Communications Security Establishment's cyberwarfare toolbox revealed
Mexico, North Africa, Middle East among targets of cyber-spy hacking
Top-secret documents obtained by the CBC show Canada's electronic spy agency has developed a vast arsenal of cyberwarfare tools alongside its U.S. and British counterparts to hack into computers and phones in many parts of the world, including in friendly trade countries like Mexico and hotspots like the Middle East.
The little-known Communications Security Establishment wanted to become more aggressive by 2015, the documents also said.
Revelations about the agency's prowess should serve as a "major wakeup call for all Canadians," particularly in the context of the current parliamentary debate over whether to give intelligence officials the power to disrupt national security threats, says Ronald Deibert, director of the Citizen Lab, the respected internet research group at University of Toronto's Munk School of Global Affairs.
"These are awesome powers that should only be granted to the government with enormous trepidation and only with a correspondingly massive investment in equally powerful systems of oversight, review and public accountability," says Deibert.
Details of the CSE's capabilities are revealed in several top-secret documents analyzed by CBC News in collaboration with The Intercept, a U.S. news website co-founded by Glenn Greenwald, the journalist who obtained the documents from U.S. whistleblower Edward Snowden.
The CSE toolbox includes the ability to redirect someone to a fake website, create unrest by pretending to be another government or hacker, and siphon classified information out of computer networks, according to experts who viewed the documents.
The agency refused to answer questions about whether it's using all the tools listed, citing the Security of Information Act as preventing it from commenting on such classified matters.
In a written statement, though, it did say that some of the documents obtained by CBC News were dated and do "not necessarily reflect current CSE practices or programs."
Hacking spans globe
Canada's electronic spy agency and the U.S. National Security Agency "cooperate closely" in "computer network access and exploitation" of certain targets, according to an April 2013 briefing note for the NSA.
Their targets are located in the Middle East, North Africa, Europe and Mexico, plus other unnamed countries connected to the two agencies' counterterrorism goals, the documents say. Specific techniques used against the targets are not revealed.
Deibert notes that previous Snowden leaks have disclosed that the CSE uses the highly sophisticated WARRIORPRIDE malware to target cellphones, and maintains a network of infected private computers — what's called a botnet — that it uses to disguise itself when hacking targets.
Other leaked documents revealed back in 2013 that the CSE spied on computers or smartphones connected to Brazil's mining and energy ministry to get economic intelligence.
But the latest top-secret documents released to CBC News and The Intercept illustrate the development of a large stockpile of Canadian cyber-spy capabilities that go beyond hacking for intelligence, including:
- destroying infrastructure, which could include electricity, transportation or banking systems;
- creating unrest by using false flags — i.e., making a target think another country conducted the operation;
- disrupting online traffic by such techniques as deleting emails, freezing internet connections, blocking websites and redirecting wire money transfers.
It's unclear which of the 32 cyber tactics listed in the 2011 document are actively used or in development.
'In Canada's interests'
Some of the capabilities mirror what CSE's U.S. counterpart, the NSA, can do under a powerful hacking program called QUANTUM, which was created by the NSA's elite cyberwarfare unit, Tailored Access Operations, says Christopher Parsons, a post-doctoral fellow at the Citizen Lab, one of the groups CBC News asked to help decipher the CSE documents. QUANTUM is mentioned in the list of CSE cyber capabilities.
Publicizing details of QUANTUM's attack techniques fuelled debate south of the border about the project's constitutionality, says Parsons, who feels a debate is needed here in Canada as well.
"Our network has been turned into a battlefield without any Canadian being asked: Should it be done? How should it be done?" says Parsons.
National security expert Christian Leuprecht says the wide spectrum of cyber capabilities should come as no surprise, considering Canada's stature as an industrialized country and partner in the influential Five Eyes spying network, which also includes the U.S., U.K., New Zealand and Australia.
"I think it's in Canada's interest to have full-spectrum capability, because if or when the issue does arise, then we want to make sure we can be a major player in taking our collective security interest into our hands," says Leuprecht, a fellow at Queen's University's Centre for International and Defence Policy and professor at the Royal Military College.
Leuprecht adds, however, that "simply having that capability doesn't necessarily mean we're going to deploy" it.
He also claims Canada has "very explicitly" decided — for now — not to become embroiled in a dangerous cyberwar by using its most destructive tools to attack other countries, citing the example of the mysterious shutdown of North Korea's internet following that country's alleged hacking of Sony Pictures.
Canada also faces practical limitations in deploying some of these tools, such as money and strict laws, he says.
Seeking approval for more disruption
According to the documents, the CSE wanted more aggressive powers for use both at home and abroad.
In 2011, the Canadian agency presented its vision for 2015 to the Five Eyes allies at a conference.
"We will seek the authority to conduct a wide spectrum of Effects operations in support of our mandates," the top-secret presentation says.
Effects operations refer to manipulating and disrupting computers or devices.
CSE said in a written statement: "In moving from ideas or concepts to planning and implementation, we examine proposals closely to ensure that they comply with the law and internal policies, and that they ultimately lead to effective and efficient ways to protect Canada and Canadians against threats."
Experts say the Anti-Terrorism Act, Bill C-51, currently being debated, could legalize use of some of the capabilities outlined in these classified documents.
Though the act would give CSIS, Canada's domestic intelligence agency, the power to disrupt threats to the security of Canada both at home and abroad, the Canadian Security Intelligence Service relies on its sister service, the CSE, for technical help with surveillance and infiltration of cellphones and computers.
"With Bill C-51, we're seeing increased powers being provided to CSIS, and that could mean that they would be able to more readily use or exploit the latent domestic capabilities that CSE has built up," says Parsons.
A 'perimeter around Canada'
In an increasingly hostile cyberspace, Canada has also turned its attention to figuring out ways to better protect itself against such attacks.
Back in 2011, CSE envisioned creating a "perimeter around Canada" to better defend the country's interests from potential threats from other countries and criminals, raising the prospect the agency was preparing a broad surveillance program to target Canadians' online traffic.
At the time, "full visibility of our national infrastructure" was among its goals, according to a planning document for 2015. Security analysts wanted the means to detect an attack before it hit a target like a government website.
"If we wish to enable defence, we must have intelligence to know when attacks enter our national infrastructure," the 2011 top-secret CSE presentation says.
The agency would not answer how far it got with the 2015 plan. A spokesman called some of the documents obtained by CBC dated and said they "explored possible ideas."
As a result, the information "does not necessarily reflect current CSE practices or programs," the agency said in a written statement.
"Logically, it makes perfect sense" that CSE wanted to monitor all traffic coming in and out of the country, says Deibert.
"The problem is the techniques they have at their disposal, the capabilities, if they are indeed in place, are dual use and could be abused."
List of documents:
- CASCADE: Joint Cyber Sensor Architecture
- NSA memo on intelligence relationship with CSE
- CSEC Cyber Threat Capabilities
- Cyber Threat Detection
- CSEC SIGINT Cyber Discovery
- CSE response to CBC's questions
CBC is working with U.S. news site The Intercept to shed light on Canada-related files in the cache of documents obtained by U.S. whistleblower Edward Snowden.
The CBC News team — Dave Seglins, Amber Hildebrandt and Michael Pereira — collaborated with The Intercept's Glenn Greenwald and Ryan Gallagher to analyze the documents.
With files from The Intercept's Ryan Gallagher and Glenn Greenwald