Thursday, December 08, 2022

NSICOP report on Global Affairs Canada

On November 4th, the National Security and Intelligence Committee of Parliamentarians (NSICOP) released the public version of its report on the security and intelligence activities of Global Affairs Canada (GAC), otherwise known as the Department of Foreign Affairs, Trade and Development.

There's a lot of new information in the report about GAC's role in the Canadian intelligence community as overseer, facilitator, collector, assessor, and consumer of intelligence. It's well worth reading.

In the following, I'll focus on what the report says about how Global Affairs works with the Communications Security Establishment.


GAC–CSE relationship

On page 24 (PDF page 33), NSICOP describes the overall relationship between CSE and Global Affairs:

GAC's collaboration with CSE ... dates back to the creation of CSE in 1946. GAC has long been a client of CSE's foreign intelligence collection ***. While GAC has had a formal consultation role for some of CSE's most sensitive activities since 2002, the coming into force of the CSE Act in 2019 provided GAC a more significant role in CSE's new authorities for cyber operations.

(NSICOP uses "***" to indicate where information that was in the classified version of the report has been redacted.)

GAC and CSE formalized their cooperation with the signing of a General Framework Agreement in 2009. The agreement recognized the organizations' cooperation in the collection of foreign intelligence, their long-standing collaboration on the implementation of Canada's Export Control legislation, and their response and handling of cyber incidents targeting GAC. (p 24/PDF 33)

Take note of that mention of "the organizations' cooperation in the collection of foreign intelligence"; we'll return to that point later on.


Computer Network Exploitation

Next we get a quick look at GAC's oversight of CSE computer hacking operations used to collect intelligence from information technology systems and networks, more formally known as Computer Network Exploitation (CNE).

All mentions of CNE are redacted from NSICOP's report, but it is clear from the context that CNE is the subject. (For more fun with CNE redactions, see here.)

The first formal agreement on consultation between CSE and GAC concerned the agency's *** activities. These activities use *** for the purpose of collecting foreign intelligence. In 2002, GAC and CSE signed a memorandum of understanding under which CSE would inform GAC prior to undertaking its most *** outside of Canada. (p 24/PDF 33)

The CNE memorandum of understanding was signed by the Minister of National Defence on 23 April 2002.

The agreement also granted GAC a role in challenging CSE's conduct of certain activities ***. While the 2002 memorandum of understanding remains in place, the two organizations streamlined elements of the agreement in 2015. (p 24-25/PDF 33-34)

GAC's role is to make sure the potential risks/rewards of CNE operations are assessed in the context of Canada's overall foreign policy.


Foreign relationships

CSE is also required to consult GAC before entering into any arrangements with foreign states or institutions. Since the 2019 entry into force of the CSE Act, it has been a statutory requirement that the Minister of National Defence consult the Minister of Foreign Affairs before approving such arrangements.

Given the recent nature of this authority, CSE has not consulted GAC prior to entering into such an arrangement at the time of writing. (p 25/PDF 34)


Defensive cyber operations (DCO)

The CSE Act also requires the Minister of National Defence to consult the Minister of Foreign Affairs prior to issuing an authorization for defensive cyber operations (DCO). DCOs are cyber operations designed to protect Canadian government networks or systems designated as being of importance to the government.

The Minister of National Defence issued the first authorization for defensive cyber operations in *** 2019. CSE officials developed this authorization in consultation with GAC. (p 26/PDF 35)

Although redacted here, the date of the authorization was 5 September 2019, as reported by NSICOP in its February 2022 cybersecurity report (p 77/PDF 89).

The November report provides some additional details on GAC's contribution:

At the operational level, GAC provides foreign policy risk assessments for all of CSE's planned defensive cyber operations. As part of its assessment of the proposed operation, GAC considers potential implications for Canadian interests, the operation's compliance with international law and cyber norms, alignment with broader foreign policy interests, the nature of the target (***) and whether the operations ***. (p 26/PDF 35)

Also interesting is this bit of news:

Between *** and *** , CSE planned but did not conduct any defensive cyber operations, because separate defensive cyber measures taken by CSE obviated the need for the planned cyber operations. (p 26/PDF 35)

It would be even more interesting, of course, if unredacted dates were provided. Fortunately, NSICOP's February 2022 report (p 96/PDF 108) did provide that information, stating that no DCOs were conducted during the first two DCO authorization periods (i.e., from September 2019 to August 2021).

That report also informed us that, "in the first year, normal cyber defence activities successfully mitigated the threat and obviated the need for a separate operation and in the second year, planned operations had not proceeded to the operational stage." (p 96/PDF 108)

It would be interesting to know if any DCOs have yet been conducted.


