Politics

Findings and Absences in Canada’s (Draft) International Cybersecurity Strategy

/ Christopher Parsons
low angle photography of high rise building
Photo by Andre Furtado on Pexels.com

For several years there have been repeated calls by academics and other experts for the Government of Canada to develop and publish a foreign policy strategy. There have also been recent warnings about the implications of lacking such a strategy. Broadly, a foreign policy strategy is needed for Canada to promote and defend its interests effectively.

Not only has the Government of Canada failed to produce a foreign policy strategy but, also, it has failed to produce even a more limited strategy that expresses how Canada will develop or implement the cyber dimensions of its foreign policy. The government itself has been aware of the need to develop a cyber foreign policy since at least 2010.1

As I have previously written with colleagues, an articulation of such a cybersecurity strategy is necessary because it is “inherently a discussion of political philosophy; not all actors share the same understanding of what is, or should be, the object of security, nor is there necessarily a shared understanding of what constitutes a threat.” To clearly and explicitly assert its underlying political values Canada needs to produce a coherent and holistic cyber foreign policy strategy.

On May 18, 2021 the Chief of the Communications Security Establishment, Shelly Bruce, stated that Global Affairs Canada (GAC) was leading the development of “Canada’s International Cybersecurity Strategy and our Diplomacy Initiative.” I subsequently filed an ATIP for it and received the relevant documents on March 31, 2022.2 GAC’s response included successive drafts of “Canada’s International Cybersecurity Strategy and our Diplomacy Initiative” (hereafter the ‘Strategy’ or ‘CICSDI’) from January 2021 to May 2021.

Some of my key findings from the CICSDI include:

  1. The May 2021 draft links the scope of the Strategy to order and prosperity as opposed to advancing human rights or Canadian values.
  2. The May 2021 draft struck language that Canadians and Canadian organisations “should not be expected to independently defend themselves against state or state-backed actors. There are steps only government can take to reduce cyber threats from state actors”. The effect may be to reduce the explicit expectation or requirement of government organisations to assist in mitigating nation-state operations towards private individuals and organisations.
  3. The May 2021 draft struck language that GAC would create a cyber stakeholder engagement action plan as well as language that GAC would leverage its expertise to assist other government departments and agencies on engagement priorities and to coordinate international outreach.
  4. None of the drafts include explicit reference to pressing international issues, including: availability of strong encryption, proliferation of cyber mercenaries, availability and use of dual-use technologies, online harms and disinformation, authoritarian governments’ attempts to lead and influence standards bodies, establishing a unit in GAC dealing with cyber issues that would be equivalent to the US State Department’s Bureau of Cyberspace and Digital Policy, or cyber operations and international law.
  5. None of the drafts make a positive case for what would entail an appropriate or responsible use of malware for cyber operations.

In this post I summarise the highlights in the drafts of the Strategy and, then, proceed to point to larger language and/or policy shifts across successive drafts of the CICSDI. I conclude by discussing some policy issues that were not mentioned in the drafts I obtained. While the draft has never been promulgated and consequently does not formally represent Canada’s foreign cybersecurity strategy it does present how GAC and the government more broadly conceptualised elements of such a strategy as of early- to mid-2021.

Continue reading

Review: The Bridge in the Parks-The Five Eyes and Cold War Counter-Intelligence

/ Christopher Parsons

There are innumerable books, movies, podcasts, and TV shows that discuss and dramatize the roles of intelligence services during the Cold War. Comparatively few of those media, however, discuss Canada’s role during the same period. Molinaro’s edited volume, The Bridge in the Parks: The Five Eyes and Cold War Counter-Intelligence, goes a way to correcting this deficiency by including five chapters on Canada,1 as well as post-script, in a nine chapter book about Cold War counter-intelligence practices.

The Bridge in the Parks is written by historians who have used archival research and access to information laws to unearth information about a variety of Five Eye security services. The aim of the text as a whole is to “add nuance to what has often been a polarizing historical field in which scholars are forced to choose between focusing on abuses and the overreach of intelligence agencies in the Cold War or discussing successfully prosecuted individuals cases of counter-intelligence. This volume thus seeks to add complexity to this history, more in line with the “grey” world in which counter-intelligence has often existed” (8). On the whole, the book is successful in achieving this aim.

