Thursday, April 17, 2014

CSEC and the Heartbleed bug

CSEC asserts that it was not aware of the Heartbleed bug until April 7th, the day the public learned of the bug. However, as CBC points out, that was still one day before the Canada Revenue Agency shut down its website in a belated effort to prevent unauthorized data leakage (Valerie Boyer, "CSEC aware of Heartbleed bug day before CRA website shutdown," CBC News, 16 April 2014).

A Bloomberg news report on April 11th claimed that the NSA (and thus, almost certainly, CSEC) has been exploiting the bug for at least two years. The U.S. government has denied that report, claiming that it would have reported the bug if it had been aware of it. It does acknowledge, however, that not all of the cyber security flaws that NSA knows of are disclosed.

Whether or not NSA and CSEC are telling the truth, the issue highlights the conflict of interest that these agencies have between their SIGINT mandates and their IT security mandates.

CSEC's IT security mandate (see National Defence Act para. 273.64(1)(b)) applies only to "electronic information and... information infrastructures of importance to the Government of Canada", so CSEC most likely considers that protection of the average Canadian citizen from cyber security flaws is simply not its job. Indeed, it might well argue that it is not allowed to assist in that regard, as it would not be lawful for the agency to engage in activities outside its statutory mandate.

But even if protection of the public were part of its mandate, there is zero chance that CSEC would reveal a bug that it learned about from its SIGINT allies if those allies wanted the bug to remain secret. And even a Canadian-discovered bug might well be reserved for SIGINT use rather than revealed to the world, or even other Canadian government organizations, for IT security reasons.

The SIGINT side of the house dominates the activities of all the Five Eyes agencies.

That said, CSEC does have a mandate to help secure the Canadian government's cyber infrastructure, and it does make a significant contribution in that regard.

As I understand it, the Government of Canada Computer Incident Response Team (GC CIRT) is the organization directly responsible for responding to threats to Canadian government cyber systems. Formerly part of CSEC, GC CIRT was transferred to Shared Services Canada, the government IT services agency, on November 1st, 2013. CSEC remains mandated to assist in protecting the Government of Canada information infrastructure, however, and the agency has confirmed that it worked with “government departments on mitigation and protection measures to address the Heartbleed bug.” It may well have been CSEC that monitored the exploitation of the flaw on the CRA website, which probably happened on April 7/8th.

Whichever agency ultimately was responsible for protecting Canadian government websites in this case, the overall response does not seem very impressive. You have to wonder why it took so long to react to such a significant security flaw in a site as crucial as Revenue Canada's.

Related news coverage:

- Jordan Press, "Weekend of confusion for Canadians as ‘Heartbleed’ bug forces government website shutdowns," Montreal Gazette, 12 April 2014
- Matt Hartley, "CRA waited days to inform Canadians of SIN leak," Financial Post, 14 April 2014
- Richard Blackwell & Tu Thanh Ha, "Tax agency leaves Heartbleed victims in the dark about stolen data," Globe and Mail, 14 April 2014
- "Heartbleed SIN breach suspect ID'd by RCMP," CBC News, 15 April 2014
- Daniel Leblanc & Tu Thanh Ha, "RCMP charge teen in relation to Heartbleed bug attack on CRA," Globe and Mail, 16 April 2014

Also of interest:

- Canadian Cyber Incident Response Centre Advisory AV14-017, issued 8 April 2014
- CSEC's IT Security Alert 65, issued 10 April 2014

Thursday, April 10, 2014

CSEC roundup 10 April 2014

Recent news and commentary items related to CSEC:

- Jim Bronskill, "Canadian cyberspy agency CSEC fretted about staff after Snowden leaks," Canadian Press, 7 April 2014

- Joe Lofaro, "Canadians ‘should be outraged’ by WiFi spy allegations: Borg," Metro, 3 April 2014

- Trevor Greenway, "Government spying: What’s legal? What’s not?" Metro, 3 April 2014

- Mark Stone, "Think Canadians are Less Immune to Government Spying Than Americans? Think Again," Tech Vibes, 3 April 2014

- Daniel Tencer, "U.S. Pushes Canada To Loosen Privacy Laws," Huffington Post Canada, 3 April 2014. See also Ken Hanley, "Op-Ed: U.S. claims using EU companies to circumvent NSA spying unfair," Digital Journal, 10 April 2014.

