Wednesday, June 21, 2017

Liberals propose huge changes for CSE

The government's Bill C-59, announced on 20 June 2017, proposes huge changes for Canada's security and intelligence community, including important additions to CSE's mandate and the elimination of its current review agency, the Office of the CSE Commissioner (OCSEC).

The proposal to add explicit defensive and "active" cyber operations mandates to CSE's roles may represent the most fundamental change in the agency's history. The proposed elimination of OCSEC and creation of both the National Security and Intelligence Review Agency and the position of Intelligence Commissioner are also major changes.

I'll be writing more on these and other proposals in the bill, but it will probably take me a few days to get the post together.

So in the meantime, here's CSE's description of the changes.

It's also worth checking out some of the news reporting and commentary on the proposals:


Alex Boutilier, "Spy bill allows government security agency to collect ‘publicly available’ info on Canadians," Toronto Star, 21 June 2017

Justin Ling, "Canada’s cyber spy agency is about to get a major upgrade," Vice News, 21 June 2017

Michael Geist, "Five Eyes Wide Open: How Bill C-59 Mixes Oversight with Expansive Cyber-Security Powers," michaelgeist.ca, 21 June 2017

Alex Boutilier, "Canada’s spies to get green light to launch cyber attacks," Toronto Star, 20 June 2017

Matt Braga, "How, when, and where can Canada's digital spies hack? Government makes some suggestions in CSE Act," CBC News, 20 June 2017

Jim Bronskill, "Security bill limits CSIS disruption powers, boosts review of spy services," Canadian Press, 20 June 2017

Craig Forcese & Kent Roach, "The roses and the thorns of Canada’s new national security bill," Maclean's, 20 June 2017

Wesley Wark, "Liberals’ bold Bill C-59 would redraw the national security landscape," Globe and Mail, 20 June 2017


Monday, June 19, 2017

CSE releases report on electoral threats



On June 16th, CSE released Cyber Threats to Canada's Democratic Process, a public report assessing the various ways cyber activities might threaten Canada's electoral system.

CSE has made basic cybersecurity advice publicly available on its website for many years, but this report—which was requested by the Prime Minister in the mandate letter he issued to Minister of Democratic Institutions Karina Gould in February 2017—was the first of its kind by CSE.

The 38-page report discusses three ways in which cyber activities might be used to affect the electoral process: impeding or corrupting the voting process itself; stealing and exploiting information about politicians and political parties; and covertly influencing the public's political views by manipulating traditional and social media.

The document restricts itself to a general overview of the ways in which these threats might manifest themselves in Canada's federal, provincial, and municipal politics, and concludes (among other points) that:
  • Cyber threat activity against the democratic process is increasing around the world, and Canada is not immune. In 2015, during the federal election, Canada’s democratic process was targeted by low-sophistication cyber threat activity. It is highly probable that the perpetrators were hacktivists and cybercriminals, and the details of the most impactful incidents were reported on by several Canadian media organizations.
  • A small number of nation-states have undertaken the majority of the cyber activity against democratic processes worldwide, and we judge that, almost certainly, they are the most capable adversaries.
  • However, to date, we have not observed nation-states using cyber capabilities with the purpose of influencing the democratic process in Canada during an election. We assess that whether this remains the case in 2019 will depend on how Canada’s nation-state adversaries perceive Canada’s foreign and domestic policies, and on the spectrum of policies espoused by Canadian federal candidates in 2019.
  • We expect that multiple hacktivist groups will very likely deploy cyber capabilities in an attempt to influence the democratic process during the 2019 federal election. We anticipate that much of this activity will be low-sophistication, though we expect that some influence activities will be well-planned and target more than one aspect of the democratic process.
  • Regarding Canada’s democratic process at the federal level, we assess that, almost certainly, political parties and politicians, and the media are more vulnerable to cyber threats and related influence operations than the election activities themselves. This is because federal elections are largely paper-based and Elections Canada has a number of legal, procedural, and information technology measures in place.
  • We assess that the threat to Canada’s democratic process at the sub-national level (i.e. provincial/territorial and municipal) is very likely to remain at its current low level. However, some of Canada’s sub-national political parties and politicians, electoral activities, and media are likely to come under increasing threat from nation-states and hacktivists.
All of this is pretty common sense for anyone who's been paying attention to the world for the past couple of years—although it's certainly noteworthy that, to date, CSE has not observed nation-states using cyber capabilities to try to influence Canadian elections.