Continue reading

Canada’s New and Irresponsible Encryption Policy: How the Government of Canada’s New Policy Threatens Charter Rights, Cybersecurity, Economic Growth, and Foreign Policy

/ Christopher Parsons

Photo by Marco Verch (CC BY 2.0) https://flic.kr/p/RjMXMP

The Government of Canada has historically opposed the calls of its western allies to undermine the encryption protocols and associated applications that secure Canadians’ communications and devices from criminal and illicit activities. In particular, over the past two years the Minister of Public Safety, Ralph Goodale, has communicated to Canada’s Five Eyes allies that Canada will neither adopt or advance an irresponsible encryption policy that would compel private companies to deliberately inject weaknesses into cryptographic algorithms or the applications that facilitate encrypted communications. This year, however, the tide may have turned, with the Minister apparently deciding to adopt the very irresponsible encryption policy position he had previously steadfastly opposed. To be clear, should the Government of Canada, along with its allies, compel private companies to deliberately sabotage strong and robust encryption protocols and systems, then basic rights and freedoms, cybersecurity, economic development, and foreign policy goals will all be jeopardized.

This article begins by briefly outlining the history and recent developments in the Canadian government’s thinking about strong encryption. Next, the article showcases how government agencies have failed to produce reliable information which supports the Minister’s position that encryption is significantly contributing to public safety risks. After outlining the government’s deficient rationales for calling for the weakening of strong encryption, the article shifts to discuss the rights which are enabled and secured as private companies integrate strong encryption into their devices and services, as well as why deliberately weakening encryption will lead to a series of deeply problematic policy outcomes. The article concludes by summarizing why it is important that the Canadian government walk back from its newly adopted irresponsible encryption policy.

Continue reading

Accountability and the Canadian Government’s Reporting of Computer Vulnerabilities and Exploits

/ Christopher Parsons

Photo by Taskin Ashiq on Unsplash

I have a new draft paper that outlines why the Canadian government should develop, and publish, the guidelines it uses when determining whether to acquire, use, or disclose computer- and computer-system vulnerabilities. At its crux, the paper argues that an accountability system was developed in the 1970s based on the intrusiveness of government wiretaps and that state-used malware is just as, if not more so, intrusive. Government agencies should be held to at least as high a standard, today, as they were forty years ago (and, arguably, an even higher one today than in the past). It’s important to recognize that while the paper argues for a focus on defensive cybersecurity — disclosing vulnerabilities as a default in order to enhance the general security of all Canadians and residents of Canada, as well as to improve the security of all government of Canada institutions — it recognizes that some vulnerabilities may be retained to achieve a limited subset of investigative and intelligence operations. As such, the paper does not rule out the use of malware by state actors but, instead, seeks to restrict the use of such malware while also drawing its use into a publicly visible accountability regime.

I’m very receptive to comments on this paper and will seek to incorporate feedback before sending the paper to an appropriate journal around mid-December.

Abstract:

Computer security vulnerabilities can be exploited by unauthorized parties to affect targeted systems contrary to the preferences their owner or controller. Companies routinely issue patches to remediate the vulnerabilities after learning that the vulnerabilities exist. However, these flaws are sometimes obtained, used, and kept secret by government actors, who assert that revealing vulnerabilities would undermine intelligence, security, or law enforcement operations. This paper argues that a publicly visible accountability regime is needed to control the discovery, purchase, use, and reporting of computer exploits by Canadian government actors for two reasons. First, because when utilized by Canadian state actors the vulnerabilities could be leveraged to deeply intrude into the private lives of citizens, and legislative precedent indicates that such intrusions should be carefully regulated so that the legislature can hold the government to account. Second, because the vulnerabilities underlying any exploits could be discovered or used by a range of hostile operators to subsequently threaten Canadian citizens’ and residents’ of Canada personal security or the integrity of democratic institutions. On these bases, it is of high importance that the government of Canada formally develop, publish, and act according to an accountability regime that would regulate its agencies’ exploitation of computer vulnerabilities.

Download .pdf // SSRN Link

In Support of Chelsea Manning Entering Canada

/ Christopher Parsons

‘Chelsea Manning’ by Tim Travers Hawkins (CC BY-SA 4.0) at https://goo.gl/mhhbdm

Earlier this month I composed and sent a letter in support of Chelsea Manning being permitted to enter Canada. Manning previously released classified military and diplomatic documents to Wikileaks. Those documents shed light on American activities in Iraq as well as diplomatic efforts around the world, to the effect of revealing US avoidance of cluster munition bans, US pressure on the Italian government to drop charged against CIA operatives who conducted extraordinary rendition activities, and the actual causality rates suffered by Iraqi citizens. She was disallowed entry last year when Canadian officials asserted that the crimes associated with her whistleblowing in the United States were akin to a violation of Canadian treason laws. The letter that I wrote in support of her entry to Canada is reproduced, below.

