Freeze, Colin - How CSEC became an electronic spying giant - The Globe and Mail 20131130
It is known as “Camelot,” and it is believed to be among the most expensive government buildings Canada has ever built.
Next year, the analysts, hackers and linguists who form the heart of Communications Security Establishment Canada are expected to move from their crumbling old campus in Ottawa to a gleaming new, $1-billion headquarters.
It is the physical manifestation of just how far the agency has come since Sept. 11, 2001. Before those attacks, it was known as Canada’s other spy agency – an organization created to crack Communist codes more than seven decades ago, but rendered rudderless after the collapse of the Soviet Union. The agency’s biggest victory of the 1990s, insiders say, was its behind-the-scenes role in the seizure of a Spanish trawler during the Turbot Wars, a 1995 fishing dispute off the Grand Banks of Newfoundland.
But now, where it once focused on vacuuming up Russian radio signals from Arctic bases, its surveillance reach is global: Its leaders now speak of “mastering the Internet” from desktops in Ottawa. In 1999, it had a shrinking budget of $100-million a year and a staff of about 900. Today, CSEC (pronounced like “seasick” ever since “Canada” was appended to the CSE brand) has evolved into a different machine: a deeply complex, deep-pocketed spying juggernaut that has seen its budget balloon to almost half a billion dollars and its ranks rise to more than 2,100 staff.
Canadian taxpayers spent $300-million a year on the nation’s two intelligence agencies before the attacks of Sept. 11, but the bill for spying is now coming in at more than $1-billion. That’s because the Canadian Security Intelligence Service has also been bulked up into a $535-million-a-year agency, up from $180-million in 1999.
There are key differences between the agencies. CSIS’s “human intelligence” spies are like stay-at-home defencemen – they work largely in Canada to generate reports about security threats to Canada. CSEC’s “signals-intelligence” spies can go as far as their computers can take them and are afforded an open-ended curiosity to explore issues far beyond Canada’s borders.
An increase in intelligence investment was inevitable after 9/11 – no government wanted to risk a reprise of an al-Qaeda strike. Yet Canadian spending is continuing to rise, even as the terror threat arguably fades.
That kind of arithmetic is being thrown into sharp relief by the ongoing leaks from former U.S. intelligence contractor Edward Snowden, whose disclosures are spawning an unprecedented global referendum on spying. As Canada and its allies seek to bolster national security, they are raising eyebrows among defenders of personal freedom at home and risking long-term damage on the diplomatic stage.
The strains wrought by the Snowden slides are showing. This week it was reported that CSEC may have invited its closest ally, the U.S. National Security Agency, to come to Canada to spy on world leaders attending the 2010 G20 summit in Toronto.
In October, Brazil’s President accused Canada of “cyberwar” after CSEC was revealed to have spied on that country’s energy sector. That same month, a European Union summit was dominated by calls for U.S. President Barack Obama to explain why the NSA had been targeting the mobile phones of German Chancellor Angela Merkel and French Prime Minister François Hollande.
Canadian officials won’t answer questions about operations. But the opacity surrounding CSEC is high, even by the standards of Western spy agencies. Some of its key architects say the current level of secrecy is unsustainable.
‘It’s the public’s bloody money’
You don’t have to understand the technology of modern spying to grasp the motivations behind it.
“When our Prime Minister goes abroad, no matter where he goes, what would be a boon for him to know?” said John Adams, chief of CSEC from 2005 through early 2012. “Do you think that they aren’t doing this to us?”
The retired spymaster is among the agency’s biggest boosters. But in an interview with The Globe and Mail, he said even he is warming up to the idea of more outside scrutiny – or what’s called “review” in Ottawa parlance.
“What I’m saying is you either get some more review or you’re going to run out of money,” he said. “You’ve got to get the public engaged somehow. It’s the public’s bloody money. And it is getting to be not-insignificant amounts of money.”
CSEC is only going to continue to grow, said Mr. Adams, who doubled the budget from $200-million to $400-million during his seven-year run. When he headed the agency, he made a point of bringing important civil servants in for show and tells about CSEC capabilities.
