Technology, Thoughts & Trinkets

Touring the digital through type

Category: Internet (page 1 of 39)

Canada’s New and Irresponsible Encryption Policy: How the Government of Canada’s New Policy Threatens Charter Rights, Cybersecurity, Economic Growth, and Foreign Policy

Photo by Marco Verch (CC BY 2.0) https://flic.kr/p/RjMXMP

The Government of Canada has historically opposed the calls of its western allies to undermine the encryption protocols and associated applications that secure Canadians’ communications and devices from criminal and illicit activities. In particular, over the past two years the Minister of Public Safety, Ralph Goodale, has communicated to Canada’s Five Eyes allies that Canada will neither adopt or advance an irresponsible encryption policy that would compel private companies to deliberately inject weaknesses into cryptographic algorithms or the applications that facilitate encrypted communications. This year, however, the tide may have turned, with the Minister apparently deciding to adopt the very irresponsible encryption policy position he had previously steadfastly opposed. To be clear, should the Government of Canada, along with its allies, compel private companies to deliberately sabotage strong and robust encryption protocols and systems, then basic rights and freedoms, cybersecurity, economic development, and foreign policy goals will all be jeopardized.

This article begins by briefly outlining the history and recent developments in the Canadian government’s thinking about strong encryption. Next, the article showcases how government agencies have failed to produce reliable information which supports the Minister’s position that encryption is significantly contributing to public safety risks. After outlining the government’s deficient rationales for calling for the weakening of strong encryption, the article shifts to discuss the rights which are enabled and secured as private companies integrate strong encryption into their devices and services, as well as why deliberately weakening encryption will lead to a series of deeply problematic policy outcomes. The article concludes by summarizing why it is important that the Canadian government walk back from its newly adopted irresponsible encryption policy.

Continue reading

Practical Steps To Advance Cybersecurity in Canada’s Financial Sector

Last week I appeared before the Standing Committee on Public Safety and National Security (SECU) to testify about Cybersecurity in the financial sector as a national economic security issue. I provided oral comments to the committee which were, substantially, a truncated version of the brief I submitted. If so interested, my oral comments are available to download, and what follows in this post is the actual brief which was submitted.

Introduction

  1. I am a research associate at the Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto. My research explores the intersection of law, policy, and technology, with a focus on national security, data security, and data privacy issues. I submit these comments in a professional capacity representing my views and those of the Citizen Lab.

The State of Computer Insecurity

  1. Canadian government agencies, private businesses and financial institutions, and private individuals rely on common computing infrastructures. Apple iPhones and Android-based devices are used for professional and private life alike, just as are Microsoft Windows and MacOS. Vulnerabilities in such mobile and personal computing operating systems can prospectively be leveraged to obtain access to data on the targeted devices themselves, or utilized to move laterally in networked computing environments for reconnaissance, espionage, or attack purposes. Such threats are accentuated in a world where individuals routinely bring their own devices to the workplace, raising the prospect that personal devices can be compromised to obtain access to more securitized professional environments.
  2. The applications that we rely on to carry out business, similarly, tend to be used across the economy. Vulnerabilities in customer service applications, such as mobile banking applications, affect all classes of businesses, government departments, and private individuals. Also, underlying many of our commonly used programs are shared libraries, application programming interfaces (API), and random number generators (RNG); vulnerabilities such codebases are shared by all applications incorporating these pieces of code, thus prospectively endangering dozens, hundreds, or thousands of applications and systems. This sharedness of software between the public and private sector, and professional and private life, is becoming more common with the growth of common messaging, database, and storage systems, and will only become more routine over time.
  3. Furthermore, all sectors of the economy are increasingly reliant on third-party cloud computing services to process, retain, and analyze data which is essential to business and government operations, as well as personal life. The servers powering these cloud computing infrastructures are routinely found to have serious vulnerabilities either in the code powering them or, alternately, as a result of insufficient isolation of virtual servers from one another. The result is that vulnerabilities or errors in setting up cloud infrastructures prospectively enable third-parties to inappropriately access, modify, or exfiltrate information.
  4. In summary, the state of computer insecurity is profound. New vulnerabilities are discovered — and remediated — every day. Each week new and significant data breaches are reported on by major media outlets. And such breaches can be used to either engage in spearphishing — to obtain privileged access to information that is possessed by well-placed executives, employees, or other persons — or blackmail — as was threatened in the case of the Ashley Madison disclosures — or other nefarious activities. Vulnerabilities affecting computer security, writ large, threaten the financial sector and all other sectors of the economy, with the potential for information to be abused to the detriment of Canada’s national security interests.

