CSE’s Cyber Shakeup

The House of Commons is now on summer break, but before everyone headed off, the Trudeau/Goodale Liberals introduced a monumental rework of Canadian intelligence and security institutions. This accomplishes some of what the Liberals previously indicated, but as Wesley Wark points out, such substantial changes to Canada’s national security bureaucracy are surprising. The implications are complex, with major reform for those overseeing CSIS and CSE (two new institutions: the National Security and Intelligence Review Agency and the Intelligence Commissioner) and changes to CSE’s mandate.

Experts and politicians have some time to chew on this bill’s different aspects, and for all things CSE, an important view is the Lux Ex Umbra blog. However, here I want to offer a couple of thoughts on the cyber aspects of the reforms.  As others have pointed out, these reforms will help to normalize certain types of acts (network exploitation and attack). One argument is that Canada’s new framework will help normalize in the international arena what a lot of states have been doing covertly, under dubious legal authority — “effects” like hacking and exerting influence in various domestic and foreign jurisdictions. The Canadian approach could either be a model for others interested in legal reform, or contribute to making these actions more acceptable and legitimate around the world. Domestically, this is also a normalization of the sorts of things that CSE has done, or wanted to do, for some years now.

There’s an upside and downside here. If you assume that this is the sort of stuff the Five Eyes and CSE would be doing anyway, it’s good to have it under an explicit legal framework that can “reflect the reality of global communications today and participation in international networks such as Five Eyes”. From this view, the reforms are an improvement in accountability and oversight. On the other hand, if you think this is precisely the sort of thing governments should reject (and the focus should be purely on cyber defence and passive techniques), then the last thing we should do is put a government stamp on it. Instead of updating the law to legitimate what has been going on, we need to stop the most controversial activities revealed by Snowden (weakening crypto, hacking Google data links and compromising LinkedIn accounts of Belgian telecom engineers).

In Canada, we have never had a debate about these questions. The national security consultation that ostensibly informs this move was not designed to ask them. Canada’s role in the Five Eyes is not under revision, and Bill C-59 is meant to better “align ourselves” with these cyber “partners”. The partners are meeting this week, amid an active push by allies (specifically, Australia) to get Canada’s cooperation in countering encryption. There’s little indication where Canada stands on these questions today. However, given what appears to be our holding-steady with the Five Eyes and C-59’s new legal framework, CSE can still end up promoting insecurity, in secret, at our allies’ request.

Ultimately, the success of C-59 will depend on how effective the new accountability mechanisms are. Canada’s previous experience includes government assurances about legal compliance and oversight, while routine illegality and surprising legal interpretations are carried out in secret. Some of this previous experience (like the CSIS ODAC database) is addressed in C-59, but on the most fundamental question — what kind of security will Canada promote in the world? — we seem to be doing what Canada has done since we hitched our national security to the U.S. in late WWII: defaulting to our allies. We may have some bold new security legislation (and a Minister of Foreign Affairs who recently made big statements about the need to “set our own clear and sovereign course”), but old concerns about the lack of a distinctly Canadian approach to international and cyber security are as relevant as ever.

Canada’s Cyber Security Seeks Public Input — Here’s Mine

The Government of Canada is carrying out a public consultation on cyber security. Specifically, the consultation is being administered by Public Safety Canada’s National Cyber Security Directorate (NCSD). NCSD’s role is sometimes described as cyber policy and coordination, such as designing and implementing Canada’s Cyber Security Strategy, and the consultation asks for the public’s help in addressing some really thorny cyber security challenges.

On its face, it’s hard to know what to make of this consultation. PSC/NCSD wants to hear from “experts, academics, business leaders, and provincial, territorial and municipal governments” on the topic, but they also want “all citizens to get involved in a discussion about the security and economic dimensions of Canada’s digital future.” There are four main topics the government is consulting on, and a workbook has also been created to accompany the process. The workbook breaks the consultation down into trends, themes, and related questions for consideration, but the contents seem designed to steer answers in particular directions, and the one topic that doesn’t include any specific questions is Canada’s “way forward”, the outlines of which seem to have already been decided.

