Yesterday, @nsiracanada released their annual report. You can find it at: nsira-ossnr.gc.ca/tabling-of-the…
In this thread I’ll be highlighting some items of note, and general thoughts, on what we learned about our national security agencies as well as their review body. I’ll be structuring using the top-line headings in the report in case you want to follow along.
Section: Message to Members

The first thing to note is NSIRA recognizes the lack of access to offices and/or information have delayed reviews. Practically, staff have lacked access to classified materials which they regularly depend on to conduct reviews.
(Me: I continue to wonder how much NSIRA’s ‘cyber incident’ affected the review body, notwithstanding its public assertion that its staff were quickly back up and running. For more on the ‘incident’, see: christopher-parsons.com/answers-and-fu…)
Section: Introduction

In the ‘Values and Goals’ section, I was struck that NSIRA is creating a Code of Conduct for its employees. That’s fine and good. Of note: it will set out standards “that must be observed during and after a person’s employment” with NSIRA.
(Me: I *really* want to understand how this applies to prior employees.)
In ‘Trust but verify’ we come across a highlight that NSIRA has had challenges accessing information because of delays. It’s noted, elsewhere in the report, that @csiscanada has been pretty forthcoming and helpful with information. The same is definitely *not* said about @cse_cst.
There’s weird language about NSIRA’s fix for CSE problems. Namely, it’ll develop ‘Tailored Access’ to reviewed agencies involving ‘targeted access’ (direct access to systems and data) or ‘proxy access’ (where reviewed agencies review materials ahead of providing them to NSIRA).
(Me: I’m not a fan of this language because of its typical links to the darker sides of CSE/NSA/etc. Maybe this is an attempt to explain what’s needed in the language of the agencies? But it frankly feels kinda inappropriate.)
(Me: I want more information concerning proxy access. Such access calls to mind the worst elements of natsec review in the USA, like where CIA assessed materials before providing them to reviewers (See: theguardian.com/world/2014/mar…).
Because of the ‘proxy’ relationship, the CIA removed some documents that’d been provided to reviewers. It’s only because of great committee staffers + leadership from the committee this came to light.)
(Me: I’m not saying that CSE et al will be similarly deceptive. But when read in tandem with ‘CSE isn’t all that helpful’ I see red flags around ‘proxy access’. Either way: the perception of a problem can be as damaging to CSE’s legitimacy as actual problems that may be arising.)
It’s worth noting that ‘tailored access’ is, amongst other things, supposed to foster “positive professional interactions”.

(Me: the question that is thus raised: what negative/unprofessional interactions have happened? There’s a lot there below the surface.)
Worth raising: whereas NSIRA’s predecessor SIRC had tailored/direct access to CSIS computer networks and sensitive information, the report doesn’t mention CSE’s former reviewer, the OCSEC.
(Me: Did the OCSEC lack the access that NSIRA is calling for? To what extent were OCSEC’s usually cheery affirmations of CSE’s legality based on ‘proxy access’? And is that part of the reason why there are differences in how NSIRA is assessing CSE programs vs OCSEC?)
Particularly shocking, to be honest, is NSIRA’s plan to introduce confidence statements linked to the completeness of information that is provided to them.
This is a 🚨🚨🚨 moment and should be read as such: NSIRA appears sufficiently concerned about how it gets information that it needs to alert the public/parliamentarians that its reviews may be incomplete or compromised by agency refusals to be reviewed.
(Me: This is a VERY serious and VERY newsworthy issue.)

In theory, confidence statements could demonstrate that NSIRA’s reporting includes all available information and we should further trust NSIRA’s conclusions.
But its inclusion alongside ‘tailored access’ & following a discussion of problems that arise when NSIRA can’t get access to information in a timely fashion speaks to this as a response to problems, not a way to reinforce the legality of intelligence community members’ activities.
Section: Review

Largely unchanged from past outputs from NSIRA, the body continues to focus on emerging technologies such as artificial intelligence, machine learning, quantum computing, and “big data”.
Given the pandemic, reviewers had challenges accessing materials and, in particular, “minimal access to the classified physical and electronic documents that must be protected in a secure environment, and that are critical to NSIRA’s work” (17).
This is (and will continue to be) a recurring theme in the report and raises questions of whether review was appropriately prioritized by government against the operating practices of Canada’s national security agencies.
CSIS Reviews
In addition to conducting reviews on threat reduction and the CSIS-RCMP relationship, two further reviews are forthcoming.

