Sunday, December 14, 2014

CSE and hacking of telecom operations

More evidence of the extent to which CSE is involved in Five Eyes efforts to hack into the systems of telecommunications providers can be found in this document, which was published by The Intercept in conjunction with its most recent article on the Belgacom penetration (Ryan Gallagher, "Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco," The Intercept, 13 December 2014).

The document is a 2011 joint presentation titled "Automated NOC [Network Operations Centre] Detection" authored by the Head of the GCHQ Network Analysis Centre and a Senior Network Analyst at CSE's own Network Analysis Centre. It discusses the work of the Five Eyes "Network Analysis community" to "automate the detection of Network Operations Centres" in order to facilitate subsequent efforts to hack into those centres.

The presentation reports that
During March 2011 GCHQ Analysts visited CSEC to look at the [sic] using PENTAHO for tradecraft modelling working with CSEC NAC and CSEC/H3 software developers to see if could model NOCTURNAL SURGE in PENTAHO and then implement in OLYMPIA

Only possible to attempt because:
– CSEC NAC have implemented GCHQ NAC TIDAL SURGE Database Schema (DSD also have this..)
According to the article in The Intercept, NOCTURNAL SURGE is a tool developed by GCHQ "to search for particular engineers and system administrators by finding their IP addresses, unique identifiers that are allocated to computers when they connect to the internet."

OLYMPIA is a more general-purpose CSE-developed tool to help analysts identify potential SIGINT targets and compile information about their communications systems and contacts. It provides automated access to a wide variety of CSE and allied SIGINT and communications databases. (More information here.)

The Intercept report interprets the presentation to mean that "GCHQ refined the NOCTURNAL SURGE system with the help of its Canadian counterparts, who had developed a similar tool, named PENTAHO."

I wonder whether PENTAHO might simply be the data analysis software produced by the company of the same name, but either way the presentation is clear evidence of CSE interest in targeting telecom operators.

A report earlier this month in The Intercept also provided evidence of CSE involvement in such efforts.

Interestingly, CSE's infamous "airport wi-fi" experiment was also conducted by the CSE Network Analysis Centre, which seems to be the go-to place at CSE for anything related to analyzing/monitoring the Internet or computer networks in general.

The H3 unit, on the other hand, seems to be a software development shop. H3 also turns up in this document.

(H/T to Ron Deibert.)

Wednesday, December 10, 2014

CSE and supercomputers

Who has the most powerful supercomputers in Canada?

According to the well-known Top500 list, the top supercomputers in Canada in terms of peak processing speed are operated by SOSCIP/LKSAVI/University of Toronto, “IT Service Provider C”, SciNet/University of Toronto/Compute Canada, and Calcul Canada/Calcul Québec/Université de Sherbrooke.

SOSCIP frequently boasts that its supercomputer “is the fastest in Canada on the TOP500 list of the world's top supercomputers”.

But there is at least one Canadian institution that doesn’t report its computer capabilities to the Top500 list: the Communications Security Establishment.

In 1985, when CSE entered the supercomputing business, the Cray X-MP/11 it acquired was definitely the most powerful computer in the country.

But that was a long time ago, and today that computer is just a piece of computer history.

Still, it is likely that CSE’s subsequent supercomputer acquisitions, including successive generations of Cray products, have kept the agency at or near the top of the Canadian list ever since.

In general terms, this is no secret.

In 2004, member of parliament David Price, noting the post-9/11 computer purchases made by CSE, asked CSE Chief Keith Coulter if “we are still one of the top ones… in the world with the system that we do have.” Coulter’s reply was, “Yes. Top in the world? We're definitely one of the top in the country. The National Security Agency has more computing power than any organization in the world.”

CSE remains coy about the exact nature of its high performance computing capabilities, but as recently as 2013 it was willing to state that “CSEC is Canada's centre for high performance computing”, operating “state-of-the-art equipment”. Its recruiting site currently states that CSE operates “some of the most powerful computers in Canada”, and until 2010 job notices specified that CSE “computer scientists utilize a variety of computer systems including SUN, HP and IBM servers, personal computers, DEC systems, and state-of-the-art computers such as the Cray.”

More specific claims occasionally turn up in news articles about the agency.

In 2012, it was reported that CSE’s new headquarters would house “the three most powerful supercomputers in Canada”. And a QMI Agency report in 2013 stated that CSE’s new headquarters will house “the country’s five most powerful computers”.

In neither case were these claims attributed to a specific source, and CSE has never confirmed either claim, but it is difficult to believe that these reporters would have reported such specific information if they hadn’t heard it directly from what they considered to be an inside source.

The level of performance required to rank as the country’s most powerful computer is a constantly moving target, of course, but the claims seem entirely plausible.

In 2011, CSE completed a brand-new high-performance computing centre, the Mid-Term Accommodation Project, now known as Pod 1 of CSE’s new headquarters complex.

