Canada’s Cyber Security Seeks Public Input — Here’s Mine

cybThe Government of Canada is carrying out a public consultation on cyber security. Specifically, the consultation is being administered by Public Safety Canada’s National Cyber Security Directorate (NCSD). NCSD’s role is sometimes described as cyber policy and coordination, such as designing and implementing Canada’s Cyber Security Strategy, and the consultation asks for the public’s help in addressing some really thorny cyber security challenges.

On its face, it’s hard to know what to make of this consultation. PSC/NCSD wants to hear from “experts, academics, business leaders, and provincial, territorial and municipal governments” on the topic, but they also want “all citizens to get involved in a discussion about the security and economic dimensions of Canada’s digital future.” There are four main topics the government is consulting on, and a workbook has also been created to accompanies the process. The workbook breaks the consultation down into trends, themes, and related questions for consideration, but the contents seem designed to steer answers in particular directions, and the one topic that doesn’t include any specific questions is Canada’s “way forward”, the outlines of which seem to have already been decided.

Some of the questions in the workbook are ones that I imagine Government would love an innovative answer for (How can public and private sector organizations help protect themselves from cybercrime… and what tools do they need to do so?), while others seem loaded to produce a particular response (with “example” answers provided). I only hope that the responses to this consultation won’t be quantified as statistics (since this isn’t a methodologically-sound survey), or used to support decisions that have already been made. So let’s give them the benefit of the doubt and assume that NCSD really does want some help from Canadians in dealing with one of society’s most important challenges, and they’re open to all sorts of ideas.

To that end, I’ve provided my response to the consultation’s four “topic areas”:

The Evolution of the Cyber Threat
I think a lot of this has been covered in broad strokes by Canada’s Cyber Security Strategy and related documents. The threat has certainly evolved, in terms of actors, motives, and potential harm. State actors are increasingly involved around the world, and there are dedicated industries of criminals profiting from vulnerabilities. The most interesting way that I think the cyber threat has evolved in recent years is a recognition of the Five Eyes (Canada’s alliance with the US, UK, Australia and New Zealand) as a security threat. This recognition has certainly not come from the Canadian government, or even much of the Canadian population (as we really have yet to talk about this issue). Instead, the changing nature of the threat has been expressed most publicly by the likes of Microsoft and Google, after they learned through the Snowden documents that the Five Eyes were compromising their infrastructure and the relationships of trust these companies have established with their users.

The Increasing Economic Significance of Cyber Security
I don’t consider this to be much of a topic in need of public consultation, since it seems like Public Safety is already aware that cyber security is vital to the economy. It’s hard to put a dollar value on security, but it’s pretty obvious that the value of maintaining information security and the “losses” that result from various kinds of threats are enormous. Huge numbers are estimated and cited to justify the need for cyber security,  and I’m not sure that we need more accurate numbers (since we know they’re big), or that bigger numbers will compel action. We can talk about how better to communicate the seriousness of the issue, but I’m more interested in finding perspectives other than the economic lens to talk about threats. Government ideas about the value of the internet in Canada too often lapse into talk of the “digital economy”, and harms that don’t involve children are often expressed in economic terms. As people like Ron Deibert point out, we need to think more about the democratic/political dimensions of cyber security. This means articulating the value of connectivity in a way that doesn’t translate into dollars, but instead relates to our values as Canadians (like those “rights and freedoms” mentioned at the end of the workbook).

The Expanding Frontiers of Cyber Security
While the workbook discusses this in terms of the need for “cyber security [to] evolve at the same rate as new technologies” (p. 17), I want to use this topic to discuss the expanding scope of cyber security.

cyber

The workbook defines cyber security as “the protection of digital information and the infrastructure on which it resides. Cyber security addresses the challenges and threats of cyberspace in order to secure the benefits and opportunities of digital life” (p. 5). The first part of this definition is relatively straight-forward, and encompasses the domain of IT security. However, cyber security is not limited to these concerns, and Canada’s closest allies have used the language of cyber security to justify creating and preserving technological vulnerabilities in the service of strategic objectives. Meanwhile, it seems that Public Safety Canada considers “threats of cyberspace” to include more than just threats to digital information and infrastructure.

Internationally, cyber security now includes a variety of concerns, including over public order and morality. For instance, in Canada cyberbullying is sometimes listed as a cyber security threat alongside phishing and malware (particularly in Get Cyber Safe resources). Cyberbullying can certainly involve personal information being compromised, but it can also refer to the hateful and abusive comments found in many online media. The danger is that cyber security can be equated with online “safety”, which can mean safety from content that might insult, harm, or disturb.

