Saturday, December 26, 2020

CANUKUS Planning Conference, March 1953

This photo shows the participants in the CANUKUS (Canada-United Kingdom-United States) Planning Conference held in Washington from March 20th to the 25th, 1953. The conference took place immediately after a BRUSA conference held at the same location, involving the same U.S. and British delegates, from March 2nd to the 19th. (BRUSA was renamed UKUSA later in 1953.)

The photo shows the conference participants assembled at the main entrance of the Naval Security Station building on Nebraska Avenue in Washington, which was still serving as one of the headquarters buildings of the new National Security Agency before its move to Fort Meade. Although dated March 31st, the photo was probably taken earlier in the month while the CANUKUS conference was still underway.

From left to right, front to back, the attendees are: Lieutenant Colonel Glen C. Long, U.S. Army; Major Dolas M. Grosjean, Women's Army Corps, U.S. Army; Clive (Joe) Loehnis, Deputy Director, GCHQ; Rear Admiral Joseph N. Wenger, USN, Vice Director, NSA; Group Captain Douglas M. Edwards, RCAF, Director of Air Intelligence; Brigadier John H. Tiltman, GCHQ, Senior British Liaison Officer at NSA; Edward M. Drake, Director, CBNRC; Victor P. Keay, FBI; Charles P. Collins, CIA; Commander James C. Pratt, RCN, Director of Naval Intelligence; Lieutenant Colonel Layton E. (Joe) Sarantos, Canadian Army, Director of Military Intelligence; Lieutenant Commander Arthur R. Hewitt, RCN, Director of Supplementary Radio Activities; Captain Bernard F. Roeder, USN; Henry J. Dryden, GCHQ; Commander Herbert H. Ridler, RN; Colonel Robert Gifford Yolland, British Army; Lieutenant Colonel Charles M. Townsend, USAF; T. Jaffray Wilkins, CBNRC, Communications Branch Senior Liaison Officer at NSA; Inspector Cecil H. Bayfield, RCMP liaison officer to the FBI; Dr. Louis W. Tordella, NSA; Arthur W. (Bill) Bonsall, GCHQ; Douglas A. P. Davidson, CBNRC; Robert F. Packard, U.S. State Department; William (Bill) Millward, GCHQ; N. Kevin O'Neill, Coordinator Production, CBNRC; and Wing Commander Frederick W. Hudson, RAF. Of the 26 participants shown in the CANUKUS photo, nine were from Canada, eight from Britain, and nine from the United States. The British and American participants had all also attended the earlier BRUSA conference.

Kevin O'Neill, who later became the second Director of CBNRC and the first to hold the title of Chief following the agency's transfer to DND as the Communications Security Establishment, began his SIGINT career at Bletchley Park and served as part of the British liaison team in Washington just after the war. This late 1945 photo shows him sitting in an office probably no more than 30 metres from where he is standing in the CANUKUS photo.

Rival conferences

O'Neill was also the author of the SIGINT section of The History of CBNRC. That document describes the two back-to-back meetings in March 1953 as "rival" conferences.

What was at stake was governance of the UKUSA/CANUKUS partnership — in particular, how the agreements specifying the details of those partnerships were to be modified over time.

The 1946 BRUSA Agreement was strictly a U.S.-U.K. accord. But the 1949 signing of the CANUSA Agreement by Canada and the United States complicated matters. The CANUSA Agreement was modeled closely on BRUSA, and its appendices, which spelled out the details of COMINT cooperation, were based on many of the BRUSA Agreement's appendices. This was especially true of the crucial Appendix B, which specified security procedures and standards for handling and disseminating COMINT. Except for the names of the parties involved, the two Appendix Bs were identical, and the intent of all parties was to keep it that way. But this created the question of which parties would get to decide when changes were to be made.

As O'Neill related it,

1953 started off with some more rumblings about the desirability of Canada attending UK/US planning conferences where common subjects were involved. The UKUSA partners were planning to discuss their Appendix B on Security, as well as such lesser matters as SACLANT, Weather SIGINT, and counter-intelligence support, some time in March. Canada heard about this in January, and Mr. Glazebrook [the External Affairs officer who chaired the committee in charge of SIGINT policy] took up the question of whether it would not be simpler to deal with changes to Appendix B on a tripartite basis rather than have to handle them in two bilaterals, with the possibility of having to go back and forth between CANUSA and UKUSA Appendices ad nauseam. The Americans (Gen. Canine and V/Adm. Wenger) took the view that since this was a Commonwealth matter, it was up to the UK to decide, and for Britain Sir Eric Jones was adamant that Canada should not be present unless Australia was also.

