Saturday, April 30, 2016

Recent items of interest

Recent news and commentary related to CSE or signals intelligence in general:

- Matthew Braga, "Canada Needs to Revive the Encryption Debate It Had in the 1990s," Motherboard, 26 April 2016.

- "Minister Sajjan delivers keynote address at the 2016 SINET IT Security Entrepreneurs Forum," Government of Canada news release, 20 April 2016. Text of the speech here. [Update 6 May 2016: I don't know where the Minister or his speechwriters got the idea that CSE has been around for "close to 75 years". CSE (then called CBNRC) was born on 1 September 1946, or close to 70 years ago.]

- Alex Boutilier, "Canada’s spies closely watching quantum tech developments," Toronto Star, 20 April 2016.

- Victoria Ahearn, "5 moments from The Good Wife’s visit to Toronto," Canadian Press, 18 April 2016. CSE makes a cameo appearance in the U.S. TV series The Good Wife. But they got the CSE badge wrong (HT to Justin Ling).

- Jordan Pearson & Justin Ling, "Exclusive: How Canadian Police Intercept and Read Encrypted BlackBerry Messages," Motherboard, 14 April 2016. See also Justin Ling & Jordan Pearson, "Exclusive: Canadian Police Obtained BlackBerry’s Global Decryption Key," Vice News, 14 April 2016; Jordan Pearson, "Canada Desperately Needs to Have a Public Debate About Encryption," Motherboard, 14 April 2016; and Justin Ling, "BlackBerry's CEO Won’t Answer Media Calls, Instead He Blogged About Cooperating With Canadian Cops," Vice News, 18 April 2016. Chen's blog post. CSE's March 2011 warning on the (in)security of BlackBerry PIN-to-PIN messaging. Chris Parsons on the vulnerability of BlackBerry messages.

- Ben Makuch, "The 'Darth Vader' of Cyberwar Sold Services to Canada," Vice News, 11 April 2016.

- "Spy Shit," Canadaland podcast episode 129, 10 April 2016. Matt Braga and Jesse Brown discuss "the Panama Papers, CSIS, C-51, and Ben Makuch's ongoing battle with the RCMP". Well worth a listen, but the statement (at about 13:50) that the CSE Commissioner has never declared CSE in violation of the law is not correct.

- Leslie Young, "Former CSIS head Richard Fadden says Canada could someday carry out cyber attacks," Global News, 6 April 2016. More here.

- Sunny Dhillon, "Edward Snowden's talk in Vancouver had an 'electric quality'," Globe and Mail, 6 April 2016.

- Ron Deibert, "My conversation with Edward Snowden," Ronald Deibert blog, 3 April 2016. Video here: "Fireside Chat: Ron Deibert, Edward Snowden & Amie Stephanovich," RightsCon, 1 April 2016. Interesting Snowden comment: "It's true, [CSE's] oversight is hideous, because it was never really thought about. But there's a reason for that. In my experience of the Five Eyes, the Canadian intelligence services were always the least aggressive, they were the least adventurous, they didn't really push the legal boundaries. It was difficult to target Canadians, legally and so on and so forth, for surveillance. And it wasn't until the recent government—I'm not Canadian so I'm not going to name [garbled], I believe it was the Harper government—that things really started to change and oversight became much more important because they became much more aggressive in a short period of time."

- Alex Boutilier, "Canada’s spy agencies looking to work together more, say top secret documents," Toronto Star, 2 April 2016.

- Jim Bronskill, "Government instructions to CSIS on bill C-51 to remain largely secret," Canadian Press, 27 March 2016.

- Jim Bronskill, "Federal agencies sharing information under Bill C-51 provisions," Canadian Press, 24 March 2016.

- Ian MacLeod, "Spy agency watchdog ‘in a difficult position’ with huge budget cuts looming," Ottawa Citizen, 24 March 2016. Possibly a sign the government is planning a major overhaul of the various review agencies?

