Bill Robinson

On November 4th the National Security and Intelligence Committee of Parliamentarians (NSICOP) released the public version of its report on the security and intelligence activities of Global Affairs Canada (GAC), Canada's foreign affairs department.

The report is available here: https://www.nsicop-cpsnr.ca/reports/rp-2022-11-04/intro-en.html

In following posts, I'll look at what the report says about how GAC works with the Communications Security Establishment (CSE), Canada's SIGINT agency.

#CSE #GAC #NSICOP

Special Report on the National Security and Intelligence Activities of Global Affairs Canada

Nov 26, 2022 at 5:09pmWeb
Show threadBill RobinsonNov 26, 2022

On p 24 NSICOP describes the overall relationship: "GAC's collaboration with CSE ... dates back to the creation of CSE in 1946. GAC has long been a client of CSE's foreign intelligence collection ***. While GAC has had a formal consultation role for some of CSE's most sensitive activities since 2002, the coming into force of the CSE Act in 2019 provided GAC a more significant role in CSE's new authorities for cyber operations." (*** shows where info has been redacted.)

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

"GAC and CSE formalized their cooperation with the signing of a General Framework Agreement in 2009. The agreement recognized the organizations' cooperation in the collection of foreign intelligence, their long-standing collaboration on the implementation of Canada's Export Control legislation, and their response and handling of cyber incidents targeting GAC." (p 24)

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

"The first formal agreement on consultation between CSE and GAC concerned the agency's *** activities. These activities use *** for the purpose of collecting foreign intelligence. In 2002, GAC and CSE signed a memorandum of understanding under which CSE would inform GAC prior to undertaking its most *** outside of Canada." (p 24)

This refers to CSE's computer network exploitation (CNE) activities. The MOU was signed on 23 April 2002.

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

"The agreement also granted GAC a role in challenging CSE's conduct of certain activities ***. While the 2002 memorandum of understanding remains in place, the two organizations streamlined elements of the agreement in 2015." (p 24-25)

GAC's role is to make sure the potential risks/rewards of CNE ops are assessed in the context of Canada's overall foreign policy.

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

CSE is also required to consult GAC before entering into any arrangements with foreign states or institutions. Since the 2019 entry into force of the CSE Act, it has been a statutory requirement that the Minister of National Defence consult the Minister of Foreign Affairs before approving such arrangements. "Given the recent nature of this authority, CSE has not consulted GAC prior to entering into such an arrangement at the time of writing." (p 25)

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

The CSE Act also requires the Minister of National Defence to consult the Minister of Foreign Affairs prior to issuing an authorization for defensive cyber operations (DCO).

(DCOs are cyber operations designed to protect Canadian government networks or systems designated as being of importance to the government.)

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

"The Minister of National Defence issued the first authorization for defensive cyber operations in *** 2019. CSE officials developed this authorization in consultation with GAC." (p 26)

Although redacted here, the date of the authorization was 5 September 2019, as reported by NSICOP in its February 2022 cybersecurity report (p 77): https://www.nsicop-cpsnr.ca/reports/rp-2022-02-14/intro-en.html

#CSE #GAC #NSICOP

National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

Show threadBill RobinsonNov 26, 2022

"At the operational level, GAC provides foreign policy risk assessments for all of CSE's planned defensive cyber operations. As part of its assessment of the proposed operation, GAC considers potential implications for Canadian interests, the operation's compliance with international law and cyber norms, alignment with broader foreign policy interests, the nature of the target (***) and whether the operations ***." (p 26)

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

"Between *** and *** , CSE planned but did not conduct any defensive cyber operations, because separate defensive cyber measures taken by CSE obviated the need for the planned cyber operations." (p 26)

Although the dates were redacted, according to NSICOP's February 2022 report (p 96), no DCOs were conducted during the first two authorization periods (Sep 2019 - Aug 2021).

It would be interesting to know if any DCOs have yet been conducted.

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

Under s.16 of the CSIS Act, CSIS can collect foreign intelligence "within Canada" on request of either the defence minister or the foreign affairs minister. This might entail monitoring the communications of an embassy in Ottawa, for example.

CSE often helps with technology, processing, and reporting of the resulting intelligence, and GAC plays a role as a requestor, assessor of foreign policy risk, and intelligence client.

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

"In 2008, officials from participating organizations introduced a formalized governance model [for the s.16 program], which included a requirement to assess potential subjects against criteria linked to Canada's intelligence priorities and a permanent oversight committee structure (the *** Committee) with the responsibility to evaluate and endorse section 16 rationales before they are submitted for approval to the relevant ministers." (p 38)

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

All information about the committee, including its name, is redacted from the NSICOP report.

