
CSE RESPONSE TO CBC's QUESTIONS

CBC's INITIAL QUESTIONS TO CSE ON "CYBER NETWORK DEFENCE" (February 2, 2015)


Q1. How much data and metadata does CSE currently collect and filter for cyber threats in its mandate B
programs?
Q2. How long is this data and metadata (collected through mandate B) retained by CSE?
Q3. Why is it retained? For what purpose?
Q4. Is it ever deleted? If so, when?
Q5. Does CSE share details about communications collected under mandate B with the RCMP, CSIS or
our allies? What about the metadata?
Q6. If so, for what and under what circumstances?
Q7. If not, how is the data and metadata gathered under mandate B protected from use under CSE's
other mandates?
Q8. How is the privacy of an individual Canadian protected should CSE's cyber defence programs detect
a threat contained in an individual's communications to (or from) the government?
CSE's INITIAL RESPONSE (February 13, 2015)
Under its cyber security mandate, CSE collects data and metadata that is relevant and necessary to
understand the nature and methods of malicious cyber threats. This information is then used to detect
and defend government information and information networks.
Data and metadata are deleted according to established data retention schedules that are documented in
internal policies and procedures. To provide more detail could assist those who want to conduct malicious
cyber activity against government networks.
Any information used, retained or shared relates to the capabilities, intentions and activities of malicious
cyber threat actors, and is used to detect and defend government systems and prevent future threats. For
example, data or metadata could contain information that relates to a cyber threat actor's methods and
techniques, such as malware.
CSE's foreign intelligence and cyber security operations are managed separately through their respective
internal policy frameworks. Information collected under our foreign intelligence and cyber security
mandates is managed separately. When information is shared between the two operational areas, it is to
help better understand malicious cyber threats so that we can more effectively defend government
systems. Under our assistance mandate, CSE provides technical assistance to federal law enforcement
and security agencies only at their specific request, and only under the requesting agency's legal
authority, such as a warrant.

CSE does not direct its foreign intelligence activities at Canadians or anyone in Canada.
Privacy protections are built into the laws and policies governing CSE's activities. The Ministerial Directive
on Privacy requires that measures be taken to protect the privacy of Canadians, and that appropriate
policies and procedures are in place for the handling, retention, use and destruction of information about
Canadians.
The independent CSE Commissioner and his staff review CSE's activities. In 17 years, the CSE
Commissioner has never found CSE to have acted unlawfully.
To provide some broader context on the cyber threat environment:
The cyber threat environment is incredibly complex and is constantly changing and evolving. Government
of Canada networks and systems represent a large infrastructure to protect: there are more than 57,000
servers and 9,000 internet connections. Government networks are an especially attractive target to
various cyber threat actors. Government systems are probed 75-80 million times each day.
Cyber threat actors are constantly probing government systems and networks looking for vulnerabilities.
These threats are persistent. Malicious cyber activities are becoming more frequent and more
sophisticated. The information they target within government systems covers a variety of subjects,
including for example, intellectual property for economic advantage; national security and defence
information; or personal information that can be used for on-line criminal activity.
There are four broad categories of cyber threat actors:
Hacktivists, activists who attempt to infiltrate computers and computer networks;
Criminals, who use the internet as an underground economy rooted in criminal activity;
Terrorist organizations, or their proxies, who use cyber space to disrupt activity on legitimate sites and
post propaganda; and
Nation states, who conduct cyber operations mostly to enable espionage and disruptive or destructive
activities. CSE estimates that there are now more than 100 nations that possess the ability to conduct
cyber operations on a persistent basis.
CSE defends government networks from malicious cyber activity using techniques similar to the defensive
measures that any responsible large system operator would take using commercial technologies.
However, in addition, CSE uses its foreign intelligence capabilities to identify and to better understand the
nature and methods of foreign threat actors who are trying to exploit our systems. With this knowledge,
CSE broadens protective measures against malicious cyber activities beyond what is commercially
available.
As noted in Canada's Cyber Security Strategy of 2010, cyber is a borderless global issue, and it needs
global approaches and solutions. Internationally, CSE works with its partners in the Five Eyes intelligence
partnership (Canada, the United States, the United Kingdom, Australia and New Zealand). Intelligence
gathered and shared within this trusted alliance greatly improves and advances Canada's cyber security
posture. Nationally, the strategy also notes that cyber security is a team sport that requires involvement
across all levels of government and the private sector. CSE works closely with the Canadian Cyber
Incident Response Center at Public Safety Canada who coordinates the sharing of cyber threat
information beyond the federal government.

CBC Follow-Up Questions to CSE (February 18, 2015)


1. What are CSE's deletion and retention schedules for emails and data of Canadians collected under
CSE's "Mandate B" to protect government networks from cyber threats?
2. When/how soon after their collection does CSE delete the "Mandate B" emails of Canadians that are
scanned and found to pose no cyber security threat?
3. From the CSE presentations it is clear most of the "Mandate B" filtering of Canadians'
emails/attachments/data to and from government networks is automated. What access do CSE
analysts have to the raw collected data/emails/etc that are found through automated filtering to pose no
threat?
4. Can the raw data/emails/etc collected under "Mandate B" and found to pose no threat (through
automated filtering) be accessed or used in any way for CSE's other surveillance mandates (A - collection of foreign intelligence, or C - assistance to law or intelligence agencies)?

CSE Official Response (February 23, 2015)

As promised, here is CSE's official response to your additional four questions for Wednesday's story:
Any information used or retained under our cyber security mandate relates to the capabilities, intentions
and activities of malicious cyber threat actors, and is used to detect and defend government systems and
prevent future threats. For example, data or metadata could contain information that relates to a cyber
threat actor's methods and techniques, such as malware. Specific communications are examined if they
are suspected to relate to a cyber threat that could harm Government of Canada systems and networks,
and the important information they contain.
Data and metadata used to help protect the Government of Canada's systems and networks are deleted
according to established data retention schedules, which are documented in internal policies and
procedures. To provide specific details on data retention schedules could assist those who want to
conduct malicious cyber activity against government networks. If cyber threat actors were to obtain CSE's
data retention schedules, they could use this knowledge to develop tactics or techniques that evade
detection.
According to the ministerial authorizations and internal policy frameworks that govern and guide CSE
activities, CSE's IT Security analysts only use and retain information that is necessary and relevant to
identify, isolate or prevent harm to Government of Canada computer networks or systems. Data that is
found to pose no threat and that is not necessary and relevant to identify, isolate or prevent harm to
Government of Canada computer networks or systems cannot be used or retained, and is deleted.

Data collected under CSE's IT Security mandate that is found to pose no threat cannot be accessed or
used for its foreign intelligence or technical assistance mandates.
