Capabilities of Canada's Communications Security Establishment

There's a new story about the hacking capabilities of Canada's Communications Security Establishment (CSE), based on the Snowden documents.

Posted on March 25, 2015 at 6:55 AM • 25 Comments

Comments

Clive Robinson • March 25, 2015 9:18 AM

Now here is an interesting admission,

In a written statement, though, it did say that some of the documents obtained by CBC News were dated and do "not necessarily reflect current CSE practices or programs."

Hmm that can be read as "used to be true" at or before the time of the documents....

Martin • March 25, 2015 9:44 AM

Importantly, these capabilities by themselves are being used as bargaining chips.

Clive Robinson • March 25, 2015 10:45 AM

This sort of comment,

Back in 2011, CSE envisioned creating a "perimeter around Canada" to better defend the country's interests from potential threats from other countries and criminals, raising the prospect the agency was preparing a broad surveillance program to target Canadians’ online traffic.

kind of annoys me when they say "perimeter", it gives entirely the wrong impression of what's involved not just from the defence but attack positions. It makes many politicos and others take up "magical thinking" thus they no longer see things the way they should and thus they will make mistakes that the IC will take significant advantage of.

When you are dealing with a network where anyone can connect to not just in the Canadian jurisdiction but outside as well there is no perimeter... Thus every host with a connection is a potential defender or attacker, and can not be told apart until an attack vector is used against it or from it, even then it may just be one link in a long chain, where identifying other connectivity to an attacking host is not realistic.

This much should be clear from well before the first usage of APT getting on for a decade ago.

If I got into a host six months ago and changed the BIOS or other Flash ROM in IO devices the chances are you have zero knowledge it is there. If I chose to put it in the HD controller then I can likewise store a whole load of payload out of sight where you can not find it. Thus when a time or other event triggers that payload the first you will know is when side effects start happening. Now multiply this by between ten thousand and a couple of million systems --as has been seen with bot nets-- that all kick off at the same time then you can see why the only realistic defence is to harden every host you can. Non deployed attack weapons will not be really of any use, because it's too late for them to do anything...

I'll let other people think through the strategic consequences of this for themselves, but the result is not going to be pretty...

Brian W • March 25, 2015 11:52 AM

I'm not sure the headlines for this match the actual data. The focus seems to be on CSE developing capabilities to do "false flag" and offensive cyber ops, but that's not what's in the documents that were released.

The documents include a PowerPoint slide that lists those capabilities as part of a spectrum of cyber activities in general, but does not say that they are capabilities Canada itself is doing.

gordo • March 25, 2015 1:38 PM

@ Clive Robinson

kind of annoys me when they say "perimeter",

I'm guessing that you're not alone:

A second crisis for the paradigm of perimeter control is upon us now and that is perhaps best exemplified with a commercial example. Let's count cores in the Qualcomm Snapdragon 801. The central CPU is 4 Cores, the Adreno 330 GPU another 4, Video Out is 1 more, the Hexagon QDSP is 3, the Modem is at least 2 and most likely 4, Bluetooth is another 1 as is the USB controller and the GPS. The Wifi is at least 1 and most likely 2, and none of this includes charging, power, or display. That makes somewhere between 18 and 21 cores. In the vocabulary of the Internet of Things, I ask you whether that is one thing or the better part of two dozen things? It is pretty certain that each of those cores can reach the others, so is the perimeter to be defended the physical artefact in the user's pocket or is it the execution space of each of those cores? (para. 33)


Source:
. T.S. Kuhn Revisited
. "Does a field make progress because it is a science,
. or is it a science because it makes progress?"
. Dan Geer, NSF, 6 January 15
http://geer.tinho.net/geer.nsf.6i15.txt

65535 • March 25, 2015 1:58 PM

This is the main question:

‘"Our network has been turned into a battlefield without any Canadian being asked: Should it be done? How should it be done?” says Parsons.’-cbc

http://www.cbc.ca/news/canada/communication-security-establishment-s-cyberwarfare-toolbox-revealed-1.3002978

Weaponization of the internet/phone system or taking the step of turning our communication system into a highly offensive weapons platform is completely different than having a neutral communications system where open conversations and commerce can occur.

Once our communications system is a weapons platform capable of delivering highly destructive malware, missile targets, spyware and drag net surveillance EVERYONE is affected.

Everyone includes, Lawyers, doctors, social workers, businessmen, and even children. All of our conversations, be they public or confidential are being vacuumed-up, recorded, analyzed and categorized for five years by this huge weapons system.

Each mobile phone that you bring into your office or home is a potential targeting device, malware delivery system and/or bug. This is very serious.

Before weaponizing of our communications system we should have a public debate on the controls of this new and broad weapons platform and its impact on society.

Obviously, we have not had such a debate. All of the decisions have been done in secret by a few powerful people – who have manufactured this weapons system with the public’s money.