Pod 1 was a very expensive building for its size, costing $61.5 million according to CSE. A simple high-security office building of the same size would have cost about $25 million to build, so it’s probably a safe assumption that, in addition to covering the cost of electrical distribution systems, uninterruptible power supplies, and cooling systems required by a data centre, the building’s budget also covered the purchase of some pretty significant computer capabilities.

It is also likely that substantial additional computer money has been made available since. CSE has not lacked for funds in recent years (see here and here), and there’s no reason to build a state-of-the-art computing centre if it’s not going to contain state-of-the-art computers.

As the news articles suggest, the building may well contain multiple high performance systems. (In addition, the data storage systems in the separate data warehouse also built at CSE’s new complex might also be considered a form of supercomputer.)

As the systems on the Top500 list show, a variety of different manufacturers produce supercomputing systems, and it is possible, perhaps even likely, that CSE has obtained systems from more than one company. It seems certain, however, that one or more Cray systems continue to be in use at CSE.

Cray has maintained a close relationship with the major Five Eyes SIGINT agencies throughout the history of the various companies that have borne that name, and as noted above, CSE was acknowledging its own continuing relationship with Cray as recently as 2010.

It is surely no coincidence that Cray Inc. is currently looking for a Customer Service Systems Engineer to “provide hardware and software technical support and maintenance for Cray Inc. massively parallel (MPP) computer systems” at a “classified account headquartered in Ottawa, Canada”. According to the notice, Canadian citizenship is “a must” for the job, as is a “Top Secret (SBI) security clearance”.

Cray’s ad doesn’t reveal the name of its customer, but there’s only one Canadian agency that belongs to the Cray Users Group.

CSE’s Australian counterpart, the Australian Signals Directorate (previously known as the Defence Signals Directorate), acknowledged purchasing a $14.5 million Cray system in 2010.

Although no details of that system were released, at that cost and date it was probably a medium-sized XE6 system, or something with comparable performance, with a theoretical peak processing speed on the order of 300 teraFLOPS and consuming around 0.9 megawatts of electrical power. (This is a guess based on the reported performance and $45 million cost of the larger Cray Cielo system purchased by the U.S. that year.) If so, it was the most powerful supercomputer in Australia at the time and would have been roughly on par with the top publicly acknowledged supercomputer in Canada that same year.

Did CSE purchase something similar, or more powerful, for its new high performance computing centre in 2011?

The two cooling towers on the roof of Pod 1 provide a bit of a clue (photo courtesy of Chuck Clark).

The two towers, built by Evapco, appear to be from the company’s AT-112-514 to 112-914 series, which means that each tower is capable of providing 494–574 tons of nominal cooling. If both towers were in full use, this would provide cooling for equipment consuming roughly 3.5 to 4 megawatts, of which the IT load might comprise around 3 megawatts. (At least, that’s what I think can be concluded; I would be grateful if readers would correct any errors in the preceding.)

If these conclusions are correct, then Pod 1 has the capability of supporting a much more capable computer system, or set of systems, than that apparently purchased by ASD in 2010. (Moreover, there is space available in the enclosure on the roof for an additional cooling tower, suggesting that the building was designed to accommodate even greater cooling capacity if it is ever required.)

If the building was using its full two-tower cooling capacity in 2011, it would have been capable of supporting the equivalent of the entire “Hopper” system, with a theoretical peak performance of 1289 teraFLOPS, or three copies of the “Gaea C2” system, each with a theoretical peak performance of 716 teraFLOPS. The latter would certainly have been the three most powerful supercomputers in Canada at the time.

Of course, it is likely that the systems actually in use in Pod 1 require less than the maximum amount of cooling that the facility is capable of providing—quite possibly a lot less.

The site that hosts the #1 and #3 Canadian systems on the current Top500 list was built to accommodate a 4-megawatt load, about the same as Pod 1, but those two systems currently require only about 1.3 megawatts (plus whatever cooling and other support load is required at various times).

Further complicating analysis based on power consumption is the fact that the ratio of performance to electrical consumption in supercomputer systems is very sensitive to the design and especially to the date of construction of the system. The #3 computer mentioned above, about 37% as fast as the #1 system but about five years older, requires more than three times as much power as the #1 system requires (more than eight times as much per calculation).

Overall, however, I suspect that these factors increase the likelihood that CSE has the country’s top supercomputers.

Given Pod 1’s more recent construction, and CSE’s generous budgets in recent years, it seems likely both that CSE’s systems are more up to date and thus more power-efficient than the #3 system mentioned above and that Pod 1’s capacity is more fully utilized than the SciNet site’s.

