Cyber Security: Canada Is Failing The World
Cyberspace has become an all-immersive domain, and the global communications environment in which all of society, economics, and politics are now embedded. Its constituent parts are widely conceived of as critical national infrastructure.
But the domain of cyberspace is entering a potentially chaotic and very dangerous phase of its evolution, which is why it has become a key issue for consideration at today's G8 summit in Deauville, France.
The Canadian government is late to the cyber security arena, and only recently released a cyber security strategy last fall that pales in comparison to the scope of the challenges, or to equivalent strategies released by our allies, like the United States.
It devotes far too few resources to the problem, does not fully address the division of appropriate institutional responsibilities, and only barely nods at the importance of a foreign policy for cyberspace. A recent investigation revealed our public sector infrastructure was so thoroughly infiltrated with malicious activity emanating from foreign jurisdictions that the entire Treasury Board was taken offline for weeks. Embarrassingly, a recent security study ranked Canada among the highest of countries for the hosting of malicious content.
Not surprisingly, our government's capacity to engage forcefully and strategically on these issues has been muted. We are absent in the international arenas where cyberspace governance is debated and territorialized controls are being normalized by China, Russia and other democratically challenged states.
Although the G8 summit will cover a range of issues, President Nicolas Sarkozy has signaled that cyber security issues will rank high on the agenda. What will be Canada's contribution to the discussions? What will Prime Minister Stephen Harper bring to the table?
Cyberspace has always been characterized by change, but there has been a major architectonic shift in the nature of the medium with the rise of social networking, the shift to cloud computing, and the rapid emergence of mobile forms of constant connectivity.
While convenient and fun, these new modes of communicating have emerged so fast that they have created unforeseen security and privacy liabilities and unintended consequences for individuals and organizations alike.
Mobile communications operate along an entirely different ecosystem than desktop PC infrastructures. Among other respects, they lend themselves to much more precise geolocation tracking, the information for which may be shared with third parties in ways that are not necessarily transparent to users.
Meanwhile, social networking and cloud computing services have produced an exponential increase in the sharing and networking of once discrete data sources. We click on documents, links, and attachments with carefree abandon as we move from the office to the internet cafe to the airport lounge. Personal photographs, sensitive documents, business spreadsheets, classified reports are entrusted to server farms of privately owned infrastructures that can span multiple political jurisdictions.
Any epidemiologist studying such a dynamically growing ecosystem would not be surprised to find a huge expansion in the cyber equivalent of disease: although cybercrime has formed a hidden shadow along every step of the Internet's history, its growth has suddenly become so explosive in recent years by virtually any estimate that it is beyond control, and perhaps even beyond estimation.
According to security companies there are around 60,000 new malicious software (malware) samples discovered every day, with the number rising steadily. Massive botnets - global networks of infected computers - now routinely count in the tens of thousands worldwide.
A huge black market for cybercrime tools and products thrives as a kind of hidden underbelly of globalization, driving everything from petty identity theft to high-stakes political and commercial espionage. If precise estimates could be obtained, it would surely rank as one of the world's largest economic growth sectors, as millions of new digital natives from the developing world find a rewarding and elegant means to personal enrichment.
Not surprisingly, governments have begun to react, but in doing so may be contributing more to the problem than creating solutions.
Generally speaking, there has been a sea-change the world over in the way governments approach cyberspace. Whereas 10 years ago, states were either oblivious to the Internet or took a laissez-faire approach, today they are moving swiftly to assert their power and shape the domain in ways that suit their strategic domestic and foreign policy interests. Whether for purposes of copyright control, anti-terrrorism, or to shore up regimes from meddlesome human rights and opposition networks, governments are building up an advanced suite of cyberspace controls, ranging from filtering and surveillance to the black arts of computer network exploitation.
Alarmed by consistent high-level penetrations of its own critical infrastructures, the United States has led the way with numerous cyber strategy documents, legislation, and institutional reform. The most significant of these was the establishment of the U.S. Cyber Command in 2010, which helped trigger a major industrial shift in the defense industry and a fundamental force restructuring among allies that is still unfolding.