October 13, 2017

 

Hon. Ahmed Hussen
Minister of Immigration, Refugees and Citizenship

Hon. Ralph Goodale
Minister of Public Safety and Emergency Preparedness

RE:     Welcoming Chelsea Manning to Canada

 

Dear Minister Hussen and Minister Goodale:

I am writing as a Research Associate at the Citizen Lab, Munk School of Global Affairs, at the University of Toronto to ask you to allow Chelsea Manning to enter Canada. Refusing her entry to the country is a real loss for Canada and an injustice to whistleblowers who expose information in the public interest.

Chelsea is an internationally recognized advocate for freedom of expression, transparency, and civil liberties. As a whistleblower, she revealed documents that—among other things—exposed the disproportionate impact of military activities abroad on civilians, including journalists and children. Her work has been used by academics across Canada to understand the impacts American adventurism, the relationships between American diplomats and government officials with autocratic governments, and the status of copyright negotiations between US officials and their foreign counterparts. Documents that she provided to the public also shed light on critical issues such as the United States’ avoidance of cluster munitions bans, the United States’ pressure on the Italian government to drop charges against CIA operatives who engaged in renditions, American military executions of civilians, and Iraqi civilian death tolls. She has received a host of awards from prominent media and human rights organizations for this work.

Not all Canadians will agree with what Chelsea did or what she stands for—but as a country that values freedom of expression, open dialogue, and human rights we should permit her to visit and speak in Canada. She stands as a guiding light for persons to stand up and both do what they believe to be honorable and right, as well as be held to account for those beliefs and corresponding actions.

Whether Chelsea wishes to enter Canada to continue her work to advocate for social change or simply to visit friends, there is no principled reason to turn her away. She has served her time in a US military prison after accepting responsibility for her actions. Her sentence was commuted by former US President Barack Obama in January 2017 and she has been living freely in the United States since May 2017. Continuing to deny her entry to Canada would serve no rational benefit to public safety and would undermine Canada’s commitment to international justice and human rights.

Letting Chelsea enter Canada would affirm Canada’s values of dialogue, freedom of expression, and human rights. More than that, letting Chelsea in is simply the right thing to do.

I look forward to hearing news of your decision.

Regards,

Dr. Christopher Parsons
Research Associate, Citizen Lab, Munk School of
Global Affairs, at the University of Toronto

Horizontal Accountability and Signals Intelligence: Lesson Drawing from Annual Electronic Surveillance Reports

/ Christopher Parsons

‘Radome at Hartland Point’ by shirokazan (CC BY 2.0) at https://flic.kr/p/dfn9ei

Adam Molnar and I have a new paper on accountability and signals intelligence, which we will be presenting at the Security Intelligence & Surveillance in the Big Data Age workshop. The workshop will be held at the University of Ottawa later this month as part of the Big Data Surveillance partnership project that is funded by the Social Sciences and Humanities Research Council of Canada.

The paper focuses exclusively on the mechanisms which are needed for civil society actors to evaluate the propriety of actions undertaken by signals intelligence agencies. In it, we argue that Canada’s foreign signals intelligence agency’s public accountability reporting might be enhanced by drawing on lessons from existing statutory electronic surveillance reporting. Focusing exclusively on Canada’s signals intelligence agency, the Communications Security Establishment (CSE), we first outline the relationships between accountability of government agencies to their respective Ministers and Members of Parliament, the role of transparency in enabling governmental accountability to the public, and the link between robust accountability regimes and democratic legitimacy of government action. Next, we feature a contemporary bulk data surveillance practice undertaken by Canada’s signals intelligence agency and the deficiencies in how CSE’s existing review body makes the Establishment’s practices publicly accountable to Parliamentarians and the public alike. We then discuss how proposed changes to CSE oversight and review mechanisms will not clearly rectify the existing public accountability deficits. We conclude by proposing a principle-based framework towards a robust public accountability process that is linked to those underlying domestic and foreign statutory electronic surveillance reports.

A copy of our paper, titled, “Horizontal Accountability and Signals Intelligence: Lesson Drawing from Annual Electronic Surveillance Reports,” is available at the Social Sciences Research Network as well as for download from this website.