Wednesday, June 27, 2018

Bruce appointed Chief of CSE

Shelly Bruce has been appointed Chief of CSE effective immediately.

Bruce was appointed Associate Chief in November 2017 and has been serving as acting Chief of the agency since May 23rd, when the previous Chief, Greta Bossenmaier, was appointed National Security and Intelligence Advisor. Prior to serving as Associate Chief—a position that only occasionally appears on the CSE organization chart—Bruce spent eight years as the Deputy Chief in charge of the SIGINT side of the agency. (More on Bruce's bio here.)

Bruce is the 10th Chief CSE/Director CBNRC, and the first chosen from within the ranks of the agency since 1989:
  • Edward M. Drake (1946 - 1971)
  • N. Kevin O'Neill (1971 - 1980)
  • Peter R. Hunt (1980 - 1989)
  • A. Stewart Woolner (1989 - 1999)
  • D. Ian Glen (1999 - 2001)
  • Keith Coulter (2001 - 2005)
  • John L. Adams (2005 - 2012)
  • John Forster (2012 - 2015)
  • Greta Bossenmaier (2015 - 2018)
  • Shelly Bruce (2018 - )

The five Chiefs before Bruce were all brought in from outside the agency, a practice that presumably was begun to bring an outsider's perspective into CSE and perhaps encourage a somewhat less insular agency culture. Ministers typically develop very little in-depth knowledge of the workings of the agency and they may also have seen outside Chiefs as a safeguard against being bamboozled by the bureaucrats who came to them for approval of this or that policy or proposal.

If that was the concern, however, it seems to be absent now. Not only was the new Chief hired from the inside, but CSE's promotion to stand-alone agency in 2011 removed both the Deputy Minister of National Defence and the National Security Advisor (as the position was then known) from the direct CSE chain of command. Both positions are filled by public servants, to be sure, but neither was beholden to the agency, and thus both were in a position to take a somewhat more skeptical view of its claims. I don't much fancy the Minister's chances if the agency should ever decide to "blind him with science" as the saying goes.

Not that I'm saying we should expect that from Bruce.

And the Minister won't be entirely defenceless in any case. The National Security and Intelligence Advisor is still in a position to comment on much of what CSE says and does, and having just been Chief herself, Bossenmaier will certainly know what's really going on there. The new National Security and Intelligence Committee of Parliamentarians, the CSE Commissioner, and, once Bill C-59 is passed, the upgraded watchdog agencies should also help the Minister stay apprised of what's going on.

Is it possible the government feels CSE now has enough outside eyes on it and no longer needs to put itself through the process of training a new Chief every few years?

Whatever the reason, it's clear that Bruce will be able to hit the ground running, and that has to be seen as a good thing by the agency as it prepares to adapt to its new C-59 authorities, including the power to conduct computer network attack operations, while standing up the new Canadian Centre for Cyber Security and managing on-going growth.

Monday, June 11, 2018

Exploring the wreck of the OCSEC-2017

The Office of the CSE Commissioner, CSE's soon-to-be-replaced watchdog agency, released its 2016-17 Annual Report back in August 2017. As is traditional, it almost immediately sank from sight and was lost to all human ken. Nearly a year later, I guess it's about time I mounted my annual expedition to see if there's anything worth salvaging from it. With luck, I might manage to raise a few items before the 2017-18 report is launched.

Unlike the 2015-16 report, this report did receive a modicum of media coverage in the immediate wake of its release, specifically on the issue of information-sharing with allies. (See Justin Ling, "Canada still hasn’t developed new rules for intelligence sharing with U.S. and allies," Vice News, 24 August 2017 and Alison Crawford, "Canada's electronic spy agency to get new rules for sharing data with allies," CBC News, 29 August 2017.) But I'm willing to bet there's still lots of material worth examining lying in the forgotten hulk.

So let's get this expedition underway.

Use/retention of private communications up 25,653%

OK, here's something interesting. According to the CSE Commissioner, in 2015-16 CSE used or retained 3,348 "private communications" that were collected under the agency's foreign intelligence program (see page 39 of the report).