Responsible Encryption Policies

  1. Given the state of computer (in)security, it is imperative that the Government of Canada adopt and advocate for responsible encryption policies. Such policies entail commitments to preserving the right of all groups in Canada — government, private enterprises, and private individuals — to use computer software using strong encryption. Strong encryption can be loosely defined as encryption algorithms for which no weakness or vulnerability is known or has been injected, as well as computer applications that do not deliberately contain weaknesses designed to undermine the effectiveness of the aforementioned algorithms.
  2. There have been calls in Canada,1 and by law enforcement agencies in allied countries,2 to ‘backdoor’ or otherwise weaken the protections that encryption provides. Succumbing to such calls will fundamentally endanger the security of all users of the affected computer software3 and, more broadly, threaten the security of any financial transactions which rely upon the affected applications, encryption algorithms, or software libraries.
  3. Some of Canada’s closest allies, such as Australia, have adopted irresponsible encryption policies which run the risk of introducing systemic vulnerabilities into the software used by the financial sector, as well as other elements of the economy and government functions.4 Once introduced, these vulnerabilities might be exploited by Australian intelligence, security, or law enforcement agencies in the course of their activities but, also, by actors holding adversarial interests towards Canada or the Canadian economy. Threats activities might be carried out against the SWIFT network, as just one example.5
  4. It is important to note that even Canada’s closest allies monitor Canadian banking information, often in excess of agreed upon surveillance mechanisms such as FINTRAC. As one example, information which was publicly disclosed by the Globe and Mail revealed that the United States of America’s National Security Agency (NSA) was monitoring Royal Bank of Canada’s Virtual Private Network (VPN) tunnels. The story suggested that the NSA’s activities could be a preliminary step in broader efforts to “identify, study and, if deemed necessary, “exploit” organizations’ internal communications networks.”6
  5. Access to strong, uncompromised encryption technology is critical to the economy. In a technological environment marked by high financial stakes, deep interdependence, and extraordinary complexity, ensuring digital security is of critical importance and extremely difficult. Encryption helps to ensure the security of financial transactions and preserves public trust in the digital marketplace. The cost of a security breach, theft, or loss of customer or corporate data can have devastating impacts for private sector interests and individuals’ rights. Any weakening of the very systems that protect against these threats would represent irresponsible policymaking. Access to strong encryption encourages consumer confidence that the technology they use is safe.
  6. Given the aforementioned threats, I ​recommend​ that the Government of Canada adopt a responsible encryption policy. Such a policy would entail a firm and perhaps legislative commitment to require that all sectors of the economy have access to strong encryption products, and would stand in opposition to irresponsible encryption policies, such as those calling for ‘backdoors’.

Vulnerabilities Equities Program

  1. The Canadian government presently has a process in place, whereby the Communications Security Establishment (CSE) obtains computer vulnerabilities and ascertains whether to retain them or disclose them to private companies or software maintainers to remediate the vulnerabilities. The CSE is motivated to retain vulnerabilities to obtain access to foreign systems as part of its signals intelligence mandate and, also, to disclose certain vulnerabilities to better secure government systems. To date, the CSE has declined to make public the specific process by which it weighs the equities in retaining or disclosing these vulnerabilities.7 It remains unclear if other government agencies have their own equities processes. The Canadian government’s current policy stands in contrast to that of the United States of America, where the White House has published how all federal government agencies evaluate whether or retain or disclose the existence of a vulnerability.8
  2. When agencies such as the CSE keep discovered vulnerabilities secret to later use them against specific targets, the unpatched vulnerabilities leave critical systems open to exploitation by other malicious actors who discover them. Vulnerability stockpiles kept by our agencies can be uncovered and used by adversaries. The NSA’s and Central Intelligence Agency’s (CIA) vulnerabilities have been leaked in recent years,9 with one of the NSA vulnerabilities used by malicious actors to cause at least $10B in commercial harm.10
  3. As it stands, it is not clear what considerations guide Canada’s intelligence agencies’ decision-making process when they decide whether to keep a discovered vulnerability for future use or to disclose it so that it is fixed. There is also no indication that potentially impacted entities such as private companies or civil society organizations are involved in the decision-making process.
  4. To reassure Canadian businesses, and make evident that Canadian intelligence and security agencies are not retaining vulnerabilities which could be used by non-government actors to endanger Canada’s financial sector by way of exploiting such vulnerabilities, I would ​recommend​ that the Government of Canada publicize its existing vulnerabilities equities program(s) and hold consultations on its effectiveness in protecting Canadian software and hardware that is used in the course of financial activities, amongst other economic activities.
  5. Furthermore, I would ​recommend​ that the Government of Canada include the business community and civil society stakeholders in the existing, or reformed, vulnerabilities equities program. Such stakeholders would be able to identify the risks of retaining certain vulnerabilities for the Canadian economy, such as prospectively facilitating ransomware, data deletion, data modification, identify theft for commercial or espionage purposes, or data access and exfiltration to the advantage of other nation-states’ advantage.

