IV: The Americas
Canada’s cyber security in a globalized environment: challenges and opportunities
A couple of events dominate 24-hour news cycles nowadays. Among them, an alleged Russian hacking into the 2017 Democratic National Convention (DNC), UK-based Cambridge Analytica’s data manipulation of 80 million Facebook users, a Russian global hacking effort to gain access to the UK and the US infrastructure as well as home Wi-Fi users, and last but not least, the use of social media platforms to wage “troll wars.”1 Although Facebook data manipulation or trolling might not fit into typical cyberattack profiles, these instances drew wider attention because they were carried out with malicious intent. Obviously, these nefarious cyber activities simply exposed the vulnerability of our Information Technology (IT) platforms; however, the above-mentioned incidents are unique in terms of the magnitude of data breach and the subsequent social-political fallouts. Nevertheless, there are two types of cyberattacks, one that is directed against states and their apparatuses and the other that is carried out against both the public and private sectors such as financial, service, and Internet service providing institutions.2 The vast number of cyberattacks actually fall in the latter category.
This chapter is organized into two main parts. The first part deals with the global cyber security and cyber threat environment where the concept of sovereignty in cyber space including the current state of international governance is illustrated. The second part opens up with the statement of Canada’s cyber security strategy including Canadian context on cyber security where Canada’s cultural understanding, institutions, the role of the legislature, and the societal implications of cyber security are discussed. Data is gathered from various Internet sources as well as government and non-government policy papers.
Global cyber security and cyber threat environment
In general, cyber attackers target either data (most common form causing service disruption) or control systems (a rare form intended to manipulate physical infrastructures). Considering these two forms of attack, experts contend that physical damage due to cyber terrorism has not taken place on a large scale in the past although technology and motivation of numerous actors are growing in leaps and bounds. Despite the fact that non-state actors, for example, terrorists and hackers, would continue to vie for their share to access resources to attack, “sophisticated espionage and sabotage in the cyber-domain still needs the capabilities, determination, and cost-benefit-rationale of a nation-state [and] the most dangerous actors in the cyber-domain are still nation-states” (Theiler, 2015). Additionally, an American law enforcement agency noted a new kind of “hybrid cyber threat ... in which nation-states work with criminal hackers to carry out malicious activities” (The US Department of Justice, 2017). In this regard, it might be worthwhile to review important cyber threat terminology. Depending on actors’ goals and motivations, although experts and practitioners differ widely in defining various forms of cyber threats, generally agreed upon common definitions of cybercrime, cyber terrorism,4 cyberattacks,5 cyber espionage, and cyber warfare7 are appended here (Alexander, 2014a, 2014b). Nevertheless, one of the ways to understand different forms of the cyber threats is to judge the intention of an attacker (i.e., the motive).
The concept of sovereignty in cyber space
Merriam-Webster defines sovereignty in three ways: 1) supreme power especially over a body politic; 2) freedom from external control or autonomy; and 3) controlling influence (Merriam-Webster, 2018). According to the “Westphalian” notion of a nation-state where clear-cut boundaries delineate one state from the other, modern nation states also assert their inalienable rights over their cyber space. But now the concept of sovereignty also includes virtual space where non-state actors not only outnumber state actors but are also free to engage in a wide variety of actions. Nevertheless, there are no agreed upon terminologies such as Russian or Japanese or US cyber spaces as everyone perceives to have the rights to be in the virtual space. Here three contradictions, which capture the essential debate on state sovereignty and cyber space are worth mentioning.
First, the contradiction between cyber sovereignty and the spirit of the internet; the exclusivity of classical state sovereignty runs contrary to the spirit of the internet, which rests on the concept of unrestricted inter-connectivity. Second, the contradiction between cyber sovereignty and human rights. The third is the contradiction between cyber sovereignty and involvement of multiple stakeholders in governance.
(Yell, 2011: 109)
In order to strengthen the security of global information and telecommunications systems, the UN established a Group of Governmental Experts (GGE) in 2004. One of its reports suggests that
state sovereignty and the international norms and principles that flow from it apply to States’ conduct of [Information Communication Technology] ICT related activities and to their jurisdiction over ICT infrastructure within their territory; States must meet their international obligations regarding internationally wrongful acts attributable to them.