Tuesday, December 09, 2014

November 2014 CSE staff size

2254, another new high.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Friday, December 05, 2014

CSE and NTAT cooperation

One of the NSA documents released in conjunction with The Intercept's new article on Five Eyes cellphone monitoring programs (Ryan Gallagher, "Operation Auroragold: How the NSA Hacks Cellphone Networks Worldwide," The Intercept, 4 December 2014) lists examples of CSEC cooperation with the (NSA?) Network Analysis Tradecraft Advancement Team (NTAT).

According to The Intercept, the document dates from 2010.

Update 10 December 2014:

Marc Thibodeau, "Cellulaires sous haute surveillance," La Presse, 9 décembre 2014.

Wednesday, November 26, 2014

Deibert on cybersecurity and democratic values

Must-read article from Citizen Lab's Ron Deibert on the dangers posed by putting cyberfoxes in charge of hen house security ("The Cyber Security Syndrome,", 25 November 2014):
What do we mean when we say “cyber security?” What is it, exactly, that we are securing? And for whom? Are we securing the Internet as a whole — that vast global information infrastructure that envelops the planet, from the code to satellites, the handheld devices, and everything in between?

Or, instead, do we mean ‘we protect our nation’s cyberspace first and others second, if at all’? Do we regard other nations’ networks as fair game to be “exploited” in order to gain competitive advantage?

The tension between these points of view is not unique to cyber security, but reflects a deeper tension at the heart of global politics today: between a slowly emerging sense of global responsibility and citizenship on the one hand, and the old Westphalian nation-state system on the other.

While the rift runs deep at the extremes, these competing worldviews can be reconciled. Indeed, for human rights to achieve their promise they must be entrenched across the globe by sovereign democratic states. Governments that are premised on human rights and the rule of law need agencies to domestically enforce the law while guarding their citizens from extremism or international violence.

But also fundamental to a liberal democratic society is that these agencies be highly accountable, transparent to democratically elected representatives, and unleashed to act only in tightly circumscribed ways; loosen those checks and balances, and you begin to unravel what it means to be a liberal democracy in the first place.
Worth reading the whole piece.

Thursday, November 20, 2014

Liaison office concerns

Jim Bronskill has written an interesting piece on the problems CSE's liaison officers have been experiencing in recent years ("Poor training, communication bedevilled Canada's Five Eyes liaisons: evaluation," Canadian Press, 19 November 2014):
Lack of training, poor communication with head office and sketchy expectations hampered the Canadian liaison teams embedded in the electronic spy agencies of Ottawa's Five Eyes partners, says a newly declassified evaluation.

The Ottawa-based Communications Security Establishment's foreign relations program is key to helping the spy service do its work, given the importance of relations with counterparts in the United States, Britain, Australia and New Zealand, the internal evaluation concludes.

But it calls for several changes to "achieve greater effectiveness and efficiencies."

The Canadian Press obtained a heavily censored copy of the August 2012 evaluation — originally classified "Secret/Canadian Eyes Only" — under the Access to Information Act.


CSE has special liaison offices at the U.S. National Security Agency and Britain's Government Communications Headquarters, as well as one in Canberra that provides representation to the electronic spy services of Australia and New Zealand.

In turn, Canada hosts members of the four foreign agencies.

The study found advance briefings for Canadian liaison staff sent overseas was largely limited to information about living and working abroad.

"Operational training offered to posted employees is scarce and self-initiated," the evaluation report says.

Staff heading to the foreign posts had to book meetings with CSE directors or enrol in internal courses. However, some noted that formal classroom training was not necessarily helpful.

"Rather, they felt that spending some time working with various operational areas during the pre-posting phase was often very beneficial."

In addition, liaison directors "seldom received feedback" on the initial planning documents they submitted to superiors.

Once on the job, the directors felt they were "often ill-informed" about developments at CSE headquarters. Management at CSE also expressed a desire for better communication. A senior manager lamented that information he received from one foreign post in particular was often either already known or outdated by the time it was sent to CSE.

"Because these employees are out of the country, it is very important that they have effective and reliable communications available to them," the report says.

CSE employees who took the foreign positions essentially gave up their previous jobs and CSE didn't have a formal process for reintegrating them into the Ottawa fold once their posting was done, it adds.

Upon return, posted employees "are often required to fill positions unrelated to their area of expertise and the experience and knowledge gained from the foreign posting are not exploited."

CSE spokesman Ryan Foreman said most of the evaluation's recommendations had been implemented, with the rest expected to be complete later this year.
Also interesting is this fact box on CSE's liaison offices, which reports the dates when the liaison offices were established. The years when the offices were established were already known, but the month of establishment was known only in the case of the office at GCHQ.

Here's a list of the Canadian Special Liaison Officers (CANSLOs) to NSA and GCHQ I compiled several years ago. The names of the more recent CANSLOs don't seem to be available, but every now and then one turns up.

I have also written a bit on the 2009 establishment of the CANSLO/C-W in Canberra. The first CANSLO/C-W was (evidently) a woman, but no names have been released so far.