Vulnerability Disclosure Programs

  1. Security researchers routinely discover vulnerabilities in systems and software that are used in all walks of life, including in the financial sector. Such vulnerabilities can, in some cases, be used to inappropriately obtain access to data, modify data, exfiltrate data, or otherwise tamper with computer systems in ways which are detrimental to the parties controlling the systems and associated computer information. Relatively few organizations, however, have explicit procedures that guide researchers in how to responsibly disclose such vulnerabilities to the affected companies. Disclosing vulnerabilities absent a disclosure program can lead companies to inappropriately threaten litigation to whitehat security researchers, and such potentials reduce the willingness of researchers to disclose vulnerabilities absent a vulnerability disclosure program.11
  2. Responsible disclosure of vulnerabilities typically involves the following. First, companies make clear to whom vulnerabilities can be reported, assure researchers they will not be legally threatened for disclosing vulnerabilities, and explains the approximate period of time a company will take to remediate the vulnerability reported. Second, researchers commit to not publicly disclosing the vulnerability until either a certain period of time (e.g. 30-90 days) have elapsed since the reporting, or until the vulnerability is patched, whichever event occurs once. The delimitation of a time period before the vulnerability is publicly reported is designed to encourage companies to quickly remediate reported vulnerabilities, as opposed to waiting for excessive periods of time before doing so.
  3. I would ​recommend​ that the Government of Canada undertake, first, to establish a draft policy that financial sector companies, along with other sector companies, could adopt and which would establish the terms under which computer security researchers could report vulnerabilities to financial sector companies. Such a disclosure policy should establish to whom vulnerabilities are reported, how reports are treated internally, how long it will take for a vulnerability to be remediated, and insulate the security researchers from legal liability so long as they do not publicly disclose the vulnerability ahead of the established delimited period of time.
  4. I would also ​recommend​ that the Government of Canada ultimately move to mandate the adoption of vulnerability disclosure programs for its own departments given that they could be targeted by adversaries for the purposes of financially advantaging themselves to Canada’s detriment. Such policies have been adopted by the United States of America’s Department of Defense12 and explored by the State Departments,13 to the effect of having hundreds of vulnerabilities reported and subsequently remediated. Encouraging persons to report vulnerabilities to the Government of Canada will reduce the likelihood that the government’s own infrastructures are successfully exploited to the detriment of Canada’s national interests.
  5. Finally, I would ​recommend​ that our laws around unauthorized access be studied with an eye towards determining if they are too broad in their chill and impact on legitimate security researcher.

Two Factor Authentication Processes

  1. Login and password pairs are routinely exfiltrated from private companies’ databases. Given that many individuals either use the same pair across multiple services (e.g. for social media as well as for professional accounts) and, also, that many passwords are trivially guessed, it is imperative that private companies’ online accounts incorporate two factor authentication (2FA). 2FA refers to a situation where an individual must be in possession of at least two ‘factors’ to obtain access to their accounts. The ‘factors’ most typically used for authentication include something that you know (e.g. a PIN or password), something you have (e.g. hardware token or random token generator), or something that you are (biometric, e.g. fingerprint or iris scan).14
  2. While many financial sector companies use 2FA before employees can obtain access to their professional systems, the same is less commonly true of customer-facing login systems. It is important for these latter systems to also have strong 2FA to preclude unauthorized third-parties from obtaining access to personal financial accounts; such access can lead to better understandings of whether persons could be targeted by a foreign adversary for espionage recruitment, cause personal financial chaos (e.g. transferring monies to a third-party, cancelling automated bill payments, etc) designed to distract a person while a separate cyber activity is undertaken (e.g. distract a systems administrator to deal with personal financial activities, while then attempting to penetrate sensitive systems or accounts the individual administrates), or direct money to parties on terrorist watchlists.
  3. Some Canadian financial institutions do offer 2FA but typically default to a weak mode of second factor authentication. This is problematic because SMS is a weak communications medium, and can be easily subverted by a variety of means.15 This is why entities such as the United States’ National Institute of Standards and Technology no longer recommends SMS as a two factor authentication channel.16
  4. To improve the security of customer-facing accounts, I ​recommend​ that financial institutions should be required to offer 2FA to all clients and, furthermore, that such authentication utilize hardware or software tokens (e.g. one time password or random token generators). Implementing this recommendation will reduce the likelihood that unauthorized parties will obtain access to accounts for the purposes of recruitment or disruption activities.