Some of the questions in the workbook are ones that I imagine Government would love an innovative answer for (How can public and private sector organizations help protect themselves from cybercrime… and what tools do they need to do so?), while others seem loaded to produce a particular response (with “example” answers provided). I only hope that the responses to this consultation won’t be quantified as statistics (since this isn’t a methodologically-sound survey), or used to support decisions that have already been made. So let’s give them the benefit of the doubt and assume that NCSD really does want some help from Canadians in dealing with one of society’s most important challenges, and they’re open to all sorts of ideas.

To that end, I’ve provided my response to the consultation’s four “topic areas”:

The Evolution of the Cyber Threat
I think a lot of this has been covered in broad strokes by Canada’s Cyber Security Strategy and related documents. The threat has certainly evolved, in terms of actors, motives, and potential harm. State actors are increasingly involved around the world, and there are dedicated industries of criminals profiting from vulnerabilities. The most interesting way that I think the cyber threat has evolved in recent years is a recognition of the Five Eyes (Canada’s alliance with the US, UK, Australia and New Zealand) as a security threat. This recognition has certainly not come from the Canadian government, or even much of the Canadian population (as we really have yet to talk about this issue). Instead, the changing nature of the threat has been expressed most publicly by the likes of Microsoft and Google, after they learned through the Snowden documents that the Five Eyes were compromising their infrastructure and the relationships of trust these companies have established with their users.

The Increasing Economic Significance of Cyber Security
I don’t consider this to be much of a topic in need of public consultation, since it seems like Public Safety is already aware that cyber security is vital to the economy. It’s hard to put a dollar value on security, but it’s pretty obvious that the value of maintaining information security and the “losses” that result from various kinds of threats are enormous. Huge numbers are estimated and cited to justify the need for cyber security,  and I’m not sure that we need more accurate numbers (since we know they’re big), or that bigger numbers will compel action. We can talk about how better to communicate the seriousness of the issue, but I’m more interested in finding perspectives other than the economic lens to talk about threats. Government ideas about the value of the internet in Canada too often lapse into talk of the “digital economy”, and harms that don’t involve children are often expressed in economic terms. As people like Ron Deibert point out, we need to think more about the democratic/political dimensions of cyber security. This means articulating the value of connectivity in a way that doesn’t translate into dollars, but instead relates to our values as Canadians (like those “rights and freedoms” mentioned at the end of the workbook).

The Expanding Frontiers of Cyber Security
While the workbook discusses this in terms of the need for “cyber security [to] evolve at the same rate as new technologies” (p. 17), I want to use this topic to discuss the expanding scope of cyber security.

The workbook defines cyber security as “the protection of digital information and the infrastructure on which it resides. Cyber security addresses the challenges and threats of cyberspace in order to secure the benefits and opportunities of digital life” (p. 5). The first part of this definition is relatively straight-forward, and encompasses the domain of IT security. However, cyber security is not limited to these concerns, and Canada’s closest allies have used the language of cyber security to justify creating and preserving technological vulnerabilities in the service of strategic objectives. Meanwhile, it seems that Public Safety Canada considers “threats of cyberspace” to include more than just threats to digital information and infrastructure.

Internationally, cyber security now includes a variety of concerns, including over public order and morality. For instance, in Canada cyberbullying is sometimes listed as a cyber security threat alongside phishing and malware (particularly in Get Cyber Safe resources). Cyberbullying can certainly involve personal information being compromised, but it can also refer to the hateful and abusive comments found in many online media. The danger is that cyber security can be equated with online “safety”, which can mean safety from content that might insult, harm, or disturb.

The more concerning expansion of cyber security is as a justification for whatever actions serve national security or the priorities of state agencies. This is a worry because the goals of some state “partners” in cyber security are not to provide the public with the most secure technologies. In the US for instance, secret efforts to make commercial technologies (the same technologies widely used by Canadians) more vulnerable and less secure were justified as part of an ostensibly-defensive cyber security program (the CNCI). As discussed below, there is no reason to believe that Canadian agencies are an exception to the same tendencies demonstrated by their closest international allies in cyber security.

One of the few things that all cyber security threats have in common is that they all involve a computer, or digital networks. Since we are supposedly moving towards a world covered in networked computers, the potential for cyber security’s expansion is a major cause for concern. I feel a lot more comfortable talking about information (IT), network, or computer security, because at least there the subject matter is relatively defined. Cyber security is more of a mixed bag, and I hope that the Government of Canada will keep the expansionist tendency of cyber security in check. Focus on the threats we know and are having difficulty defending against, don’t go looking for new forms of troublesome conduct involving a computer that can be listed as a cyber security threat, and let’s talk about whether the government’s idea of cyber security includes purposefully maintaining certain kinds of insecurity.

