[liberationtech] Cyber Security: Canada Is Failing The World

Masashi Nishihata masashi at kmdi.utoronto.ca
Thu May 26 12:04:53 PDT 2011


Cyber Security: Canada Is Failing The World

By Ron Deibert Director, the Canada Centre for Global Security Studies  
and the Citizen Lab, Munk School of Global Affairs, University of  
Toronto.

Huffington Post Canada. May 26, 2011
http://www.huffingtonpost.ca/2011/05/26/cyber-security-canada-stephen-harper-g8_n_867136.html

Cyberspace has become an all-immersive domain, and the global  
communications environment in which all of society, economics, and  
politics are now embedded. Its constituent parts are widely conceived  
of as critical national infrastructure.

But the domain of cyberspace is entering a potentially chaotic and  
very dangerous phase of its evolution, which is why it has become a  
key issue for consideration at today's G8 summit in Deauville, France.

The Canadian government is late to the cyber security arena, and only  
recently released a cyber security strategy last fall that pales in  
comparison to the scope of the challenges, or to equivalent strategies  
released by our allies, like the United States.

It devotes far too few resources to the problem, does not fully  
address the division of appropriate institutional responsibilities,  
and only barely nods at the importance of a foreign policy for  
cyberspace. A recent investigation revealed our public sector  
infrastructure was so thoroughly infiltrated with malicious activity  
emanating from foreign jurisdictions that the entire Treasury Board  
was taken offline for weeks. Embarrassingly, a recent security study  
ranked Canada among the highest of countries for the hosting of  
malicious content.

Not surprisingly, our government's capacity to engage forcefully and  
strategically on these issues has been muted. We are absent in the  
international arenas where cyberspace governance is debated and  
territorialized controls are being normalized by China, Russia and  
other democratically challenged states.

Although the G8 summit will cover a range of issues, President Nicolas  
Sarkozy has signaled that cyber security issues will rank high on the  
agenda. What will be Canada's contribution to the discussions? What  
will Prime Minister Stephen Harper bring to the table?

Cyberspace has always been characterized by change, but there has been  
a major architectonic shift in the nature of the medium with the rise  
of social networking, the shift to cloud computing, and the rapid  
emergence of mobile forms of constant connectivity.

While convenient and fun, these new modes of communicating have  
emerged so fast that they have created unforeseen security and privacy  
liabilities and unintended consequences for individuals and  
organizations alike.

Mobile communications operate along an entirely different ecosystem  
than desktop PC infrastructures. Among other respects, they lend  
themselves to much more precise geolocation tracking, the information  
for which may be shared with third parties in ways that are not  
necessarily transparent to users.

Meanwhile, social networking and cloud computing services have  
produced an exponential increase in the sharing and networking of once  
discrete data sources. We click on documents, links, and attachments  
with carefree abandon as we move from the office to the internet cafe  
to the airport lounge. Personal photographs, sensitive documents,  
business spreadsheets, classified reports are entrusted to server  
farms of privately owned infrastructures that can span multiple  
political jurisdictions.

Any epidemiologist studying such a dynamically growing ecosystem would  
not be surprised to find a huge expansion in the cyber equivalent of  
disease: although cybercrime has formed a hidden shadow along every  
step of the Internet's history, its growth has suddenly become so  
explosive in recent years by virtually any estimate that it is beyond  
control, and perhaps even beyond estimation.

According to security companies there are around 60,000 new malicious  
software (malware) samples discovered every day, with the number  
rising steadily. Massive botnets - global networks of infected  
computers - now routinely count in the tens of thousands worldwide.

A huge black market for cybercrime tools and products thrives as a  
kind of hidden underbelly of globalization, driving everything from  
petty identity theft to high-stakes political and commercial  
espionage. If precise estimates could be obtained, it would surely  
rank as one of the world's largest economic growth sectors, as  
millions of new digital natives from the developing world find a  
rewarding and elegant means to personal enrichment.

Not surprisingly, governments have begun to react, but in doing so may  
be contributing more to the problem than creating solutions.

Generally speaking, there has been a sea-change the world over in the  
way governments approach cyberspace. Whereas 10 years ago, states were  
either oblivious to the Internet or took a laissez-faire approach,  
today they are moving swiftly to assert their power and shape the  
domain in ways that suit their strategic domestic and foreign policy  
interests. Whether for purposes of copyright control, anti-terrorism,
or to shore up regimes from meddlesome human rights and opposition  
networks, governments are building up an advanced suite of cyberspace  
controls, ranging from filtering and surveillance to the black arts of  
computer network exploitation.

Alarmed by consistent high-level penetrations of its own critical  
infrastructures, the United States has led the way with numerous cyber  
strategy documents, legislation, and institutional reform. The most  
significant of these was the establishment of the U.S. Cyber Command  
in 2010, which helped trigger a major industrial shift in the defense  
industry and a fundamental force restructuring among allies that is  
still unfolding.