- Colin Freeze, "RCMP, CSIS see no significant support for operations from federal budget," Globe and Mail, 23 March 2016.

- Colin Freeze, "B.C. multimillionaire pleads guilty to hacking into U.S. military for China," Globe and Mail, 22 March 2016.

- Kyle Matthews & Chantalle Gonzalez, "Our mission against ISIL has one major flaw — it ignores the Internet," National Post, 22 March 2016.

- Dylan Robertson, "Canada Doubles Spending on Counter-Radicalization," Vice News, 22 March 2016.

- Matthew Braga & Colin Freeze, "Agencies did not get federal authorization to use surveillance devices," Globe and Mail, 11 March 2016.

- Emma Loop, "The Drone And The Damage Done: How Canada’s UAV Operation Wounded Its Own," Buzzfeed, 16 March 2016.

- Karen DeYoung, "Canada to boost its advise-and-train mission, intelligence capabilities in Iraq," Washington Post, 11 March 2016.

- B.C. Civil Liberties Association et al., "The necessary components of an effective and integrated national security accountability framework for Canada," 9 March 2016.

- Susan Lunn, "Ralph Goodale says Ukraine cyberattack caused 'international anxiety'," CBC News, 8 March 2016.

- Alex Boutilier, "Cyber security review still in early days, Public Security officials tell Senate," Toronto Star, 7 March 2016.

- Peter Zimonjic, "CSIS head says new powers to disrupt plots used almost 2 dozen times," CBC News, 7 March 2016.

- Colin Freeze, "Documents reveal CSIS wary of Bill C-51 reforms," Globe and Mail, 3 March 2016. The documents.

- David Christopher, "Adopting the UK model won't be enough for Ralph Goodale to address Canada's spy oversight woes," OpenMedia, 26 February 2016.

- Editorial, "Give Parliament the power to scrutinize spy agencies," Toronto Star, 24 February 2016. Response from CSE Chief Greta Bossenmaier.

- Matthew Braga, "Why Canada isn’t having a policy debate over encryption," Globe and Mail, 23 February 2016.

- Alex Boutilier, "Canada’s spies expecting a budget boost," Toronto Star, 23 February 2016. More on CSE's budget here.

- Amanda Connolly, "‘It’s impossible’ to know impact of CSE metadata glitch: commissioner," iPolitics, 22 February 2016. More here.

- Alex Boutilier, "CSE can assist in ‘threat reduction’ without a warrant, documents show," Toronto Star, 20 February 2016.

- Daniel Lang, "Why don't we charge more people with terrorism?" Toronto Sun, 19 February 2016.

- Lucas Powers, "Apple's encryption battle with the FBI could spill into Canada," CBC News, 19 February 2016.

- Bruce Campion-Smith, "Canada’s spy agency CSIS gears up for expanded role in Islamic State fight," Toronto Star, 18 February 2016.

- Luc Portelance & Ray Boisvert, "It’s time for Canada to get serious about national security," National Post, 16 February 2016. See also Stewart Bell, "Canadian security agencies under strain while threats have ‘seldom been so high,’ former senior officials say," National Post, 16 February 2016.

Also of interest: CSE now has a Twitter feed. Maybe this is what the Minister had in mind when he said he has "directed CSE to find new opportunities to communicate with the public more openly about their activities." I can't say it has done much to demystify the place so far. I have a suggestion that I've made in the past, but which I think bears repeating. How about reinstating the degree of public reporting that existed prior to November 2011, when CSE became a stand-alone agency?

Do "old" opportunities not count?

SIGINT history:

The word on the grapevine is that CSE, in a fit of brainlessness some time ago, destroyed the only copies of A History of the Examination Unit: 1941-1945, Gilbert Robinson's July 1945 history of Canada's first cryptanalytic organization. If true, the significantly redacted but still somewhat useful version released many years ago under the Access to Information Act, preserved by me and presumably some other folks, may be all we have left. I'd be very pleased to report that this is not true and the document does still exist in its complete form.

