
For several years there have been repeated calls by academics and other experts for the Government of Canada to develop and publish a foreign policy strategy. There have also been recent warnings about the implications of lacking such a strategy. Broadly, a foreign policy strategy is needed for Canada to promote and defend its interests effectively.

Not only has the Government of Canada failed to produce a foreign policy strategy, it has also failed to produce even a more limited strategy that expresses how Canada will develop or implement the cyber dimensions of its foreign policy. The government itself has been aware of the need to develop a cyber foreign policy since at least 2010.1

As I have previously written with colleagues, an articulation of such a cybersecurity strategy is necessary because it is “inherently a discussion of political philosophy; not all actors share the same understanding of what is, or should be, the object of security, nor is there necessarily a shared understanding of what constitutes a threat.” To clearly and explicitly assert its underlying political values Canada needs to produce a coherent and holistic cyber foreign policy strategy.

On May 18, 2021 the Chief of the Communications Security Establishment, Shelly Bruce, stated that Global Affairs Canada (GAC) was leading the development of “Canada’s International Cybersecurity Strategy and our Diplomacy Initiative.” I subsequently filed an ATIP for it and received the relevant documents on March 31, 2022.2 GAC’s response included successive drafts of “Canada’s International Cybersecurity Strategy and our Diplomacy Initiative” (hereafter the ‘Strategy’ or ‘CICSDI’) from January 2021 to May 2021.

Some of my key findings from the CICSDI include:

  1. The May 2021 draft links the scope of the Strategy to order and prosperity as opposed to advancing human rights or Canadian values.
  2. The May 2021 draft struck language that Canadians and Canadian organisations “should not be expected to independently defend themselves against state or state-backed actors. There are steps only government can take to reduce cyber threats from state actors”. The effect may be to reduce the explicit expectation or requirement of government organisations to assist in mitigating nation-state operations towards private individuals and organisations.
  3. The May 2021 draft struck language that GAC would create a cyber stakeholder engagement action plan as well as language that GAC would leverage its expertise to assist other government departments and agencies on engagement priorities and to coordinate international outreach.
  4. None of the drafts include explicit reference to pressing international issues, including: availability of strong encryption, proliferation of cyber mercenaries, availability and use of dual-use technologies, online harms and disinformation, authoritarian governments’ attempts to lead and influence standards bodies, establishing a unit in GAC dealing with cyber issues that would be equivalent to the US State Department’s Bureau of Cyberspace and Digital Policy, or cyber operations and international law.
  5. None of the drafts make a positive case for what would entail an appropriate or responsible use of malware for cyber operations.

In this post I summarise the highlights in the drafts of the Strategy and, then, proceed to point to larger language and/or policy shifts across successive drafts of the CICSDI. I conclude by discussing some policy issues that were not mentioned in the drafts I obtained. While the draft has never been promulgated and consequently does not formally represent Canada’s foreign cybersecurity strategy it does present how GAC and the government more broadly conceptualised elements of such a strategy as of early- to mid-2021.

Highlights from Canada’s International Cybersecurity Strategy

The drafted Strategy makes clear what Canada planned to do on the world stage. Many of the proposed activities were continuations of the past work that Canada had done in various international fora. While that past work is often documented in public outputs (e.g., speeches or policy documents) the Strategy collects these activities and explains how they cohere with one another.

For individuals who closely follow Canada’s cyber foreign policy activities much of the Strategy might be seen as just rehashing past work. Non-specialists and specialists alike, however, can use the documents to understand the prism through which Canada intended to pursue its cybersecurity-related foreign policy.

The Strategy is built around four key pillars:

  1. How Canada acts and how it will act using the full range of its national capabilities;
  2. How Canada will cooperate with allies and partners to protect Canadian interests;
  3. How Canada will advocate and engage in multilateral forums; and
  4. How Canada will look to increase assistance for cybersecurity issues by supporting capacity building internationally.

At its core the CICSDI is focused on advancing the rules-based international order so as to ensure a prosperous Canada. Achieving these goals would entail working with allies and partners to advance cyber security and cyber resilience. The CICSDI was intended to build “on existing initiatives and activities by the Government of Canada to address malicious cyber activity, in particular those of the National Cyber Security Strategy and its associated Action Plan, and provides foreign policy direction for the federal cyber community” (2). For the purposes of the Strategy, cyber security is defined as the “protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability” (2).3 The CICSDI is meant to complement, instead of replace, existing government activities such as work by the CSE to protect Canadian elections, the G7 Rapid Response Mechanism, and the RCMP’s National Cybercrime Coordination Unit, along with other multilateral efforts (e.g., the Budapest Convention).

The CICSDI is positioned in relation to the existing threats and challenges facing Canada and its allies and partners. The threats posed to the Rules Based International Order (RBIO) are recognized as particularly acute. In the cyber context the RBIO is jeopardised by a number of activities, including “hacking into protected systems to steal commercial information and intellectual property, cyber intrusions into critical infrastructure, indiscriminate and irresponsible use of malware, and compromising Managed Service Providers (MSPs)” (4).4 Addressing such threats entails Canada continuing to stand with its allies and partners, keeping a “determined eye” on potential adversaries, and continuing dialogue with all states while also ensuring that Canada’s policies are rooted in support for democratic and multilateral institutions.

