Friday, August 04, 2017

CSE and Bill C-59 overview

My first two posts on the contents of Bill C-59 covered the proposal to give CSE a new foreign cyber operations mandate and the proposal to replace CSE's current watchdog, the CSE Commissioner, with two new institutions, the National Security and Intelligence Review Agency (NSIRA) and the Intelligence Commissioner. These are the most important changes proposed for CSE, but the bill also contains a number of other important measures that deserve comment. I'll try to cover the key remaining points in this post.

But first a brief acknowledgement: I was fortunate to take part in a great discussion of the bill at the Citizen Lab Summer Institute in July and I'm indebted to the other participants in that session for the many helpful insights they provided, which I've tried to draw on to inform the following comments. Misinterpretations are of course still my own.


An all-new CSE Act

The first point to make about the bill is that it proposes to entirely replace the existing statutory basis for the agency, Part V.1 of the National Defence Act (NDA), with a new Communications Security Establishment Act.

Part V.1 was enacted in 2001 as part of the omnibus Bill C-36 that was thrown together in three weeks by the Department of Justice and quickly passed in parliament in the wake of the 9/11 attacks.

The CSE-related provisions of the NDA have been widely criticized in the years since on grounds ranging from the absence of definitions for many key terms to the ambiguity of the provisions related to Ministerial Authorizations and their possible incompatibility with the Charter of Rights and Freedoms. In the decade leading up to the introduction of C-59, CSE Commissioners called for a growing list of amendments to the NDA to address some of these questions. (The final list is nicely summarized here.) In discussing the need for amendments, Commissioner Jean-Pierre Plouffe specifically noted that "Part V.1 of the National Defence Act was drafted and enacted quickly in 2001," suggesting that sober second thoughts were only to be expected.

Claude Bisson, the first CSE Commissioner, had a slightly different perspective on this question. In his 2001-02 report, Commissioner Bisson assured readers that, “Despite concerns expressed about the haste with which the [Bill C-36] legislation was drafted and debated, I know with certainty that those parts of the legislation that deal with CSE and the CSE Commissioner benefited from years of discussion within government long before September 11.” Legislation to provide a statutory basis for CSE and to permit the agency to incidentally collect private communications had indeed long been under consideration, and it is likely that most of what was eventually bundled into C-36 pertaining to CSE already existed in some form of draft. But none of that material had been subjected to careful legislative and public consideration, and Bisson too believed that aspects of the legislation needed improvement.

So let's have a look at some of the changes that are now being proposed.


Definitions

Section 2 of the CSE Act contains definitions of terms, most of which are the same as those in the existing law. One interesting change is in the definition of Global Information Infrastructure, which is almost identical to the earlier version, but will now include not just communications and IT systems, but also "any equipment producing [electromagnetic] emissions". Is this meant to cover the collection of information leaked by information systems through power lines and other unintended routes? There does seem to be some interest in "close access" operations — the physical planting of hardware or software devices to facilitate local collection — reflected in this bill (as discussed further below), so this addition may be part of that development. Or maybe it means something completely different. But I have to think it was added for some reason.

Also added are definitions of "publicly available information" and "unselected" information, the latter referring to information collected in bulk rather than specifically singled out because it corresponds to a particular "selector" such as an e-mail address or a phone number.

Not defined, however, were a number of terms that CSE Commissioners had explicitly recommended be defined in legislation, including "acquire", "intercept", "interception", and "metadata". In the case of metadata, CSE argues — I think correctly — that the provisions of the CSE Act that address the collection of information in general are sufficient to capture current and future forms of metadata, making a formal definition unnecessary (although probably still needed in the Ministerial Directive on the topic).

But it would have been useful to have definitions of the other terms. As Commissioner Plouffe commented, "These terms are of operational significance to CSE foreign signals intelligence and cyber defence activities and of significance to the Commissioner’s mandate to determine whether CSE complies with the law." They will remain of significance to that task even after NSIRA takes it over.

Also useful, in my view, would have been a definition of the term "directed at", which is fundamental to both the existing and the proposed limitations on CSE operations with respect to persons in Canada and Canadians anywhere. Subsection 23(1) of the new act specifies that "Activities carried out by the Establishment in furtherance of the foreign intelligence, cybersecurity and information assurance, defensive cyber operations or active cyber operations aspects of its mandate must not be directed at a Canadian or at any person in Canada" (emphasis added). In 2012 the Federal Court rejected the interpretation of "directed at" that CSIS and its lawyers put forward in a case involving CSIS activities, and in 2014 CSE suspended certain unspecified activities of its own in response to that ruling. It would appear, therefore, that even if the broad outlines of its meaning are clear, key details are still a bit fuzzy — even to insiders.

But, hey, what the heck, it's only the most important provision in the act.


New minister for CSE?

CSE has been part of the defence portfolio since 1975. But, as in the CSE section of the National Defence Act, the CSE Act would contain an explicit procedure for transferring this responsibility to a different minister. Section 4 of the act would empower the Governor in Council to designate a new minister at any time, without having to amend the legislation.

I have some sympathy for the idea of transferring the agency. CSE's current master, the Minister of National Defence, has a huge, complicated, and highly demanding portfolio, and it is evident that, no matter how capable they may be, few Defence Ministers have the time to truly master the intricacies of CSE's issues. It may be that CSE prefers it that way — less chance of the minister going walkabout and all that — but there is much to be said for giving the job to someone with the time to apply some actual, substantive attention to the job of being in charge.

But which minister should get the job? The Department of External, er, Foreign, er, Global Affairs more or less ran Canadian SIGINT policy in the days of yore, and Britain's Foreign and Commonwealth Office is still nominally in charge of GCHQ, but CSE's growing roles in cybersecurity, support to domestic law enforcement, and, soon, computer network attack make the foreign ministry a less than perfect fit these days. Giving the job to the Foreign Affairs Minister would also mess up the CSE Act's provisions for authorizing foreign cyber operations (sections 30 and 31, which lay out a separate role for the Foreign Affairs Minister) and thus necessitate a formal amendment after all, so it's doubtful the government would want to go down that road.

Public Safety might be a better fit, but that portfolio arguably is also already too large and complicated. And Public Safety is heavily focused on domestic security, while CSE's remit is much wider.

When you come right down to it, leaving the agency inside the defence portfolio might make the most sense if CSE and the Canadian Forces are increasingly going to be working together on cyber operations anyway. But what to do about the overloaded minister? In its latter days the Harper government experimented with sharing some of Defence Minister Jason Kenney's CSE-related duties with Associate Defence Minister Julian Fantino, although they never handed full responsibility for the agency to Fantino. Formally assigning it to the Associate Defence Minister might be a workable solution.


Establishment established



Section 5. No big point to make here. I just enjoy marveling at the recursive nature of this section.


It's raining mandates

OK, back to business. As readers of this blog should know by now, CSE currently has a three-part mandate, usually referred to as Mandates A, B, and C. Section 16 of the CSE Act would crank that up to a five-part mandate, with no handy letter designations. The five mandates proposed are foreign intelligence (essentially Mandate A), cybersecurity and information assurance (essentially Mandate B), defensive cyber operations (new), active cyber operations (also new), and technical and operational assistance (essentially Mandate C).

These five mandates are spelled out in the five succeeding sections of the act, 17 to 21, so until someone comes up with something better, I guess I'll just refer to them by their section numbers.


Mandate 17: SIGINT

Mandate 17 is CSE's flagship mandate, the acquisition of foreign intelligence through signals intelligence activities, including computer network exploitation activities. Unlike Mandate A, however, the proposed Mandate 17 appears to be expansive enough to permit the use of human agents to modify software, implant physical devices, or otherwise assist in the collection of foreign intelligence.

(Indeed, I'm not sure what would prevent CSE from developing an entire human intelligence (HUMINT) arm of the agency under this mandate if the government were to choose someday to go that way, other than perhaps CSE's designation in s.16 as Canada's "national signals intelligence agency for foreign intelligence" and the fact that the Intelligence Commissioner would have to approve the relevant Foreign Intelligence Authorizations. Maybe that would be enough.)

But I don't think the purpose of that permissive wording is to enable the creation of a HUMINT agency as such. Instead, it is almost certainly to allow for HUMINT assistance to SIGINT activities, such as the conduct of "close access" operations, where physical access to the equipment or location to be monitored is necessary. Canada and New Zealand are the only Five Eyes countries without a dedicated foreign intelligence HUMINT agency that can help out with such activities outside of the country, and that absence has not gone unnoticed. In 2007, Bob Brûlé, CSE's former Deputy Chief, SIGINT Operations, told the Standing Senate Committee on National Security and Defence that "organizations such as the CSE desperately require a foreign intelligence service for them to continue to be successful in the future. From a purely selfish point of view, some decision that the government could make to move forward would be of benefit to technical organizations such as the CSE."