Saturday, April 16, 2016

Canada and cyber war

Should Canada have an offensive cyber war capability? Comments by former National Security Advisor Richard Fadden, who retired at the end of March, suggest that Canadians need to debate this question.

Fadden raised the issue in a recent wide-ranging interview with Tom Clark of Global News. (You can watch the interview here.)

The discussion unfortunately conflated the concepts of cyber attack (also known as Computer Network Attack) and cyber spying (Computer Network Exploitation). Chinese cyber espionage operations against Canadian targets were described as "cyber attacks", for example, as if the operations were attempting to destroy or damage Canadian data or systems, or even the physical infrastructure they control, rather than simply trying to steal information.

This blog does not endorse pedantry for the sake of pedantry, but in this case a little terminological clarity would be helpful.

Computer Network Operations are commonly divided into three kinds of activity: Computer Network Attack (CNA), Computer Network Defence (CND), and Computer Network Exploitation (CNE). Stealing information falls into the category of Computer Network Exploitation.

As the diagram above shows, there are important overlaps between these three activities. CNE can be used to find vulnerabilities in an adversary's systems and prepare the ground for CNA. CNA can contribute to the effectiveness of CND. CND can collect information about adversary capabilities that can be used to support CNE operations.

All three activities draw on the same kinds of capabilities and can be used to support the others.

But there is still a crucial distinction to be drawn between cyber espionage and cyber war. One is spying, and Canada—through CSE—is already deeply engaged in it. The other seeks to damage or destroy data or information systems or even, potentially, to destroy physical objects and kill people. Cyber warfare can range from simple disruption, interfering with the communications of a terrorist organization for example, to total war.

Should Canada develop a cyber war capability?

“It may well be that in some circumstances it’s something that we’d want to do,” Fadden suggests in the interview.

But he also says it would be "expensive and dangerous", and he argues for greater emphasis on CND: "Personally I think we should be better at defensive. Really develop our capacity to resist these attacks and to make sure that people understand the level of threat that we’re under."

So, put him down—tentatively at least—as a cyber war skeptic.

It all sounds very hypothetical.

But I suspect Fadden chose to raise the issue because Canada is moving rapidly towards creating a CNA capability, and it is doing so largely in the dark, with very little public awareness or debate.

NITRO ZEUS: CNA against Iran

Recent revelations about U.S. and Israeli contingency plans for a major cyber war campaign against Iran highlight the extent to which CNA capabilities are moving from the theoretical to the real.

The Stuxnet worm, which the U.S. and Israel used to damage and delay Iran's uranium enrichment program, is the best-known example of a state-sponsored CNA operation.

But Stuxnet was only the tip of the iceberg. According to the New York Times (David E. Sanger & Mark Mazzetti, "U.S. Had Cyberattack Plan if Iran Nuclear Dispute Led to Conflict," New York Times, 16 February 2016), preparations were made for a much wider range of attacks against Iran's "air defenses, communications systems and crucial parts of its power grid" in the event that the dispute over Iran's nuclear program escalated into open use of force.

Preparations for the campaign, codenamed NITRO ZEUS, began in early 2009, and ultimately involved "thousands of American military and intelligence personnel, spending tens of millions of dollars and placing electronic implants in Iranian computer networks to “prepare the battlefield,” in the parlance of the Pentagon."

The operation was envisaged as an adjunct, or possibly an alternative, to a traditional military campaign against Iran. Bringing Israel on board was seen in part as a means of restraining the Netanyahu government from launching a unilateral attack that might prematurely foreclose options for resolving the dispute diplomatically. (More about NITRO ZEUS here.)

Unlike traditional military contingency plans, which normally don't involve actual operations within the target country prior to a decision to go to war, preparations for cyber operations require prior entry into the systems that ultimately would be attacked in order to choose targets, ensure access at the moment of attack, and maximize the effects of the operation. Thus, although the cyber warfare plan was never executed, preparations within the Iranian cyber infrastructure undoubtedly took place.