(United Nations, 2015: 2)
However, after witnessing the futile attempts by the GGE to formulate a standard norm to address the issues pertaining to state sovereignty, experts, as well as policymakers in the US, have put forward two sets of arguments. One suggests building norms with the US adversaries who traditionally challenge US hegemony on cyber matters. This approach would enable the setting of ground rules that would allow the US to assess threats to its sovereignty and allocate resources to defend it. While the other suggests they “... build a coalition of norm adherents or good guys” so that collaborative defensive actions can be taken against the violators; this approach would also act as a deterrent to potential aggressors (Segal, 2017).8
GGE consists of 25 members comprised of legal and government experts who have held five sessions on international governance. It postulates a “coherent system of rules based on the premises that international law governs everything virtual just as it does everything tangible” (CCDCOE, 2017). GGE’s principles of governance are also published in 2013 and 2015 GGE reports. Similarly, the Tallinn Manual 2.0 prepared by an international group of experts also suggested a “rules-based system” for the member nations of the OSCE and ASEAN. Such an expression was further reflected in the G7 Lucca Declaration.
Although fraught with challenges, Microsoft propagates the idea of a “digital Geneva Convention” where state and non-state actors can collaborate and agree upon certain norms and using such a platform the companies can become a “neutral digital Switzerland” (Smith, 2017). This initiative was pitched at the 2017 RSA Cybersecurity Conference (RSA Conference, 2017) that contained three elements: “the substance of a Digital Geneva Convention for peacetime; a Tech Accord to protect people in cyber space, and the possibility of creating an ‘International Cyber Attack Attribution Organization’” (Mueller, 2017). In this initiative, experts who gathered at the conference strongly supported the proposal to establish a “Tech Accord” which would act as a collective platform containing “a common set of principles and behaviors in cyber space,” such as “no assistance for offensive cyber operations,” and a refusal to “traffic in cyber vulnerabilities” (ibid.).
Canada’s cyber security strategy
Canada defines cyber space as “... the electronic world created by interconnected networks of information technology and the information on those networks. It is a global commons where more than 1.7 billion people are linked together to exchange ideas, services, and friendship” (Public Safety Canada, 2010: 2). This was mentioned in Canada’s first Cyber Security Strategy (CCSS) which was released in October 2010. This strategy assumes four key characteristics of a cyber threat including three types of cyber threats depending upon the nature of targets, methods of attack, motivations, and intent of the attacker.9 Additionally, Canada’s vision of cyber security is explained in the following way, “strong cyber security is an essential element of Canadian innovation and prosperity” where it is mentioned that the government and its partners would continue to work on three core themes: security and resilience, cyber innovation, and leadership and collaboration (Government of Canada, 2018b).
In CCSS, partnerships between provincial, territorial, and private sectors are mentioned as a crucial element. However, the importance of such a partnership is also mentioned in the National Strategy and Action Plan for Critical Infrastructure (Public Safety Canada, 2018b) through which Canadian law enforcement community is able “to work with partners and international allies” in curbing illegal activities committed in cyber space (for more details see Government of Canada, 2018b). The strategy has three pillars and five essential elements.10 The CCSS also emphasizes the complementary nature of the US, UK, and Australia’s strategies so that all of these countries can share information on threats and resources to deter cyberattacks together. More so, Canada being the only non-European country which is a signatory of the Council of Europe’s Convention on Cyber Crime (also known as the Budapest convention, which was ratified by Canada on July 8, 2015) collaborates with European nations on cyber matters as well (Government of Canada, 2015). Additionally, in 2014 Canada launched its Digital Canada 150 Strategy where 39 initiatives were announced. As a follow-up, version 2.0 of the strategy tracked the progress of the earlier initiatives and added 31 new initiatives to secure Canada (Innovation Science and Economic Development Canada, 2017). “Get Cyber Safe” is another tool that provides news and guidance for individual Canadians and Canadian corporations on cyber security (Government of Canada, 2018c).
Canadian cyber security context
Canada is not immune to cyber threats according to the Canadian Internet Registration Authority’s (CIRA) latest Internet Factbook (Coop, 2017) and Scalar survey.11 In the Internet Factbook, 75 per cent of Canadians expressed their concerns about cyberattacks, a 13 per cent increase from the previous year. However, its cyber security is intertwined with the national security similar to most of the Western nations. It relies heavily “on the uninterrupted functioning of its critical infrastructure [CI], disruptions of which can have a serious impact on lives, the safety of communities and the economy” (Public Safety Canada, 2016b).12
The government has also established the Canadian Cyber Incident Response Centre (CCIRC) to monitor and provide mitigation advice on cyber threats, and coordinate the national response to any cyber security incident (Public Safety Canada, 2016a). Nine Government of Canada organizations are responsible for implementing the CCSS.13 The CCIRC is situated at the junction of private and public sector collaboration in Canada where partnerships with Canadian owners and operators of CI are of particular importance.