As effective encryption spreads, it may well be that the future of SIGINT lies increasingly in "end point" operations and other activities designed to cripple or bypass that encryption, and some of those activities could certainly benefit from HUMINT assistance. But there are also pitfalls to that approach. Using on-the-scene people in foreign jurisdictions can mean putting individuals at extreme risk, and such operations also have increased potential to go wrong in ways that could expose Canada to extreme embarrassment and even retaliation. If the government is contemplating going down that road, it should probably be open with parliament and the public about its intentions.

Informed consent. Because it's 2017.


Mandate 18: Cybersecurity

Mandate 18, the proposed cybersecurity mandate, is much like CSE's existing Mandate B. But it would also enable the agency to provide protective services to "electronic information and information infrastructures designated... as being of importance to the Government of Canada," as long as CSE receives a prior written request from the owner or operator. Under Mandate B, all services that require a Ministerial Authorization (anything that might involve the interception of a private communication) are limited to the Government of Canada's own systems and networks. The new mandate would open the door to CSE protection of critical infrastructures such as major communications networks and the national electricity grid. Canadian political parties might also qualify. CSE's report on cyber threats to the Canadian electoral system, released just four days before C-59 was introduced in parliament, carefully avoided the what-to-do-about-it question. But it did tee it up nicely for the arrival of the bill. You might almost think someone timed it that way.

Another aspect worth noting here: If a communications company like Bell or Telus does request CSE's help and a Cybersecurity Authorization is subsequently approved, that would make it legal for CSE to intercept any or all of the private communications carried on that network. No judicial warrant would be required. There would, however, be limitations on how information thus acquired could be used: subsection 35(3)(d) requires that privacy measures be in place that "will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to identify, isolate, prevent or mitigate harm to... electronic information or information infrastructures designated... as being of importance to the Government of Canada".

That said, it's not entirely clear (at least to me) that this provision would prevent all non-cybersecurity uses of the information so collected. Let's suppose that full-take collection of every digital communication that passes through Bell Canada's network is determined to be essential in order to identify malicious activities that might harm that network. That determination would permit everything thus collected to be "used, analysed or retained". But what if analysis of that material turned up information useful for foreign intelligence, security intelligence, or criminal intelligence purposes? Could that information then be disclosed to CSE's intelligence customers? I'm pretty sure that the intent of s.35(3)(d) is to rule out those other uses, but I'm not sure that the actual wording is as absolute as that.

The oversight and review provisions in the bill would provide at least some protection against abuse, of course. Like Foreign Intelligence Authorizations, Cybersecurity Authorizations would require not only the Minister's signature but the approval of the Intelligence Commissioner.

In fact, it looks like each separate critical infrastructure system that CSE was ordered to protect would require its own authorization, so overseeing cybersecurity might end up being the largest part of the Commissioner's CSE-related work. (See this post for more on the Intelligence Commissioner and other aspects of the proposed oversight/review system.)


Mandates 19 & 20: Cyber operations

Mandates 19 and 20 would cover defensive and "active" cyber operations, respectively, i.e., computer network attack (CNA) operations for both defensive and offensive purposes. Such operations, which would constitute an entirely new aspect of CSE's activities, are discussed in this post, so I won't repeat all that here.


Mandate 21: Technical and operational assistance

Mandate 21, the proposed operational and technical assistance mandate, would be much the same as part three of CSE's existing mandate, Mandate C. But again, there's a tweak: Explicit authority to assist the Canadian Forces and the Department of National Defence would be added.

CSE has provided significant Support to Military Operations (primarily through Mandate A) throughout its history, and it has also occasionally provided Support to Lawful Access to the CF/DND, presumably in support of their activities as a federal law enforcement and security agency.

So if all that is already possible, why add this explicit mention? I'm guessing it's to remove any doubt about CSE's ability to assist the CF/DND in the military's own offensive cyber operations. Unlike CSE's cyber operations, the CF will get to cyberkill people as well as cyberbreak things. Maybe the government's lawyers are unsure whether the military can be considered a law enforcement or security agency when conducting military operations subject to the laws of war, or maybe they want to make it clear that CSE employees helping to carry out combat operations are doing so lawfully. The latter aspect is spelled out in greater detail in subsection 26(2).


Information about Canadians

As mentioned earlier, section 23 would require that CSE's activities under Mandates 17 to 20 (but not Mandate 21) "not be directed at a Canadian or any person in Canada". This section would also require that CNA operations "not be directed at any portion of the global information infrastructure that is in Canada."

However, section 24 spells out a number of activities that would be exceptions to those rules, the most notable being a blanket authorization to acquire, use, analyse, retain, or disclose publicly available information.

Publicly available information is defined in section 4 as "information that has been published or broadcast for public consumption, is accessible to the public on the global information infrastructure or otherwise or is available to the public on request, by subscription or by purchase." Whether that includes information that was obtained illegally and then posted on the Internet or made available for sale on the Dark Web is unclear. What it certainly does include, however, is everything that people post on public social media forums. Back in June I had a chance to ask CSE whether it could, for example, collect everything posted by everyone on Twitter under this provision, including everything that was posted by Canadians, if it decided that that would be useful. The response was, yes, it would be possible, but the agency denied that such collection was their goal, and they added that it probably would not be considered reasonable or necessary by CSE's review agency.

Be that as it may, it is clear that vast amounts of data about people's consumer choices, political and social views, religious affiliations, credit history, medical status, photographic collections, and Internet habits are either freely available or legally collected by Internet companies and commercial data brokers and potentially made available for sale. That the collection and use of such data would not be limited by CSE's usual prohibition on directing its activities at Canadians opens the door, at least in theory, to the creation of government databases containing extensive, deeply personal information on Canadians, especially when combined with information collected by other government departments, such as Revenue Canada, and information collected incidentally or otherwise by CSE's SIGINT and cybersecurity programs. How much of that sort of activity might be considered reasonable or necessary is difficult for an outside observer to predict.

The actual purpose of the provision is probably much more limited, to add social information to metadata analyses, provide collateral information for analyses of communications intercepts, enable more precise targeting of SIGINT collection (including de-targeting of individuals determined to be Canadians), and so on. But it would be nice to see some further delimitation of what could possibly pass through this rather large and ill-defined doorway.

Another interesting element is subsection 24(2), which permits the analysis of information for the purpose of providing advice pursuant to the Investment Canada Act. Presumably this would be in aid of government assessments of the potential national security consequences of foreign investments in Canadian companies. Analyses focused on Canadians or persons in Canada would be permitted under this provision, but it does not authorize collection activities directed at Canadians/persons in Canada.

Incidental collection, of course, is another matter. Subsection 24(4) would explicitly confirm that CSE "may acquire information relating to a Canadian or a person in Canada incidentally in the course of carrying out activities under an authorization issued under" its Mandates 17 or 18 [the original version of this post mistakenly said "18 or 19"] (or an emergency authorization for the same purposes). A definition of "incidentally" is helpfully provided:

"incidentally, with respect to the acquisition of information, means that the information acquired was not itself deliberately sought and that the information-acquisition activity was not directed at the Canadian or person in Canada."

Of particular interest is the fact that this definition specifies not only that the information-acquisition activity (communications interception, CNE operation, etc) must not be directed at the Canadian or person in Canada but also that the information acquired must not be "deliberately sought". The point of the latter requirement, I think, is to rule out the "reverse targeting" of Canadians. That's what would happen if, for example, CSE monitored a foreign individual located outside Canada not because he was himself of interest, but because he was married to a Canadian of interest and by monitoring his communications CSE could expect to obtain a large number of communications with or about her. Ruling out this kind of thing is an important safeguard.

But I have some difficulty with the wording "deliberately sought". As I noted here, in many cases CSE is especially interested in the communications of its foreign targets when those communications are going to or from Canadians or other persons in Canada. To take the most obvious example, if a suspected foreign terrorist plotter is communicating with someone in Canada, CSE (and Canadians in general) will want to know who in Canada is participating in the communication and what they're talking about. While it is difficult in many cases to know ahead of time whether a particular communication is going to or from someone in Canada (think gmail account, for example), in other cases, such as landline telephones, it's easy. CSE could, if it chose, apply "defeats" to prevent its collection systems from ever acquiring calls to or from Canadian landline telephone numbers. It does not do this, and has not done it since the law was changed in 2001 specifically to permit CSE to collect incidental communications. Testimony at the time by Defence Minister Art Eggleton and Justice Minister Anne McLellan made it clear that this was a deliberate decision to ensure that such collection could be done. In cases like that, incidental collection is very much "deliberately sought".

Clearly, this second meaning of "deliberately sought" is not the one intended in the bill's definition. But is it really that clear? Even the Department of Justice seems confused on this point. In its Charter Statement concerning Bill C-59, DOJ's lawyers wrote that "despite best efforts to avoid it, CSE may incidentally obtain private communications and other private information of Canadians and persons in Canada" (emphasis added).

Attention, DOJ: CSE is not — and will not be — making "best efforts" to avoid incidental collection.

