Saturday, August 24, 2019

History of CBNRC

In August 1987, CSE published an internal, highly classified history of the agency from its founding in 1946 as the Communications Branch of the National Research Council (CBNRC) to its transfer in 1975 to the Department of National Defence and renaming as the Communications Security Establishment.

The History of CBNRC's authors were N. Kevin O'Neill, who had been Director of CBNRC/Chief of CSE from 1971 to 1980, and Ken J. Hughes, a senior COMSEC official. Both had been on the staff of the agency through the entire period covered by the history.

Not long after the document was written, I and at least one other person formally requested that the releasable portions be made public under Canada's then new Access to Information law. That eventually did occur—after a delay of several years—but the released version was extremely heavily redacted, with perhaps 80-90 percent of the document withheld entirely and most of the rest riddled with additional redactions.

Group and section names and most personal names were redacted. Target names were redacted. All mentions of NSA and GCHQ were redacted (except for one mention of GCHQ that slipped through). Even the name of Kevin O'Neill's co-author was redacted.

There was some useful information left in the sections that remained, but the resulting document was mostly a testament to excessive secrecy.

Second release

More than 25 years later, someone—I don't actually know who—requested a fresh release of the History, and this time a much more significant part of the seven-volume document was released. (I obtained it through the Canadian Foreign Intelligence History Project.)

There are still large portions redacted, including the entirety of Volume II, but a great deal of new and very interesting information about CSE's history was released. I drew on the new release for this discussion of CSE's experimental cable monitoring efforts in the 1970s, for example.

[Update 3 December 2019:

An even more recent release to Wesley Wark (access request A-2018-00065) includes additional previously redacted material in Chapter 11. The rest of the release appears to be identical (although I must admit I haven't examined every word of it). I've changed the links below to copies of the Wark release. Many thanks, Wesley! Bonus: I've uploaded OCRed versions of the files.]

[28 MB PDF]

1 Origins and Background
2 SIGINT Policy and Committee Structure
3 Organization and Establishment
4 SIGINT Production Tasks
5 Interception at Stations

[Volume not released]

6 Special Collection
7 Signal Analysis
8 Cryptanalysis

[Part 1 - Chapters 9 to mid-11 (16 MB PDF) & Part 2 - Chapters mid-11 to 13 (15 MB PDF)]

9 Tactical SIGINT and Support to NATO
10 Intelligence Requirements and SIGINT Reporting
11 Liaison with Collaborating Centres
12 SIGINT Equipment and Engineering
13 Mechanization and Computer Developments

[26 MB PDF]

14 Communications
15 COMSEC in Canada before CBNRC
16 COMSEC Policy and Committee Structure
17 Development of COMSEC in CBNRC

[24 MB PDF]

18 Provision of COMSEC Advice and Support
19 Production of Keying Material
20 Use of Crypto Equipment in Canada
21 Evaluation of Crypto Equipment
22 Production of Crypto Equipment in Canada
23 COMSEC Monitoring and Analysis

[22 MB PDF]

25 Financial Administration
26 Security
27 Personnel
28 Training

[5 MB PDF]

Appendix - Chronological Summary

Sunday, August 18, 2019

Dredging up OCSEC's 2017-18 annual report

In this post, I'm going to write about some of the interesting stuff in the 2017-18 annual report of the Office of the CSE Commissioner (OCSEC), which was released last summer. In particular, I'm going to look at the decline in the number of private communications used or retained by CSE and whether that decline means that the spread of encryption is beginning to have a serious effect on CSE SIGINT operations.

But first a quick aside about the 2018-19 report, which may be about to be released.

In July, as a result of the long-awaited passage of Bill C-59, CSE Commissioner Jean-Pierre Plouffe was reflagged as the Intelligence Commissioner and OCSEC was shut down, with most of its duties reassigned to the brand new National Security and Intelligence Review Agency (NSIRA). This means the 2018-19 report will be the last of its kind.

As far as I can see the government now has just one date left, August 21st, to release that final report before parliament is dissolved for the fall election. If the 2018-19 report does get released a few days from now that probably will mean there isn't anything too newsworthy in it. If, on the other hand, the government hangs on to it until after the election that may be a sign there's something a bit more, er, exciting in it.