One focuses on CSIS’s technology programs and intelligence collection techniques.
The second is about duty of candour problems that have dogged CSIS & DoJ when before the Federal Court.

(Me: This latter review is rather unusually being led by Marie Deschamps (a former Supreme Court of Canada justice) and Craig Forcese (University of Ottawa law professor))
With regards to Threat Reduction Activities (TRAs) it’s notable some targets lacked “a rational link between the section of the individuals and the threat” meaning measures were not “reasonable and proportional” under the CSIS Act.
(Me: Put another way: CSIS was targeting people without the appropriate legal cover to do so.)

Further, CSIS regarded at least one kind of TRA as not requiring a warrant, and there was a lack of formalized documentation on getting requests approved.
NSIRA notes, in two separate paragraphs, that the TRA in question could affect Charter rights and freedoms. These are, again, 🚨🚨🚨 about a problem in this kind of activity.
The annual report also summarizes NSIRA’s prior report on CSIS-RCMP intelligence to evidence challenges (see: nsira-ossnr.gc.ca/review-of-the-…). The annual report provides a high level of clarity that, I found, was missing from the specific report.
(Me: if folks at NSIRA are listening, it’d be lovely for all your .pdfs like the CSIS-RCMP report to be OCRed for us overworked academics and members of the peanut gallery.)
The CSIS-RCMP intel report is worth reading in its own right. It clarifies the ‘intelligence to evidence’ problem, and how line officers are often stymied due to concerns about sources and methods at higher levels of the respective agencies.
It also makes clear that the RCMP is trying to avoid information so as to avoid contaminating their investigations, as much as CSIS being hesitant to share information.

(Me: The CSIS-RCMP report also notes that some of CSIS’ ‘clues’ are unhelpful…
… And also that One Vision 3.0 is supposed to fix a lot of the problems that are discussed. I’d love to see a review of how well One Vision 2.0 fixed up the problems that were found with version 1.0—how many problems are new versus how many just aren’t getting patched up?)
Positively, NSIRA’s report has stats on the number of warrants issued, the number of targets (aggregate) of warrants, the number of datasets that were evaluated and retained, number of Threat Reduction Measures approved (11) and executed (8), …
… as well as justification requests (where staff authorized to do things that otherwise they are not permitted to), and compliance incidents.
What do the stats reveal? First, no Canadian datasets were evaluated or retained, and 0 foreign datasets were evaluated and only 1 was retained. No requests were denied by the Intelligence Commissioner. Second, I think the compliance incidents will need more details in the future.
(Me: NSIRA could adopt practices of the UK’s Interception Commissioner, which has previously provided examples of what constituted an ‘incident’ to contextualize its data. This is needed in NSIRA reports if they are to elucidate what compliance incidents truly mean.)
Perhaps most seriously in the CSIS section: the Service has not developed policy documents to guide contemporary practice. 150 policy documents have needed updating in the past 2 years, and NSIRA doubts that CSIS is staffing to meet this challenge given the longstanding backlogs.
What does this mean? Without up-to-date policies, the chances of CSIS doing something it’s not authorized to do increases.

I liked that NSIRA called out a situation where CSIS was alerted to a problem internally and proactively alerted NSIRA *and* worked to fix the problem.
However, while this is a positive case it stands in direct juxtaposition to CSIS having 150 out of date policies: does it require an employee raising concerns for policies to get sorted out?
NSIRA’s outlining the reviews it’s going to do, plus future review topics, is great to see. I hope they continue the practice.

