Review of Susan Landau’s — Surveillance or Security?

I’ve been going through my files recently, and discovering some that I had forgotten. A couple of times now I’ve had submissions to journals fall into a void. Ideally, when this happens the piece can still find a home somewhere else, but this was a review of a book from 2010 written in 2012, and in 2013 Snowden changed the world and I felt the need to move on. Still, Landau’s book remains valuable and some of these issues are even more salient today (also of note, in the 1990s Landau co-wrote Privacy on the Line with Whitfield Diffie).

Book Review: Landau, Susan. 2010. Surveillance or Security?: The Risks Posed by New Wiretapping Technologies. Cambridge, MA: MIT Press.

The choice between security and civil liberties remains a commonplace way of framing many surveillance debates. Susan Landau’s argument in Surveillance or Security? is that many surveillance technologies and systems not only compromise privacy, but may actually make us less secure. This thesis, while worth repeating, will not be novel for some readers familiar with surveillance and security debates. However, readers who are already well-versed in criticisms of the freedom-security opposition will still find a great deal of value in Landau’s book, including the nuance of her more policy and technology-specific arguments and the wealth of detail she provides on various electronic surveillance practices. The patience and clarity with which Landau walks readers through this detail is commendable, and the book makes many technical and legal matters understandable to those unfamiliar with telecommunications, electronic surveillance, or U.S. law. Despite this, reading Surveillance or Security? from beginning to end requires a considerable interest in the subject matter, and much of its detail will be superfluous to those interested in more general surveillance questions or electronic surveillance in a non-U.S. context.

The nuance of Landau’s argument preserves a legitimate and lawful role for surveillance by state actors, and her critique is targeted specifically at emerging forms of surveillance made possible in the age of digital networks. Of greatest concern is the ability to embed surveillance capabilities into our increasingly-capable communications infrastructures. Justifications for expanded or “modernized” police and national security surveillance capabilities are often premised on the need to bring telephone-era laws and abilities up to date with the internet. Landau provides a very effective introduction to telephone and packet-switching networks, the development of the internet, and the contemporaneous changes to U.S. surveillance law and practice. In the process, she shows how the nature of communication and surveillance has been transformed, and how inappropriate the application of telephone-era surveillance logic can be for internet architecture. While telephone and packet-switching networks are now deeply integrated, the reader will learn just how difficult “wiretapping the internet” is when compared to traditional telephone wiretaps. On the other hand, the book also discusses the vast amounts of information available about our digital flows, and how these possibilities of data collection introduce new dangers.

The most forceful of Landau’s arguments are against the embedding of surveillance capabilities into our networked communications infrastructure, as this amounts to an “architected security breach” (p.234) that can be exploited or misused. The main example provided by the author of such modern wiretapping gone wrong is the activation of surveillance capacities embedded in the software of an Athens mobile phone network during 2004 and 2005, wherein parties unknown targeted the communications of Greek government officials. While this case of wiretapping was highly selective, Landau also cites the current U.S. “warrantless wiretapping” program to illustrate the dangers of overcollection. A third case, the FBI’s misuse of “exigent letters” to acquire telephone records after September 11, shows how the risk of overcollection is exacerbated when wiretapping cannot be audited and fails to require “two-organizational control”. In the exigent letters case, FBI investigators and telephone company employees working closely alongside one another were able to nullify institutional boundaries and circumvent legal requirements. From these cases, Landau concludes that “making wiretapping easy from a technical point of view makes wiretapping without proper legal authorization easy” (p.240). Among her chief concerns is the historical propensity to take advantage of surveillance-ready technologies to target journalists and political opponents, and the possibility of “nontargets” being caught up through overcollection.