By contrast, a 2015 report by OCSEC (CSE's first watchdog agency) described the committee structure in detail, and this information was later released mostly unredacted to reporter Colin Freeze via Access to Information request A-2015-00082.

Some of the details may have changed since then, but if the information was releasable at that time, why not now?

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

The CSE Act also "allows CSE to conduct active cyber operations to degrade, disrupt, influence or interfere with the capabilities or intentions of foreign entities."

"In recognition of the foreign policy implications of these activities, the Act stipulates that the Minister of National Defence may issue this authorization only if the Minister of Foreign Affairs has requested or consented to its issue." (p 41)

This differs from DCOs, which require only consultation with GAC.

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

"The Minister of National Defence issued CSE's first authorization for active cyber operations in 2019." (p 41)

Here the report is considerably more informative than previous statements by CSE or its watchdogs:

"Between 2019 and 2020, CSE planned four active cyber operations and carried out one." (p 41)

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

CSE conducted one ACO to "disrupt the activities of terrorists and violent extremists."

The three ACOs not conducted sought: "to disrupt foreign cyber threats to the 2019 federal election"; "to counter the dissemination by specific terrorist groups of extremist material on-line"; and "to mitigate threats posed by foreign cybercriminal groups targeting Canadians" (p 41-42)

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 26, 2022

The election-related ACO was not conducted "because no specific state-led operations were detected", while the other two did not get done "due to operational restrictions arising from COVID". (p 41-42)

For more on the effect of the COVID-19 pandemic on the Canadian security and intelligence community, see https://luxexumbra.blogspot.com/2021/11/stress-tested.html

#CSE #GAC #NSICOP

Lux Ex Umbra: Stress Tested

Show threadBill RobinsonNov 27, 2022

"In August 2019, the Minister of Foreign Affairs directed GAC officials to work with CSE to develop a formal governance mechanism to ensure CSE's cyber operations align with Canada's foreign policy and international legal obligations."

This led, in 2020, to the creation of "the CSE-GAC Active Cyber Operations/Defensive Cyber Operations Working Group and a comprehensive governance framework for consultation on cyber operations" (p 42)

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 27, 2022

Inside CSE, "the Cyber Operations Group and the Cyber Management Group oversee CSE's cyber operations. These are executive bodies, at the director- and director general-level respectively, that review and approve cyber operation plans and risk assessments. The Director of *** and the Deputy Chief of Signals Intelligence chair the respective committees, and membership depends on ***." (p 43)

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 27, 2022

The next two pages of NSICOP's report (44-45) discuss a program that is ostensibly so secret that all information is redacted except for one sentence: "GAC states that it derives its authority for the program from the Crown prerogative." (p 44)

This is CSE's program of intercept facilities inside Canadian diplomatic missions, our equivalent of US Special Collection Service sites.

Apparently, we're going to pretend no one knows we do this sort of thing.

#CSE #GAC #NSICOP

Show threadBill RobinsonNov 27, 2022

But NSICOP did manage to flag some concerns about GAC's role in the program in its notes about three of the redactions (p 45):

1. "The paragraph noted that the Department does not have any policies, procedures or documents to govern its involvement, and does not have any reporting requirements to the Minister"

2. "The paragraph noted challenges regarding the management of risk."

3. "The paragraph noted the Department's failure to inform the Minister of important issues."

#CSE #GAC #NSICOP

Show threadStephanie CarvinNov 26, 2022
@billrobinson this is great - thanks. And glad I found you on here.
Show threadStephanie CarvinNov 26, 2022
@billrobinson also, frustrating when reports don’t declassify previously declassified information!
Show threadAlex RudolphNov 26, 2022

@billrobinson I find their use of "defensive cyber operations" to refer to offensive or active defense operations absolutely maddening.

Creates a dangerously false assumption that defensive operations cannot be done on one's own networks.

Show threadMike WilliamsonNov 28, 2022

@alexfrudolph @billrobinson

💯

Meanwhile actual defensive work like #langsec, formal verification and memory safety is weirdly absent.

https://www.quantamagazine.org/formal-verification-creates-hacker-proof-code-20160920

Hacker-Proof Code Confirmed | Quanta Magazine

Computer scientists can prove certain programs to be error-free with the same certainty that mathematicians prove theorems.

Quanta Magazine
Show threadMark StoutNov 27, 2022
@billrobinson Terrific thread.