Questions Surrounding NSIRA’s ‘Cyber Incident’

Photo by alleksana on Pexels.com

On April 16, 2021 the National Security and Intelligence Review Agency (NSIRA) published a statement on its website declaring that it had experienced a ‘cyber incident’ in which an unauthorized party accessed the Agency’s external network. This network is not used for Secret or Top Secret information.

NSIRA is responsible for conducting national security reviews of Canadian federal agencies, inclusive of “the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security and intelligence activities of all other federal departments and agencies.” The expanded list of departments and agencies includes the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND), Global Affairs Canada (GAC), and the Department of Justice (DoJ). As a result of their expansive mandate, the Agency has access to broad swathes of information about the activities which are undertaken by Canada’s national security and intelligence community. 

Despite the potential significance of this breach, little has been publicly written about the possible implications of the unauthorized access. This post acts as an early round of analysis of the potential significance of the access by, first, outlining the kinds of information which may have been accessed by the unauthorized party and, then, raising a series of questions that remain unanswered in NSIRA’s statement. The answers to these questions may dictate the actual seriousness and severity of the cyber incident.

What is Protected Information?

NSIRA’s unclassified information includes Protected information. Information is designated as Protected when, if compromised, it “could reasonably be expected to cause injury to a non-national interest—that is, an individual interest such as a person or an organization.” There are three levels of Protected information, applied according to the sensitivity of the information. Compromising Protected A information could “cause injury to an individual, organization or government,” whereas compromising Protected B information could “cause serious injury.” Compromising Protected C information could “cause extremely grave injury.” Protected C information is safeguarded in the same manner as Confidential or Secret material, the compromise of which could, respectively, cause injury or serious injury to “the national interest, defence and maintenance of the social, political, and economic wellbeing of Canada.”

Intrusion into protected networks brings with it potentially significant concerns based on the information which may be obtained. Per Veterans Affairs, employee information associated with Protected A information could include ‘tombstone’ information such as name, home address, telephone numbers or date of birth, personal record identifiers, language test results, or views which if made public would cause embarrassment to the individual or organization. Protected B could include medical records (e.g., physical, psychiatric, or psychological descriptions), performance reviews, tax returns, an individual’s financial information, character assessments, or other files or information that are composed of a significant amount of personal information. 

More broadly, Protected A information can include third-party business information that has been provided in confidence, contracts, or tenders. Protected B information in excess of staff information might include that which, if disclosed, could cause a loss of competitive advantage to a Canadian company or could impede the development of government policies such as by revealing Treasury Board submissions. 

In short, information classified as Protected could be manipulated for a number of ends depending on the specifics of what information is in a computer network. Theoretically, and assuming that an expansive amount of protected information were present, the information might be used by third-parties to attempt to recruit or target government staff or could give insights into activities that NSIRA was interested in reviewing, or is actively reviewing. Further, were NSIRA either reviewing non-classified government policies or preparing such policies for the Treasury Board, the revelation of such information might advantage unauthorized parties by enabling them to predict or respond to those policies in advance of their being put in place.


Review: Top Secret Canada-Understanding the Canadian Intelligence and National Security Community

Canadian students of national security have historically suffered in ways that their British and American colleagues have not. Whereas our Anglo-cousins enjoy a robust literature that, amongst other things, maps out what parts of their governments are involved in what elements of national security, Canadians have not had similar comprehensive maps. The result has been that scholars have been left to depend on personal connections, engagements with government insiders, leaked and redacted government documents, and a raft of supposition and logical inferences. Top Secret Canada: Understanding the Canadian Intelligence and National Security Community aspires to correct some of this asymmetry and is largely successful.

The book is divided into chapters about central agencies, core collection and advisory agencies, operations and enforcement and community engagement agencies, government departments with national security functions, and the evolving national security review landscape. Chapters generally adhere to a structure that describes an agency’s mandate, inter-agency cooperation, the resources possessed and needed by the organization, the challenges facing the agency, and its controversies. This framing gives both the book, and most chapters, a sense of continuity throughout.

