Monday, July 03, 2017

Bill C-59: New dogs for new tricks

The Liberal government's Bill C-59 would affect the Communications Security Establishment in a number of important ways (most notably the addition of a foreign cyber operations mandate). One of the most consequential potential changes is the bill's proposal to eliminate CSE's existing watchdog agency, the Office of the CSE Commissioner (OCSEC), and replace it with two newly created entities, the National Security and Intelligence Review Agency (NSIRA) and the Intelligence Commissioner, each with significantly expanded powers.

National Security and Intelligence Review Agency

The proposed National Security and Intelligence Review Agency would absorb and replace the current Canadian Security Intelligence Service watchdog agency, the Security Intelligence Review Committee (SIRC), and expand its mandate to include not just CSIS activities but also CSE activities—taking on most of the OCSEC role—as well as the national security and intelligence–related activities of all other federal departments and agencies, including the RCMP and the Canadian Border Services Agency. This would meet two long-sought goals: ensuring that all elements of Canada's security and intelligence community are brought under scrutiny and knocking down some of the silo walls between existing review bodies that have made investigations of inter-agency activities difficult.

Even more important from the perspective of CSE review is that NSIRA would be empowered to make findings and recommendations that relate not just to a department’s compliance with the law, but also to "the reasonableness and necessity of a department’s exercise of its powers." Like many other observers, I have always felt that OCSEC's mandate, limited to questions of compliance with the law, was too narrow. (If you're interested, here I am calling for a broader mandate back in 1996.) Extending the purview of the new review agency to include the reasonableness and necessity of CSE activities would be a very important expansion compared to OCSEC's role.

Also useful would be NSIRA's proposed power to acquire "any documents and explanations that the Agency deems necessary for the exercise of its powers and the performance of its duties and functions" (excluding Cabinet documents) and the fact that it, not CSE, would be "entitled to decide whether information relates to the review or complaint in question." OCSEC struggled on a number of occasions to gain access to documents that CSE (or in one case National Defence) felt were not relevant to the Commissioner's work. Specifying in the legislation that NSIRA has the power to decide whether information is relevant should reduce that kind of resistance.

Another interesting innovation is that NSIRA would have the power to produce not only an annual report that must be made public (as is already the case for OCSEC), but also special reports on topics that it considers it to be in the public interest to report on. One purpose of issuing such reports would probably be to reassure the public about issues that have become matters of public concern. (The public statement that OCSEC issued following the CBC's publication of the CSE "airport wi-fi" document might be considered a forerunner to this kind of reporting.) In other cases, however, such reports might serve as a means for the agency to draw attention to its own concerns.

As with the OCSEC annual report, the Minister would receive NSIRA special reports ahead of time but would not have the formal power to censor their contents. I say no formal power because the government would of course retain the ability to decide whether classified information can be declassified, enabling it to prevent the release of many—or even all—of the details of the matters that might be discussed in such reports. But it would not enable the government to stop the watchdog from publicly reporting, for example, that "CSE's [redacted] program presents a serious threat to the privacy of Canadians." Thus, even in the worst-case, where few or no details were deemed releasable, such reports could serve as vital bell-ringers for parliament, the courts, and the public.

Intelligence Commissioner

The other new watchdog proposed in Bill C-59 is the Intelligence Commissioner, a position that would be filled initially by re-mandating the current CSE Commissioner, Jean-Pierre Plouffe. OCSEC would be disestablished and its budget and staff transferred, at least initially, to the Intelligence Commissioner. (I would expect, however, that many OCSEC employees would almost immediately move to NSIRA, which would take on the bulk of the tasks currently performed by OCSEC.)

The provisions for appointing new Intelligence Commissioners ("The Governor in Council, on the recommendation of the Prime Minister, is to appoint a retired judge of a superior court as the Intelligence Commissioner") differ slightly from those pertaining to the CSE Commissioner in the National Defence Act ("The Governor in Council may appoint a supernumerary judge or a retired judge of a superior court as Commissioner of the Communications Security Establishment"). The change in the rules may be in part a response to the concern about the appropriateness of appointing supernumerary judges that was expressed by the first CSE Commissioner, Claude Bisson. Another change is that the appointment would in future be mandatory ("is to appoint") rather than technically optional ("may appoint"). (The weakness of the original wording was discussed by CSE's Director of Legal Services, David Akman, here.)

The Intelligence Commissioner would have two main responsibilities: "(a) reviewing the conclusions on the basis of which certain authorizations are issued or amended, and certain determinations are made, under the Communications Security Establishment Act and the Canadian Security Intelligence Service Act; and (b) if those conclusions are reasonable, approving those authorizations, amendments and determinations."

With respect to CSE, these duties would pertain specifically to "Foreign Intelligence Authorizations" and "Cybersecurity Authorizations", the functional equivalents of the Ministerial Authorizations provided under the current law to permit CSE to engage in activities that might lead to the incidental interception of "private communications" (communications that begin or end in Canada) without violating the law.

Unlike the current authorizations, however, the implementation of Foreign Intelligence and Cybersecurity authorizations would depend on the approval of the Intelligence Commissioner, based on the Commissioner's assessment of the reasonableness of the Minister's decision to issue the authorization. Without the Commissioner's approval, the authorization would not be able to take effect. (Note, however, that a proposed new category of authorizations pertaining to offensive and defensive cyber operations, i.e., Computer Network Attack activities, would not be subject to this procedure, or indeed examined by the Intelligence Commissioner at all.)