Similar contingency plans are probably also in place for other potential adversaries such as China and Russia.

As a close NSA ally and a significant CNE player in its own right—one that we know had active operations in Iran at the time NITRO ZEUS preparations were apparently underway—CSE could not fail to be aware at some level of the presence of the U.S.-Israeli operation, although almost certainly not of its details. If nothing else, NSA would have wanted to ensure that CSE's CNE operations did not interfere with or accidentally expose the NITRO ZEUS preparations.

But there is no evidence of any direct Canadian involvement in the NITRO ZEUS preparations, and there's little reason to expect there would have been any Canadian involvement.


This 2013 NSA document describing the state of NSA-CSE cooperation confirms that the two agencies work together on CNE operations in the Middle East, among other regions, but it contains no suggestion that they collaborate on CNA operations.

There are many reasons why the U.S. might want to minimize the number of additional players whose participation would complicate as sensitive and tightly-held a CNA operation as NITRO ZEUS.

But the most important roadblock to such collaboration, at least as far as CSE is concerned, is that CSE has had little or no mandate to conduct CNA activities (although it has shown interest in such capabilities; see p. 22 here).

[Update 19 April 2016: An even better example can be found on p. 23 of this presentation, where CSE says "We will seek the authority to conduct a wide spectrum of Effects operations in support of our mandates."]

The 2015 passage of Bill C-51 has probably opened the way for CSE participation in small-scale CNA activities such as efforts to disrupt the operations of terrorist organizations. Since such activities can now be conducted by CSIS under the "disruption" powers granted to the agency in Bill C-51, CSE's Mandate C, which authorizes it to assist CSIS operations, should provide a legal basis for CSE participation in limited CNA activities under CSIS auspices.

Those powers are unlikely to extend to outright cyber warfare, however. Large-scale activities against the armed forces or domestic infrastructure of an adversary state on the scale of the NITRO ZEUS plan would probably require a different set of authorities.

The Canadian Forces and cyber war

Although CSE's CNE operators might be called upon to provide advice and assistance, large-scale offensive cyber operations would probably be executed by the Canadian Forces acting under the laws of war.

In the United States, a similar division of roles has already been formalized, with the Pentagon's Cyber Command, created in 2010, now responsible for CNA. Although run by the same officer who serves as Director of the NSA and able to draw upon NSA knowledge and resources, Cyber Command is a military organization under military command.

Canada does not yet have a direct equivalent to Cyber Command, but the development of CNA authorities and capabilities has been under discussion within the Canadian Forces for a long time.

A draft strategy paper called on the Canadian Forces to develop the ability to conduct offensive computer operations as long ago as July 2000 (Jim Bronskill, “Cyber-attack capability in military’s plans?” Edmonton Journal, 11 March 2001). [Update 19 April 2016: I am reminded by a reader that early discussions of these issues can be found in documents dating to the mid-1990s.]

But few if any steps were taken in the direction of creating an actual CNA capability for many years. A December 2009 report by DND's Centre for Operational Research and Analysis (CF Cyber Operations in the Future Cyber Environment Concept) confirmed that the CF's network operations were still "not established to conduct offensive network operations".

There is reason to believe, however, that this situation has begun to change.

In April 2011, DND created the position of Director General Cyber to help "develop the military’s future cyber capabilities", potentially including offensive capabilities (Chris Thatcher, "Operationalizing the cyber domain," Vanguard, 26 June 2013).

The current DG Cyber (or DG Cyber Warfare, or DG Cyberspace) is Brigadier General Frances J. Allen, a former Commander of the Canadian Forces Information Operations Group (CFIOG) and an early advocate of CNA capabilities for the CF. (Allen wrote a paper recommending the development of CNA capabilities in 2002 when she was still a lieutenant-colonel. [Update 22 April 2016: I mistakenly said major originally.])

