Unpacking the CSE’s 2021-2022 Annual Report

black binocular on round device
Photo by Skitterphoto on Pexels.com

The Communications Security Establishment (CSE) released its 2021-2022 Annual report on June 28, 2022.1 The CSE is Canada’s leading foreign signals intelligence and cryptologic agency. It is specifically tasked with collecting foreign intelligence, defending government of Canada networks as well as private networks and systems deemed of importance by the government, providing assistance to federal partners, and conducting active and defensive cyber operations.2 The CSE operates as a Canadian equivalent to the United Kingdom’s GCHQ.

Five things stood out to me in the annual report:

  1. It provides more details about the kinds of active and defensive cyber operations that the CSE has undertaken while also clarifying when such operations might take place. This information is important given the potentially deleterious or unintended impacts of the CSE exercising these capabilities. It is, however, worth recognizing that the CSE is casting these activities as preventative in nature and does not include a legal discussion about these kinds of operations.
  2. The report extensively discusses threats to critical infrastructure and the activities that the CSE is undertaking to defend against, mitigate, or remediate such threats. Many of the currently voluntary engagements between the CSE and industry partners could become compulsory (or, at a minimum, less voluntary), in the future, should Canada’s recently tabled infrastructure security legislation be passed into law.
  3. We generally see a significant focus on the defensive side of the CSE’s activities, vis-a-vis the Cyber Centre. This obscures the fact that the majority of the agency’s budget is allocated towards supporting the CSE’s foreign intelligence and active/defensive cyber operations teams. The report, thus, is selectively revelatory.
  4. No real discussion takes place to make clear to readers how aspects of the CSE’s foreign intelligence, cybersecurity/information assurance, assistance, or active or defensive cyber operations authorities may interoperate with one another. The result is that readers are left uncertain about how combinations of authorities might enable broader operations than are otherwise self-apparent.
  5. As I raise at several points when analyzing the annual report there are a number of situations where information in the annual report risks concealing the broader range(s) of actions that the CSE may undertake. Readers of the annual report are thus advised to critically assess the annual report and read what it specifically says instead of what it may imply.

In this post, I proceed in the order of the report and adopt the headlines it used to structure content. After summarizing some of the highlight elements in a given section I proceed with a short discussion of the relevant section. The post concludes with a broader assessment of the annual report, what was learned, and where more information is desirable in the future.

Continue reading

Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

grayscale photo of man and woman hacking a computer system
Photo by Tima Miroshnichenko on Pexels.com

On February 14, 2022, the National Security and Intelligence Committee of Parliamentarians (NSICOP) released a report that explored how the Government of Canada sought to defend its systems and networks from cyber attack from 2001 onwards.1 The report provides a comprehensive account of how elements of the Government of Canada–namely the Treasury Board Secretariat (TBS), Shared Services Canada (SSC) and Communications Security Establishment (CSE)–have developed policies, procedures, and techniques to protect government systems, as well as the iterative learning processes that have occurred over the past two decades or so pertaining to governmental cyber defence activities.

I want to highlight four core things that emerge from my reading of the report:

  1. From an empirical point of view, it’s useful to know that the Government of Canada is preparing both a policy on paying ransomware operators as well as developing a Vulnerabilities Disclosure Policy (VDP) though the report does not indicate when either will be open to public comment or transformed into formal government policy;
  2. A high-level discussion of senior coordination committees is provided, though without an accompanying analysis of how effective these committees are in practice. In particular, the report does not discuss how, as an example, cross-departmental committees are working to overcome problems that are raised in the sections of the report focused on TBS, SSC, or the CSE;
  3. NSICOP maintains that all parties associated with the government–from Crown corporations, to government agencies, to other independent branches of government–should operate under the government’s security umbrella. NSICOP does not, however, make a constitutional argument for why this should be done nor assess the operational reasons for why agencies may not currently operate under this umbrella. Instead, the report narrowly argues there are minimal privacy impacts associated with enjoying the government’s cyber security protections. In doing so, the committee presumes that privacy concerns have driven separate branches of governments to operate outside policies set by TBS, and services offered by SSC and the CSE. At no point did the Committee engage with the Office of the Privacy Commissioner of Canada (OPC) to assess potential privacy issues associated with the government’s cyber security policies and practices; and
  4. NSICOP did not canvas a wide set of government agencies in their interviews and included no external-to-government parties. The consequence is that the report does not provide needed context for why some government agencies refuse to adopt TBS policy guidance or regulations, decline services operated by SSC, or have limited uptake or adoption of advice or technical systems offered by the CSE. The consequence is that this report does nothing to substantively assess challenges in how TBS, SSC, or the CSE themselves are deploying their defensive capacities across government based on the experiences of those on the receiving end of the proffered cyber security and defence offerings.

In this post, I conduct a deep dive into NSICOP’s report, entitled “National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack.” Throughout, I summarize a given section of the report before offering some analysis of it. In the conclusion of this post I summarize some of the broader concerns associated with the report, itself, as well as the broader implications these concerns may have for NSICOP’s long-term viability as an independent reviewer of the national security community.

