Search Mailing List Archives
[liberationtech] Cyber Security: Canada Is Failing The World
masashi at kmdi.utoronto.ca
Thu May 26 12:04:53 PDT 2011
Cyber Security: Canada Is Failing The World
By Ron Deibert Director, the Canada Centre for Global Security Studies
and the Citizen Lab, Munk School of Global Affairs, University of
Huffington Post Canada. May 26, 2011
Cyberspace has become an all-immersive domain, and the global
communications environment in which all of society, economics, and
politics are now embedded. Its constituent parts are widely conceived
of as critical national infrastructure.
But the domain of cyberspace is entering a potentially chaotic and
very dangerous phase of its evolution, which is why it has become a
key issue for consideration at today's G8 summit in Deauville, France.
The Canadian government is late to the cyber security arena, and only
recently released a cyber security strategy last fall that pales in
comparison to the scope of the challenges, or to equivalent strategies
released by our allies, like the United States.
It devotes far too few resources to the problem, does not fully
address the division of appropriate institutional responsibilities,
and only barely nods at the importance of a foreign policy for
cyberspace. A recent investigation revealed our public sector
infrastructure was so thoroughly infiltrated with malicious activity
emanating from foreign jurisdictions that the entire Treasury Board
was taken offline for weeks. Embarrassingly, a recent security study
ranked Canada among the highest of countries for the hosting of
Not surprisingly, our government's capacity to engage forcefully and
strategically on these issues has been muted. We are absent in the
international arenas where cyberspace governance is debated and
territorialized controls are being normalized by China, Russia and
other democratically challenged states.
Although the G8 summit will cover a range of issues, President Nicolas
Sarkozy has signaled that cyber security issues will rank high on the
agenda. What will be Canada's contribution to the discussions? What
will Prime Minister Stephen Harper bring to the table?
Cyberspace has always been characterized by change, but there has been
a major architectonic shift in the nature of the medium with the rise
of social networking, the shift to cloud computing, and the rapid
emergence of mobile forms of constant connectivity.
While convenient and fun, these new modes of communicating have
emerged so fast that they have created unforeseen security and privacy
liabilities and unintended consequences for individuals and
Mobile communications operate along an entirely different ecosystem
than desktop PC infrastructures. Among other respects, they lend
themselves to much more precise geolocation tracking, the information
for which may be shared with third parties in ways that are not
necessarily transparent to users.
Meanwhile, social networking and cloud computing services have
produced an exponential increase in the sharing and networking of once
discrete data sources. We click on documents, links, and attachments
with carefree abandon as we move from the office to the internet cafe
to the airport lounge. Personal photographs, sensitive documents,
business spreadsheets, classified reports are entrusted to server
farms of privately owned infrastructures that can span multiple
Any epidemiologist studying such a dynamically growing ecosystem would
not be surprised to find a huge expansion in the cyber equivalent of
disease: although cybercrime has formed a hidden shadow along every
step of the Internet's history, its growth has suddenly become so
explosive in recent years by virtually any estimate that it is beyond
control, and perhaps even beyond estimation.
According to security companies there are around 60,000 new malicious
software (malware) samples discovered every day, with the number
rising steadily. Massive botnets - global networks of infected
computers - now routinely count in the tens of thousands worldwide.
A huge black market for cybercrime tools and products thrives as a
kind of hidden underbelly of globalization, driving everything from
petty identity theft to high-stakes political and commercial
espionage. If precise estimates could be obtained, it would surely
rank as one of the world's largest economic growth sectors, as
millions of new digital natives from the developing world find a
rewarding and elegant means to personal enrichment.
Not surprisingly, governments have begun to react, but in doing so may
be contributing more to the problem than creating solutions.
Generally speaking, there has been a sea-change the world over in the
way governments approach cyberspace. Whereas 10 years ago, states were
either oblivious to the Internet or took a laissez-faire approach,
today they are moving swiftly to assert their power and shape the
domain in ways that suit their strategic domestic and foreign policy
interests. Whether for purposes of copyright control, anti-terrrorism,
or to shore up regimes from meddlesome human rights and opposition
networks, governments are building up an advanced suite of cyberspace
controls, ranging from filtering and surveillance to the black arts of
computer network exploitation.