More recently, in September 2015, Defence Minister Jason Kenney implied that such a capability either already exists or soon would, saying, "I think you can reasonably assume that when the military develops a command, it has to have the capability to be both offensive and defensive. Potentially hostile countries need to know that, if they are going to launch cyber attacks against our critical systems, Canada and its allies have the capacity to retaliate." (Justin Ling, "Canada’s Defense Minister Talks Fighting the Islamic State, Arming the Kurds, and Cyber Warfare," Vice News, 28 September 2015)

DG Cyber is not a command as such, but Kenney's comments do suggest that Canada may be close to fielding operational CNA capabilities.

The appointment in early 2015 of a Canadian Forces liaison officer to the U.S. Cyber Command also suggests the potential existence of Canadian CNA capabilities.

The discussion document prepared by the government for the current defence policy review (Defence Policy Review: Public Consultation Document 2016) is uninformative about the state of Canada's current cyber warfare capabilities, but it does at least admit that the question is one that needs to be addressed:

Cyber capabilities can be used to disrupt threats at their source, and can offer alternative options that can be utilized with less risk to personnel and that are potentially reversible and less destructive than traditional uses of force to achieve military objectives. Some of our key allies, such as the US and the UK, have stated that they are developing cyber capabilities to potentially conduct both defensive and offensive military activities in cyberspace. We must consider how to best position the Canadian military to operate effectively in this domain.

CNA versus ISIS

CSE and/or the Canadian Forces may already be operating offensively in the cyber domain in a limited way, conducting CNA operations against the Islamic State.

Fadden floated this possibility in a hypothetical way in his interview with Global:

If we have Canadian troops somewhere around the world, Iraq as an example, and they can use somewhat offensive cyber initiatives in order to reduce the threat that they and allies are facing, I would say that’s not an unreasonable thing for the public service to pull together and ask the government if they want to do.

My own suspicion (see Murray Brewster, "Canada's electronic spy service to take more prominent role in ISIS fight," Canadian Press, 18 February 2016) is that this possibility is considerably less hypothetical than Fadden's comments suggested. The only thing that has been confirmed to date, however, is that CSE is playing a force protection role in Operation Impact.

The U.S. recently acknowledged that its own forces have begun using cyber warfare capabilities against ISIS (Phil Stewart & David Alexander, "U.S. waging cyber war on Islamic State, commandos active," Reuters, 29 February 2016), and, unlike the NITRO ZEUS plan, it seems likely that a Canadian contribution to CNA operations against ISIS would be welcomed by the U.S.

The bigger picture

The development and spread of cyber warfare capabilities poses significant new security problems for Canada and other countries.

In principle, CNA operations can be very precise and limited, but they may also have the potential to produce indiscriminate nationwide or even global effects, destroying or disabling vital infrastructure, paralyzing government operations and economic activity, and causing significant civilian casualties.

The potentially game-changing nature of cyber warfare capabilities has been compared to that of nuclear weapons.

There are of course many important differences between cyber weapons and nuclear weapons. Nuclear weapons pose a true existential threat to human civilization. Cyber weapons might cause catastrophic damage in a worst-case scenario, but they are more likely to be used like conventional weapons to produce much more limited and localized (although not necessarily entirely predictable) effects.

Still, a world with widespread cyber weaponry could prove highly unstable. Cyber weapons pose a significant attribution problem (how do you know who's actually attacking you?), and the barriers to the acquisition of cyber weapons are low, meaning a wide range of states, groups, and even individuals may be able to develop significant cyber capabilities. In addition, the effectiveness of cyber capabilities may depend on maintaining access to and even deliberately introducing vulnerabilities into potential target systems during peacetime, which could end up increasing the likelihood of hostilities. Finally, the huge range of possible damage levels in cyber warfare and the overlap between CNA and CNE activities mean there is no clear threshold between cyber peace and cyber war, and thus the possibility of blundering into an unintended conflict is potentially very high. With no clear agreement on cyber rules of the road, there are many ways even a CNA strategy focused on deterrence could fail catastrophically.