The more concerning expansion of cyber security is as a justification for whatever actions serve national security or the priorities of state agencies. This is a worry because the goals of some state “partners” in cyber security are not to provide the public with the most secure technologies. In the US for instance, secret efforts to make commercial technologies (the same technologies widely used by Canadians) more vulnerable and less secure were justified as part of an ostensibly-defensive cyber security program (the CNCI). As discussed below, there is no reason to believe that Canadian agencies are an exception to the same tendencies demonstrated by their closest international allies in cyber security.

One the few things that all cyber security threats have in common is that they all involve a computer, or digital networks. Since we are supposedly moving towards a world covered in networked computers, the potential for cyber security’s expansion is a major cause for concern. I feel a lot more comfortable talking about information (IT), network, or computer security, because at least there the subject matter is relatively defined. Cyber security is more of a mixed bag, and I hope that the Government of Canada will keep the expansionist tendency of cyber security in check. Focus on the threats we know and are having difficulty defending against, don’t go looking for new forms of troublesome conduct involving a computer that can be listed as a cyber security threat, and let’s talk about whether the government’s idea of cyber security includes purposefully maintaining certain kinds of insecurity.

Canada’s Way Forward on Cyber Security
As part of Canada’s way forward, we need to take an explicit position on the extent to which we want to promote information/IT security at the expense of other conceptions of security, particularly those  favored by police and national security agencies. It seems disingenuous to promote the security of information and infrastructure, without acknowledging the limits that government agencies are comfortable allowing such developments. Police in Canada and around the world are well aware of this conflict, particularly after the Snowden revelations led to widespread adoption of more secure technologies, which are now an obstacle to their ability to investigate crime. The recent showdown between Apple and the FBI is a recent manifestation of this tension, and Canada should not simply sit on the sidelines and wait for these new “crypto wars” to play out in the US and Europe.

We also need to discuss our membership in the Five Eyes, because Canadians have never had a real opportunity to do so. Predicated on a secret treaty, the Five Eyes often acts as a coordinated group and an exclusive club, supposedly based on its members’ “common Anglo-Saxon culture, accepted liberal democratic values and complementary national interests”. Originally formed to further intelligence collection and the sharing of information in the interests of national security, today the Five Eyes also includes collaboration of a more defensive nature in the realm of cyber security. We know that Canada’s membership in the Five Eyes can be a privacy threat to Canadians, because of last year’s revelation that CSE had for years violated the law by sharing Canadians’ personal information with these allies. We know that the Five Eyes can pose a security threat to our information infrastructure, because of documents revealed by Edward Snowden showing how the NSA worked to weaken the security of commonly-used systems in order to more easily obtain intelligence (efforts in which Canada appears to have been complicit).

In the US, the Snowden disclosures resulted in the President’s Review Group on Intelligence and Communications Technologies recommending the separation of the NSA’s offensive and defensive roles, through the creation of a new agency to take over the NSA’s defensive “information assurance” mission. Canada has yet to acknowledge the contradiction at the heart the Five Eyes – where government agencies work simultaneously (or at cross-purposes) to both secure infrastructure and make it more vulnerable. In the US, the NSA is currently merging its offensive and defensive capabilities. This NSA reorganization contradicts the recommendations of the President’s Review Group, strains trust with non-government partners, but is at least being openly acknowledged and discussed. In Canada, a similar process of merging offensive and defensive capabilities may very well be underway at CSE, but this is just what we can deduce from five-year old Snowden documents, and the government’s position on this topic is limited to CSE’s statements about the same news story.

Can the Canadian government be a trusted partner in cyber security when it has never even acknowledged its role (or the conduct of its closest allies) in making information infrastructure less secure? Is it permissible to have one cyber security agency (CCIRC) responding to threats and vulnerabilities, some of which may have been created or kept secret by CSE and its Five Eyes allies? These are not hypothetical questions — just last week CCIRC issued an advisory to correct a vulnerability that the NSA had likely exploited for over a decade. If the attributions of security experts are correct, this means that the Canadian public is being notified about a security vulnerability that was kept secret and exploited by our closest cyber security ally, and we are learning about it through foreign actors whose motivations are unknown, but presumably do not include a desire to make our infrastructure more resilient.