Canada’s Way Forward on Cyber Security
As part of Canada’s way forward, we need to take an explicit position on the extent to which we want to promote information/IT security at the expense of other conceptions of security, particularly those favored by police and national security agencies. It seems disingenuous to promote the security of information and infrastructure without acknowledging the limits to which government agencies are comfortable allowing such developments. Police in Canada and around the world are well aware of this conflict, particularly after the Snowden revelations led to widespread adoption of more secure technologies, which are now an obstacle to their ability to investigate crime. The showdown between Apple and the FBI is a recent manifestation of this tension, and Canada should not simply sit on the sidelines and wait for these new “crypto wars” to play out in the US and Europe.

We also need to discuss our membership in the Five Eyes, because Canadians have never had a real opportunity to do so. Predicated on a secret treaty, the Five Eyes often acts as a coordinated group and an exclusive club, supposedly based on its members’ “common Anglo-Saxon culture, accepted liberal democratic values and complementary national interests”. Originally formed to further intelligence collection and the sharing of information in the interests of national security, today the Five Eyes also includes collaboration of a more defensive nature in the realm of cyber security. We know that Canada’s membership in the Five Eyes can be a privacy threat to Canadians, because of last year’s revelation that CSE had for years violated the law by sharing Canadians’ personal information with these allies. We know that the Five Eyes can pose a security threat to our information infrastructure, because of documents revealed by Edward Snowden showing how the NSA worked to weaken the security of commonly-used systems in order to more easily obtain intelligence (efforts in which Canada appears to have been complicit).

In the US, the Snowden disclosures resulted in the President’s Review Group on Intelligence and Communications Technologies recommending the separation of the NSA’s offensive and defensive roles, through the creation of a new agency to take over the NSA’s defensive “information assurance” mission. Canada has yet to acknowledge the contradiction at the heart of the Five Eyes – where government agencies work simultaneously (or at cross-purposes) to both secure infrastructure and make it more vulnerable. In the US, the NSA is currently merging its offensive and defensive capabilities. This NSA reorganization contradicts the recommendations of the President’s Review Group and strains trust with non-government partners, but is at least being openly acknowledged and discussed. In Canada, a similar process of merging offensive and defensive capabilities may very well be underway at CSE, but this is just what we can deduce from five-year-old Snowden documents, and the government’s position on this topic is limited to CSE’s statements about the same news story.

Can the Canadian government be a trusted partner in cyber security when it has never even acknowledged its role (or the conduct of its closest allies) in making information infrastructure less secure? Is it permissible to have one cyber security agency (CCIRC) responding to threats and vulnerabilities, some of which may have been created or kept secret by CSE and its Five Eyes allies? These are not hypothetical questions — just last week CCIRC issued an advisory to correct a vulnerability that the NSA had likely exploited for over a decade. If the attributions of security experts are correct, this means that the Canadian public is being notified about a security vulnerability that was kept secret and exploited by our closest cyber security ally, and we are learning about it through foreign actors whose motivations are unknown, but presumably do not include a desire to make our infrastructure more resilient.

Certainly, most Canadians have more to fear from more mundane threats, like phishing, ransomware, and others listed as part of the government’s consultation. But I wanted to focus on the Five Eyes because these are precisely the sorts of blind spots that need to be uncovered through public consultation. If government agencies will not acknowledge this threat, either because of secrecy or the failure to recognize what those outside government perceive, then it becomes the responsibility of Canadians to point out how the government’s version of reality is different than the one we are reading about in the news. However, at that point we are no longer having a shared discussion of cyber security, but two parallel discussions, with very different ideas of what constitutes a cyber threat.

