It is widely expected that Canadians will be going to the polls in the next few months. In advance of the election the Canadian Security Intelligence Service (CSIS) has published an unclassified report entitled, “Foreign Interference: Threats to Canada’s Democratic Process.”1
In this post I briefly discuss some of the highlights of the report and offer some productive criticism concerning who the report and its guidance is directed at, and the ability for individuals to act on the provided guidance. The report ultimately represents a valuable contribution to efforts to increase the awareness of national security issues in Canada and, on that basis alone, I hope that CSIS and other members of Canada’s intelligence and security community continue to publish these kinds of reports.
The report generally outlines a series of foreign interference-related threats that face Canada, and Canadians. Foreign interference includes, “attempts to covertly influence, intimidate, manipulate, interfere, corrupt or discredit individuals, organizations and governments to further the interests of a foreign country” and are, “carried out by both state and non-state actors” towards, “Canadian entities both inside and outside of Canada, and directly threaten national security” (Page 5). The report is divided into sections which explain why Canada and Canadians are targets of foreign interference, the types of foreign states’ goals, who might be targeted, and the techniques that might be adopted to apply foreign interference and how to detect and avoid such interference. The report concludes by discussing some of the election-specific mechanisms that have been adopted by the Government of Canada to mitigate the effects and effectiveness of foreign interference operations.
On the whole this is a pretty good overview document. It makes a good academic teaching resource, insofar as it provides a high-level overview of what foreign interference can entail and would probably serve as a nice kick off to discuss the topic of foreign interference more broadly.2
Not An Intelligence Assessment
I appreciate that the goal of CSIS’ report is educational, as opposed to providing a firm assessment of the likelihood of specific kinds of threats and which kinds of groups are more likely to experience them. As others have publicly noted on Twitter the use of “may” throughout the document should not be read as CSIS offering hypotheticals that foreign states might undertake foreign interference operations; such operations are not new and they are ongoing.
However, I do think that presenting this document in an educational way, using softer language such as “may” instead of quantifying likelihoods, means that it is challenging for affected parties to understand the extent to which the educational materials are directed towards them. To explain, I think that given the present concerns about China writ large many readers will immediately think of Chinese communities, Chinese-dominated social media platforms such as WeChat, and so forth. But what risks are posed by the Russian government, as just one example? Or the Iranian, Saudi Arabian, UAE, or Ethiopian governments, or others that have a history of targeting foreign dissidents or critical media voices? The very general nature of this document tells people to be worried but doesn’t help individuals or communities to more effectively quantify the likelihood of risk and, as will be discussed, appreciate the need to adopt the defensive techniques CSIS suggests in this report.
Why Is Canada a Target?
The report does a good job in quickly outlining why Canada, and residents of Canada, are often targeted by foreign states and state-adjacent actors. It’s worth quoting at length that:
Canada’s abundance of natural resources, advanced technology, human talent, and expertise makes it a world leader in many sectors. Canada’s close relationship with the United States, its status as a founding member of the North Atlantic Treaty Organization and its participation in a number of multilateral and bilateral defence and trade agreements, as well as the Five Eyes community, has also made it an attractive target for foreign interference (Page 6).
I would note, however, that the rest of the same paragraph goes on to discuss why Canada may be an inviting target, in part due to the country’s multiculturalism which adversaries exploit, “by subjecting Canadian communities to clandestine and deceptive manipulation or threats” (Page 6). In aggregate, while the top half of the paragraph explains the strategic motives of targeting the bottom highlights why this capability (in part) exists. I’m not entirely certain that the two concepts should be linked as they were, given one speaks more to strategy and the others to tactics (to my mind) but, regardless, the points made are fair.
Who Are Targets?
If there is a core weakness to this document it is that the classes of persons who may be targeted is so broad and specific threats so underspecified that acting on the provided advise is challenging, at best. In addition to federal government officials, “[t]he decisions and policies of provincial and municipal governments are equally important as they determine investments in the economy, infrastructure, resources and the environment, as well as the health and education of citizens and residents” (Page 7). Further, the general Canadian public is also a potential target for foreign interference operations.