Certainly, most Canadians have more to fear from more mundane threats, like phishing, ransomware, and others listed as part of the government’s consultation. But I wanted to focus on the Five Eyes because these are precisely the sorts of blind spots that need to be uncovered through public consultation. If government agencies will not acknowledge this threat, either because of secrecy or the failure to recognize what those outside government perceive, then it becomes the responsibility of Canadians to point out how the government’s version of reality is different than the one we are reading about in the news. However, at that point we are no longer having a shared discussion of cyber security, but two parallel discussions, with very different ideas of what constitutes a cyber threat.

These tensions at the heart of cyber security are not going anywhere, but by acknowledging them, the Government of Canada can at least take an explicit policy position, rather than the implicit one we can deduce from its former conduct. The Government of Canada has already taken the historic step of suspending metadata sharing with the Five Eyes until it is confident that this no longer threatens the privacy of Canadians. Before Canada resumes its full participation in a secretive alliance that works to both strengthen and weaken the security of systems we depend on, we need a stated position on such conduct. Specifically, are security vulnerabilities ever acceptable or desirable? Is it ever appropriate for government agencies such as CSE and the RCMP to use vulnerabilities that might otherwise be disclosed and corrected? What should we do when our closest cyber security allies are repeatedly found exploiting vulnerabilities and weakening security?

In response to the last of these questions, I would answer that Canada needs to either openly declare its support for government efforts to compromise security, including any limits or conditions, or it needs to publicly oppose these efforts. Only by working to strengthen IT security against all threats can the Government of Canada be a trusted partner in cyber security. To take no position at all by failing to acknowledge the issue is untenable, will weaken trust in government, and will continue the post-Snowden bifurcation of security into two separate discussions — one that includes government as a partner and one that does not.

Canada’s cyber security and the changing threat landscape

My article, Canada’s cyber security and the changing threat landscape has just been published online by Critical Studies on Security.

Broadly, it grapples with what cyber security has come to mean in the Canadian context. The article deals partly with Canada’s Cyber Security Strategy, the operations of the Canadian Cyber Incident Response Centre (CCIRC) between 2011 and 2013 (a time of great concern over hacktivism [Anonymous] and Advanced Persistent Threats [China]), and what we can say about Canada’s cyber security orientation in the “post-Snowden era”. It is based on publicly-available texts and several years of Access to Information requests (the requests were informal, for documents already released to other people, giving me several thousand pages to work with).

What is cyber security, and why should we care?

Cyber security emerged from a narrow set of concerns around safeguarding information and networks, but in recent years it has become intimately tied to foreign and domestic political objectives. This means that cyber security cannot be defined and delimited in the same way as the field of information security (as protecting the confidentiality, integrity, and availability of information). Instead, cyber security is a collective endeavor, typically tied to the larger project of national security, but also encompassing a broader set of social and ethical concerns. This is why hateful messages sent by teens are now treated as a cyber security problem, while Canada’s government fails to acknowledge the international cyber threat posed by its foreign allies.

One of the key effects of cyber security strategies and classifications is that they specify the boundaries of what is to be secured. As the line between ‘cyber’ and ‘non-cyber’ continues to blur, the scope of cyber security’s concerns can expand to cover new kinds of threats. If it is true, as the opening of Canada’s Cyber Security Strategy 2010 declares, that our “personal and professional lives have gone digital”, that we now “live, work, and play in cyberspace”, then cyberspace is not just a new domain to be secured, but a fundamental part of our lived reality. This means that it is now possible to conceive of cyber threats as existential threats of the highest order, but also that the project of cyber security will have deepening implications for our daily lives. Some of these implications can only be discussed by referencing the work of security professionals – work which typically takes place out of public view.

Operational and Technocratic Discourse

My article began as a work of discourse analysis, but over time I turned increasingly to international relations (IR) and what has been called the “Paris School” of security studies. I found that previous analyses of cyber security discourse, influenced by the Copenhagen School, focused largely on public discourse, and how political actors work to get cyber security on the political agenda (as a response to new, existential threats). The Paris School meanwhile, emphasizes that new security issues can arise and be defined in the hidden world of security professionals and their technocratic practices. The volumes of internal threat reports, alerts, and government emails accessible through Access to Information became a rich source for this technocratic and operational discourse, providing a sense of how the moving parts of cyber security fit together in practice.

Hacktivism

Hacktivism is an interesting threat category to consider because, at least in Canada, it has never been subject to visible politicization. Unlike cyberbullying, no new laws have been proposed to deal with hacktivists, and public officials have avoided referencing the threat in their public proclamations. The Government seems more willing to deal with hacktivism quietly than to engage in a public fight against Anonymous, or to publicly condemn tactics that some see as a legitimate form of protest.

