Touring the digital through type

Category: Thoughts (Page 1 of 86)

This category identifies postings that are philosophical in nature.

The Policy and Political Implications of ‘Securing Canada’s Telecommunications Systems’

silhouette photo of transmission tower on hill
Photo by Troy Squillaci on Pexels.com

Many of Canada’s closest allies have either firmly or softly blocked Huawei and ZTE from selling telecommunications equipment to Internet service providers in their countries over the past several years. After repeated statements from Canadian government officials that a review of Huawei equipment was ongoing, on May 19, 2022 the government announced its own bans on Huawei and ZTE equipment. The government published an accompanying policy statement from Innovation, Science, and Economic Development (ISED) Canada on the same day.

This post begins by summarizing the possible risks that Chinese vendors might pose to Canadian networks. Next, it moves to discuss the current positions of Canada’s closest allies as well as Canada’s actions and statements pertaining to Chinese telecommunications vendors leading up to the May 2022 announcement. It then proceeds to unpack the government’s “Securing Canada’s Telecommunications System” policy statement. Some highlight findings include:

  • The government is unclear when it refers to “supply chain breaches”;
  • The government may be banning Huawei and ZTE principally on the basis of American export restrictions placed on Chinese vendors and, thus, be following the same model as the United Kingdom which was forced to ban Huawei following American actions; and
  • Establishing the security and protection of telecommunications systems as an “overriding objective” of Canadian telecommunications policy could have long-term implications for Canadians’ privacy interests.

The post concludes by discussing the policy and political implications of the policy statement, why any telecommunications security reforms must not be accompanied by broader national security and law enforcement reforms, and why the Canadian government should work with allied and friendly countries to collectively assess telecommunications equipment.

Continue reading

Findings and Absences in Canada’s (Draft) International Cybersecurity Strategy

low angle photography of high rise building
Photo by Andre Furtado on Pexels.com

For several years there have been repeated calls by academics and other experts for the Government of Canada to develop and publish a foreign policy strategy. There have also been recent warnings about the implications of lacking such a strategy. Broadly, a foreign policy strategy is needed for Canada to promote and defend its interests effectively.

Not only has the Government of Canada failed to produce a foreign policy strategy but, also, it has failed to produce even a more limited strategy that expresses how Canada will develop or implement the cyber dimensions of its foreign policy. The government itself has been aware of the need to develop a cyber foreign policy since at least 2010.1

As I have previously written with colleagues, an articulation of such a cybersecurity strategy is necessary because it is “inherently a discussion of political philosophy; not all actors share the same understanding of what is, or should be, the object of security, nor is there necessarily a shared understanding of what constitutes a threat.” To clearly and explicitly assert its underlying political values Canada needs to produce a coherent and holistic cyber foreign policy strategy.

On May 18, 2021 the Chief of the Communications Security Establishment, Shelly Bruce, stated that Global Affairs Canada (GAC) was leading the development of “Canada’s International Cybersecurity Strategy and our Diplomacy Initiative.” I subsequently filed an ATIP for it and received the relevant documents on March 31, 2022.2 GAC’s response included successive drafts of “Canada’s International Cybersecurity Strategy and our Diplomacy Initiative” (hereafter the ‘Strategy’ or ‘CICSDI’) from January 2021 to May 2021.

Some of my key findings from the CICSDI include:

  1. The May 2021 draft links the scope of the Strategy to order and prosperity as opposed to advancing human rights or Canadian values.
  2. The May 2021 draft struck language that Canadians and Canadian organisations “should not be expected to independently defend themselves against state or state-backed actors. There are steps only government can take to reduce cyber threats from state actors”. The effect may be to reduce the explicit expectation or requirement of government organisations to assist in mitigating nation-state operations towards private individuals and organisations.
  3. The May 2021 draft struck language that GAC would create a cyber stakeholder engagement action plan as well as language that GAC would leverage its expertise to assist other government departments and agencies on engagement priorities and to coordinate international outreach.
  4. None of the drafts include explicit reference to pressing international issues, including: availability of strong encryption, proliferation of cyber mercenaries, availability and use of dual-use technologies, online harms and disinformation, authoritarian governments’ attempts to lead and influence standards bodies, establishing a unit in GAC dealing with cyber issues that would be equivalent to the US State Department’s Bureau of Cyberspace and Digital Policy, or cyber operations and international law.
  5. None of the drafts make a positive case for what would entail an appropriate or responsible use of malware for cyber operations.