These proposals would give the Intelligence Commissioner "oversight" powers fundamentally different from those heretofore exercised by Canada's "review" bodies. (See here for a description of the difference between oversight and review in official Canadian parlance.)

A number of legal experts have expressed doubt as to whether CSE's current procedures for authorizing its activities take sufficient account of the privacy rights of Canadians under the Charter of Rights and Freedoms (see, for example, here), and a challenge to those activities brought by the British Columbia Civil Liberties Association is currently before the courts. Thus, the government's goal in creating the quasi-judicial Intelligence Commissioner position is probably to Charter-proof those activities, along with certain data retention and processing activities conducted by CSIS.

Do the changes the government is proposing go far enough? They are less ambitious than those proposed in 2014 in Liberal MP Joyce Murray's private member's bill, Bill C-622, which was defeated by the Harper government. Murray's proposal, supported by the Liberal Party at the time (and essentially repeated in the Liberal election platform), would have required CSE to obtain an order from the Federal Court to authorize it to intercept or acquire communications whenever that activity might lead to the incidental collection of communications or metadata involving Canadians.

Still, two of Canada's leading national-security law experts, professors Craig Forcese and Kent Roach, have expressed support for the government's proposal, concluding it would put CSE "on a much sturdier constitutional foundation which does not rely simply on ministerial authorization."

CSE typically obtains four Ministerial Authorizations (MAs) per year under the current system, three for various SIGINT activities that might (indeed do) involve the incidental interception of Canadian communications and one for cybersecurity activities that likewise involve incidental interception. The three SIGINT authorizations are very broad in scope, probably covering the interception of circuit-switched communications, such as traditional phone calls; the interception of packet-switched communications, i.e., Internet communications; and the collection of communications through Computer Network Exploitation, i.e., computer hacking activities.

The authorizations that would be approved by the Intelligence Commissioner are likely to be similar in scope. Like the current MAs, each authorization would last for up to one year and would cover classes of interception activity rather than specific targets. Under the new rules, each authorization could be renewed for one additional year without requiring the approval of the Intelligence Commissioner. On average, therefore, the Commissioner might be asked to approve as few as two authorizations per year.

However, the number might be somewhat larger. It's possible that Intelligence Commissioners would insist on a finer-grained approach, with more numerous authorizations addressing more limited and more tightly constrained sets of activities. One difference that might lead to an increase in the number of authorizations is that the new system would cover not just communications but all information collection, including metadata.

But however it developed, the proposed system would not be remotely as particularized as the target-by-target warrants required by the court system for interceptions inside Canada by CSIS or the police.

On the whole, then, the new system would probably not be a great deal more cumbersome for CSE than the current one. There is certainly some chance that Intelligence Commissioners would insist on more detailed proposals and/or more extensive privacy protections in the authorizations, but that should be seen as a feature of the proposal, not a bug.

Another potential advantage of the new system is that it would bring much greater expertise to the authorization process than the Minister of National Defence could ever bring. The Department of National Defence is a huge and complex portfolio and the Minister, being human, is much too busy to develop and maintain in-depth knowledge of the minutiae of CSE's activities. This is a problem, because other than OCSEC's after-the-fact reports on specific review topics, the Minister currently has little or no access to expertise about CSE and its operations outside of the information provided by the agency itself.

In its 2015-16 annual report, OCSEC suggested that the CSE Commissioner might be able to assist the Minister in this regard, providing "an independent expert assessment of proposed ministerial authorizations, whether the conditions for authorization set out in the Act are met, and concomitant privacy protections. The Commissioner is already doing this work; only the timing would change, so that the Commissioner can provide an assessment to the Minister before the authorizations are signed, enhancing accountability." The proposed Intelligence Commissioner role would in a sense build on this OCSEC suggestion.

C-59 would also require that NSIRA brief the Minister of National Defence at least once per calendar year "on the exercise of, or the performance by, the Communications Security Establishment of its powers, duties and functions". This process would also help to ensure that the Minister gets more than just a retrospective outside perspective on the activities of the agency.

Unlike the CSE Commissioner, the Intelligence Commissioner would not have a public reporting role. All reporting to the public would come from NSIRA and the proposed National Security and Intelligence Committee of Parliamentarians. However, the Commissioner would be required to provide a copy of every approval decision, positive or negative, to NSIRA, so it's possible that NSIRA will report on the authorizations processed by the Intelligence Commissioner. That would be a very important service.

The Intelligence Commissioner would also have the right to receive copies of any reports produced by NSIRA or the Committee of Parliamentarians that relate to the Intelligence Commissioner's duties. Unfortunately, there does not appear to be any provision for information-sharing or cooperation among these bodies on a less formal level, and the justices of the Federal Court would be left picking through the public reports of NSIRA and the Committee of Parliamentarians, much as they do now with SIRC and OCSEC reports, to get any hint of concerns that might be relevant to issues within the court's purview. In this respect, the problem of review bodies being confined to separate silos would not be resolved by this legislation.

Farewell to OCSEC

I have somewhat mixed feelings about the plan to eliminate OCSEC.

CSE's watchdog has been much criticized over the two decades it has been in operation, and I've taken my share of shots at it over that time, but the Commissioners have always done important work, and I have been impressed in recent years by the determination of the current Commissioner and his staff to expand the envelope of what OCSEC can say and do.

Still, the government's proposals incorporate a number of important improvements and innovations, and between NSIRA and the office of the Intelligence Commissioner it looks as though Mr. Plouffe and the former OCSEC staff will be able to continue the work they have been doing and expand it in significant ways. It seems like a good decision.

