishes were singled out as probably being the target dish.

The long axis of the ellipse is oriented towards the southeast at an angle of about 134 degrees, which is quite close to the direction of the sun at the time the photo was taken, but that's just a coincidence. What is probably not a coincidence is that it also points pretty much exactly in the direction of the U.S. ORION 2 geosynchronous SIGINT satellite.

[Update 11 April 2018: Actually, it probably is a coincidence. As Marco Langbroek helpfully pointed out, the ellipse probably represents the location estimated by monitoring the VSAT dish from two SIGINT satellites at the same time, which means it very likely doesn't point in the direction of either one of them. As he noted, this document confirms that two satellites are used when making such estimates. So, sadly, it may not be possible to determine precisely which of the geosynchronous SIGINT satellites were involved in this case.

But Marco was able to identify the photoreconnaissance satellite involved: "I could positively identify the optical reconnaissance satellite that made the photographic image as USA 129 (1996-072A), a classified KH-11 "Keyhole" electro-optical reconnaissance satellite that made a pass over Zaranj at the given date and time based on amateur tracking data." Thanks, Marco!]

The size of the resulting ellipse will vary in each particular case according to the geometry of the intercepts and other factors, but this example gives an indication of how precisely SIGINT satellites can geolocate a transmitting VSAT dish. As measured in Google Earth, the ellipse is around 207 metres wide by 465 metres long, and thus covers an area of about 75,600 square metres, roughly seven and a half hectares. The data box attached to the ellipse originally provided a figure, redacted by The Intercept, for CEP, which is an abbreviation for circular error probable. This probably means that the ellipse depicts the area within which the dish was estimated to have a 50% chance of being located.

That's pretty impressive precision when you consider that these satellites orbit at an altitude of nearly 36,000 km and the slant range to their targets is even greater.

There may be other details that can be learned from a close examination of this image, but those are the obvious ones that come to my mind. Suggestions for other points [and other corrections] would be welcomed.

Nearly half a century after the first geosynchronous SIGINT satellite was launched (CANYON 1 on 6 August 1968), it's nice to learn a little bit more about how they operate.