To be clear, most of the time CSE is not interested in what Canadians have to say. It is definitely not targeting Canadians (except when it does so under Mandate C). But in many cases it very much does want to know what is contained in communications that take place between its foreign targets and Canadians or other persons in Canada. And for that reason, incidental collection does occur, deliberately, even when CSE could prevent it if it chose to.

My bottom line: If even the Department of Justice is confused about this issue, maybe the definition needs a little more clarity.


Privacy measures

Section 25 of the act outlines the safeguards that CSE would have to apply to the Canadian-related information it acquires: CSE "must ensure that measures are in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure" of both information acquired in the course of the agency's foreign intelligence and cybersecurity activities and publicly available information acquired by the agency.

Such measures are important, but they should not be misunderstood as a ban on the use, analysis, retention, or disclosure of information concerning Canadians and persons in Canada. The details of the privacy measures that CSE will have to follow are not spelled out in the act, and indeed they will almost certainly mostly remain classified, but they are not now and will not in the future be designed to prevent the use, analysis, retention, or disclosure of such information when it is deemed "essential" for CSE's mandated activities.

This does not mean that those measures will not be of value, of course.

A welcome innovation in the CSE Act's proposals is that the Intelligence Commissioner, not just the Minister, would have to be satisfied that CSE's privacy measures are sufficient before CSE's Foreign Intelligence and Cybersecurity Authorizations could enter into force. The Commissioner would have no oversight over CSE's use of publicly available information, however.

Unlike the other mandates, no specific privacy measures are laid out with respect to activities carried out under Mandate 21 (Technical and Operational Assistance). Such activities would, however, be subject to whatever privacy requirements were levied on the department or agency being assisted, including both general requirements (Charter of Rights, Privacy Act) and any measures specified in judicial warrants for intercept activities.

Also exempted from the privacy regime would be the cyber operations (computer network attack) activities undertaken under Mandates 19 and 20. Under subsection 35(4) of the act, such operations could only be authorized if the Minister "concludes that there are reasonable grounds to believe... that no information will be acquired under the authorization except in accordance with" a Foreign Intelligence or Cybersecurity Authorization. It's hard to conceive of a cyber operation that wouldn't collect at least some information, if only through the eyeballs of the individual conducting it (but probably much more extensively than that). One might imagine that at least some information would have to be acquired in the course of such operations if for no other reason than to decide what to do and then assess whether it has been done. So the assumption here must be that there would always be a Foreign Intelligence or Cybersecurity Authorization in place that could cover such operations. In the case of offensive cyber operations, this means a Foreign Intelligence Authorization, and since such authorizations would enable CSE to acquire information only "in the furtherance of the foreign intelligence aspect of its mandate", i.e., "for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities", those intelligence priorities had better include obtaining the information needed to conduct offensive cyber operations or there might turn out to be a bit of a gap in CSE's authorities.


All your law are override for us



Here's an interesting bit. The Foreign Intelligence, Cybersecurity, and Defensive and Active Cyber Operations Authorizations that the Minister issued would authorize the agency to carry out the activities specified in the authorizations "despite any other Act of Parliament or of any foreign state" (subsections 27(1), 28(1), 30(1), and 31(1)).

That seems pretty all-inclusive.

Don't get in the way of these people, folks, because they're about to be licensed to kill (except when conducting non-military cyber operations; see section 33).

I joke, of course. The Minister may issue no authorization unless "he or she concludes that there are reasonable grounds to believe that any activity that would be authorized by it is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities" (s.35). In the case of authorizations other than cyber operations, the Intelligence Commissioner also would have to approve. So they'd have to have a pretty darn good reason to kill you.

(And I'm hoping my having pointed that out will keep me off the list.)

One of the things actually accomplished by these provisions would be to extend the coverage of the activities protected by CSE's authorizations from just the interception of private communications to all acquisition of information by CSE, including metadata acquisition. The CSE Commissioner recommended that authority to collect metadata be explicitly added to CSE's part of the National Defence Act (along with, as noted above, a definition of the term), but that recommendation posed a practical problem of how to future-proof the definition of metadata in the face of constantly evolving technology. C-59 avoids that problem by subsuming everything that might be considered metadata now and in the future into the overall category of information and simply authorizing CSE to collect it all.

Another potential problem that this approach would solve relates to intercepts of Canadian private communications (PCs) that Canada receives from its allies. The Five Eyes countries do not routinely target each other's citizens, but intercepts of Five Eyes citizens do occur (usually incidentally) and sometimes they are passed on to the country in question. It has been CSE's view (and the Commissioners') that Canada is permitted to receive such intercepts from its allies as long as it doesn't, in the absence of a suitable warrant, specifically ask them to target persons in Canada. Apparently, receiving the contents of a PC from an ally does not in itself constitute "acquir[ing] the substance, meaning or purport" of the communication for the purposes of the Criminal Code. I'll leave it to the lawyers to explain how that works; the potential problem I want to talk about is this: No matter how you obtain the contents of a PC, it's still a PC, and the Criminal Code limits how the substance, meaning, purport, or indeed the fact of the existence of a PC may be used or disclosed. Disclosure is permitted in a number of specific circumstances — notably to CSIS or to a peace officer or prosecutor — but there is no provision for the use or disclosure of PCs in support of broader foreign intelligence activities, which leaves out a wide swath of CSE's normal reporting topics and customer base.

What has this gap meant for CSE? It's possible that the agency has a legal interpretation that says the use and disclosure provisions of the Criminal Code don't apply to reporting on the contents of PCs obtained through allies. Maybe the courts would even agree. I don't know. But it looks to me as though either CSE has had to limit its reporting on PCs obtained from allies to just CSIS and police/prosecutors or the agency has been ignoring that section of the Criminal Code. If either of those possibilities is correct, the legal override provisions in s.27 of Bill C-59 should remove that problem in the future.


Unselected unlimited?

An interesting little detail here. Subsection 35(2)(a) says the Minister can only issue a Foreign Intelligence Authorization if he or she concludes that "any information acquired under the authorization could not reasonably be acquired by other means and will be retained for no longer than is reasonably necessary". But then s.35(2)(b) requires that the Minister also conclude that "any unselected information acquired under the authorization could not reasonably be acquired by other means, in the case of an authorization that authorizes the acquisition of unselected information". Since "unselected information" is a subset of "information", what is the point of this additional provision, which levies no additional conditions? Is it that the provision does not include the condition that the acquired information must be retained for no longer than is reasonably necessary? Does this mean there would be no requirement for retention limits on any of the unselected information acquired by CSE?


Urgent circumstances

Section 47 would authorize CSE to "use and analyse information relating to a Canadian or a person in Canada if it has reasonable grounds to believe that there is an imminent danger of death or serious bodily harm to any individual and that the information will be relevant to the imminent danger".

The need for this kind of provision is undeniable, I think, but it does seem rather sweepingly permissive. The danger of death or serious bodily harm can relate to "any individual" at any location, not just Canadians or persons in Canada, and the Canadian-related information that can be examined need only be "relevant" to the danger. In Canada there are people in danger of death or serious bodily harm every day of the week, and the situation beyond our borders is often incomparably worse. Terror plots are probably the threat that most people would think of in the context of using a provision like this, but it would also probably be of use in search-and-rescue situations and other non-criminal threats to life. And in between those poles is a full panoply of criminal activities that could also pose an imminent threat of death or bodily harm. Would CSE be permitted to search for Canadian information related to any imminent violent crime in Canada? This presumably would be a search within its data repositories (the provision does not authorize any collection of information relating to Canadians or persons in Canada), but those repositories might be very large indeed. And just how imminent is "imminent"?

Also important, the section would permit Canadian-related information to be disclosed to "any appropriate person", a wording that one assumes was deliberately chosen to allow disclosure to non-Canadians as well as Canadians.

In all, it seems as though rather a lot of activity with implications for Canadian privacy might be able, at least in theory, to pass through a doorway that is probably actually intended for relatively infrequent use. One measure that might help to guard against excessive use is that both the Minister and NSIRA would have to be notified whenever information was used, analysed, or disclosed under this provision.

On a somewhat-related issue, I've been wondering where in the proposed CSE Act the government has placed the provisions that would permit CSE to provide to the RCMP and other law enforcement agencies the non-urgent criminal intelligence that it picks up incidentally in the course of its foreign intelligence operations. CSE has done this sort of sharing for a long time, and it doesn't seem at all likely that the government is planning to end that practice. So how exactly is that accomplished in this act? (And what other significant activities am I failing to see?)


You're once, twice, three times legal

Turning to section 51, we get this intriguing provision: "Part VI of the Criminal Code does not apply in relation to an interception of a communication under the authority of an authorization issued under subsection 27(1), 28(1) or (2), 30(1), 31(1) or 41(1) [i.e., a Foreign Intelligence, Cybersecurity, or Cyber Operations Authorization] or in relation to a communication so intercepted."

