Submission to the Consultation on Canada’s Approach to Cyber Security

Author: Jack Gemmell, member, Board of Directors of Science for Peace.

About Science for Peace

Science for Peace is a Canadian organization consisting of natural scientists, engineers, social scientists, scholars in the humanities and people from the wider community. We seek to understand and act against the forces that drive militarism, environmental destruction, and social injustice here and abroad. We aim to use our knowledge and expertise to inform and change public policy and to influence and educate society at large about these crucial problems.

Recommendations

Science for Peace recommends that the government of Canada:

  1. Advocate and promote an international treaty to ban the use of cyber warfare to attack or compromise the physical and information infrastructure of a state.
  2. Declare a moratorium on efforts to develop cyber capabilities for attacking or disrupting critical infrastructure and conduct a comprehensive review of cyber warfare activities and programs currently being sponsored or supported by Canadian governmental agencies either directly or indirectly through its Five Eyes partners, the U.S., the U.K., Australia and New Zealand.
  3. Not compromise the fundamental Internet principles of openness, connectivity, net neutrality and freedom of expression in the name of cyber security.

1. An International Treaty on Cyber Warfare

As noted in the consultation document, foreign government agencies are developing and deploying advanced cyber tools to engage in governmental and commercial espionage and to disrupt computer systems and networks essential to the operation of critical infrastructure. Examples recently in the news include groups linked to the Russian government hacking the Democratic National Committee’s email system1 and the WADA database2 and groups linked to the Chinese government engaging in commercial and scientific espionage, including hacking into the computer systems at our National Research Council.3 The US government is suspected of being extensively involved in the development and distribution of malware, including the surveillance malware, Regin, and the Stuxnet worm which targeted programmable logic controllers used to operate the centrifuges used by Iran to enrich uranium.4 The full extent of the threat posed by these developments is unknown.

Recently, both John Adams, former head of the Communications Security Establishment of Canada (CSE), and Richard Fadden, former head of the Canadian Security Intelligence Service (CSIS) and former National Security Adviser for the Harper Government, have advocated that Canada should actively develop and if necessary use offensive cyber attacks including attacks on another country’s critical infrastructure.5 The rationale is a familiar one: the other countries are developing such capabilities so Canada must as well, either to launch a retaliatory attack or to support our troops in a military action.

The potential harm from cyber attacks on critical infrastructure is enormous. A major attack would cause serious economic damage and put the lives and safety of millions of people in jeopardy. Particularly sensitive targets are electrical generating and distribution systems, pipelines and traffic control systems. The continuing development and use of these software tools will lead to a wasteful and destructive cyber arms race, covert cyber warfare, endless cycles of retaliation, and unforeseen consequences as the malware spreads to unintended targets, becomes available to criminal organizations or is turned against its original user. The prospect is an escalation of real world tensions, the creation of pretexts for war and the heightened risk of actual wars placing the lives of millions in jeopardy.

Rather than engaging in a cyber arms race, we propose that Canada actively pursue an international treaty banning the development and use of cyber weapons targeting critical infrastructure. The Conventions against Chemical and Biological Weapons provide good models of the success of such an approach. This is not a new idea. In September 2011 Russia proposed a very broad Draft Convention on International Information Security that met little or no support from Western governments. The UN convened a Group of Governmental Experts (GGE) and in July 2015 the GGE issued a report6 identifying the use of cyber attacks against the critical infrastructure and associated information systems as posing a risk of harm that was both real and serious. A second GGE was commissioned with a report expected in 2017. In May 2016, the US State Department’s coordinator for cyber issues told a Senate hearing that it was too soon to contemplate a cyber arms treaty. Instead the US was committed to developing a set of norms, one of which was that a state should not engage in “online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide services to the public.”7 Unfortunately the US position is that cyber activities may in certain circumstances constitute a “Digital Act of War,” highlighting unintentionally the need for a treaty and a mechanism to deal with such issue short of war.8

A comprehensive international treaty on cyber security and cyber warfare is likely impossible to achieve in the short term. However, a more narrowly crafted treaty dealing with specific threats to critical infrastructure is doable.9 Such a treaty would not raise the thorny questions of network management, freedom of expression and the right to privacy that a broad treaty would.

This is an issue on which Canada with its long time expertise in multi-lateral treaties might provide leadership.