“This is what we got. They said, ‘Holy … this is the best-kept secret in NATO,’ ” Mr. Adams said. “And I said, ‘Now, what you’ve given us is good – but it’s not enough. We need more.’ ”
Electronic spying is expensive. Keeping hackers out of Canadian government computer systems, running some of the world’s fastest supercomputers and storing data in bulk costs money. Mr. Adams even made a point of hiring top mathematicians, with salaries exceeding his own, so CSEC could better crack encryption.
“We wanted to play with the big boys,” said Mr. Adams, who tends to measure CSEC against the much larger NSA.
Despite the vast discrepancy in size, the relationship between the two agencies has always been very close. The partnership is so cozy that CSEC analysts in Ottawa can sift through massive databases of logged telecommunications traffic first assembled at the NSA headquarters in Fort George G. Meade, Md. – repositories with code names such as “Marina” and “EvilOlive,” according to materials seen by The Globe.
CSEC also has a hungry clientele strewn across the federal bureaucracy. An internal document obtained by The Globe names a few of the customers: “CSEC provides intelligence reporting to over 1,000 clients across government, including the Privy Council Office, DND, Foreign Affairs and International Trade, Treasury Board Secretariat, CSIS and the RCMP.”
Then there are Canada’s allies. While a relatively small collector compared to the NSA, CSEC has always tried to fill in blind spots for allies and to come up with better ways to sift through reams of raw intelligence.
“The NSA is intercepting the equivalent of four Library of Congresses every hour,” U.S. military historian Matthew Aid said. “One of the things Canada does very well is analysis.”
Since the 1940s, the two agencies have also worked closely with British, New Zealand and Australian counterparts. This is the spying collective known as “the Five Eyes.”
“Canada benefits tremendously” from this partnership, reads a CSEC PowerPoint presentation obtained by The Globe.
“It is precious,” a slide says. “Treat it with Care!”
‘I couldn’t possibly talk about it’
In Britain and the United States, committees of trusted, watchdog politicians are afforded a peek inside their surveillance machinery.
Canada has no mechanism for this.
“We’re the only country out of the Five Eyes that doesn’t have that kind of body,” said Liberal MP Wayne Easter, who this month introduced a private member’s bill for such a mechanism. (A 2005 piece of legislation for the same sort of body had broad approval, but then the Liberal government of the day fell.)
Parliament’s only insights into CSEC now come via a proxy. Since 1996, a retired judge with a small staff is cleared to look at CSEC. No laws have ever been found to have been broken, according to the annual reports submitted to Parliament.
A former top security official said the parameters may be too narrow. “All he’s asked to do is say, ‘Are they following the law?’ ” the official said. “And that’s an important question. But you have to ask yourself: Is that sufficient?”
In Britain, nine trusted parliamentarians are cleared to keep state surveillance in check. In the United States, the NSA faces scrutiny from House and Senate select committees on intelligence. Specialized judges who sit on foreign intelligence surveillance courts also vet NSA programs.
Yet the NSA is an incredibly aggressive agency. And its political masters have been known to do end runs around all the watchdogs.
For example, on March 12, 2004, U.S. President George W. Bush reined in a secret NSA Internet-metadata collection program that he had managed to keep secret for three years. He relented only after his top law enforcement officials learned of the program, deemed it illegal and threatened to resign en masse.
What many Canadians don’t know is that secretive surveillance authorizations can also happen north of the border, with the blessing of the Minister of National Defence.
Records obtained by The Globe show that on Monday, March 15, 2004 – three days after the U.S. program was peeled back – a “ministerial directive and a ministerial authorization” regarding a Canadian Internet-metadata collection program was signed in Ottawa.
Just what this program would do remains unclear. The Globe, which has previously reported on similar CSEC directives signed by later ministers, only knows about the 2004 program through a highly redacted document obtained under the Access to Information Act.