Mr. Plouffe's term as CSE Commissioner was recently extended to October 18th, 2018, and I doubt he will want a second extension, so even if the bill is passed and enters into force relatively quickly he probably will not spend a lot of time in the Intelligence Commissioner's job. The staff of OCSEC I hope (and expect) will stay on with NSIRA and the office of the Intelligence Commissioner. The new watchdogs will need their expertise.

In the meantime, we can expect Mr. Plouffe and his staff to continue doing the work of OCSEC. They deserve our thanks for the diligent and important work they have done for Canadians over the years.

Friday, June 30, 2017

Charter Statement mischaracterizes CSE incidental collection

I'm working on a blog post about the oversight and review provisions proposed in Bill C-59, but I just want to make a quick point about this sentence in the Department of Justice's Charter Statement concerning the bill:
Although CSE is prohibited by subsection 23(1) from directing its activities at Canadians or persons in Canada, the practical realities of acquiring information from the [Global Information Infrastructure] means that despite best efforts to avoid it, CSE may incidentally obtain private communications and other private information of Canadians and persons in Canada.
The clear implication of this statement is that CSE uses its "best efforts" to avoid the incidental collection of private communications (i.e., communications that either begin or end in Canada).

This is simply untrue.

CSE is not permitted to target Canadians or persons in Canada*, but it is permitted when operating under its normal foreign intelligence authorizations to collect the communications of such persons incidentally (i.e., when they communicate with a CSE foreign target that is itself located outside of Canada). It collects such communications with deliberate intent, and the measures proposed in Bill C-59 would not change that fact.

(*For the purposes of this discussion, I'm ignoring those cases where CSE collects private communications on behalf of some other federal agency that has already obtained a judicial warrant for that purpose.)

This shouldn't be terribly surprising. If a foreign terrorist located in Afghanistan telephones someone in Canada and CSE happens to be monitoring that terrorist, the Canadian government—and the Canadian public—is going to want the agency to find out which person in Canada took the call and what it was they talked about.

There are differing views as to whether a judge ought to be involved somewhere in that process (the current proposal would introduce a quasi-judicial process), but that's a separate issue.

Prior to the passage of the Anti-Terrorism Act (Bill C-36) in 2001, it wasn't legal for CSE to collect private communications, incidentally or otherwise. Back then the agency really did have to make its best efforts to avoid incidental collection.

In some cases that was very difficult. But in other cases it was more straightforward. CSE could set its collection systems to ignore calls to or from a phone number in Canada, for example, regardless of who the call might connect to outside of Canada.

After 9/11, the prohibition on incidental collection by CSE was no longer considered acceptable. As Defence Minister Art Eggleton testified,
Under the Criminal Code CSE cannot collect communications that include any communications that originate in or terminate in Canada. This seriously limits CSE's ability to provide intelligence on issues that are critical to Canada's national security.

Let me illustrate what I mean. CSE focuses its collection only on foreign entities located outside Canada. This is about the third time I've said that, but I want to emphasize it. If such a target communicates with someone who is located in Canada, CSE cannot intercept the communication, as things presently stand, which means CSE stands to lose the communications of its targets at exactly the moment when they might have the most direct impact on Canada's interests, when they are communicating with someone in Canada. This constraint creates a serious gap in Canada's intelligence capabilities, which in turn affects our ability to collaborate effectively with our allies on intelligence issues. ...

What will the impact of the proposed amendments be on the National Defence Act? Under CSE's present legal framework, if a terrorist in Afghanistan is communicating with an individual in Toronto, CSE is not allowed to acquire that communication. With this amendment, important information that is now lost will become available to Canada and available to our allies in the fight against terrorism. When CSE has identified the communications of a foreign target abroad, it'll be able to follow those communications wherever they go.
And that's just what the agency now does. The "defeats" that sought to prevent the incidental collection of communications with one end in Canada are no longer in place.

There are undoubtedly efforts to avoid the inadvertent collection of private communications that are unrelated to CSE's foreign targets. And there are probably also efforts to minimize the collection of traffic that may be related to legitimate foreign targets but is considered for one reason or another to be unlikely to produce anything of foreign intelligence value, especially if that traffic might also involve Canadians or other persons in Canada at the other end.

But there are no "best efforts"—there is no effort at all—to avoid all incidental collection.

The Department of Justice is either mistaken or dishonest to suggest that "best efforts" are being used to avoid incidental collection.

I'm not sure which is worse.

Saturday, June 24, 2017

CSE to get foreign cyber operations mandate

Among the changes that the Liberal government is proposing to make via its Bill C-59, announced on June 20th, are several important measures affecting CSE, including an entirely new statutory basis for the agency, the Communications Security Establishment Act, that will replace the current CSE-related provisions of the National Defence Act. The bill also proposes to eliminate CSE's existing watchdog agency, the Office of the CSE Commissioner (OCSEC), and replace it with two newly created entities, the National Security and Intelligence Review Agency (NSIRA) and the Office of the Intelligence Commissioner, which will also be keeping tabs on CSIS and (in the case of NSIRA) a number of other agencies. (See my comments on that aspect of the bill here.)

Together, the proposals affecting CSE comprise a wide-ranging and highly consequential set of measures, but probably the most significant item is the plan to give the agency the power to conduct both defensive and "active" (i.e., offensive) cyber operations against foreign targets.

The addition of this foreign cyber operations mandate would represent the most fundamental change in CSE's role in the agency's 70-year history.