Organizational Information

  1. The views I have presented are my own and based out of research that I and my colleagues have carried out at my place of employment, the Citizen Lab. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
  2. We use a “mixed methods” approach to research combining practices from political science, law, computer science, and area studies. Our research includes: investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities.

1 RCMP’s ability to police digital realm ‘rapidly declining,’ commissioner warned, https://www.cbc.ca/news/politics/lucki-briefing-binde-cybercrime-1.4831340.
2 In the dark about ‘going dark’, https://www.cyberscoop.com/fbi-going-dark-encryption-ari-schwartz-op-ed/.
3 See: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, https://dspace.mit.edu/handle/1721.1/97690; Shining A Light On The Encryption Debate: A Canadian Field Guide, https://citizenlab.ca/2018/05/shining-light-on-encryption-debate-canadian-field-guide/.
4 Civil Society Letter to Australian Government, February 21, 2019, https://newamericadotorg.s3.amazonaws.com/documents/Coalition_comments_Australia_Assistance_and_Access_Law_2018_Feb_21_2019.pdf; Australia’s Encryption Law Deals a Serious Blow to Privacy and Security, https://nationalinterest.org/feature/australia’s-encryption-law-deals-serious-blow-privacy-and-security-39212.
5 That Insane, $81M Bangladesh Bank Heist? Here’s What We Know, https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/.
6 NSA trying to map Rogers, RBC communications traffic, leak shows, https://www.theglobeandmail.com/news/national/nsa-trying-to-map-rogers-rbc-communications-traffic-leak- shows/article23491118/.
7 When do Canadian spies disclose the software flaws they find? There’s a policy, but few details, https://www.cbc.ca/news/technology/canada-cse-spies-zero-day-software-vulnerabilities-1.4276007.
8 Vulnerabilities Equities Policy and Process for the United States Government (November 15, 2017), https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF.
9 Who Are the Shadow Brokers?, https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/; WikiLeaks Starts Releasing Source Code For Alleged CIA Spying Tools, https://motherboard.vice.com/en_us/article/qv3xxm/wikileaks-vault-7-vault-8-cia-source-code.
10 The Untold Story of NotPetya, the Most Devastating Cyberattack in History, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.
11 Vulnerability Disclosure Policies (VDP): Guidance for Financial Services, https://www.hackerone.com/sites/default/files/2018-07/VDP%20for%20Financial%20Services_Guide%20%281%29.pdf.
12 The Department of Defense wants more people to ‘hack the Pentagon’ — and is willing to pay them too, https://www.businessinsider.com/department-defense-wants-people-hack-pentagon-2018-10; DoD Vulnerability Disclosure Policy, https://hackerone.com/deptofdefense.
13 House panel approves bill to ‘hack’ the State Department, https://thehill.com/policy/cybersecurity/386897-house-panel-approves-bill-to-hack-the-state-department.
14 Office of the Privacy Commissioner of Canada Privacy Tech-Know Blog – Your Identity: Ways services can robustly authenticate you, https://www.priv.gc.ca/en/blog/20170105/.
15 Cybercriminals intercept codes used for banking to empty your accounts, https://www.kaspersky.com/blog/ss7-hacked/25529/; AT&T gets sued over two-factor security flaws and $23M cryptocurrency theft, https://www.fastcompany.com/90219499/att-gets-sued-over-two-factor-security-flaws-and-23m-cryptocurrency-theft.
16 Standards body warned SMS 2FA is insecure and nobody listened, https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/.

Citizen Lab and CIPPIC Release Analysis of the Communications Security Establishment Act

The Fifth Eye by Dustin Ginetz (CC BY-NC-SA 2.0) https://flic.kr/p/id9KHn

It’s with real pleasure that I can announce that the Citizen Lab and the Canadian Internet Policy & Public Interest Clinic (CIPPIC) have collaborated to produce a report which provides timely legal analysis, political context, and historical background on the Communications Security Establishment Act and related provisions in Bill C-59 (An Act respecting national security matters), First Reading (December 18, 2017).  We hope that this resource will help members of parliament, journalists, researchers, lawyers, and civil society advocates engage more effectively on the issues at stake. Our report represents an analysis of the legislation as it enters political debate in Canada, and should be understood in the context of a rapidly evolving legal and political landscape.