The document's ultimate value is likely to depend on whether it succeeds in kick-starting action on the part of Canadian political parties and others to actually reduce Canada's future vulnerability to such threats.

This document explicitly is not an action plan to accomplish that goal.

However, the Minister's mandate letter did direct her also to "ask CSE to offer advice to Canada’s political parties and Elections Canada on best practices when it comes to cyber security," and CSE does plan to do that. (In fact, Elections Canada is already a recipient of CSE's cyber defence advice and services.) The agency will discuss the findings of the report with all federal political parties that wish to participate at a meeting to be held next Tuesday, June the 20th.

According to a background briefing that CSE kindly invited me to take part in (along with a number of other researchers), the agency will explore with the parties whether it would be useful to provide further, more detailed advice or training to some or all of them. One possibility would be to provide training to IT staffers at CSE's Information Technology Security Learning Centre. Perhaps more likely, however, would simply be provision of advice on the kinds of services parties should contract for in the private sector.

CSE will not be providing actual cyber defence services to the political parties, however.

The government considers Canada's democratic institutions to be "of importance to the Government of Canada", which gives CSE a legal mandate to provide IT security advice and guidance to those parties under s.273.64(1)(b) of the National Defence Act (i.e., CSE's Mandate B). But provision of actual protective services is restricted to the IT systems and networks of the government of Canada itself.

Nonetheless, a CSE official did confirm that warnings would be provided if, for example, the SIGINT side of the agency detected a foreign actor stealing data from a political party's computer system. Notification would come through the Public Safety Department's Canadian Cyber Incident Response Centre (CCIRC), which is responsible for assistance to critical infrastructure operators outside the federal government. Such notifications are routinely provided to CCIRC partners in such cases, according to the official.

[Update 20 June 2017: Under Bill C-59, which was announced and given first reading today, the government proposes to give CSE the power to also provide cybersecurity services to protect non-federal information infrastructures designated "of importance" to the government of Canada. Thus, the agency might in the future be able to provide such a service to political parties, if they request it.]

I also asked why CSE was the agency given the job of making the threat assessment in the first place. As the report itself acknowledges, the cyber threat to electoral systems is just one aspect, albeit a very important one, of a broader set of activities that could be used to undermine or improperly influence an election, including traditional espionage, propaganda, disinformation, covert funding, and blackmail or other coercion. Furthermore, as the report also acknowledges, the perpetrators of such actions can be purely domestic Canadian actors—the activities of which CSE should have very little insight into—as well as foreign actors.

Thus, it seems to me that, in both respects, the Canadian Security Intelligence Service would have been a more appropriate agency to make such an assessment, although it would certainly have needed to draw on CSE's cyber expertise when considering those aspects of the issue.

The response, which I didn't find entirely satisfying, was simply that CSE is the agency with the greatest expertise on cyber threat questions. Well, yes, indisputably, but that doesn't answer the points outlined in the paragraph above.

Ultimately, of course, the reason CSE produced the report is that the Prime Minister and the Minister of Democratic Institutions asked it to.

Unsurprisingly, Australia is also concerned about the possibility of interference in its electoral system, and its political parties are also receiving advice from that country's SIGINT/IT Security agency. However, as indicated in this report (Ronald Mizen, "Political parties vulnerable to state sponsored cyber attacks," Financial Review, 16 June 2017), the Australians may also consider providing funding to political parties to help them secure their systems.

Might Canada also consider putting money on the table? An interesting thought.