The question had already been under discussion between the U.S. and Britain during the previous fall as the agenda for the BRUSA conference was being determined. In December, NSA Director Canine asked GCHQ Director Jones for his informal views on the possibility of moving Item 1 of the agenda (Revision of Appendix B - Security) to the "agenda for discussion at tripartite conferences with Canada."

Jones's reply gave two reasons for opposing the inclusion of Canada, one of which was fully redacted from the released record. The second reason, partially redacted, stated: "As the subject matter of Appendix B to the basic BRUSA Agreement has in the past been a matter for discussion between USCIB and LSIB only, it is preferable to maintain that principle and to continue with the arrangement". (USCIB and LSIB, the United States Communications Intelligence Board and the London Signals Intelligence Board, were the policy committees that directed SIGINT policy in the two countries at this time.)

The second reason seems to point to the primary British concern. Avoiding unequal treatment of the Dominions may have been a legitimate concern of the British, but if the exclusion of Australia were really the issue, it seems likely that it could have been resolved by including Australian participation in the conferences. (New Zealand was unmentioned presumably because, although it contributed personnel to the joint British-Australian-New Zealand COMINT centre in Melbourne, it had no COMINT processing organization of its own at this time.)

The real issue for Britain was almost certainly its reluctance to be, in effect, demoted from primary SIGINT partner of the United States to one of two partners of the U.S. having — in nominal terms at least — an equal say over the future evolution of the partnership. Given the importance of the UKUSA partnership to Britain and the great disparity in actual capabilities between GCHQ and CBNRC, this was not a development that the British would have considered either welcome or appropriate.

Britain did agree, however, to consider "the implementation in respect of Canada of paragraphs 11 to 16 inclusive of Appendix Q to the BRUSA SIGINT Agreement" at the tripartite conference to follow, noting that this "particular wording has been agreed in discussions between U.K. and Canadian authorities, and U.K. has already promised Canada to propose it to U.S. as item for discussion at a tripartite conference." (Appendix Q concerned COMINT Collaboration in War.)

The result, according to the History of CBNRC, was

a compromise whereby Washington was the scene of a UKUSA Conference from March 2-19, revising their Appendices B, H, N, P and Q, and reviewing D and O, and a CANUKUS Conference from March 20-25, which dealt with the "lesser" matters such [one line redacted] SACLANT, Wartime Collaboration and Counter-Clandestine SIGINT.

But it was not much of a solution as far as Canada was concerned.

The second lot of proceedings seemed pretty unrealistic, especially since SACLANT and Wartime Collaboration between the US and the Commonwealth had already been dealt with at the UKUSA Conference in their discussions of Appendices P and Q, and the revisions to UKUSA Appendix B had later to be sent to Canada for agreement and incorporation into the corresponding CANUSA Appendix.

Indeed, the tandem-conference experience seems to have been satisfactory to none of the parties. Many tripartite conferences were held among Canada, the United States, and Britain in later years on specific subjects of interest, but the back-to-back UKUSA/CANUKUS conference experiment does not seem to have been repeated.

Subsequent revisions of Appendix B in 1955, 1956, and 1959 were decided by the United States and Britain. Formal or informal consultations on these revisions were sometimes held with Canada ahead of time, but the British position against direct Canadian participation held firm: "Mr. Southam in December 1958 and Mr. Starnes in March/April 1959 took up again the Canadian desire to make Appendix B tripartite; but to no avail, since the British authorities were resolutely opposed to 'triparticity'."

Wednesday, December 23, 2020

First NSIRA annual report released

The first annual report of the National Security and Intelligence Review Agency (NSIRA) was released on December 11th. In many ways the new agency is off to a promising start. But when it comes to information on CSE, the report is a disappointment.

NSIRA was created in 2019, when the National Security Act, 2017 (Bill C-59) was finally done crawling its way through parliament. The new agency took over the duties of the existing watchdog agencies for CSE and CSIS, the Office of the CSE Commissioner (OCSEC) and the Security Intelligence Review Committee (SIRC), but with an expanded mandate that includes examination of the reasonableness and necessity as well as the legality of their activities. It was also given the job of reviewing the other security and intelligence activities across the government of Canada.

