Thursday, December 09, 2021

CSE 2020-2021 Annual Report

CSE's 2020-2021 Annual Report was released on 28 June 2021, and although I discussed the document on Twitter then, it's about time I got around to commenting on it on this blog as well.


Improvement over 2019-2020 report

CSE's 2020-2021 report is considerably more informative than its 2019-2020 report, which was the agency's first attempt at responding to the CSE Act's requirement to produce one. The new report contains about two and a half times as much text as the first one, and while that may be no guarantee of more signal among the noise, in this case it's fair to say that there has actually been some improvement.

As before, however, most of the information provided relates to CSE's cyber security efforts, which account for only about 30% of the agency's resources. The remaining 70% of CSE's resources go to CSE's signals intelligence (SIGINT) side, about which the agency prefers to say as little as possible. Even less is said about CSE's new cyber operations mandate.

SIGINT and cyber operations 

It's inevitable that much about intelligence-gathering and covert-action kinds of activities must remain secret, but the paucity of information here is still disappointing.

CSE's cyber operations mandate was granted only in 2019, and how those powers are used will form a key part of Canada's contribution to determining the future of cyberspace. We already knew that some number of such operations had been authorized; the only new thing we learn in this report is that some have actually been conducted. (More recently, CSE has acknowledged that cyber criminal activity was one of the targets of those cyber operations.)

By contrast, partner agencies such as NSA, GCHQ and Australia's ASD have given specific examples of the operations they undertake, and some of those governments engage in detailed public discussions of appropriate strategies, laws, and norms for cyberspace.

Information on CSE's SIGINT activities is also pretty scant. 

Last year, the National Security and Intelligence Review Agency (NSIRA) decided against publishing a number of statistics about CSE's SIGINT program that formerly had been published by OCSEC, CSE's previous review agency. Since the publication of those statistics had in all cases been approved by CSE, it is evident that no security grounds would prevent their publication by CSE itself. Surely, therefore, CSE's report contains that information at least.

I jest of course.

The data that could have been reported includes:

  • The number of recognized private communications (PCs) — communications with at least one end in Canada — acquired by CSE collection programs and used or retained for possible use in foreign intelligence reporting.
  • The number of those PCs used in CSE foreign intelligence reporting.
  • The number of reports PCs were used in.
  • The number of PCs retained by CSE at the end of the review period.
  • The percentage change in the total number of recognized PCs intercepted by CSE's foreign intelligence program.
  • The number of PCs "with substantive content" used or retained by CSE's cyber security program. 
  • The number of requests made by Canadian government clients for disclosure of Canadian Identity Information (CII) cited in reports by CSE or Five Eyes partners.
  • The number of requests for CII made by Five Eyes partners.
  • The number of requests for CII made by other states.

None of that information was published here.

One praiseworthy exception to the dearth of information in the report is the figure provided for the overall number of foreign intelligence reports released by CSE: 2,528. Some historical numbers have been released in the past, but this is the first current figure ever published by the agency.

That number may seem surprisingly low, but (as the agency was good enough to confirm to me) it excludes reports released by the Canadian Forces Information Operations Group (CFIOG), the Canadian Forces element that does a lot of SIGINT collection and processing under CSE's direction. The total number of Canadian SIGINT reports is thus probably closer to 10,000 a year, but I was advised not to bother asking for that number.

The report also reveals that SIGINT reports went to 1,450 clients in 28 federal government departments and agencies last year. This represents a sizable drop from the "more than 2,100" clients that CSE served the year before, possibly due to the number of public servants who have been working from home during the pandemic, away from the secure facilities needed for SIGINT access. (For more on CSE's response to the COVID-19 pandemic, see my chapter in Stress Tested.)

Another notable statistic included in the report concerned the number of full-time employees CSE has: 2,992 as of March 31, 2021. 

That is more than three times the number of employees CSE had when the Cold War ended (900), and the total was only that high because of a 50% build-up during the 1980s. CSE spent most of the Cold War at or below 20% of its current size. The Internet era has been very good to the agency.


Budget information

The report is also missing much of the financial and other data that was routinely reported by the Department of National Defence in its annual budget documents prior to CSE's November 2011 spin-off as a free-standing agency. (See here for the high-water mark of CSE transparency when the agency operated as part of DND.) 

CSE has never offered any public justification good, bad, or otherwise for its decision to stop providing data that had been published routinely up to that point on topics such as its broad intelligence priorities, capital and operating budgets, and selected major projects.

The report does provide an overall budget authority figure for the agency ($794 million), but it says nothing about the resource breakdown between the SIGINT and cyber security sides of the agency. Before 2018 this information was provided both at the beginning of the fiscal year (in the annual budget estimates) and after the fact (in the public accounts). This is no longer done. 

For the moment at least, after-the-fact data on the breakdown is still available online at GC Infobase:

But information for the current fiscal year is no longer available anywhere, so if you want to know how well (or not) Canada is supporting its cyber security program, you'll have to wait a year or two to find out what the picture used to be. 

And that's assuming the information continues to be made available. As far as I can tell this breakdown data is no longer published in any formal government document or hard-copy form of any kind, so its provision could stop and everything from fiscal year 2018-19 onwards could go down the digital memory hole at any time. 

In my view, up-to-date budget information, including the breakdown into the SIGINT and cybersecurity programs, should be posted every year on the CSE website and comprehensive data should also be published in each year's annual report. CSE has never explained why it can't do that, presumably because there has never been a good reason.

The Australian Signals Directorate, CSE's slightly smaller Five Eyes counterpart in Canberra, publishes vastly more detailed financial information in its annual reports (e.g., Annual Report 2019-20) and yet still appears to go on being a fully functioning agency. 

Final thoughts

Overall, this report is a distinct improvement over its predecessor. 

But there is a lot of scope left for further transparency on the part of CSE, even if the goal were just to return to the transparency level in 2011.

CSE should also make their annual reports available in PDF format. Like their first annual report, this edition was released in web format only. According to CSE's Director General of Public Affairs and Communications Services, Christopher Williams, that "was by design as we are trying to have our publications exist in a digital form, and avoid printing. I am happy to report that the report meets all government of Canada accessibility standards.

Here are my concerns about that:

First, it can be very useful to store your own digital copy of documents such as this. Sometimes the on-line version gets moved and the link no longer works, or it gets removed entirely, or the website is temporarily down, or you don't have Internet access at the time, or the whole Internet is down for a while. If you have your own copy of the document, this is not a problem. Depending on how long the Internet is down, civilization may collapse (or perhaps be saved), but at least you have a copy of the report you can work with. Web documents are a pain in the butt to save in complete and legible off-line form. The original version of the 2019-2020 report was broken into multiple separate web pages, making it even more painful to use. That gratuitous annoyance seems to have been fixed sometime in the interim, and this year's version didn't go down that road, which is certainly a mercy, but it's still an inconvenient format.

Second, it is extremely helpful to have page numbers if you're going to cite information in documents such as this in other publications. Yes, the reader may be able to find the information you cited by electronically searching the text, but that only works for direct quotes or (sometimes) key words. Good luck to the reader if you paraphrase something and send them to find it in this document. Why make it hard for people?

For the moment, at least, the cyber security side of CSE, the Cyber Centre, seems to recognize the value of providing documents in PDF as well as web format (see, for example, the documents listed here). 

When will CSE as a whole see the light?


Post a Comment

<< Home