News coverage of the CSE report:

Lee Berthiaume, "Canada's spy agency expects cyberattacks during 2019 federal election," Canadian Press, 16 June 2017

Alex Boutilier, "Canada’s political parties, media vulnerable to foreign hacks, spy agency says," Toronto Star, 16 June 2017

Daniel Leblanc, "Spy agency to school political parties on cyberthreats," Globe and Mail, 16 June 2017

Justin Ling, "“Low sophistication” actors took aim at the last Canadian election," Vice News, 16 June 2017

Alex Boutilier, "Despite risk of cyber attacks, political parties still handle Canadians’ data with no rules in place," Toronto Star, 19 June 2017


Sunday, June 11, 2017

Canadian Forces to get offensive cyber capability — but questions remain

The Liberal government's defence policy statement, Strong, Secure, Engaged, released on June 7th, confirms that the Canadian Forces will acquire an offensive cyber capability:
We will assume a more assertive posture in the cyber domain by hardening our defences, and by conducting active cyber operations against potential adversaries in the context of government-authorized military missions. Cyber operations will be subject to all applicable domestic law, international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments. (p. 15)
A slightly more expansive description is provided on p. 72 of the document:
Defence can be affected by cyber threats at home and abroad — from attempts to steal sensitive information from our internal networks, to cyber attacks on the Canadian Armed Forces on deployed operations, to the use of cyberspace by terrorist organizations to spread disinformation, recruit fighters and finance their operations. Indeed, there has been a steady increase in the number of state and non-state actors developing the capability to conduct disruptive cyber operations.

The Defence team works closely with the Communications Security Establishment, Public Safety Canada, Global Affairs Canada and Shared Services Canada on cyber issues. To date, this work has focused on strengthening the defence of important military systems, network monitoring and control, building the future cyber force, and integrating defensive cyber operations into broader military operations.

However, a purely defensive cyber posture is no longer sufficient. Accordingly, we will develop the capability to conduct active cyber operations focused on external threats to Canada in the context of government-authorized military missions. The employment of this capability will be approved by the Government on a mission-by-mission basis consistent with the employment of other military assets, and will be subject to the same rigour as other military uses of force. Cyber operations will be subject to all applicable domestic and international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments.
Although few actual details are provided about either cyber operations or planned signals intelligence capabilities in general, the statement does report that:
  • The Canadian Forces will "Acquire joint signals intelligence capabilities that improve the military’s ability to collect and exploit electronic signals intelligence on expeditionary operations" and will "Improve cryptographic capabilities, information operations capabilities, and cyber capabilities to include: cyber security and situational awareness projects, cyber threat identification and response, and the development of military-specific information operations and offensive cyber operations capabilities able to target, exploit, influence, and attack in support of military operations." (p. 41)
  • "The Defence team will increase its intelligence capacity, and will examine its capabilities to understand and operate in the information environment, in support of the conduct of information and influence operations." (p. 66)
  • "[W]e will acquire an airborne intelligence surveillance and reconnaissance platform that will enhance the ability of our Special Operations Forces to improve their understanding of the operational environment." (p. 103)
  • "The Government will provide $4.6 billion for joint capability projects in domains such as cyber, intelligence as well as joint command and control over the next 20 years. This includes... $1.2 billion over the next 20 years for five new equipment projects and one information technology project. For example, the Combined Joint Intelligence Modernization project will provide a modern deployable intelligence centre for land-based operations, building on the lessons learned in recent operations." (p. 103)
  • "To better leverage cyber capabilities in support of military operations, the Defence team will: 87. Protect critical military networks and equipment from cyber attack by establishing a new Cyber Mission Assurance Program that will incorporate cyber security requirements into the procurement process. 88. Develop active cyber capabilities and employ them against potential adversaries in support of government-authorized military missions. 89. Grow and enhance the cyber force by creating a new Canadian Armed Forces Cyber Operator occupation to attract Canada’s best and brightest talent and significantly increasing the number of military personnel dedicated to cyber functions. [Question: Will this new occupation supplement the existing Communicator Research occupation or absorb and replace it?] 90. Use Reservists with specialized skill-sets to fill elements of the Canadian Armed Forces cyber force." (p. 73)
  • With respect to the last of these items, the Canadian Forces will "Assign Reserve Force units and formations new roles that provide full-time capability to the Canadian Armed Forces through part-time service, including: ... • Cyber Operators; • Intelligence Operators; ... and • Linguists" and "Enhance existing roles assigned to Reserve Force units and formations, including: • Information Operations (including Influence Activities)" (p. 69).
These details are welcome, but it seems to me that a number of important questions remain either unresolved or ambiguous in the defence policy statement.