It is not necessary to frame the risks posed by cyber warfare in apocalyptic terms to nonetheless recognize that, as Fadden suggested, CNA activities could be both expensive and dangerous. A focus on defence and resilience may well be the best path to take.

At the very least, Canadians should have an open debate on the pros and cons of taking the cyber war path before the government launches us down that road.

Tuesday, March 22, 2016

Bossenmaier testimony to Senate National Security and Defence Committee

CSE Chief Greta Bossenmaier testified before the Senate National Security and Defence Committee on 21 March 2016.

The transcript of the session won't be available until later [Update 20 April 2016: now available here], but the meeting was televised and can be watched here. The part of the session involving Bossenmaier begins around 14:08.

Nothing much of substance is revealed: there's only one brief discussion of the metadata mess, for example, at the end of the session (around 15:02).

Other than that and some scare numbers about port scans (previously plugged here), there's not much to see.

[Update 20 April 2016: Nice to see the 100 million "malicious cyberactions" in Bossenmaier's testimony acknowledged as "network scans" in Minister Sajjan's speech.]

Media coverage:

Amanda Connolly, "CSE chief says federal departments need to ‘get on’ Shared Services’ cyber defences," iPolitics, 21 March 2016.

Friday, March 18, 2016

February 2016 CSE staff size


(If you click through on the link and get a different figure, it's probably because the Treasury Board has updated its website; they update the numbers once a month.)

Sunday, March 06, 2016

History of the Examination Unit

The Examination Unit was Canada's first code-breaking agency. Hidden within the National Research Council, the XU, as it was typically known, operated from 9 June 1941 until its dissolution in August 1945, in the final days of the Second World War.

Canada had monitored U-boat transmissions and other signals intelligence targets from the very beginning of the war (and even to a limited extent beforehand), but it was the creation of the XU that opened the way for high-level SIGINT cooperation between Ottawa, London, and Washington and thus laid the groundwork for Canada's participation in the post-war Five Eyes intelligence-sharing community.

As its activities were winding down, an internal, classified history of the XU was compiled under the editorship of Gilbert deB. Robinson. (More on Robinson here.)

That highly secret history remained hidden from the public for many decades, but eventually a redacted version was released following an Access to Information request. I obtained a copy of it shortly afterwards, in 1991.

Now you can read it here:

G. deB. Robinson (ed.), A History of the Examination Unit: 1941-1945, Examination Unit, July 1945.

Thursday, February 25, 2016

CSE 2016-17 budget will be more than four times larger than pre-9/11

The Main Estimates for fiscal year 2016-2017, which were tabled in parliament on Tuesday, February 23rd, show that the Communications Security Establishment budget is projected to be $583,624,818 in the coming year.

CSE's budget has been growing more or less continuously since 9/11. The agency's projected 2001-02 budget was $100.2 million, or about $135 million in today's dollars. (Much more was actually spent that year, but the boost from the projected level was the result of post-9/11 increases.)

The projected 2016-17 budget is thus a stunning 5.8 times larger than the pre-9/11 budget—4.3 times larger after accounting for inflation.

CSE's much increased post-9/11 focus on counter-terrorism and support to military operations undoubtedly accounts for a lot of the growth since 2001, but the agency's dramatic shift during the same period away from old-style SIGINT operations towards "mastering the Internet" and conducting computer network exploitation operations probably accounts for an even larger part of the increase.

The projected 2016-17 budget is $45.4 million higher than the $538,201,730 budget projected in the 2015-16 Main Estimates. The increase is explained as the net result of a $14.1 million reduction in accommodation costs and a $59.5 million increase in funding "to address cyber threats and advancements in information technology."

As in many years, however, the 2015-16 Main Estimate figure is not a very reliable guide to the agency's actual budget this year.