The editors of the volume were successful in getting current, as well as former, government bureaucrats and policymakers, as well as academics, to contribute chapters. Part One, which discusses the central agencies, was amongst the most revealing. Fyffe’s discussion of the evolution of the National Security Intelligence Advisor’s role and the roles of the various intelligence secretariats, combined with Lilly’s explanation of the fast-paced and issue-driven focus of political staffers in the Prime Minister’s Office, pulls back the curtain on how Canada’s central agencies intersect with national security and intelligence issues. As useful as these chapters are, they also lay bare the difficulty in structuring the book: whereas Fyffe’s chapter faithfully outlines the Privy Council Office per the structure outlined in the volume’s introduction, Lilly’s adopts a structure that, significantly, outlines what government bureaucrats must do to be more effective in engaging with political staff as well as how political staffers’ skills and knowledge could be used by intelligence and security agencies. This bifurcation in the authors’ respective intents creates a tension in answering ‘who is this book for?’, which carries on in some subsequent chapters. Nonetheless, I found these chapters perhaps the most insightful for the national security-related challenges faced by those closest to the Prime Minister.


On The Non-Consensual Sharing of Intimate Images of Men

Photo by Vie Studio on Pexels.com

Canadian parliamentarians in the era of the pandemic have adopted distanced methods of conducting their business. This has seen many Members of Parliament (MPs) use video conferencing platforms so that they can broadcast from their kitchens, living rooms, home offices, and bedrooms. On April 14, 2021 there was an unfortunate situation where a conventionally attractive male MP inadvertently had his conferencing camera on while changing his clothing. Another MP or parliamentary staff member captured an image of his state of undress and subsequently shared it with media organizations. 

This situation raises a question of law and, separately and more broadly, provides an opportunity to highlight the pervasive problems facing Canadian society in addressing sexual violence, the non-consensual sharing of intimate images (meant in a non-legal sense), and intimate partner abuse.

Facts at Hand

Due to how the parliamentary video system is configured, the only people who could have witnessed this incident were either other MPs or parliamentary staff members on the video conference. This meant that while the meeting was open to the public the actual video stream capturing the MP’s state of undress was (at the time) only visible to a relatively small group of people. At least one member of that small group took a photo of the MP and subsequently shared it. The image has, subsequently, been shared by the press and by individuals on social media, though admittedly with some censorship applied to the image. Unsurprisingly, this led to a number of jokes about the MP, their state of undress, the MP being too transparent, and more. 

Unlike many others, I did not find the non-consensual sharing of the image to be particularly funny. Instead, I quickly and publicly raised the question of whether the MP or staff member who shared the image, or the offending MP’s party, would be willing to come before the Canadian public and explain why their actions did not contravene Section 162.1 of the Criminal Code of Canada. This part of the Criminal Code makes it a criminal offence to publish an intimate image without consent. I also firmly stated that I was disgusted by the image having been shared and that I thought whoever shared it should be disciplined.

The first question is: did an MP or staffer potentially violate 162.1 in sharing the image, setting aside potential parliamentary privileges that may shield parliamentarians from investigation or charges?

Intimate Images and the Criminal Code of Canada

To potentially be guilty of violating the Criminal Code in sharing this image, the MP’s or parliamentary staffer’s actions must satisfy a set of criteria.

Whoever shared the image certainly knowingly published, distributed, transmitted, or made available “an intimate image of a person knowing that the person depicted in the image did not give their consent to that conduct” (162.1(1)). If the rest of section 162.1 of the Criminal Code is satisfied then that individual is guilty of an offence and, on indictment, “liable to imprisonment for a term of not more than five years” (162.1(1)(a)).

Moving on, per the Code, an intimate image “means a visual recording of a person made by any means including a photographic, film or video recording” (162.1(2)) where the following conditions are met:

(a) in which the person is nude, is exposing his or her genital organs or anal region or her breasts or is engaged in explicit sexual activity; 

(b) in respect of which, at the time of the recording, there were circumstances that gave rise to a reasonable expectation of privacy; and 

(c) in respect of which the person depicted retains a reasonable expectation of privacy at the time the offence is committed.