Two questions come to mind. First, since the Minister could only issue an authorization under subsections 30(1) or 31(1) (i.e., a Cyber Operations Authorization) if he or she concluded "that no information will be acquired under the authorization except in accordance with an authorization issued under subsection 27(1) or 28(1) or (2) or 41(1)" (i.e., a Foreign Intelligence or Cybersecurity Authorization), what is the point of making it legal to intercept a communication under the authority of a Cyber Operations Authorization? As I noted earlier, a Foreign Intelligence or Cybersecurity Authorization would pretty much have to be in place every time a Cyber Operations Authorization was issued, making the whole question of interceptions under subsections 30(1) or 31(1), even unintended ones, moot.

Second, since everything that CSE would be permitted to do in an authorization issued under any of the subsections cited in s.51 would already be legal by virtue of those authorizations, why bother with s.51 at all?

It's possible, I suppose, to imagine a CSE activity undertaken under the authority of a Foreign Intelligence or Cybersecurity Authorization that for some reason did not include permission to incidentally intercept private communications. I think that would be a very rare circumstance indeed, but even in that case s.51 would make no difference to CSE's legal liability. An intentional interception made when the authorization did not cover interceptions would not be an interception "made under the authority" of that authorization and thus s.51 would not apply, whereas an inadvertent interception would not be a wilful act and therefore would not violate Part VI of the Criminal Code (which applies only to wilful interceptions of private communications), eliminating any need for s.51.


From the Sanitization Department

The act also includes a couple of interesting opaqueness measures:

Section 56 would protect the identities of persons or other entities that assist CSE on a confidential basis from disclosure in court proceedings, except under certain limited circumstances. This is probably intended mainly to keep secret the names of telecommunications companies that help CSE's intercept operations, such as the owners of the facilities that host CSE's EONBLUE sensors. But it should also prove useful for the HUMINT operations that CSE seems to be contemplating.

And section 57 would affirm that the "provision of assistance or the disclosure of information by the Establishment... does not create a presumption... that the Establishment is conducting a joint investigation or decision-making process with the entity to which assistance is provided or information is disclosed and therefore has the same obligations, if any, as the entity to disclose or produce information for the purposes of a proceeding". Among other purposes, I think this provision is intended to enable CSE to provide SIGINT in support of investigations and other processes without running the risk of being forced to disclose that SIGINT in legal proceedings. "Disclosure Risk Management" has been a major concern within CSE in recent years and this provision is probably a response to that concern.


Annual report to be produced

Still, it's not all darkness: The act would also contain a significant step towards greater transparency.

Section 60 would direct CSE to produce an annual report within three months of the end of every fiscal year. (The government fiscal year ends on March 31st, so this means the reports would be due by the end of June every year.) No details are provided as to what would go into this report, which CSE confirms would be made public, but I think this is a very welcome development and I have high hopes for it.

Don't disappoint us, CSE!


OK, that's it for my overview of Bill C-59 as it pertains to CSE. Phew. If any of you made it all the way to the end, thanks for reading. I hope at least some bits of it were useful.


Monday, July 03, 2017

Bill C-59: New dogs for new tricks

The Liberal government's Bill C-59 would affect the Communications Security Establishment in a number of important ways (most notably the addition of a foreign cyber operations mandate). One of the most consequential potential changes is the bill's proposal to eliminate CSE's existing watchdog agency, the Office of the CSE Commissioner (OCSEC), and replace it with two newly created entities, the National Security and Intelligence Review Agency (NSIRA) and the Intelligence Commissioner, each with significantly expanded powers.

National Security and Intelligence Review Agency

The proposed National Security and Intelligence Review Agency would absorb and replace the current Canadian Security Intelligence Service watchdog agency, the Security Intelligence Review Committee (SIRC), and expand its mandate to include not just CSIS activities but also CSE activities—taking on most of the OCSEC role—as well as the national security and intelligence–related activities of all other federal departments and agencies, including the RCMP and the Canadian Border Services Agency. This would meet two long-sought goals: ensuring that all elements of Canada's security and intelligence community are brought under scrutiny and knocking down some of the silo walls between existing review bodies that have made investigations of inter-agency activities difficult.

Even more important from the perspective of CSE review is that NSIRA would be empowered to make findings and recommendations that relate not just to a department’s compliance with the law, but also to "the reasonableness and necessity of a department’s exercise of its powers." Like many other observers, I have always felt that OCSEC's mandate, limited to questions of compliance with the law, was too narrow. (If you're interested, here I am calling for a broader mandate back in 1996.) Extending the purview of the new review agency to include the reasonableness and necessity of CSE activities would be a very important expansion compared to OCSEC's role.

Also useful would be NSIRA's proposed power to acquire "any documents and explanations that the Agency deems necessary for the exercise of its powers and the performance of its duties and functions" (excluding Cabinet documents) and the fact that it, not CSE, would be "entitled to decide whether information relates to the review or complaint in question." OCSEC struggled on a number of occasions to gain access to documents that CSE (or in one case National Defence) felt were not relevant to the Commissioner's work. Specifying in the legislation that NSIRA has the power to decide whether information is relevant should reduce that kind of resistance.

Another interesting innovation is that NSIRA would have the power to produce not only an annual report that must be made public (as is already the case for OCSEC), but also special reports on topics that it considers it to be in the public interest to report on. One purpose of issuing such reports would probably be to reassure the public about issues that have become matters of public concern. (The public statement that OCSEC issued following the CBC's publication of the CSE "airport wi-fi" document might be considered a forerunner to this kind of reporting.) In other cases, however, such reports might serve as a means for the agency to draw attention to its own concerns.

As with the OCSEC annual report, the Minister would receive NSIRA special reports ahead of time but would not have the formal power to censor their contents. I say no formal power because the government would of course retain the ability to decide whether classified information can be declassified, enabling it to prevent the release of many—or even all—of the details of the matters that might be discussed in such reports. But it would not enable the government to stop the watchdog from publicly reporting, for example, that "CSE's [redacted] program presents a serious threat to the privacy of Canadians." Thus, even in the worst case, where few or no details were deemed releasable, such reports could serve as vital bell-ringers for parliament, the courts, and the public.

Intelligence Commissioner

The other new watchdog proposed in Bill C-59 is the Intelligence Commissioner, a position that would be filled initially by re-mandating the current CSE Commissioner, Jean-Pierre Plouffe. OCSEC would be disestablished and its budget and staff transferred, at least initially, to the Intelligence Commissioner. (I would expect, however, that many OCSEC employees would almost immediately move to NSIRA, which would take on the bulk of the tasks currently performed by OCSEC.)

The provisions for appointing new Intelligence Commissioners ("The Governor in Council, on the recommendation of the Prime Minister, is to appoint a retired judge of a superior court as the Intelligence Commissioner") differ slightly from those pertaining to the CSE Commissioner in the National Defence Act ("The Governor in Council may appoint a supernumerary judge or a retired judge of a superior court as Commissioner of the Communications Security Establishment"). The change in the rules may be in part a response to the concern about the appropriateness of appointing supernumerary judges that was expressed by the first CSE Commissioner, Claude Bisson. Another change is that the appointment would in future be mandatory ("is to appoint") rather than technically optional ("may appoint"). (The weakness of the original wording was discussed by CSE's Director of Legal Services, David Akman, here.)

The Intelligence Commissioner would have two main responsibilities: "(a) reviewing the conclusions on the basis of which certain authorizations are issued or amended, and certain determinations are made, under the Communications Security Establishment Act and the Canadian Security Intelligence Service Act; and (b) if those conclusions are reasonable, approving those authorizations, amendments and determinations."

With respect to CSE, these duties would pertain specifically to "Foreign Intelligence Authorizations" and "Cybersecurity Authorizations", the functional equivalents of the Ministerial Authorizations provided under the current law to permit CSE to engage in activities that might lead to the incidental interception of "private communications" (communications that begin or end in Canada) without violating the law.

Unlike the current authorizations, however, the implementation of Foreign Intelligence and Cybersecurity authorizations would depend on the approval of the Intelligence Commissioner, based on the Commissioner's assessment of the reasonableness of the Minister's decision to issue the authorization. Without the Commissioner's approval, the authorization would not be able to take effect. (Note, however, that a proposed new category of authorizations pertaining to offensive and defensive cyber operations, i.e., Computer Network Attack activities, would not be subject to this procedure, or indeed examined by the Intelligence Commissioner at all.)

These proposals would give the Intelligence Commissioner "oversight" powers fundamentally different from those heretofore exercised by Canada's "review" bodies. (See here for a description of the difference between oversight and review in official Canadian parlance.)

A number of legal experts have expressed doubt as to whether CSE's current procedures for authorizing its activities take sufficient account of the privacy rights of Canadians under the Charter of Rights and Freedoms (see, for example, here), and a challenge to those activities brought by the British Columbia Civil Liberties Association is currently before the courts. Thus, the government's goal in creating the quasi-judicial Intelligence Commissioner position is probably to Charter-proof those activities, along with certain data retention and processing activities conducted by CSIS.

