April 19, 2012

Canada's cybersecurity agency CSEC full of secrets

Explosive budget, staff numbers raise questions from critics - who watches the watchers?

By Jeff Davis, Postmedia News April 18, 2012
clip_image001

Always feel like somebody's watching you? That's because they someone may be doing just that. Using sophisticated technologies, CSEC is able to intercept essentially any electronic dispatch, from phone calls to faxes, emails or text messages. This includes secret transmissions sent by foreign embassies in Canada back to their capitals. CSEC is thought to have played a role in catching Navy Sub.-Lt. Jeffrey Paul Delisle, who has been charged with relaying secret information to Russian officials.

Photograph by: Phil McCarten , Reuters
OTTAWA — Following a decade of explosive growth, the super-secret Communications Security Establishment Canada has emerged from the Defence Department to become a stand-alone federal agency, a change that will force it, for the first time, to inform Canadians of at least some of its activities.
CSEC, whose powers include the ability to sometimes eavesdrop on Canadians without their knowing, has largely escaped the axe as the federal government chops budgets. Where some departments face cuts of 10 per cent, CSEC will be pinched by just two per cent this year and the agency will see no layoffs.
CSEC has more than doubled in size since Sept. 11, 2001, when it had about 900 staff. In the ensuing decade, the national signals intelligence and cybersecurity agency has grown to 1,950 staff, and its budget has gone to $350 million in 2012 from $140 million in 2001.
As a result, critics say CSEC needs more rigorous civilian oversight to protect Canadians' privacy.
"It's frankly a very slim oversight, without much staff," said Liberal Senator Colin Kenny, a longtime watcher of the intelligence community.
"That's a work in progress that needs to be examined."
That may be difficult to achieve. Although hiring has been at unprecedented levels in recent years, a recruitment video on CSEC's website makes it clear that discretion is still at the heart of its operations, asking: "Can you keep a secret?"
Made up of a high-tech web of supercomputers, listening posts and genius-level code breakers developed during the intrigue of the Cold War, CSEC has transformed itself into a world-class electronic eavesdropping and cyberwarfare outfit.
Canada is a key member of the so-called "five eyes" intelligence-sharing community, which also includes the U.S., the United Kingdom, Australia and New Zealand. "We stand shoulder to shoulder with those guys, no problem, on the signals intelligence side," says Michel Juneau-Katsuya, a former spy with the Canadian Security Intelligence Service.
Since the Second World War, Canada's work in foreign signals intelligence interception and code breaking has been largely hidden from the public. For decades, CSEC was a section of the Department of National Defence, with its budget, activities and reports kept secret.
That is until it recently became a stand-alone agency. This change forces it to disclose its budgets and provide regular public reports, like all other government agencies. It is a marked departure from decades past, when the government denied its signals-snooping array even existed.
"It's a bit like, you will recall, when (the Canadian Security Intelligence Service) was taken out of the RCMP and given stand-alone status," Defence Minister Peter MacKay told a defence committee hearing recently. "That's what is occurring here."
In November 2011, the organization changed its name from the Communications Security Establishment (CSE) to Communications Security Establishment Canada (CSEC), in accordance with government regulations.
Like CSIS, which received a new headquarters once it was made an independent agency, a massive CSEC complex is now being built in Ottawa at a cost of $880 million.
Besides housing the three most powerful supercomputers in Canada, the campus will be outfitted with a high-tech eavesdropping array, the nature of which is secret. Also on site will be the Tutte Institute for Mathematics and Computing, which will help CSEC's elite mathematicians develop new code-cracking formulas and algorithms.
One CSEC insider told Postmedia News the campus will have "more PhD mathematicians and computer scientists than most universities."
Using sophisticated technologies, CSEC is able to intercept essentially any electronic dispatch, from phone calls to faxes, emails or text messages.
"They are capable of doing billions of interceptions per day," Juneau-Katsuya said. "They can intercept literally everything that breathes and moves Canada wide."
This includes secret transmissions sent by foreign embassies in Canada back to their capitals. CSEC is thought to have played a role in catching Navy Sub.-Lt. Jeffrey Paul Delisle, who has been charged with relaying secret information to Russian officials.
While these are good days for the CSEC, things haven't always been so rosy.