Back in the old days, the job of CANSLO/W was often given to mid-ranking officers who were considered destined for greater things. The last two Chiefs of CSE to come from inside the ranks of the agency, Peter Hunt and Stew Woolner, both served as CANSLO/W earlier in their careers. (Since 1999, all Chiefs have been selected from outside the agency.)

The CANSLO/L slot, on the other hand, gained a reputation as a plum posting for senior officers just prior to retirement.

Undoubtedly there were exceptions to those patterns even then; it would be interesting to know if they continue to some degree today.

The liaison offices normally have several people posted to them, not just the liaison officer. During the Cold War period, there were (I believe) about four people at the NSA office and two at the GCHQ office. No information on the current size of these offices has been made public.

[Update 14 December 2014: Actually, the "CSEC 101: Foundational Learning Curriculum" document, released last year to Globe and Mail reporter Colin Freeze, indicates that the CANSLO/L office at GCHQ had three people assigned to it as of January 2013 (see page 447). The number of people at the CANSLO/W office at NSA is redacted but was at least six (see page 444). CSE "integrees" are not included in these figures.]

By contrast, in 2008 the NSA's liaison office at CSE had 12 people attached to it. It is possible, however, that this total included NSA "integrees" serving on exchange with CSE.

Tuesday, November 18, 2014

October 2014 CSE staff size

2238, a new high.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Collection of private communications under CSE's cyber defence program

Documents recently released under the Access to Information Act reveal that thousands of "private communications" of Canadians were collected and used or retained by CSE in the course of its cyber defence operations during a recent one-year period.

The precise number of communications used or retained is redacted in the documents released to Globe and Mail reporter Colin Freeze. But analysis of the size of the redactions indicates that the number is somewhere between 1000 and 3996, which means that it is 15 to 60 times as large as the total of 66 private communications collected and used or retained by CSE’s foreign intelligence program during fiscal year 2012-13, as recently reported by the CSE Commissioner.

CSE's Cyber Defence Activities Annual Report on Private Communications for the period from 1 December 2012 to 30 November 2013 begins on page 5 of the documents. The total number of private communications, abbreviated as PC, used or retained by CSE during the year is reported on the next page.

That number is redacted, but it can clearly be seen that there is room for a four-digit number in the censored space, indicating that the number was somewhere between 1000 and 9999.

Summaries of quarterly reports were also released with the documents. The summaries for the four quarters comprising the 2012-13 reporting year can be found on pages 9 and 10. In each case, these summaries show that a three-digit number of private communications (i.e., somewhere between 100 and 999) were used or retained during the quarter, meaning that the annual total cannot have been higher than 3996.

Together these ranges indicate that the total number of private communications used or retained by CSE in the course of cyber defence operations was between 1000 and 3996 in 2012-13, a number that dwarfs the 66 used or retained in the course of its foreign intelligence operations around the same time.

The quarterly reports that were released to Freeze cover more than just the 2012-13 year, and all of the reports from the 1 March 2011 to 31 May 2014 period note that an apparently significant but redacted two-digit percentage of the communications used or retained by the cyber defence program "consisted of emails that contained malicious code" or "emails containing malicious links or attachments attempting to compromise Government of Canada (GC) systems and networks."

This suggests that a large percentage of the communications used or retained may have consisted either of e-mails sent by Canadians with the deliberate intent of compromising or damaging government systems or (probably more often) e-mails sent from compromised Canadian computers without the knowledge of the Canadian owner.

Either way, few people are likely to object to such communications being used or retained by cyber defence authorities.

Of greater potential concern is that some of the communications monitored in the course of cyber defence operations could end up containing information considered useful by the intelligence side of the agency. (Which is not to say that such use would itself necessarily be unjustified.)

The quarterly reports for the 11 March 2010 to 31 November 2011 period all note that a redacted number of communications (sometimes two, sometimes three digits) were "shared with SIGINT".

For example, the four reports that cover the 1 December 2010 to 31 November 2011 reportng year feature 2 three-digit redactions and 2 two-digit redactions, indicating that the total number of private communications "shared" during that year was somewhere between 220 and 2196 ((100 to 999) + (100 to 999) + (10 to 99) + (10 to 99)). Even if the actual figure is at the bottom end of this range, this suggests that the number shared was more than three times as great as the 66 private communications collected and used/retained by the foreign intelligence (SIGINT) program itself during fiscal year 2012-13; in theory, it could be as much as 33 times as great.

Did "sharing" with the SIGINT program continue after 2011? The documents released don't answer that question one way or the other.

If it does continue, the above figures suggest that the number of private communications obtained by the SIGINT program through the cyber defence backdoor could very significantly exceed the number obtained (or at least the number used or retained) through the SIGINT program’s own collection efforts.