Do the changes the government is proposing go far enough? They are less ambitious than those proposed in 2014 in Liberal MP Joyce Murray's private member's bill, Bill C-622, which was defeated by the Harper government. Murray's proposal, supported by the Liberal Party at the time (and essentially repeated in the Liberal election platform), would have required CSE to obtain an order from the Federal Court to authorize it to intercept or acquire communications whenever that activity might lead to the incidental collection of communications or metadata involving Canadians.

Still, two of Canada's leading national-security law experts, professors Craig Forcese and Kent Roach, have expressed support for the government's proposal, concluding it would put CSE "on a much sturdier constitutional foundation which does not rely simply on ministerial authorization."

CSE typically obtains four Ministerial Authorizations (MAs) per year under the current system, three for various SIGINT activities that might (indeed do) involve the incidental interception of Canadian communications and one for cybersecurity activities that likewise involve incidental interception. The three SIGINT authorizations are very broad in scope, probably covering the interception of circuit-switched communications, such as traditional phone calls; the interception of packet-switched communications, i.e., Internet communications; and the collection of communications through Computer Network Exploitation, i.e., computer hacking activities.

The authorizations that would be approved by the Intelligence Commissioner are likely to be similar in scope. Like the current MAs, each authorization would last for up to one year and would cover classes of interception activity rather than specific targets. Under the new rules, each authorization could be renewed for one additional year without requiring the approval of the Intelligence Commissioner. On average, therefore, the Commissioner might be asked to approve as few as two authorizations per year.

However, the number might be somewhat larger. It's possible that Intelligence Commissioners would insist on a finer-grained approach, with more numerous authorizations addressing more limited and more tightly constrained sets of activities. One difference that might lead to an increase in the number of authorizations is that the new system would cover not just communications but all information collection, including metadata. [Update 5 August 2017: Also, a separate cybersecurity authorization would be required for each non-governmental critical infrastructure system or network that CSE undertook to protect, so the number of those authorizations could become quite large.]

But however it developed, the proposed system would not be remotely as particularized as the target-by-target warrants required by the court system for interceptions inside Canada by CSIS or the police.

On the whole, then, the new system would probably not be a great deal more cumbersome for CSE than the current one. There is certainly some chance that Intelligence Commissioners would insist on more detailed proposals and/or more extensive privacy protections in the authorizations, but that should be seen as a feature of the proposal, not a bug.

Another potential advantage of the new system is that it would bring much greater expertise to the authorization process than the Minister of National Defence could ever bring. The Department of National Defence is a huge and complex portfolio and the Minister, being human, is much too busy to develop and maintain in-depth knowledge of the minutiae of CSE's activities. This is a problem, because other than OCSEC's after-the-fact reports on specific review topics, the Minister currently has little or no access to expertise about CSE and its operations outside of the information provided by the agency itself.

In its 2015-16 annual report, OCSEC suggested that the CSE Commissioner might be able to assist the Minister in this regard, providing "an independent expert assessment of proposed ministerial authorizations, whether the conditions for authorization set out in the Act are met, and concomitant privacy protections. The Commissioner is already doing this work; only the timing would change, so that the Commissioner can provide an assessment to the Minister before the authorizations are signed, enhancing accountability." The proposed Intelligence Commissioner role would in a sense build on this OCSEC suggestion.

C-59 would also require that NSIRA brief the Minister of National Defence at least once per calendar year "on the exercise of, or the performance by, the Communications Security Establishment of its powers, duties and functions". This process would also help to ensure that the Minister gets more than just a retrospective outside perspective on the activities of the agency.

Unlike the CSE Commissioner, the Intelligence Commissioner would not have a public reporting role. All reporting to the public would come from NSIRA and the proposed National Security and Intelligence Committee of Parliamentarians. However, the Commissioner would be required to provide a copy of every approval decision, positive or negative, to NSIRA, so it's possible that NSIRA will report on the authorizations processed by the Intelligence Commissioner. That would be a very important service.

The Intelligence Commissioner would also have the right to receive copies of any reports produced by NSIRA or the Committee of Parliamentarians that relate to the Intelligence Commissioner's duties. Unfortunately, there does not appear to be any provision for information-sharing or cooperation among these bodies on a less formal level, and the justices of the Federal Court would be left picking through the public reports of NSIRA and the Committee of Parliamentarians, much as they do now with SIRC and OCSEC reports, to get any hint of concerns that might be relevant to issues within the court's purview. In this respect, the problem of review bodies being confined to separate silos would not be resolved by this legislation.

Farewell to OCSEC

I have somewhat mixed feelings about the plan to eliminate OCSEC.

CSE's watchdog has been much criticized over the two decades it has been in operation, and I've taken my share of shots at it over that time, but the Commissioners have always done important work, and I have been impressed in recent years by the determination of the current Commissioner and his staff to expand the envelope of what OCSEC can say and do.

Still, the government's proposals incorporate a number of important improvements and innovations, and between NSIRA and the office of the Intelligence Commissioner it looks as though Mr. Plouffe and the former OCSEC staff will be able to continue the work they have been doing and expand it in significant ways. It seems like a good decision.

Mr. Plouffe's term as CSE Commissioner was recently extended to October 18th, 2018, and I doubt he will want a second extension, so even if the bill is passed and enters into force relatively quickly he probably will not spend a lot of time in the Intelligence Commissioner's job. The staff of OCSEC I hope (and expect) will stay on with NSIRA and the office of the Intelligence Commissioner. The new watchdogs will need their expertise.

In the meantime, we can expect Mr. Plouffe and his staff to continue doing the work of OCSEC. They deserve our thanks for the diligent and important work they have done for Canadians over the years.


Friday, June 30, 2017

Charter Statement mischaracterizes CSE incidental collection

I'm working on a blog post about the oversight and review provisions proposed in Bill C-59, but I just want to make a quick point about this sentence in the Department of Justice's Charter Statement concerning the bill:

"Although CSE is prohibited by subsection 23(1) from directing its activities at Canadians or persons in Canada, the practical realities of acquiring information from the [Global Information Infrastructure] means that despite best efforts to avoid it, CSE may incidentally obtain private communications and other private information of Canadians and persons in Canada."

The clear implication of this statement is that CSE uses its "best efforts" to avoid the incidental collection of private communications (i.e., communications that either begin or end in Canada).

This is simply untrue.

CSE is not permitted to target Canadians or persons in Canada*, but it is permitted when operating under its normal foreign intelligence authorizations to collect the communications of such persons incidentally (i.e., when they communicate with a CSE foreign target that is itself located outside of Canada). It collects such communications with deliberate intent, and the measures proposed in Bill C-59 would not change that fact.

(*For the purposes of this discussion, I'm ignoring those cases where CSE collects private communications on behalf of some other federal agency that has already obtained a judicial warrant for that purpose.)

This shouldn't be terribly surprising. If a foreign terrorist located in Afghanistan telephones someone in Canada and CSE happens to be monitoring that terrorist, the Canadian government—and the Canadian public—is going to want the agency to find out which person in Canada took the call and what it was they talked about.

There are differing views as to whether a judge ought to be involved somewhere in that process (the current proposal would introduce a quasi-judicial process), but that's a separate issue.

Prior to the passage of the Anti-Terrorism Act (Bill C-36) in 2001, it wasn't legal for CSE to collect private communications, incidentally or otherwise. Back then the agency really did have to make its best efforts to avoid incidental collection.

In some cases that was very difficult. But in other cases it was more straightforward. CSE could set its collection systems to ignore calls to or from a phone number in Canada, for example, regardless of who the call might connect to outside of Canada.

After 9/11, the prohibition on incidental collection by CSE was no longer considered acceptable. As Defence Minister Art Eggleton testified,

"Under the Criminal Code CSE cannot collect communications that include any communications that originate in or terminate in Canada. This seriously limits CSE's ability to provide intelligence on issues that are critical to Canada's national security.

"Let me illustrate what I mean. CSE focuses its collection only on foreign entities located outside Canada. This is about the third time I've said that, but I want to emphasize it. If such a target communicates with someone who is located in Canada, CSE cannot intercept the communication, as things presently stand, which means CSE stands to lose the communications of its targets at exactly the moment when they might have the most direct impact on Canada's interests, when they are communicating with someone in Canada. This constraint creates a serious gap in Canada's intelligence capabilities, which in turn affects our ability to collaborate effectively with our allies on intelligence issues. ...

"What will the impact of the proposed amendments be on the National Defence Act? Under CSE's present legal framework, if a terrorist in Afghanistan is communicating with an individual in Toronto, CSE is not allowed to acquire that communication. With this amendment, important information that is now lost will become available to Canada and available to our allies in the fight against terrorism. When CSE has identified the communications of a foreign target abroad, it'll be able to follow those communications wherever they go."

And that's just what the agency now does. The "defeats" that sought to prevent the incidental collection of communications with one end in Canada are no longer in place.