CSE's budget authorities were topped up several times during the year: $18,081,548 was added in the Supplementary Estimates (B) as a carry-forward from the previous year's operating budget; an additional $3,078,449 was added to cover various paylist requirements; another $20,000,000 was added for paylist requirements in the Supplementary Estimates (C); and the Supplementary Estimates (C) also added a $4,421,325 transfer from Public Works and Government Services, additional appropriations of $31,353,885 to "preserve Canadaʼs foreign intelligence capabilities" (buy more supercomputers?) and $2,989,797 for cyber security initiatives, plus an additional statutory appropriation of $648,400. All told, these additional cash infusions total $80,573,404, boosting CSE's proposed 2015-16 budget authorities to $618,775,134.

It is likely that not all of that money will be spent by the end of the fiscal year. Indeed, if I'm reading this document correctly, $4,218,262 is already considered frozen and cannot be spent. There may well be other spending shortfalls. Nonetheless, it looks like CSE may be on track to spend well over $600 million in FY 2015-16.

Going back to the Main Estimate numbers, most of this year's $45.4 million Main-Estimate-to-Main-Estimate increase, 72% of it, is going to the SIGINT side of the house. The remaining 28% will go to the other side, the IT Security program. Interestingly, the proportion of the overall CSE budget currently accounted for by the SIGINT and IT Security programs is also 72% and 28% respectively.

Cyber security has been much in the news in recent years, with high-profile penetrations of IT systems discovered in the NRC, the Privy Council Office, and other locations. But so far there is no evidence of an increase in the relative emphasis on cyber security within CSE.

Here is the breakdown from previous years:

2015-16: 73/27 (SIGINT/IT Security)
2014-15: 71/29
2013-14: 68/32
2012-13: 70/30

As these numbers show, despite increasing concern about Canada's vulnerability to cyberattacks and cyberespionage, CSE's SIGINT program has been growing faster than its IT Security program. However, as I noted last year, such numbers are likely to fluctuate quite significantly from year to year as capital spending related to specific projects starts and stops, so it is probably too early to draw conclusions about any long-term trends.

Further coverage:

- Alex Boutilier, "Canada’s spies expecting a budget boost," Toronto Star, 23 February 2016.

Monday, February 22, 2016

Plouffe testimony to Senate National Security and Defence Committee

CSE Commissioner Jean-Pierre Plouffe testified before the Senate National Security and Defence Committee on 22 February 2016. Pierre Blais, the Chair of the Security Intelligence Review Committee, testified at the same session.

The transcript of the session won't be available until later [interim transcript now available here], but the meeting was televised and can be watched here. The session involving Plouffe and Blais begins around 14:08, and Plouffe's prepared testimony begins around 14:23.

The discussion of CSE's metadata problem begins at about 15:00.

Especially notable in Plouffe's response is his statement that the unminimized metadata was shared for a "number of years" before being stopped, which suggests it may have begun not long after this April 2008 meeting, when CSE told its allies that "bulk, unselected metadata presents too high a risk to share with second parties at this time, because of the requirement to ensure that the identities of Canadians or persons in Canada are minimised, but re-evaluation of this stance is ongoing."

[Update 23 February 2016: It's probably no coincidence that Qtech was contracted in April 2008 to design "a Service Oriented Architecture (SOA) for metadata sharing between Canada and its foreign allies. This high profile initiative will transform the manner in which Canada collaborates with its allies. This metadata sharing system allows the collaborating parties to retrieve metadata of interest from the department’s [Very Large Databases], and is designed to handle very large volumes of requests and resultsets." According to Bill Pezoulas, the work lasted until May 2009. The system developed was probably used to facilitate Canadian participation in Five-Eyes metadata-sharing through GLOBALREACH.

Note the bit about "very large volumes of requests and resultsets."]

Further coverage:

- Ian MacLeod, "Canadian electronic spy agency’s unlawful metadata sharing went on for years before being fixed," Ottawa Citizen, 22 February 2016.

- Ashley Burke, "'Difficult to determine' scope of privacy breach in Five Eyes data sharing," CBC News, 23 February 2016.