Outside of three examples denoted in Table 1, below, the CICSDI does not clearly differentiate between “indiscriminate and irresponsible” uses of malware versus discriminate and responsible uses of malware.

| Country | Example | Classification of Activity |
|---|---|---|
| Russia | Use of Not-Petya malware | Indiscriminate and irresponsible use of malware that cost billions of dollars in economic damage around the world |
| North Korea | Use of WannaCry ransomware | Criminal ransomware activity |
| China | Compromise of Managed Service Providers (MSPs) | Economic espionage and theft of intellectual property and private sector data |

(Table 1: Examples and Types of Malicious Activity)

Would states using cyber mercenaries’ malware be considered irresponsible, or would the context of the malware’s use be the deciding factor of whether there was responsible or irresponsible use? What about states which identify, and exploit, vulnerabilities in software used by millions or billions of individuals; again, would it depend on whether only a subset were targeted (and thus ‘discrimination’ applied to an operation) as opposed to collecting against all affected users? What if states used malware to target Internet exchanges to, subsequently, undertake mass surveillance or ‘bulk collection’? In such cases, would discretion be defined as only searching against a small subset of the collected data?

Each of the aforementioned questions has considerable weight given that Canada’s allies and partners, as well as Canada itself, often undertake or participate in each of the aforementioned types of activities.

Pillar 1: Act-How Canada Will Use the Full Range of Its National Capabilities

This is the most heavily redacted section of the drafts, likely owing to secrecy around Canada’s cyber capabilities and coordination with foreign parties. Under this pillar Canada would develop and use its national deterrence and response policies and capacities, while ensuring that such responses accorded with Canada’s domestic and international legal obligations. The text does not make clear how, exactly, Canada’s foreign cyber operations which are launched by the Communications Security Establishment (CSE) accord with international law.5 Any responses that Canada did take could involve working with allies to learn from their experiences and calling out malicious cyber activities, as well as modelling appropriate state behaviour.

As part of Pillar 1, Canada would “communicate clearly and transparently its positions on activities in cyberspace, including when Canada believes a state is violating international law or failing to respect the norms for responsible state behaviour in cyberspace” (166).6 Further, the CICSDI was meant to be updated with some regularity, which included updates on Canada’s international priorities and positions. The government anticipated that the Strategy would function as a “transparency and predictability measure” for allies, partners, as well as presumably for competitor and adversarial states which interacted with Canada and engaged Canadian interests.

Notwithstanding two redacted items, the summary of actions under Pillar 1 in the May 2021 draft included:

  • Canada will employ the full range of our collective resources to protect Canada and mitigate cyber threats.
  • Canada will continue to develop new, and enhance existing, tools to better deter malicious actors.
  • Canada will continue to call out malicious behaviour and will continue to raise awareness of the threats facing Canada and its allies.
  • Canada will continue to detail its foreign policy through statements, speeches, and publications.
  • Canada will continue to respect its domestic and international legal obligations and uphold responsible state behaviour in cyberspace.

Pillar 2: Cooperate-Work with Allies and Partners to Deter and Respond to Threats to Canadian Interests

Canada planned to coordinate collaborative deterrence and response mechanisms while also strengthening relationships, including with “diverse stakeholders” (168).7 The former activity entailed calling out malicious cyber activity, considering requests for attribution support from partners and allies, and responding to assist partners in manners deemed appropriate by Canada.

Assistance to other states could include “joint statements of attribution, coordinated diplomatic activity, and joint cyber operations” (168). Recognizing that joint cyber operations could be undertaken is, on the one hand, unsurprising given how closely the CSE operates with other members of the Five Eyes (FVEY); on the other hand, it makes explicit that the new powers under the CSE Act could be coordinated with the powers of other FVEY and non-FVEY agencies. The Canadian Armed Forces and other government agencies could, similarly, also coordinate with other partners and allies.

While outside the scope of this post, it’s worth reflecting on how the CSE’s capacities and authorities might intersect with the powers and authorities granted to other agencies which are empowered to undertake actions that the CSE itself cannot. As an example, its Australian compatriots have lawful powers to compel private organisations to modify the technical functioning of services or applications, as well as obtain access to security-related information held by private organisations about their hardware, software, and services offerings. What would it mean to combine the CSE’s capabilities with those of the Australians?

Paralleling language and capabilities in federal legislation, Pillar 2 also makes clear that Canadian agencies will share information with allies and partners.

Per the drafts, GAC intended to strengthen relationships with diverse stakeholders. However, the May 2021 draft does not mention developing or building new relationships where earlier drafts did include such language. The CICSDI acknowledged that academia, non-governmental organisations, civil society, and industry representatives all had “important contributions to make” (169) though the specific modes of facilitating that engagement were removed in the final versions of the drafts that I received.