The report covers NSIRA's activities during the six months from its July 2019 creation to the end of 2019. Normally we should expect to see NSIRA's annual report sometime in the first half of the year that follows, but since the agency was still in the process of establishing itself and hiring staff, and had to do all that in the middle of a pandemic, it's unsurprising that this first report was delayed to December.

In keeping with the purpose of this site, I'm going to focus primarily on the report's treatment of the Communications Security Establishment. But I'll start with a few comments on the editorial philosophy underlying the report. NSIRA intends to proactively release unclassified versions of each individual review it conducts during the year as soon as they are available, so it is planning to spend less space reporting on those reviews in its annual report and to focus instead on the most significant issues of the year and broad lessons, trends, or themes that may arise. The annual report will also cover other aspects of the agency's operations, such as its complaints investigation function.

This seems like a sound approach to me, and I am especially pleased to see the agency's commitment to the proactive and timely release of the reports on its individual reviews. This has the potential to be a really useful step that, as NSIRA states, could help "to increase transparency and accountability, and to open the door to extensive discussions and debate in the public sphere."

The proof, however, will be in the pudding. This Christmas we got just one pudding, NSIRA’s 2019 Annual Report on the Disclosure of Information under the Security of Canada Information Disclosure Act, which was also released on 11 December.

The value of these releases will depend greatly on the intelligibility of the information provided in them. The need to protect intelligence agency secrets is real, and using a "write-to-release" approach, as NSIRA intends to do, may well be a practical necessity, but NSIRA will have to ensure that the resulting reports are not content-free as well as secret-free. If the end result is the sort of Delphic gibberish that so often characterized the public versions of OCSEC reports, the resulting discussions and debate in the public sphere are unlikely to be any more substantial than they were with OCSEC's reports, which typically were read and sometimes commented upon by me and, um... Hmm. Well, me, at least. Definitely me.

(And to be fair, yes, a few others. There was always a small coterie of the dutiful and the diehard in both academia and the media who could be counted on to read OCSEC's reports, and even, on rare occasions, to write something about one of them. But I doubt any of us disagree about their limited value as a base for public discussion or debate.)

Ultimately, the intelligibility question hinges on the commitment to transparency not just of NSIRA, but of the agencies that NSIRA reviews, as they are the ones who determine what information can be declassified and discussed in public. It was CSE who demanded for years and years that data like the number of Canadians referenced in signals intelligence reports and even words like "metadata", "bulk", "unselected", and "contact chaining" had to remain classified — even when they were already the subject of wide public discussion in other jurisdictions. Through constant pressure OCSEC made considerable progress over the years in expanding the range of what it was permitted to discuss publicly. But if a base for debate was the goal, there was still a long, long way left to go.

What we will need from NSIRA, therefore, is a commitment to engage in an ongoing struggle on this issue. And to consistently keep the public informed.

Happily, it looks like they have already begun to do this. On page 25 of the report we learn that CSE refused to permit NSIRA to reveal the numbers of the various types of ministerial authorizations (MAs) that the agency received under the CSE Act. This is a bad sign for CSE's supposed commitment to greater transparency. (Note to CSE: Invisibility is not the desired end goal of transparency.) But the fact that NSIRA is publicly disputing CSE's position is a very good sign.

Dirty deeds done at government rates

It is also positive that, although it wasn't able to give us the numbers, NSIRA was able to tell us that MAs were indeed signed in 2019 for both active, i.e., offensive, cyber operations (ACO) and defensive cyber operations (DCO). I think this is the first time that fact has been confirmed. CSE's cyber operations powers, which represent a fundamental change in the agency's role, were only granted to CSE in 2019, and knowing the MA numbers would provide some minimal sense of how much CSE is ramping up those activities.

The review agency also notes that it "considers our reviews of ACO/DCO actions to be particularly important. Unlike in the case of CSIS [threat reduction measures], CSE has no statutory obligation to notify NSIRA when it undertakes ACO/DCO activities. NSIRA intends, however, to focus proactively on these activities." The report's endnotes also contain this warning: "Under the governing statutory framework, it ... seems likely that ACO/DCO activities undertaken by CSE must accord with relevant international law." I suspect we'll be hearing more about this issue eventually.

Foreign intelligence and cybersecurity MAs

CSE also refused to permit NSIRA to report the number of foreign intelligence and federal and non-federal cybersecurity MAs granted in 2019. These MAs are also new, but the numbers of similar MAs were reported by OCSEC, NSIRA's predecessor, in each of the prior 6 years. Not any more, says CSE.