The MP was certainly nude, satisfying 162.1(2)(a). They were in their own home, which would normally weigh towards satisfying 162.1(2)(b) but, in this case, the MP was also (unintentionally) broadcasting their image. So, in a sense, this may suggest that the MP lacked a reasonable expectation of privacy. However, there are extenuating facts. Members of Parliament are not permitted to take images of screens and, as such, there may be some kind of reasonable expectation of privacy insofar as MPs can expect that their image will not be captured or shared based on what is broadcast to other MPs but not to the public. Attenuating this potential reasonable expectation of privacy is that the MP whose image was captured was visible exclusively to other MPs and parliamentary staff members, which indicates that this was potentially a kind of semi-public situation. Canadian courts have tended to take a sympathetic view of what constitutes a reasonable expectation of privacy, though whether they would recognize this situation as meeting the standard would need more substantial assessment than I will provide here.

However, for the sake of the analysis, let’s imagine that 162.1(2) is satisfied. Does the party who shared the image have a defense if that’s the case? I doubt it. 

The Criminal Code states at 162.1(3) that “[n]o person shall be convicted of an offence under this section if the conduct that forms the subject-matter of the charge serves the public good and does not extend beyond what serves the public good.” I cannot imagine a situation where capturing and sharing the image serves the public good. In clarifying 162.1(3), section 162.1(4) lays out that:

(a) it is a question of law whether the conduct serves the public good and whether there is evidence that the conduct alleged goes beyond what serves the public good, but it is a question of fact whether the conduct does or does not extend beyond what serves the public good; and

(b) the motives of an accused are irrelevant.

I would suspect that if a court was convinced that the elements of 162.1(2) were satisfied then the public good defence in 162.1(3), as clarified by 162.1(4), would not save the offending MP’s or staffer’s behaviour.

Broader Non-Criminal Code Analysis

Even if the person who initially shared the image did not violate the Criminal Code either because of the arcane nature of parliamentary rules, because the image doesn’t meet the definition of 162.1(2), or simply because no criminal charge is brought against them, the act of sharing this image has real-world implications. In essence, while there is an understandable attraction to asking whether someone violated the law we need to broaden our mode of analysis to appreciate the harms of sharing these kinds of images. 

First, it’s useful to remind ourselves that the man whose image was captured and shared almost immediately apologized for his lack of decorum. As someone who inadvertently engaged in a behaviour that (clearly) ran counter to professional standards, he owned up to the mistake and committed to being more studiously careful in the future.

Second, the man is conventionally attractive and because of this status he, as a man, is generally expected by members of society to roll with the comments: it’s embarrassing but there is an expectation that this is ‘funny’. However, imagine that it had been a woman, or someone who is transgender, or someone undergoing a gender transition whose image had been captured. Were this the case I am certain that, first, there would be much crueler commentary (revealing structural sexism) and, second, that people would broadly leap up and (rightly) insist that the commentary was wrong and inappropriate. Simply because it was a man who was captured on camera does not make it ‘funny’; the very perception that this incident should be treated as funny reifies some of the challenges facing men who are victims or survivors of sexual harassment, assault, and intimate partner violence.

When members of society make fun of men who have been the subject of sexual violence, the non-consensual sharing of their intimate images (meant in a non-legal sense), and intimate partner abuse, then men more broadly learn that they shouldn’t come forward to report or discuss these kinds of harms on the basis that they aren’t ‘harmed’ in the eyes of society. While less discussed, men are indeed victims and survivors of assault, abuse, sexual blackmail, and harassment. As a society we need to get a lot better at appreciating these forms of violence towards men and at creating a culture where they can come forward without an expectation of their being ‘weak’ or ‘not getting the joke’. I say this while recognizing that, proportionally, women, and members of the lesbian, gay, bisexual, transgender, queer or questioning, and two-spirit (LGBTQ2+) communities suffer from these harms more regularly and disproportionately than straight men. Nonetheless, if we are to develop societies that are more inclusive, that encourage men to develop emotional intelligence and sensitivity, and that broadly combat sexism and the pervasive and pernicious ills of sexual violence, then it’s important that we take harms towards men as seriously as we do for other members of society who also suffer from sexual violence, non-consensual sharing of intimate images, and intimate partner abuse.

