Distributed security in the cyber ecosystem

Named to the Order of Ontario in January, Ron Deibert, a professor of political science and director of the Citizen Lab at the Munk School of Global Affairs, is a leading voice on digital technology, advising governments and international organizations about issues related to cyber security . He spoke with Joshua P. Samac.

In one of your recent publications, you mention that cyber security discussions lack first order conceptualization of how cyber space as a global medium of open and distributed communication is in Canada’s interest. There really is no conception of what cyber space actually is, is there?

No, and I would say that, going further, there is no appreciation of the political philosophy that underlines what it is that we are securing in the first place. There is a tendency when dealing with technological issues, in general, to think of technical functional solutions (if only we had a fix for this hole all would be fine) and you can see this in many of the approaches to cyber security. Going further, there is an instinct, once security is involved or when something is securitized – we tend to default onto the Realist tradition and all that it entails.

Realism very much espouses those things we would most closely associate with security dimension of international politics.

I think that in this space, the tendency toward both the technical functional solution and the realist paradigm mentioned above might be counterproductive to the environment that we want to create and that we value in the first place. Thinking those through is really important, because you can see tendencies in this and other liberal democratic countries to throw the baby out with the bathwater, so to speak. In doing so, we legitimize policies and practices that we criticize.

Such as?

Lawful access, to name but one. Bill C-30, before it was shelved, would have provided law enforcement with extraordinary powers and would have imposed a huge burden on the private sector to police the Internet without much protection for civil liberties or privacy. If we are doing this sort of thing to secure cyber space, we are losing sight of what we are securing in the first place and undercutting the foundation of our liberal democratic society.

So we may be a liberal democratic society in the physical world but by conceptualizing cyber space through this realist paradigm dominated by the need to secure things and counterbalance our enemies, we are losing sight of our liberal democratic foundations?

Exactly. Most people would agree that, at a fundamental level, we should have an open communications environment that is highly distributed. This means that we can all access it and communicate with each other in an unfettered manner. This is the democratization of communication and access to information. If we lose sight of this to control the bad things that go along with it, then we lose sight of what’s valuable about it in the first place.

Meanwhile, I think there is an approach that is much better suited to this ideal domain that we have in mind that we shouldn’t throw away, but it just may need bolstering. What I am talking about is this distributed approach to security that has been at the heart of the Internet since the beginning. This is precisely why it runs so well today. Not because we have one agency in control managing it, but because of the cumulative impact of decisions of a variety of engineers and policymakers that help keep it functioning securely.

You are suggesting that the distributed security approach is actually compatible with our liberal democratic roots?

Well, what I’m trying to counter is the dichotomy that you either have states and security agencies involved in governing cyberspace and all that is involved in the realist tradition or some kind of anarchy. I think that neither of these sides of the spectrum are productive. Interestingly enough, the distributed security approach doesn’t necessarily fall in between these perspectives. All it means is to configure public authority in such a way that it has an appropriate framework around it and checks and balances.

In another of your works, you mention how a recent study ranks Canada as the sixth most likely country to host servers running malicious programs. Why is this so? Is there something inherently Canadian or democratic that makes Canadian servers particularly vulnerable? And how does this compare to undemocratic servers that may not be as vulnerable such as the Great Firewall of China?

They (China) probably rank number one. Largely because their cyber infrastructure is so insecure, and as it turns out there is large political interest in keeping it that way both in China – and elsewhere for that matter. I don’t think, however, that it relates to democracy. Canada’s vulnerability entirely depends on its information and communication technology. Like many countries, we haven’t thought through cyber security, which translates into a lack of coordination or information sharing. The fact that we are likely to host malicious programs goes back to our liberal democratic roots.

Are there any particular models that stand as an ideal approach to cyber security?

I think that what is coming out of the EU indicates a recognition of the understanding of those first order questions mentioned earlier. There is a sophistication in their approach. In the U.S., I’d say there is a messiness to it, but growing there is an understanding of the need for cooperation with the private sector and civil society – a recognition that this cannot be imposed top down.

Translating this into the Canadian context to achieve these levels of sophistication, what does that involve?

I think that we are still governed in the security domain with a Cold War mentality – something that is particularly evident in cyber space, as it crosses over into the particularly sensitive domain of signals intelligence. At the same time, the agencies that are the lead for signals intelligence are the same agencies that are the lead for cyber security. I think this is a dangerous pathway to head down. Arguably, those agencies should be exposed to greater oversight, especially in a world of big data, where so much private information is entrusted to third parties transiting through public networks. Meanwhile ombuds offices and privacy commissioners should be given more power when it comes to cyber security. The government has a role to play here, too, in terms of setting the playing field. Data breach laws, for instance, should require private companies to notify when their networks have been breached – something that would impose a degree of liability in being accountable for their own networks.

Along those lines, could you say that our dismissal of foreign private companies like Huawei might be indicative of a maturing approach?

I’d be careful about a company like Huawei because it does come from a country where there is a close relationship between the party elite and some of the state corporations. Huawei, in particular, has a close connection to the Peoples Liberation Army, and the Chinese government has been particularly aggressive when it comes to cyber controls and cyber espionage. When some of their routers have been subjected to scrutiny, they’ve been found to be very poorly coded and insecure for just that reason.

There was a U.S. House Intelligence Committee report that cited these concerns. Was our dismissal of Huawei almost too obvious to miss?