The summary of the May 2021 draft included four summaries of action, with one redacted. The non-redacted items include:

  • Canada will continue to call out malicious activity by state and state-backed actors and will continue to support our allies and partners on coordinated attributions.
  • Canada will also consider the use of its national capabilities for deterrence and response in partnerships with allies and will ask its partners for their support when needed.
  • GAC and the federal cyber community will continue to grow and deepen their relationships with the private sector and civil society actors.

Pillar 3: Advocate-Multilateral Engagement to Increase Canada’s Security

Under this pillar Canada would work to promote responsible state behaviour and accountability and support for the Rules-Based International Order (RBIO), as well as work to reduce risk of conflict through bilateral and multilateral confidence building measures. Concerning the former, the May draft recognized the importance of the RBIO and how it “provides a positive framework for the peaceful development of all states regardless of their size and influence” (170). With regards to cyberspace, work “remains to be done concerning how international law applies” though Canada believes that the “existing international law and the existing agreed norms are clear in governing state activity in cyberspace” (170). In effect, Canada is asserting that it believes the law applies and is clear while simultaneously acknowledging that a global consensus has not been reached. No mention is made of how the CSE’s activities, as an example, intersect with international law, though perhaps this is seen as of secondary importance given that “agreed norms” might be believed to sufficiently clarify how the CSE should operate abroad.

The ‘International Law’ subheading of this pillar denotes the various affirmations Canada has agreed to at the UN. The May 2021 draft states:

The public articulation of a state’s position on how international law applies in cyberspace is an important way to contribute to international stability in cyberspace and in the shaping of international law. International law is shaped by state behaviour, by the actions states take or do not take, and by the public statements accompanying these actions…The international law on state responsibility applies to cyber operations, including the option to use countermeasures in response to internationally wrongful acts (170).

From this statement, we might conclude that while Canada’s position on the CSE and international law remains somewhat ambiguous, the statements, attributions, and activities undertaken by Canada to delimit what is appropriate and inappropriate activity do constitute its contribution to shaping international law. Moreover, in reiterating the position that states must be responsible in how they exercise countermeasures the government may be (crudely) outlining limits on the CSE’s defensive cyber operations in excess of the prohibited content in Section 32 of the CSE Act.8 Alternately, we might read the draft as indicating that Canada regards the limits on the CSE’s cyber operations in Section 32 of the CSE Act as largely establishing what Canada considers to be redlines in international law.9

The Canadian Forces also undertake cyber operations and so positions adopted by GAC must account for CSE and the Forces alike, as well as other agencies that undertake cyber operations. Given my lack of familiarity with the Forces’ activities I’m unable to comment on how the Strategy might bind, or not bind, their operations. The Forces have declined to make available their own doctrine concerning cyber operations which makes it difficult, at best, to assess how the CICSDI and Forces’ approaches to the cyber domain cohere or conflict.

The May 2021 draft recognizes that restrictions under the Law of Armed Conflict apply to cyber activities during hostilities, including any that Canada might undertake. The draft explicitly recognized cyberspace as a domain of military operations and that transparency in active cyber capacities could come from defence strategies (e.g., Canada’s Strong, Secure, Engaged) as well as legislation (e.g., the CSE Act). Signalling, then, would require states to pay attention to international statements and also to closely track Canada’s domestic law reforms to understand what restrictions Canada believes firmly, and less firmly, pertain in the cyber domain.

In considering the norms that should govern multilateral engagement, in the May draft Canada believed “states should continue working in existing forums, such as the United Nations, and together to implement [existing] norms” (171) as opposed to creating new ones. The norms Canada supported were drawn from its implementation of the UN’s eleven norms of responsible state behaviour, and which closely correspond with Canada’s values (e.g., promotion and protection of human rights on the Internet, the right to freedom of expression, and the right to privacy).

Finally, this pillar outlined Canada’s position that risk could be reduced by bilateral and multilateral confidence building measures (CBMs). In the drafts, Canada committed to pursuing opportunities to develop CBMs such as “through hosting workshops, leading working groups, or sharing best practices” (172). This parallels past comments and efforts undertaken by Canada at the UN’s Group of Governmental Experts and other international fora.

The May 2021 draft included six summaries of action:

  • Canada will continue to publicly articulate its position on how international law applies in cyberspace.
  • Canada will use the agreed norms as well as adherence to international law as the standard for its own behaviour and to assess the behaviour of other states.
  • Canada will continue to support the implementation of norms.
  • Canada will continue to advocate for norms and encourage more states to adopt, observe, and implement the existing norms for state behaviour in cyberspace.
  • Canada will continue to highlight and advocate for the importance of these norms in bilateral relationships and in regional and multilateral forums as it has done at the UN, OAS OSCE, and ARF.
  • Canada will continue to pursue opportunities with regional partners to implement CBMs, whether through hosting workshops, leading working groups, or sharing best practices.

Pillar 4: Assist-Support Capacity Building and Inclusion to Increase Security in Cyberspace

Under this pillar Canada would work to increase the capacity of state partners to engage in international forums on cybersecurity issues and promote gender equality in international cybersecurity forums. Regarding the former, GAC intended to continue its outreach vis-a-vis workshops and seminars, and through providing financial assistance in “growing international cyber expertise” (173). Examples of how capacity building could manifest included assisting countries in the Americas to develop their cyber security strategies as well as to stand up Computer Security Incident Response Teams (CSIRTs). GAC would continue to seek federal partners’ support and assistance when undertaking cyber capacity building, such as by including Public Safety Canada and the Canadian Centre for Cyber Security when developing national cyber security strategies.

