Technology, Thoughts & Trinkets

Touring the digital through type

Tag: intelligence (page 1 of 5)

Accountability and the Canadian Government’s Reporting of Computer Vulnerabilities and Exploits

Photo by Taskin Ashiq on Unsplash

I have a new draft paper that outlines why the Canadian government should develop, and publish, the guidelines it uses when determining whether to acquire, use, or disclose computer- and computer-system vulnerabilities. At its crux, the paper argues that an accountability system was developed in the 1970s based on the intrusiveness of government wiretaps and that state-used malware is just as, if not more so, intrusive. Government agencies should be held to at least as high a standard, today, as they were forty years ago (and, arguably, an even higher one today than in the past). It’s important to recognize that while the paper argues for a focus on defensive cybersecurity — disclosing vulnerabilities as a default in order to enhance the general security of all Canadians and residents of Canada, as well as to improve the security of all government of Canada institutions — it recognizes that some vulnerabilities may be retained to achieve a limited subset of investigative and intelligence operations. As such, the paper does not rule out the use of malware by state actors but, instead, seeks to restrict the use of such malware while also drawing its use into a publicly visible accountability regime.

I’m very receptive to comments on this paper and will seek to incorporate feedback before sending the paper to an appropriate journal around mid-December.

Abstract:

Computer security vulnerabilities can be exploited by unauthorized parties to affect targeted systems contrary to the preferences their owner or controller. Companies routinely issue patches to remediate the vulnerabilities after learning that the vulnerabilities exist. However, these flaws are sometimes obtained, used, and kept secret by government actors, who assert that revealing vulnerabilities would undermine intelligence, security, or law enforcement operations. This paper argues that a publicly visible accountability regime is needed to control the discovery, purchase, use, and reporting of computer exploits by Canadian government actors for two reasons. First, because when utilized by Canadian state actors the vulnerabilities could be leveraged to deeply intrude into the private lives of citizens, and legislative precedent indicates that such intrusions should be carefully regulated so that the legislature can hold the government to account. Second, because the vulnerabilities underlying any exploits could be discovered or used by a range of hostile operators to subsequently threaten Canadian citizens’ and residents’ of Canada personal security or the integrity of democratic institutions. On these bases, it is of high importance that the government of Canada formally develop, publish, and act according to an accountability regime that would regulate its agencies’ exploitation of computer vulnerabilities.

Download .pdf // SSRN Link

SIGINT Summaries Update: Covernames for CSE, GCHQ, and GCSB

Today I have published a series of pages that contain covernames associated with the Communications Security Establishment (CSE), Government Communications Headquarters (GCHQ), and Government Communications Security Bureau (GCSB). Each of the pages lists covernames which are publicly available as well as explanations for what the given covernames refers to, when such information is available. The majority of the covernames listed are from documents which were provided to journalists by Edward Snowden, and which have been published in the public domain. A similar listing concerning the NSA’s covernames is forthcoming.

You may also want to visit Electrospaces.net, which has also developed lists of covernames for some of the above mentioned agencies, as well as the National Security Agency (NSA).

All of the descriptions of what covernames mean or refer to are done on a best-effort basis; if you believe there is additional publicly referenced material derived from CSE, GCHQ, or GCSB documents which could supplement descriptions please let me know. Entries will be updated periodically as additional materials come available.

 

Update to the SIGINT Summaries

As part of my ongoing research into the Edward Snowden documents, I have added an additional document to the Canadian SIGINT Summaries. The Summaries include downloadable copies of leaked Communications Security Establishment (CSE) documents, along with summary, publication, and original source information. CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD), and Government Communications Security Bureau (GCSB).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

Hackers are Humans too: Cyber leads to Cl leads

Summary: This slide set showcases one method that CSE uses to expose the management structure and operators behind Computer Network Exploitation (CNE) activities, namely using passive infrastructure tasking and contact chaining. By monitoring infrastructure that was exposed through malware or content delivery for anomalous network sessions the CSE was subsequently able to trace MAKERSMARK (i.e. Russian) operations.

While MAKERSMARK’s less attributed systems can make it challenging to effectively trace to operators, these were poorly used and the operators exposed information associated with their’ personal lives. Furthermore, the development organization responsible for MAKERSMARK less attributed systems was infected by crimewave and CSE (or other friendly intelligence agencies) were consequently able to collect information which was being exfiltrated to criminal organizations.

The slide deck concludes with the warning the it is important to follow counter intelligence leads, quickly, because opportunities don’t last forever. Moreover, there was a warning that as a CNE program matures, such as that run by MAKERSMARK, the operational security associated with the program will similarly mature.