- "Hey CSEC, stop spying on me," editorial, Globe and Mail, 2 April 2014

- David Christopher, "Canada talks back about secret spying," 19 March 2014

- Jim Bronskill, "ISPs Handing Over Data To Spies? Surprisingly, They Don't Want To Say," Canadian Press, 27 March 2014

- Christopher Parsons, "Accountability and Government Surveillance," Technology, Thoughts & Trinkets blog, 27 March 2014. Parsons reports on the government's response, or lack thereof, to a series of questions from MP Charmaine Borg concerning subscriber-related information obtained from telecommunications service providers. Full text of the responses from government departments here. As Parsons notes, CSEC's response (see page 66) was limited to uninformative boilerplate. Other coverage: Colin Freeze, "Border agency asked for Canadians’ telecom info 18,849 times in one year," Globe and Mail, 27 March 2014; Michael Geist, "Who Needs Lawful Access?: Cdn Telcos Hand Over Data on Thousands of Subscribers Without a Warrant," Michael Geist blog, 26 March 2014

- Derek James, "Bill C-13: Tories trying again to open door to undue state intrusion," Toronto Star, 26 March 2014

Also of interest, commentary related to Bill S-4, the new Digital Privacy Act (government backgrounder here):
- Michael Geist, "Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure," Michael Geist blog, 10 April 2014
- Tim Banks, "Canada’s Digital Privacy Rethink: Fines, Enforceable Compliance Agreements and More!" Privacy and Data Security Law blog, 9 April 2014

March 2014 CSEC staff size


(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Thursday, April 03, 2014

CSEC Chief testifies to National Defence committee

CSEC Chief John Forster and Minister of National Defence Rob Nicholson testified to the House of Commons Standing Committee on National Defence on April 3rd. (Audio available here; the transcript of the testimony won't be available for some time.)

Nicholson and Forster were originally scheduled to appear before the committee on March 6th, but that session was cancelled at the last minute, leaving observers wondering if Forster would appear before the committee at all.

It's reassuring to see that Forster's testimony did eventually take place.

The scheduled topics of discussion included questions related to the Supplementary Estimates (C) (and the activities in general) of the Department of National Defence as well as questions related to CSEC, so only part of the committee's time was dedicated to CSEC. But a lot of the discussion during the session did focus on CSEC.

Some detailed questions were posed by NDP defence critic Jack Harris and his colleague Elaine Michaud (although not perhaps the ones I or other outside observers might have asked), and some were also asked by Liberal Joyce Murray, but I don't think any especially new or enlightening information was provided by Forster or Nicholson in response. In some cases, Forster was unwilling even to provide information that has already been made public. Forster was very reluctant to confirm, for example, that one of the forms of support that CSEC may provide to federal law enforcement and security agencies is to intercept the communications of specific Canadians in cases where those agencies have a warrant to obtain those communications. (See here for confirmation of that role.)

We also got some softball questions from the government members. Ragging the puck is about all that government members are useful for on these committees, so I guess we shouldn't be too disappointed if that's all they do. Hope you enjoy your gold-plated pensions.

All in all, the meeting didn't do a lot to validate the government's claim that the National Defence committee is capable of performing genuine oversight over CSEC, but at least it was a start.

Let's hope the committee's "study of Communications Security Establishment Canada intelligence-gathering policies and practices" amounts to more than just this one part of one meeting.

Update 5 April 2014:

News coverage:

Colin Freeze, "CSEC dodges questions on relationship with Big Three telecom companies," Globe and Mail, 4 April 2014.

Update 10 April 2014: See excerpt of Harris's subsequent e-mail comments to Freeze here: "What happened on Thursday certainly couldn't pass for parliamentary oversight when MP's can't get straight answers on straightforward questions."

Tuesday, March 25, 2014

Robinson PGP key

I've decided I should (re)acquire the capability to use PGP (GnuPG to be precise).