2. Get Canada out of the Cyber War Business

The Edward Snowden leaks point unequivocally to the government of Canada’s complicity with its Five Eyes Partners in the development and deployment of advanced cyber tools for the wide-spread illegal surveillance of civilian communications, penetration of computer systems and networks, conducting governmental and commercial espionage and the compromising of infrastructure and communication systems of target states or organizations.10 A leaked CSE presentation entitled “Cyber Activity Spectrum” included such cyber tool categories as “CNA [Computer Network Attack] Destroy Adversary Infrastructure,” “CNE [Computer Network Exploitation] Disruption Control Adversary Infrastructure,” and “CNE Disruption Disable Adversary Infrastructure.” The CSE also engaged in industrial espionage by hacking into Brazil’s Mines and Energy Ministry.11

It is difficult to take the government of Canada’s commitment to cyber security seriously when at least one of its agencies, if not more, is actively engaged in the subversion of cyber security both in Canada and the rest of the world. The development of offensive cyber weapons is counterproductive to cyber security. Today’s cyber weapon is tomorrow’s hacking tool. Intelligence agencies in their search for “zero day” exploits12 actively support the clandestine market for such cyber goods either directly or indirectly through cyber weapon dealers and suppliers.13 The agencies have an incentive not to report security flaws in order to prolong the useful life of their cyber weapons contrary to the clear public interest in exposing and correcting such flaws.14

Accordingly, we recommend that the government of Canada declare a moratorium on efforts to develop cyber capabilities for attacking or disrupting critical infrastructure and conduct a comprehensive review of cyber warfare activities and programs currently being sponsored or supported by Canadian governmental agencies either directly or indirectly through its Five Eyes partners, the U.S., the U.K., Australia and New Zealand. This will go a long way to show Canada’s commitment to solving these problems.

3. Maintain the fundamental Internet principles of openness, connectivity, transparency, privacy and freedom of expression.

Internationally accepted principles about the Internet should govern cyber security policy. Global Affairs Canada has developed a set of fundamental Internet principles which include:

  • Respect and protection for human rights, including freedom of expression and association and the right to privacy;
  • Universal and non-discriminatory access;
  • Transparent laws, regulations and policies based on the rule of law;
  • Open policy development incorporating all stakeholders including users, businesses, expert technical organizations and governments;
  • Maintaining the connectivity of the Internet as a single, interoperable network;
  • Promoting security for users; and
  • Preserving the security, stability and resiliency of the Internet.15

These principles should only be infringed upon or overridden for compelling reasons where the means used are proportionate to the objective sought and their effects do not exceed the benefits sought and where a clear legal framework exists to challenge actions taken.

With this in mind, we oppose the current proposals by police and intelligence agencies to require networking and software companies to provide the means to defeat the encryption of data and communications as being contrary to these principles.16 Encryption is vital to Internet security.17 It enables the safe and secure transmission of the financial, commercial and personal information that is the foundation of the Internet’s economic benefits. Building in back doors will subvert this protection. It is illusory to think that the back door will remain secret with its legally authorized users. To begin with, once one police force or intelligence agency has access, all their allies will want and get access to these tools, increasing the risk of disclosure exponentially. The secret will be very valuable: someone will steal or sell it. The very knowledge that a back door exists will lead to its eventual independent discovery. Finally, it will only be a temporary fix. The bad actors will turn to the myriad of unregulated encryption software, leaving law-abiding users subject to risk without any off-setting benefit.

Encryption also protects privacy, both in actual communications and in the record of communications and related personal data stored in a cellphone, laptop or tablet. Communication surveillance should adhere to The International Principles on the Application of Human Rights to Communications Surveillance18 and access to stored data must be subject to the right against unreasonable search and seizure guaranteed by the Canadian Charter of Rights and Freedoms. While the record of Canada’s police forces and national security agencies has been by no means perfect in this area, their actions are at least in theory accountable to the public through the media, elected representatives, and an independent judiciary. The same cannot be said for other countries where encryption may be the only viable protection against unfettered intrusions by state agents. Inevitably, encryption backdoors will end up in the hands of those agents by legal means or otherwise. A company like Apple selling its products in a country like China would find it virtually impossible to resist the legal and commercial pressure to turn over encryption backdoors, particularly once police forces and intelligence agencies in Canada and the U.S. have them. This will place human rights activists and dissidents further at risk.

Cyber security also engages a complex balancing of the fundamental principles of the Internet, including human rights, against the legitimate needs of law enforcement and national security agencies. It is very difficult to deal with these concepts in the abstract; specific proposals are needed. Thus, we finish with the obvious: this consultation is just the beginning and more specific consultations will be needed to address specific proposals to enhance cyber security in light of the need to maintain fundamental Internet principles.