Surveillance or Security? offers solutions as well as warnings, and these are primarily oriented towards safeguarding communications security. As a general prescription, Landau argues for partitioning our networks to a greater and more sophisticated degree. This includes increased use of identity authentication and attribution for particular networks, and keeping others entirely inaccessible from the public internet. But Landau expressly opposes building identity authentication and surveillance mechanisms (such as deep packet inspection) into the internet itself. Overall, this is a sensible solution that can address “digital Pearl Harbor” fears while preserving the general openness of the internet. Our networks already have “walled gardens” for governments and corporations, and Landau calls for more effective partitions as well as open public vetting of security mechanisms (pp.240-241). Sanctioned wiretaps should also be auditable and not under the independent control of any one organization.

Ultimately, questions about how the internet should be designed and governed boil down to what we value in the network. Many have pointed out that the values which drove the development of the internet did not include ensuring its security, so that concerns over identification, authentication, malware and cyberattack surfaced later in its development and are difficult to resolve. The debate over whether internet governance and internet architecture need to be revised in the interests of security continues to this day, but the choice is not simply between security and openness. Rather, “security” can point to a whole host of challenges, some of which can be in opposition to one another. Landau does indeed distinguish between different security threats, but while there is a chapter entitled Who are the intruders?, no equivalent breakdown is given of “whose security” is of primary interest. Instead, Landau treats personal security, national security, and corporate security as compatible and amenable to some of the same solutions. She explicitly values personal privacy and the open innovation made possible by the internet, but also warns against growing foreign threats to the economy and critical infrastructure of the United States. The closing sentence of the book calls for communication security “to establish justice, maintain domestic tranquility, and provide for common defense” (p.256), and it is in the tensions between these three objectives that the supposedly false choice between freedom and security materializes once again.

Landau promotes the value of privacy and journalistic freedom, puts the danger of terrorism “in context” (p.222), and warns against heavy-handed approaches to illegal file-sharing (pp.34-35). But in debating the appropriateness of embedded surveillance or privacy-enhancing cryptography, the reader also learns that “we must weight the costs” (p.35) or the advantages against the disadvantages (p.219) of such technologies and practices. The problem is that different readers may have rather different conceptions of who is denoted by the “we” in such a formulation, and where the costs accrue. If the security threat is the “havoc” that can be wreaked through an internet connection multiplied by the size of the cyber-capable Chinese army (as Landau suggests in the epilogue, p.255), then Richard Clarke and Robert Knake’s (2010) proposal to embed surveillance and filtering at internet service providers (ISPs) to deal with foreign cyberattacks might seem quite reasonable (such surveillance would receive “rigorous oversight by an active Privacy and Civil Liberties Protection Board to ensure that neither the ISPs nor the government was illegally spying on us” [Clarke & Knake 2010, p. 162]). The principles which guide Landau’s judgments are those embodied in the U.S. Constitution, the open and innovative possibilities of our networks, the right to privacy in communication, and the need to be protected from electronic “intruders” and “threats”. But in making these various appeals Landau is also providing the means to undercut her argument against embedded surveillance, if one values a particular type of security or fears a threat to security over others. She closes with an appeal to consider communications security as vital to both national and personal security, to democracy as well as defense (p.256), but the argument that embedded surveillance makes us less secure is on weaker footing when faced with the catastrophic specter of a cyber-war with China.

In the end, readers may find themselves confronting the dilemma identified by Jonathan Zittrain (2008, pp.60-61), who argues that “the cybersecurity problem defies easy solution, because any of the most obvious solutions to it will cauterize the essence of the Internet”. Like Zittrain, Landau thinks we can improve cybersecurity without sacrificing the internet’s propensity for openness and innovation, but at times she seems to address her arguments more at U.S. policy makers, security officials, and American citizens than at a general readership. The book includes a chapter devoted to analyzing “the effectiveness of wiretapping” in the furtherance of national security and criminal investigations, and the threat of China’s espionage and cyberattack capabilities looms large against a “United States that is being weakened by the very information technologies that brought the nation such wealth” (p.171). Landau’s approach may appeal to those Americans in greatest need of convincing, but it marginalizes arguments based on more critical premises, such as the potential of open networks and private communications to facilitate valuable forms of disruption and social change.