The classes of threats to members of the public are vast, including threats, bribery, or blackmail to influence voting behaviours, as well as efforts to influence the public online using disinformation and foreign interference campaigns that may, “amplify societal differences, sow discord and undermine confidence in fundamental government institutions or electoral processes” (Page 8). Of specific note, CSIS calls out that foreign states, “may also use cyber-enabled tracking or surveillance of dissidents, those who challenge their rhetoric, or do not support their interests in Canada. Such behaviour can lead to threats or blackmail if the individual fails to cooperate” (Page 9). Left unstated are which states are more or less likely to use these techniques, or which groups in Canada are more likely to be targets. Curiously, the report notes that when these communities are targeted foreign state actors, “show disregard for Canadian democratic values and open society” (Page 9). Left unstated is whether and to what extent these states also violate either international or domestic law when they undertake their interference operations. I think that clarifying such violations of law are important, even in these educational pieces, if only to reify or advance norm-building as it pertains to foreign interference.
Other groups which may be targeted include elected and public officials, donors as well as interest or lobby groups, and community organizations, and the media. The focus on the media is interesting as CSIS both focuses on how foreign states might coerce diaspora members to, “help influence to their benefit what is being reported by Canadian media outlets” as well as influence the media through funding and advertisements, or the outright acquisition of Canadian-based media outlets. Similarly, foreign state media might push information into Canadian-based community networks with the intent of discrediting reliable news sources or otherwise sowing misinformation and propaganda.
While some of the aforementioned concerns linked to the media can be associated with publicly reported activities, most appear more speculative. Are there specific situations where foreign states have compelled their citizens to influence media coverage of events in Canada, and if so how frequently and to what effect?3 More powerfully, perhaps, what does it mean to be influenced vis-a-vis funding and advertisement dollars, especially with concerns that some Chinese companies in particular are tightly associated with the Chinese government? To be blunt and clear, is this CSIS warning that Huawei sponsoring Hockey Night in Canada was an influence operation and what, specifically, should be done to assess whether one of these operations is taking place, especially in situations where there is a ‘long game’ being played?4 How should media companies determine if foreign state-friendly companies are attempting to make advertisement purchases for commercial purposes as opposed to preparing the ground for interference operations, especially when concerns about a company can shift rapidly as allegations are made against them or evidence made public?
Spotting and Mitigating Foreign Interference Techniques
The penultimate part of the report discusses a number of techniques that foreign states or state-adjacent actors might carry out as part of interference operations, as well as how Canadians might respond in the face of these techniques. I think that the report does a good job in explaining the kinds of techniques that might be used but the guidance on how to respond is less productive on the basis that individuals or communities are unlikely to know whether they are actually a target based on the information in this document, and whether the guidance pertains to all Canadians and voters, to elected officials and bureaucrats, to members of civil society, or to members of the media. Let me explain.
In the discussion of ‘cultivation’, one of the tells of this technique is that someone may showcase shared interests and appear at innocuous social gatherings to cultivate a relationship with a target. To mitigate this technique individuals are advised to:
Be aware and keep track of unnatural social interactions, frequent requests to meet privately, out-of-place introductions or engagements, gifts and offers of all expenses paid travel (Page 11).
What, precisely, constitutes an “unnatural social interaction”? And what specifically is an “out-of-place introduction”? To be clear, I do agree with this advice but to whom is it directed towards and how should it be distinguished from, say, someone trying to enter into a legitimate romantic or personal relationship? Should voting members of the public be on guard for these kinds of situations and report them–as suggested at the conclusion of the report–when they experience them? I think that greater detail and sensitivity is particularly important here to avoid the equivalent of a ‘red scare‘ which can worsen pre-existing bias and racism towards some residents of Canada.
The discussion of coercion, also, does a good job in laying out just what this technique can entail. It includes, “[s]ometimes, blackmail or threats may occur after a long period of cultivation and relationship-building. A threat actor may also attempt to put someone in a compromising situation, just to blackmail the person later” (Page 12). However, in explaining how to avoid coercion the report suggests that individuals, “[a]void sharing compromising details or personal information with untrusted individuals, both in-person and online” (Page 12). Given that coercion is often linked to cultivation, what is someone expected to do when they have developed a relationship with someone over time and thus shared intimate information only to have it used against them? Furthermore, in the case of threat actors that have access to historical information they might be able to leverage comments or activities that were previously condoned but are now widely regarded as embarrassing or inappropriate. In a time where the statements people make as teenagers can lead to their jobs being put in jeopardy when they arise in the media a decade later, today, how can individuals be expected to protect against these kinds of coercion techniques? Simply not sharing personal information may work for some people but is at significant variance with how a large portion of the population–which is enamoured with social media–lives their lives, today.