When CSE, originally called CBNRC, was created in September 1946, it had two major complementary functions: analysis of foreign communications intercepted by Canada and its allies (communications intelligence, COMINT, which was later broadened into signals intelligence, SIGINT); and protection of Canadian government classified communications (communications security, COMSEC, which was later broadened into information technology security, ITSEC).

Canada and its allies occasionally engaged in black-bag jobs to steal codebooks, tap cables, or plant bugs for intelligence collection, but CSE did not undertake such operations itself. For most of the agency's history, CSE's SIGINT role was entirely passive: it processed and analyzed the radio communications that could be monitored at Canadian and allied intercept sites.

The first big change in that role happened in the wake of the 9/11 attacks, although it had more to do with the advent of the Internet beginning in the 1990s. Passage of the Anti-Terrorism Act gave CSE the authority to conduct the cyberspace version of the black-bag job—Computer Network Exploitation (CNE)—in support of its SIGINT mandate. CSE was empowered not just to intercept communications ("data in motion"), as it had done in traditional SIGINT activities, but to seek out information residing on foreign computer systems ("data at rest") that CSE could gain surreptitious access to. It became a hunter as well as a gatherer.

But while CNE operations entail breaking into computer systems and networks, disabling security features, implanting specialized malware, and of course copying information, all of these activities are undertaken in the name of SIGINT collection. Any damage inflicted is purely incidental—an undesirable side-effect that might lead to exposure and early termination of the operation.

The proposed CSE Act would enable CSE to conduct deliberate Computer Network Attack (CNA) operations, both to defend Canadian IT systems against foreign CNE and CNA operations and to attack foreign IT systems in furtherance of Canadian foreign policy, defence, or security goals. The bill refers to these two types of CNA operation as "defensive cyber operations" and "active cyber operations" respectively. (For more on the relationships between CNE, CNA, and CND—Computer Network Defence—operations, see this discussion.)

With this change, CSE would no longer be simply an intelligence (and ITSEC) agency: it would also be a covert operations agency, able to intervene outside Canada's borders to disrupt, damage, or destroy the computers, IT networks, or electronic information of foreign individuals, groups, or states.

The bill does propose some limits on the way these powers could be used. Cyber operations must be requested or consented to by the Minister of Foreign Affairs and authorized by the Minister of National Defence. In addition, such operations must not "cause, intentionally or by criminal negligence, death or bodily harm to an individual" or "wilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy." These are significant limitations.

More destructive cyber operations are still possible outside the context of the CSE Act, but the government has assigned that job to the Canadian Forces.

Even in that respect, however, CSE might still play a critical role. Under the new CSE Act, CSE would be explicitly permitted to provide operational and technical assistance to the Department of National Defence and the Canadian Forces (as it already does for federal law enforcement and security agencies), and cyber assistance provided under this mandate would not be subject to the limitations applied to CSE's own cyber operations.

Whatever the effect of these limitations in practice, to my mind addition of a cyber operations mandate is a huge change in the nature of the agency, and it raises a number of issues.

Most fundamentally, is it in Canada's interest to further normalize the growing use of CNA activities by states? Should CNA be classified as just another tool of statecraft? Should such capabilities be restricted to a deterrent role? Is cyber deterrence, whether through CNA capabilities or more conventional responses, even a practical goal, given difficulties of attribution and the inevitable overlap between CNE and CNA? Would improved defence and resilience be a preferable, or at least sufficient, response or are all three required?

The recent defence policy statement asserts that "a purely defensive cyber posture is no longer sufficient" (resilience doesn't get mentioned in the cyber context). But not everyone is convinced by that claim. As with most issues, Canada's choices are likely to have a marginal influence at best on the future of cyberspace, but that alone is not sufficient reason to abandon self-restraint or efforts to create global rules of the road and preserve the global commons if we believe that Canada's (and the globe's) ultimate interests would best be served by moving in that direction.

Second, even if Canada does choose to arm itself with, and to use, such capabilities, is CSE the right place to lodge them? There is certainly a case to be made for giving the role to CSE. The knowledge and skills required for CNA activities inevitably overlap with those required for CNE (and for CND), and CSE is Canada's centre of expertise in those activities.

But just as there are different imperatives between intelligence-gathering and law enforcement—the reason CSIS was separated from the RCMP in 1984—there are different imperatives between intelligence-gathering and covert operations. One side seeks to preserve its accesses so it can maintain or even improve its intelligence collection; the other seeks to exploit them for operational purposes, even though such operations may burn the accesses in the process. (A similar conflict already exists between the ITSEC side of the organization, which seeks to shut down IT vulnerabilities to protect against intrusions, and the SIGINT side, which may want vulnerabilities it is currently exploiting to remain unrevealed.)

Furthermore, while the job of the intelligence-gatherers is to report the unvarnished truth, uncontaminated as much as possible by policy considerations, the covert operations side of the agency would inevitably become involved in the development and advocacy of operational plans, and in defending the agency's performance in those operations, giving CSE an undesirable stake in its own intelligence reporting.

Can a single agency effectively do two (really three) tasks that are in many ways complementary but also in important ways contradictory while still giving proper attention and weight to each?

I don't think it's impossible to reconcile these imperatives, but I do think it requires delicate balancing and constant vigilance. This is an area to which the proposed review agency and committee of parliamentarians may want to pay on-going attention.

It's also an area where there is probably a role for the central agencies of the government.

I had a chance to ask about cyber operations decision-making during a stakeholders' teleconference about Bill C-59 that CSE invited me to join.