Surveillance or Security? focuses on the U.S. because the complexity of wiretapping policy is better explored through one nation’s economic and legal perspective, and Landau claims that “it should not be hard to reinterpret the issues from the perspective of other nations” (p.10). The networks that constitute the internet certainly warrant analysis on the level of the nation-state, in particular due to the increased assertion of territorially-based state power over and through the internet. The U.S. also deserves study in its own right by anyone interested in global telecommunications, not only because of the influential role of the U.S. in the history of telecom, but because the world’s telecom networks remain disproportionately dependent on U.S.-based institutions and infrastructure. The layout of global fiber-optic cable makes the U.S. “a communications transit point for the entire world” (p.87), and the overall layout of the World Wide Web also remains largely U.S.-centric.

However, many of the details of U.S. wiretapping legislation and practice will not be of interest either to the general reader or to the scholar interested in broader questions of surveillance and telecommunication. The book’s detailed analysis of the U.S. case is therefore its greatest strength, or, for a more general audience, its greatest weakness. Among other strengths are the clarity of Landau’s descriptions of network architecture and internet history, which do not presume prior knowledge on the reader’s part. Surveillance or Security? is clear and approachable, and contributes some much-needed scholarship on the intersection between state and private institutions underpinning contemporary surveillance systems. At its best, it pours cold water on the need to overhaul the internet and expand the scope of electronic surveillance, but Landau is not above fanning the flames to give the issue of communication security some added urgency. In between, surveillance scholars will find plenty of value in the book’s well-researched detail and Landau’s considerable expertise.

One of the headings in the book, What it means to “get communication security right”, remains an open question, with governments moving slowly on the issue, and private institutions largely pursuing their own policies. While it seems clear that securing our communications networks will not be quick or easy, a more immediate concern is poorly-considered proposals to embed and institutionalize surveillance regimes and their attendant harms. Surveillance or Security? contributes to an important conversation, injects caution into a frequently overheated discussion, and offers much of substance for those acquainting themselves with communications security and surveillance.

References

Clarke, Richard A., & Knake, Robert. 2010. Cyber War: The Next Threat to National Security and What to Do About It. New York: Ecco.

Landau, Susan. 2010. Surveillance or Security?: The Risks Posed by New Wiretapping Technologies. Cambridge, MA: MIT Press.

Zittrain, Jonathan. 2008. The Future of the Internet–And How to Stop It. New Haven: Yale University Press.

 

CSE’s Cyber Shakeup

The House of Commons is now on summer break, but before everyone headed off, the Trudeau/Goodale Liberals introduced a monumental rework of Canadian intelligence and security institutions. This accomplishes some of what the Liberals previously indicated, but as Wesley Wark points out, such substantial changes to Canada’s national security bureaucracy are surprising. The implications are complex, with major reform for those overseeing CSIS and CSE (two new institutions: the National Security and Intelligence Review Agency and the Intelligence Commissioner) and changes to CSE’s mandate.

Experts and politicians have some time to chew on this bill’s different aspects, and for all things CSE, an important view is the Lux Ex Umbra blog. However, here I want to offer a couple of thoughts on the cyber aspects of the reforms. As others have pointed out, these reforms will help to normalize certain types of acts (network exploitation and attack). One argument is that Canada’s new framework will help normalize in the international arena what a lot of states have been doing covertly, under dubious legal authority — “effects” like hacking and exerting influence in various domestic and foreign jurisdictions. The Canadian approach could either be a model for others interested in legal reform, or contribute to making these actions more acceptable and legitimate around the world. Domestically, this is also a normalization of the sorts of things that CSE has done, or wanted to do, for some years now.