That is not the democratic system as we know it. A public debate is very important. Without a debate democracy is subverted.

[Please excuse all of grammar and other errors]

Nick P • March 25, 2015 4:03 PM

@ gordo

The perimeter security idea was largely promoted by industry and mainstream types that thought firewalls plus hardening was securing a network. The high assurance security community, starting with BLACKER VPN paper, saw it differently: the device was a system; the network was a system of systems; analyze them in isolation and interaction.

Now, with focus on hardware, that same view should be expanded to include anything capable of executing code or storing data within a product. So what you described is a system (SOC) of systems (cores, network, etc.). Connected to a network, its interactions with the other systems constitute a new system.

Such is a better abstract framework for modern systems.

Tom • March 25, 2015 7:06 PM

Et tu Canada?

Well, why not? I guess. It seems every country in the world is setting up their own branch of official cyber gangsters and Stasi-like mass surveillance spies.

The part that bothers me, today, is there are apparently so very, very few elected officials in the world willing to stand up to them.

Bullies do because they can and there is no one in power with the courage to stand up to them. Also, millions of peasants don't care, don't know what's going on, or wouldn't care if they did.

Bad thing.

Arnold Ernest Fenwick MacIntosh-Somers • March 25, 2015 8:10 PM

Well I am sure the Canadian authorities will use their spying powers wisely.

www.globalresearch.ca/canadian-secret-police-and-bill-c-51-the-anti-terrorism-act-state-sanctioned-black-ops-and-cover-ups/5438567

Buck • March 25, 2015 10:31 PM

@gordo

Thank you for that! Suddenly all the T.S. Kuhn nonsense from my undergrad days now makes perfect sense to me for some reason. ;-)

The paradigms shift indeed...

There's room enough here, for science to live - And there's room enough here, for religion to forgive & try to understand all the people of this land!
I trust, you are adapting well to the new paradigm of a globally-interconnected land - cheers to all those from any country! :-D

NobodySpecial • March 25, 2015 10:55 PM

Difficult to believe
We receive funding from the Canadian government for a high tech innovations program. We are required to submit our reports by post because they can no longer receive email (for almost the last year) due to technical problems with their website.

If CSIS does have a secret spying program and massive database - they are probably doing it with punch cards

Buck • March 25, 2015 11:27 PM

@NobodySpecial

they are probably doing it with punch cards

Well, if their insider threat detection and physical security are up to par... I actually can't think of too many safer methods than that! ;-)

Wael • March 26, 2015 12:52 AM

@Buck, @NobodySpecial,

they are probably doing it with punch cards

They'll need to deplete their forests if that's the case. Where would they store all these cards? Sounds like Complete Nonsense Depository to me! Come to think of it, that's how Canada is spelled: CND! C, eh... N, eh... D, eh... :)

Buck • March 26, 2015 1:22 AM

@Insert Real Name

The previous and presumably ongoing mass collection of Canadians' communications-related information makes it logically impossible for CSE to state that its collection operations are "incidental": By designing and deploying infrastructure to domestically collect Canadians' personal information it is -- in the common sense use of the word -- "targeting" Canadians. And successfully advancing CSE's definitions of "target" and "incidental" depends on Canadians falling victim to spook sophistry, not on the sensibility of CSE's opaque and secretive definitions of popularly understood words.

This is just one more in a very long line of simple misunderstandings regarding the new 'science' of security... I think it all basically stems from the false dichotomy of "target" v. "incidental" (which I still see repeated again and again). How could any analyst worth their salt possibly hope to recognize a 'potential terrorist' without a baseline comparison of, oh so very many 'normal' citizens..? The traditional scientific method no longer applies to our current global society... For many important experiments these days, there can be no 'control' group - thanks to the exponentially increasing connectedness that we're experiencing now, all subjects are but only two to three hops away from the study's administrators; for many other experiments in the past century, having a proper control group has just/only proved too inconvenient. :-\

Justin Terceptingyourdata • March 26, 2015 6:00 AM

We at IIIII are just hoovering up your data and storing it offshore in China (it's cheap there). Don't worry, we are only after terrorists, pedos, activists, journalists, lawyers, CEOs, employees, bureaucrats, family members, admins, politicians, technicians, and others perhaps including drug sellers/buyers, people with unpaid parking/speeding fines, or those engaging in provocative speech.

Buck • March 26, 2015 10:48 PM

@Wael

They'll need to deplete their forests if that's the case.

I'd like to say that I missed your reply at the time, but the truth of the matter is that I was preoccupied by other more pressing concerns...

Has anyone anywhere ever honestly suggested a resource-efficient surveillance state!? Please note, I never said it would be a 'good idea'™ - I just thought it to be more 'safe' in the larger scheme of things as they are!

Wael • March 26, 2015 11:42 PM

@Buck,

I'd like to say that I missed your reply at the time, but the truth of the matter is that I was preoccupied by other more pressing concerns...