Canada regarded gender as an important “lens to understand the international context of cybersecurity” (173). The May 2021 draft noted a number of reports that had been commissioned on the intersection of gender and international cyber security, as well as historical and ongoing efforts to sponsor fellows for the Women in International Security and Cyberspace fellowship. While a Gender-Based Analysis (GBA+) approach guided the development of the Strategy and its implementation of activities, the next step was “to ensure the greater participation of all communities who may not have full participation in the international cyber security ecosystem” (174).

The three summaries of action in the May 2021 draft included:

  • Canada will continue to support cyber capacity building that works to improve the cybersecurity of other nations and encourage increased standards of coordination between States to more effectively respond to cyber threats.
  • Canada will use capacity building support to provide tailored trainings on the importance of international cyber law, CBMs and responsible state behaviour in cyberspace.
  • Canada will continue to support increased women’s participation in decision making and positions of influence in international cyberspace forums.

Notable Changes Across Drafts

Revisions were made to successive drafts of the CICSDI that I obtained. Assuming that work on the CICSDI continued past July 2021, we can expect that further revisions have taken place following the May 2021 draft of the CICSDI that I received in my ATIP.

In what follows I touch on some notable or substantive changes in the different sections of the May 2021 draft relative to earlier drafts of the CICSDI, and why the alterations matter. I organise this by the sections of the CICSDI.

Vision

The Vision section shifts from multiple paragraphs in early drafts of the CICSDI to a single sentence in the May draft. This is likely the result of the section turning into a ‘vision statement’, though the effect is to limit the breadth of the vision that drives the CICSDI. The narrowed statement reads, “A stable and prosperous future for Canada by working at home and partners to increase cyber security and resilience to cyber incidents” (163).

The May vision statement is so broad and bland that it minimally commits Canada to specific actions while still leaving open a broad range of potential activities to undertake. At the same time, the vision statement refers to stability and prosperity as driving Canada’s cyber foreign policies as opposed to human rights or deeper Canadian values. Those rights and values are seen as supportive or complementary to realising stability and security in later sections of the CICSDI instead of the other way around. The result is that the May 2021 draft makes clear that while human rights are important the aim of the CICSDI is not to principally secure or protect rights and values but, instead, to facilitate order and the economy.

Scope

Pre-May 2021 versions of the ‘Scope’ section recognized that Canadians and Canadian organisations “should not be expected to independently defend themselves against state or state-backed actors. There are steps only government can take to reduce cyber threats from state actors” (2). The May 2021 draft removed this language.

The removal seems unfortunate as the prior text made clear that the Canadian government–and governments more generally–has a role to play in combating state-driven operations that are directed at non-state parties. Further, the previous language might have been read as suggesting that ‘hack back’ laws or their equivalent should be out of bounds given that some steps should only be taken by governments. An alternate reading, however, might be that GAC wanted to avoid language that would assist foreign state security and intelligence agencies in their efforts to justify the securitisation of private organisations’ systems on the basis that such actions are necessary and proportionate to protect against (Western) nation-state operators.

Earlier, pre-May, drafts of this section referred to Canada working to address threats associated with the “misuse of digital platforms for disinformation, domestic cyber espionage for population control, and cybercrime” (2). Parties working towards this included the CSE, the G7 Rapid Response Mechanism, the RCMP’s National Cybercrime Coordination Unit, and “the funding of organizations supporting human rights defenders internationally” (3). The May 2021 draft removes “domestic cyber espionage for population control” as a challenge, as well as the reference to providing funding to organisations supporting human rights defenders. While what is being referred to is opaque, the earlier versions of the CICSDI could be referring to states using tools such as NSO’s Pegasus for domestic espionage as well as other domestic surveillance tools, as well as to Canada’s support of organisations which work to expose such malicious state behaviour or more broadly support human rights in authoritarian countries. If so, it remains unclear why these kinds of commitments would be struck from a foreign cybersecurity policy.

Context

Later versions of this section removed strong language concerning the RBIO, such as “Canada is a strong supporter and defender of the RBIO. This informs our foreign policy” (4). While the position is perhaps obvious given the attention that is paid to the RBIO in later sections as well as commitment to stability in the CICSDI’s Vision, those sections arguably do not make equivalent statements about the importance of the RBIO for Canada’s foreign policy.

The change in language might be put down to an editorial call to reduce length. Or, alternately, the edits might be seen from a position of preferring to avoid such strong statements given the contentious and unpredictable nature of international relations, including (as an example) the mutable positions concerning the RBIO as expressed by the United States of America during President Trump’s tenure. Strategic ambiguity or flexibility might be desirable should the RBIO continue to be put under pressure by competitor and allied states alike.