There’s an upside and downside here. If you assume that this is the sort of stuff the Five Eyes and CSE would be doing anyway, it’s good to have it under an explicit legal framework that can “reflect the reality of global communications today and participation in international networks such as Five Eyes”. From this view, the reforms are an improvement in accountability and oversight. On the other hand, if you think this is precisely the sort of thing governments should reject (and the focus should be purely on cyber defence and passive techniques), then the last thing we should do is put a government stamp on it. Instead of updating the law to legitimate what has been going on, we need to stop the most controversial activities revealed by Snowden (weakening crypto, hacking Google data links and compromising LinkedIn accounts of Belgian telecom engineers).

In Canada, we have never had a debate about these questions. The national security consultation that ostensibly informs this move was not designed to ask them. Canada’s role in the Five Eyes is not under revision, and Bill C-59 is meant to better “align ourselves” with these cyber “partners”. The partners are meeting this week, amid an active push by allies (specifically, Australia) to get Canada’s cooperation in countering encryption. There’s little indication where Canada stands on these questions today. However, given what appears to be our holding-steady with the Five Eyes and C-59’s new legal framework, CSE can still end up promoting insecurity, in secret, at our allies’ request.

Ultimately, the success of C-59 will depend on how effective the new accountability mechanisms are. Canada’s previous experience includes government assurances about legal compliance and oversight, while routine illegality and surprising legal interpretations are carried out in secret. Some of this previous experience (like the CSIS ODAC database) is addressed in C-59, but on the most fundamental question — what kind of security will Canada promote in the world? — we seem to be doing what Canada has done since we hitched our national security to the U.S. in late WWII: defaulting to our allies. We may have some bold new security legislation (and a Minister of Foreign Affairs who recently made big statements about the need to “set our own clear and sovereign course”), but old concerns about the lack of a distinctly Canadian approach to international and cyber security are as relevant as ever.

Canada’s Cyber Security Seeks Public Input — Here’s Mine

The Government of Canada is carrying out a public consultation on cyber security. Specifically, the consultation is being administered by Public Safety Canada’s National Cyber Security Directorate (NCSD). NCSD’s role is sometimes described as cyber policy and coordination, such as designing and implementing Canada’s Cyber Security Strategy, and the consultation asks for the public’s help in addressing some really thorny cyber security challenges.

On its face, it’s hard to know what to make of this consultation. PSC/NCSD wants to hear from “experts, academics, business leaders, and provincial, territorial and municipal governments” on the topic, but they also want “all citizens to get involved in a discussion about the security and economic dimensions of Canada’s digital future.” There are four main topics the government is consulting on, and a workbook has also been created to accompany the process. The workbook breaks the consultation down into trends, themes, and related questions for consideration, but the contents seem designed to steer answers in particular directions, and the one topic that doesn’t include any specific questions is Canada’s “way forward”, the outlines of which seem to have already been decided.

Some of the questions in the workbook are ones that I imagine Government would love an innovative answer for (How can public and private sector organizations help protect themselves from cybercrime… and what tools do they need to do so?), while others seem loaded to produce a particular response (with “example” answers provided). I only hope that the responses to this consultation won’t be quantified as statistics (since this isn’t a methodologically-sound survey), or used to support decisions that have already been made. So let’s give them the benefit of the doubt and assume that NCSD really does want some help from Canadians in dealing with one of society’s most important challenges, and they’re open to all sorts of ideas.

To that end, I’ve provided my response to the consultation’s four “topic areas”:

The Evolution of the Cyber Threat
I think a lot of this has been covered in broad strokes by Canada’s Cyber Security Strategy and related documents. The threat has certainly evolved, in terms of actors, motives, and potential harm. State actors are increasingly involved around the world, and there are dedicated industries of criminals profiting from vulnerabilities. The most interesting way that I think the cyber threat has evolved in recent years is a recognition of the Five Eyes (Canada’s alliance with the US, UK, Australia and New Zealand) as a security threat. This recognition has certainly not come from the Canadian government, or even much of the Canadian population (as we really have yet to talk about this issue). Instead, the changing nature of the threat has been expressed most publicly by the likes of Microsoft and Google, after they learned through the Snowden documents that the Five Eyes were compromising their infrastructure and the relationships of trust these companies have established with their users.