There are undoubtedly efforts to avoid the inadvertent collection of private communications that are unrelated to CSE's foreign targets. And there are probably also efforts to minimize the collection of traffic that may be related to legitimate foreign targets but is considered for one reason or another to be unlikely to produce anything of foreign intelligence value, especially if that traffic might also involve Canadians or other persons in Canada at the other end.

But there are no "best efforts"—there is no effort at all—to avoid all incidental collection.

The Department of Justice is either mistaken or dishonest to suggest that "best efforts" are being used to avoid incidental collection.

I'm not sure which is worse.


Saturday, June 24, 2017

CSE to get foreign cyber operations mandate

Among the changes that the Liberal government is proposing to make via its Bill C-59, announced on June 20th, are several important measures affecting CSE, including an entirely new statutory basis for the agency, the Communications Security Establishment Act, that will replace the current CSE-related provisions of the National Defence Act. The bill also proposes to eliminate CSE's existing watchdog agency, the Office of the CSE Commissioner (OCSEC), and replace it with two newly created entities, the National Security and Intelligence Review Agency (NSIRA) and the Office of the Intelligence Commissioner, which will also be keeping tabs on CSIS and (in the case of NSIRA) a number of other agencies. (See my comments on that aspect of the bill here.)

Together, the proposals affecting CSE comprise a wide-ranging and highly consequential set of measures, but probably the most significant item is the plan to give the agency the power to conduct both defensive and "active" (i.e., offensive) cyber operations against foreign targets.

The addition of this foreign cyber operations mandate would represent the most fundamental change in CSE's role in the agency's 70-year history.

When CSE, originally called CBNRC, was created in September 1946, it had two major complementary functions: analysis of foreign communications intercepted by Canada and its allies (communications intelligence, COMINT, which was later broadened into signals intelligence, SIGINT); and protection of Canadian government classified communications (communications security, COMSEC, which was later broadened into information technology security, ITSEC).

Canada and its allies occasionally engaged in black-bag jobs to steal codebooks, tap cables, or plant bugs for intelligence collection, but CSE did not undertake such operations itself. For most of the agency's history, CSE's SIGINT role was entirely passive: it processed and analyzed the radio communications that could be monitored at Canadian and allied intercept sites.

The first big change in that role happened in the wake of the 9/11 attacks, although it had more to do with the advent of the Internet beginning in the 1990s. Passage of the Anti-Terrorism Act gave CSE the authority to conduct the cyberspace version of the black-bag job—Computer Network Exploitation (CNE)—in support of its SIGINT mandate. CSE was empowered not just to intercept communications ("data in motion"), as it had done in traditional SIGINT activities, but to seek out information residing on foreign computer systems ("data at rest") that CSE could gain surreptitious access to. It became a hunter as well as a gatherer.

But while CNE operations entail breaking into computer systems and networks, disabling security features, implanting specialized malware, and of course copying information, all of these activities are undertaken in the name of SIGINT collection. Any damage inflicted is purely incidental—an undesirable side-effect that might lead to exposure and early termination of the operation.

The proposed CSE Act would enable CSE to conduct deliberate Computer Network Attack (CNA) operations, both to defend Canadian IT systems against foreign CNE and CNA operations and to attack foreign IT systems in furtherance of Canadian foreign policy, defence, or security goals. The bill refers to these two types of CNA operation as "defensive cyber operations" and "active cyber operations" respectively. (For more on the relationships between CNE, CNA, and CND—Computer Network Defence—operations, see this discussion.)

With this change, CSE would no longer be simply an intelligence (and ITSEC) agency: it would also be a covert operations agency, able to intervene outside Canada's borders to disrupt, damage, or destroy the computers, IT networks, or electronic information of foreign individuals, groups, or states.

The bill does propose some limits on the way these powers could be used. Cyber operations must be requested or consented to by the Minister of Foreign Affairs and authorized by the Minister of National Defence. In addition, such operations must not "cause, intentionally or by criminal negligence, death or bodily harm to an individual" or "wilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy." These are significant limitations.

More destructive cyber operations are still possible outside the context of the CSE Act, but the government has assigned that job to the Canadian Forces.

Even in that respect, however, CSE might still play a critical role. Under the new CSE Act, CSE would be explicitly permitted to provide operational and technical assistance to the Department of National Defence and the Canadian Forces (as it already does for federal law enforcement and security agencies), and cyber assistance provided under this mandate would not be subject to the limitations applied to CSE's own cyber operations.

Whatever the effect of these limitations in practice, to my mind addition of a cyber operations mandate is a huge change in the nature of the agency, and it raises a number of issues.

Most fundamentally, is it in Canada's interest to further normalize the growing use of CNA activities by states? Should CNA be classified as just another tool of statecraft? Should such capabilities be restricted to a deterrent role? Is cyber deterrence, whether through CNA capabilities or more conventional responses, even a practical goal, given difficulties of attribution and the inevitable overlap between CNE and CNA? Would improved defence and resilience be a preferable, or at least sufficient, response or are all three required?

The recent defence policy statement asserts that "a purely defensive cyber posture is no longer sufficient" (resilience doesn't get mentioned in the cyber context). But not everyone is convinced by that claim. As with most issues, Canada's choices are likely to have a marginal influence at best on the future of cyberspace, but that alone is not sufficient reason to abandon self-restraint or efforts to create global rules of the road and preserve the global commons if we believe that Canada's (and the globe's) ultimate interests would best be served by moving in that direction.

Second, even if Canada does choose to arm itself with, and to use, such capabilities, is CSE the right place to lodge them? There is certainly a case to be made for giving the role to CSE. The knowledge and skills required for CNA activities inevitably overlap with those required for CNE (and for CND), and CSE is Canada's centre of expertise in those activities.

But just as there are different imperatives between intelligence-gathering and law enforcement—the reason CSIS was separated from the RCMP in 1984—there are different imperatives between intelligence-gathering and covert operations. One side seeks to preserve its accesses so it can maintain or even improve its intelligence collection; the other seeks to exploit them for operational purposes, even though such operations may burn the accesses in the process. (A similar conflict already exists between the ITSEC side of the organization, which seeks to shut down IT vulnerabilities to protect against intrusions, and the SIGINT side, which may want vulnerabilities it is currently exploiting to remain unrevealed.)

Furthermore, while the job of the intelligence-gatherers is to report the unvarnished truth, uncontaminated as much as possible by policy considerations, the covert operations side of the agency would inevitably become involved in the development and advocacy of operational plans, and in defending the agency's performance in those operations, giving CSE an undesirable stake in its own intelligence reporting.

Can a single agency effectively do two (really three) tasks that are in many ways complementary but also in important ways contradictory while still giving proper attention and weight to each?

I don't think it's impossible to reconcile these imperatives, but I do think it requires delicate balancing and constant vigilance. This is an area to which the proposed review agency and committee of parliamentarians may want to pay on-going attention.

It's also an area where there is probably a role for the central agencies of the government.

I had a chance to ask about cyber operations decision-making during a stakeholders' teleconference about Bill C-59 that CSE invited me to join.

As noted above, the proposed law would require that such operations be requested or consented to by the Minister of Foreign Affairs and authorized by the Minister of National Defence. This arrangement foresees the possibility that the Foreign Affairs Minister might sometimes make a request for a cyber operation in service of Canadian foreign policy interests. But the ministers themselves are not normally going to be sitting around thinking up plans for CSE cyber operations, nor will they be equipped to assess what might be feasible or balance all the considerations that might arise. So who will be doing the proposing, and who will make sure the resulting plans are reconciled with the broader goals and operations of the Canadian government?

The officials who took part in the teleconference acknowledged that CSE would probably often be the agency proposing such operations, but they agreed that there would still need to be some sort of inter-departmental process to ensure that wider factors are considered, including deconfliction with cyber operations that the Canadian Forces might be undertaking (and deconfliction with allied agencies), but also more general considerations. They added, however, that the bill had not yet been passed and might be amended before passage, and that some of these structural questions had not yet been resolved.

For most of its history, CSE laboured under the watchful eye (or heavy thumb, as they may have considered it) of various inter-departmental committees—originally the Communications Research Committee and later the Intelligence Advisory Committee and Security Advisory Committee of the Privy Council Office (PCO). The final form of this system saw the National Security Advisor serving as the deputy minister for CSE for policy purposes. But all of that ended when CSE became a stand-alone agency, with the Chief of CSE serving as the agency's own deputy head, in November 2011. There is no longer any line role for the PCO between CSE and its minister.

But the PCO continues to play a role in coordinating the various elements of the Canadian intelligence community, and in integrating intelligence and defence, security, and foreign policy concerns. And, in my view, it will need to play a very active role in overseeing the planning and conduct of any cyber operations undertaken by CSE and/or the Canadian Forces to ensure that all national policy considerations are taken into account. The PCO is also the place to ensure that the proper balance among CSE's cyber, SIGINT, and ITSEC priorities is maintained.