In the CSIS ‘Access’ section, it is very worth noting that NSIRA explicitly recognizes it was “generally satisfied with its access to CSIS”.
Of note, “in several instances in 2020, [CSIS employees] went to exceptional lens to assist NSIRA is [sic] completing its reviews whose timelines had themselves been disrupted by COVID-19.”
Now…onto CSE 😬
CSE Reviews
To begin, while NSIRA is committed to redacting and releasing past OCSEC reviews they warn that everything will be out of date, especially given that CSE now operates under new authorizing legislation (i.e., C-59, see: justsecurity.org/70519/a-deep-d…).
(Me: I think that NSIRA must recognize the broader importance of OCSEC reviews. They reveal history associated with CSE & thus important. Plus, releasing these will reveal whether the OCSEC had ‘teeth’ in making recommendations and the extent(s) to which CSE implemented them.)
The annual report summarizes the mainline findings of CSE’s disclosure of Canadian Identifying Information to Canadian partners. You can read about my thoughts (see: christopher-parsons.com/nsira-calls-cs…) or hear a conversation (see: intrepidpodcast.com/podcast).
Moving on, NSIRA found that CSE didn’t properly assess its obligations under international law when undertaking active or defensive cyber operations. CSE does *not* agree that it needs to do any more than it already is.
(Me: This is the second time in a few months where NSIRA and CSE disagree about CSE’s interpretations of law which permit its activities. Last time was about the Privacy Act.)
We learn that NSIRA will be completing some reviews of signals intelligence data retention.
When it comes to statistics and data, apparently the information that the OCSEC released—including the interception of Canadian private communications—cannot be released now due to national security concerns.
(Me: This is BS. I think that it’s hard/complicated to explain how private communications are counted and that CSE is scared of big numbers because of their counting methods combined with their mass surveillance of communications that captures loads of Canadian communications.)
More positively, we learn of how many reports (2100) were issued to how many clients (25).

(Me: It’d never come out, but I’d like to know how many included Canadian-collected information versus analysts combing through 2nd and 3rd party reports and intelligence.)
While lovely that CSE asserts it thinks its reports were useful, I wish that NSIRA could clarify if they *actually* were. Intelligence agencies commonly talk up their successes, even where none have genuinely transpired (see: nbcnews.com/news/world/nsa…).
Also good to know how many assistance requests have come through, though I’d appreciate a per-agency breakdown. I don’t think doing so would endanger national security.
I’m glad to see that CSE isn’t playing games and letting the Intelligence Commissioner produce some information about Ministerial Authorizations but blocking NSIRA from releasing the same information (for more, see: ).
Journalists and observers should pay CLOSE attention to CSE deciding what can/can’t be released about foreign cyber operations. CSE admitted—when an enterprising journalist just asked! (see: globalnews.ca/news/8429008/c…)—to using active cyber operations to target criminals.
(Me: If CSE can talk to journalist why exactly can’t they also disclose such information through the body *RESPONSIBLE FOR REVIEWING THEM*?)
In discussing a compliance error, it looks like (and I’m semi-speculating) a sensor system on “a certain type of infrastructure” was sending data to CSE that it wasn’t permitted to collect under the Ministerial Authorization(s) at the time.
(Me: I’m curious if this was a delta period between passing C-59 and updating MAs, or something else entirely.)
(Me: I have something I’m writing slowly, but I’d put hard money that this was linked to the EONBLUE/CASCADE system which was disclosed in the Snowden documents (see: christopher-parsons.com/writings/cse-s…). For CSE’s own sanitized discussion of the systems, now, see: cyber.gc.ca/en/host-based-….)
There’re many forthcoming reviews of CSE…all of which are delayed, including:

(1) review of information sharing across CSE’s mandates (this is a HUGE issue);
(2) review of active and defensive cyber operations;
(3) review of an activity conducted under foreign intel MA;
(4) a departmental study.

Future reviews will also look at: CSE’s assistance to CSIS; a cybersecurity activity (me: money is on host-based sensors); CSE’s vulnerability equities management framework (VEMF); AI-related stuff, a foreign SIGINT collection program; and …
… SIGINT retention.

