Our ever-increasing reliance on cyber technologies has generated a parallel vulnerability to cyber attacks on an individual, industry-wide and governmental level. The importance of attaining greater cyber security is beginning to get the rhetorical attention it deserves. But the ability and willingness of Canada and other Western governments to take concrete action is another matter.
In 2010, Canada released a Cyber Security Strategy. This strategy outlines worthy goals such as "making cyberspace more secure for all Canadians;" establishes pillars like "securing government systems," "partnering to secure vital cyber systems outside the federal government," "helping Canadians to be secure online;" and promises to "protect the integrity of Government systems and our nation's critical assets. It will combat cybercrime and protect Canadians as they use cyberspace in their daily lives." However, some insiders suggest that beyond the platitudes espoused in this publicly accessible document, there are few real plans for improving cyber security.
The situation may not be much better in the U.S., where the risks are even more pronounced. In a January 2012 worldwide threat assessment, Director of National Intelligence James Clapper asserted, "Cyber threats pose a critical national and economic security concern." In March, FBI Director Robert Mueller told security professionals that, "Terrorism does remain the FBI's top priority, but in the not-too-distant future we anticipate that the cyberthreat will pose the greatest threat to our country."
Yet even American officials recognize that the government could be doing more. Jason Healey, White House director of cyber infrastructure protection from 2003-2005, has remarked that if a serious cyber attack were to strike in the U.S., a call to the Department of Homeland Security for help would not be terribly useful. Rather, according to Healey, "If we do ever have a cyberwar, it will be won or lost in the private sector."
This context helps explain the title of security expert Tom Quiggin's paper, "'Don't Call Us': Governments, Cyber Security, and Implications for the Private Sector." In this report, published last month by Queen's University, Quiggin outlines several problems that Western countries need to address.
For starters, international norms do not exist for cyber behaviour, and governments are therefore unclear as to how concepts of deterrence, escalation and retaliation apply in the case of a foreign state-sponsored cyber attack. While land, air and sea have long been the three conventional domains of war, Quiggin points out that the rules surrounding conflict were never clearly extended into the fourth domain of outer space, and certainly not into the fifth domain of cyber space.
Quiggin also questions the claims by governments in the West that cyber security is a priority; their words are belied by the "amount of effort, money and coordination going into actual solutions." Rafal Rohozinski, a cyber security expert with The SecDev Group, singles out Canada in this regard. He notes that in contrast to the UK, which committed £650 million to cyber defence, Canada committed only $95 million. Canada's actions, Rohozinski maintains, need to reflect the recognition that "control and ability to act in the cyber domain is as important in the information age as was the ability to generate force [...] in the industrial era."
The concern is that some countries may have reached this very conclusion sooner. While terrorist groups and criminals perpetrate cyber attacks, many contend that cyber warfare and espionage by foreign military and intelligence services pose the greatest threat. China and Russia are seen as the worst offenders, but Iran (which has also been on the receiving end of cyber attacks) is close behind.
Director of National Intelligence James Clapper stated in recent congressional testimony that Iran's "cyber capabilities...have dramatically increased in recent years in depth and complexity." Google Executive Chairman Eric Schmidt has contended that the "Iranians are unusually talented in cyber warfare for reasons we don't fully understand." According to U.S. Representative Dan Lungren (R-CA), Iran's cyber capability has been rated among the top five globally, and the country has recently invested $1 billion in new cyber warfare technology. An October 2011 assessment by the Center for Strategic and International Studies found that Iran's Islamic Revolutionary Guard Corps (IRGC), which is responsible for the regime's nuclear program, international terrorist activities and domestic human rights violations, also has a cyber-warfare unit with a staff of about 2,400 and a budget of $76 million.
To strengthen Canada's cyber security, the government could start by reading reports like Quiggin's, and considering recommendations from Ronald Deibert and Rafal Rohozinski: Canada should "convene a meeting of major powers to formulate a Treaty of Cyberspace recognizing that this domain is now of equal importance to that of land, air, space and sea" and "take a leading role in defining international mechanisms for dealing with cyber incidents at a global level".
Quiggin believes that the private sector should create its own defensive capabilities. It should. But his conclusion is premised on the assumption that the government's contribution to enhanced cyber defence will be small. Ottawa should prove him wrong.