In Canadian law, a private communication is a communication with at least one end in Canada. CSE's foreign intelligence program is not allowed to "target" Canadians or any person located in Canada, but if a foreign target of the agency who is located outside Canada communicates with someone inside Canada, CSE is permitted to collect that private communication as long as there is a Ministerial Authorization permitting such collection in place (and, rest assured, there is). The 3,348 figure reported by the Commissioner represents only one portion of the total number of private communications collected or otherwise acquired by CSE under the three parts of its mandate, but it's a potentially important indicator of how often Canadians get pulled into CSE's foreign intelligence collection activities.

I've been using highway signs to depict the private communications numbers reported by the Commissioner. In 2012-13 the number was 66 and in 2013-14 it was 17, later revised to 13. Last year it was 342, which was a bit of a challenge but I did find a suitable highway. This year I've had to improvise...

That's a big number. The Commissioner's report comments that the 2015-16 total is "almost 3,000" higher than the previous year's total, which seems like an unusual way to put it since the actual difference is 3,006. Maybe the 2014-15 number was revised too. In any case, the two numbers aren't strictly comparable, as the 2014-15 figure refers to a seven-month period, while the 2015-16 figure covers a full twelve months. To get an apples-to-apples comparison, we need to go back two years to the 13 private communications used or retained over the twelve months of 2013-14.

Those figures show that the number of private communications used or retained by CSE's foreign intelligence program jumped by 25,653% between 2013-14 and 2015-16. That's a comma, not a decimal point: Twenty-five thousand six hundred and fifty-three percent.

So, yeah. Quite a big jump.

We do get an explanation of sorts for the change: "The increase in the number of used or retained private communications remains a consequence of the technical characteristics of certain communications technologies, and CSE’s legal obligations to count private communications in a certain manner."

But that doesn't really answer many questions.

In 2016, when this growth trend first became apparent, I speculated that CSE may be collecting an increasing number of communications transmitted by chat applications such as Facebook Messenger. Because each individual comment in such conversations is a separate transmission, it is likely that each would be considered a separate private communication for legal purposes. Thus, a single conversation lasting just a few minutes might contain dozens of private communications. If this is what explains the dramatic jump in the numbers since 2013-14, there may have been little if any actual increase in the number of persons in Canada whose conversations or other communications are being caught in CSE's dragnet.

That would certainly explain the Commissioner's apparent lack of concern about the numbers.

The current report doesn't confirm that theory (or provide any other intelligible explanation), but it does comment that "the current manner in which CSE counts private communications provides a distorted view of the number of Canadians or persons in Canada that are involved in (i.e., are the other end of) CSE interceptions to obtain foreign intelligence under ministerial authorizations."

And the report provides one additional key piece of information: The 533 private communications that were actually used in CSE's foreign intelligence reporting in 2015-16 (as opposed to temporarily retained for possible future use) appeared in a total of just 20 end product reports. This means that on average 26.65 private communications were cited in each one of those reports. Since some reports almost certainly concerned just a single private communication, many of them are likely to have cited 40 or 50 or more.

A little background on SIGINT end product reports might be helpful here. CSE does not produce extended intelligence assessments — it reports SIGINT facts, such as a single key piece of information overheard in an intercepted phone call. CSE analysts don't sit on such intelligence: they disseminate it to their clients in an individual end product report with as little delay as possible. If 20 or 30 or 40 private communications appear in a single end product report, it is because all of those communications were acquired at essentially the same time. And if this is happening routinely, it's almost certainly because the communications systems that CSE has begun to frequently target routinely generate large numbers of private communications at a time.

Which sounds like chat apps to me.

If these numbers do indicate growing collection of chat-related traffic by CSE, it would appear that the increasing use of encryption in those apps has not had the effect of shutting CSE out of that traffic — at least, not as of 2015-16. Are CSE's targets using insecure messaging apps, or versions that have been "enabled" to undermine their security? Are end-point operations, such as implanting malware on target smartphones, being used to bypass encryption? Given the high level of concern expressed by intelligence and security agencies in recent years about the prospects of "going dark", it will be interesting to see if the number of private communications used by CSE drops off in future reports.