As noted above, the proposed law would require that such operations be requested or consented to by the Minister of Foreign Affairs and authorized by the Minister of National Defence. This arrangement foresees the possibility that the Foreign Affairs Minister might sometimes make a request for a cyber operation in service of Canadian foreign policy interests. But the ministers themselves are not normally going to be sitting around thinking up plans for CSE cyber operations, nor will they be equipped to assess what might be feasible or balance all the considerations that might arise. So who will be doing the proposing, and who will make sure the resulting plans are reconciled with the broader goals and operations of the Canadian government?

The officials who took part in the teleconference acknowledged that CSE would probably often be the agency proposing such operations, but they agreed that there would still need to be some sort of inter-departmental process to ensure that wider factors are considered, including deconfliction with cyber operations that the Canadian Forces might be undertaking (and deconfliction with allied agencies), but also more general considerations. They added, however, that the bill had not yet been passed and might be amended before passage, and that some of these structural questions had not yet been resolved.

For most of its history, CSE laboured under the watchful eye (or heavy thumb, as they may have considered it) of various inter-departmental committees—originally the Communications Research Committee and later the Intelligence Advisory Committee and Security Advisory Committee of the Privy Council Office (PCO). The final form of this system saw the National Security Advisor serving as the deputy minister for CSE for policy purposes. But all of that ended when CSE became a stand-alone agency, with the Chief of CSE serving as the agency's own deputy head, in November 2011. There is no longer any line role for the PCO between CSE and its minister.

But the PCO continues to play a role in coordinating the various elements of the Canadian intelligence community, and in integrating intelligence and defence, security, and foreign policy concerns. And, in my view, it will need to play a very active role in overseeing the planning and conduct of any cyber operations undertaken by CSE and/or the Canadian Forces to ensure that all national policy considerations are taken into account. The PCO is also the place to ensure that the proper balance among CSE's cyber, SIGINT, and ITSEC priorities is maintained.

I also asked the officials what the addition of a cyber operations mandate for CSE might mean for the agency's own structure and resources. Will there be a separate Deputy Chief for Cyber Operations, just as there are Deputy Chiefs for SIGINT and ITSEC? Will CSE be looking to expand its workforce to support the conduct of cyber operations?

According to the officials, those decisions have not yet been made, and the agency did not want to pre-judge the outcome of the legislative process. Still, I'm sure they have some ideas for how it might all work out.

They did say that CSE was likely to enter the cyber operations business only gradually, taking "one step at a time," and adding that "you have to walk before you can run." This would seem to suggest little immediate need for growth on the part of the agency, although the implied eventual goal of "running" opens the door to larger needs over the longer term.

I guess we'll see.

In the meantime, I think it is going to be very interesting watching this soon-to-be three-legged agency relearn how to walk.

I'll look at other parts of the bill that affect CSE, notably the new oversight and review provisions, in a future post.

Wednesday, June 21, 2017

Liberals propose huge changes for CSE

The government's Bill C-59, announced on 20 June 2017, proposes huge changes for Canada's security and intelligence community, including important additions to CSE's mandate and the elimination of its current review agency, the Office of the CSE Commissioner (OCSEC).

The proposal to add explicit defensive and "active" cyber operations mandates to CSE's roles may represent the most fundamental change in the agency's history. The proposed elimination of OCSEC and creation of both the National Security and Intelligence Review Agency and the position of Intelligence Commissioner are also major changes.

I'll be writing more on these and other proposals in the bill, but it will probably take me a few days to get the post together.

So in the meantime, here's CSE's description of the changes.

It's also worth checking out some of the news reporting and commentary on the proposals:

Alex Boutilier, "Spy bill allows government security agency to collect ‘publicly available’ info on Canadians," Toronto Star, 21 June 2017

Justin Ling, "Canada’s cyber spy agency is about to get a major upgrade," Vice News, 21 June 2017

Michael Geist, "Five Eyes Wide Open: How Bill C-59 Mixes Oversight with Expansive Cyber-Security Powers,", 21 June 2017

Alex Boutilier, "Canada’s spies to get green light to launch cyber attacks," Toronto Star, 20 June 2017

Matt Braga, "How, when, and where can Canada's digital spies hack? Government makes some suggestions in CSE Act," CBC News, 20 June 2017

Jim Bronskill, "Security bill limits CSIS disruption powers, boosts review of spy services," Canadian Press, 20 June 2017

Craig Forcese & Kent Roach, "The roses and the thorns of Canada’s new national security bill," Maclean's, 20 June 2017

Wesley Wark, "Liberals’ bold Bill C-59 would redraw the national security landscape," Globe and Mail, 20 June 2017

Update 23 June 2017: A few more items:

Craig Forcese & Kent Roach, "Two of Canada’s foremost experts in national security law give their assessment of Bill C-59: there’s much to like, but also room for improvement," Policy Options, 22 June 2017

Lee Berthiaume, "New national security approach lets electronic spy agency play cyber-offence," Canadian Press, 20 June 2017

Amanda Connolly, "CSE getting 'proactive' mandate overhaul in major national security reform bill," iPolitics, 20 June 2017

Carl Meyer, "Goodale asks Parliament to expand electronic spying powers," National Observer, 20 June 2017

Monday, June 19, 2017

CSE releases report on electoral threats

On June 16th, CSE released Cyber Threats to Canada's Democratic Process, a public report assessing the various ways cyber activities might threaten Canada's electoral system.

CSE has made basic cybersecurity advice publicly available on its website for many years, but this report—which was requested by the Prime Minister in the mandate letter he issued to Minister of Democratic Institutions Karina Gould in February 2017—was the first of its kind by CSE.

