Canada and Cyber Governance

hat kind of place is cyberspace? It is tempting, and perhaps even romantic, to think of it as a void without laws or governance. Certainly, that was the vision of the first cyberpunks, who promoted a kind of digital anarchy that was free of rules and where humans could prosper away from the eyes and ears of governments, censorship and control (Rid 2016, in particular chapter 5). A second view is that cyberspace is a haven for criminals who clandestinely sell their services and illegal wares on the “dark Web” (Bartlett 2015). A third vision of cyberspace is as a tool of surveillance used by technology and social media companies who monitor, store and sell our data — sometimes in partnership or competition with national security agencies (Lyon 2019). 

There may be a kernel of truth in all of these visions, but they overlook the important fact that the internet is not outside of territorial control — it is subject to rules, regulations and, fortunately, the development of norms, including privacy. And yet, as this collection of essays on cyber security and trust shows, creating governance for cyberspace is one of the greatest global challenges in the twenty-first century. 

Four notable key themes run throughout the essays in this collection, which form an important background for thinking about finding a path forward to promote responsible policies in this space:

• Threats at the speed of cyberspace: The theme that unites the essays is that technological change is evolving the cyber-threat landscape at a pace that both the public and the private sectors are having difficulty keeping up with in terms of security and managing privacy. Whether it is the innovations of cyber criminals,¹ the actions of state-backed malicious actors or the “fake news” sent out by armies of bots to further undermine trust,² the array of challenges is staggering and will require multi-faceted creative solutions.
• Regulation: It is notable that none of the authors in this series believe that regulation is an impediment to a better cyber future. While they differ in their approaches (some favouring more protections³ and some concerned about the effects of going too far⁴), there seems to be a consensus that a regulatory environment that creates the legal foundation for innovation to take place is vital to securing the future of Canada’s digital economy. In some cases, this might mean creating standards by which private companies can prove themselves to be trusted with sensitive data (such as health information) so it can be better used to provide more targeted, potentially life-saving services.⁵ However, creating legislation that balances the need for innovation with the need to protect citizens is difficult, and governments have often fallen behind.
• Public-private partnerships: Many of the authors argue that addressing rapidly evolving threats and developing and operationalizing solutions will require robust private-public partnerships. As Aaron Shull notes in his introduction, Canada’s 2018 National Cyber Security Strategy is as much about fostering innovation responsibly in the private sector as it is about protecting Canadians.⁶ No one sector will be able to achieve this alone, but how cooperation should take place is far from clear.
• Privacy: In the wake of scandals ranging from Edward Snowden’s revelations to Cambridge Analytica, the need to balance our digital future with respect for privacy has become a key political issue. While individual citizens may not think twice about uploading a photo on a social media platform, they want to be able to trust that the information they are providing will be treated appropriately. While some countries, such as China, are moving ahead with a comprehensive surveillance state with little concern for privacy, it is unlikely that the West will be able to secure its digital future without ensuring that the increasing information citizens put online will be respected.

Importantly, these four themes cannot be thought of as independent from one another — they intersect in ways that amplify risk and make finding policy solutions difficult. For example, as Christopher Yoo (2019) notes in his essay on the Internet of Things (IoT), IoT devices collect large amounts of personal information, may store it in a distributed way and were not designed for security. This leaves the devices — and personal data — vulnerable to cyber criminals and malicious state actors who can hijack IoT gadgets for their own purposes. However, few (if any) states have found ways to regulate IoT systems in a practical way. 

Since 2016, Canada has taken a number of steps toward addressing some of the challenges outlined in this essay series that involve new policies, powers, institutions and coordinated international action. First, as discussed above, a new cyber security strategy that links safety to innovation was released in 2018. Notably, it is the first cyber security policy since 2010 and represents an important and much-needed update. In addition, in 2017, the Government of Canada introduced its new defence policy, Strong, Secure, Engaged, which prominently features cyber-related issues, including challenges (such as hybrid warfare), recruitment needs and implications for research and development.⁷

Second, Bill C-59 is the most significant reform to Canada’s national security architecture since 1984. Cyber security is at the heart of many of the bill’s reforms, including the need for greater state capacity to defend Canada against threats with enhanced review and privacy protections.⁸ Significantly, Bill C-59 grants Canada’s signals intelligence agency, the Communications Security Establishment (CSE), the ability to defend designated critical infrastructure from attack (“defensive cyber”) as well as an offensive capability (“active cyber”). It also grants the Canadian Security Intelligence Service (CSIS) the legal grounds to take in public data (ingestion) and then to refine and use it (digestion) (Forcese 2018). Data sets comprised primarily of Canadian information will require annual approval of the minister of public safety and an intelligence commissioner — a quasi-judicial position also created under the legislation. There will also be further internal vetting by CSIS, and further retention of the data must be approved by the Federal Court, which is empowered to impose conditions on subsequent use (ibid.). 