I also asked the officials what the addition of a cyber operations mandate for CSE might mean for the agency's own structure and resources. Will there be a separate Deputy Chief for Cyber Operations, just as there are Deputy Chiefs for SIGINT and ITSEC? Will CSE be looking to expand its workforce to support the conduct of cyber operations?

According to the officials, those decisions have not yet been made, and the agency did not want to pre-judge the outcome of the legislative process. Still, I'm sure they have some ideas for how it might all work out.

They did say that CSE was likely to enter the cyber operations business only gradually, taking "one step at a time," and adding that "you have to walk before you can run." This would seem to suggest little immediate need for growth on the part of the agency, although the implied eventual goal of "running" opens the door to larger needs over the longer term.

I guess we'll see.

In the meantime, I think it is going to be very interesting watching this soon-to-be three-legged agency relearn how to walk.


I'll look at other parts of the bill that affect CSE, notably the new oversight and review provisions, in a future post.


Wednesday, June 21, 2017

Liberals propose huge changes for CSE

The government's Bill C-59, announced on 20 June 2017, proposes huge changes for Canada's security and intelligence community, including important additions to CSE's mandate and the elimination of its current review agency, the Office of the CSE Commissioner (OCSEC).

The proposal to add explicit defensive and "active" cyber operations mandates to CSE's roles may represent the most fundamental change in the agency's history. The proposed elimination of OCSEC and creation of both the National Security and Intelligence Review Agency and the position of Intelligence Commissioner are also major changes.

I'll be writing more on these and other proposals in the bill, but it will probably take me a few days to get the post together.

So in the meantime, here's CSE's description of the changes.

It's also worth checking out some of the news reporting and commentary on the proposals:


Alex Boutilier, "Spy bill allows government security agency to collect ‘publicly available’ info on Canadians," Toronto Star, 21 June 2017

Justin Ling, "Canada’s cyber spy agency is about to get a major upgrade," Vice News, 21 June 2017

Michael Geist, "Five Eyes Wide Open: How Bill C-59 Mixes Oversight with Expansive Cyber-Security Powers," michaelgeist.ca, 21 June 2017

Alex Boutilier, "Canada’s spies to get green light to launch cyber attacks," Toronto Star, 20 June 2017

Matt Braga, "How, when, and where can Canada's digital spies hack? Government makes some suggestions in CSE Act," CBC News, 20 June 2017

Jim Bronskill, "Security bill limits CSIS disruption powers, boosts review of spy services," Canadian Press, 20 June 2017

Craig Forcese & Kent Roach, "The roses and the thorns of Canada’s new national security bill," Maclean's, 20 June 2017

Wesley Wark, "Liberals’ bold Bill C-59 would redraw the national security landscape," Globe and Mail, 20 June 2017


Update 23 June 2017: A few more items:

Craig Forcese & Kent Roach, "Two of Canada’s foremost experts in national security law give their assessment of Bill C-59: there’s much to like, but also room for improvement," Policy Options, 22 June 2017

Lee Berthiaume, "New national security approach lets electronic spy agency play cyber-offence," Canadian Press, 20 June 2017

Amanda Connolly, "CSE getting 'proactive' mandate overhaul in major national security reform bill," iPolitics, 20 June 2017

Carl Meyer, "Goodale asks Parliament to expand electronic spying powers," National Observer, 20 June 2017


Monday, June 19, 2017

CSE releases report on electoral threats



On June 16th, CSE released Cyber Threats to Canada's Democratic Process, a public report assessing the various ways cyber activities might threaten Canada's electoral system.

CSE has made basic cybersecurity advice publicly available on its website for many years, but this report—which was requested by the Prime Minister in the mandate letter he issued to Minister of Democratic Institutions Karina Gould in February 2017—was the first of its kind by CSE.

The 38-page report discusses three ways in which cyber activities might be used to affect the electoral process: impeding or corrupting the voting process itself; stealing and exploiting information about politicians and political parties; and covertly influencing the public's political views by manipulating traditional and social media.

The document restricts itself to a general overview of the ways in which these threats might manifest themselves in Canada's federal, provincial, and municipal politics, and concludes (among other points) that:
  • Cyber threat activity against the democratic process is increasing around the world, and Canada is not immune. In 2015, during the federal election, Canada’s democratic process was targeted by low-sophistication cyber threat activity. It is highly probable that the perpetrators were hacktivists and cybercriminals, and the details of the most impactful incidents were reported on by several Canadian media organizations.
  • A small number of nation-states have undertaken the majority of the cyber activity against democratic processes worldwide, and we judge that, almost certainly, they are the most capable adversaries.
  • However, to date, we have not observed nation-states using cyber capabilities with the purpose of influencing the democratic process in Canada during an election. We assess that whether this remains the case in 2019 will depend on how Canada’s nation-state adversaries perceive Canada’s foreign and domestic policies, and on the spectrum of policies espoused by Canadian federal candidates in 2019.
  • We expect that multiple hacktivist groups will very likely deploy cyber capabilities in an attempt to influence the democratic process during the 2019 federal election. We anticipate that much of this activity will be low-sophistication, though we expect that some influence activities will be well-planned and target more than one aspect of the democratic process.
  • Regarding Canada’s democratic process at the federal level, we assess that, almost certainly, political parties and politicians, and the media are more vulnerable to cyber threats and related influence operations than the election activities themselves. This is because federal elections are largely paper-based and Elections Canada has a number of legal, procedural, and information technology measures in place.
  • We assess that the threat to Canada’s democratic process at the sub-national level (i.e. provincial/territorial and municipal) is very likely to remain at its current low level. However, some of Canada’s sub-national political parties and politicians, electoral activities, and media are likely to come under increasing threat from nation-states and hacktivists.

All of this is pretty common sense for anyone who's been paying attention to the world for the past couple of years—although it's certainly noteworthy that, to date, CSE has not observed nation-states using cyber capabilities to try to influence Canadian elections.

The document's ultimate value is likely to depend on whether it succeeds in kick-starting action on the part of Canadian political parties and others to actually reduce Canada's future vulnerability to such threats.

This document explicitly is not an action plan to accomplish that goal.

However, the Minister's mandate letter did direct her also to "ask CSE to offer advice to Canada’s political parties and Elections Canada on best practices when it comes to cyber security," and CSE does plan to do that. (In fact, Elections Canada is already a recipient of CSE's cyber defence advice and services.) The agency will discuss the findings of the report with all federal political parties that wish to participate at a meeting to be held next Tuesday, June the 20th.

According to a background briefing that CSE kindly invited me to take part in (along with a number of other researchers), the agency will explore with the parties whether it would be useful to provide further, more detailed advice or training to some or all of them. One possibility would be to provide training to IT staffers at CSE's Information Technology Security Learning Centre. Perhaps more likely, however, would simply be provision of advice on the kinds of services parties should contract for in the private sector.

CSE will not be providing actual cyber defence services to the political parties, however.

The government considers Canada's democratic institutions to be "of importance to the Government of Canada", which gives CSE a legal mandate to provide IT security advice and guidance to those parties under s.273.64(1)(b) of the National Defence Act (i.e., CSE's Mandate B). But provision of actual protective services is restricted to the IT systems and networks of the government of Canada itself.

Nonetheless, a CSE official did confirm that warnings would be provided if, for example, the SIGINT side of the agency detected a foreign actor stealing data from a political party's computer system. Notification would come through the Public Safety Department's Canadian Cyber Incident Response Centre (CCIRC), which is responsible for assistance to critical infrastructure operators outside the federal government. Such notifications are routinely provided to CCIRC partners in such cases, according to the official.

[Update 20 June 2017: Under Bill C-59, which was announced and given first reading today, the government proposes to give CSE the power to also provide cybersecurity services to protect non-federal information infrastructures designated "of importance" to the government of Canada. Thus, the agency might in the future be able to provide such a service to political parties, if they request it.]

I also asked why CSE was the agency given the job of making the threat assessment in the first place. As the report itself acknowledges, the cyber threat to electoral systems is just one aspect, albeit a very important one, of a broader set of activities that could be used to undermine or improperly influence an election, including traditional espionage, propaganda, disinformation, covert funding, and blackmail or other coercion. Furthermore, as the report also acknowledges, the perpetrators of such actions can be purely domestic Canadian actors—the activities of which CSE should have very little insight into—as well as foreign actors.

Thus, it seems to me that, in both respects, the Canadian Security Intelligence Service would have been a more appropriate agency to make such an assessment, although it would certainly have needed to draw on CSE's cyber expertise when considering those aspects of the issue.

The response, which I didn't find entirely satisfying, was simply that CSE is the agency with the greatest expertise on cyber threat questions. Well, yes, indisputably, but that doesn't answer the points outlined in the paragraph above.

Ultimately, of course, the reason CSE produced the report is that the Prime Minister and the Minister of Democratic Institutions asked it to.