These tensions at the heart of cyber security are not going anywhere, but by acknowledging them, the Government of Canada can at least take an explicit policy position, rather than the implicit one we can deduce from its former conduct. The Government of Canada has already taken the historic step of suspending metadata sharing with the Five Eyes until it is confident that this no longer threatens the privacy of Canadians. Before Canada resumes its full participation in a secretive alliance that works to both strengthen and weaken the security of systems we depend on, we need a stated position on such conduct. Specifically, are security vulnerabilities ever acceptable or desirable? Is it ever appropriate for government agencies such as CSE and the RCMP to use vulnerabilities that might otherwise be disclosed and corrected? What should we do when our closest cyber security allies are repeatedly found exploiting vulnerabilities and weakening security?

In response to the last of these questions, I would answer that Canada needs to either openly declare its support for government efforts to compromise security, including any limits or conditions, or it needs to publicly oppose these efforts. Only by working to strengthen IT security against all threats can the Government of Canada be a trusted partner in cyber security. To take no position at all by failing to acknowledge the issue is untenable, will weaken trust in government, and will continue the post-Snowden bifurcation of security into two separate discussions — one that includes government as a partner and one that does not.

Still sorting out the post-Snowden balance

The ongoing fight between Apple and the FBI, in which a growing number of companies have declared their own interest and support, is the latest constitutive moment for what it means to live in the “post-Snowden” era. This is because the fight is a direct consequence of changes made by Apple following the Snowden disclosures, and because it is now being used as a way to stabilize some sort of “balance” between government and industry, after the massive shake-up of this relationship in late 2013/early 2014. The shift that occurred included major tech companies treating their own government as an adversary to defend against. Now, Apple has reportedly decided that its own engineers must also be part of this threat model. After Snowden, the company decided that it no longer wanted to be able to unlock phones for the government. Now, the challenge is to develop security that the company cannot even help the government break through some indirect means.

The term “post-Snowden” has gotten a lot of use in the last couple of years, but the Apple-FBI battle demonstrates the real shift to which it refers. Perhaps in a few years, the impact of the Snowden disclosures will be forgotten, in much the same way as the crypto war of the 1990s faded from memory as the relationship between industry and government got cosy after 9/11. But the world did change in a variety of substantial ways as a consequence of Edward Snowden’s actions, and we are still grappling with the legacy of those changes.

The Snowden disclosures were a truly international story with many local manifestations. Just as NSA-affiliated surveillance infrastructure had been extended around the globe, scandal touched the various nations implicated in the documents, and opened the door to local investigations. News stories broke one after another, with governments as either targets or practitioners of surveillance. Canada, as a member of the exclusive “Five Eyes” surveillance club, was reminded that it too had an agency with a mandate similar to the NSA (CSEC, now CSE). More clearly than ever, citizens understood that the surveillance infrastructures of intelligence agencies had global reach. Canada hasn’t seen public battles between government and industry like the one currently involving Apple, and discussions of government surveillance have been more muted than in the US, but a series of Snowden-related stories in this country have also fed into long-standing concerns about surveillance and privacy.

I want to spend more time on how the Snowden disclosures impacted Canada in a later post, but for now I’ll just briefly reflect on my own experiences studying the telecom industry during this period.

I began attending meetings of network operators and engineers in 2012. The first of Snowden’s revelations hit in June 2013, and by the fall of 2013, the topic of state surveillance was a regular part of conference conversations and presentations, if not the actual topic of presentations themselves. At the October 2013 NANOG conference, the internet’s North American engineers cheered the resistance of Snowden’s email provider to disclosure demands by the US government (Ladar Levison had built what was meant to be a secure email provider, but the FBI ordered him to hand over the encryption keys. Attendees applauded his efforts to make the FBI’s job as difficult as possible). At the IETF in Vancouver the following month, participants overwhelmingly voted to treat pervasive surveillance by state intelligence agencies as a technical attack on the internet, and debated how to protect against it. At a Canadian industry conference in April 2014, an executive with an incumbent ISP argued that service providers had an opportunity to gain a competitive advantage by offering better security, and showed a photo of Snowden as an answer to the question of why we care about privacy and security. Interestingly, Canadian government agencies reportedly joined Canadian companies in touting the country’s privacy and security advantages to customers concerned by surveillance in the US.

After Snowden, corporate management and operational decisions took time to shift, but the change in discussions and governance forums was more immediate. It wasn’t just that private intermediaries suddenly had a new threat to worry about, but that the nature of their role, and their relationship to their users/customers had changed. Snowden’s revelations included the fact that the NSA had been undermining the very internet infrastructure that the agency had been tasked with protecting, but also the suggestion that it had done so with intermediaries acting as private partners. Best exemplified by early reports of the PRISM program, some intermediaries were now seen as complicit in this global spying apparatus. As a consequence, companies began limiting cooperation with government agencies and issuing transparency reports about the nature and extent of their information disclosures.