The Communications Security Establishment (“the CSE” or “the Establishment”) is Canada’s national signals intelligence and cybersecurity agency. In the course of our analysis, we summarize the CSE’s mandate, activities, operations, and powers, with an emphasis on their potential implications for human rights and global security. We also offer a series of recommendations which, if adopted, would ensure a more legally sound framework for the CSE, better protect global security interests in a rapidly changing technological environment, and more effectively account for Canada’s domestic and international human rights obligations.

In Section I, we provide a brief overview of the CSE’s current mandate and certain controversial activities undertaken as part of that mandate. We also provide a high-level overview of Bill C-59 and its primary implications for the CSE.

In Section II, we undertake a detailed analysis of key issues arising from Bill C-59 related to the CSE, focusing on aspects with the most critical implications for human rights, political transparency, and global security. In particular, some of the issues we highlight in the legislation relate to:

  • Longstanding problems with the CSE’s foreign intelligence operations, which are predicated on ambiguous and secretive legal interpretations that legitimize bulk collection and mass surveillance activities. These activities both attract Charter protections and engage Canada’s human rights obligations.
  • The complete lack of meaningful oversight and control of the CSE’s activities under the proposed active and defensive cyber operations aspects of its mandate.
  • The absence of meaningful safeguards or restrictions on the CSE’s active and defensive cyber operations activities, which have the potential to seriously threaten secure communications tools, public safety, and global security.
  • The absence of meaningful safeguards or restrictions on the CSE’s activities more generally. As drafted, the CSE Act appears to include a loophole which would allow the Establishment to cause death or bodily harm, and to interfere with the “course of justice or democracy,” if acting under its foreign intelligence or cybersecurity powers while prohibiting these outcomes under its new cyber operation powers.
  • The risk that the CSE’s cybersecurity and assurance operations for the federal government could threaten independence of the courts or the separation of powers.
  • Concerns regarding the framework for the CSE’s acquisition of malware, spyware and hacking tools, which may legitimize a market predicated on undermining and subverting, rather than strengthening, the security of the global information infrastructure.
  • Serious issues related to the CSE’s provision of technical and operational assistance to other entities—including Canadian law enforcement—which may lead the CSE to proffer capabilities that would otherwise be illegal or unconstitutional for domestic partners to develop, use or possess, or which would be inherently disproportionate if deployed in those contexts (e.g., in policing operations).
  • Potential issues with the National Security Intelligence Review Agency’s ability to access foreign-provided information, and the risk of regulatory capture through its hiring policies.
  • Serious shortcomings—both legal and practical—in the role of the Intelligence Commissioner, which does not resolve the constitutional challenges surrounding the current CSE Commissioner or the constitutionality of the CSE’s activities more generally.
  • The Intelligence Commissioner’s inability to exercise meaningful and comprehensive oversight and control over the CSE’s activities (including its most problematic activities) due to an under-inclusive mandate, issues of independence, and insufficient powers of a quasi-judicial nature.
  • Weak and vague protections for the privacy of Canadians and persons in Canada, alongside an abject disregard for privacy rights as an international human rights norm.
  • Extraordinary exceptions to the CSE’s general rule against “directing” activities at Canadians and persons in Canada significantly expand the CSE’s ability to use its expansive powers domestically.
  • A general failure to recognize that the highly interconnected and interdependent nature of the global information infrastructure means that protections or limits on the CSE’s powers that begin and end at national boundaries are insufficient to protect Canada’s security interests.
  • Deep tensions at the core of the CSE mandate, which requires the Establishment to both protect and defend against security threats while simultaneously exploiting, maintaining, and creating new vulnerabilities in order to further its foreign intelligence agenda. These tensions are exacerbated by the introduction of new offensive powers and the two new aspects of its mandate.
  • A lack of legal clarity regarding how, when, and whether vulnerabilities discovered by the CSE are disclosed to vendors or the public, and how the CSE accounts for the public interest in the process.
  • The lack of oversight or reporting requirements for “arrangements” with equivalent agencies to the CSE in foreign jurisdictions. There is a risk that these partnerships could involve receipt of information derived from torture or other activities that would be unlawful or unconstitutional if conducted by a Canadian agency.