The 38-page report discusses three ways in which cyber activities might be used to affect the electoral process: impeding or corrupting the voting process itself; stealing and exploiting information about politicians and political parties; and covertly influencing the public's political views by manipulating traditional and social media.

The document restricts itself to a general overview of the ways in which these threats might manifest themselves in Canada's federal, provincial, and municipal politics, and concludes (among other points) that:
  • Cyber threat activity against the democratic process is increasing around the world, and Canada is not immune. In 2015, during the federal election, Canada’s democratic process was targeted by low-sophistication cyber threat activity. It is highly probable that the perpetrators were hacktivists and cybercriminals, and the details of the most impactful incidents were reported on by several Canadian media organizations.
  • A small number of nation-states have undertaken the majority of the cyber activity against democratic processes worldwide, and we judge that, almost certainly, they are the most capable adversaries.
  • However, to date, we have not observed nation-states using cyber capabilities with the purpose of influencing the democratic process in Canada during an election. We assess that whether this remains the case in 2019 will depend on how Canada’s nation-state adversaries perceive Canada’s foreign and domestic policies, and on the spectrum of policies espoused by Canadian federal candidates in 2019.
  • We expect that multiple hacktivist groups will very likely deploy cyber capabilities in an attempt to influence the democratic process during the 2019 federal election. We anticipate that much of this activity will be low-sophistication, though we expect that some influence activities will be well-planned and target more than one aspect of the democratic process.
  • Regarding Canada’s democratic process at the federal level, we assess that, almost certainly, political parties and politicians, and the media are more vulnerable to cyber threats and related influence operations than the election activities themselves. This is because federal elections are largely paper-based and Elections Canada has a number of legal, procedural, and information technology measures in place.
  • We assess that the threat to Canada’s democratic process at the sub-national level (i.e. provincial/territorial and municipal) is very likely to remain at its current low level. However, some of Canada’s sub-national political parties and politicians, electoral activities, and media are likely to come under increasing threat from nation-states and hacktivists.
All of this is pretty common sense for anyone who's been paying attention to the world for the past couple of years—although it's certainly noteworthy that, to date, CSE has not observed nation-states using cyber capabilities to try to influence Canadian elections.

The document's ultimate value is likely to depend on whether it succeeds in kick-starting action on the part of Canadian political parties and others to actually reduce Canada's future vulnerability to such threats.

This document explicitly is not an action plan to accomplish that goal.

However, the Minister's mandate letter did direct her also to "ask CSE to offer advice to Canada’s political parties and Elections Canada on best practices when it comes to cyber security," and CSE does plan to do that. (In fact, Elections Canada is already a recipient of CSE's cyber defence advice and services.) The agency will discuss the findings of the report with all federal political parties that wish to participate at a meeting to be held next Tuesday, June the 20th.

According to a background briefing that CSE kindly invited me to take part in (along with a number of other researchers), the agency will explore with the parties whether it would be useful to provide further, more detailed advice or training to some or all of them. One possibility would be to provide training to IT staffers at CSE's Information Technology Security Learning Centre. Perhaps more likely, however, would simply be provision of advice on the kinds of services parties should contract for in the private sector.

CSE will not be providing actual cyber defence services to the political parties, however.

The government considers Canada's democratic institutions to be "of importance to the Government of Canada", which gives CSE a legal mandate to provide IT security advice and guidance to those parties under s.273.64(1)(b) of the National Defence Act (i.e., CSE's Mandate B). But provision of actual protective services is restricted to the IT systems and networks of the government of Canada itself.

Nonetheless, a CSE official did confirm that warnings would be provided if, for example, the SIGINT side of the agency detected a foreign actor stealing data from a political party's computer system. Notification would come through the Public Safety Department's Canadian Cyber Incident Response Centre (CCIRC), which is responsible for assistance to critical infrastructure operators outside the federal government. Such notifications are routinely provided to CCIRC partners in such cases, according to the official.

[Update 20 June 2017: Under Bill C-59, which was announced and given first reading today, the government proposes to give CSE the power to also provide cybersecurity services to protect non-federal information infrastructures designated "of importance" to the government of Canada. Thus, the agency might in the future be able to provide such a service to political parties, if they request it.]

I also asked why CSE was the agency given the job of making the threat assessment in the first place. As the report itself acknowledges, the cyber threat to electoral systems is just one aspect, albeit a very important one, of a broader set of activities that could be used to undermine or improperly influence an election, including traditional espionage, propaganda, disinformation, covert funding, and blackmail or other coercion. Furthermore, as the report also acknowledges, the perpetrators of such actions can be purely domestic Canadian actors—the activities of which CSE should have very little insight into—as well as foreign actors.

Thus, it seems to me that, in both respects, the Canadian Security Intelligence Service would have been a more appropriate agency to make such an assessment, although it would certainly have needed to draw on CSE's cyber expertise when considering those aspects of the issue.

The response, which I didn't find entirely satisfying, was simply that CSE is the agency with the greatest expertise on cyber threat questions. Well, yes, indisputably, but that doesn't answer the points outlined in the paragraph above.

Ultimately, of course, the reason CSE produced the report is that the Prime Minister and the Minister of Democratic Institutions asked it to.

Unsurprisingly, Australia is also concerned about the possibility of interference in its electoral system, and its political parties are also receiving advice from that country's SIGINT/IT Security agency. However, as indicated in this report (Ronald Mizen, "Political parties vulnerable to state sponsored cyber attacks," Financial Review, 16 June 2017), the Australians may also consider providing funding to political parties to help them secure their systems.