Pillar 1: Act-How Canada Will Use the Full Range of Its National Capabilities

The May 2021 version indicated that Canada would “further develop” and use its capabilities and tools to protect its interests. While perhaps unsurprising that more capacities would be established it does indicate that the existing capabilities which have been signalled or used are not the limit of what Canada expects to be able to field in the future.10 Missing in the May version, however, was a paragraph that outlined how Canada would develop “appropriate policies and procedures for using these capabilities” (6). Perhaps this is because the government believes that existing policies and procedures are sufficient or, alternatively, that the development of capabilities and tools themselves also involve developing policies and procedures for their use.

Early versions of the CICSDI included language that Canada believed that international law and agreed norms were “largely sufficient to guide state behaviour in cyberspace” (8) while also recognizing that “Canada acknowledged there remains some questions on how international law applies and that further work is needed to clarify the law, and on understanding and implementing the norms”. This, along with language that Canada did not support the creation of new norms or additional voluntary international forums, was struck in the final draft that was included in this ATIP.

The Summaries of Action (SoA) in the May 2021 draft varied from past summaries. These are reproduced, below:

| April 2021 SoA | May 2021 SoA |
|---|---|
| Canada will use its capabilities and tools to protect itself and its interests | NA |
| Canada will continue to develop the appropriate policies and procedures for using these capabilities | NA |
| REDACTED | REDACTED |
| Canada will employ the full range of our collective resources to protect Canada and mitigate cyber threats | Canada will employ the full range of our collective resources to protect Canada and mitigate cyber threats. |
| Canada will continue to develop new, and enhance existing, tools to better deter malicious actors11 | Canada will continue to develop new, and enhance existing, tools to better deter malicious actors. |
| Canada will continue to call out malicious behaviour and will continue to raise awareness of the threats facing Canada and its allies | Canada will continue to call out malicious behaviour and will continue to raise awareness of the threats facing Canada and its allies. |
| REDACTED | REDACTED |
| Canada will continue to detail its foreign policy through statements, speeches, and publications | Canada will continue to detail its foreign policy through statements, speeches, and publications. |
| Canada will continue to respect its domestic and international legal obligations and uphold responsible state behaviour in cyberspace | Canada will continue to respect its domestic and international legal obligations and uphold responsible state behaviour in cyberspace. |
| Canada will continue to support cyber capacity building that works to improve the cybersecurity of other nations and encourage increased standards of coordination between States to more effectively respond in cyberspace | NA |
| Canada will use capacity building support to provide tailored trainings on the importance of international cyber laws, CBMs and responsible state behaviour in cyberspace | NA |

(Table 2: Pillar 1 April 2021 vs May 2021 SoAs)

Pillar 2: Cooperate-Work with Allies and Partners to Deter and Respond to Threats to Canadian Interests

The May 2021 draft struck details on sharing information between allies and partners to support one another, and shifted from strengthening relationships with “non-traditional partners” to strengthening them with “diverse stakeholders”. This change might be intended to reflect a more common editorial voice across GAC documentation or, alternately, to indicate differences in the parties with whom Canada expects to strengthen relationships.

Further, earlier versions provided examples of how the Government of Canada develops and maintains relationships, such as how the Canadian Security Intelligence Service (CSIS) works “with more than 300 organizations in over 150 countries, including Five Eyes as well as non-traditional partners” (10). It’s possible that these details were removed on the basis that they were overly specific for a strategy document.

A major policy change, however, seems to be indicated by removing any mention of “creating a cyber stakeholder engagement action plan” in the May 2021 draft. At the same time, this section removed a paragraph discussing how GAC would leverage “its understanding of international affairs” and “understanding of Canada’s foreign policy goals” to “provide assistance and advice to the government departments and agencies on engagement priorities and coordinating international outreach” (153). In aggregate, this leaves unclear how substantively GAC will engage with non-governmental parties. Also unclear is whether GAC expects to assume a heightened role in the international affairs conducted by other Canadian government agencies or departments or if, instead, GAC doubts that it will be able to take even a leading coordinating role with those agencies and their international counterparts. If the latter is closer to the truth it may speak to a diminishment of GAC’s broader influence across the government international policy arena. Alternately, this language might have been struck on grounds that it was self-apparent to those within GAC and who interact with the department.

The Summaries of Action (SoA) in the May 2021 draft varied from past summaries. These are reproduced below:

| April 2021 SoA | May 2021 SoA |
| --- | --- |
| Canada will continue to call out malicious activity by state and state-backed actors and will continue to support our allies and partners on coordinated attributions | Canada will continue to call out malicious activity by state and state-backed actors and will continue to support our allies and partners on coordinated attributions |
| Canada will also consider the use of its national capabilities for deterrence and response in partnerships with allies and will ask its partners for their support when needed | Canada will also consider the use of its national capabilities for deterrence and response in partnerships with allies and will ask its partners for their support when needed |
| REDACTED | REDACTED |
| Canada will continue dialogue at multilateral organizations, to support cyber capacity building, and work with states to implement norms of responsible state behaviour through the adoption of practical measures such as CMBs | NA |
| Canada will provide capacity building funding to support increased participation of all states in international discussions and negotiations related to cybersecurity and international cyber law | NA |
| GAC will provide assistance and advice to other government departments and agencies on engagement priorities and coordinating international outreach | NA |
| GAC will also work to increase multi-stakeholder engagement by creating a Cyber Stakeholder Engagement Action Plan | NA |
| GAC and the federal cyber community will continue to grow and deepen their relationships with the private sector and civil society actors | GAC and the federal cyber community will continue to grow and deepen their relationships with the private sector and civil society actors |
| Canada will continue to build partnerships and relationships with allies and likeminded states | NA |