Most importantly, at several points the document characterizes offensive cyber activities as taking place solely in the context of "government-authorized military missions", which would seem to mean that offensive cyber activities will be restricted to just a few specifically designated operations, such as Op Impact or Op Reassurance. Employment of cyber capabilities is to be approved by the government "on a mission-by-mission basis consistent with the employment of other military assets".

But "mission" could actually have a much broader meaning.

The document also outlines eight "core missions" of the Canadian Forces, covering everything that our military forces do (p. 82). These missions include detecting, deterring, and defending against threats to or attacks on Canada; detecting, deterring, and defending against threats to or attacks on North America in partnership with the United States; leading and/or contributing forces to NATO and coalition efforts to deter and defeat adversaries, including terrorists; leading and/or contributing to international peace operations and stabilization missions with the United Nations, NATO, and other multilateral partners; and providing assistance to civil authorities and law enforcement, including counter-terrorism, in support of national security and the security of Canadians abroad.

Could offensive cyber activities be authorized in support of wide-ranging, fundamental "missions" such as these?

Such a reading may seem implausibly broad.

But on page 60 the document states the Canadian Forces "will ensure that new challenges in the space and cyber domains do not threaten Canadian defence and security objectives and strategic interests, including the economy."

It will take a lot more than cyber operations against ISIS to protect the Canadian economy — or defend a wide range of other Canadian defence and security objectives and strategic interests — from cyber threats.

The document also states that Canada has a "responsibility to contribute to efforts to deter aggression by potential adversaries in all domains", including specifically the cyber domain (p. 50). That's a much broader goal than anything that can be accomplished in the context of a particular expeditionary operation. And it implies an ongoing, continuous mission, not a temporary activity that can be expected to end when this or that operation wraps up in a matter of months or a few years.

A broader reading of "mission" is also necessary if Canada's cyber forces are to take on the sort of roles assigned their Five Eyes partners, notably U.S. Cyber Command.

It would be nice to know just how wide the range of cyber missions envisaged by the government could be.

Another question relates to the role of the Communications Security Establishment.

Will all offensive cyber operations — other than those conducted domestically — be undertaken by military cyber operators (presumably members of the Canadian Forces Information Operations Group) acting under military command? Or will CSE have a role as well?

The CFIOG normally works very closely with CSE (in fact, under its direction much of the time), and CSE's expertise on cyber defence and cyber espionage activities would be of direct relevance to any offensive operations the Canadian Forces might undertake. CSE is also likely to have its own expertise on offensive operations that it may use for computer network defence purposes and may also provide from time to time in support of CSIS "disruption" activities.

So to what extent might CSE be called upon to provide support to the Canadian Forces for the conduct of offensive cyber operations? And to what extent might CSE conduct its own operations? This document is silent on those questions.

[Update 20 June 2017: Bill C-59, which was announced and given first reading today, answers some of these questions. The government is proposing to give CSE the power to conduct both "defensive cyber operations" to help protect systems and networks "of importance" to the government of Canada and "active cyber operations" (i.e., offensive cyber operations) against foreign individuals, groups, or states for defence, foreign policy, or security purposes. The bill would also explicitly enable CSE to provide technical and operational assistance to the Canadian Forces and Department of National Defence, including for cyber operations.]


For some earlier comments that I made on Canada and cyber war, see here.


Update 18 June 2017:

This article (Murray Brewster, "Civilian oversight key to offensive cyber operations, says expert," CBC News, 18 June 2017) suggests that the Special Operations Forces sub-unit that the government will "examine establishing" in the Reserve Force will be tasked with developing "offensive cyber capabilities, particularly in the area of information operations". I don't think that's what the government is considering doing.

