Incidences of cyber espionage, computer network attacks, and cyber security now dominate news worldwide. Many governments are shoring up their cyber security; others are developing computer network attack capabilities as part of their doctrine. How is Canada approaching cyberspace?
The answer is troubling. At present, Canada has no foreign and security policy for cyberspace. There is no Canadian Cyber Command, such as that which was recently stood up in the United States, nor does Canada have an Office of Cyberspace in Foreign Affairs. We are not only miserably behind other countries in this respect; we have not even begun to form a strategic policy.
The absence of a comprehensive cyber strategy is a glaring vacuum. Canada has something unique to offer that meshes with our deeply held values and unique national experiences. The world needs a Canadian cyber agenda that is global, focused on norms and institutions of mutual restraint, and oriented around protecting cyberspace as a valuable global commons through which our interests can be projected.
Cyberspace is the first artificial environment that spans the entire globe. It is an all-encompassing domain comprised of multiple layers that ranges the physical to the virtual – from the hundreds of miles of undersea cable stretched deep beneath the ocean to the billions of lines of ever-mutating instructions that form the complex software ecology. It is the sinew of the global economy and the public sphere through which ideas are exchanged.
But cyberspace is a different domain from land, air, sea and space in that it is a human construct. It requires and is in turn affected by constant human tending. It can also be destroyed through intense competition, neglect and deliberate degradation.
Not that long ago cyberspace was an open public commons. Commentators at the time remarked with hubris that this was because of the technology, something mysterious and magical about it that prohibited controls. We now know such freedom was a historical artifact – more to do with a hands off approach to regulation and a general enthusiasm around the dot com explosion.
This first era of cyberspace, coinciding with the 1990s, gave rise to civic networks, NGOs, and a vast explosion of individual empowerment. But less well known were the myriad of dark nets, criminal organizations, and militants that benefited by the same technologies. In part because of the growing recognition of this dark side, states have gradually reasserted themselves in cyberspace, first through the erection of digital firewalls, and now increasingly through the introduction of more offensive techniques.
We are entering a dangerous phase as an arms race in cyberspace spirals out of control. At least a dozen countries now speak openly of embracing computer network attacks and exploitation as part of standard military doctrine. Militants, extremists, and criminal actors are also part of this growing threat environment. Even individuals launch cyber attacks with dangerous consequences.
Security is often seen, especially among engineers and computer scientists, as a technical-functional problem. But it is not so simple. Security is always a politically contested concept, depending on the object of security (that which is to be protected), the identification of threats, and the policies and values that are promoted.
Canadian cyber security policy is presently inchoate and narrow. In defence and intelligence circles, there is confusion about when to use cyber weapons, or even whether they are allowed – a kind of legal and regulatory fog. Public Safety Canada has taken the lead on defining critical infrastructure protection as part of that agenda, and that should be applauded as both necessary and important. But what is lacking is an articulation of a broader, comprehensive agenda that defines both domestic and foreign policy in a strategic fashion.
Canada is uniquely positioned to articulate an agenda around mutual restraint and security of cyberspace as an open global commons – essentially cyber space arms control. We are a large landmass dependent on telecommunications. We have a long history of experience with public broadcasting. We are home to some of the world’s greatest theorist of communications, including Harold Innis and Marshall McLuhan. We have, above all else, a great deal of expertise that could be marshaled to this end.
There are many challenges around cyberspace arms control, some of which have been voiced in recent policy debates in the United States. A good deal depends on what one means by arms control. If the model were to be something like the Cold War treaties signed between the U.S. and the Soviet Union that limited or outlawed certain classes of weapons, then cyber arms control is unrealistic. The core of cyber war is the use of information as a weapon. We live in an era when information is pervasive and plentiful and simply cannot be contained.
If, instead, the goal were a framework of international agreements focused on promoting norms of mutual behavior, clarification of jurisdictional responsibilities, and institutions designed to facilitate the exchange of information between security communities worldwide, much more can be done.
The challenges, however, are formidable, beginning with the fact that most of what we call cyberspace is owned and operated by private companies. Cooperation of those companies would be essential for any arms control agenda. Even more problematic is that individuals, as easily as states, can carry out cyber attacks on a global scale. It is one thing to try and get agreement of over 200 states, but what about billions of individuals?
Although serious, these challenges are not insurmountable and we do not need to re-engineer the Internet to overcome them. Although arms control in cyberspace is a new idea, there is a wealth of prior experience, including Canadian, that could be drawn upon. For example, there are arms control agreements pertaining not to weapons but to whole domains that could be looked upon for analogies, including the Outer Space Treaty, the Antarctic Treaty, and the Law of the Sea. The Chemical Weapons Convention has been extraordinarily successful dealing with civilian facilities and the involvement of private companies.
Canada’s own experiences would provide a major value added to cyber arms control. At one time Canada was a world leader in arms control verification primarily through a pioneering but now defunct section within the Department of Foreign Affairs, called the Verification Research Unit. We also shepherded arms control processes by building bridges between states and civil society, particularly around the international campaign to ban landmines. Both should be revived around cyber arms control.
What policies should Canada promote? Canadian foreign and security policy could operate on numerous levels. We could begin by promoting a Treaty of Cyberspace through the United Nations that would serve at least three purposes. First, it would set a normative framework that identifies cyberspace as a valuable global commons. Second, it would create a legal framework for what states should or should not do with respect to cyber attacks and cyber warfare. Signatories could pledge not to contract freelancers or privateers, and work to restrain mischief from occurring on networks within their jurisdictions. They could also pledge to assist with each others’ cyber security investigations. Third, a treaty would help further a discussion about some of the rules of the road of cyber warfare that presently are immature and undeveloped – issues about neutrality, discrimination and proportionality. At present, such discussions are rare and academic, creating a dangerous uncertainty. For example, Russian policy today is to treat cyber attack weapons as a weapon of mass destruction.
Canada could also work to help nurture the institutionalization of a global sensor network to identify sources of cyber attacks based on the model of the global comprehensive test ban verification system and others like it. Such a model need not be organized in a “top down” hierarchical way, but rather in a distributed grass roots fashion, much like the architecture of the Internet itself.
We have come to a crossroads in the history of cyberspace. Down one path is a future of growing militarization, censorship, and surveillance leading to the degradation and disruption of the global commons of cyberspace. This future is in no country’s national interest other than those whose existence rests on authoritarian and shortsighted controls. An alternative path is one where citizens of the planet recognize that an open, global commons of information is essential to their future, and work to develop and institutionalize norms of mutual restraint. Canada can help lead that future, but it needs to start by defining a comprehensive strategy for cyber security.
Ron Deibert is director of the Citizen Lab at the Munk Centre for International Studies, University of Toronto, vice president of Psiphon Inc., and one of the principals of the SecDev Group.