The Increasing Economic Significance of Cyber Security
I don’t consider this to be much of a topic in need of public consultation, since it seems like Public Safety is already aware that cyber security is vital to the economy. It’s hard to put a dollar value on security, but it’s pretty obvious that the value of maintaining information security and the “losses” that result from various kinds of threats are enormous. Huge numbers are estimated and cited to justify the need for cyber security, and I’m not sure that we need more accurate numbers (since we know they’re big), or that bigger numbers will compel action. We can talk about how better to communicate the seriousness of the issue, but I’m more interested in finding perspectives other than the economic lens to talk about threats. Government ideas about the value of the internet in Canada too often lapse into talk of the “digital economy”, and harms that don’t involve children are often expressed in economic terms. As people like Ron Deibert point out, we need to think more about the democratic/political dimensions of cyber security. This means articulating the value of connectivity in a way that doesn’t translate into dollars, but instead relates to our values as Canadians (like those “rights and freedoms” mentioned at the end of the workbook).

The Expanding Frontiers of Cyber Security
While the workbook discusses this in terms of the need for “cyber security [to] evolve at the same rate as new technologies” (p. 17), I want to use this topic to discuss the expanding scope of cyber security.

The workbook defines cyber security as “the protection of digital information and the infrastructure on which it resides. Cyber security addresses the challenges and threats of cyberspace in order to secure the benefits and opportunities of digital life” (p. 5). The first part of this definition is relatively straight-forward, and encompasses the domain of IT security. However, cyber security is not limited to these concerns, and Canada’s closest allies have used the language of cyber security to justify creating and preserving technological vulnerabilities in the service of strategic objectives. Meanwhile, it seems that Public Safety Canada considers “threats of cyberspace” to include more than just threats to digital information and infrastructure.

Internationally, cyber security now includes a variety of concerns, including over public order and morality. For instance, in Canada cyberbullying is sometimes listed as a cyber security threat alongside phishing and malware (particularly in Get Cyber Safe resources). Cyberbullying can certainly involve personal information being compromised, but it can also refer to the hateful and abusive comments found in many online media. The danger is that cyber security can be equated with online “safety”, which can mean safety from content that might insult, harm, or disturb.

The more concerning expansion of cyber security is as a justification for whatever actions serve national security or the priorities of state agencies. This is a worry because the goals of some state “partners” in cyber security are not to provide the public with the most secure technologies. In the US for instance, secret efforts to make commercial technologies (the same technologies widely used by Canadians) more vulnerable and less secure were justified as part of an ostensibly-defensive cyber security program (the CNCI). As discussed below, there is no reason to believe that Canadian agencies are an exception to the same tendencies demonstrated by their closest international allies in cyber security.

One of the few things that all cyber security threats have in common is that they all involve a computer, or digital networks. Since we are supposedly moving towards a world covered in networked computers, the potential for cyber security’s expansion is a major cause for concern. I feel a lot more comfortable talking about information (IT), network, or computer security, because at least there the subject matter is relatively defined. Cyber security is more of a mixed bag, and I hope that the Government of Canada will keep the expansionist tendency of cyber security in check. Focus on the threats we know and are having difficulty defending against, don’t go looking for new forms of troublesome conduct involving a computer that can be listed as a cyber security threat, and let’s talk about whether the government’s idea of cyber security includes purposefully maintaining certain kinds of insecurity.

Canada’s Way Forward on Cyber Security
As part of Canada’s way forward, we need to take an explicit position on the extent to which we want to promote information/IT security at the expense of other conceptions of security, particularly those favored by police and national security agencies. It seems disingenuous to promote the security of information and infrastructure, without acknowledging the limits that government agencies are comfortable allowing such developments. Police in Canada and around the world are well aware of this conflict, particularly after the Snowden revelations led to widespread adoption of more secure technologies, which are now an obstacle to their ability to investigate crime. The recent showdown between Apple and the FBI is a recent manifestation of this tension, and Canada should not simply sit on the sidelines and wait for these new “crypto wars” to play out in the US and Europe.