As noted above, the new defence policy does call for recruiting Reserve Force cyber operators and assigning cyber and intelligence roles to certain unnamed Reserve Force units and formations, as well as enhancing the information operations role of the Reserves, but I think it's a stretch to suggest that the Special Forces unit under consideration would take on cyber war, or information operations in general, as a primary function.



Sunday, April 23, 2017

CANUSA Agreement declassified

In 1949, Canada and the United States signed the CANUSA Agreement, codifying the extraordinarily close cooperation between the two countries on communications intelligence collection, processing, and dissemination.

The agreement was laid out in a Top Secret codeword-classified exchange of letters between G.G. (Bill) Crean, the Chairman of the Communications Research Committee (the interdepartmental committee that governed Canadian SIGINT policy), and Major General Charles P. Cabell, the Chairman of the equivalent U.S. body, the United States Communications Intelligence Board.

It was based closely on the U.S.-U.K. BRUSA Agreement of 1946, which was later renamed the UKUSA Agreement and is considered the foundational document of the Five Eyes SIGINT alliance.

The UKUSA Agreement was declassified and published online in 2010 along with most of its appendices and annexures, although some had significant redactions.

The CANUSA Agreement, by contrast, remained classified—until now.

Here is the full text of the agreement, minus as many as 83 pages of appendices and annexures, as released under Access to Information request A-2016-00131.

Kudos to the Communications Security Establishment for finally releasing this important historical document.

I usually leach off other people's access requests for the documents I cite on this blog, but in this case I put up my own five bucks to make a formal request since the public shaming I tried in January didn't seem to be working any better than the gentle persuasion I tried in November.

And, to be clear, the five bucks was only partly successful.

I asked for the appendices and annexures to the agreement to be released as well, but evidently that proposition was too great a shock to the system over there. This, despite the fact that (as I pointed out here) the 27 March 1953 version of Appendix B has been available online since 2015.

That particular horse probably got out by mistake, but it's not going to go back in the barn, pardners. Why pretend otherwise?

Another point: I also asked for the release of "all subsequent modified or amended versions of that agreement up to the present day."

We know from this document that the agreement was "revised slightly in 1960", but we don't know in what way.

And we still don't. Maybe the 1960 version was somewhere in those 83 pages that CSE redacted.

On the plus side, the Dominion is safe from whatever ill consequences would ensue if that specific 57-year-old horse ever got out.

But enough with the nay-saying.

At the risk of riding my metaphor off in all directions, I shouldn't look a gift (or, technically, five-dollar) horse in the mouth.

The CANUSA Agreement has finally been released into the wild. And that's a good thing.

Sunday, April 09, 2017

CBNRC's mini-SHAMROCK



From August 1945 to May 1975 the NSA's SHAMROCK program collected most of the cable traffic passing between the United States and international locations and processed their contents for foreign intelligence — and occasionally domestic intelligence — purposes. Public outrage following the program's exposure in the mid-1970s led to the passage of the 1978 Foreign Intelligence Surveillance Act.

Just before that all happened, however, Canada sought to establish its own mini-SHAMROCK program.

Canadian government documents indicate that in the early 1970s the Communications Branch of the National Research Council (CBNRC, as CSE was called in those days) set up a test cable monitoring operation in Montreal. The Canadian program, which has not previously been revealed, was run in cooperation with the Canadian Overseas Telecommunications Corporation (COTC), the Crown corporation that had a monopoly on overseas telephone, telex, and telegram services from Canada at that time. (COTC was renamed Teleglobe Canada in 1975 and was later privatized, eventually becoming part of Tata Communications.)

Canada had long been a regular consumer of the cable traffic collected on international circuits around the world by its U.S. and U.K. allies, but its own SIGINT activities were focused almost entirely on the radio communications of the Soviet Union, particularly those in the Arctic.

At the beginning of the 1970s, this posture was seen as not fully meeting Canadian needs.

CBNRC reportedly was unable to contribute much during the October Crisis in 1970, as it had virtually no capacity to monitor Canadian communications. Ottawa wanted desperately to know more about "revolutionary elements" in Canada, including any links they might have to other countries. Intelligence consumers were also interested in more Canadian-related foreign and economic intelligence than we could get from our allies.

