Wednesday, December 22, 2021

NSIRA 2020 Annual Report

NSIRA's 2020 Annual Report was tabled on December 10th, 2021. 

I'll try to write a post on the CSE-related items in the report eventually, but in the meantime you can find the great bulk of what I'd probably say—and a lot of additional insights—in Chris Parsons' commentary here. Chris also addresses the non-CSE-related parts of the report, so at his site you get a full-service analysis!

Thursday, December 09, 2021

CSE 2020-2021 Annual Report

CSE's 2020-2021 Annual Report was released on 28 June 2021, and although I discussed the document on Twitter then, it's about time I got around to commenting on it on this blog as well.


Improvement over 2019-2020 report

CSE's 2020-2021 report is considerably more informative than its 2019-2020 report, which was the agency's first attempt at responding to the CSE Act's requirement to produce one. The new report contains about two and a half times as much text as the first one, and while that may be no guarantee of more signal among the noise, in this case it's fair to say that there has actually been some improvement.

As before, however, most of the information provided relates to CSE's cyber security efforts, which account for only about 30% of the agency's resources. The remaining 70% of CSE's resources go to CSE's signals intelligence (SIGINT) side, about which the agency prefers to say as little as possible. Even less is said about CSE's new cyber operations mandate.

SIGINT and cyber operations 

It's inevitable that much about intelligence-gathering and covert-action kinds of activities must remain secret, but the paucity of information here is still disappointing.

CSE's cyber operations mandate was granted only in 2019, and how those powers are used will form a key part of Canada's contribution to determining the future of cyberspace. We already knew that some number of such operations had been authorized; the only new thing we learn in this report is that some have actually been conducted. (More recently, CSE has acknowledged that cyber criminal activity was one of the targets of those cyber operations.)

By contrast, partner agencies such as NSA, GCHQ and Australia's ASD have given specific examples of the operations they undertake, and some of those governments engage in detailed public discussions of appropriate strategies, laws, and norms for cyberspace.

Information on CSE's SIGINT activities is also pretty scant. 

Last year, the National Security and Intelligence Review Agency (NSIRA) decided against publishing a number of statistics about CSE's SIGINT program that formerly had been published by OCSEC, CSE's previous review agency. Since the publication of those statistics had in all cases been approved by CSE, it is evident that no security grounds would prevent their publication by CSE itself. Surely, therefore, CSE's report contains that information at least.

I jest of course.

Read more »

Friday, December 03, 2021

Recent book chapters

In addition to Stress Tested, I have also contributed chapters to two other books published in the last year.

I wrote the chapter on the Communications Security Establishment for Top Secret Canada: Understanding the Canadian Intelligence and National Security Community, "the first book to offer a comprehensive study of the Canadian intelligence community, its different parts and how it functions as a whole." 

The CSE chapter provides a basic introduction to the agency, its mandate and resources, and some of the important questions about its operations and how they do or don't relate to Canadians.

Published by the University of Toronto Press in March 2021, the book is currently on sale at the UTP website for half price.

I also contributed a chapter to Big Data Surveillance and Security Intelligence: The Canadian Case, which was published by the University of British Columbia Press in December 2020.

As I noted here, my contribution is a bit of an outlier since CSE is not actually a security intelligence agency (although of course it does work closely with CSIS), and my chapter, "From 1967 to 2017: CSE's Transition from the Industrial Age to the Information Age," is much more a "history of the present"—how CSE got where it is today—than a discussion of its current Big Data activities. 

However, I think it does serve as a reasonable lead-in to another chapter in the book, written by Scott Thompson and David Lyon, that does look at CSE and Big Data.

The book can be purchased at the UBC Press website. Alternatively, you can download a rather messy and inconvenient—but free—open-access version of the book here.