SIRC on CSIS-CSEC nexus

The latest report from the Security Intelligence Review Committee (SIRC), the CSIS watchdog body, takes a skeptical look at the workings of CSIS-CSEC cooperation ("Info sharing between CSIS and CSEC concerns security watchdog," Canadian Press, 31 October 2013):

A federal review agency says sensitive information gathered by the Canadian Security Intelligence Service could be abused by Canada's allies due to lax sharing policies.

In its annual report, the watchdog that keeps an eye on CSIS flags concerns about what happens to intelligence that CSIS passes to the national eavesdropping agency, which in turn shares the details with foreign allies.

The report underscores the fact CSIS is collaborating ever more closely with Communications Security Establishment Canada, which has come under scrutiny lately due to its participation in the international Five Eyes alliance.

CSEC, which monitors foreign telephone, satellite and Internet traffic, shares information with the U.S. National Security Agency and counterparts in Britain, Australia and New Zealand.

The American NSA has been the subject of almost daily headlines due to leaks from former contractor Edward Snowden that have revealed the agency's vast surveillance of worldwide communications.

In its report, tabled in Parliament, the Security Intelligence Review Committee recommends CSIS develop clearer and more robust principles of co-operation with CSEC to ensure appropriate information sharing.

Full SIRC report here.

CSE's outgoing review commissioner also recently took a look at the CSIS-CSEC relationship.

Further comments will have to wait until I actually read the SIRC report.

Update 10:30 PM:

Lots of interesting elements in the report.

A few comments:

[SIRC's] review found that a number of challenges prevent CSIS and CSEC from fully capitalizing on the opportunities presented by the new proximity of their respective headquarters. For intelligence agencies faced with increasingly limited resources, shared services allow for efficient and effective resource management. Unfortunately, SIRC found that the initial expectations for shared services between CSEC and CSIS may have been too optimistic.

Although the new CSEC facility has not yet been completed—leaving open the possibility for greater-than-expected returns—to a significant extent, the potential efficiencies have thus far been offset by managerial issues, budgetary restrictions and complications related to CSEC site development.

Exactly what services was CSIS expecting to share with CSEC? The cafeteria? The staff gym? Security staff? I've wondered whether CSEC might share some of the enormous data processing and data storage facilities that are being built at its new headquarters complex, but I'm not at all sure that would be a wise idea.

As far as "budgetary restrictions" go, CSIS may be facing budget limits, but CSEC is currently enjoying the largest budget it has ever had, and of course it is also on the point of occupying that brand-new $1.2-billion headquarters.

More generally, SIRC found that CSIS and CSEC had gaps in understanding the other organization’s respective mandate and/or responsibilities.

Maybe they should intercept each other's communications!

OK, enough, I'm trying to be a serious pundit here.

This impediment to cooperation was raised at both the working and managerial levels across CSIS’s operational branches, and acknowledged at joint CSIS/CSEC meetings. Moreover, these gaps in understanding resulted in instances where CSIS policies or procedures were not followed, an outcome that could have negatively impacted operational risk.

For its part, CSIS acknowledged the challenges associated with overlapping mandates and, quite often, the unique demands of the overlapping activities involved in the deployment or use of sensitive CSEC technology or CSIS human sources. Solutions presented to SIRC to address these problems include further educating CSEC and CSIS operational desks on relevant policies, as well as the creation of a joint CSIS and CSEC senior management operational board to provide strategic-level management on these activities.

CSIS is a "security intelligence" agency, but as explained in the next paragraph of the report, s. 16 of the CSIS Act empowers CSIS to collect foreign intelligence in Canada at the request of the ministers of National Defence or Foreign Affairs. I have always understood -- possibly incorrectly -- that this provision exists primarily to provide the authority for CSIS to assist CSEC with foreign intelligence collection against targets such as foreign embassies in Ottawa. However, the SIRC report strongly suggests that CSIS views this provision as giving CSIS a foreign intelligence mandate of its own, and that CSIS can then call on CSEC for its help in collecting such intelligence:

As a result of the varying accounts provided by CSIS on this issue, SIRC cautioned the Service to be prudent when deciding the extent to which it continues to seek CSEC’s assistance in the Section 16 process. Unless changes to the CSIS Act are made, CSEC, not CSIS, remains the organization primarily mandated with providing the Government of Canada with foreign intelligence information.