We also need to discuss our membership in the Five Eyes, because Canadians have never had a real opportunity to do so. Predicated on a secret treaty, the Five Eyes often acts as a coordinated group and an exclusive club, supposedly based on its members’ “common Anglo-Saxon culture, accepted liberal democratic values and complementary national interests”. Originally formed to further intelligence collection and the sharing of information in the interests of national security, today the Five Eyes also includes collaboration of a more defensive nature in the realm of cyber security. We know that Canada’s membership in the Five Eyes can be a privacy threat to Canadians, because of last year’s revelation that CSE had for years violated the law by sharing Canadians’ personal information with these allies. We know that the Five Eyes can pose a security threat to our information infrastructure, because of documents revealed by Edward Snowden showing how the NSA worked to weaken the security of commonly-used systems in order to more easily obtain intelligence (efforts in which Canada appears to have been complicit).

In the US, the Snowden disclosures resulted in the President’s Review Group on Intelligence and Communications Technologies recommending the separation of the NSA’s offensive and defensive roles, through the creation of a new agency to take over the NSA’s defensive “information assurance” mission. Canada has yet to acknowledge the contradiction at the heart of the Five Eyes – where government agencies work simultaneously (or at cross-purposes) to both secure infrastructure and make it more vulnerable. In the US, the NSA is currently merging its offensive and defensive capabilities. This NSA reorganization contradicts the recommendations of the President’s Review Group, strains trust with non-government partners, but is at least being openly acknowledged and discussed. In Canada, a similar process of merging offensive and defensive capabilities may very well be underway at CSE, but this is just what we can deduce from five-year-old Snowden documents, and the government’s position on this topic is limited to CSE’s statements about the same news story.

Can the Canadian government be a trusted partner in cyber security when it has never even acknowledged its role (or the conduct of its closest allies) in making information infrastructure less secure? Is it permissible to have one cyber security agency (CCIRC) responding to threats and vulnerabilities, some of which may have been created or kept secret by CSE and its Five Eyes allies? These are not hypothetical questions — just last week CCIRC issued an advisory to correct a vulnerability that the NSA had likely exploited for over a decade. If the attributions of security experts are correct, this means that the Canadian public is being notified about a security vulnerability that was kept secret and exploited by our closest cyber security ally, and we are learning about it through foreign actors whose motivations are unknown, but presumably do not include a desire to make our infrastructure more resilient.

Certainly, most Canadians have more to fear from more mundane threats, like phishing, ransomware, and others listed as part of the government’s consultation. But I wanted to focus on the Five Eyes because these are precisely the sorts of blind spots that need to be uncovered through public consultation. If government agencies will not acknowledge this threat, either because of secrecy or the failure to recognize what those outside government perceive, then it becomes the responsibility of Canadians to point out how the government’s version of reality is different than the one we are reading about in the news. However, at that point we are no longer having a shared discussion of cyber security, but two parallel discussions, with very different ideas of what constitutes a cyber threat.

These tensions at the heart of cyber security are not going anywhere, but by acknowledging them, the Government of Canada can at least take an explicit policy position, rather than the implicit one we can deduce from its former conduct. The Government of Canada has already taken the historic step of suspending metadata sharing with the Five Eyes until it is confident that this no longer threatens the privacy of Canadians. Before Canada resumes its full participation in a secretive alliance that works to both strengthen and weaken the security of systems we depend on, we need a stated position on such conduct. Specifically, are security vulnerabilities ever acceptable or desirable? Is it ever appropriate for government agencies such as CSE and the RCMP to use vulnerabilities that might otherwise be disclosed and corrected? What should we do when our closest cyber security allies are repeatedly found exploiting vulnerabilities and weakening security?

