The best defence, some say, is a good offence.
A contentious bill currently before Parliament is attempting to follow that, by allowing Canada’s electronic security agency to launch offensive cyber operations against foreign powers or groups considered a threat to national security.
The Communications Security Establishment Act, part of Bill C-59, would allow the highly secretive Communications Security Establishment (CSE) “to take action online to disrupt foreign threats, including activities to protect our democratic institutions, to counter violent extremism and terrorist planning, or to counter cyber aggression by foreign states.”
The bill has come under scrutiny for its potential privacy implications, among other things.
In December, the University of Toronto’s Citizen Lab, part of the Munk School of Global Affairs, outlined its concerns with the legislation and CSE practices, some of which it says are “predicated on ambiguous and secretive legal interpretations that legitimize bulk collection and mass surveillance activities.”
The U of T report cited a “complete lack of meaningful oversight and control of the CSE’s activities under the proposed active and defensive cyber operations aspects of its mandate.”
In a rare public appearance,
at the Ottawa Conference on Security and Defence, the agency’s associate chief Shelly Bruce said such actions would be subject to strict legal parameters and approvals from government’s highest levels.
They could be used to prevent a terrorist’s mobile phone from detonating a car bomb, she said, to disable a terrorist communications infrastructure or covertly disrupt a foreign threat from interfering in Canada’s democratic processes.
But the law, included in sweeping legislation governing security and spy operations, would prohibit the use of offensive tools against Canadians or global infrastructure based in Canada.
The bill would also limit offensive cyber operations to reasonable and proportionate actions, said Bruce, and it would not allow actions that would violate clearly defined principles.
“It has to be against foreign targets; it has to be conducted offshore,” she said. “It has to be reasonable, necessary and proportionate. It cannot obstruct justice or democracy and it cannot cause death or bodily harm.
“So there are lots of restrictions built into that and I think that, coupled with the review [provisions in the legislation], these are all checks and balances that can help assure Canadians that these powers would not be used frivolously or recklessly.”
The two-day meeting sponsored by the Conference of Defence Associations Institute attracted some 600 attendees, including defence and public safety officials, along with key academics and industry players. The Conference of Defence Associations is an umbrella group for several organizations concerned with defence and security, of which The Royal Canadian Legion is the largest.
This year’s symposium was based on the theme Canadian Security and Defence in the New World (dis) Order and looked at issues such as shifting demographics, future defence challenges, North Korean aggression and Norad’s evolving role.
The only woman to appear as a panelist in any of the four discussions, Bruce presented a sobering summary of the challenges currently confronting Canada’s defenders of cyber security.
She said her agency blocks up to a billion reconnaissance scans for vulnerabilities in federal government networks every day, along with more than 25 million direct attempts to install malicious software and over 90,000 malicious attempts to access government databases.
“Over the decades, those of us whose core business has taken place in cyberspace have been very busy building capability and tradecraft, providing advice and guidance, delivering intelligence and critical services to defend Canadian government systems,” said Bruce.
“Cyber security [has become] very much a mainstream issue to the public and private sectors alike, and to Canadians more generally.”
The stakes are self-evident: countering system compromises is expensive and time-consuming, yet attacks can obstruct government operations, compromise information and reputations, and worse.
The CSE said last June that it expects hackers and disinformation campaigns will attempt to interfere in the next Canadian federal election.
“Cyber threats against democratic processes are increasing around the world,” CSE chief Greta Bossenmaier said at the time. “They are targeting political parties and politicians to coerce, manipulate or publicly discredit individuals.
“They are targeting traditional and social media, to manipulate and influence the public discussion or reduce trust in the democratic process. And Canada is not immune to these threats.”
But effective cyber operations come at what cost?
The U of T report referenced the agency’s questionable privacy and human rights record and cited the bill’s “absence of meaningful safeguards or restrictions on the CSE’s active and defensive cyber operations activities.” It said that shortcoming could “seriously threaten secure communications tools, public safety, and global security.”
It also expressed concerns that CSE acquisition of malware, spyware and hacking tools could “legitimize a market predicated on undermining and subverting, rather than strengthening, the security of the global information infrastructure.”
It said the Act’s protections for Canadians are “weak and vague” and represent “an abject disregard for privacy rights as an international human rights norm.” The law will “significantly expand the CSE’s ability to use its expansive powers domestically,” it said.
And it had “serious issues” with CSE technical and operational assistance to other entities, including Canadian law enforcement.
CSE help, said the report, may provide “capabilities that would otherwise be illegal or unconstitutional for domestic partners to develop, use or possess, or which would be inherently disproportionate if deployed in those contexts.”
Bruce said it is not the agency’s job to promote or defend the proposed legislation, but she told the conference the pervasive and interconnected nature of the Internet means “we all have to think of cybersecurity more often and think of ways to work together more effectively to raise our cyber defences.”
Janis Sarts, director of the North Atlantic Treaty Organization’s Strategic Communications Centre of Excellence in Riga, Latvia, said the power—and vulnerabilities—of communication technologies cannot be underestimated.
“In my view, we’re going through the biggest change in information consumption since Gutenberg invented the printing press,” he told a panel on disorder.
The result of that 16th century change, he pointed out, was 100 years of war across Europe based on differing religious beliefs. He said the acquisition of accurate, objective and relevant information is essential to democracy, and it has never been more at risk.
He said 80 per cent of people receive information digitally and digital is the primary source of information for 60 per cent. Most people go to social media for news, where their accounts are populated by friends, colleagues and relatives—people with similar views—and site metrics feed them what they tend to like.
“We always had these cognitive biases,” said Sarts. “But now we increasingly can satiate our cultural biases by [consuming] information we already believe in. That means we’re increasingly not able to see the other points of view.”
In Latvia, where a Canadian-led NATO battle group is the target of a Russian disinformation campaign, 40 per cent of related English-language Twitter posts come from robots. In Russian, the figure is 80 per cent.
Russian and Chinese cyber operations, Sarts reminded delegates, are not just about infiltrating systems.
“Remember,” he said, “at the end of a device typically is a human brain. So what they are trying to do is not only infiltrate the device but actually crack the brain. Crack the brain and get an effect. That is what you do when go for an election.”
Undermine an election and you undermine trust; undermine trust and you take away the legitimacy of power, said Sarts. “If you combine robotics, big data and artificial intelligence [to direct opinion and decision-making], we’re coming close to the notion: Is there still a free will?”
Advertisement