Third, a number of new domestic institutions have been established to bolster cyber security. In 2016, the Canadian Cyber Threat Exchange (CCTX) became operational with a mandate to improve information sharing on cyber threats faced by the private sector. Importantly, the CCTX is a private sector initiative to improve cyber security across the board so that Canadians are confident in doing business online. In 2018, the federal government created an outward-facing arm of the CSE, the Canadian Centre for Cyber Security (CCCS), to improve communication on cyber issues with small and large businesses and the general public. Notably, the CCCS is the government’s point of contact with the CCTX. The 2018 federal budget also promised the creation of a national cybercrime coordination unit, although it is anticipated that it will not be fully operational until at least 2023 (Solomon 2019).

Finally, Canada has quietly developed a multilateral diplomatic approach that promotes cyber security and defends norms in cyberspace through coordinated action. Notably, many of these steps were outlined in the communiqué following the June 2018 Group of Seven (G7) summit in Charlevoix, Quebec. First, along with its allies, Canada has called out malicious cyber activity by North Korea,⁹ Russia¹⁰ and China¹¹ on several occasions. Notably, this coordinated diplomatic activity goes beyond the “Five Eyes” alliance (Australia, Canada, New Zealand, the United Kingdom and the United States), and includes Denmark, the Netherlands and Japan. Second, in January 2019, the government created the “Rapid Response Mechanism” that will share information and threat analysis with other G7 countries, as well as identify opportunities for coordinated responses when cyber attacks occur.¹²

These diplomatic actions are significant for at least three reasons. First, Canada has been very reluctant to call out states for malicious behaviour. Unlike the United States, which has frequently indicted foreigners and even foreign officials who are believed to have engaged in cyber espionage, Canada has very rarely identified malicious state actors or even spoken out against this kind of behaviour.¹³ In this sense, Canada’s statements demonstrate a willingness to “name and shame” in a way it has not done before. 

Second, as noted above, this coordinated diplomatic action shows a willingness to work with other liberal democratic countries beyond the Five Eyes. It suggests a broadening of potential partners to ensure global cyber security. Finally, these statements made by a growing number of allied states are helping to contribute to the creation of norms for cyberspace. Calling out malicious activity as counter to the expectations of international behaviour is important for the development of standards and perhaps for laying the foundations of an international order, if not international law and regulations. 

While these first steps are important and go some way to creating the legal and policy grounds to promote cyber security domestically and internationally, there is more that can — and needs to — be done. 

First, while Canada is developing a multilateral approach to cyber diplomacy with an emphasis on “naming and shaming” behaviour that it considers to be malicious or illegal, there are more steps it can take. As noted above, international law and regulations in cyberspace are still in an early stage, but it is important to remember that Canada will have to live with whatever legal norms develop. The Government of Canada will need to make its understanding of international norms and law in cyberspace known so that its views are represented as these standards develop. For example, in May 2018, the United Kingdom’s Attorney General Jeremy Wright gave a speech that outlined the United Kingdom’s views on applying international law to cyberspace.¹⁴ Canada, which has a strong incentive for a rules-based international order — even in the digital realm — should take note and do the same.

Second, clarifying its position on international cyber norms will be helpful for government and policy leaders in thinking about what kind of cyber future they wish to live in. It is very likely that in the future Canada will have to navigate a “splinternet” between three worlds: a state-dominated China, a regulated Europe and a relatively unregulated United States. While it is unlikely that China provides the kind of model that Canada will want to emulate, it will be much harder to navigate between the US and European approaches. In making its decision, Canada will have to balance its economic requirements with the need to protect privacy. This will likely involve an ongoing dialogue with stakeholders in the private and non-governmental sector.

Third, the potential for innovation can only be met if Canadians are willing to trust the digital services presented to them by the public and the private sectors. This requires policies and regulations that protect the privacy of Canadians and the security of the systems that hold their information. Unfortunately, this is an area where Canada is currently failing on two fronts: As noted above, there is little to nothing in the way of standards or regulations for the private sector. Worse, Canada’s federal legislation on information sharing is overly broad and will remain so, even with Bill C-59’s national security overhaul. The amount of information shared between government agencies without the knowledge or consent of Canadians and with virtually no review or oversight is significant. A 2017 investigation by the Office of the Privacy Commissioner found that there were “significant procedural deficiencies” in the way information was being handled and that the current information-sharing regime “will remain a threat to the privacy of individuals” (Office of the Privacy Commissioner of Canada 2017). 

As digital technologies make it easier to gather, share and store personal information, this problem is only going to get worse if no steps are taken. The Canadian government and private businesses need to find a way to ensure the protection and safety of information. They should create policies and regulations that allow for agile standards that can evolve with changing technologies. Creating robust review and oversight mechanisms of the entities that provide digital services to Canadians would enhance public confidence that their information is safe and correctly stored. 

Finally, government policies that foster not only innovation but also a diversity of companies working in this field are needed. Diversity is important for two reasons: First, a lack of competition means that there is less incentive for technology companies to invest in robust cyber security because they do not have to worry about their reputation. Additionally, a company that is able to dominate a particular area will likely become a target of cybercriminals and malicious state actors seeking to find and exploit vulnerabilities (National Cyber Security Centre 2019). In both cases, the lack of competition makes it easier for harmful cyber activity to occur. The government should find ways to ensure that innovation results in diversity as well as economic benefits for Canada.