Lesson Drawing

So, was a crime committed? That’s a good question, and I’ll ultimately leave it to lawyers to argue about the nuances of how Canadian case law and the depths of our privacy law intersect with Section 162.1 of the Criminal Code. But while the law is an important point of discussion, the discussion cannot stop and end at the law’s edge. More significantly, the idea that someone thought it was appropriate (and, likely, just funny) to share the image of an unclothed male member of parliament underscores the amount of work that Canadian society–inclusive of Canadian elites–has ahead of it in the ongoing efforts to address sexual violence, non-consensual sharing of intimate images, and intimate partner violence.

I suspect that the MP or parliamentary staffer who shared the image did so without a deep sense of malice in their heart. I half suspect it was a near-thoughtless action. But the very fact that they thought it was appropriate or funny to share this image reveals how sexual harassment and violence structurally pervades Canadian society. Such activities are often legitimized by way of humour and, in doing so, showcase the depths at which these behaviours are normalized. In short, the very sharing of the image serves to remind us of the circumstances of structural sexual violence that we operate in, each and every day. 

How can things ‘move forward’? On the one hand, I hope that the offending MP or staffer comes forward. I would rush to state that I don’t think that this means that the Criminal Code should necessarily be thrown at them! Instead, I think that it’s important for the person to make themselves publicly accountable for censure and take responsibility for their action, as the male MP did for his inappropriate state of dress. I don’t believe that every, or even most, social ills are best solved by turning to the law.

But more substantively, I think that the best thing that can come from this situation is to hopefully provoke introspection about the biases that we all carry with us concerning sexual violence. Why did we, or our friends or family or colleagues, think that this incident was funny? What does our sense of this being funny reveal about the structural conditions of sexual violence that we operate within? What can we learn from our reactions, and how might we have behaved if we’d applied a bit more introspection? How can we have conversations with other people about sexual violence to better appreciate and understand how pervasive it is in our society, and what roles can and should we assume to combat these kinds of ills?

To be clear, I think that it is the work of each individual to think through these issues either on their own or in conversation with others who express an interest in the conversation. I don’t think that it’s the role of those who have been affected by sexual violence, the non-consensual sharing of their intimate images, and intimate partner abuse to do the labour to educate the rest of the population; they’re obviously free to do so, but cannot and should not be expected to do so.

I truly believe that, on the whole, Canadians really do want to have an inclusive and equitable society. To get closer to this ideal we all have to play a role in opposing, and working to overcome, historical structural and social harms. In part, this means reflecting more seriously on structural sexual harms, inclusive of those directed towards men, and the norms surrounding and often justifying or setting aside these harms. Hopefully this unfortunate parliamentary incident fosters at least some of those conversations and reflections so that something positive can come out of this affair.

The Information Security Cultures of Journalism

(Photo by Charles Deluvio on Unsplash)

I’ve had the pleasure to work with a series of colleagues over the past few years to assess and better understand the nature of security practices which are adopted by journalists around the world. Past outputs from this work have included a number of talks, an academic article by one of my co-authors, Lokman Tsui, and a Columbia Journalism Review article by Joshua Oliver. Most recently, several of us have published an article entitled “The Information Security Cultures of Journalism” in Digital Journalism.

Abstract:

This article is an exploratory study of the influence of beat and employment status on the information security culture of journalism (security-related values, mental models, and practices that are shared across the profession). The study is based on semi-structured interviews with 16 journalists based in Canada in staff or freelance positions working on investigative or non-investigative beats. We find that journalism has a multitude of security cultures that are influenced by beat and employment status. The perceived need for information security is tied to perceptions of sensitivity for a particular story or source. Beat affects how journalists perceive and experience information security threats. Investigative journalists are concerned with surveillance and legal threats from state actors including law enforcement and intelligence agencies. Non-investigative journalists are more concerned with surveillance, harassment, and legal actions from companies or individuals. Employment status influences the perceived ability of journalists to effectively implement information security. Based on these results we discuss how journalists and news organisations can develop effective security cultures and raise information security standards.