The documentary evidence is sparse, but a pilot project for monitoring cross-border cable communications appears to have been set up at COTC's Montreal facilities, which were the gateway for Canadian transatlantic communications, in 1971 or perhaps a little earlier.

A draft memorandum on "The Canadian Intelligence Program" written for the Cabinet Committee on Security and Intelligence in April 1972 reported that "a survey is being carried out to determine the value of arrangements with the Canadian Overseas Telecommunications Corporation by which we would have the opportunity to examine messages between Canada and locations abroad which would (1) clarify links between revolutionary activities abroad, (2) provide information concerning known revolutionary elements, and (3) contribute intelligence about foreign and economic affairs of direct interest to Canada."



Later that month, CBNRC sought approval to convert the test operation to full operational status during the coming fiscal year, 1973-74. But with the intelligence program review still underway and fiscal pressures being felt all across the government, the Cabinet declined to give the project the go ahead that year.

The following two excerpts tell that part of the tale.

In the first, Intelligence Advisory Committee chairman A.F. (Bert) Hart discusses CBNRC's proposal for funds "for additional activities related to placing two test operations (Moscow and COTC Montreal) on a full operational basis in the fiscal year 1973/74" and comments that the plan may have to be revised.



(The Moscow operation, Canada's first intercept site inside an embassy, was unrelated to the COTC project.)

The second excerpt, taken from the History of CBNRC, shows that the Cabinet did in fact decline to approve the extra expenditures required to go fully operational that year.



The decision to restrict the SIGINT budget to Level A presumably meant that the COTC Montreal operation did not go fully operational in 1973-74, unless internal budget reallocations or Supplementary Estimates later provided for it.

The proposal was not dead, however, and it is possible that the budget planning for 1974-75 approved an operational capability. The available records don't answer this question.

Either way, though, it was moot.

On 14 January 1974, the Protection of Privacy Act received Royal Assent, adding Section VI (Invasion of Privacy) to the Criminal Code, and trampling CBNRC's mini-SHAMROCK proposal in the process.

According to the History of CBNRC, nobody had asked CBNRC what effect the new act might have on SIGINT collection:

"in 1971 the [Director of Communications Security (DCS), the External Affairs official in charge of the Canadian SIGINT program], without any discussion with CBNRC, assured his Under-Secretary, and through him his Minister, that the clause in the current draft bill on Protection of Privacy which forbade the interception of "private" communications in and out of Canada would not have any bad effects on Canadian intelligence. This official opinion was to wipe out for the remainder of CB's existence traffic useful in such studies as [redacted]."



Additional details of the story can be found in other sections of the History:

"Legislation in Canada and the US affected CB's activities in a more basic way. A Protection of Privacy Bill was being drafted by the Canadian Department of Justice in 1971. The Department of External Affairs queried some aspects of the draft bill which might affect legitimate intelligence interests adversely. Copies of the queries, which went out over the signature of the Under-Secretary of State for External Affairs (USSEA), went to the Cabinet Secretary, the Chief of the Defence Staff (CDS) and the Director General of the Security Service (DGSS) in the RCMP, but not to Director CB. After receiving answers from Justice, the USSEA told his Minister in June that "radio communications would not come within the prohibition" against the interception of "private communications". Also, the "use or disclosure" of communications intercepted outside Canada would not constitute an offence, because such an act would not be "wilful", as being based on selection from a mass of material picked up without any "mens rea". He also told his Minister that relevant information would be made available to intelligence authorities (presumably including CB), even if obtained for specifically security purposes under a warrant issued by the Solicitor General. However, these did not all turn out to be the interpretations of several subsequent Solicitors General and Ministers of Justice."




One of the effects of the Protection of Privacy Act was to end CBNRC access to telephone, telegram, and telex messages with one or more ends in Canada, as these were by definition "private communications". CBNRC was prohibited both from collecting the messages itself and from asking its allies to collect the traffic for it.



(Under the Department of Justice's current interpretation of the law, CSE is in fact permitted to receive one-end Canadian traffic intercepted by Canada's allies. However, it is not permitted to ask those allies to target the communications of specific Canadians or persons in Canada except when it is at the request of a federal law enforcement or security agency operating under a warrant. Whether the same interpretations were applied in 1974 is not clear.)