Canada is one of the G7 nations and along with its counterparts in October 2017 it endorsed the G7 Fundamental Elements of Cyber Security for the Financial Sector guidelines to implement its cyber security and outline a strategy to deal with cyber risks.14 The guideline describes “eight basic building blocks” for crafting cyber security strategy that include: 1) Cyber security strategy and framework, 2) Governance, 3) Risk and control assessment, 4) Monitoring, 5) Response, 6) Recovery, 7) Information sharing, and 8) Continuous learning (Freedman, 2017). Among these “building blocks” mentioned, monitoring, response, information sharing, and continuous learning are important to take into account while evaluating Canada’s cultural understanding of cyber security. Moreover, G7 foreign ministers met on April 23, 2018, in Ottawa to discuss cyber security threats making it an important topic of nations’ ongoing efforts on this matter. Additionally, Canada has a number of institutions to deal with cyber security threats.15
Canada’s cultural understandings, role of private sectors, and legislature
In Canada, in 2017, 59 publicly reported data breach incidents took place of which 17 incidents were categorized as critical and severe (Gemalto, 2017). A cursory look into different types of cyberattacks, data breaches, and the state of cyberattack preparedness reveals certain patterns of organizations and individuals in Canada. In this backdrop, several cultural understandings related to cyber security are discussed in the following paragraphs.
First, at the organizational level, a general understanding of a cyberattack and its consequences vary between government and non-government organizations (NGOs). For example, at the three levels of federal, provincial, and municipal governments, resource allocation in cyber security varies widely, which is rooted in individual organization’s work culture. Typically, most government organizations other than those that deal with national security have some guideline in place outlining the nature of cyber security that includes a periodic review of employees’ roles and noting precautionary measures. Although an IT department monitors data breaches and conducts such awareness programs, individual branches at the division or sub-division level lack resources to train employees and enforce rules. On the other hand, non-governmental agencies, especially the commercial ones, invest heftily in cyber defense infrastructure, monitor their employees effectively for potential data breaches, and share information with others in a collaborative way. As transpired, these NGOs are agile and can adapt to changes as they enjoy more organizational flexibility than government agencies. Nonetheless, the necessity of changing the mindsets of government agencies to deal with evolving cyber threats is a need of our time. Most importantly, a shift of mindset from data breach prevention towards the notion of institutionalizing data breach acceptance is important. Regardless of all the sorts of cyber defensive capabilities in place, a cyber attacker might find a way inside a system because the threat of attack comes from within (i.e. a rogue or a careless employee, for example, Canadian Forces Sub-Lt. Jeffrey Paul Delisle who worked for the Russian embassy at Ottawa) (KERA News, 2012).
Second, at the individual level, culturally, cyber security is often perceived in terms of a fear resulting from the likelihood of loss of personal data either through government security agencies using mass surveillance tools or by anonymous hackers, known corporations, and business firms. Nonetheless, according to a new survey conducted by the Canadian federal privacy commissioner, “Canadians deeply value privacy, but fear they are losing the control they have over their personal information” (Office of the Privacy Commissioner of Canada, 2018b). Canadians also feel that they need to be in control of their private data. This is why in another survey, 78 per cent of Canadians broadly supported the requirement of government agencies to properly safeguard the personal information and 71 per cent opined to modernize the existing Privacy Act so that it could be applicable to the Prime Minister’s Office (PMO) and the offices of cabinet ministers (CISION, 2017).
Third, organizational resilience against a cyber threat is an important aspect of cyber defense that is gaining traction now. Thus, a Public Safety document entitled Fundamentals of Cyber Security for Canada’s CI Community asserts, “building true resiliency usually requires active engagement from a number of different players” (Public Safety Canada, 2016b). Resilience is predicated upon the fact that cyberattacks in today’s context are not about the question of where but when the attack will happen; therefore, people as well as systems must remain ready to absorb an attack and return to normal operation. Here the concept of resiliency should be envisioned as both a bottom-up and a top-down process. The bottom-up process involves organizational rules in terms of security awareness including procedures in place, which employees must follow diligently (Solomon, 2017). The top-down approach involves an organization’s hardware capabilities to defend itself, repulse an attack and get back to a normal operation with a minimum loss (both material and downtime). In an ideal situation, both these approaches should converge and create a resilience system.