Canada’s New and Irresponsible Encryption Policy: How the Government of Canada’s New Policy Threatens Charter Rights, Cybersecurity, Economic Growth, and Foreign Policy

Photo by Marco Verch (CC BY 2.0) https://flic.kr/p/RjMXMP

The Government of Canada has historically opposed the calls of its western allies to undermine the encryption protocols and associated applications that secure Canadians’ communications and devices from criminal and illicit activities. In particular, over the past two years the Minister of Public Safety, Ralph Goodale, has communicated to Canada’s Five Eyes allies that Canada will neither adopt nor advance an irresponsible encryption policy that would compel private companies to deliberately inject weaknesses into cryptographic algorithms or the applications that facilitate encrypted communications. This year, however, the tide may have turned, with the Minister apparently deciding to adopt the very irresponsible encryption policy position he had previously steadfastly opposed. To be clear, should the Government of Canada, along with its allies, compel private companies to deliberately sabotage strong and robust encryption protocols and systems, then basic rights and freedoms, cybersecurity, economic development, and foreign policy goals will all be jeopardized.

This article begins by briefly outlining the history and recent developments in the Canadian government’s thinking about strong encryption. Next, the article showcases how government agencies have failed to produce reliable information which supports the Minister’s position that encryption is significantly contributing to public safety risks. After outlining the government’s deficient rationales for calling for the weakening of strong encryption, the article shifts to discuss the rights which are enabled and secured as private companies integrate strong encryption into their devices and services, as well as why deliberately weakening encryption will lead to a series of deeply problematic policy outcomes. The article concludes by summarizing why it is important that the Canadian government walk back from its newly adopted irresponsible encryption policy.


Practical Steps To Advance Cybersecurity in Canada’s Financial Sector

Last week I appeared before the Standing Committee on Public Safety and National Security (SECU) to testify about Cybersecurity in the financial sector as a national economic security issue. I provided oral comments to the committee which were, substantially, a truncated version of the brief I submitted. If so interested, my oral comments are available to download, and what follows in this post is the actual brief which was submitted.

Introduction

  1. I am a research associate at the Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto. My research explores the intersection of law, policy, and technology, with a focus on national security, data security, and data privacy issues. I submit these comments in a professional capacity representing my views and those of the Citizen Lab.

The State of Computer Insecurity

  1. Canadian government agencies, private businesses and financial institutions, and private individuals rely on common computing infrastructures. Apple iPhones and Android-based devices are used for professional and private life alike, just as are Microsoft Windows and MacOS. Vulnerabilities in such mobile and personal computing operating systems can prospectively be leveraged to obtain access to data on the targeted devices themselves, or utilized to move laterally in networked computing environments for reconnaissance, espionage, or attack purposes. Such threats are accentuated in a world where individuals routinely bring their own devices to the workplace, raising the prospect that personal devices can be compromised to obtain access to more tightly secured professional environments.
  2. The applications that we rely on to carry out business, similarly, tend to be used across the economy. Vulnerabilities in customer service applications, such as mobile banking applications, affect all classes of businesses, government departments, and private individuals. Also, underlying many of our commonly used programs are shared libraries, application programming interfaces (API), and random number generators (RNG); vulnerabilities in such codebases are shared by all applications incorporating these pieces of code, thus prospectively endangering dozens, hundreds, or thousands of applications and systems. This sharing of software between the public and private sector, and professional and private life, is becoming more common with the growth of common messaging, database, and storage systems, and will only become more routine over time.
  3. Furthermore, all sectors of the economy are increasingly reliant on third-party cloud computing services to process, retain, and analyze data which is essential to business and government operations, as well as personal life. The servers powering these cloud computing infrastructures are routinely found to have serious vulnerabilities either in the code powering them or, alternately, as a result of insufficient isolation of virtual servers from one another. The result is that vulnerabilities or errors in setting up cloud infrastructures prospectively enable third-parties to inappropriately access, modify, or exfiltrate information.
  4. In summary, the state of computer insecurity is profound. New vulnerabilities are discovered — and remediated — every day. Each week new and significant data breaches are reported on by major media outlets. And such breaches can be used to either engage in spearphishing — to obtain privileged access to information that is possessed by well-placed executives, employees, or other persons — or blackmail — as was threatened in the case of the Ashley Madison disclosures — or other nefarious activities. Vulnerabilities affecting computer security, writ large, threaten the financial sector and all other sectors of the economy, with the potential for information to be abused to the detriment of Canada’s national security interests.