CSE nerds may recall that the only other OCSEC report to be withheld through a federal election in recent years, the 2014-15 report, was the one that revealed the only case in which CSE has ever been declared to have violated the law.

Nobody in Ottawa ever clues me in on anything, so I haven't heard anything suggesting that a similar bombshell is inbound this time around. But a delayed release would certainly look suspicious. I guess we'll just have to wait and see what happens.

[Update 22 August 2019: The 2018-19 report did not get tabled on the 21st, so I'm pretty sure we won't be seeing it until sometime after the October election. Makes you wonder if there isn't something embarrassing for the government in it. Hooray for transparency!

A happy thought: Like OCSEC's reports, by law NSIRA's annual reports have to be tabled within 15 sitting days of being submitted to the government. However, since NSIRA's reports will cover calendar years and thus probably will be completed around March of the following year, this should mean they get released sometime during the spring sitting instead of routinely getting delayed into the summer and potentially withheld through elections (now normally held in the fall).]

In the meantime, the possibility that the 2018-19 report could drop in just a matter of days has reminded me that I still haven't said much about the 2017-18 report, which was tabled in parliament over a year ago on July 18th, 2018.

So back to that report:

Private communications decline to 954

In its 2017-18 report OCSEC reported for the fifth year in a row the number of recognized "private communications" that were acquired by CSE under Part A of its mandate ("Mandate A") and subsequently used in SIGINT reporting or otherwise retained as "essential" for foreign intelligence purposes. The 2017-18 report revealed that 954 private communications were used or retained during the period from July 2016 to June 2017 inclusive.

As the table below shows, this was a 70% decline from the previous year's total, which was 3348, but it was still much higher than the totals in any of the years before that. The 2017-18 report and the previous one also reported how many of those private communications were actually used in end-product reports (EPRs), and that number too declined in the most recent period, from 533 to 261 (51%). These declines occurred despite the fact that, as the Commissioner also reported, the overall number of private communications intercepted "continued to increase substantially."

So this is the overall picture that confronts us: The increase in the number of PCs used or retained between 2013-14 and 2015-16 was truly eye-popping. But now, although the total number of PCs collected continued to grow in 2016-17, we're faced with a sudden significant drop in the number used or retained.

What is going on here?

Well, let's unpack the data a bit first.

In Canadian law a private communication (PC) is an oral or electronic communication between two or more persons, regardless of nationality, where at least one of the communicants is physically located in Canada at the time of the communication. (The legal definition is a little more complicated, excluding broadcasting and other forms of public communication for example, but that's the gist.) The interception of PCs is illegal except under certain specific circumstances provided for in the Criminal Code.

One of these exceptions covers CSE's Mandate A activities when it is operating under a ministerial authorization issued for that purpose. Mandate A is CSE's mandate to acquire foreign intelligence, which is "information or intelligence about the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group, as they relate to international affairs, defence or security." In keeping with this definition, Mandate A ministerial authorizations are restricted to collection activities directed at non-Canadian targets physically located outside of Canada: CSE is not legally permitted to direct its Mandate A activities at persons in Canada (or Canadians anywhere).

So how does CSE end up with PCs acquired under Mandate A? The answer is actually pretty simple. All communications have at least two ends. Sometimes the non-targeted end of a foreign communication that CSE collects turns out to be in Canada. This is called "incidental" collection. Because one end is in Canada, such communications are legally PCs, but their collection is permitted as long as one of the aforementioned authorizations is in place. (And it always is.)

When a CSE foreign intelligence analyst examines an intercepted communication they try to establish the location of the communicants in order to determine whether it is a PC. Recognized PCs collected under Mandate A can only be retained by CSE if they are determined by the analyst to be essential to international affairs, defence, or security. Some of the retained PCs end up quoted or otherwise cited in the end-product reports provided to CSE's SIGINT clients, while others may be retained for background information or because their importance is unclear. These are the PCs whose use or retention is reported by OCSEC. Retained PCs must be reassessed for essentiality after an undisclosed interval and are normally ultimately deleted unless they have been used in an EPR.