S.16 activities

Under s.16 of the CSIS Act, CSIS can collect foreign intelligence "within Canada" on request of either the Defence Minister or the Foreign Affairs Minister. This might entail monitoring the communications of an embassy in Ottawa, for example.

CSE often helps with technology, processing, and reporting of the intelligence that results from s.16 collection, and GAC plays a role as a requestor, assessor of foreign policy risk, and intelligence client.

In 2008, officials from participating organizations introduced a formalized governance model [for the s.16 program], which included a requirement to assess potential subjects against criteria linked to Canada's intelligence priorities and a permanent oversight committee structure (the *** Committee) with the responsibility to evaluate and endorse section 16 rationales before they are submitted for approval to the relevant ministers. (p 38/PDF 46)

All information about the committee, including its name, is redacted from NSICOP's report.

By contrast, a 2015 report by OCSEC, CSE's first watchdog agency, described the committee structure in detail, and this information was later released mostly unredacted to reporter Colin Freeze via Access to Information request A-2015-00082.

Some of the details may have changed since then, but if the information was releasable at that time, why not now?


Active cyber operations (ACO)

The CSE Act also "allows CSE to conduct active cyber operations to degrade, disrupt, influence or interfere with the capabilities or intentions of foreign entities." (p 41/PDF 49)

In recognition of the foreign policy implications of these activities, the Act stipulates that the Minister of National Defence may issue this authorization only if the Minister of Foreign Affairs has requested or consented to its issue. (p 41/PDF 49)

Note that this differs from DCOs, which require only consultation with the Foreign Affairs Minister.

"The Minister of National Defence issued CSE's first authorization for active cyber operations in 2019" (p 41/PDF 49), i.e., shortly after the CSE Act came into force.

The 2019 Annual Report (p. 25) of the National Security and Intelligence Review Agency (NSIRA) also confirmed that an ACO authorization was issued that year.

But NSICOP's report goes on to provide considerably more information than was released previously:

Between 2019 and 2020, CSE planned four active cyber operations and carried out one. (p 41/PDF 49)

The ACO that was carried out sought to "disrupt the activities of terrorists and violent extremists." (p 41/PDF 49)

The three ACOs not conducted sought "to disrupt foreign cyber threats to the 2019 federal election"; "to counter the dissemination by specific terrorist groups of extremist material on-line"; and "to mitigate threats posed by foreign cybercriminal groups targeting Canadians". (p 41-42/PDF 49-50)

The election-related ACO was not conducted "because no specific state-led operations were detected", while the other two did not get done "due to operational restrictions arising from COVID". (p 41-42/PDF 49-50)

(For more on the effect of the COVID-19 pandemic on the Canadian security and intelligence community, see this book.)

In August 2019, the Minister of Foreign Affairs directed GAC officials to work with CSE to develop a formal governance mechanism to ensure CSE's cyber operations align with Canada's foreign policy and international legal obligations. (p 42/PDF 50)

This led, in 2020, to the creation of "the CSE–GAC Active Cyber Operations/Defensive Cyber Operations Working Group and a comprehensive governance framework for consultation on cyber operations". (p 42/PDF 50)

The report also reveals that, inside CSE, "the Cyber Operations Group and the Cyber Management Group oversee CSE's cyber operations. These are executive bodies, at the director- and director general-level respectively, that review and approve cyber operation plans and risk assessments. The Director of *** and the Deputy Chief of Signals Intelligence chair the respective committees, and membership depends on ***." (p 43/PDF 51)

This is the first official confirmation, I think, that CSE's cyber operations are lodged in the agency's SIGINT branch.

Interestingly, NSIRA also recently looked at the GACCSE relationship with respect to the governance of ACO/DCO activities.

Among other findings, NSIRA stated that "CSE and GAC have not established a threshold to determine how to identify and differentiate between a pre-emptive Defensive Cyber Operation and an Active Cyber Operation, which can lead to the insufficient involvement of GAC if the operation is misclassified as defensive." (p 69/PDF 77)

In total, NSIRA made nine recommendations for improvements relating to "engaging other departments to ensure an operation’s alignment with broader Government of Canada priorities; demarcating an ACO from a pre-emptive DCO; assessing each operation’s compliance with international law; and communicating with each other any newly acquired information that is relevant to the risk level of an operation." (p 21/PDF 29)

The full set of findings and recommendations can be found on pages 69-71 (PDF 77-79) of NSIRA's report.