Fourth, the government of Canada enacted legislation that ensures mandatory reporting of data breaches given the fact that most organizations feel reluctant to report data breaches due to the fear of losing organizational reputations. Such a mindset needs to be changed in order to safeguard the personal data of clients for business as well as government organizations. In this regard, in 2015, the Bill S-4 (i.e., the Digital Privacy Act) amended Canada’s private sector privacy law (i.e. the Personal Information Protection and Electronic Documents Act — PIPEDA) in a number of areas including the establishment of mandatory data breach reporting requirements (Government of Canada, 2017). Although the responsibility for overseeing compliance with PIPEDA rests with the Privacy Commissioner, various service providers are expected to come onboard to implement the law.
Fifth, the role of the private sector in cyber security in Canada is important for two reasons: it contains millions of Canadians’ personal information and at the same time many of them work for government organizations and deal with sensitive data. In this regard, the Global State of Information Security Survey of 2018 provided four valuable lessons for private sectors worldwide. One, the growth in digital devices is driving risk management (hinting at the explosion of handheld mobile devices). Two, business leaders see new risks tied to emerging technologies (for example, GPS, monitoring technologies, profiling through the use of social media data). Three, cyber threats to the integrity of data (data sharing across many digital platforms as well as data encryption). And four, current employees remain the top source of security incidents (lack of control over employees at work) (PWC, 2018).
Sixth, legislature plays a key role in assessing a situation and enacting appropriate laws in conjunction with regional and global partners. In terms of legislation, Canada has enacted the following: 1) Anti-Spam Legislation (CASL - July 1, 2014) (Government of Canada, 2018a), 2) the Digital Privacy Act (also known as Bill S-4), and 3) the PIPEDA. A key change in PIPEDA was the establishment of mandatory data breach reporting requirements (Government of Canada, 2017). The CRTC has the primary enforcement responsibility for the anti-spam law. On March 10, 2015, Protecting Canadians from Online Crime Act came into force. This legislation provides law enforcement agencies with new, specialized investigative powers to help them take action against Internet child sexual exploitation, and disrupt online organized crime activity (Global Affairs Canada, 2018).
In the above paragraphs, variations in monitoring between government and non-government agencies are highlighted on the basis of organizational culture. Response, discussed in terms of gaining resilience against any cyberattack, and information sharing among and between government agencies and private businesses are two important aspects in understanding the cyber security environment of Canada.
Canadian uniqueness and societal implications of cyber law
In general, Canadians are aware of their cyber vulnerabilities (CIRA, 2018) yet they believe that cyber security laws16 offer a collective good in securing their safety by providing them suggestions and guidelines for cyber preparedness according to a report published in 2016 (CGI, 2016). In view of this, the government of Canada published the Cyber Incident Management Framework - a comprehensive document that shows nature of cyber threats, various steps, and roles of agencies and stakeholders in dealing with such situations (Public Safety Canada, 2018a). Nonetheless, on the eve of the 2018 G7 summit that was hosted in Canada, the CCIRC emphasized physical aspects of cyber defense.17 In this context, Canada has two unique conditions in the defense of its cyberspace as a member of the 5-Eyes group (Hanna, 2017) as well as through one of its institutions (i.e., Office of the Privacy Commissioner of Canada - OPC) that safeguards individual rights to privacy.
Global cooperation and understanding between the government and the private sector providing IT services are crucial in safeguarding individual cyber space. In line with this concept, the 5-Eyes group was created following the UK-USA agreement of 1946 (Farrell, 2013). Primarily, in this agreement, the member states — Australia, New Zealand, Canada, the United Kingdom, and the USA - agreed upon data sharing to protect their national security. In its recent communique, the danger from the “new vectors for harm” was highlighted and IT companies (i.e. the Global Internet Forum to Counter Terrorism, where Google, Facebook, Microsoft, and Twitter are members) were urged to support their intelligence communities in tackling terrorist fundraising and child exploitation (Harris, 2018). Thus Canada, being a member of this group, truly enjoys some unique advantages regarding data sharing among the most developed nations on earth whose citizens use technology the most. Additionally, the Communication Security Establishment (CSE) is Canada’s largest and most prolific organization that is tasked with safeguarding national interest related to cyber security. CSE’s mandate and jurisdiction are defined in National Defence Act, and its mission is “to provide and protect information of national interest through leading-edge technology, in synergy with [its] partners” (Communications Security Establishment, 2014). However, CSE is also part of the 5-Eyes group of countries with whom it has shared intelligence for decades.