The distinction between foreign intelligence and security intelligence may in many ways be an artificial and not entirely satisfactory one, but it is fundamental to the systems that ostensibly are in place to protect the privacy of Canadians, so it seems to me that CSIS's efforts to blur that line, or to transcend it entirely, ought to be examined very, very carefully.

Normally, whenever CSIS shares information, it uses caveats and/or assurances. Caveats stipulate that the information being provided is CSIS property and cannot be forwarded to another agency or altered without CSIS’s direct consent. Assurances are formal, bilateral agreements made with foreign agencies stipulating that CSIS’s information will not be used in a manner that runs contrary to international human rights conventions. The extent to which caveats and assurances are effective depends on the degree of trust between CSIS and the agency receiving the information.

No, it does not. It depends on the degree to which the foreign agency lives up to its agreement and respects CSIS's caveats. To acknowledge that CSIS relies on trust to assess that effectiveness is simply to acknowledge that, in most cases, CSIS is either unwilling or unable to verify the other agency's compliance.

SIRC found... that a significant risk of increased HUMINT to SIGINT collaboration is the potential erosion of control over the information shared.

The Committee reached this conclusion because CSIS’s caveats and assurances were never designed for SIGINT collection. Unlike HUMINT agency collection, which is often done in isolation (i.e. collecting information from a human source and, if desired, subsequently sharing that information with an allied agency), SIGINT collection is instead more of a collective undertaking. CSEC belongs to a special alliance that includes the United States National Security Agency, the United Kingdom’s Government Communications Headquarters, the Australian Defence Signals Directorate, and the New Zealand Government Communications Security Bureau. The CSEC Commissioner’s Office, in its 2011–2012 annual report, described these partnerships as being potentially “more valuable now than at any other time, in the context of increasingly complex technological challenges.”

For its part, CSIS believes that exchanges with CSEC are low-risk endeavours. This is premised on the fact that allied SIGINT agencies, irrespective of the broad sharing that transpires among them, are primarily focused on their own national intelligence priorities. However, of concern to SIRC are those instances when allied collection priorities have coalesced with Canada’s—such as in counter-terrorism cases.

Although ministerial direction to CSIS and associated Service policies are designed to prevent the misuse/abuse of information, both from a security and human rights perspective, it is not clear how CSIS can comply with ministerial direction stipulating that caveats must be used when sharing information with domestic and foreign recipients, when SIGINT collection and dissemination functions run contrary to this expectation.

CSIS has acknowledged to SIRC that addressing these concerns is a complex subject that remains a work in progress; considering that the collaboration between CSIS and CSEC is increasing, SIRC will revisit this issue in subsequent reviews in order to assess what progress has been made in addressing this challenge.

It is not clear to me what information CSIS is sharing with CSEC in this respect, other than basic targeting information, such as name, location, telephone number(s), e-mail address, etc., and the judicial warrant or other policy basis justifying the targeting. Still, I think this is an important concern, as the Five Eyes' SIGINT collection system operates in large part as a single, integrated machine, and the introduction of any person as a target into that system has the potential to draw the attention of the intelligence communities of all the participating governments to that individual. When that happens, CSIS does not control whether the CIA subsequently decides that that person should be kidnapped and delivered to Syria for torture (as in the case of Maher Arar) or assassinated by drone.

The final section of the review identified an anomaly of the CSIS/CSEC relationship, namely, a noted lack of cooperation on cyber security. In 2010, Public Safety Canada created a whole-of-government strategy, the Cyber Security Strategy, which asserts that there can be no ambiguity in terms of who does what. The Strategy confirms the respective roles of CSEC and CSIS: the former has the recognized expertise in dealing with cyber threats and attacks, while the latter is broadly tasked to analyze and investigate domestic and international threats. The Strategy notwithstanding, SIRC’s review found that there is still work to be done to coordinate CSIS’s cyber-related activities with CSEC, especially with respect to the protection of information and infrastructures of importance to the Government of Canada.

It sounds like this may be an area of on-going rivalry between the two agencies. I have been wondering how CSEC can work effectively in this area without extensive monitoring of cyber activities in Canada, since cyber threats can emanate from inside Canada, or appear to emanate from inside Canada, as well as from abroad. It is in fact the case that CSEC can utilize Canadian Internet data and metadata in the course of carrying out its Mandate (b) activities, but it is not at all clear how extensive its collection and use of such data actually is.