In response to the last of these questions, I would answer that Canada needs to either openly declare its support for government efforts to compromise security, including any limits or conditions, or it needs to publicly oppose these efforts. Only by working to strengthen IT security against all threats can the Government of Canada be a trusted partner in cyber security. To take no position at all by failing to acknowledge the issue is untenable, will weaken trust in government, and will continue the post-Snowden bifurcation of security into two separate discussions — one that includes government as a partner and one that does not.

Canada’s cyber security and the changing threat landscape

My article, Canada’s cyber security and the changing threat landscape, has just been published online by Critical Studies on Security.

Broadly, it grapples with what cyber security has come to mean in the Canadian context. The article deals partly with Canada’s Cyber Security Strategy, the operations of the Canadian Cyber Incident Response Centre (CCIRC) between 2011 and 2013 (a time of great concern over hacktivism [Anonymous] and Advanced Persistent Threats [China]), and what we can say about Canada’s cyber security orientation in the “post-Snowden era”. It is based on publicly-available texts and several years of Access to Information requests (the requests were informal, for documents already released to other people, giving me several thousand pages to work with).

What is cyber security, and why should we care?

Cyber security emerged from a narrow set of concerns around safeguarding information and networks, but in recent years it has become intimately tied to foreign and domestic political objectives. This means that cyber security cannot be defined and delimited in the same way as the field of information security (as protecting the confidentiality, integrity, and availability of information). Instead, cyber security is a collective endeavor, typically tied to the larger project of national security, but also encompassing a broader set of social and ethical concerns. This is why hateful messages sent by teens are now treated as a cyber security problem, while Canada’s government fails to acknowledge the international cyber threat posed by its foreign allies.

One of the key effects of cyber security strategies and classifications is that they specify the boundaries of what is to be secured. As the line between ‘cyber’ and ‘non-cyber’ continues to blur, the scope of cyber security’s concerns can expand to cover new kinds of threats. If it is true, as the opening of Canada’s Cyber Security Strategy 2010 declares, that our “personal and professional lives have gone digital”, that we now “live, work, and play in cyberspace”, then cyberspace is not just a new domain to be secured, but a fundamental part of our lived reality. This means that it is now possible to conceive of cyber threats as existential threats of the highest order, but also that the project of cyber security will have deepening implications for our daily lives. Some of these implications can only be discussed by referencing the work of security professionals – work which typically takes place out of public view.

Operational and Technocratic Discourse

My article began as a work of discourse analysis, but over time I turned increasingly to international relations (IR) and what has been called the “Paris School” of security studies. I found that previous analyses of cyber security discourse, influenced by the Copenhagen School, focused largely on public discourse, and how political actors work to get cyber security on the political agenda (as a response to new, existential threats). The Paris School, meanwhile, emphasizes that new security issues can arise and be defined in the hidden world of security professionals and their technocratic practices. The volumes of internal threat reports, alerts, and government emails accessible through Access to Information became a rich source for this technocratic and operational discourse, providing a sense of how the moving parts of cyber security fit together in practice.

Hacktivism

Hacktivism is an interesting threat category to consider because, at least in Canada, it has never been subject to visible politicization. Unlike cyberbullying, no new laws have been proposed to deal with hacktivists, and public officials have avoided referencing the threat in their public proclamations. The Government seems more willing to deal with hacktivism quietly than to engage in a public fight against Anonymous, or to publicly condemn tactics that some see as a legitimate form of protest.

Nevertheless, hacktivism has become a major preoccupation for Canadian security agencies, as evident through volumes of operational discourse, including detailed reports and responses to hacktivist campaigns. Where cyberbullying can be reduced to a problem of ethical conduct, common forms of hacktivism such as DDoS reduce to a technical problem. A DDoS attack becomes hacktivism by virtue of its political motivation, and not its methods. While DDoS actions have typically been handled by CCIRC and CTEC as individual incidents, the operational threat category of hacktivism makes these events legible as part of a larger and pathological social trend, and the growing concern with hacktivism since 2010 indicates cyber security’s opposition to disruptive forms of online activism and politically-motivated hacking.