Might Canada also consider putting money on the table? An interesting thought.

News coverage of the CSE report:

Lee Berthiaume, "Canada's spy agency expects cyberattacks during 2019 federal election," Canadian Press, 16 June 2017

Alex Boutilier, "Canada’s political parties, media vulnerable to foreign hacks, spy agency says," Toronto Star, 16 June 2017

Daniel Leblanc, "Spy agency to school political parties on cyberthreats," Globe and Mail, 16 June 2017

Justin Ling, "“Low sophistication” actors took aim at the last Canadian election," Vice News, 16 June 2017

Alex Boutilier, "Despite risk of cyber attacks, political parties still handle Canadians’ data with no rules in place," Toronto Star, 19 June 2017

Sunday, June 11, 2017

Canadian Forces to get offensive cyber capability — but questions remain

The Liberal government's defence policy statement, Strong, Secure, Engaged, released on June 7th, confirms that the Canadian Forces will acquire an offensive cyber capability:
We will assume a more assertive posture in the cyber domain by hardening our defences, and by conducting active cyber operations against potential adversaries in the context of government-authorized military missions. Cyber operations will be subject to all applicable domestic law, international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments. (p. 15)
A slightly more expansive description is provided on p. 72 of the document:
Defence can be affected by cyber threats at home and abroad — from attempts to steal sensitive information from our internal networks, to cyber attacks on the Canadian Armed Forces on deployed operations, to the use of cyberspace by terrorist organizations to spread disinformation, recruit fighters and finance their operations. Indeed, there has been a steady increase in the number of state and non-state actors developing the capability to conduct disruptive cyber operations.

The Defence team works closely with the Communications Security Establishment, Public Safety Canada, Global Affairs Canada and Shared Services Canada on cyber issues. To date, this work has focused on strengthening the defence of important military systems, network monitoring and control, building the future cyber force, and integrating defensive cyber operations into broader military operations.

However, a purely defensive cyber posture is no longer sufficient. Accordingly, we will develop the capability to conduct active cyber operations focused on external threats to Canada in the context of government-authorized military missions. The employment of this capability will be approved by the Government on a mission-by-mission basis consistent with the employment of other military assets, and will be subject to the same rigour as other military uses of force. Cyber operations will be subject to all applicable domestic and international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments.
Although few actual details are provided about either cyber operations or planned signals intelligence capabilities in general, the statement does report that:
  • The Canadian Forces will "Acquire joint signals intelligence capabilities that improve the military’s ability to collect and exploit electronic signals intelligence on expeditionary operations" and will "Improve cryptographic capabilities, information operations capabilities, and cyber capabilities to include: cyber security and situational awareness projects, cyber threat identification and response, and the development of military-specific information operations and offensive cyber operations capabilities able to target, exploit, influence, and attack in support of military operations." (p. 41)
  • "The Defence team will increase its intelligence capacity, and will examine its capabilities to understand and operate in the information environment, in support of the conduct of information and influence operations." (p. 66)
  • "[W]e will acquire an airborne intelligence surveillance and reconnaissance platform that will enhance the ability of our Special Operations Forces to improve their understanding of the operational environment." (p. 103)
  • "The Government will provide $4.6 billion for joint capability projects in domains such as cyber, intelligence as well as joint command and control over the next 20 years. This includes... $1.2 billion over the next 20 years for five new equipment projects and one information technology project. For example, the Combined Joint Intelligence Modernization project will provide a modern deployable intelligence centre for land-based operations, building on the lessons learned in recent operations." (p. 103)
  • "To better leverage cyber capabilities in support of military operations, the Defence team will: 87. Protect critical military networks and equipment from cyber attack by establishing a new Cyber Mission Assurance Program that will incorporate cyber security requirements into the procurement process. 88. Develop active cyber capabilities and employ them against potential adversaries in support of government-authorized military missions. 89. Grow and enhance the cyber force by creating a new Canadian Armed Forces Cyber Operator occupation to attract Canada’s best and brightest talent and significantly increasing the number of military personnel dedicated to cyber functions. [Question: Will this new occupation supplement the existing Communicator Research occupation or absorb and replace it?] 90. Use Reservists with specialized skill-sets to fill elements of the Canadian Armed Forces cyber force." (p. 73)
  • With respect to the last of these items, the Canadian Forces will "Assign Reserve Force units and formations new roles that provide full-time capability to the Canadian Armed Forces through part-time service, including: ... • Cyber Operators; • Intelligence Operators; ... and • Linguists" and "Enhance existing roles assigned to Reserve Force units and formations, including: • Information Operations (including Influence Activities)" (p. 69).
These details are welcome, but it seems to me that a number of important questions remain either unresolved or ambiguous in the defence policy statement.

Most importantly, at several points the document characterizes offensive cyber activities as taking place solely in the context of "government-authorized military missions", which would seem to mean that offensive cyber activities will be restricted to just a few specifically designated operations, such as Op Impact or Op Reassurance. Employment of cyber capabilities is to be approved by the government "on a mission-by-mission basis consistent with the employment of other military assets".

But "mission" could actually have a much broader meaning.

The document also outlines eight "core missions" of the Canadian Forces, covering everything that our military forces do (p. 82). These missions include detecting, deterring, and defending against threats to or attacks on Canada; detecting, deterring, and defending against threats to or attacks on North America in partnership with the United States; leading and/or contributing forces to NATO and coalition efforts to deter and defeat adversaries, including terrorists; leading and/or contributing to international peace operations and stabilization missions with the United Nations, NATO, and other multilateral partners; and providing assistance to civil authorities and law enforcement, including counter-terrorism, in support of national security and the security of Canadians abroad.