Document Published: August 2, 2017
Document Dated: Post 2009
Document Length: 13 pages
Associated Article: White House Says Russia’s Hackers Are Too Good To Be Caught But NSA Partner Called Them “Morons”
Download Document: Hackers are Humans too: Cyber leads to Cl leads
Classification: TS//SI/REL TO CAN, AUS, GBR, NZL, and USA
Authoring Agency: CSE
Codenames: MAKERSMARK

Update to the SIGINT Summaries

As part of my ongoing research into the Edward Snowden documents, I have found and added an additional two documents to the Canadian SIGINT Summaries. The Summaries include downloadable copies of leaked Communications Security Establishment (CSE) documents, along with summary, publication, and original source information. CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD), and Government Communications Security Bureau (GCSB).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

These documents came to light as I examined the activities that took place between the NSA and New Zealand signals intelligence agencies. The first, “NSA Intelligence Relationship with New Zealand” notes that Canada is a member of the SIGINT Seniors Pacific group as well as SIGINT Seniors Europe. The second, “SIGINT Development Forum (SDF) Minutes”, notes how CSE and GCSB define shaping as “industry engagement and collection bending” as well as CSEC had considered audit analysts’ accounts similar to the NSA, though the prospect of such auditing had rearisen as a discussion point.

NSA Intelligence Relationship with New Zealand

Summary: This document summarizes the status of the NSA’s relationship with New Zealand Government Communications Security Bureau (GCSB). The GCSB has been forced to expend more of its resources on compliance auditing following recommendations after it exceeded its authority in assisting domestic law enforcement, but continues to be focused on government and five eyes priorities and encouraged to pursue technical interoperability with NSA and other FVEY nations.

The NSA provides GCSB with “raw traffic, processing, and reporting on targets of mutual interest, in addition to technical advice and equipment loans.” The GCSB primarily provides the NSA with access to communications which would otherwise remain inaccessible. These communications include: China, Japanese/North Korean/Vietnamese/South American diplomatic communications, South Pacific Island nations, Pakistan, India, Iran, and Antartica, as well as French police and nuclear testing activities in New Caledonia.

Of note, GCSB is a member of SIGINT Seniors Pacific (SSPAC) (includes Australia, Canada, France, India, Korea, New Zealand, Singapore, Thailand, United Kingdom, and United States) as well as SIGINT Seniors Europe (SSEUR) (includes Australia, Belgium, Canada, Denmark, France, Germany, Italy, Netherlands, New Zealand, Norway, Spain, Sweden, United Kingdom, and United States).

Document Published: March 11, 2015
Document Dated: April 2013
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: NSA Intelligence Relationship with New Zealand
Classification: TOP SECRET//SI//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: None

SIGINT Development Forum (SDF) Minutes

Summary: This document summarizes the state of signals development amongst the Five Eyes (FVEY). It first outline the core imperatives for the group, including: ensuring that the top technologies are being identified for use and linked with the capability they bring; that NSA shaping (targeting routers) improves (while noting that for CSE and GCSB shaping involves “industry engagement and collection bending”); improving on pattern of life collection and analysis; improving on IP address geolocation that covers Internet, radio frequency, and GSM realms; analyzing how convergence of communications systems and technologies impacts SIGINT operations.

Privacy issues were seen as being on the groups’ radar, on the basis that the “Oversight & Compliance team at NSA was under-resourced and overburdened.” Neither GCSB or DSD were able to sponsor or audit analysts’ accounts similar to the NSA, and CSEC indicated it had considered funding audit billets; while dismissed at the time, the prospect has re-arisen. At the time the non-NSA FVEYs were considering how to implement ‘super-user’ accounts, where specific staff will run queries for counterparts who are not directly authorized to run queries on selective databases.

GCSB, in particular, was developing its first network analyst team in October 2009 and was meant to prove the utility of network analysis so as to get additional staff for later supporting STATEROOM and Computer Network Exploitation tasks. Further, GCSB was to continue its work in the South Pacific region, as well as expanding cable access efforts and capabilities during a 1 month push.  There was also a problem where 20% of GCSB’s analytic workforce lacked access to DSD’s XKEYSCORE, which was a problem given that GCSB provided NSA with raw data. The reason for needing external tools to access data is GCSB staff are prohibited from accessing New Zealand data.

Document Published: March 11, 2015
Document Dated: June 8-9, 2009
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: SIGINT Development Forum (SDF) Minutes
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: STATEROOM, XKEYSCORE

« Older posts