To me, it begs the question as to why we’re not scrutinizing other companies in the same manner.

Speaking of Huawei and China brings us to this global dimension of cyber space. Elsewhere, you mention that what we do here in Canada can have important repercussions abroad and can “come home to bite us if we are not careful.” Most approaches in political theory seem at odds with this globally communal entity. We are very fixated on the state and definable and concrete borders – all of which seem to go out the window in the context of a cyber space discussion. So while first order theoretical discussions are important as to what cyber space is, I don’t think that we will find the Prime Minister engaging with international relations theorists on the philosophy behind cyber space. With that being said, what is needed to understand cyberspace in all its transcendental glory in a policy context?

Well, one thing that is missing that we can improve on is dialogue between different stakeholder communities. For instance, the way the Canadian Forces approaches cyber security is entirely different from the way civil society approaches it – and even within civil society there is vast difference. There needs to be a dialog for us to make progress on how we are going to govern this domain. That’s why I think that maybe something like the international telecommunications meeting in Dubai is a good meeting to have because at least it puts cyber space and its constitutive principles on the global agenda. We are at a constitutional moment in that people are beginning to think about what should be the foundational principles of cyber space. And that’s a good conversation to have because it opens up issue areas that may have otherwise have been buried beneath the surface.

That is a very fitting metaphor. Do you think this so-called constitutional moment is unprecedented?

Absolutely, because we have never before had a planetary communications infrastructure that we have now. This level of individual empowerment is unprecedented. We live in a small space and that space is now bound by a communications ecosystem that is highly democratized and its foundation is stirring and being overturned gradually as the centre of gravity moves to the Global South and East.

Do you have any Delphic predictions as to where you see cyber space moving and where you see our taken-for-granted consumption of this ecosystem going in, say, 30 years?

I think that there are a number of factors that are pushing us further and further away from what we have become accustomed to over the past 10 years, and that is away from an open democratic common-pool-resource of information and communication to something that is more controlled along national territorial lines that is subject to highly competitive interaction among state’s armed forces (there is an arms race in this space!). All of this together, combined with the demographic shift to the South and East, will likely put us in a much different communication environment unless we impose some kind of structure and oversight and discipline, if you will, in terms of how we govern this space. To do that we need to lift the lid on this technology and that begins by asking something as simple as, “what happens when I send this email? And where does that email go?” It is important to ask these questions rather than taking for granted these technologies that we so heavily rely on.

Do you see a role for global organizations such as NATO that are, in fact, very tied up in and reliant on this state-based need-to-be-securitized approach to global politics?

NATO is certainly acutely aware of cyber security and I think there are some interesting potential divisions within NATO that prove this. But the tendency right now is to develop some offensive capabilities and try to apply deterrence to cyber space which amplifies the military dimension and this moves us further and further away from the defensive posture. I think that this, generally, is counterproductive because it elicits the same response from our adversaries who may try to respond, but not using the same playbook. The Irans and Russias of the world may exploit the cyber criminal underworld to accomplish their form of active defense or deterrence in this space, which undermines the domain for all of us. This is why we need to see it as a common pool mixed resource – not quite a commons in the traditional sense because most of it is owned and operated by people who own our device, which is then part of this ecosystem that we share.

Does this move us from what is traditionally known as cyber security to this idea of cyber warfare?

There is no doubt that there is an ongoing arms race and, like all arms races, there is a political economy dimension to it that reinforces it at the same time. A huge military industrial complex has sprouted up around cyber space that is especially attractive to the likes of these massive Cold War giants like Boeing and Northrop Grumman. So, yes, we are moving in this dangerous direction, which ultimately is to no one’s benefit because we depend on this infrastructure being secure in order to communicate and access information. If we can’t do that in an open and secure fashion, then we are really lost because we have some major global problems (economic vitality aside) – the future of planet earth needs a common communications system that functions well and is open.

Do you think there might be some naivety among policymakers who might look at an argument like that and push it aside? After all (so the logic goes), cyber space yields no physical threat. Whereas in the Cold War the potential fall-out meant things like massive loss of life and irreparable damage to vital physical infrastructures, in the cyber context a massive attack might be seen as a temporary change that can relatively easily be reversed.

This line of thinking exists. There is a qualitative difference between a nuclear attack and a cyber attack and I think that the analogy is sometimes overwrought. But at the same time, Stuxnet demonstrated the potential of computer network operations to sabotage physical infrastructure because we are increasingly linking critical infrastructure to the Internet. Those infrastructure have been shown to be vulnerable. There would be severe consequences if a blackout or an all-out cyber war happened. Until now it has been all but laughed off. We haven’t devoted much resources to it but Chinese war plans have, built into them, degrading U.S. information capabilities.

And as of now, you would say policymakers are largely complacent to this reality?

Yes, even worse, I would say some of them are profiting off of it. Not so much in this country but in others.
Joshua P. Samac is an energy security expert with the Atlantic Council of Canada and recently completed an MA in International Relations at the University of Windsor.

Related posts

The security risks posed by interconnected systems

Stewart Downing
November 10, 2015

Vanguard unveils plans for C4ISR and Beyond 2020

Marcello Sukhdeo
September 23, 2019

The global C4ISR market predicted to reach $135B by 2027

Marcello Sukhdeo
March 11, 2020
Exit mobile version