Turning to cyber attack techniques, I begin by disagreeing with the very use of the term ‘attack’. I appreciate that the document is meant for a public audience but this is not a term that I like to see perpetuated, especially when there is no apparent kinetic activity associated with the technique. Setting that aside, however, I think that CSIS’s brief explanation of what these techniques may include is entirely appropriate. Again, however, I worry that the advice provided is challenging: adopting strong passwords only really works if you are using a password manager but these same services are regularly distrusted by the public. Enabling two-factor authentication is scary for a lot of people, and it is made more so in situations where individuals need to assess whether to use SMS (which has been deprecated as a factor by NIST), an application on their phone, or a hardware token. And, finally, trying to advise people on how to avoid phishing attacks continues to teach people that sophisticated threat actors who are carrying out state activities are using low-grade phish. As a security community we know this isn’t the case and so, again, the question is to whom exactly is this information meant to inform?5 At a minimum, these more technical suggestions should have a footnote that will guide readers to resources that will help them actually implement things like strong passwords and multiple-factor authentication.
The final techniques that are discussed, disinformation and espionage, also provide arguably unhelpful advice given that it is unclear who the guidance is targeted towards. In the case of disinformation, as an example, individuals are advised to, “take note of unexpected online interactions” but are not told what these interactions might be, or what they should do with these notes. Relatedly, to avoid espionage activities individuals are advised to, “[f]ollow security of information protocols” but doesn’t make clear to whom, specifically, this applies. Is the latter advise meant mostly for politicians and bureaucrats, or towards the general public, or both?
To be clear, I think that the report issued by CSIS is helpful if only to sensitize Canadians and residents of Canada of the kinds of threats that exist in the world. I think that in terms of a high-level educational resource the report serves its purpose. Where I think it is less effective, however, is in not making more clear the specific kinds of parties which are more or less likely to be targeted and the means by which they could be targeted. As a result, I have a hard time seeing this report motivating people to generally adopt better security postures.
In an ideal world, this document will serve as the basis for more specific and detailed reports that are community- and group-specific, and build to provide clearer guidance on the threats that communities may face (e.g., what threats face the Canadian-Chinese community, the Iranian community, MPs, increasingly freelance media community, etc) and ways of mitigating those threats. It is clearly impossible to comprehensively communicate risks to all communities but more details are almost certainly needed if groups of Canadians are to be adequately informed of their risk profiles and what to do in order to mitigate these risks. Furthermore, CSIS and other members of Canada’s intelligence and security community should be publishing translated versions of these documents in languages other than English and French; given the attention to immigrant communities in the report it is imperative that reports like this one are translated for the communities they are most meant to assist.
It’s impossible to do everything, for everyone, and what I’m suggesting may appear overly critical for the kind of report that was published. My intent, however, is to surface some of the teething aspects of the document and why they may be challenging to put into action as opposed to disagreeing with the proposed mitigation techniques themselves. I truly hope that CSIS, and the other members of Canada’s security and intelligence community, continue to produce reports and documents like “Foreign Interference: Threats to Canada’s Democratic Process” to raise awareness of existent threats and to further build a more mature discussion about national security amongst Canadians and residents of Canada.
- I’ve uploaded a version of this document, as a PDF, to this website in case the URL changes at some point in the future. ↩︎
- I think it would be a very neat exercise for students to assemble a set of Western reports on what constitutes foreign interference and compare them to determine what advice is common or dissimilar, what threats are more or less concerning for different states, and then assess what this means in terms of how security intelligence services are treating the issue of foreign interference more generally. ↩︎
- Would this, as an example, include the poorly handled efforts to support Huawei’s CFO or do the authors have more subtle or pernicious operations in mind? ↩︎
- I’ve written, elsewhere, about Huawei and there note that it was allegedly a challenge to get funding for Hockey Night in Canada due to China-based executives doubting the value of allocating advertising dollars towards hockey as opposed to basketball. ↩︎
- In general I’m of the opinion that spearphishing is principally an issue that email and other communications providers should be stopping given the visibility and threat intelligence they have access to, and that downloading responsibility to end-users is inappropriate given that they will typically have the least capability or visibility to detect sophisticated phishing efforts. I do, however, recognize that this isn’t a universally shared view. ↩︎