It’s worth noting NSIRA is flagging intersections between activities and specific MAs, speaking to potential questions of whether CSE can conduct the activities it is now performing.
NSIRA notes their staff all have computers at CSE (me: the fact that they’re signalling this is sorta nuts) but that they can’t independently verify what CSE provides them, by accessing CSE’s own information repository.
As a result NSIRA has their whole ‘tailored access’ program they want to initiate, as well as targets for what timely access to information means + a way of reporting this to the public.
Buried in a footnote, NSIRA has 7 staff to review CSE. 7 people for an org of CSE’s size, while CSE is being obstinate in providing information to the reviewers means that we should question the ability of NSIRA to provide broad assertions of the legality of CSE’s operations.
Other Agencies’ Reviews
The CAF unit dealing with counter-intel isn’t taking the privacy implications of its investigations into consideration, nor is it well able to investigate white supremacists known to “pose an active counter-intelligence threat to DND/CAF”. That’s… not good.
More reviews of DND/CAF are coming on: HUMINT collection; and open source intelligence and medical collection activities.

NSIRA notes DND staff responsible for assisting them in review “were attentive to NSIRA requests” & provided access to people and information when required.
GAC was also reviewed for… something. No idea what this was about, though NSIRA notes that they were able to get access to information/people despite the pandemic. Note how this very secret review was still carried out in a pandemic… and without the problems NSIRA faced with CSE.
The RCMP have been reviewed, including about a “specialized RCMP intelligence unit” that will be finished soon. Also RCMP will be subject to more reviews in the future, which is important given the opacity of RCMP operations.
Immigration, Refugees and Citizenship Canada is going through a scoping review, which will help NSIRA to understand what to review in the future.
CBSA is currently being reviewed for its scenario-based targeting, surveillance, confidential human sources, lookouts, and joint force operations. Given CBSA lacks a formal reviewer it’s important that NSIRA turn its eye to this agency.
In a cross-departmental review, NSIRA looked to how agencies comply with the ‘Avoiding Complicity Act’ (i.e., don’t receive intelligence/information from places that torture people).
Departments lack a common approach to assessing risk of complicity and the government doesn’t want to use a uniform standard. So while one agency may refuse to obtain information from, say, Turkey, others will continue to receive it. 😮‍💨
Finally, NSIRA will be doing a report on public health intelligence.
(Me: There’s also a weird ‘NSIRA will release a 2020 report on SCIDA’ but I don’t understand if this is a typo or I just don’t understand what they’re communicating. Perhaps they’re just releasing a report they did a while back, but has been internal to government thus far? 🤷‍♂️)
Conclusion
In the conclusion we find that Canada’s *entire* national security community is being reviewed (in NSIRA) by… 58 people today (and a planned cap of around 100). And that’s up from 30 at NSIRA at the start of 2020!
(Me: I know there are other organizations (e.g. NSICOP, Intelligence Commissioner) but seriously we have what, 200ish people responsible for reviewing a *huge* chunk of government. With the caveat that 200ish may be inflating actual numbers?)
(Me: You can tell what a government cares about based on where it spends its dollars. Clearly it doesn’t really care about review of its national security agencies all that much. 😪)
NSIRA, finally, asks for feedback on its work. As a personal aside I can assure you that they listen, they care, and are trying hard. Reach out to them (or write a blog or, um, Twitter thread). They are watching and responsive!
Appendices
I’m the nerd that looks at Appendices in government reports. The ones included by NSIRA are excellent and the staff is to be 👏 for including them.
NSIRA’s framework for how they do review is helpful and I personally appreciated the discussion of how they worked to support staff in the pandemic. The reviews at a glance + findings and recommendations, together, is 🧨🧨🧨. Thank you NSIRA!
(Me: of note: some recommendations on CSIS’ TRMs aren’t being disclosed (p. 61), disagreements on CSE & international law (p. 66), issue of turnover in CAF doing counter-intel (p. 68), government refusal to implement major recommendations about ‘Avoiding Complicity Act’ (pp. 72-73).)
Finally, footnotes 28, 30, 31, 34, 37, and 39 are **VERY** interesting. These are golden nuggets of information, and I appreciate that NSIRA included them.
Anyways, sorry for cluttering your feeds. Thanks to the staff @nsiracanada for all their hard work on this.

And for journalists: the story of their report (for me)? There are a WHOLE LOT of flags being put up that CSE has been a problem to review, compared to everyone else.