It has also triggered a global cyber arms race. Unable to compete on  
the same level, adversaries of the United States seek comparative  
advantage by exploiting criminals and patriotic hackers to do their  
bidding instead. Major incidents of computer network attacks and  
espionage have been traced back to the Chinese and Russian criminal  
underworld, or to pro-regime sympathizers of Iran, Burma, Libya,  
Syria, and others. Others have followed the US lead and set up "cyber  
commands" of their own.

Meanwhile, the private sector that owns and operates the vast majority  
of cyberspace is caught in the cross-hairs, continuously blitzed by  
mounting assaults on its networks while simultaneously being pressured  
by governments looking to download their responsibilities to police  
cyberspace.

Research In Motion, the Canadian maker of BlackBerry products, has  
been dogged by such demands to the point of seeming frustration. When  
asked by the BBC whether RIM had made deals to hand over its encrypted  
data to security services, CEO Mike Lazaridis cut short the interview.

Some companies have seized on the commercial opportunity opened up by  
cyberspace contests; a massive cyber security market, now measured to  
be anywhere between $80- and $150-billion annually, provides  
filtering, data mining and fusion, and computer attack capabilities to  
security services worldwide. One of our research projects, the OpenNet  
Initiative, has documented how a Canadian company, Netsweeper,
provides services to the regimes of UAE, Bahrain, Qatar, and Yemen -  
countries known for pervasive censorship - so that they can "block  
inappropriate content ... based on social, religious or political  
ideals," according to a page on their website which has since been  
changed.

As one of the world's largest economies and home to some of the  
greatest thinkers of communications, from Harold Innis and Marshall  
McLuhan to William Gibson, Canada should be leading the way instead of  
muddling along. We certainly stand among those to lose the most should  
cyberspace continue its spiral into censorship, militarization, and  
crime. What should be done?

First, a comprehensive strategy to protect the cyber commons should  
begin by linking the international consequences of domestic policies.  
If liberal democratic countries pass legislation that permits access  
to data for state security services without judicial oversight, as the  
Harper government is reportedly set to do with lawful access  
provisions of the forthcoming Omnibus Crime bill, then there is no  
moral basis for condemning those actions when they occur in places  
like China, Iran, or Belarus.

It is certainly true that law enforcement is overwhelmed with the  
surge of cyber crime, but the case has not been made that to deal with  
it effectively requires access to private data and a major dilution of  
civil liberties that are basic to a liberal democratic society. In  
fact the opposite may be more the case.

The problem for law enforcement and intelligence today is not the lack  
of information; it is the deluge of it. We need to give law  
enforcement new resources, capabilities, proper training and equipment  
to sort through voluminous flows of existing data. But alongside those  
resources, Canada should be setting the highest standard of judicial  
oversight and public accountability. New resources, yes, but the same  
if not more rigorous checks and constraints on powers.

The same principle holds true for Canadian companies operating abroad.

Rather than catering to regimes that violate human rights, or  
colluding with security services with dubious track records, Canadian  
companies should be held to the same basic minimum standards that we  
expect in Canada when offering services abroad. Regulatory measures  
should be introduced that set standards for the private sector around  
mandatory disclosures of security breaches, strong privacy protections  
built by design, and restrictions on the sale of products and services  
that contribute to violations of human rights abroad.

Part of Canada's cyberspace strategy needs to focus outward. Our  
Foreign Affairs department should be at the forefront of the promotion  
of decentralized and distributed security mechanisms, while actively  
resisting proposals that seek to alter the constitution of cyberspace  
through top-down, heavy-handed government controls.

Diplomatically, we should work to build a broad community of
like-minded states who share this common vision, and have an interest in a
secure and open cyber commons across the many different venues of  
cyberspace governance. Such rules should include the promotion of  
norms of mutual restraint in cyberspace, protections for privacy and  
civil liberties, joint vigilance against cyber crime networks, and  
respect for the free flow of information. We should also work as a  
liaison between our allies and the governments of China, Russia and  
others to limit the dangerously escalating tensions that exist in  
cyberspace.

It is unlikely that such an ambitious agenda will emerge from Canada  
to influence this year's meeting of the G8. But hopefully the meeting  
will set in motion a process of urgent reflection on the scope of the  
challenges that lie ahead.

This article was originally featured at the Huffington Post Canada ---  
you can view it here: http://www.huffingtonpost.ca/2011/05/26/cyber-security-canada-stephen-harper-g8_n_867136.html

Ron Deibert is Director, the Canada Centre for Global Security Studies  
and the Citizen Lab, Munk School of Global Affairs, University of  
Toronto. 