Responsible Encryption Policies

  1. Given the state of computer (in)security, it is imperative that the Government of Canada adopt and advocate for responsible encryption policies. Such policies entail commitments to preserving the right of all groups in Canada — government, private enterprises, and private individuals — to use computer software using strong encryption. Strong encryption can be loosely defined as encryption algorithms for which no weakness or vulnerability is known or has been injected, as well as computer applications that do not deliberately contain weaknesses designed to undermine the effectiveness of the aforementioned algorithms.
  2. There have been calls in Canada,1 and by law enforcement agencies in allied countries,2 to ‘backdoor’ or otherwise weaken the protections that encryption provides. Succumbing to such calls will fundamentally endanger the security of all users of the affected computer software3 and, more broadly, threaten the security of any financial transactions which rely upon the affected applications, encryption algorithms, or software libraries.
  3. Some of Canada’s closest allies, such as Australia, have adopted irresponsible encryption policies which run the risk of introducing systemic vulnerabilities into the software used by the financial sector, as well as other elements of the economy and government functions.4 Once introduced, these vulnerabilities might be exploited by Australian intelligence, security, or law enforcement agencies in the course of their activities but, also, by actors holding adversarial interests towards Canada or the Canadian economy. Threat activities might be carried out against the SWIFT network, as just one example.5
  4. It is important to note that even Canada’s closest allies monitor Canadian banking information, often in excess of agreed upon surveillance mechanisms such as FINTRAC. As one example, information which was publicly disclosed by the Globe and Mail revealed that the United States of America’s National Security Agency (NSA) was monitoring Royal Bank of Canada’s Virtual Private Network (VPN) tunnels. The story suggested that the NSA’s activities could be a preliminary step in broader efforts to “identify, study and, if deemed necessary, “exploit” organizations’ internal communications networks.”6
  5. Access to strong, uncompromised encryption technology is critical to the economy. In a technological environment marked by high financial stakes, deep interdependence, and extraordinary complexity, ensuring digital security is of critical importance and extremely difficult. Encryption helps to ensure the security of financial transactions and preserves public trust in the digital marketplace. The cost of a security breach, theft, or loss of customer or corporate data can have devastating impacts for private sector interests and individuals’ rights. Any weakening of the very systems that protect against these threats would represent irresponsible policymaking. Access to strong encryption encourages consumer confidence that the technology they use is safe.
  6. Given the aforementioned threats, I ​recommend​ that the Government of Canada adopt a responsible encryption policy. Such a policy would entail a firm and perhaps legislative commitment to require that all sectors of the economy have access to strong encryption products, and would stand in opposition to irresponsible encryption policies, such as those calling for ‘backdoors’.

Vulnerabilities Equities Program

  1. The Canadian government presently has a process in place whereby the Communications Security Establishment (CSE) obtains computer vulnerabilities and ascertains whether to retain them or disclose them to private companies or software maintainers so that the vulnerabilities can be remediated. The CSE is motivated to retain vulnerabilities to obtain access to foreign systems as part of its signals intelligence mandate and, also, to disclose certain vulnerabilities to better secure government systems. To date, the CSE has declined to make public the specific process by which it weighs the equities in retaining or disclosing these vulnerabilities.7 It remains unclear if other government agencies have their own equities processes. The Canadian government’s current policy stands in contrast to that of the United States of America, where the White House has published how all federal government agencies evaluate whether to retain or disclose the existence of a vulnerability.8
  2. When agencies such as the CSE keep discovered vulnerabilities secret to later use them against specific targets, the unpatched vulnerabilities leave critical systems open to exploitation by other malicious actors who discover them. Vulnerability stockpiles kept by our agencies can be uncovered and used by adversaries. The NSA’s and Central Intelligence Agency’s (CIA) vulnerabilities have been leaked in recent years,9 with one of the NSA vulnerabilities used by malicious actors to cause at least $10B in commercial harm.10
  3. As it stands, it is not clear what considerations guide Canada’s intelligence agencies’ decision-making process when they decide whether to keep a discovered vulnerability for future use or to disclose it so that it is fixed. There is also no indication that potentially impacted entities such as private companies or civil society organizations are involved in the decision-making process.
  4. To reassure Canadian businesses, and make evident that Canadian intelligence and security agencies are not retaining vulnerabilities which could be used by non-government actors to endanger Canada’s financial sector by way of exploiting such vulnerabilities, I would recommend that the Government of Canada publicize its existing vulnerabilities equities program(s) and hold consultations on its effectiveness in protecting Canadian software and hardware that is used in the course of financial activities, amongst other economic activities.
  5. Furthermore, I would recommend that the Government of Canada include the business community and civil society stakeholders in the existing, or reformed, vulnerabilities equities program. Such stakeholders would be able to identify the risks that retaining certain vulnerabilities poses to the Canadian economy, such as prospectively facilitating ransomware, data deletion, data modification, identity theft for commercial or espionage purposes, or data access and exfiltration to other nation-states’ advantage.