The Snowden disclosures contributed to cynicism and distrust of both government and private industry, and trust is key for companies that have built a business model around securing personal information. Companies such as Apple are positioning themselves as trusted stewards of personal information, with the recognition that customers often do not trust government assurances that they will only access such data in limited and justified circumstances. The most recent moves by Apple are an attempt to move data even further out of the reach of these providers themselves. Such an approach will not be possible for companies that depend on access to this data as part of their business model (for advertising purposes), but for those selling hardware and online services, building walls against governments is now often more desirable than negotiating access.

From one perspective, the Apple-FBI fight is about setting a precedent for government power in the post-Snowden era. But I would say that it is an indicator of a loss of government power, a shift in the orientation of the US tech industry to the state, and one of the continuing consequences of Snowden’s decision to shake up the world.

Canada’s cyber security and the changing threat landscape

My article, Canada’s cyber security and the changing threat landscape, has just been published online by Critical Studies on Security.

Broadly, it grapples with what cyber security has come to mean in the Canadian context. The article deals partly with Canada’s Cyber Security Strategy, the operations of the Canadian Cyber Incident Response Centre (CCIRC) between 2011 and 2013 (a time of great concern over hacktivism [Anonymous] and Advanced Persistent Threats [China]), and what we can say about Canada’s cyber security orientation in the “post-Snowden era”. It is based on publicly-available texts and several years of Access to Information requests (the requests were informal, for documents already released to other people, giving me several thousand pages to work with).

What is cyber security, and why should we care?

Cyber security emerged from a narrow set of concerns around safeguarding information and networks, but in recent years it has become intimately tied to foreign and domestic political objectives. This means that cyber security cannot be defined and delimited in the same way as the field of information security (as protecting the confidentiality, integrity, and availability of information). Instead, cyber security is a collective endeavor, typically tied to the larger project of national security, but also encompassing a broader set of social and ethical concerns. This is why hateful messages sent by teens are now treated as a cyber security problem, while Canada’s government fails to acknowledge the international cyber threat posed by its foreign allies.

One of the key effects of cyber security strategies and classifications is that they specify the boundaries of what is to be secured. As the line between ‘cyber’ and ‘non-cyber’ continues to blur, the scope of cyber security’s concerns can expand to cover new kinds of threats. If it is true, as the opening of Canada’s Cyber Security Strategy 2010 declares, that our “personal and professional lives have gone digital”, that we now “live, work, and play in cyberspace”, then cyberspace is not just a new domain to be secured, but a fundamental part of our lived reality. This means that it is now possible to conceive of cyber threats as existential threats of the highest order, but also that the project of cyber security will have deepening implications for our daily lives. Some of these implications can only be discussed by referencing the work of security professionals – work which typically takes place out of public view.

Operational and Technocratic Discourse

My article began as a work of discourse analysis, but over time I turned increasingly to international relations (IR) and what has been called the “Paris School” of security studies. I found that previous analyses of cyber security discourse, influenced by the Copenhagen School, focused largely on public discourse, and how political actors work to get cyber security on the political agenda (as a response to new, existential threats). The Paris School, meanwhile, emphasizes that new security issues can arise and be defined in the hidden world of security professionals and their technocratic practices. The volumes of internal threat reports, alerts, and government emails accessible through Access to Information became a rich source for this technocratic and operational discourse, providing a sense of how the moving parts of cyber security fit together in practice.

Hacktivism

Hacktivism is an interesting threat category to consider because, at least in Canada, it has never been subject to visible politicization. Unlike cyberbullying, no new laws have been proposed to deal with hacktivists, and public officials have avoided referencing the threat in their public proclamations. The Government seems more willing to deal with hacktivism quietly than to engage in a public fight against Anonymous, or to publicly condemn tactics that some see as a legitimate form of protest.

