Canadian students of national security have historically suffered in ways that their British and American colleagues have not. Whereas our Anglo-cousins enjoy a robust literature that, amongst other things, maps out what parts of their governments are involved in what elements of national security, Canadians have not had similar comprehensive maps. The result has been that scholars have been left to depend on personal connections, engagements with government insiders, leaked and redacted government documents, and a raft of supposition and logical inferences. Top Secret Canada: Understanding the Canadian Intelligence and National Security Community aspires to correct some of this asymmetry and is largely successful.
The book is divided into chapters about central agencies, core collection and advisory agencies, operations and enforcement and community engagement agencies, government departments with national security functions, and the evolving national security review landscape. Chapters generally adhere to a structure that describes an agency’s mandate, inter-agency cooperation, the resources possessed and needed by the organization, the challenges facing the agency, and its controversies. This framing gives both the book, and most chapters, a sense of continuity throughout.
The editors of the volume were successful in getting current, as well as former, government bureaucrats and policymakers, as well as academics, to contribute chapters. Part One, which discusses the central agencies, were amongst the most revealing. Fyffe’s discussion of the evolution of the National Security Intelligence Advisor’s role and the roles of the various intelligence secretariats, combined with Lilly’s explanation of the fast-paced and issue-driven focus of political staffers in the Prime Minister’s Office, pulls back the curtain of how Canada’s central agencies intersect with national security and intelligence issues. As useful as these chapters are, they also lay bare the difficulty in structuring the book: whereas Fyffe’s chapter faithfully outlines the Privy Council Office per the structure outlined in the volume’s introduction, Lilly’s adopts a structure that, significantly, outlines what government bureaucrats must do to be more effective in engaging with political staff as well as how political staffers’ skills and knowledge could be used by intelligence and security agencies. This bifurcation in the authors’ respective intents creates a tension in answering ‘who is this book for?’, which carries on in some subsequent chapters. Nonetheless, I found these chapters perhaps the most insightful for the national security-related challenges faced by those closest to the Prime Minister.
Last week I appeared before the Special Committee on Canada-Chinese Relations to testify about the security challenges posed by Chinese infrastructure vendors and communications intermediaries. . I provided oral comments to the committee which were, substantially, a truncated version of the brief I submitted. If so interested, my oral comments are available to download, and what follows in this post is the actual brief which was submitted.
- I am a senior research associate at the Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto. My research explores the intersection of law, policy, and technology, and focuses on issues of national security, data security, and data privacy. I submit these comments in a professional capacity representing my views and those of the Citizen Lab.
- Successive international efforts to globalize trade and supply chains have led to many products being designed, developed, manufactured, or shipped through China. This has, in part, meant that Chinese companies are regularly involved in the creation and distribution of products that are used in the daily lives of billions of people around the world, including products that are integrated into Canadians’ personal lives and the critical infrastructures on which they depend. The Chinese government’s increasing assertiveness on the international stage and its belligerent behaviours, in tandem with opaque national security laws, have led to questioning in many Western countries of the extent to which products which come from China can be trusted. In particular, two questions are regularly raised: might supply chains be used as diplomatic or trade leverage or, alternately, will products produced in, transited through, or operated from China be used to facilitate government intelligence, attack, or influence operations?
- For decades there have been constant concerns about managing technology products’ supply chains. In recent years, they have focused on telecommunications equipment, such as that produced by ZTE and Huawei, as well as the ways that social media platforms such as WeChat or TikTok could be surreptitiously used to advance the Chinese government’s interests. As a result of these concerns some of Canada’s allies have formally or informally blocked Chinese telecommunications vendors’ equipment from critical infrastructure. In the United States, military personnel are restricted in which mobile devices they can buy on base and they are advised to not use applications like TikTok, and the Trump administration aggressively sought to modify the terms under which Chinese social media platforms were available in the United States marketplace.
- Legislators and some security professionals have worried that ZTE or Huawei products might be deliberately modified to facilitate Chinese intelligence or attack operations, or be drawn into bilateral negotiations or conflicts that could arise with the Chinese government. Further, social media platforms might be used to facilitate surveillance of international users of the applications, or the platforms’ algorithms could be configured to censor content or to conduct imperceptible influence operations.