More generally, the SIRC recommended that

Given the inevitability of growth in CSIS/CSEC collaboration, SIRC recommends that CSIS develop clearer and more robust overarching principles of cooperation with CSEC. These principles should address the growing volume of challenges that have arisen between the two bodies, while respecting the individual mandates of each organization.

The SIRC also examined CSIS's "new power", granted by judicial decision in 2009, to draw on the resources of "domestic partners", notably CSEC, to monitor CSIS targets who have temporarily or permanently left Canada.

In order to maximize collection under the new warrant power, CSIS, in almost every case, leverages the assets of the Five Eyes community (Canada, plus the United States, the United Kingdom, Australia and New Zealand). SIRC noted that even with the assistance of allies, the collection or intelligence yield under this power has provided different gains and challenges than the Service initially expected.

The arrangements with partners and allies also present possibilities for other agencies to act independently on CSIS-generated information. In practice, if an allied agency were to pick up intelligence on a Canadian citizen, a Canadian agency would ideally take the lead based on an informal agreement governing interactions amongst the Five Eyes partners. Nonetheless, it is understood that each allied nation reserves the right to act in its own national interest. National security legislation in both the United States and the United Kingdom, for example, gives these countries the authority to retain and act on intelligence if it relates to their national security, even if it has been collected on behalf of another country, such as Canada.

...

The risk to CSIS, then, is the ability of a Five Eyes partner to act independently on CSIS-originated information. This, in turn, carries the possible risk of detention or harm of a target based on information that originated with CSIS. SIRC found that while there are clear advantages to leveraging second-party assets in the execution of this new warrant power—and, indeed, this is essential for the process to be effective—there are also clear hazards, including the lack of control over the intelligence once it has been shared.

See comments above.

SIRC has seen indications that the Service has started using caveats that require allied agencies to contact CSIS in the event that information based on Service information is to be acted upon. The caveats, as they currently stand, are still considered a “work in progress” by the Service, but they do not yet address the wider reality of this type of collection. Nonetheless, they are a useful tool and do provide some measure of CSIS coverage. This coverage, however, comes with several challenges, including control of the information CSIS seeks to collect. SIRC advised CSIS to devise appropriate protections for the sharing of Service information, and to keep itself as informed as possible concerning the potential uses of CSIS information.

Moreover, for the most part, these caveats, as part of the wider “assurances” regime, were only considered with regard to one partner. Therefore, SIRC recommends that CSIS extend the use of caveats and assurances in regards to this new warrant power to include the agencies of the entire Five Eyes community, in order to ensure that no dissemination occurs without the Service’s knowledge.

Finally, the SIRC called for a shift in its authority to assess the work of CSIS:

[S]ince our 2010–2011 Annual Review, SIRC has put forward an argument that its current limitations in the area of review—that is, limited to CSIS’s information holdings and personnel—is falling increasingly out of step with the modus operandi of contemporary intelligence. Greater cooperation with domestic partners and more comprehensive regimes of information sharing mean that CSIS’s investigations now feed into and receive feedback from an increasingly large network. This theme spans the majority of reviews this year, and was evident in regard to the RCMP, DFAIT, DND, CBSA and, in particular, CSEC. Moreover, all government departments and agencies—to say nothing of Canada’s close allies—are becoming more technologically integrated. Governments across the Western world have responded and adapted, further integrating formerly separate intelligence capacities. As the technological barriers between information systems and previously stove-piped databases continue to fall, the sharing of data has become not merely possible, but routine. ...

As CSIS moves to take advantage of this new capacity, SIRC must also be able to respond. It must be flexible enough to follow up and effectively review CSIS activities and investigations, even when they cross over with other agencies and departments. Given the inevitability of technological interconnectivity, SIRC must be ready with the legislative tools and matching government resource commitments to ensure that the checks and balances enshrined in the Committee remain relevant and effective.

CSE Commissioners have also noted the importance of being able to properly assess the nature and consequences of joint CSIS-CSEC operations, and the difficulty of conducting such an assessment when the mandate of the reviewing office extends to only one of the agencies. Many of the most important questions concerning the privacy of Canadians occur in the area where foreign intelligence and security intelligence activities overlap, and it is clear that both review bodies have recognized that improvements in the monitoring of these activities are needed.