Vulnerability Disclosure Programs

  1. Security researchers routinely discover vulnerabilities in systems and software that are used in all walks of life, including in the financial sector. Such vulnerabilities can, in some cases, be used to inappropriately obtain access to data, modify data, exfiltrate data, or otherwise tamper with computer systems in ways which are detrimental to the parties controlling the systems and associated computer information. Relatively few organizations, however, have explicit procedures that guide researchers in how to responsibly disclose such vulnerabilities to the affected companies. Disclosing vulnerabilities absent a disclosure program can lead companies to inappropriately threaten litigation against whitehat security researchers, and the prospect of such threats reduces the willingness of researchers to disclose vulnerabilities absent a vulnerability disclosure program.11
  2. Responsible disclosure of vulnerabilities typically involves the following. First, companies make clear to whom vulnerabilities can be reported, assure researchers they will not be legally threatened for disclosing vulnerabilities, and explain the approximate period of time the company will take to remediate a reported vulnerability. Second, researchers commit to not publicly disclosing the vulnerability until either a certain period of time (e.g. 30-90 days) has elapsed since the report, or until the vulnerability is patched, whichever occurs first. The delimitation of a time period before the vulnerability is publicly reported is designed to encourage companies to quickly remediate reported vulnerabilities, as opposed to waiting for excessive periods of time before doing so.
  3. I would recommend that the Government of Canada undertake, first, to establish a draft policy that financial sector companies, along with companies in other sectors, could adopt and which would establish the terms under which computer security researchers could report vulnerabilities to financial sector companies. Such a disclosure policy should establish to whom vulnerabilities are reported, how reports are treated internally, and how long it will take for a vulnerability to be remediated, and should insulate security researchers from legal liability so long as they do not publicly disclose the vulnerability ahead of the established period of time.
  4. I would also recommend that the Government of Canada ultimately move to mandate the adoption of vulnerability disclosure programs for its own departments, given that they could be targeted by adversaries for the purposes of financially advantaging themselves to Canada’s detriment. Such policies have been adopted by the United States of America’s Department of Defense12 and explored by the State Department,13 to the effect of having hundreds of vulnerabilities reported and subsequently remediated. Encouraging persons to report vulnerabilities to the Government of Canada will reduce the likelihood that the government’s own infrastructures are successfully exploited to the detriment of Canada’s national interests.
  5. Finally, I would recommend that our laws around unauthorized access be studied with an eye towards determining if they are too broad in their chilling effect on legitimate security researchers.

Two Factor Authentication Processes

  1. Login and password pairs are routinely exfiltrated from private companies’ databases. Given that many individuals either use the same pair across multiple services (e.g. for social media as well as for professional accounts) and, also, that many passwords are trivially guessed, it is imperative that private companies’ online accounts incorporate two factor authentication (2FA). 2FA refers to a situation where an individual must be in possession of at least two ‘factors’ to obtain access to their accounts. The ‘factors’ most typically used for authentication include something that you know (e.g. a PIN or password), something you have (e.g. hardware token or random token generator), or something that you are (biometric, e.g. fingerprint or iris scan).14
  2. While many financial sector companies use 2FA before employees can obtain access to their professional systems, the same is less commonly true of customer-facing login systems. It is important for these latter systems to also have strong 2FA to preclude unauthorized third parties from obtaining access to personal financial accounts. Such access can lead to better understandings of whether persons could be targeted by a foreign adversary for espionage recruitment; can cause personal financial chaos (e.g. transferring monies to a third party, cancelling automated bill payments, etc.) designed to distract a person while a separate cyber activity is undertaken (e.g. distracting a systems administrator with personal financial problems while attempting to penetrate sensitive systems or accounts the individual administers); or can direct money to parties on terrorist watchlists.
  3. Some Canadian financial institutions do offer 2FA but typically default to a weak second factor, namely one-time codes delivered over SMS. This is problematic because SMS is a weak communications medium, and can be easily subverted by a variety of means.15 This is why entities such as the United States’ National Institute of Standards and Technology no longer recommend SMS as a two factor authentication channel.16
  4. To improve the security of customer-facing accounts, I recommend that financial institutions be required to offer 2FA to all clients and, furthermore, that such authentication utilize hardware or software tokens (e.g. one time password or random token generators). Implementing this recommendation will reduce the likelihood that unauthorized parties will obtain access to accounts for the purposes of recruitment or disruption activities.