Canada has a unique establishment, the OPC, which provides “advice and information for individuals about protecting personal information” as well as “enforce[s] two federal privacy laws”18 that regulate federal government institutions and guide private businesses in handling personal information. This office carries out investigations on privacy breaches and advises lawmakers on issues that affect the privacy rights of Canadians. Additionally, the OPC plays a crucial role in monitoring and advising policymakers about maintaining a balance between individual rights to privacy versus security. As a matter of fact, the need for protecting the safety and security of Canadians unquestionably rests on the government’s shoulders, however this must not come at the expense of Canadians’ privacy. In the age of violent extremism where the Internet remains the primary domain to spread hate and recruit extremists, OPC oversees law enforcers so their work is consistent with the rule of law while protecting individuals from terrorism. OPC also carries out research on matters related to privacy protection in cyber security activities (Office of the Privacy Commissioner of Canada, 2018a). With regards to mapping societal implications of cyber laws, OPC’s 2016 survey helps us to identify key trends in this field (Office of the Privacy Commissioner of Canada, 2016). Two main perspectives that are derived from the survey are appended below.
First, 74 per cent of Canadians felt that they have less protection of their personal information than they did ten years ago. However, they prioritize privacy over other matters and strongly believe in non-interference of government agencies in their private lives. In this regard, one can observe several trends in the 2016 Survey of Canadians on Privacy. For example, between the years of 2014 and 2016, Canadians’ very good knowledge on privacy rights increased from 5 per cent to 16 per cent and good knowledge increased from 27 per cent to 49 per cent. Similarly, within the same period, Canadians’ concerns about the protection of personal privacy increased from 34 per cent to 37 per cent. This trend shows that Canadians are increasingly becoming aware of the predicament of digital privacy matters and they are learning how to protect personal data. That is why they are more cognizant of cyber security laws and their ramifications.
Second, despite living in the age of ever-diminishing privacy, the survey asked participating Canadians how they felt about “Government monitoring of citizens activities for national security or public safety purposes.” In response, 26 per cent expressed that they were extremely concerned and 40 per cent suggested that they were somewhat concerned, making it 66 per cent of Canadians that were generally concerned. This finding tells us that government agencies spying on its citizens without justified cause is not accepted and it stems from the fact that Canadians prefer privacy over safety. In the same vein, 70 per cent of Canadians expressed that law enforcement agencies should disclose at what frequency they collect citizens’ personal information within a scheme of general intelligence gathering without court authorization. Although 50 per cent said that law enforcement agencies currently do not have enough jurisdiction or legal power to collect citizens’ private information for national security or public safety, conversely, 33 per cent do not agree that these agencies need more power to collect information. This data illustrates that while the majority of Canadians value the need to monitor citizens who might be a national security threat, they do not support a blanket approval of intelligence gathering.
The more our private and public lives are becoming digitized, the more we are prone to interference either by state or non-state actors. In this regard, the only way we can improve our vulnerabilities is by being aware of our vulnerabilities in the cyber world and knowing the appropriate tools that we have at our disposal for reducing vulnerabilities. In a similar vein, like other governments Canada also enacted laws, passed legislation, and founded institutions yet the onus remains on Canadians to defend themselves against cyber threats.
In this chapter, global cyber security and cyber threat environments were discussed first, followed by the concept of sovereignty in the cyber world and international governance in cyber domain. One thing that contributes to not being able to formulate an agreed upon international law/norm governing state behaviors is that powerful cyber capable nations do not want to become hostage to cyber laws as they seem to remain flexible to attack others. Afterward, this chapter examined Canada’s cyber security environment that includes cultural understanding, its institutions, the role of the legislature, and societal implications. Two things stand out clearly: Canadians are more aware of cyber laws and they do not want interference in their private lives in the name of collecting data for national security. Canada also has unique characteristics being a member of 5-Eyes in defense of its cyber environment and an organization such as OPC that oversees implementation of cyber laws in the country.
Research on cyber security needs to go on due to the fact that cyber threats evolve and according to the analyses made in the cultural understanding of Canadian cyber security environment above, it is reasonable to understand that stakeholders’ awareness and cooperation are the two most important elements for Canadian cyber defense in the future. However, to bolster its cyber defense, Canadian private business sectors and government agencies should work together in bringing changes to its culture of data protection and sharing while maintaining a balance between privacy and national security.
- 1 “The art of deliberately, cleverly, and secretly pissing people off, usually via Internet, using dialogue. Trolling stands for an attempt to feed mis- and disinformation to manipulate public perceptions.” www.urbandictionary.com/define.php?term=Trolling
- 2 For example, the case of the disruption of Estonia’s government sites in April 2007 by hackers through Distributed Denial of Service (DDoS) attacks, which ultimately triggered article 5 of NATO’s collective defense; the Russian DDoS attack in response to Georgia’s South Ossetia incursion in 2008; and the computer worm Stuxnet, which infected Siemens computers at Iranian nuclear facilities in 2009—2010 to name a few. In the latter category, the examples are attacks on Sony, JP Morgan, Saudi Aramco, and the US Office of Personnel Management.