No worries my friend! I've got my share as well. Judging by the number of posts, I'd say it must be a common thing these days....

I just thought it to be more 'safe' in the larger scheme of things as they are!

It'd be also illogical to expect resource efficiency and environment protection to be high on their priority list.

Clive Robinson • March 27, 2015 6:16 AM

@ Wael,

No worries my friend! I've got my share as well. Judging by the number of posts, I'd say it must be a common thing these days....

It's a trend I've seen here for quite some time, and I'm not sure if it applies to the number of reads as well.

I've thought of a number of reasons, including but not limited to,

1, A chilling effect.
2, Other formats.
3, Increasing numbers of blogs.
4, Paucity of subject matter.

From memory the second "banking crisis" certainly appeared to have an effect, in that "work time" posts were diminished but the general daily level of posts was not diminished as much. The chasing of wikileaks by the US and other governments likewise appears to have had an effect as has BO's hounding of whistleblowers. But Ed Snowden's revelations also appear to have had rather more than a subtle "chilling effect".

But humans move on and more inane methods of communication arise as "opiates of the masses", FaceCrook and T'whitless have become the "instant in crowd" of near vacuous thoughtless commentary, and thus unsurprisingly of more recent times significant civil and criminal sanctions.

There is also the "wannabe me too" mentality, when Bruce started his public activities via Cryptogram etc, blogs did not really exist, yes there were and still are newsgroups and lists, but the blog format was later. As an early adopter Bruce did not have much competition and thus was "one of the few games in town". Now however there are well in excess of several thousand security related blogs, so much so we get "top 100 lists" [1] to guide us... and it does not take long to realise that many are biased in some way to carve out a niche much like "shock jocks" etc have done in the past.

Then there is the question of "contents" back in the early days it was real "technical meat" you could sink your teeth into, good papers were appearing like autumn leaves chased by a blower. Now commentary is such that a month or more will go by without an academic paper of interest and technical comments are mainly "re hashed/heated" from past technical comments.

As others have no doubt noticed even my comments are a lot shorter than they used to be and I'm a tad more cautious about what I say.

However Bruce has likewise shortened his posts, and makes few comments outside of the obvious facts any more, and "snake oil" slithers by. Now there could be several reasons for this --I've mentioned a few in the past when people have asked why I don't have my own blog-- but it leaves regulars with a disconnected feeling... and as we have seen quite a few no longer post, or I suspect even read this blog.

[1] http://ddosattackprotection.org/blog/cyber-security-blogs/

Wael • March 27, 2015 8:46 AM

@Clive Robinson,

Or workload and other work related reasons. I noticed the silence a few times previously and couldn't correlate it with other events. Maybe more people realized it's a lost game and gave up?

Clive Robinson • March 27, 2015 10:49 AM

@ Wael,

"Work Pressure / Stress" is a form of "chilling effect", in that if you feel you have to devote more hours and effort to an employer than you are either paid for or have to stop being a normal human to fulfil just to keep "bread on the table" then you are without doubt being both exploited and oppressed. And your only likely reward is a painful path to an early grave...

There is also the aspect of "being busy to keep your mind off of things", it might be --questionably-- beneficial for those with strong negative emotions but, what if it's stopping you realising you are being oppressed and having your freedoms stolen from you and those you love...

Whilst there is "good stress" that spurs you on at critical times, unless you deal with it carefully it becomes health damaging bad stress. Which is why there is a degree of truth in the "work hard play hard" saw. You need the physical exercise to burn out the stress hormones etc irrespective of if the stress was constructive or destructive.

There are three basic parts to life and they should be in balance, you need to rest, work and play in health appropriate amounts. I know from bitter experience what happens when you don't and you eventually have to pay the price for ignoring it twenty years or so down the line, when those little aches and pains you thought you could run/work through in your twenties or thirties come back as crippling auto immune issues.

You hear pundits saying that as we live longer we cost more in health care etc. What they don't get around to talking about is the three ways to die. The first is an unfortunate event such as an accident, there is little you can do to avoid this. The second way to die is to just get old in good health until a very short period before you die, this is the way nature designed you to go. The third and health care wise the real cost problem is a long slow and painful death over months or years, usually caused by life style issues triggering individual susceptibilities. Some of these life style issues you have control over such as smoking / drinking / eating / mental & physical exercise etc. But many you don't, such as hidden environmental issues, many of which are suspected or known by a select few but vested business issues conspire in many ways to keep them hidden from you. The problem with this is trying to differentiate proven scientific fact from unproven untested ideas, because like it or not the placebo effect is real, like it or not, which suggests there's a lot more to know about "mind over matter" when it comes to health.

Wael • March 27, 2015 7:01 PM

@Clive Robinson,

And your only likely reward is a painful path to an early grave...

I'm walking the path. Maybe I'll get the early bird special...