Similar to the Canadian Forces, CSEC's budget was slashed in the late 1990s, during the so-called "decade of darkness" when defence spending was trimmed across government.
But all that changed after the 9/11 terrorist attacks, when the Chretien government altered CSEC's mandate, giving it more leeway to operate within Canada. Historically, CSEC had been banned from listening in on the communications of Canadians, focusing instead on gathering foreign intelligence.
Currently, CSEC is permitted to listen in on signals sent between a Canadian and someone overseas. This includes conversations between foreign terrorist organizations and their operatives in Canada, and such information is conveyed to the RCMP and CSIS, which have the mandate to operate within Canada.
In the case of such "unintentional" interceptions, as CSEC calls them, the Canadian involved is not made aware they are the subject of electronic eavesdropping.
CSEC's mandate, however, strictly prohibits it from intercepting transmissions between Canadians on home soil.
As counterterrorism became a large part of its work, CSEC went into recruiting overdrive, looking for people — according to recruitment literature — who can "speak and write 10 languages fluently."
CSEC has poured enormous resources into cybersecurity, attempting to protect Canada's state secrets from foreign hackers, state-sponsored or otherwise.
"The cyber threat has the capability to render us blind, mute and deaf all at once," Juneau-Katsuya said.
For example, Iran's Natanz uranium enrichment plant suffered a crippling cyber attack in 2011, and overt cyberattacks on Estonia in 2007 and Georgia in 2008 were traced to Russian computers.
Canada suffered a major systems breach in February 2011, when — a month before the federal budget was to drop — hackers cracked computer security systems at the Department of Finance and Treasury Board. The departments were hit hard by the attack, as computer systems were shut down while security loopholes were closed.
CSEC insiders say they know who the culprit was. The information was never made public but the perpetrator is broadly thought to be China.
To prevent future breaches, CSEC's hackers attempt to make their way past government security firewalls, trying to identify — and strengthen — weak points before outside hackers can take advantage of them.
While CSEC is now by all external appearances a fully matured entity, many say it still has some growing up to do, in the area of civilian oversight especially.
The RCMP's activities are overseen by the Royal Canadian Mounted Police Review and Complaints Commission, while the actions of CSIS are monitored by the Security Intelligence Review Committee. Both receive complaints from the public, make periodic public reports to Parliament and have significant administrative support secretariats
CSEC had no independent oversight until 1996, when the position of Communications Security Establishment Commissioner was struck. With a staff of around 10 people led by retired federal Court of Appeal judge Robert Decary, CSEC's oversight infrastructure is much smaller than that of the RCMP or CSIS.
Since the office was established, only two complaints have been filed by the public, and no wrongdoing has been found, according to the commissioner's reports.
"In all annual reports to date, the CSE commissioner has said that for the activities reviewed, CSEC has acted lawfully," CSEC spokesman Adrian Simpson said in an email.
Kenny said he's concerned that CSEC's oversight is much weaker than that of the RCMP or CSIS.
NDP justice critic Jack Harris said even most MPs are unaware CSEC exists. But given its extraordinary capabilities, he said, there is a risk it could commit massive privacy violations against Canadians.
"It's such a secretive body, with such broad powers, that Canadians have reason to be concerned," he said. "The public is susceptible to this type of snooping on their communications without even knowing about it."
Harris said the commissioner's claim that CSEC has never committed a wrong appears dubious. True civilian oversight of the organization is needed, he said, just as it is for the RCMP and CSIS. Such an oversight body should also be mandated to process public complaints, he said.
The fact that CSEC can intercept Canadians' communications without a warrant is also very troubling, he said. CSEC should have to obtain warrants before listening in on Canadians, as other agencies must, he argued.
And unlike police or CSIS wiretaps, which require the subject to eventually be informed of the communications monitoring, Harris pointed out CSEC is not obligated to ever inform Canadians they are being watched.
In the end, Harris said, Canadians should be wary of the powerful eye of state spying, now that its view can be directed toward home territory.
"If they're intercepting some foreigner's communication that's one thing, but if they're intercepting Canadians' communications, that's another."
jdavis@postmedia.com Twitter.com/JeffDavisOttawa
Read more: http://www.canada.com/news/Canada+cybersecurity+agency+CSEC+full+secrets/6478005/story.html#ixzz1sUNRaZgO
Enhanced by Zemanta