(Table 3: Pillar 2 April 2021 vs May 2021 SoAs)

Pillar 3: Advocate-Multilateral Engagement to Increase Canada’s Security

The May 2021 draft removed language that the “continued resilience of the RBIO is important for the ongoing prosperity of all states” (155). It may have been struck because some states do, in fact, benefit from the lack of an RBIO or because “ongoing prosperity” isn’t a guarantee for all states when the RBIO is upheld. Also removed in the May draft was a paragraph that asserted that the RBIO was under pressure from “states that are using the institutions of the RBIO to further their authoritarian views” (155). While I expect that GAC still believes this to be true, it may be that the language was seen as overly antagonistic to include in a strategy of what Canada will do as opposed to why Canada will act. However, the removal has the effect of Canada seemingly muzzling itself in its Strategy while, at the same time, Canadian diplomats and experts within the Canadian Centre for Cyber Security have raised concerns about authoritarian uses of international institutions to undermine the RBIO.

Also missing in the May draft is a sentence that indicated that law and norms were sufficient to guide state behaviour in cyberspace; instead, language was updated in the May draft to assert that international law and norms were clear in governing state activity. This slight variance suggests an emphasis on using international institutions to discipline states that deviate from international law and norms as opposed to suggesting these are necessarily sufficient to actually guide states’ initial activities. To see this modification along with the removal of a paragraph that admitted there were “still differences in opinion regarding exactly how international law applies in cyberspace” suggests a possible hardening in GAC on the clarity of international law or, alternately, a decision to not give states room to insist that differences in interpretation make their activities lawful when Canada holds an opposing view of the lawfulness of their actions.

The May 2021 draft also removes a paragraph that outlines Canada’s position that human rights “apply online as they do offline” (157). The removal might have occurred because this linkage is self-evident from Canada’s positions taken in international fora or because this paragraph was meant to illuminate a general position. Many such examples and illuminations were removed in the May version of the CICSDI.

Finally, the May draft cut a paragraph that made clear that Canada associated seeking stability in cyberspace with continuing to “advocate for norms and encourage more states to adopt, observe, and implement the existing norms for state behaviour in cyberspace” (157). While probable that GAC will undertake these activities regardless of the form of a final Strategy, this constitutes the removal of an action item for GAC to evaluate its actions against. Further, its removal may raise questions of what the Strategy should do: is it meant to clearly consolidate and telegraph Canada’s various positions and intents, or meant to complement existing international understanding of Canada’s activities over the past decades?

The Summaries of Action (SoA) in the May 2021 draft varied from past summaries. These are reproduced below:

| April 2021 SoA | May 2021 SoA |
| --- | --- |
| Canada will continue to publicly articulate its position on how international law applies in cyberspace | Canada will continue to publicly articulate its position on how international law applies in cyberspace |
| Canada will use the agreed norms as well as adherence to international law as the standard for its own behaviour and to assess the behaviour of other states | Canada will use the agreed norms as well as adherence to international law as the standard for its own behaviour and to assess the behaviour of other states |
| Canada will continue to support the implementation of norms | Canada will continue to support the implementation of norms |
| Canada will continue to advocate for norms and encourage more states to adopt, observe, and implement the existing norms for state behaviour in cyberspace | Canada will continue to advocate for norms and encourage more states to adopt, observe, and implement the existing norms for state behaviour in cyberspace |
| Canada will continue to highlight and advocate for the importance of these norms in bilateral relationships and in regional and multilateral forums as it has done at the UN, OAS OSCE, and ARF | Canada will continue to highlight and advocate for the importance of these norms in bilateral relationships and in regional and multilateral forums as it has done at the UN, OAS OSCE, and ARF |
| Canada will continue to pursue opportunities with regional partners to implement CBMs, whether through hosting workshops, leading working groups, or sharing best practices | Canada will continue to pursue opportunities with regional partners to implement CBMs, whether through hosting workshops, leading working groups, or sharing best practices |
| Canada will continue to strengthen existing relationships and establish new ones | NA |

(Table 4: Pillar 3 April 2021 vs May 2021 SoAs)

Pillar 4: Assist-Support Capacity Building and Inclusion to Increase Security in Cyberspace

Removed sections in the May 2021 draft include an example of how Canada has contributed to the NATO Cooperative Cyber Defence Centre of Excellence and Canada’s supporting international civil servants at courses on the applicability of international law in cyberspace. Also absent is a brief mention that human rights values “inform [Canada’s] approach to international cyber security” (160) and a change in language that explicitly recognized that the next step after a GBA approach should be to explicitly recognise the need to include neuro and racially diverse communities in cyberspace forums and decision making processes.