Nearly a decade later, no one will speak to the program. “Even if I remembered the full details, I couldn’t possibly talk about it,” said David Pratt, the former Liberal defence minister who signed the document.
Now a defence lobbyist with a picture of himself and former U.S. counterpart Donald Rumsfeld in his office, he won’t spill secrets.
“You swear an oath as a privy councillor on these things …”
‘CSEC had gone blind’
For several decades, the very existence of CSEC was considered classified. Canadians first learned of the spy agency in the 1970s through a TV newsmagazine exposé.
In 2001, Parliament passed the omnibus Anti-Terrorism Act that ensconced CSEC in law. The statute states that its surveillance “shall not be directed at Canadians,” but some wiggle room was quickly added – the spy agency was placed beyond criminal laws that ban the warrantless seizure of Canadian telecommunications.
So while police have to get a judge to sign off if they want to eavesdrop on a Canadian, CSEC doesn’t necessarily have to do so. Instead, the agency can get the defence minister to sign off on a spying dragnet, so long as the minister is convinced that it is being cast predominantly at foreigners. Any Canadian calls and messages that are sucked up in the process can be sorted out later.
This legal cover allowed CSEC to get into the business of “bulk” data collection. Within the agency, this was huge. In the 1990s, “CSEC had gone blind. They were deaf and dumb,” said Mr. Adams, the former chief.
The agency, he said, had risked becoming a relic because it hadn’t yet figured out how to spy on the Internet without breaking laws.
“They couldn’t monitor Osama bin Laden in 1999 … they didn’t know that they were not going to hit a Canadian,” he said. “And if they would have hit a Canadian, they would have gone to jail.”
The Anti-Terrorism Act also formalized an arrangement where other federal security agencies could enlist CSEC’s unique skills to advance domestic investigations. Records obtained by The Globe show that CSEC now gets 70 to 80 such requests each year, from the RCMP, CSIS and other agencies.
This week it was revealed that a Federal Court judge has ruled CSIS “breached its duty of candour” in enlisting CSEC for one such case. The issue appears to be that the court was not told that CSEC’s Five Eyes allies would be brought in on the case, an international terrorism investigation focusing on two Canadian suspects. The surveillance on them lasted for a year. It’s not clear what happened to the tandem.
CSEC has never had a higher profile. If recent months are any indication, there will be more Snowden leaks coming and more news about questionable spying operations run in partnership with the NSA and other Five Eyes allies.
CSEC officials decline to say anything of substance about their operations. They say only that they have never been found to have done anything unlawful.
Meantime, parliamentarians are raising questions about CSEC. Out West, the British Columbia Civil Liberties Association is suing CSEC for alleged illegal search and seizure. The lawsuit – the first of its kind – threatens to crack open key details about CSEC’s activities.
For critics, this all adds up to a good thing. “It’s up to the government and up to courts and up to citizens to ensure there are adequate measures in place to ensure some degree of accountability and transparency,” said Steven Penney, a University of Alberta law professor. “If we are going to have a new paradigm … then we ought to have a debate about that – and that hasn’t occurred.”
For his part, Mr. Adams said there are places for proper debates – mostly behind closed doors. “You can’t have the debate in the public. The best you could hope for is if you have a [parliamentary] review committee – it’s been talked about for 10 years.”
Maybe it’s time to do more than talk, he said. “How do you get that debate? You get that, I hope, by clearing people, so you can actually tell them what the hell is going on.”
CSEC by the numbers
$96.3-million – CSEC’s budget in 1999
$460.9-million – CSEC’s budget in 2013
900 – Number of employees in 1999
2,124 – Number of employees in 2013
1,000+ – Number of “clients” in the civil service cleared to read CSEC material
59 – Minimum number of CSEC “ministerial authorizations” signed since 2001
69 to 80 – Requests for legal assistance received annually by CSEC from other federal agencies
$15-billion – Combined budget of the “Five Eyes” signals-intelligence agencies
Sources: Lux Ex Umbra blog, Globe and Mail Access to Information files, BCCLA lawsuit