CSE RESPONSE TO CBC’s QUESTIONS

CBC's INITIAL QUESTIONS TO CSE ON "CYBER NETWORK DEFENCE" (February 2, 2015)

Q1. How much data and metadata does CSE currently collect and filter for cyber threats in its mandate B programs?
Q2. How long is this data and metadata (collected through mandate B) retained by CSE?
Q3. Why is it retained? For what purpose?
Q4. Is it ever deleted? If so, when?
Q5. Does CSE share details about communications collected under mandate B with the RCMP, CSIS or our allies? What about the metadata?
Q6. If so, for what and under what circumstances?
Q7. If not, how is the data and metadata gathered under mandate B protected from use under CSE’s other mandates?
Q8. How is the privacy of an individual Canadian protected should CSE’s cyber defence programs detect a threat contained in an individual’s communications to (or from) the government?

CSE's INITIAL RESPONSE (February 13, 2015)

Under its cyber security mandate, CSE collects data and metadata that is relevant and necessary to understand the nature and methods of malicious cyber threats. This information is then used to detect and defend government information and information networks.

Data and metadata are deleted according to established data retention schedules that are documented in internal policies and procedures. To provide more detail could assist those who want to conduct malicious cyber activity against government networks.

Any information used, retained or shared relates to the capabilities, intentions and activities of malicious cyber threat actors, and is used to detect and defend government systems and prevent future threats. For example, data or metadata could contain information that relates to a cyber threat actor’s methods and techniques, such as malware.

CSE’s foreign intelligence and cyber security operations are managed separately through their respective internal policy frameworks.
Information collected under our foreign intelligence and cyber security mandates is managed separately. When information is shared between the two operational areas, it is to help better understand malicious cyber threats so that we can more effectively defend government systems.

Under our assistance mandate, CSE provides technical assistance to federal law enforcement and security agencies only at their specific request, and only under the requesting agency’s legal authority, such as a warrant. CSE does not direct its foreign intelligence activities at Canadians or anyone in Canada.

Privacy protections are built into the laws and policies governing CSE’s activities. The Ministerial Directive on Privacy requires that measures be taken to protect the privacy of Canadians, and that appropriate policies and procedures are in place for the handling, retention, use and destruction of information about Canadians.

The independent CSE Commissioner and his staff review CSE’s activities. In 17 years, the CSE Commissioner has never found CSE to have acted unlawfully.

To provide some broader context on the cyber threat environment:

The cyber threat environment is incredibly complex and is constantly changing and evolving. Government of Canada networks and systems represent a large infrastructure to protect: there are more than 57,000 servers and 9,000 internet connections.

Government networks are an especially attractive target to various cyber threat actors. Government systems are probed 75-80 millions of times each day. Cyber threat actors are constantly probing government systems and networks looking for vulnerabilities. These threats are persistent. Malicious cyber activities are becoming more frequent and more sophisticated.
The information they target within government systems covers a variety of subjects, including for example, intellectual property for economic advantage; national security and defence information; or personal information that can be used for on-line criminal activity.

There are four broad categories of cyber threat actors: Hacktivists, activists who attempt to infiltrate computers and computer networks; Criminals, who use the internet as an underground economy rooted in criminal activity; Terrorist organizations, or their proxies, who use cyber space to disrupt activity on legitimate sites and post propaganda; and Nation states, who conduct cyber operations mostly to enable espionage and disruptive or destructive activities. CSE estimates that there are now more than 100 nations that possess the ability to conduct cyber operations on a persistent basis.

CSE defends government networks from malicious cyber activity using techniques similar to the defensive measures that any responsible large system operator would take using commercial technologies. However, in addition, CSE uses its foreign intelligence capabilities to identify and to better understand the nature and methods of foreign threat actors who are trying to exploit our systems. With this knowledge, CSE broadens protective measures against malicious cyber activities beyond what is commercially available.

As noted in Canada’s Cyber Security Strategy of 2010, cyber is a borderless global issue, and it needs global approaches and solutions. Internationally, CSE works with its partners in the Five Eyes intelligence partnership (Canada, the United States, the United Kingdom, Australia and New Zealand). Intelligence gathered and shared within this trusted alliance greatly improves and advances Canada’s cyber security posture.

Nationally, the strategy also notes that cyber security is a team sport that requires involvement across all levels of government and the private sector.
CSE works closely with the Canadian Cyber Incident Response Center at Public Safety Canada who coordinates the sharing of cyber threat information beyond the federal government.

CBC Follow-Up Questions to CSE (February 18, 2015)

1. What are CSE's deletion and retention schedules for emails and data of Canadians collected under CSE's "Mandate B" to protect government networks from cyber threats?
2. When/how soon after their collection does CSE delete the "Mandate B" emails of Canadians that are scanned and found to pose no cyber security threat?
3. From the CSE presentations it is clear most of the "Mandate B" filtering of Canadians' emails/attachments/data to and from government networks is automated. What access do CSE analysts have to the raw collected data/emails/etc that are found through automated filtering to pose no threat?
4. Can the raw data/emails/etc collected under "Mandate B" and found to pose no threat (through automated filtering) be accessed or used in any way for CSE's other surveillance mandates (A - collection of foreign intelligence, or C - assistance to law or intelligence agencies)?

CSE Official Response (February 23, 2015)

As promised, here is CSE’s official response to your additional four questions for Wednesday’s story:

Any information used or retained under our cyber security mandate relates to the capabilities, intentions and activities of malicious cyber threat actors, and is used to detect and defend government systems and prevent future threats. For example, data or metadata could contain information that relates to a cyber threat actor’s methods and techniques, such as malware.

Specific communications are examined if they are suspected to relate to a cyber threat that could harm Government of Canada systems and networks, and the important information they contain.
Data and metadata used to help protect the Government of Canada’s systems and networks are deleted according to established data retention schedules, which are documented in internal policies and procedures.

To provide specific details on data retention schedules could assist those who want to conduct malicious cyber activity against government networks. If cyber threat actors were to obtain CSE’s data retention schedules, they could use this knowledge to develop tactics or techniques that evade detection.

According to the ministerial authorizations and internal policy frameworks that govern and guide CSE activities, CSE’s IT Security analysts only use and retain information that is necessary and relevant to identify, isolate or prevent harm to Government of Canada computer networks or systems. Data that is found to pose no threat and that is not necessary and relevant to identify, isolate or prevent harm to Government of Canada computer networks or systems cannot be used or retained, and is deleted.

Data collected under CSE’s IT Security mandate that is found to pose no threat cannot be accessed or used for its foreign intelligence or technical assistance mandates.