In Section III, we summarize recommendations emerging from our analysis for committee members and other members of Parliament studying the proposed CSE Act. In particular, we make recommendations to improve systems of review, oversight, and control of the CSE and to constrain the CSE’s ability to engage in activities that are problematic, abusive, unconstitutional, or in violation of international human rights norms.

Download a copy of “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59 ( An Act respecting national security matters ), First Reading (December 18, 2017)

Update to the SIGINT Summaries

As part of my ongoing research into the Edward Snowden documents, I have found and added an additional two documents to the Canadian SIGINT Summaries. The Summaries include downloadable copies of leaked Communications Security Establishment (CSE) documents, along with summary, publication, and original source information. CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD), and Government Communications Security Bureau (GCSB).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

These documents came to light as I examined the activities that took place between the NSA and New Zealand signals intelligence agencies. The first, “NSA Intelligence Relationship with New Zealand” notes that Canada is a member of the SIGINT Seniors Pacific group as well as SIGINT Seniors Europe. The second, “SIGINT Development Forum (SDF) Minutes”, notes how CSE and GCSB define shaping as “industry engagement and collection bending” as well as CSEC had considered audit analysts’ accounts similar to the NSA, though the prospect of such auditing had rearisen as a discussion point.

NSA Intelligence Relationship with New Zealand

Summary: This document summarizes the status of the NSA’s relationship with New Zealand Government Communications Security Bureau (GCSB). The GCSB has been forced to expend more of its resources on compliance auditing following recommendations after it exceeded its authority in assisting domestic law enforcement, but continues to be focused on government and five eyes priorities and encouraged to pursue technical interoperability with NSA and other FVEY nations.

The NSA provides GCSB with “raw traffic, processing, and reporting on targets of mutual interest, in addition to technical advice and equipment loans.” The GCSB primarily provides the NSA with access to communications which would otherwise remain inaccessible. These communications include: China, Japanese/North Korean/Vietnamese/South American diplomatic communications, South Pacific Island nations, Pakistan, India, Iran, and Antartica, as well as French police and nuclear testing activities in New Caledonia.

Of note, GCSB is a member of SIGINT Seniors Pacific (SSPAC) (includes Australia, Canada, France, India, Korea, New Zealand, Singapore, Thailand, United Kingdom, and United States) as well as SIGINT Seniors Europe (SSEUR) (includes Australia, Belgium, Canada, Denmark, France, Germany, Italy, Netherlands, New Zealand, Norway, Spain, Sweden, United Kingdom, and United States).

Document Published: March 11, 2015
Document Dated: April 2013
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: NSA Intelligence Relationship with New Zealand
Classification: TOP SECRET//SI//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: None

SIGINT Development Forum (SDF) Minutes

Summary: This document summarizes the state of signals development amongst the Five Eyes (FVEY). It first outline the core imperatives for the group, including: ensuring that the top technologies are being identified for use and linked with the capability they bring; that NSA shaping (targeting routers) improves (while noting that for CSE and GCSB shaping involves “industry engagement and collection bending”); improving on pattern of life collection and analysis; improving on IP address geolocation that covers Internet, radio frequency, and GSM realms; analyzing how convergence of communications systems and technologies impacts SIGINT operations.

Privacy issues were seen as being on the groups’ radar, on the basis that the “Oversight & Compliance team at NSA was under-resourced and overburdened.” Neither GCSB or DSD were able to sponsor or audit analysts’ accounts similar to the NSA, and CSEC indicated it had considered funding audit billets; while dismissed at the time, the prospect has re-arisen. At the time the non-NSA FVEYs were considering how to implement ‘super-user’ accounts, where specific staff will run queries for counterparts who are not directly authorized to run queries on selective databases.

GCSB, in particular, was developing its first network analyst team in October 2009 and was meant to prove the utility of network analysis so as to get additional staff for later supporting STATEROOM and Computer Network Exploitation tasks. Further, GCSB was to continue its work in the South Pacific region, as well as expanding cable access efforts and capabilities during a 1 month push.  There was also a problem where 20% of GCSB’s analytic workforce lacked access to DSD’s XKEYSCORE, which was a problem given that GCSB provided NSA with raw data. The reason for needing external tools to access data is GCSB staff are prohibited from accessing New Zealand data.

Document Published: March 11, 2015
Document Dated: June 8-9, 2009
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: SIGINT Development Forum (SDF) Minutes
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: STATEROOM, XKEYSCORE

« Older posts