I work under the assumption that any major SIGINT agency that decides it has a specific interest in my correspondence will always be able to find the means to access it regardless of whatever crypto precautions I might try to take, so don't take this step as an invitation to send me things you wouldn't want our five-eyed friends and their counterparts elsewhere to know about.

But nothing says that everyone in the general public should be forced to leave all of their correspondence open for anyone to read at any time, so acquiring PGP seems like a reasonable thing to do.

Here is my public key (key ID EFF608B9):


Monday, March 24, 2014


The latest edition of Jesse Brown's CANADALAND podcast features a conversation with Globe and Mail reporter Colin Freeze on the difficulties of covering intelligence/privacy issues in Canada even in the post-Snowden world: How Canada's Spies Game the Media

Freeze is one of the few journalists who has done extended coverage of intelligence-related issues in Canada and he has taken the lead on recent CSEC coverage. (Others worth mentioning include Jim Bronskill, Greg Weston, Michelle Shephard, Stewart Bell, Ian MacLeod, and Andrew Mitrovica.)

Well worth a listen.

(Oh, and thanks for the plug on your website, Jesse!)

Saturday, March 22, 2014

Meta-truth on mega-data

Every now and then it's fun to look back at earlier official assurances and compare them to what we know today.

This June 2013 statement by then-Defence Minister Peter MacKay, which I recently re-read while checking some other information, is a good example:
Mega-data is collected only on international, not domestic, communications.
Yes, he really did say mega-data instead of metadata.

But the fun part is re-reading MacKay's statement in the context of this recent revelation. (Further discussion here and here.)

SNOWGLOBE: CSEC analysis of suspected French spyware

Le Monde has published a report on CSEC's analysis of an e-mail spying operation that it discovered in November 2009. The operation targeted a number of organizations around the world, including a French-language media outlet in Canada. CSEC concluded that the source of the operation was probably France (Jacques Follorou & Martin Untersinger, "La France suspectée de cyberespionnage," Le Monde, 21 mars 2014).

See also: Jacques Follorou & Martin Untersinger, "Quand les Canadiens partent en chasse de « Babar »," Le Monde, 21 mars 2014.

The newspaper also published several slides from the CSEC PowerPoint presentation, one of the documents leaked by Edward Snowden, on which the Le Monde reports were based.

Globe and Mail coverage here: Tu Thanh Ha, "French spy software targeted Canada: report," Globe and Mail, 21 March 2014.

Monday, March 17, 2014

Recent news/commentary

Recent news and commentary items related to CSEC:

- Jim Bronskill, "Canada's electronic spy agency uncovers wrongdoing, ethics breaches," Canadian Press, 16 March 2014.

- Matthew Braga, "Why can't, or won't, your phone company detail data it shares with the feds?" Globe and Mail, 16 March 2014; see also Christopher Parsons, "The Murky State of Canadian Telecommunications Surveillance," 6 March 2014.

- John Adams, "Making the case for metadata," iPolitics, 14 March 2014; see also the longer version here. (The former Chief of CSEC defends the agency's operations, while reiterating his support for greater parliamentary scrutiny. In the iPolitics version, but not the longer version, Adams also makes the intriguing statement that there is within CSEC "an internal audit committee which includes external-to-government members, with access to any and all activities carried out by CSEC" in order to help keep an eye on the agency (emphasis added). He is not talking about the CSE Commissioner, whom he discusses separately. What is the nature of this committee, and who are these external-to-government individuals?)

- Alex Boutilier, "Ottawa imposes life-long gag order on bureaucrats, lawyers," Toronto Star, 13 March 2014. (Additional organizations added to the list of persons "permanently bound to secrecy".)

- Jordan Press, "Canada’s military squeezed out of cyber-defence, emails warn," Vancouver Province, 12 March 2014

- Michael Geist, "If U.S. Cloud Computing Isn't Good Enough for the Canadian Government, Why Should It Be for You?" Michael Geist blog, 12 March 2014

- Colin Freeze, "Spy agency’s memos to minister shed light on secretive practices," Globe and Mail, 7 March 2014 (available only to subscribers, but you can read the bits of the memos that were released here)