Continue reading

Unpacking NSIRA’s 2020 Annual Report

black and white typewriter on table
Photo by Markus Winkler on Pexels.com

On December 13, 2021, the National Security Intelligence Review Agency (NSIRA) released its 2020 Annual Report. NSIRA is responsible for conducting national security reviews of Canadian federal agencies, and their annual report summarizes activities that have been undertaken in 2020 and also indicates NSIRA’s plans for future work.

I want to highlight three points that emerge from my reading of report:

  1. NSIRA has generally been able to obtain the information it required to carry out its reviews. The exception to this, however, is that NSIRA has experienced challenges obtaining information from the Communications Security Establishment (CSE). It is not entirely clear why this has been the case.
  2. While most of NSIRA’s reviews have been completed in spite of the pandemic, this is not the case with CSE reviews where several remain outstanding.
  3. NSIRA has spent time in the annual report laying out tripwires that, if activated, will alert Canadians and their elected officials to problems that the review agency may be experiencing in fulfilling its mandate. It is imperative that observers pay close attention to these tripwires in future reviews. However, while these tripwires are likely meant to demonstrate the robustness of NSIRA reviews they run the risk of undermining review conclusions if not carefully managed.

In this post, I proceed in the order of the annual review and highlight key items that stood out. The headings used in this post, save for analysis headings, are correlated with the headings of the same name in the annual report itself.

Continue reading

NSIRA Calls CSE’s Lawfulness Into Question

photo of cryptic character codes and magnifying glass on table top
Photo by cottonbro on Pexels.com

On June 18, 2021, the National Security Intelligence Review Agency (NSIRA) released a review of how the Communications Security Establishment (CSE) disclosed Canadian Identifying Information (CII) to domestic Canadian agencies. I draw three central conclusions to the review.

  1. CSE potentially violated the Privacy Act, which governs how federal government institutions handle personal information.
  2. The CSE’s assistance to the Canadian Security Intelligence Service (CSIS) was concealed from the Federal Court. The Court was responsible for authorizing warrants for CSIS operations that the CSE was assisting with.
  3. CSE officials may have misled Parliament in explaining how the assistance element of its mandate was operationalized in the course of debates meant to extend CSE’s capabilities and mandate.

In this post I describe the elements of the review, a few key parts of CSE’s response it, and conclude with a series of issues that the review and response raise.

Background

Under the National Defence Act, CSE would incidentally collect CII in the course of conducting foreign signals intelligence, cybersecurity and information assurance, and assistance operations. From all of those operations, it would produce reports that were sent to clients within the Government of Canada. By default, Canadians’ information is expected to be suppressed but agencies can subsequently request CSE to re-identify suppressed information.

NSIRA examined disclosures of CII which took place between July 1, 2015 – July 31, 2019 from CSE to all recipient government departments; this meant that all the disclosures took place when the CSE was guided by the National Defense Act and the Privacy Act.1 In conducting their review NSIRA looked at, “electronic records, correspondence, intelligence reports, legal opinions, policies, procedures, documents pertaining to judicial proceedings, Ministerial Authorizations, and Ministerial Directives of relevance to CSE’s CII disclosure regime” (p. 2). Over the course of its review, NSIRA engaged a range of government agencies that requested disclosures of CII, such as the Royal Canadian Mounted Police (RCMP) and Innovation Science and Economic Development Canada (ISED). NSIRA also assessed the disclosures of CII to CSIS and relevant CSIS’ affidavits to the Federal Court.

Continue reading

SIGINT Summaries Update: Covernames for CSE, GCHQ, and GCSB

Today I have published a series of pages that contain covernames associated with the Communications Security Establishment (CSE), Government Communications Headquarters (GCHQ), and Government Communications Security Bureau (GCSB). Each of the pages lists covernames which are publicly available as well as explanations for what the given covernames refers to, when such information is available. The majority of the covernames listed are from documents which were provided to journalists by Edward Snowden, and which have been published in the public domain. A similar listing concerning the NSA’s covernames is forthcoming.

You may also want to visit Electrospaces.net, which has also developed lists of covernames for some of the above mentioned agencies, as well as the National Security Agency (NSA).

All of the descriptions of what covernames mean or refer to are done on a best-effort basis; if you believe there is additional publicly referenced material derived from CSE, GCHQ, or GCSB documents which could supplement descriptions please let me know. Entries will be updated periodically as additional materials come available.

 

Citizen Lab and CIPPIC Release Analysis of the Communications Security Establishment Act

The Fifth Eye by Dustin Ginetz (CC BY-NC-SA 2.0) https://flic.kr/p/id9KHn

It’s with real pleasure that I can announce that the Citizen Lab and the Canadian Internet Policy & Public Interest Clinic (CIPPIC) have collaborated to produce a report which provides timely legal analysis, political context, and historical background on the Communications Security Establishment Act and related provisions in Bill C-59 (An Act respecting national security matters), First Reading (December 18, 2017).  We hope that this resource will help members of parliament, journalists, researchers, lawyers, and civil society advocates engage more effectively on the issues at stake. Our report represents an analysis of the legislation as it enters political debate in Canada, and should be understood in the context of a rapidly evolving legal and political landscape.