Nevertheless, hacktivism has become a major preoccupation for Canadian security agencies, as evident through volumes of operational discourse, including detailed reports and responses to hacktivist campaigns. Where cyberbullying can be reduced to a problem of ethical conduct, common forms of hacktivism such as DDoS reduce to a technical problem. A DDoS attack becomes hacktivism by virtue of its political motivation, and not its methods. While DDoS actions have typically been handled by CCIRC and CTEC as individual incidents, the operational threat category of hacktivism makes these events legible as part of a larger and pathological social trend, and the growing concern with hacktivism since 2010 indicates cyber security’s opposition to disruptive forms of online activism and politically-motivated hacking.

Advanced Persistent Threats (APTs)

As actors define and redefine cyber security’s terminology, they produce new conceptions, repurpose old ones, and experiment with metaphors. Sometimes, a term becomes a prolific ‘buzzword’, securing regular usage in cyber security discourse, and also inevitably becoming a point of contention. One of the best recent examples is the Advanced Persistent Threat (APT). This is the threat category that best represents cyber security’s oblique treatment of international affairs and the new strategic stakes of cyber security. Where hacktivism is the intersection of cyber security and protest in operational discourse, APTs bring cyber security into opposition against state actors. The term usually refers to a well-resourced threat actor willing to devote considerable effort to compromise a particular target, and is often understood to mean a state-backed attacker – sometimes becoming simply a shorthand for “China”.

In tracing the emergence and proliferation of this new threat category, it is possible to get some sense of the multiple constituents and channels of cyber security discourse. In this case, a category emerged in the operational discourse of the US military, spread rapidly through the North American security industry, and was adopted for internal use by CCIRC in the aftermath of a major security breach in 2011. Along the way it was used to classify a growing number of intrusions and data breaches, sell security products and services, and make intelligible a world of online geopolitical contestation. APTs could be invoked to specify a threat, while eliding the attribution problem and preserving nominal ambiguity in the international political arena. For CCIRC, APTs became an operational threat category at a time when Chinese hackers were widely suspected of compromising Canadian government systems, and the term proliferated into public discourse through Mandiant’s reporting of Chinese cyber espionage in 2013. Not long after, the Snowden disclosures had a dramatic impact on how we understand and talk about cyber security.

After Snowden

One of the most important revelations of the Snowden documents has been that the project of cyber security (at least as interpreted by signals intelligence agencies like NSA, GCHQ and CSE) can include compromising the very digital infrastructure it is tasked to protect. Domestic cyber security programs can become an “advanced persistent threat” – a term once reserved for foreign hackers. Given these developments, it is worthwhile to reflect on how the governmental project of cyber security has evolved in recent years, and what cyber security has come to mean. This is particularly important in Canada, a country closely implicated in US cyber security efforts, but where post-Snowden commentary has made comparatively little impact.

The lack of visible concern by Canada’s government about the security threat posed by its closest allies (a threat that Canada has apparently facilitated), speaks to how foreign policy shapes the nation’s cyber security priorities. It also sends the dangerous message that while Canada is unable to clearly define a vision of what it is trying to secure, cyber security is somehow compatible with pervasive surveillance and widespread hacking.

State cyber security agencies work to guard us from new threats, but seem blind to the possibility that they or their partners might also threaten our security. To paraphrase Google’s chairman, an attack is an attack, whether it comes from China or the NSA. For Canada’s CSE and the other Five Eyes members, the equivalence may not be as clear. If cyber security is subordinated to national security interests and compatible with government hacking, then threats will continue to be defined very differently by those inside and outside government. In addition to a broadening scope for cyber security’s concerns, the current trend is one of growing division between government cyber security efforts and more clearly circumscribed approaches to information security by private companies and civil society.

The idea that cyber security can be compatible with hacking domestic companies and maintaining vulnerabilities in commonly-used technologies might be seen as a continuation of the exceptional measures justified by 9/11. But more fundamentally, it reflects the technocratic imperatives of agencies tasked with gaining and maintaining access to communications infrastructure. The Five Eyes’ objectives go far beyond countering terrorism, and surreptitious access to communications infrastructure is increasingly part of the larger cyber security project. This dangerous vision of cyber security has evolved in secret, establishing procedures for who can be targeted, what can be collected, and where compromising security might help to make us safer. We did not learn of these measures through visible political discourse or securitizing rhetoric (the traditional focus of the Copenhagen School), but through operational documents and presentation slides from closed meetings of security professionals.