The Summaries of Action (SoA) in the May 2021 draft varied from past summaries. These are reproduced below:

| April 2021 SoA | May 2021 SoA |
| --- | --- |
| GAC will continue to engage in outreach and cooperative activities, as well as workshops and seminars, including on how and why Canada is implementing the norms for responsible state behaviour and CBMs | NA |
| Canada will continue to provide financial assistance in growing international cyber expertise | NA |
| NA | Canada will continue to support cyber capacity building that works to improve the cybersecurity of other nations and encourage increased standards of coordination between States to more effectively respond to cyber threats |
| NA | Canada will use capacity building support to provide tailored trainings on the importance of international cyber law, CBMs and responsible state behaviour in cyberspace |
| Canada will continue to support increased women’s participation in decision making and positions of influence in international cyberspace forums | Canada will continue to support increased women’s participation in decision making and positions of influence in international cyberspace forums |

(Table 5: Pillar 4 April 2021 vs May 2021 SoAs)

The May 2021 SoAs remove explicit reference to providing financial assistance. Neither the April nor the May draft recognized the need to increase participation of neuro and racially diverse groups in international fora in the SoAs. As such, the revisions in the May 2021 draft may reflect an unwillingness to specify how Canada might broaden its GBA lens when it comes to foreign affairs.

Curiously Absent Policy Issues and Concluding Thoughts

Strategy documents are meant to be sufficiently high-level so as to guide a department’s activities for some time. If they are overly specific they risk limiting the ability of departments to react as operating situations transform and evolve. However, at the same time, strategies should offer some guidance on larger policy areas or issues.

It’s with this need to provide guidance to larger policy issues that I was surprised to see no reference to a number of major international cybersecurity issues. First, there was no reference to encryption despite the Government of Canada adopting the position that companies should reduce the availability of strong encryption provided to end users. Should we assume that this is not a high-profile issue for GAC, that GAC is not leading the charge (and, thus, has declined to mention other agencies’ policy priorities), or that the Government of Canada is changing its international policy position? Questions abound.

Second, there is no explicit reference to the proliferation of cyber mercenaries. It’s possible to squint and try to squeeze this issue area into a few different sections of the Strategy–perhaps this fits in with discussions with state-sponsored actors, or broadly in the development of norms and international law, or in the framings of indiscriminate and irresponsible use of malware?–but none of these are particularly satisfying. Alternatively, we might need to turn to domestic policy publications, such as from the Canadian Centre for Cyber Security, to intuit the Canadian government’s positions on these organisations. If, however, the Strategy is meant to provide transparency and predictability to Canada’s actions then the opacity of the government’s position on this issue does the opposite of predicting Canada’s stance regarding cyber mercenaries.12

Third, there are no discussions about the export and dissemination of dual-use technologies. If human rights and core Canadian values were driving Canada’s cyber foreign policy then we might expect some discussion about how the Canadian government will act internationally to prevent the sale of, say, middle boxes that facilitate censorship and are actively used to impair freedom of speech. However, given that the vision of the May 2021 draft is focused on stability and prosperity as driving the Strategy then perhaps GAC sees the issue of selling middle boxes (and other dual use technologies) as principally an economic trade issue and thus not an issue that rises to being included in the CICSDI. It would be disheartening were this the case.

Fourth, given the preponderance of laws and international discussion concerning the nature of online harms and disinformation it seems critical that a Canadian strategy at least gestures towards this policy area. To be clear this is a space where the Canadian government is quickly advancing its own (contentious) domestic policy agenda and so references to this issue might need to be a bit oblique in a foreign affairs strategy document. Nonetheless, given all the time and effort being spent domestically and internationally on online harms, and the prospect of associated laws to adjust international security environments through repressing or preventing certain classes of speech, it seems important to frame how Canada will engage on the issue in international fora. As it stands a reader is left with the thin gruel of ‘Canada will operate in accordance with international human rights and domestic policy guides’ which is not helpful for predicting how Canada will understand or frame attempts to develop and impose transnational online harms frameworks. It is possible, of course, that later drafts of the Strategy included references to the Christchurch Call to make explicit Canada’s ongoing position regarding classes of online harms.

Fifth, it was disappointing (if expected) that there is no specific attempt to explain how Canada understands the CSE’s cyber operations in the context of international law. As mentioned earlier in this post, I think that we can read into the draft some fetters that the CICSDI might impose on the CSE’s range of activities but that’s just one reading and certainly isn’t particularly binding.

Sixth, there were no specific references to efforts undertaken by China, Russia, or other states to take leadership roles in standards bodies in order to shape future technological innovation. Previously, the CCCS has raised the alarm that China and Russia “continue to push their agenda in international forums such as the International Telecommunications Union (ITU) and other UN bodies, via policy proposals and technical standards proposals. Technical standards can have extraordinary real-world implications, as can be seen in the New Internet Protocol (NIP) proposal made by China and Chinese telecommunications companies, as the NIP would fundamentally transform the way the Internet works” (13). While the CICSDI does indicate that Canada is satisfied with the existing governance forums and opposes new forums being used to establish norms or rules for cyberspace, and thus can be read to obliquely refer to the efforts that are occurring at the ITU and other bodies, it seems like a lost opportunity to not strongly echo CCCS’s position.