The paragraph 4.25 that was cited in the preceding excerpt summed up the situation in 1975, as CBNRC became CSE: "[T]hings were still humming in most areas except in the ability to produce SIGINT on the subject [redacted; presumably "International Trade", but possibly also the collection of intelligence on "revolutionary elements"] which had been given a high priority by the intelligence community. Here unfortunately a strict interpretation of the new Protection of Privacy Act meant that the main source of information on this subject, that is [redacted] was now regarded as taboo. Some work was beginning to be done on selected foreign [redacted] but this new plant only reached its full flowering after the conversion from CBNRC to CSE, and so will have to be matter for a later history."



(The final sentence of this excerpt may or may not apply to the private communications issue: it could be a reference to the expansion in collection from embassy sites that began in the early 1980s.)

By mid-1975, it was not just CSE's mini-SHAMROCK program that was dead: the original U.S. SHAMROCK program had itself been shut down, although elements of it would soon enough be started up again following the passage of the Foreign Intelligence Surveillance Act.

It's likely that CSE did get permission to access cross-border traffic for certain purposes later in the 1970s or the years that followed. Communications that transited through Canada on their way between Europe and the Far East may have been considered fair game, for example. Such communications were a significant source of revenue for COTC, or Teleglobe Canada as it was known by then.

But it wasn't until the passage of the Anti-Terrorism Act in 2001 that CSE regained broad-based access for foreign intelligence purposes to communications that begin or end in Canada (and, even then, only when collected in the course of targeting non-Canadians located outside Canada).

Saturday, February 25, 2017

CSE 2017-18 budget to be $596 million

The 2017-18 Main Estimates, tabled in parliament on February 23rd, show a projected 2017-18 CSE budget of $595,983,723.

As the document shows, the budget projected for 2017-18 is slightly higher than the $583.6 million that was originally projected for the current fiscal year (2016-17) and slightly lower than the $599.8 million 2016-17 "to date" figure, which reflects additions made to CSE's budget authorities during the fiscal year. It is $23.6 million lower than the $619.5 million that was actually spent in 2015-16.

After accounting for inflation, this would suggest that CSE's 2017-18 budget will be roughly 7% smaller than it was in 2015-16.

CSE's actual spending in 2017-18 could well turn out to be greater than its 2015-16 spending, however. The agency has received large in-year budget top-ups every year for the last seven years.

Thus, it may be safer to say that CSE's budget appears to have stabilized for the moment at the roughly $600 million level, but with significant year-to-year fluctuations.

That level is about 4.4 times as high, after adjusting for inflation, as CSE's pre-9/11 budget.

According to the Main Estimates, 72% of the money will go to CSE's SIGINT program, while the IT Security program will account for the remaining 28%.

Saturday, February 18, 2017

Kevin O'Neill in 1945

I was recently reading The Emperor's Codes, Michael Smith's 2011 book about the Allied effort to break Japanese codes during the Second World War, and to my surprise I ran across a 1945 photo that shows Kevin O'Neill, the Bletchley Park veteran who later became the Director of CBNRC/Chief of CSE.



O'Neill, who finished the war with the rank of Major in the British Army, worked on the Tunny problem, among other systems, during his time at Bletchley. But by 1945 he was part of the British liaison team at the U.S. Army's Signal Security Agency at Arlington Hall in Washington.

For reasons not clear to me, he appears in this photo (second from the right) with members of the British liaison office at the U.S. Navy's code-breaking agency, OP-20-G, which was located at the Naval Communications Annex. Note how, aside from civilian Wilfred (not William) Bodsworth, everyone in the photo other than O'Neill is in naval uniform.

O'Neill and John Manson, another British Army Major serving at the Signal Security Agency, were recruited by Ed Drake in 1946, becoming part of CBNRC's initial staff. Manson died in 1952, but O'Neill remained with the agency for his entire career, becoming the Director of CBNRC in 1971 and retiring as Chief of CSE in 1980.