Nevertheless, hacktivism has become a major preoccupation for Canadian security agencies, as evident through volumes of operational discourse, including detailed reports and responses to hacktivist campaigns. Where cyberbullying can be reduced to a problem of ethical conduct, common forms of hacktivism such as DDoS reduce to a technical problem. A DDoS attack becomes hacktivism by virtue of its political motivation, and not its methods. While DDoS actions have typically been handled by CCIRC and CTEC as individual incidents, the operational threat category of hacktivism makes these events legible as part of a larger and pathological social trend, and the growing concern with hacktivism since 2010 indicates cyber security’s opposition to disruptive forms of online activism and politically-motivated hacking.

Advanced Persistent Threats (APTs)

As actors define and redefine cyber security’s terminology, they produce new conceptions, repurpose old ones, and experiment with metaphors. Sometimes, a term becomes a prolific ‘buzzword’, securing regular usage in cyber security discourse, and also inevitably becoming a point of contention. One of the best recent examples is the Advanced Persistent Threat (APT). This is the threat category that best represents cyber security’s oblique treatment of international affairs and the new strategic stakes of cyber security. Where hacktivism is the intersection of cyber security and protest in operational discourse, APTs bring cyber security into opposition against state actors. The term usually refers to a well-resourced threat actor willing to devote considerable effort to compromise a particular target, and is often understood to mean a state-backed attacker – sometimes becoming simply a shorthand for “China”.

In tracing the emergence and proliferation of this new threat category, it is possible to get some sense of the multiple constituents and channels of cyber security discourse. In this case, a category emerged in the operational discourse of the US military, spread rapidly through the North American security industry, and was adopted for internal use by CCIRC in the aftermath of a major security breach in 2011. Along the way it was used to classify a growing number of intrusions and data breaches, sell security products and services, and make intelligible a world of online geopolitical contestation. APTs could be invoked to specify a threat, while eliding the attribution problem and preserving nominal ambiguity in the international political arena. For CCIRC, APTs became an operational threat category at a time when Chinese hackers were widely suspected of compromising Canadian government systems, and the term proliferated into public discourse through Mandiant’s reporting of Chinese cyber espionage in 2013. Not long after, the Snowden disclosures had a dramatic impact on how we understand and talk about cyber security.

After Snowden

One of the most important revelations of the Snowden documents has been that the project of cyber security (at least as interpreted by signals intelligence agencies like NSA, GCHQ and CSE) can include compromising the very digital infrastructure it is tasked to protect. Domestic cyber security programs can become an “advanced persistent threat” – a term once reserved for foreign hackers. Given these developments, it is worthwhile to reflect on how the governmental project of cyber security has evolved in recent years, and what cyber security has come to mean. This is particularly important in Canada, a country closely implicated in US cyber security efforts, but where post-Snowden commentary has made comparatively little impact.

The lack of visible concern by Canada’s government about the security threat posed by its closest allies (a threat that Canada has apparently facilitated), speaks to how foreign policy shapes the nation’s cyber security priorities. It also sends the dangerous message that while Canada is unable to clearly define a vision of what it is trying to secure, cyber security is somehow compatible with pervasive surveillance and widespread hacking.

State cyber security agencies work to guard us from new threats, but seem blind to the possibility that they or their partners might also threaten our security. To paraphrase Google’s chairman, an attack is an attack, whether it comes from China or the NSA. For Canada’s CSE and the other Five Eyes members, the equivalence may not be as clear. If cyber security is subordinated to national security interests and compatible with government hacking, then threats will continue to be defined very differently by those inside and outside government. In addition to a broadening scope for cyber security’s concerns, the current trend is one of growing division between government cyber security efforts and more clearly circumscribed approaches to information security by private companies and civil society.

The idea that cyber security can be compatible with hacking domestic companies and maintaining vulnerabilities in commonly-used technologies might be seen as a continuation of the exceptional measures justified by 9/11. But more fundamentally, it reflects the technocratic imperatives of agencies tasked with gaining and maintaining access to communications infrastructure. The Five Eyes’ objectives go far beyond countering terrorism, and surreptitious access to communications infrastructure is increasingly part of the larger cyber security project. This dangerous vision of cyber security has evolved in secret, establishing procedures for who can be targeted, what can be collected, and where compromising security might help to make us safer. We did not learn of these measures through visible political discourse or securitizing rhetoric (the traditional focus of the Copenhagen School), but through operational documents and presentation slides from closed meetings of security professionals.