I suspect CSE won't be entirely pleased to see this kind of speculation bandied about — even if my specific guesses are completely off base, which they may well be — so let me just suggest to the agency that if you were instead to declassify figures such as the number of individual persons in Canada who appeared in end product reports that year, the number whose identity information was released to clients at least once, and the total number of reports in which private communications were cited, the public would get figures much better suited to monitoring the privacy implications of CSE's operations, those figures would probably be more reassuring than the ones we get now (and if they're not, all the more reason to release them), and CSE's targets would be denied any basis for speculating as to the types of communications being monitored.

On page 4 of his report, the CSE Commissioner makes a direct plea for greater openness by CSE, highlighting "the need to re-examine what information is able to be disclosed to the public in an effort to promote transparency. Transparency has been a cornerstone of my approach as Commissioner. There have been significant strides in this regard in the United Kingdom and in the United States. It is time to do likewise in Canada."

Seems like a good idea to me.

More to come on the report in future posts (I hope).

Update 9 July 2018:

Stage two here.

Monday, June 04, 2018

Canadian Centre for Cyber Security to absorb CSE IT Security program?

It looks like the new Canadian Centre for Cyber Security (CCCS) announced in the 2018 budget (see p. 205) will be absorbing most, probably all, of the IT Security program at CSE.

[Update 12 June 2018: Confirmed. "From CSE, the entire IT Security branch will be transformed to become part of the Cyber Centre."]

Defence Minister Sajjan recently told The Hill Times (Jolson Lim, "Sajjan to unveil 20-year defence spending plan this spring; says active cybersecurity powers from Bill C-59 will be checked," Hill Times, 28 May 2018; subscribers only) that the CCCS will have a staff of about 750: "The cyber centre will unite approximately 750 employees from existing cybersecurity operations units at Public Safety Canada, Shared Services Canada, and the Communications Security Establishment into one organization, as part of CSE."

That's about one and a half times the size of the entire IT Security staff at CSE. The Deputy Chief in charge of IT Security, Scott Jones, recently stated that CSE's ITSEC program has "around 500" employees, although that total would not include ITSEC's share of CSE's policy, administration, and support staff. Add in the (undisclosed number of) employees at Shared Services' Security Operations Centre and Public Safety's Canadian Cyber Incident Response Centre, who are being transferred to CSE to become part of CCCS, and you presumably get somewhat closer to the 750 figure, but substantial new hiring is also likely to be required. The $44.5-million on-going budget boost promised for the CCCS as part of Budget 2018 suggests that as many as 150-200 new employees might be brought on staff.

The U.K.'s National Cyber Security Centre (NCSC) already operates on this model. Created in 2016, the NCSC absorbed GCHQ's existing Communications-Electronics Security Group and merged it with a number of other cyber security organizations from across the U.K. government. Although it has a separate public identity, the NCSC remains an arm of GCHQ.

According to the Defence Minister, the Canadian Centre for Cyber Security will be fully operational by the fall of 2019. Sajjan also stated that the government expects to name the first head of the Centre "this spring", so presumably that announcement is imminent. ITSEC head Scott Jones is the obvious candidate for the job unless he has plans for some other role in the agency or elsewhere.

CSE is currently in the market for a new Chief for the entire agency, but the government hasn't hired from within CSE for that job since Stew Woolner got the position in 1989 so it would be a bit of a surprise if they went that route. Also, although Jones would undoubtedly be well qualified for the job of Chief, Acting Chief Shelly Bruce would likely be the first choice if agency employees were actually in the running.

All in all, I'd be surprised if Jones is not chosen to head the CCCS. Presumably we'll hear soon.

And maybe we'll learn more about plans for the CCCS when the government finally unveils its promised National Cyber Security Strategy.

Update 12 June 2018: Yup, Jones will be the head of the new centre.