Advanced Persistent Threats (APTs)

As actors define and redefine cyber security’s terminology, they produce new conceptions, repurpose old ones, and experiment with metaphors. Sometimes, a term becomes a prolific ‘buzzword’, securing regular usage in cyber security discourse, and also inevitably becoming a point of contention. One of the best recent examples is the Advanced Persistent Threat (APT). This is the threat category that best represents cyber security’s oblique treatment of international affairs and the new strategic stakes of cyber security. Where hacktivism is the intersection of cyber security and protest in operational discourse, APTs bring cyber security into opposition against state actors. The term usually refers to a well-resourced threat actor willing to devote considerable effort to compromise a particular target, and is often understood to mean a state-backed attacker – sometimes becoming simply a shorthand for “China”.

In tracing the emergence and proliferation of this new threat category, it is possible to get some sense of the multiple constituents and channels of cyber security discourse. In this case, a category emerged in the operational discourse of the US military, spread rapidly through the North American security industry, and was adopted for internal use by CCIRC in the aftermath of a major security breach in 2011. Along the way it was used to classify a growing number of intrusions and data breaches, sell security products and services, and make intelligible a world of online geopolitical contestation. APTs could be invoked to specify a threat, while eliding the attribution problem and preserving nominal ambiguity in the international political arena. For CCIRC, APTs became an operational threat category at a time when Chinese hackers were widely suspected of compromising Canadian government systems, and the term proliferated into public discourse through Mandiant’s reporting of Chinese cyber espionage in 2013. Not long after, the Snowden disclosures had a dramatic impact on how we understand and talk about cyber security.

After Snowden

One of the most important revelations of the Snowden documents has been that the project of cyber security (at least as interpreted by signals intelligence agencies like NSA, GCHQ and CSE) can include compromising the very digital infrastructure it is tasked to protect. Domestic cyber security programs can become an “advanced persistent threat” – a term once reserved for foreign hackers. Given these developments, it is worthwhile to reflect on how the governmental project of cyber security has evolved in recent years, and what cyber security has come to mean. This is particularly important in Canada, a country closely implicated in US cyber security efforts, but where post-Snowden commentary has made comparatively little impact.

The lack of visible concern by Canada’s government about the security threat posed by its closest allies (a threat that Canada has apparently facilitated) speaks to how foreign policy shapes the nation’s cyber security priorities. It also sends the dangerous message that while Canada is unable to clearly define a vision of what it is trying to secure, cyber security is somehow compatible with pervasive surveillance and widespread hacking.

State cyber security agencies work to guard us from new threats, but seem blind to the possibility that they or their partners might also threaten our security. To paraphrase Google’s chairman, an attack is an attack, whether it comes from China or the NSA. For Canada’s CSE and the other Five Eyes members, the equivalence may not be as clear. If cyber security is subordinated to national security interests and compatible with government hacking, then threats will continue to be defined very differently by those inside and outside government. In addition to a broadening scope for cyber security’s concerns, the current trend is one of growing division between government cyber security efforts and more clearly circumscribed approaches to information security by private companies and civil society.

The idea that cyber security can be compatible with hacking domestic companies and maintaining vulnerabilities in commonly-used technologies might be seen as a continuation of the exceptional measures justified by 9/11. But more fundamentally, it reflects the technocratic imperatives of agencies tasked with gaining and maintaining access to communications infrastructure. The Five Eyes’ objectives go far beyond countering terrorism, and surreptitious access to communications infrastructure is increasingly part of the larger cyber security project. This dangerous vision of cyber security has evolved in secret, establishing procedures for who can be targeted, what can be collected, and where compromising security might help to make us safer. We did not learn of these measures through visible political discourse or securitizing rhetoric (the traditional focus of the Copenhagen School), but through operational documents and presentation slides from closed meetings of security professionals.