Why Canada needs a cyber security foreign policy

Following is an op-ed inspired by the May 24 conference “War or Peace in Cyberspace: Whither International Cyber Security?” in Waterloo for which CPG was a co-sponsor.

Hill Times | June 14, 2018

War or peace in cyberspace? This basic question was the theme of a recent gathering of cyber security experts held at the Balsillie School of International Affairs in Waterloo, Ont. Unlike many such meetings, the focus was on international policy and the status to be accorded this vital, if vulnerable, environment.

There has been a steady “militarization” of cyberspace in recent years, with states moving from an exclusive focus on cyber defence to an open acknowledgement of offensive cyber capabilities.

According to the latest threat assessment of the United States intelligence community, some 30 states now boast offensive cyber capabilities able to penetrate foreign computer systems. Once an intruder gains access, they are able to extract information or, more menacingly, proceed to disrupt, delete, or manipulate data. This growing trend for states to depict cyberspace as a domain for potential armed conflict far outstrips the modest diplomatic efforts being made to establish “rules of the road” to govern state behaviour.

These diplomatic processes, under the auspices of the United Nations, but also the regional Organization for Security and Cooperation in Europe (OSCE), have yielded a set of confidence-building measures. These steps include restraint measures, such as a prohibition on cyber attacks directed at critical infrastructure or at the Computer Emergency Response Teams that act as “first responders” to cyber security incidents.

While the UN-generated measures reflect common security interests, they remain only recommendations at this stage. Geopolitical tensions among leading cyber powers such as the U.S., Russia, and China have put a chill on this promising effort. The failure of last year’s UN cyber security expert group to agree on a report has left the UN in something of a diplomatic limbo on how to advance this work.

The international security situation is exacerbated by escalating rhetoric from major powers that threatens “cross-domain” retaliation (in other words, employing conventional forces or even nuclear weapons) for any cyber attack. The meagre transparency on policies, doctrines, and rules of engagement for conducting offensive cyber operations contributes to a serious risk of misperception and miscalculation on the part of state actors. The presence of non-state actors and the challenges of attribution further complicates the global cyber security arena.

The emphasis on the military and intelligence-gathering dimensions of state cyber security activity has tended to eclipse its negative impact on human rights. The director of the University of Toronto’s Citizen Lab drew attention to the rampant abuse by certain governments of sophisticated cyber surveillance equipment ostensibly devoted to support law enforcement agencies. In countries as diverse as Mexico, United Arab Emirates, Ethiopia, and Turkey, Citizen Lab has documented the targeting of human rights defenders and journalists. Civil society is increasingly the victim of cyber capabilities that were once seen as tools of popular liberation and that are now more often instruments of repression.

Middle powers, such as Canada, are being encouraged to take up the mantle of leadership, given the blockage among the great powers, in pursuing international cooperative arrangements to preserve cyberspace for peaceful purposes. The Canadian government has long promised a cyber security foreign policy to guide our efforts to influence the development of international policy on cyberspace and help set norms for responsible state conduct. The issuance of such a policy, ideally one informed by consultation with the cyber stakeholder community outside of government, is overdue.

This stakeholder community drawn from civil society, the private sector, and academia was well represented at the meeting in Waterloo. Their voice and indeed that of “netizens” around the world deserves to be heard as states consider options for the future of cyberspace. Is it to be preserved as a “peaceful and stable cyberspace” (as per the goal of Australia’s International Cyber Engagement Strategy released last fall) or is it fated to become, through state action or inaction, just another “war-fighting” domain.

Paul Meyer is a former Canadian ambassador for disarmament, a senior fellow of the Simons Foundation and the chair of the Canadian Pugwash Group. He organized the May 24 conference in Waterloo: “War or Peace in Cyberspace: Whither International Cyber Security?”