- 3 A “cybercrime” is “enabled by or [ ... ] targets computers [and] can involve the theft and damage to property as well as fraudulent and espionage-related activities.” Source: Alexander, Dean, Cyber Threats Against the North Atlantic Treaty Organization (NATO) and Selected Responses (2014) Turkey. http://dergipark.gov.tr/download/article-file/89251
- 4 “Cyber terrorism” is defined as unlawful attacks and threats of attack against computers, networks, and information stored therein — carried out through the computers, Internet, or the use of flash drive storage devices — when done to intimidate or coerce a government or its people in furtherance of political or social objectives (ibid.).
- 5 A “cyberattack” (or computer network attack) can disrupt computer equipment and hardware reliability, change computer-processing logic, steal or corrupt data; “... cyber attacks include the loss of integrity, availability, confidentiality, and physical destruction. Cyber attacks most frequently target critical infrastructure (financial services, manufacturing, telecommunications, electricity, water). However, they increasingly inflict damage on government targets, including the military, intelligence, and law enforcement” (ibid.).
- 6 “Cyber espionage is the use of computer systems or information technology to illegally obtain confidential/secret information from the government, private sector, or some other entity” (ibid.).
- 7 Cyber is the fifth domain of the battlefield after air, land, sea, and space. Cyber warfare is utilizing computers and other instruments to target an enemy’s information systems rather than attacking an enemy’s armies or factories. War in the Information Age: A Primer for Cyberspace Operations in 21st Century Warfare, www.dtic.mil/dtic/tr/fulltext/u2/a514490.pdf
- 8 Some experts believe that sovereignty should not be viewed as a state’s prerogative in controlling its resources; it also should make a state responsible for its conduct and behavior in cyber-space. Concerning states becoming self-responsible, one can refer to June 2017 China and Canada’s agreement not to conduct cyber espionage for a commercial gain against each other (Reuters Staff, 2017). China also followed it through and signed similar agreements with the US, UK, Australia, the G-7 and G-20 nations.
- 9 Characteristics are: “1) inexpensive (tools to carry out attack can be purchased from open sources); 2) easy (only basic essential computer skills are needed to carry out attack); 3) effective (in terms of damage that an attack can cause); and 4) low risk (attackers’ capability to evade detection and prosecution). Threats are: 1) state-sponsored cyber espionage and military activities; 2) terrorist use of the Internet; and 3) cybercrime. Public Safety Canada (2010). From, Canada’s Cyber Security Strategy: For a stronger and more prosperous Canada (Vol. 2018). Ottawa.
- 10 These are: 1) securing Government of Canada systems; 2) partnering to secure vital cyber systems outside the Government of Canada, and 3) helping Canadians to be secure online. The elements are: 1) reflects Canadian values such as the rule of law, accountability and privacy; 2) allows continual improvements to be made to meet emerging threats; 3) integrates activity across the Government of Canada; 4) emphasizes partnerships with Canadians, provinces, territories, business, and academe; and 5) builds upon our close working relationships with Canadian allies” Public Safety Canada (2018b). Get Cyber Safe Guide for Small and Medium Businesses, www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-eng.aspx
- 11 Scalar — the cyber security advocacy firm — surveyed the Canadian landscape and reported that on average, Canadian organizations are attacked 455 times per year; 9 breaches resulted from these attacks, and 20 per cent of the attacks were considered high impact. In terms of damage assessment, Scalar also indicates that it cost Canadians $3,679,090, caused 90 hours of downtime, resulted in 16 days of recovery time, and files containing personal private data due to the breach was 47 per cent. For details, see Scalar survey infographics. www.scalar.ca/wp-content/uploads/2018/03/Scalar_Sur vey graphic v6.pdf
- 12 Critical infrastructure (CI) refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security, or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories, and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence. www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-en.aspx
- 13 Public Safety (PS), Communications Security Establishment (CSE), Shared Services Canada (SSC), Department of National Defence/Defence Research and Development Canada (DND/DRDC), Treasury Board of Canada Secretariat (TBS), Global Affairs Canada (GAC), Justice Canada (JUS), the Royal Canadian Mounted Police (RCMP), and Canadian Security Intelligence Services (CSIS). www.publicsafety.gc.ca/cnt/rsrcs/pblctns/vltn-cnd-scrt-strtg/vltn-cnd-scrt-strtg-en.pdf
- 14 Cyber risks are the risks of loss and liability (e.g. business disruption, financial loss, loss to stakeholder value, reputational harm, trade secret disclosure and other competitive harm, legal noncompliance liability and civil liability to customers, business partners and other persons) to an organization resulting from a failure or breach of the information technology systems used by or on behalf of the organization, including incidents resulting in unauthorized access, use or disclosure of regulated, protected or sensitive data. http://blg.com/en/News-And-Publications/Publication_4694
- 15 For example, the Canadian Anti-Fraud Centre and several training resources offered by the CCIRC (i.e. Advanced Persistent Threat Guide (APTG), Cyber Security Technical Advice/Guidance/Training, DDOS Mitigation guide, Cyber Safe Guide for Small and Medium Businesses, Malware Removal Guide, and Industrial Control System (ICS) Guide). Additionally, the Canadian Radio-television and Telecommunications Commission (CRTC) scam reporting system has an elaborate guide explaining how to protect Canadians from scams.
