Canadian Cyberspace Governance — or Lack Thereof?
This is a modified version of an article supported by the Department of National Defence ‘Mobilizing Insights in Defence and Security Targeted Engagement’ Grant, which appeared originally in Kristen Csenkey (ed.) “Simplifying Emerging Technologies: Risks and How to Mitigate Them”, Balsillie School of International Affairs, May 2020.
Efforts to govern the global internet, and cyberspace more broadly, are challenged by a fundamental ideological divide between countries on how they see human rights and freedoms apply to information and communication technologies (ICTs). On one side are states who frame free speech and access to information as existential threats. Led by China, Russia, and other authoritarian countries, these states have asserted sovereign control over the internet and emphasize the term “information security” (rather than “cybersecurity”) when discussing threats in the digital domain. Opposing this are countries like the US, Canada, Australia, and European states, to whom it is vital that the internet remain free, open, and in line with democratic values.
However, the tensions between the “cyber sovereignty” and “internet freedom” camps are not black-and-white. Liberal democracies have also increased their capabilities for control and surveillance over ICTs to varying degrees, often to address challenges such as disinformation, terrorism, or cybercrime. At the same time, cyberspace is increasingly securitized and militarized as geopolitical conflict in the cyber domain continues to intensify. Militaries and security services across the world publicly acknowledge offensive cyber capabilities—or have seen their tools leaked or stolen—as major global cyberattacks have intensified in their damage and scope.
In this context, democracies like Canada must balance real security needs and necessary defensive capabilities with the question of how to protect and promote a free, open, and peaceful cyberspace, and human rights therein. This is difficult to do without an adequate strategy—particularly one focused internationally. Unlike many of its allies, Canada appears to lack a clear, high-level strategy and policy for governing emerging technologies and the threats from them. In particular, Canada does not have a coherent cyber foreign policy, and lacks transparency in its efforts to defend and promote Canadian interests in cyberspace. These significant governance gaps exist despite new approaches and legal powers, a rapid and dynamic pace of innovation, and a growing rise in various digitally-enabled threats.
The State of Play: Canada
The Canadian government has moved to update policy and legislation with regard to cybersecurity. In 2018, Public Safety Canada released a National Cyber Security Strategy (NCSS), replacing the previous strategy from 2010. The following year, it published the National Cyber Security Action Plan 2019-2024 (NCSAP), which stressed the need to advance Canadian interests in cyberspace internationally, while recognizing that this has not been a focus of Canadian policy to date. According to the NCSAP, Global Affairs Canada was to develop an “International Cyber Strategy” by 2019. As of mid-2020, this has not yet been done.
Regarding defence and security, the Canadian Armed Forces (CAF) announced in a 2017 updated defence policy that it would be more “assertive” in cyberspace, including the ability to conduct “active” cyber operations. The CAF also plans to join NATO’s cyber defence centre of excellence. Further, the 2019 National Security Act (Bill C-59) massively overhauled how the Communications Security Establishment (CSE) can lawfully operate; C-59’s CSE Act updates the cybersecurity agency’s mandate to, inter alia, include “active” and “defensive” cyber operations.
Gaps, Challenges, and Forward Steps
While defence and security capabilities have rightly increased, policymaking, particularly foreign policy, has lagged behind. The lack of an international cyber strategy matters—especially given an increasingly aggressive Canadian cyber defence posture. The Canadian government now holds that while rules and norms in cyberspace are “critical”, they must be supplemented by “measures to impose costs” on hostile actors. This raises questions around how Canada can support global efforts to govern the use of ICTs, while potentially using them in yet-undetermined ways as quietly agreed to by a coterie of nations.
Unlike many allies, Canada has not published its positions on how international law applies in cyberspace, despite calling at the UN for other nations to do so, and unlike its counterparts in the US and the UK, the CAF has not made its 2017 cyber doctrine public. Further, the Canadian government should use clear terms when referring to cyber operations; it tends to label them “active” rather than “offensive.” Such opacity leads to needless ambiguity. In contrast, increased transparency around Canadian foreign and defence policy positions could lead to improved signalling, thereby boosting trust, confidence, deterrence, and stability.
Several other emerging security issues lack federal policy guidance. Given concerns with 5G technology, increased digital sovereignty may be needed to ensure the integrity of critical infrastructure. While it aims to be a leader in Artificial Intelligence (AI), Ottawa has not articulated clear positions on international human rights issues related to AI, such as how it will support efforts to ban lethal autonomous weapons. The market for commercial spyware is widely unregulated, despite the proliferation of the sophisticated espionage and surveillance tools—which are sold to despotic regimes, including adversaries. Further, given the cross-cutting nature of cybersecurity, the federal government ought to develop greater cooperation and harmonisation among various actors in the Canadian cyber ecosystem.
Challenges to Canada in the digital era may be most striking in the lack of substantive international governance considerations that the federal government has articulated to date, and where policies do exist, in their general lack of public transparency. Foreign and defence policy are two sides of the same coin, and it is critically important that the two work together to build policy and strategy given the global nature of emerging technology issues.
As the Canadian foreign policy establishment reels from its unsuccessful bid for a non-permanent seat on the UN Security Council, calls for a re-examination of Canadian foreign policy have grown. Any such re-evaluation must include an international strategy for defending and promoting Canadian interests in cyberspace. Such a strategy must account for realistic security needs while aligning also with Canadian values, such as human rights and fundamental freedoms.
Author
Josh Gold is on the executive of the CIC’s Toronto Branch and is a research assistant at the Citizen Lab, at the University of Toronto’s Munk School of Global Affairs and Public Policy. He wrote this article in his personal capacity and these views do not necessarily reflect those of anyone but himself.
Twitter: @joshgold3
Mr. Gold gives us another timely reminder of lack of ‘big’ policy-making ability of the current government. Current challenges (COVID-19; the two Michaels/China; the economy; claimed systemic racism; law enforcement renewal; Trump; pipelines) facing government are no excuse for not exercising big thoughts on the more fundamental high-level policies Cabinet owes Canadians. Mr. Gold correctly points out the thinness of government pronouncements on how it will go about protecting our cyber security. The 2018 “National Cyber Security Strategy” (NCSS) lacks meat. It has no defined goals or objectives, beyond broad statements of intended action. In fact, the NCSS was published hurriedly in 2018 because the Department of National Defence (DND) came out with “Strong, Secure, Engaged” national defence policy earlier in 2017, containing specific cyber security intentions not previously shared with Public Safety Canada.
Cyber security is not really a discreet foreign affairs issue, beyond Canadian international relations designed and implemented to support a broader national cyber security strategy. Offensive cyber security operations abroad are a DND responsibility.
The absence of meaningful cyber security strategies for both the domestic and foreign domains is principally a failing of government to articulate an overall national security policy that covers both domestic security and national defence action abroad. Without such an overarching expression of government intent, I’m afraid we will continue to lurch from tactical issue to tactical issue without the coherence of a thought-out strategic framework. .