In this post I summarise the highlights in the drafts of the Strategy and, then, proceed to point to larger language and/or policy shifts across successive drafts of the CICSDI. I conclude by discussing some policy issues that were not mentioned in the drafts I obtained. While the draft has never been promulgated and consequently does not formally represent Canada’s foreign cybersecurity strategy it does present how GAC and the government more broadly conceptualised elements of such a strategy as of early- to mid-2021.

Continue reading

Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

grayscale photo of man and woman hacking a computer system
Photo by Tima Miroshnichenko on Pexels.com

On February 14, 2022, the National Security and Intelligence Committee of Parliamentarians (NSICOP) released a report that explored how the Government of Canada sought to defend its systems and networks from cyber attack from 2001 onwards.1 The report provides a comprehensive account of how elements of the Government of Canada–namely the Treasury Board Secretariat (TBS), Shared Services Canada (SSC) and Communications Security Establishment (CSE)–have developed policies, procedures, and techniques to protect government systems, as well as the iterative learning processes that have occurred over the past two decades or so pertaining to governmental cyber defence activities.

I want to highlight four core things that emerge from my reading of the report:

  1. From an empirical point of view, it’s useful to know that the Government of Canada is preparing both a policy on paying ransomware operators as well as developing a Vulnerabilities Disclosure Policy (VDP) though the report does not indicate when either will be open to public comment or transformed into formal government policy;
  2. A high-level discussion of senior coordination committees is provided, though without an accompanying analysis of how effective these committees are in practice. In particular, the report does not discuss how, as an example, cross-departmental committees are working to overcome problems that are raised in the sections of the report focused on TBS, SSC, or the CSE;
  3. NSICOP maintains that all parties associated with the government–from Crown corporations, to government agencies, to other independent branches of government–should operate under the government’s security umbrella. NSICOP does not, however, make a constitutional argument for why this should be done nor assess the operational reasons for why agencies may not currently operate under this umbrella. Instead, the report narrowly argues there are minimal privacy impacts associated with enjoying the government’s cyber security protections. In doing so, the committee presumes that privacy concerns have driven separate branches of governments to operate outside policies set by TBS, and services offered by SSC and the CSE. At no point did the Committee engage with the Office of the Privacy Commissioner of Canada (OPC) to assess potential privacy issues associated with the government’s cyber security policies and practices; and
  4. NSICOP did not canvas a wide set of government agencies in their interviews and included no external-to-government parties. The consequence is that the report does not provide needed context for why some government agencies refuse to adopt TBS policy guidance or regulations, decline services operated by SSC, or have limited uptake or adoption of advice or technical systems offered by the CSE. The consequence is that this report does nothing to substantively assess challenges in how TBS, SSC, or the CSE themselves are deploying their defensive capacities across government based on the experiences of those on the receiving end of the proffered cyber security and defence offerings.

In this post, I conduct a deep dive into NSICOP’s report, entitled “National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack.” Throughout, I summarize a given section of the report before offering some analysis of it. In the conclusion of this post I summarize some of the broader concerns associated with the report, itself, as well as the broader implications these concerns may have for NSICOP’s long-term viability as an independent reviewer of the national security community.

Continue reading

Public and Privacy Policy Implications of PHAC’s Use of Mobility Information

Last week I appeared before the House of Commons’ Standing Committee on Access to Information, Privacy, and Ethics to testify about the public and private policy implications of PHAC’s use of mobility information since March 2020. I provided oral comments to the committee which were, substantially, a truncated version of the brief I submitted. If interested, my oral comments are available to download. What follows in this post is the content of the brief which was submitted.

Introduction

  1. I am a senior research associate at the Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto. My research explores the intersection of law, policy, and technology, and focuses on issues of national security, data security, and data privacy. While I submit these comments in a professional capacity they do not necessarily represent the full views of the Citizen Lab.
Continue reading
« Older posts