EONBLUE: CSE cyber threat detection system "deployed across the globe"

Matthew Braga has written a very interesting and informative report on CSE's EONBLUE cyber threat detection system ("How Canadian Spies Infiltrated the Internet's Core to Watch What You Do Online," Motherboard, 11 February 2015):

[A]t over 200 locations around the world, spies from Canada's cyberintelligence agency have been monitoring huge volumes of global internet traffic travelling across the internet's core.

​From these locations, Communications Security Establishment (CSE) can track who is accessing websites and files of interest. Its analysts can also log email addresses, phone numbers and even the content of unencrypted communications—and retain encrypted communication for later study, too—as well as intercept passwords and login details for later access to remote servers and websites.

​But perhaps more importantly, tapping into global internet traffic is a means for CSE to monitor, and also exploit, an ever growing list of digital threats, such as vulnerabilities in networks and computers and the spread of malware as well as botnets and the computers under their control. In the process, analysts can keep tabs on both friendly and foreign governments conducting covert cyber attacks and infiltration of their own.

Such vast access to the backbone of the internet is achieved through a program called EONBLUE. According to documents disclosed by whistleblower Edward Snowden, ​and published by Der Spiegel last month, the program is designed to "track known threats," "discover unknown threats," and provide "defence at the core of the Internet.” ...

While the locations of EONBLUE sites are not disclosed in the documents, one slide makes reference to the internet's "core" and describes EONBLUE's ability to "scale to backbone internet speeds"—implying possible access to telecom operators, data centers, undersea cables and other infrastructure providers worldwide.

Such access would mean that much, if not all of the data, travelling through a location tapped by CSE could be subject to surveillance. Though the agency maintains it cannot legally track Canadians at home or abroad it is hard to fathom how such data could be exempt.

And in fact it wouldn't be exempt. CSE can and does monitor Canadian communications and other Canadian data that pass through its foreign-intelligence and cyber-threat collection sensors, and it is entirely legal for it to do so as long as that data wasn't specifically targeted for collection on the basis of its being Canadian or being related to a specific Canadian or person in Canada (i.e., the National Defence Act requires only that CSE's Mandate (a) and (b) activities "not be directed at Canadians or any person in Canada" [emphasis added]). If CSE targets material on some other basis and some percentage of the information pulled in turns out to be Canadian-related, as inevitably some will, that is considered "incidental" collection, which is permitted under the law as long as a suitable Ministerial Authorization is in place.

(I'm not saying that incidental collection is not an issue worthy of concern, by the way—just pointing out that the government, which wrote the law specifically to permit this kind of activity, is not breaking the law when it engages in it.)

It is also worth noting that CSE does have the ability to target Canadians when it is operating under its Mandate (c), i.e., providing support to federal law enforcement or security agencies, but in that case the targeted Canadian must be the subject of a judicial warrant obtained by one of those agencies.

More from Braga:

One slide suggests that EONBLUE sits on-top of existing collection programs, such as SPECIALSOURCE, and ​sometimes referred to as Special Source Operations (SSO)—a term that has been used in other documents to indicate direct access to fibre-optic cables and ISPs.

In other words, CSE’s partner agencies—or another division within CSE itself—are likely responsible for gaining physical access to internet infrastructure, and then making that data available to programs such as EONBLUE.

I think that's correct. Note also that the slide (which is reproduced in Braga's article) shows that EONBLUE is also deployed at "CANDLEGLOW (FORNSAT)", which apparently refers to CSE's foreign satellite monitoring activities at CFS Leitrim, just south of Ottawa.