Tuesday, June 30, 2020

First CSE annual report released

CSE released its first annual report, covering fiscal year 2019-2020, on June 29th.

For reasons unknown, but presumably better than simply to be gratuitously irritating, the agency chose not to make the document available in a conveniently downloadable form such as a PDF file, publishing it instead as a series of linked webpages. Until they think better of that decision, for the convenience of the human beings in this world I have cobbled those pages together into this ugly but functional PDF. Hey, I may not be in the public service, but I sometimes act as one.

On to business.

This is the first annual report that CSE has published, and what prompted the agency to act now is that s.59 of the CSE Act, which was enacted into law as part of Bill C-59 in 2019, now makes it a legal requirement.

Unfortunately, the Act does not specify how informative the report has to be, and this is not an informative report.

The introductory comments by CSE Chief Shelly Bruce constitute more than one-quarter of the entire text. The rest of the slightly more than 3000-word document is composed largely of basic background information about the agency that is already available on its website, augmented by some brief coverage of the more public-facing activities of the Canadian Centre for Cyber Security, the IT security part of the agency. In short, it covers all the things you don't need a document like this to find out about.

Yes, there are some tidbits of new information in the report. We learn, for example, that the SIGINT side of the agency "provided foreign intelligence reports to more than 2100 clients in over 25 departments and agencies within the Government of Canada" last year. Previously CSE had only acknowledged providing foreign intelligence reports to more than 2000 clients in 23 departments and agencies.

We also learn that CSE's workforce is now 2900 strong. This is an increase of roughly 350 from the headcount of 2549 at the end of the previous fiscal year and an increase of about 540 over the 2361 total in the year before that.

But you won't find those other numbers in this report. There is no acknowledgement that CSE's staff is growing, let alone any explanation for that growth.

Could the answer be all those new people hired or transferred from other departments when the Cyber Centre was created? No clues in this document.

(But, no, it's not. At least not entirely. According to recent testimony by Scott Jones, the Cyber Centre currently has about 800 employees, which is up around 300 from two years ago. The rest of the growth must be on the SIGINT and maybe cyber operations side of the house. Kudos to MP Matthew Green for eliciting this actually useful bit of information.)

In fact, there is no information whatsoever in the report on either the absolute or the relative size of the cyber security effort within CSE's overall staffing and budget. If we in the public want to know what the government plans to spend on cybersecurity next year, i.e., fiscal year 2021-22, we'd better hope that some MP will also want to find out, will get a chance to ask, and will actually get an answer, because otherwise we won't see that information until well after the fact, when it comes out in the Public Accounts in the fall of 2022.

I was under the impression that cyber security was kind of important these days. Shouldn't we at least have some sense of how much the government plans to spend on it?

The lack of transparency in this regard is actually quite new. CSE used to give us the breakdown between planned SIGINT spending and planned cyber security spending in the annual Estimates documents. But they stopped doing that in 2018. Treasury Board's fault, said CSE. Those folks changed the way info is reported in the Estimates. So, OK, fine, that's on Treasury Board. But nothing stops CSE from putting that data in its annual report. Or, better yet, proactively publishing it on their website as soon as the Estimates come out and then, at the end of the year, repeating it in the report.

Is this not being done because it is now supposed to be a security issue? If so, why is it one now when it wasn't in the recent past?

There was in fact a time, not so many years ago, when the Estimates also included data on planned spending in future years; a breakdown into capital, personnel, and operations and maintenance spending; information about major initiatives; and even a modicum of insight into the government's intelligence priorities. Why not put that in the annual report?

How about some information about how CSE plans to organize itself for and actually implement its new cyber operations mandate? This is the biggest change in CSE's mandate since the agency was founded in 1946, and we get little more than a couple of boilerplate sentences. The only thing new here to my eyes is the slightly unsettling phrase "achieve strategic impact" that is used to describe the purpose of CSE cyber operations. Maybe we'll find out more about that when we start being rocked by the tremors.

Here is a redacted version of one of the actual-content-containing annual reports that CSE gives the Minister of National Defence, as released under the Access to Information Act. Even just publishing a skeletonized remnant of the minister's report like this would be more informative than the brochure now on offer.

One final comparison (hat tip to Steven Chase for reminding me of this): Here is the first annual report of the Australian Signals Directorate, CSE's Five Eyes counterpart in Australia, which was published in 2019. All 126 pages of it. Much of the report is weighted toward the cyber security side, to be sure. There's plenty to criticize. But it also contains detailed financial statements. Workforce statistics. And a promise of more detailed reporting in future editions.

Am I disappointed with CSE's desultory offering?

Well, to end this on a positive note, let's just say it's not the worst thing to happen in 2020.

Update 9 July 2020:

Couple more comments here.