The Communications Security Establishment (“the CSE” or “the Establishment”) is Canada’s national signals intelligence and cybersecurity agency. In the course of our analysis, we summarize the CSE’s mandate, activities, operations, and powers, with an emphasis on their potential implications for human rights and global security. We also offer a series of recommendations which, if adopted, would ensure a more legally sound framework for the CSE, better protect global security interests in a rapidly changing technological environment, and more effectively account for Canada’s domestic and international human rights obligations.

In Section I, we provide a brief overview of the CSE’s current mandate and certain controversial activities undertaken as part of that mandate. We also provide a high-level overview of Bill C-59 and its primary implications for the CSE.

In Section II, we undertake a detailed analysis of key issues arising from Bill C-59 related to the CSE, focusing on aspects with the most critical implications for human rights, political transparency, and global security. In particular, some of the issues we highlight in the legislation relate to:

  • Longstanding problems with the CSE’s foreign intelligence operations, which are predicated on ambiguous and secretive legal interpretations that legitimize bulk collection and mass surveillance activities. These activities both attract Charter protections and engage Canada’s human rights obligations.
  • The complete lack of meaningful oversight and control of the CSE’s activities under the proposed active and defensive cyber operations aspects of its mandate.
  • The absence of meaningful safeguards or restrictions on the CSE’s active and defensive cyber operations activities, which have the potential to seriously threaten secure communications tools, public safety, and global security.
  • The absence of meaningful safeguards or restrictions on the CSE’s activities more generally. As drafted, the CSE Act appears to include a loophole which would allow the Establishment to cause death or bodily harm, and to interfere with the “course of justice or democracy,” if acting under its foreign intelligence or cybersecurity powers while prohibiting these outcomes under its new cyber operation powers.
  • The risk that the CSE’s cybersecurity and assurance operations for the federal government could threaten independence of the courts or the separation of powers.
  • Concerns regarding the framework for the CSE’s acquisition of malware, spyware and hacking tools, which may legitimize a market predicated on undermining and subverting, rather than strengthening, the security of the global information infrastructure.
  • Serious issues related to the CSE’s provision of technical and operational assistance to other entities—including Canadian law enforcement—which may lead the CSE to proffer capabilities that would otherwise be illegal or unconstitutional for domestic partners to develop, use or possess, or which would be inherently disproportionate if deployed in those contexts (e.g., in policing operations).
  • Potential issues with the National Security Intelligence Review Agency’s ability to access foreign-provided information, and the risk of regulatory capture through its hiring policies.
  • Serious shortcomings—both legal and practical—in the role of the Intelligence Commissioner, which does not resolve the constitutional challenges surrounding the current CSE Commissioner or the constitutionality of the CSE’s activities more generally.
  • The Intelligence Commissioner’s inability to exercise meaningful and comprehensive oversight and control over the CSE’s activities (including its most problematic activities) due to an under-inclusive mandate, issues of independence, and insufficient powers of a quasi-judicial nature.
  • Weak and vague protections for the privacy of Canadians and persons in Canada, alongside an abject disregard for privacy rights as an international human rights norm.
  • Extraordinary exceptions to the CSE’s general rule against “directing” activities at Canadians and persons in Canada significantly expand the CSE’s ability to use its expansive powers domestically.
  • A general failure to recognize that the highly interconnected and interdependent nature of the global information infrastructure means that protections or limits on the CSE’s powers that begin and end at national boundaries are insufficient to protect Canada’s security interests.
  • Deep tensions at the core of the CSE mandate, which requires the Establishment to both protect and defend against security threats while simultaneously exploiting, maintaining, and creating new vulnerabilities in order to further its foreign intelligence agenda. These tensions are exacerbated by the introduction of new offensive powers and the two new aspects of its mandate.
  • A lack of legal clarity regarding how, when, and whether vulnerabilities discovered by the CSE are disclosed to vendors or the public, and how the CSE accounts for the public interest in the process.
  • The lack of oversight or reporting requirements for “arrangements” with equivalent agencies to the CSE in foreign jurisdictions. There is a risk that these partnerships could involve receipt of information derived from torture or other activities that would be unlawful or unconstitutional if conducted by a Canadian agency.

In Section III, we summarize recommendations emerging from our analysis for committee members and other members of Parliament studying the proposed CSE Act. In particular, we make recommendations to improve systems of review, oversight, and control of the CSE and to constrain the CSE’s ability to engage in activities that are problematic, abusive, unconstitutional, or in violation of international human rights norms.

Download a copy of “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59 ( An Act respecting national security matters ), First Reading (December 18, 2017)