- 16 “In 2015, the Government of Canada introduced a number of legislative amendments and programs in an effort to keep pace with the digital economy and growing cyberthreats to Canadian businesses and citizens. These initiatives, meant to strengthen our collective cyber resiliency, require Canadian businesses of all sizes, and any Canadian organizations that store personal data, to update their cyber road maps to bring them into compliance”. Source: CGI (2016). Will Canada’s Cybersecurity Legislation Impact Your Business? Be aware of your obligations. Canada, www.cgi.com/sites/default/files/white-papers/canada-cybersecurity-legislation-white-paper.pdf
- 17 “Achieving ‘perfect’ cyber security is a wasted effort if the cyber components of critical cyber systems are physically accessible by unauthorized personnel. Securing critical systems inside fortress-like facilities will not achieve the desired effect if personnel who have access to these facilities have not been properly vetted. Information Security measures can only go so far if procedural security measures — such as not having several levels of approval in place within an organization prior to authorizing the transfer of funds based on an online or telephone request — are not in and of themselves rigorous” (p. 5). Public Safety Canada. “Cyber Security Guideline for the G7 Summit.” Ottawa: Canadian Cyber Incident Response Centre, 2018.
- 18 The Privacy Act, and the Personal Information Protection and Electronic Documents Act (PIPEDA).
Fundamentals of Cyber Security for Canada’s Critical Infrastructure Community. Building a Safe and Resilient Canada, www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2016-fndmntls-cybr-scrty-cmmnty/2016-fndmntls-cybr-Scrty-cmmnty-en.pdf
Public Safety Canada. “Cyber Incident Management Framework for Canada.” www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cbr-ncdnt-frmwrk/index-en.aspx
Public Safety Canada. “National Strategy for Critical Infrastructure.” www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx
Public Safety Canada. “Canada’s Cyber Security Strategy: For a Stronger and More Prosperous Canada.” http://publications.gc.ca/collections/collection_2010/sp-ps/PS4-102-2010-eng.pdf
Public Safety Canada. “Canadian Cyber Incident Response Centre (CCIRC).” www.publicsafety.gc.ca/cnt/ntnl-scrt/ebr-sert/ccirc-ccric-en.aspx
Alexander, D. C. (2014a). Cyber threats against the North Atlantic Treaty Organization (NATO) and selected responses. Istanbul Gelisim Universitesi Sosyal Bilimler Dergisi (Istanbul Gelisim University Social Sciences Journal), 1(2), 1–36.
Alexander, D. C. (2014b). “Kuzey Atlantik Antlaşması Örgütü’ne (NATO) Karşı Siber Tehditler ve Seçilmiş Yanıtlar,” Istanbul Gelisim Universitesi Sosyal Bilimler Dergisi, 1(2): 1–36.
CCDCOE. (2017). “Back to Square One? The Fifth UN GGE Fails to Submit a Conclusive Report at the UN General Assembly.” Estonia: NATO Cooperative Cyber Defence Center of Excellence.
CGI. (2016). “Will Canada’s Cybersecurity Legislation Impact Your Business? Be Aware of Your Obligations.” www.cgi.com/sites/default/files/white-papers/canada-cybersecurity-legislation-white-paper.pdf
CIRA. (2018). “2018 CIRA Canadian Internet Security Survey.”