Organizational Information

  1. The views I have presented are my own and based out of research that I and my colleagues have carried out at my place of employment, the Citizen Lab. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
  2. We use a “mixed methods” approach to research combining practices from political science, law, computer science, and area studies. Our research includes: investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities.

1 RCMP’s ability to police digital realm ‘rapidly declining,’ commissioner warned, https://www.cbc.ca/news/politics/lucki-briefing-binde-cybercrime-1.4831340.
2 In the dark about ‘going dark’, https://www.cyberscoop.com/fbi-going-dark-encryption-ari-schwartz-op-ed/.
3 See: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, https://dspace.mit.edu/handle/1721.1/97690; Shining A Light On The Encryption Debate: A Canadian Field Guide, https://citizenlab.ca/2018/05/shining-light-on-encryption-debate-canadian-field-guide/.
4 Civil Society Letter to Australian Government, February 21, 2019, https://newamericadotorg.s3.amazonaws.com/documents/Coalition_comments_Australia_Assistance_and_Access_Law_2018_Feb_21_2019.pdf; Australia’s Encryption Law Deals a Serious Blow to Privacy and Security, https://nationalinterest.org/feature/australia’s-encryption-law-deals-serious-blow-privacy-and-security-39212.
5 That Insane, $81M Bangladesh Bank Heist? Here’s What We Know, https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/.
6 NSA trying to map Rogers, RBC communications traffic, leak shows, https://www.theglobeandmail.com/news/national/nsa-trying-to-map-rogers-rbc-communications-traffic-leak-shows/article23491118/.
7 When do Canadian spies disclose the software flaws they find? There’s a policy, but few details, https://www.cbc.ca/news/technology/canada-cse-spies-zero-day-software-vulnerabilities-1.4276007.
8 Vulnerabilities Equities Policy and Process for the United States Government (November 15, 2017), https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF.
9 Who Are the Shadow Brokers?, https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/; WikiLeaks Starts Releasing Source Code For Alleged CIA Spying Tools, https://motherboard.vice.com/en_us/article/qv3xxm/wikileaks-vault-7-vault-8-cia-source-code.
10 The Untold Story of NotPetya, the Most Devastating Cyberattack in History, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.
11 Vulnerability Disclosure Policies (VDP): Guidance for Financial Services, https://www.hackerone.com/sites/default/files/2018-07/VDP%20for%20Financial%20Services_Guide%20%281%29.pdf.
12 The Department of Defense wants more people to ‘hack the Pentagon’ — and is willing to pay them too, https://www.businessinsider.com/department-defense-wants-people-hack-pentagon-2018-10; DoD Vulnerability Disclosure Policy, https://hackerone.com/deptofdefense.
13 House panel approves bill to ‘hack’ the State Department, https://thehill.com/policy/cybersecurity/386897-house-panel-approves-bill-to-hack-the-state-department.
14 Office of the Privacy Commissioner of Canada Privacy Tech-Know Blog – Your Identity: Ways services can robustly authenticate you, https://www.priv.gc.ca/en/blog/20170105/.
15 Cybercriminals intercept codes used for banking to empty your accounts, https://www.kaspersky.com/blog/ss7-hacked/25529/; AT&T gets sued over two-factor security flaws and $23M cryptocurrency theft, https://www.fastcompany.com/90219499/att-gets-sued-over-two-factor-security-flaws-and-23m-cryptocurrency-theft.
16 Standards body warned SMS 2FA is insecure and nobody listened, https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/.