Unsurprisingly, Australia is also concerned about the possibility of interference in its electoral system, and its political parties are also receiving advice from that country's SIGINT/IT Security agency. However, as indicated in this report (Ronald Mizen, "Political parties vulnerable to state sponsored cyber attacks," Financial Review, 16 June 2017), the Australians may also consider providing funding to political parties to help them secure their systems.

Might Canada also consider putting money on the table? An interesting thought.


News coverage of the CSE report:

Lee Berthiaume, "Canada's spy agency expects cyberattacks during 2019 federal election," Canadian Press, 16 June 2017

Alex Boutilier, "Canada’s political parties, media vulnerable to foreign hacks, spy agency says," Toronto Star, 16 June 2017

Daniel Leblanc, "Spy agency to school political parties on cyberthreats," Globe and Mail, 16 June 2017

Justin Ling, "“Low sophistication” actors took aim at the last Canadian election," Vice News, 16 June 2017

Alex Boutilier, "Despite risk of cyber attacks, political parties still handle Canadians’ data with no rules in place," Toronto Star, 19 June 2017


Sunday, June 11, 2017

Canadian Forces to get offensive cyber capability — but questions remain

The Liberal government's defence policy statement, Strong, Secure, Engaged, released on June 7th, confirms that the Canadian Forces will acquire an offensive cyber capability:

"We will assume a more assertive posture in the cyber domain by hardening our defences, and by conducting active cyber operations against potential adversaries in the context of government-authorized military missions. Cyber operations will be subject to all applicable domestic law, international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments." (p. 15)

A slightly more expansive description is provided on p. 72 of the document:

"Defence can be affected by cyber threats at home and abroad — from attempts to steal sensitive information from our internal networks, to cyber attacks on the Canadian Armed Forces on deployed operations, to the use of cyberspace by terrorist organizations to spread disinformation, recruit fighters and finance their operations. Indeed, there has been a steady increase in the number of state and non-state actors developing the capability to conduct disruptive cyber operations.

"The Defence team works closely with the Communications Security Establishment, Public Safety Canada, Global Affairs Canada and Shared Services Canada on cyber issues. To date, this work has focused on strengthening the defence of important military systems, network monitoring and control, building the future cyber force, and integrating defensive cyber operations into broader military operations.

"However, a purely defensive cyber posture is no longer sufficient. Accordingly, we will develop the capability to conduct active cyber operations focused on external threats to Canada in the context of government-authorized military missions. The employment of this capability will be approved by the Government on a mission-by-mission basis consistent with the employment of other military assets, and will be subject to the same rigour as other military uses of force. Cyber operations will be subject to all applicable domestic and international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments."

Although few actual details are provided about either cyber operations or planned signals intelligence capabilities in general, the statement does report that:
  • The Canadian Forces will "Acquire joint signals intelligence capabilities that improve the military’s ability to collect and exploit electronic signals intelligence on expeditionary operations" and will "Improve cryptographic capabilities, information operations capabilities, and cyber capabilities to include: cyber security and situational awareness projects, cyber threat identification and response, and the development of military-specific information operations and offensive cyber operations capabilities able to target, exploit, influence, and attack in support of military operations." (p. 41)
  • "The Defence team will increase its intelligence capacity, and will examine its capabilities to understand and operate in the information environment, in support of the conduct of information and influence operations." (p. 66)
  • "[W]e will acquire an airborne intelligence surveillance and reconnaissance platform that will enhance the ability of our Special Operations Forces to improve their understanding of the operational environment." (p. 103)
  • "The Government will provide $4.6 billion for joint capability projects in domains such as cyber, intelligence as well as joint command and control over the next 20 years. This includes... $1.2 billion over the next 20 years for five new equipment projects and one information technology project. For example, the Combined Joint Intelligence Modernization project will provide a modern deployable intelligence centre for land-based operations, building on the lessons learned in recent operations." (p. 103)
  • "To better leverage cyber capabilities in support of military operations, the Defence team will: 87. Protect critical military networks and equipment from cyber attack by establishing a new Cyber Mission Assurance Program that will incorporate cyber security requirements into the procurement process. 88. Develop active cyber capabilities and employ them against potential adversaries in support of government-authorized military missions. 89. Grow and enhance the cyber force by creating a new Canadian Armed Forces Cyber Operator occupation to attract Canada’s best and brightest talent and significantly increasing the number of military personnel dedicated to cyber functions. [Question: Will this new occupation supplement the existing Communicator Research occupation or absorb and replace it?] 90. Use Reservists with specialized skill-sets to fill elements of the Canadian Armed Forces cyber force." (p. 73)
  • With respect to the last of these items, the Canadian Forces will "Assign Reserve Force units and formations new roles that provide full-time capability to the Canadian Armed Forces through part-time service, including: ... • Cyber Operators; • Intelligence Operators; ... and • Linguists" and "Enhance existing roles assigned to Reserve Force units and formations, including: • Information Operations (including Influence Activities)" (p. 69).

These details are welcome, but it seems to me that a number of important questions remain either unresolved or ambiguous in the defence policy statement.

Most importantly, at several points the document characterizes offensive cyber activities as taking place solely in the context of "government-authorized military missions", which would seem to mean that offensive cyber activities will be restricted to just a few specifically designated operations, such as Op Impact or Op Reassurance. Employment of cyber capabilities is to be approved by the government "on a mission-by-mission basis consistent with the employment of other military assets".

But "mission" could actually have a much broader meaning.

The document also outlines eight "core missions" of the Canadian Forces, covering everything that our military forces do (p. 82). These missions include detecting, deterring, and defending against threats to or attacks on Canada; detecting, deterring, and defending against threats to or attacks on North America in partnership with the United States; leading and/or contributing forces to NATO and coalition efforts to deter and defeat adversaries, including terrorists; leading and/or contributing to international peace operations and stabilization missions with the United Nations, NATO, and other multilateral partners; and providing assistance to civil authorities and law enforcement, including counter-terrorism, in support of national security and the security of Canadians abroad.

Could offensive cyber activities be authorized in support of wide-ranging, fundamental "missions" such as these?

Such a reading may seem implausibly broad.

But on page 60 the document states the Canadian Forces "will ensure that new challenges in the space and cyber domains do not threaten Canadian defence and security objectives and strategic interests, including the economy."

It will take a lot more than cyber operations against ISIS to protect the Canadian economy — or defend a wide range of other Canadian defence and security objectives and strategic interests — from cyber threats.

The document also states that Canada has a "responsibility to contribute to efforts to deter aggression by potential adversaries in all domains", including specifically the cyber domain (p. 50). That's a much broader goal than anything that can be accomplished in the context of a particular expeditionary operation. And it implies an ongoing, continuous mission, not a temporary activity that can be expected to end when this or that operation wraps up in a matter of months or a few years.

A broader reading of "mission" is also necessary if Canada's cyber forces are to take on the sort of roles assigned their Five Eyes partners, notably U.S. Cyber Command.

It would be nice to know just how wide the range of cyber missions envisaged by the government could be.

Another question relates to the role of the Communications Security Establishment.

Will all offensive cyber operations — other than those conducted domestically — be undertaken by military cyber operators (presumably members of the Canadian Forces Information Operations Group) acting under military command? Or will CSE have a role as well?

The CFIOG normally works very closely with CSE (in fact, under its direction much of the time), and CSE's expertise on cyber defence and cyber espionage activities would be of direct relevance to any offensive operations the Canadian Forces might undertake. CSE is also likely to have its own expertise on offensive operations that it may use for computer network defence purposes and may also provide from time to time in support of CSIS "disruption" activities.

So to what extent might CSE be called upon to provide support to the Canadian Forces for the conduct of offensive cyber operations? And to what extent might CSE conduct its own operations? This document is silent on those questions.

[Update 20 June 2017: Bill C-59, which was announced and given first reading today, answers some of these questions. The government is proposing to give CSE the power to conduct both "defensive cyber operations" to help protect systems and networks "of importance" to the government of Canada and "active cyber operations" (i.e., offensive cyber operations) against foreign individuals, groups, or states for defence, foreign policy, or security purposes. The bill would also explicitly enable CSE to provide technical and operational assistance to the Canadian Forces and Department of National Defence, including for cyber operations.]


For some earlier comments that I made on Canada and cyber war, see here.


Update 18 June 2017:

This article (Murray Brewster, "Civilian oversight key to offensive cyber operations, says expert," CBC News, 18 June 2017) suggests that the Special Operations Forces sub-unit that the government will "examine establishing" in the Reserve Force will be tasked with developing "offensive cyber capabilities, particularly in the area of information operations". I don't think that's what the government is considering doing.

As noted above, the new defence policy does call for recruiting Reserve Force cyber operators and assigning cyber and intelligence roles to certain unnamed Reserve Force units and formations, as well as enhancing the information operations role of the Reserves, but I think it's a stretch to suggest that the Special Forces unit under consideration would take on cyber war, or information operations in general, as a primary function.