Seventh, while the United States has established the Bureau of Cyberspace and Digital Policy in recent weeks there is no indication in the CICSDI that an equivalent effort is afoot in Canada. To be clear, the Bureau took time to craft and establish and was a long-standing effort by leading foreign policy experts: GAC was not ignorant of the activities undertaken by their American counterparts. Nonetheless, the CICSDI drafts I obtained do not mention an equivalent ambition within GAC. Given that digital and cyber issues permeate foreign affairs it seems unfortunate that GAC may not be at least partially mirroring the ambition of the State Department. It is possible, of course, that subsequent drafts might capture this kind of ambition.

Finally, and perhaps somewhat broadly, a key challenge within this Strategy is that it leaves unclear what Canada considers to be responsible or discriminate cyber activity. There are examples provided of bad behaviour but none of good behaviour. GAC is arguably limited in any such explanations by what the CSE is willing to declassify for public analysis. However, GAC could point to activities undertaken by foreign states and which are seen as responsible or normatively appropriate kinds of operations. In the United States, as an example, the intelligence community grudgingly admitted that the OPM hack was well within bounds of legitimate nation-state activities and constituted “honourable espionage work”. More such examples are needed. For instance, would targeted use of wiper malware in a conflict scenario that minimised spillover be discriminate and responsible? What of mass surveillance activities where human analysts only access and analyse a small subset of the targeted persons’ communications while operating within a high rule-of-law scenario? To be clear, I’m not suggesting specifically which kinds of activities are discriminate or responsible but, instead, trying to suggest that the Canadian government should initiate such a debate concerning appropriate types of state-driven cyber operations. Only by putting hard examples on the table will it be clearer how, precisely, Canadian values and interests apply to the cyber domain and thus what is considered permissible activity.

In closing, it’s important to reiterate that my analyses are drawn entirely from ATIPed documents that possess redactions and that the documents, themselves, appear in flux. Their current and final versions may vary significantly from the drafts I obtained. Nonetheless the draft CICSDI helpfully clarifies some of GAC’s thinking on its international positions while revealing initial versus later understandings of what GAC planned to do on the international stage when it came to its cybersecurity strategy and diplomatic initiatives. To date the CICSDI is arguably the most centralised and expansive public summary of Canada’s cyber foreign policy. For that reason alone the documents are important for students of Canada’s foreign policy to read and assess.




Acknowledgements

I want to express my profound appreciation to the individuals who have spoken with me about the CICSDI and who helped me reflect on several elements of my analysis of these ATIP documents. Your contributions have made this writing better. Any errors remain my own.


  1. The government planned to produce a “cyber security foreign policy” and was on track to do so by fall 2013 (10). No such policy has been publicly promulgated in the intervening years.
  2. The specific request language was for: “A copy of Canada’s International Cybersecurity Strategy and Cyber Diplomacy Initiative, which was mentioned by the CSE Chief in her speech on May 18, 2021; any copies of these documents, draft or pre-publication, that exist between January 1, 2021 – July 13, 2021. Please exclude documents that fall under Cabinet Confidence.” Delays were significant enough that I complained to the Information Commissioner after GAC missed its deadlines to provide me with responsive documents.
  3. This definition, in turn, is taken from Canada’s National Cyber Security Strategy (Self-Hosted PDF Version).
  4. The reference to MSPs is dropped by the May version of the draft.
  5. Given that NSIRA’s 2020 review found that the “CSE was unable to provide an assessment of its obligations under international law regarding the conduct of active cyber operations” it’s perhaps unsurprising that the May 2021 draft of the CICSDI lacks clarity on how international law governs such operations.
  6. Earlier drafts appended “by conducting malicious activity” to this sentence. See page 7.
  7. Previous drafts used “non-traditional partners” instead of “diverse stakeholders”. See page 10.
  8. Under Section 32 the CSE cannot “(a) cause, intentionally or by criminal negligence, death or bodily harm to an individual; or (b) wilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy” when undertaking an authorised cyber defence operation or an active cyber operation.
  9. I’m not an international law scholar, however, so I largely will defer to my colleagues who may have superior interpretations of the CICSDI and Canada’s views on international law in the cyber domain.
  10. It’s possible the language reflects assessments that Canada’s active cyber defences, along with other operations, may have been lacking at the time the CICSDI was being written. Such a position might cohere with the lack of defensive cyber operations that have been undertaken by the CSE as noted by a 2022 report by NSICOP.
  11. The 2022 Budget includes “$263.9 million over five years, starting in 2022-23, and $96.5 million ongoing to enhance CSE’s abilities to launch cyber operations to prevent and defend against cyber attacks” as well as “$180.3 million over five years, starting in 2022-23, and $40.6 million ongoing to enhance CSE’s abilities to prevent and respond to cyber attacks on critical infrastructure” (136).
  12. Of course, the government might have decided that regulating such actors would inhibit Canada’s own ability to utilise them while, at the same time, potentially antagonising Israel given that many of the highest profile cyber mercenaries operate from that country.