- Just as there are generalized concerns about supply chains there are also profound worries about the state of computer (in)security. Serious computer vulnerabilities are exposed and exploited on a daily basis. State operators take advantage of vulnerabilities in hardware and software alike to facilitate computer network discovery, exploitation, and attack operations, with operations often divided between formal national security organs, branches of national militaries, and informal state-adjacent (and often criminal) operators. Criminal organizations, similarly, discover and take advantage of vulnerabilities in digital systems to conduct identity theft, steal intellectual property for clients or to sell on black markets, use and monetize vulnerabilities in ransomware campaigns, and otherwise engage in socially deleterious activities.
- In aggregate, issues of supply chain management and computer insecurity raise baseline questions of trust: how can we trust that equipment or platforms have not been deliberately modified or exploited to the detriment of Canadian interests? And given the state of computer insecurity, how can we rely on technologies with distributed and international development and production teams? In the rest of this submission, I expand on specific trust-related concerns and identify ways to engender trust or, at the very least, make it easier to identify when we should in fact be less trusting of equipment or services which are available to Canadians and Canadian organizations.
With a series of incredible co-authors at the Citizen Lab, I’ve co-authored a report that extensively investigates the stalkerware ecosystem. Stalkerware refers to spyware which is either deliberately manufactured to, or repurposed to, facilitate intimate partner violence, abuse, or harassment. “A Predator in Your Pocket” is accompanied by a companion legal report, also released by the Citizen Lab. This companion report is entitled “Installing Fear: A Canadian Legal and Policy Analysis of Using, Developing, and Selling Smartphone Spyware and Stalkerware Applications,” and conducts a comprehensive criminal, civil, regulatory, and international law assessment of the legality of developing, selling, and using stalkerware.
Photo by Taskin Ashiq on Unsplash
I have a new draft paper that outlines why the Canadian government should develop, and publish, the guidelines it uses when determining whether to acquire, use, or disclose computer- and computer-system vulnerabilities. At its crux, the paper argues that an accountability system was developed in the 1970s based on the intrusiveness of government wiretaps and that state-used malware is just as, if not more so, intrusive. Government agencies should be held to at least as high a standard, today, as they were forty years ago (and, arguably, an even higher one today than in the past). It’s important to recognize that while the paper argues for a focus on defensive cybersecurity — disclosing vulnerabilities as a default in order to enhance the general security of all Canadians and residents of Canada, as well as to improve the security of all government of Canada institutions — it recognizes that some vulnerabilities may be retained to achieve a limited subset of investigative and intelligence operations. As such, the paper does not rule out the use of malware by state actors but, instead, seeks to restrict the use of such malware while also drawing its use into a publicly visible accountability regime.
I’m very receptive to comments on this paper and will seek to incorporate feedback before sending the paper to an appropriate journal around mid-December.
Computer security vulnerabilities can be exploited by unauthorized parties to affect targeted systems contrary to the preferences their owner or controller. Companies routinely issue patches to remediate the vulnerabilities after learning that the vulnerabilities exist. However, these flaws are sometimes obtained, used, and kept secret by government actors, who assert that revealing vulnerabilities would undermine intelligence, security, or law enforcement operations. This paper argues that a publicly visible accountability regime is needed to control the discovery, purchase, use, and reporting of computer exploits by Canadian government actors for two reasons. First, because when utilized by Canadian state actors the vulnerabilities could be leveraged to deeply intrude into the private lives of citizens, and legislative precedent indicates that such intrusions should be carefully regulated so that the legislature can hold the government to account. Second, because the vulnerabilities underlying any exploits could be discovered or used by a range of hostile operators to subsequently threaten Canadian citizens’ and residents’ of Canada personal security or the integrity of democratic institutions. On these bases, it is of high importance that the government of Canada formally develop, publish, and act according to an accountability regime that would regulate its agencies’ exploitation of computer vulnerabilities.
Download .pdf // SSRN Link