This is not the only way in which CSE can end up in possession of Canadian-related communications, however. The agency also sometimes collects communications in which the non-targeted end turns out to be a Canadian located abroad. Because in this case none of the participants in the communication are located in Canada, these communications are not PCs and are not counted in the total reported by OCSEC. Stored communications such as texts and e-mails acquired by CSE from computer hacking activities or company databases are also not counted as PCs, even if one of the communicants was located in Canada when the communication was originally sent. Canadian communications acquired by allies and subsequently provided to CSE are also not considered to be PCs. (Such collection is said to be "exceptional", but it does occur.) Finally, CSE acquires PCs and other Canadian-related communications incidentally in the course of its Mandate B (IT security) activities and intentionally in the course of its Mandate C (support to federal law enforcement and security agencies) activities. None of these numbers are publicly reported.

The private-communications-collected-by-CSE-in-the-course-of-Mandate-A-activities numbers do, however, provide important, if only partial, insight into the nature and evolution of CSE's collection of Canadian communications in the course of its foreign intelligence activities. So let's turn back to the numbers.

Smartphones and instant messaging

As I've argued before, the major jump in the number of used/retained PCs between 2013-14 and 2015-16 was probably a consequence of changes in the types of communications most commonly being intercepted. My guess is that the rise of smartphones and consequently mobile messaging applications accounts for most of the difference. Since each separate comment posted in a message app probably counts as a separate private communication, just one single extended conversation monitored by CSE might be counted as dozens or even hundreds of PCs.

If this is the case, then the huge increase in PCs used or retained in recent years is almost certainly primarily due to this change in communications technology and does not imply a huge—or even necessarily any—increase in the number of Canadians and other persons in Canada whose communications are getting caught in CSE's dragnet.

Although he hasn't confirmed that messaging apps are the explanation, the CSE Commissioner has more or less confirmed that the answer is something along these lines, describing the increase as "a consequence of the technical characteristics of certain communications technologies, and CSE’s legal obligations to count private communications in a certain manner" and adding that "the current manner in which CSE counts private communications provides a distorted view of the number of Canadians or persons in Canada that are involved".

It is possible, however, that there also was at least some increase in the number of Canadians or other persons in Canada whose communications were collected by CSE after 2014. While messaging apps are almost certainly the primary explanation for the jump, the timing of the increase might also be related to the resumption in mid-2015 (under a new, undisclosed name) of Domestic Interception of Foreign Telecommunications and Search (DIFTS) warrants, which enable CSIS to ask CSE to monitor specific Canadians abroad.

Neo-DIFTS intercepts would not appear directly in these statistics even if one end was in Canada, because collection for CSIS is a Mandate C activity. But such intercepts might enable the identification of new foreign targets, such as ISIS members involved in efforts to recruit Canadians, and those recruiters could then be targeted under Mandate A and possibly be monitored communicating with additional, previously unidentified Canadians. So it is not inconceivable that the advent of neo-DIFTS warrants led indirectly to at least a small increase in PCs collected under Mandate A.

In any case, since smartphones seem to have been ISIS's main mode of communications, many Canadians had travelled to Syria and Iraq to support the organization, active efforts were underway by ISIS to recruit others to come or to engage in attacks or other activities in Canada, and the Canadian Forces were participating in the anti-ISIS coalition, it seems plausible that ISIS members were among CSE's key targets throughout this period and that they may well have been responsible for many of the messaging-app PCs intercepted by the agency.

Why the drop?

So why did we see the sizable drop in used/retained PCs in the 2017-18 report?

It's risky to draw sweeping conclusions from a change reflected in just a single year's data, but assuming the phenomenon is real, three not necessarily mutually exclusive possible explanations come to my mind.

The first is that successes in the battle against ISIS, both on the ground and in cyberspace, have led to a significant decline in the number of ISIS members communicating with persons in Canada. ISIS was indeed coming under very heavy pressure during the period covered by this data, although it hadn't yet lost its control over large parts of Syria and Iraq. However, recent reports suggest that ISIS is still engaged in extensive online organizing and recruiting activity. Moreover, the substantial overall increase in PCs collected (as opposed to used or retained) in 2016-17 also suggests that a decline in targeted traffic—whether ISIS-related or otherwise—is not the primary explanation.

The second possibility is that the nature of the traffic has been changing, such that it now contains a significantly lower proportion of PCs that are of intelligence interest. This might be a result of a decline in the number of new individuals in Canada interested in communicating with ISIS, for example. It seems unlikely, however, that ISIS traffic involving persons in Canada would still be growing substantially under such circumstances, and even more unlikely that the great majority of that traffic would be of no intelligence interest. A more plausible possibility along these lines, perhaps, is that CSE's collection priorities have started to shift dramatically towards non-ISIS targets of various kinds whose communications with persons in Canada contain a much lower proportion of intelligence-related traffic.