[Update 21 February 2021: The Intelligence Commissioner's Annual Report 2019, released in January 2021, gave us the total number of foreign intelligence and cybersecurity authorizations issued in 2019: five. It also told us that four were year-long authorizations and one was for six months only. Which pretty much answers our overall numbers questions. Under the previous system of MAs, there were 3 one-year-long SIGINT MAs and 1 one-year-long cybersecurity MA issued every year. We know from NSIRA's report that there were at least two cybersecurity MAs this time, one for federal government infrastructures and one for the new category of non-federal infrastructures (presumably the six-month authorization), so it looks like the 2019 numbers were three SIGINT MAs, one federal cybersecurity MA, and one non-federal cybersecurity MA. My guess is that the last number, the number of non-federal MAs, could vary by quite a lot from year to year, but the other ones aren't likely to change much. We'll see.]

These MAs are supposed to cover all CSE information collection activities that "might otherwise contravene an act of Parliament or interfere with the reasonable expectation of privacy of a Canadian or any person in Canada." So it is intriguing that the report tells us that NSIRA's future review of CSE collection techniques "will start by focusing on certain collection techniques that are authorized under a ministerial authorization and comparing them to techniques that are authorized through other channels." Just what are these other channels? Is this a reference to "publicly available information" or is there something else squeaking through here somehow? They're not suggesting that intercepts of communications involving persons in Canada that are passed to CSE by allies are exempt from expectations of privacy, are they? I for one will be interested to see what emerges from this investigation.

Missing information

Meanwhile, a whole lot of other items of information previously reported by OCSEC are also missing from this report, notably data on CSE's use of private communications (PCs), i.e. communications with at least one end in Canada.

The missing data includes:
  • The number of recognized PCs retained for possible use under CSE's foreign intelligence program.
  • The number of those PCs used in CSE SIGINT reporting.
  • The number of reports PCs were used in.
  • The number of PCs retained by CSE at the end of the review period.
  • The percentage change in the total number of recognized PCs intercepted by CSE's foreign intelligence program.
  • The number of PCs "with substantive content" used or retained by CSE's cybersecurity program.

Also missing:
  • The number of requests made by Canadian government clients for disclosure of Canadian Identity Information (CII) cited in reports by CSE or Five Eyes partners.
  • The number of requests for CII made by Five Eyes partners.
  • The number of requests made by other states.

The report does tell us the number of privacy incidents added to CSE's Privacy Incidents File in 2019: 123. But it doesn't explain why this is nearly three times as many as the 44 reported in the last OCSEC report. Nor do we get the number in the Second Party [Privacy] Incidents File.

NSIRA does recommend, however, that "CSE should examine the totality of all privacy incidents with the view to identifying systemic trends or areas of weakness in existing policy and/or practice that may reduce privacy incidents." So maybe NSIRA wants to know why the number went up too.

The report also notes that NSIRA warned CSE during its review that one method used to mitigate privacy incidents "did not appear to meet legal and Ministerial Authorization criteria and has the potential to engage section 8 of the Charter." According to the report, CSE decided in November 2019 to "rescind the practice" in question, but NSIRA nonetheless recommended that "CSE should rescind this policy, or obtain a legal opinion on the lawfulness of this practice."

Presumably we will receive updates of CSE's responses to NSIRA recommendations in future annual reports.

OCSEC made a regular practice of doing this (although often in rather vague terms), but in another case where information that used to be reported has for the moment ceased to appear, the NSIRA report fails to follow up on the status of the ten OCSEC recommendations that the last OCSEC report said CSE was working on.

All in all, there's a lot of information about CSE that was provided in the last OCSEC annual report that is not in this successor report.

Unlike the MA situation, in most of these cases, I would assume, this is not because CSE has suddenly insisted on withholding it.

And maybe it's not gone for good. It may be that some of this information will appear during the year as NSIRA releases specific reports about its individual reviews. I certainly hope that's the case.

But it is not at all clear that any more releases (beyond those reviews mentioned in the report) are coming from OCSEC's final year/NSIRA's first year. Nor is it evident that NSIRA intends in future years to continue collecting and reporting the data missing from this report.

So, is NSIRA off to a good start or not?

In many ways I think it is, but with respect to reporting on CSE, the picture is mixed, and it's not possible to be certain at this point.

Update 20 February 2021: Leah West and I discuss the NSIRA report and the recent report of the Intelligence Commissioner with Stephanie Carvin on Episode 148 of the Intrepid Podcast.