PILGRIM's progress

Getting back to NSICOP, the next two pages of the committee's report (p 44-45/PDF 52-53) discuss a program that is ostensibly so secret that all information is redacted except for one sentence: "GAC states that it derives its authority for the program from the Crown prerogative." (p 44/PDF 52)

This is clearly the program known at one time as PILGRIM for the operation of CSE intercept facilities inside Canadian diplomatic missions, our equivalent of U.S. Special Collection Service sites.

Presumably it was this program that NSICOP was alluding to when (as I noted at the beginning of this post) it mentioned GAC and CSE's "cooperation in the collection of foreign intelligence". (p 24/PDF 33)

All of the Five Eyes partners operate such intercept sites, known collectively under the coverterm STATEROOM, but the official policy is to pretend no one knows Canada does this sort of thing, so even the fact of its existence remains classified. That rare allusion is as close as we get to an official confirmation.

Still, NSICOP did manage to flag some concerns about GAC's role in the program in its descriptions of three of the redactions (p 45/PDF 53):

1. "The paragraph noted that the Department does not have any policies, procedures or documents to govern its involvement, and does not have any reporting requirements to the Minister".

2. "The paragraph noted challenges regarding the management of risk."

3. "The paragraph noted the Department's failure to inform the Minister of important issues."

One of the report's four recommendations was probably aimed in part at this program:

R3. [NSICOP recommends that the] Minister of Foreign Affairs put in place comprehensive governance mechanisms for the Department's security and intelligence activities and for those that it supports or contributes to at partner organizations. Those mechanisms should better document processes and decision points to strengthen accountability and institutional memory. (p 95/PDF 102)


Intelligence Access and Countermeasures section

A few pages after the intercept sites discussion — past another almost entirely redacted part called "Logistical Support ***" that probably discusses GAC's occasional provision of support to Five Eyes partner HUMINT agencies like MI6 and the CIA — is a chapter on GAC's own intelligence activities.

There is a lot of very useful and rarely if ever reported information in there about what Global Affairs itself does in this field, but for my purposes I want to highlight just one aspect:

In 2017, GAC established a division within the Intelligence Bureau responsible for the management of highly classified communications at missions abroad. This Intelligence Access and Countermeasures section works closely with CSE to accredit and protect GAC's signals intelligence secure areas. (p 51-52/PDF 59-60)

("Signals intelligence secure area" (SSA), by the way, is the Canadian SIGINT community's equivalent for what in the U.S. is known as a secure compartmented information facility, or SCIF.)

NSICOP's description of the Intelligence Access and Countermeasures section gives the impression that it deals only with GAC's own communications, and maybe it does do only that. But the fact that "Intelligence Access" is included in the section's name may indicate that it also looks after the intercept sites at the missions, which of course also would be located in SSAs.

A probably much less likely theory is that the unit is also mandated to conduct close-access operations, which are designed to enable SIGINT collection by placing antennas or other collection systems in close proximity to targeted information technology systems and/or installing hardware or software implants directly in them.

The foreign intelligence collection authorities granted to CSE in the CSE Act are broad enough to encompass close-access activities:

The foreign intelligence aspect of the Establishment’s mandate is to acquire, covertly or otherwise, information from or through the global information infrastructure, including by engaging or interacting with foreign entities located outside Canada or by using any other method of acquiring information, and to use, analyse and disseminate the information for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities. (s.16)

And the agency could, with Global Affairs' agreement, deputize GAC personnel to conduct such operations on its behalf.

However, heads far wiser than mine consider it all but inconceivable that any Canadian government would ever muster the will to attempt such inherently perilous operations, with their potential for embarrassing exposure and, worse, risk to the life or liberty of the individuals participating.

Also, we might expect there to be a lot more discussion of the topic in this report if the section's role really did extend that far. (That said, it's not impossible that there is such a discussion buried in the redacted parts of the report concerning intercept sites.)

I'm probably letting my imagination run away with me when it comes to close-access ops. But I'll keep pondering that imponderable because certain comments made by CSE's former Deputy Chief SIGINT way back in 2007 leave me strongly inclined to believe that CSE would very much like the government to conduct such operations for it.


There is a lot of other valuable information about GAC's intelligence role in this report, but that pretty much covers the CSE-related aspects.


Redactio ad absurdum

I will make one final complaint about pointless redactions, however. On pages 75-78 (PDF 83-86) there is a case study of a kidnapping incident involving a Canadian from which almost all personal details have been redacted.

Maybe it's intended as a privacy thing, but it only takes about a minute on Google to fill in all those blanks.