Could offensive cyber activities be authorized in support of wide-ranging, fundamental "missions" such as these?

Such a reading may seem implausibly broad.

But on page 60 the document states the Canadian Forces "will ensure that new challenges in the space and cyber domains do not threaten Canadian defence and security objectives and strategic interests, including the economy."

It will take a lot more than cyber operations against ISIS to protect the Canadian economy — or defend a wide range of other Canadian defence and security objectives and strategic interests — from cyber threats.

The document also states that Canada has a "responsibility to contribute to efforts to deter aggression by potential adversaries in all domains", including specifically the cyber domain (p. 50). That's a much broader goal than anything that can be accomplished in the context of a particular expeditionary operation. And it implies an ongoing, continuous mission, not a temporary activity that can be expected to end when this or that operation wraps up in a matter of months or a few years.

A broader reading of "mission" is also necessary if Canada's cyber forces are to take on the sort of roles assigned their Five Eyes partners, notably U.S. Cyber Command.

It would be nice to know just how wide the range of cyber missions envisaged by the government could be.

Another question relates to the role of the Communications Security Establishment.

Will all offensive cyber operations — other than those conducted domestically — be undertaken by military cyber operators (presumably members of the Canadian Forces Information Operations Group) acting under military command? Or will CSE have a role as well?

The CFIOG normally works very closely with CSE (in fact, under its direction much of the time), and CSE's expertise on cyber defence and cyber espionage activities would be of direct relevance to any offensive operations the Canadian Forces might undertake. CSE is also likely to have its own expertise on offensive operations that it may use for computer network defence purposes and may also provide from time to time in support of CSIS "disruption" activities.

So to what extent might CSE be called upon to provide support to the Canadian Forces for the conduct of offensive cyber operations? And to what extent might CSE conduct its own operations? This document is silent on those questions.

[Update 20 June 2017: Bill C-59, which was announced and given first reading today, answers some of these questions. The government is proposing to give CSE the power to conduct both "defensive cyber operations" to help protect systems and networks "of importance" to the government of Canada and "active cyber operations" (i.e., offensive cyber operations) against foreign individuals, groups, or states for defence, foreign policy, or security purposes. The bill would also explicitly enable CSE to provide technical and operational assistance to the Canadian Forces and Department of National Defence, including for cyber operations.]

For some earlier comments that I made on Canada and cyber war, see here.

Update 18 June 2017:

This article (Murray Brewster, "Civilian oversight key to offensive cyber operations, says expert," CBC News, 18 June 2017) suggests that the Special Operations Forces sub-unit that the government will "examine establishing" in the Reserve Force will be tasked with developing "offensive cyber capabilities, particularly in the area of information operations". I don't think that's what the government is considering doing.

As noted above, the new defence policy does call for recruiting Reserve Force cyber operators and assigning cyber and intelligence roles to certain unnamed Reserve Force units and formations, as well as enhancing the information operations role of the Reserves, but I think it's a stretch to suggest that the Special Forces unit under consideration would take on cyber war, or information operations in general, as a primary function.

Sunday, April 23, 2017

CANUSA Agreement declassified

In 1949, Canada and the United States signed the CANUSA Agreement, codifying the extraordinarily close cooperation between the two countries on communications intelligence collection, processing, and dissemination.

The agreement was laid out in a Top Secret codeword-classified exchange of letters between G.G. (Bill) Crean, the Chairman of the Communications Research Committee (the interdepartmental committee that governed Canadian SIGINT policy), and Major General Charles P. Cabell, the Chairman of the equivalent U.S. body, the United States Communications Intelligence Board.

It was based closely on the U.S.-U.K. BRUSA Agreement of 1946, which was later renamed the UKUSA Agreement and is considered the foundational document of the Five Eyes SIGINT alliance.

The UKUSA Agreement was declassified and published online in 2010 along with most of its appendices and annexures, although some had significant redactions.

The CANUSA Agreement, by contrast, remained classified—until now.

Here is the full text of the agreement, minus as many as 83 pages of appendices and annexures, as released under Access to Information request A-2016-00131.

Kudos to the Communications Security Establishment for finally releasing this important historical document.

I usually leach off other people's access requests for the documents I cite on this blog, but in this case I put up my own five bucks to make a formal request since the public shaming I tried in January didn't seem to be working any better than the gentle persuasion I tried in November.

And, to be clear, the five bucks was only partly successful.

I asked for the appendices and annexures to the agreement to be released as well, but evidently that proposition was too great a shock to the system over there. This, despite the fact that (as I pointed out here) the 27 March 1953 version of Appendix B has been available online since 2015.

That particular horse probably got out by mistake, but it's not going to go back in the barn, pardners. Why pretend otherwise?

Another point: I also asked for the release of "all subsequent modified or amended versions of that agreement up to the present day."

We know from this document that the agreement was "revised slightly in 1960", but we don't know in what way.

And we still don't. Maybe the 1960 version was somewhere in those 83 pages that CSE redacted.

On the plus side, the Dominion is safe from whatever ill consequences would ensue if that specific 57-year-old horse ever got out.

But enough with the nay-saying.

At the risk of riding my metaphor off in all directions, I shouldn't look a gift (or, technically, five-dollar) horse in the mouth.

The CANUSA Agreement has finally been released into the wild. And that's a good thing.