The third possibility is that we are beginning to see the effects of the spread of encrypted messaging in recent years. Telegram, launched in 2013, is reported to have been widely adopted by ISIS members and supporters by 2016, largely on account of the end-to-end encryption capabilities that users can choose to utilize in its Secret Chat function. WhatsApp, which currently has more than 1.5 billion users, finished implementation of end-to-end encryption by default for all users in April 2016. Other apps also have or are moving to adopt similar technologies to various degrees.

If monitoring of messaging apps does explain the great increase in the number of PCs used or retained between 2013-14 and 2015-16, then the subsequent spread of encryption on those apps might well explain much of the 70% drop in the number of PCs used or retained in 2016-17. Interestingly, and perhaps not entirely coincidentally, an RCMP document prepared in early 2018 asserted that "Approximately 70 per cent of all communications intercepted by CSIS and the RCMP are now encrypted".

If this third explanation is correct, then the increasingly widespread use of encryption in messaging apps is starting to have a significant effect on CSE SIGINT operations.

It doesn't necessarily follow that seeking to limit encryption or to mandate government backdoors would be an appropriate or effective response to this development, however. (For more on encryption policy, see Lex Gill, Tamir Israel, and Christopher Parsons, Shining a Light on the Encryption Debate: A Canadian Field Guide, Citizen Lab and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, May 2018.)

Even universal adoption of secure encryption isn't going to solve the much broader problem of cybersecurity, and for the same reason it isn't going to mean the end of SIGINT.

But it could certainly mean large changes in the focus of SIGINT activities, just as the Soviet adoption of highly secure encryption for their high-echelon communications in 1948 led to sweeping changes in the organization and activities of the UKUSA SIGINT agencies through the 1950s.

Of course, it is also conceivable that some combination of all three possibilities, and perhaps other factors, has played a role in the drop. It will be very interesting to see where the numbers go when the 2017-18 data is released in the forthcoming 2018-19 report. Will they go back up, implying the 2016-17 numbers were just a blip? Or will the decline continue, suggesting that encryption really is starting to bite?

Maybe time to release different data

It occurs to me that CSE might be less than entirely happy to see this kind of speculation bandied about in a public forum, even if it turns out to be wildly incorrect. But I don't have a lot of sympathy for the agency on this question.

What I and other CSE watchers in Canada are really interested in is how many Canadians and other persons in Canada end up with their communications collected by CSE, and how many of those have their communications featured in reports to CSE SIGINT clients.

The only reason we find ourselves (possibly) with some insight into the types of communications being monitored and whether encryption is having a significant effect is that the agency has been forcing us to work with an imperfect proxy, the number of PCs used or retained.

If CSE instead permitted OCSEC and in future NSIRA to report the number of Canadians/persons in Canada who feature in such reports, we'd have a number much more useful for privacy-tracking purposes and much less useful for speculating about communications methods and the consequences of encryption or even about the capabilities of CSE in general.

Given that this number would refer only to incidental collection and would not include targeted domestic monitoring under CSIS or RCMP warrants, is there really a credible argument that ISIS or Al Qaeda or the SVR or the GRU or the Chinese MSS etc, etc could look at that number—let's say it's 20—and draw some sort of useful conclusion as to whether or not its own particular contacts were being watched?

Ideally, such reporting should be expanded to include all Canadians/persons in Canada appearing in foreign intelligence reports, not just those resulting from CSE's own collection of PCs, and maybe also an additional number for Canadians/persons in Canada appearing in IT Security reports.

I suspect CSE would also benefit from this approach since the number of Canadians/persons in Canada appearing in SIGINT reporting is very likely quite low and would probably be highly reassuring to the Canadian public.

(Alternatively, if the number is actually quite a bit larger than we've been led to expect, such that the Canadian public might actually be somewhat shocked by it, then in my view it's long past time to admit that, explain the reasons that supposedly justify it, and earn an honest social license to operate instead of one based on deception. Personally, I doubt this is what has being going on, but if CSE would give us the numbers there would be much less room for dark speculations.)

Show us the numbers!