Alarmed by consistent high-level penetrations of its own critical
infrastructures, the United States has led the way with numerous cyber
strategy documents, legislation, and institutional reform. The most
significant of these was the establishment of the U.S. Cyber Command
in 2010, which helped trigger a major industrial shift in the defense
industry and a fundamental force restructuring among allies that is
It has also triggered a global cyber arms race. Unable to compete on
the same level, adversaries of the United States seek comparative
advantage by exploiting criminals and patriotic hackers to do their
bidding instead. Major incidents of computer network attacks and
espionage have been traced back to the Chinese and Russian criminal
underworld, or to pro-regime sympathizers of Iran, Burma, Libya,
Syria, and others. Others have followed the US lead and set up "cyber
commands" of their own.
Meanwhile, the private sector that owns and operates the vast majority
of cyberspace is caught in the cross-hairs, continuously blitzed by
mounting assaults on its networks while simultaneously being pressured
by governments looking to download their responsibilities to police
Research In Motion, the Canadian maker of BlackBerry products, has
been dogged by such demands to the point of seeming frustration. When
asked by the BBC whether RIM had made deals to hand over its encrypted
data to security services, CEO Mike Lazaridis cut short the interview.
Some companies have seized on the commercial opportunity opened up by
cyberspace contests; a massive cyber security market, now measured to
be anywhere between $80- and $150-billion annually, provides
filtering, data mining and fusion, and computer attack capabilities to
security services worldwide. One of our research projects, the OpenNet
Initiative, has documented how a Canadian company, Netwsweeper,
provides services to the regimes of UAE, Bahrain, Qatar, and Yemen -
countries known for pervasive censorship - so that they can "block
inappropriate content ... based on social, religious or political
ideals," according to a page on their website which has since been
As one of the world's largest economies and home to some of the
greatest thinkers of communications, from Harold Innis and Marshall
McLuhan to William Gibson, Canada should be leading the way instead of
muddling along. We certainly stand among those to lose the most should
cyberspace continue its spiral into censorship, militarization, and
crime. What should be done?
First, a comprehensive strategy to protect the cyber commons should
begin by linking the international consequences of domestic policies.
If liberal democratic countries pass legislation that permits access
to data for state security services without judicial oversight, as the
Harper government is reportedly set to do with lawful access
provisions of the forthcoming Omnibus Crime bill, then there is no
moral basis for condemning those actions when they occur in places
like China, Iran, or Belarus.
It is certainly true that law enforcement is overwhelmed with the
surge of cyber crime, but the case has not been made that to deal with
it effectively requires access to private data and a major dilution of
civil liberties that are basic to a liberal democratic society. In
fact the opposite may be more the case.
The problem for law enforcement and intelligence today is not the lack
of information; it is the deluge of it. We need to give law
enforcement new resources, capabilities, proper training and equipment
to sort through voluminous flows of existing data. But alongside those
resources, Canada should be setting the highest standard of judicial
oversight and public accountability. New resources, yes, but the same
if not more rigorous checks and constraints on powers.
The same principle holds true for Canadian companies operating abroad.
Rather than catering to regimes that violate human rights, or
colluding with security services with dubious track records, Canadian
companies should be held to the same basic minimum standards that we
expect in Canada when offering services abroad. Regulatory measures
should be introduced that set standards for the private sector around
mandatory disclosures of security breaches, strong privacy protections
built by design, and restrictions on the sale of products and services
that contribute to violations of human rights abroad.
Part of Canada's cyberspace strategy needs to focus outward. Our
Foreign Affairs department should be at the forefront of the promotion
of decentralized and distributed security mechanisms, while actively
resisting proposals that seek to alter the constitution of cyberspace
through top-down, heavy-handed government controls.
Diplomatically, we should work to build a broad community of like
minded-states who share this common vision, and have an interest in a
secure and open cyber commons across the many different venues of
cyberspace governance. Such rules should include the promotion of
norms of mutual restraint in cyberspace, protections for privacy and
civil liberties, joint vigilance against cyber crime networks, and
respect for the free flow of information. We should also work as a
liaison between our allies and the governments of China, Russia and
others to limit the dangerously escalating tensions that exist in
It is unlikely that such an ambitious agenda will emerge from Canada
to influence this year's meeting of the G8. But hopefully the meeting
will set in motion a process of urgent reflection on the scope of the
challenges that lay ahead.
This article was originally featured at the Huffington Post Canada ---
you can view it here: http://www.huffingtonpost.ca/2011/05/26/cyber-security-canada-stephen-harper-g8_n_867136.html
Ron Deibert is Director, the Canada Centre for Global Security Studies
and the Citizen Lab, Munk School of Global Affairs, University of
More information about the liberationtech