Notes

1 DNC email hack: A look at the theory Russian operatives led attack to boost Trump’s bid www.cbc.ca/news/russians-donald-trump-email-dnc-hillary-clinton-1.3694219

2 Russian hackers publish more WADA athlete medical data www.cbc.ca/sports/olympics/wada-russia-hackers-rio-game-records-1.3760221

3 Chinese cyberattack hits Canada’s National Research Council www.cbc.ca/news/politics/chinese-cyberattack-hits-canada-s-national-research-council-1.2721241; Iranian hackers charged in cyberattack on U.S. banks, dam www.cbc.ca/beta/news/technology/cyberattack-charges-1.3506026

4 Hacker Lexicon: What Are CNE and CNA? www.wired.com/2016/07/hacker-lexicon-cne-cna/

5 Canada and Cyber, John Adams, July, 2016, Canadian Global Affairs Institute, d3n8a8pro7vhmx.cloudfront.net/cdfai/pages/1085/attachments/original/1467750257/Canada_and_Cyber_-_John_Adams.pdf?1467750257; Former CSIS head says Canada should have its own cyber-warriors www.cbc.ca/news/politics/military-cyber-wars-fadden-1.3648214

6 A/70/174: www.un.org/ga/search/view_doc.asp?symbol=A/70/174.

7 See Testimony of Christopher M. E. Painter, Senate Committee Hearing on “Cyber security: Setting the Rules for Responsible Global Behavior” May 14, 2015 www.foreign.senate.gov/imo/media/doc/051415_Painter_Testimony.pdf.

8 Testimony of Christopher M. E. Painter, House Committee Hearing on “Digital Acts of War: Evolving the Cyber security Conversation” July 13, 2016 oversight.house.gov/wp-content/uploads/2016/07/Painter-Statement-Digital-Acts-of-War-7-13.pdf.

9 There has been other action taken on the international level to bolster cyber security. Both the US and the UK have entered into bilateral accords with China to provide a measure of protection against the cyber theft of intellectual property and trade secrets and Canada is reportedly in discussions with China about a similar accord: Canada, China to discuss accord on cybersecurity, Colin Freeze, Globe and Mail, Sept. 27, 2016.

10 Communication Security Establishment’s cyberwarfare toolbox revealed www.cbc.ca/news/canada/communication-security-establishment-s-cyberwarfare-toolbox-revealed- 1.3002978, Documents Reveal Canada’s Secret Hacking Tactics theintercept.com/2015/03/23/canada-cse-hacking-cyberwar-secret-arsenal/, New Snowden docs show U.S. spied during G20 in Toronto www.cbc.ca/news/politics/new-snowden-docs-show-u-s-spied-during-g20-in-toronto-1.2442448, NSA hid spying software in hard drive firmware, report says www.cbc.ca/news/technology/nsa-hid-spying-software-in-hard-drive-firmware-report-says-1.2959252.

11 Canadian spies targeted Brazil’s mines ministry: report www.cbc.ca/beta/news/canadian-spies-targeted-brazil-s-mines-ministry-report-1.1927975

12 A “zero day” exploit takes advantage of a vulnerability that is not known to the software developer or network engineers and that hackers can use to adversely affect computer programs or apps, gain unauthorized access to data, smart phones or appliances, computers or computer networks, or exploit flaws in Internet or other communication protocols or systems. Because the affected users, software developers or network engineers are unaware of the vulnerability they have “zero days” (no time) in which to identify and fix the vulnerability or take steps to minimize or protect themselves against the danger posed by the exploit.

13 FBI paid more than $1.3 million to break into San Bernardino iPhone www.reuters.com/article/us-apple-encryption-fbi-idUSKCN0XI2IB; The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; Everything We Know About NSO Group: The Professional Spies Who Hacked iPhones With A Single Text www.forbes.com/sites/thomasbrewster/2016/08/25/everything-we-know-about-nso-group-the-professional-spies-who-hacked-iphones-with-a-single-text/#10cb89a8e3d6 Attack on Hacking Team spills global cyber-spying secrets www.cbc.ca/news/technology/attack-on-hacking-team-spills-global-cyber-spying-secrets-1.3155981

14 Turning security flaws into cyberweapons endangers Canadians, experts warn www.cbc.ca/news/technology/security-flaws-cyberweapons-1.3742751; New leaks prove it: the NSA is putting us all at risk to be hacked www.vox.com/2016/8/24/12615258/nsa-security-breach-hoard

15 Global Affairs Canada: Internet foreign policy issues www.international.gc.ca/cip-pic/internet.aspx?lang=eng

16 WhatsApp privacy under threat as France and Germany push EU to allow states to break encryption www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-privacy-under-threat-as-france-and-germany-push-eu-to-allow-states-to-break-encryption-a7204961.html

17 See, for example, The Value of Encryption www.schneier.com/essays/archives/2016/04/the_value_of_encrypt.html

18 Necessary & Proportionate International Principles On the Application 0f Human Rights to Communications Surveillance, necessaryandproportionate.org/files/2016/03/04/en_principles_2014.pdf