It has also triggered a global cyber arms race. Unable to compete on the same level, adversaries of the United States seek comparative advantage by exploiting criminals and patriotic hackers to do their bidding instead. Major incidents of computer network attacks and espionage have been traced back to the Chinese and Russian criminal underworld, or to pro-regime sympathizers of Iran, Burma, Libya, Syria, and others. Others have followed the US lead and set up "cyber commands" of their own.
Meanwhile, the private sector that owns and operates the vast majority of cyberspace is caught in the cross-hairs, continuously blitzed by mounting assaults on its networks while simultaneously being pressured by governments looking to download their responsibilities to police cyberspace.
Research In Motion, the Canadian maker of BlackBerry products, has been dogged by such demands to the point of seeming frustration. When asked by the BBC whether RIM had made deals to hand over its encrypted data to security services, CEO Mike Lazaridis cut short the interview.
Some companies have seized on the commercial opportunity opened up by cyberspace contests; a massive cyber security market, now measured to be anywhere between $80- and $150-billion annually, provides filtering, data mining and fusion, and computer attack capabilities to security services worldwide. One of our research projects, the OpenNet Initiative, has documented how a Canadian company, Netwsweeper, provides services to the regimes of UAE, Bahrain, Qatar, and Yemen - countries known for pervasive censorship - so that they can "block inappropriate content ... based on social, religious or political ideals," according to a page on their website which has since been changed.
As one of the world's largest economies and home to some of the greatest thinkers of communications, from Harold Innis and Marshall McLuhan to William Gibson, Canada should be leading the way instead of muddling along. We certainly stand among those to lose the most should cyberspace continue its spiral into censorship, militarization, and crime. What should be done?
First, a comprehensive strategy to protect the cyber commons should begin by linking the international consequences of domestic policies. If liberal democratic countries pass legislation that permits access to data for state security services without judicial oversight, as the Harper government is reportedly set to do with lawful access provisions of the forthcoming Omnibus Crime bill, then there is no moral basis for condemning those actions when they occur in places like China, Iran, or Belarus.
It is certainly true that law enforcement is overwhelmed with the surge of cyber crime, but the case has not been made that to deal with it effectively requires access to private data and a major dilution of civil liberties that are basic to a liberal democratic society. In fact the opposite may be more the case.
The problem for law enforcement and intelligence today is not the lack of information; it is the deluge of it. We need to give law enforcement new resources, capabilities, proper training and equipment to sort through voluminous flows of existing data. But alongside those resources, Canada should be setting the highest standard of judicial oversight and public accountability. New resources, yes, but the same if not more rigorous checks and constraints on powers.
The same principle holds true for Canadian companies operating abroad.
Rather than catering to regimes that violate human rights, or colluding with security services with dubious track records, Canadian companies should be held to the same basic minimum standards that we expect in Canada when offering services abroad. Regulatory measures should be introduced that set standards for the private sector around mandatory disclosures of security breaches, strong privacy protections built by design, and restrictions on the sale of products and services that contribute to violations of human rights abroad.
Part of Canada's cyberspace strategy needs to focus outward. Our Foreign Affairs department should be at the forefront of the promotion of decentralized and distributed security mechanisms, while actively resisting proposals that seek to alter the constitution of cyberspace through top-down, heavy-handed government controls.
Diplomatically, we should work to build a broad community of like minded-states who share this common vision, and have an interest in a secure and open cyber commons across the many different venues of cyberspace governance. Such rules should include the promotion of norms of mutual restraint in cyberspace, protections for privacy and civil liberties, joint vigilance against cyber crime networks, and respect for the free flow of information. We should also work as a liaison between our allies and the governments of China, Russia and others to limit the dangerously escalating tensions that exist in cyberspace.
It is unlikely that such an ambitious agenda will emerge from Canada to influence this year's meeting of the G8. But hopefully the meeting will set in motion a process of urgent reflection on the scope of the challenges that lay ahead.
Ron Deibert is Director, the Canada Centre for Global Security Studies and the Citizen Lab, Munk School of Global Affairs, University of Toronto. He gave the keynote address at Wednesday's mesh conference on the Internet.