CISION. (2017). “Majority of Canadians Support Privacy Act Reform, Greater Transparency by Government, Businesses: Poll.” www.newswire.ca/news-releases/majority-of-canadians-support-privacy-act-reform-greater-transparency-by-government-businesses-poll-611876805.html
Communications Security Establishment. (2014). “Mission, Vision and Values.” www.cse-cst.gc.ca/en/about-apropos/vision-mission
Coop, A. (2017). “Cyber Security a Growing Concern for Canadians.” www.itworldcanada.com/article/cyber-security-a-growing-concern-to-canadians/399641
Farrell, P. (2013). “History of 5-Eyes — Explainer.” www.theguardian.com/world/2013/dec/02/history-of-5-eyes-explainer
Freedman, B. J. (2017). “Cyber Risk Management — G7 Cybersecurity Guidelines For The Financial Sector.” http://blg.com/en/News-And-Publications/Publication_4694
Gemalto. (2017). “Data Breach Database.” https://breachlevelindex.com/data-breach-database
Global Affairs Canada. (2018). “Cybercrime.” www.international.gc.ca/crime/cyber_crime-criminalite.aspx?lang=eng&_ga=2.127330884.892494619.1525240450-492751339.1521087974
Government of Canada. (2015). “Canada Completes Ratification of Convention on Cybercrime.” www.canada.ca/en/news/archive/2015/07/canada-completes-ratification-convention-cybercrime.html
Government of Canada. (2017). “Breach of Security Safeguards Regulations.” www.gazette.gc.ca/rp-pr/pi/2017/2017-09-02/html/regl-eng.html
Government of Canada. (2018a). “Canada’s Anti-Spam Legislation.” www.fightspam.gc.ca/eic/site/030.nsf/eng/h_00241.html
Government of Canada. (2018b). “Canada’s Cyber Security Strategy: For a Stronger and More Prosperous Canada.” http://publications.gc.ca/site/eng/9.693830/publication.html
Government of Canada. (2018c). “Getcybersafe.” www.getcybersafe.gc.ca/index-en.aspx
Hanna, J. (2017). “What Is the Five Eyes Intelligence Pact?” www.cnn.com/2017/05/25/world/uk-us-five-eyes-intelligence-explainer/index.html
Harris, K. (2018). “‘Five Eyes’ Allies Urge Digital Industry to Stop Child Pornographers, Terrorists.” www.cbc.ca/news/politics/digital-security-online-five-eyes-pornography-terrorism-1.4803122
Innovation Science and Economic Development Canada. (2017). “Version 2.0 - Digital Canada 150 2.0.” www.ic.gc.ca/eic/site/028.nsf/vwapj/DC150-2.0-EN.pdf/SFILE/DC150-2.0-EN.pdf
KERA News. (2012). “A Rare Case: Canadian Navy Officer Pleads Guilty To Selling Secrets To Russians.” http://keranews.org/post/rare-case-canadian-navy-officer-pleads-guilty-selling-secrets-russians
Merriam-Webster. (2018). “Sovereignty.” www.merriam-webster.com/dictionary/sovereignty
Mueller, M. (2017). “Debates on Global Governance and Cybersecurity.” www.internetgovernance.
Office of the Privacy Commissioner of Canada. (2016). “Public Opinion Survey.” www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2016/por_2016_12/#fig1
Office of the Privacy Commissioner of Canada. (2018a). “Privacy and Cyber Security: Emphasizing Privacy Protection in Cyber Security Activities.” www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2014/cs_201412/
Office of the Privacy Commissioner of Canada. (2018b). “Privacy Breaches.” www.priv.gc.ca/en/privacy-topics/privacy-breaches/
Public Safety Canada. (2010). “Canada’s Cyber Security Strategy: For a Stronger and More Prosperous Canada.” http://publications.gc.ca/collections/collection_2010/sp-ps/PS4-102-2010-eng.pdf
Public Safety Canada. (2016a). “Canadian Cyber Incident Response Centre (CCIRC).” www.publicsafety.gc.ca/cnt/ntnl-scrt/ebr-sert/ccirc-ccric-en.aspx
Public Safety Canada. (2016b). “Fundamentals of Cyber Security for Canada’s Critical Infrastructure Community,” Building a Safe and Resilient Canada, www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2016-fndmntls-cybr-scrty-cmmnty/2016-fndmntls-cybr-Scrty-cmmnty-en.pdf
Public Safety Canada. (2018a). “Cyber Incident Management Framework for Canada.” www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cbr-ncdnt-frmwrk/index-en.aspx
Public Safety Canada. (2018b). “National Strategy for Critical Infrastructure.” www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx
PWC. (2018). “The Global State of Information Security® Survey 2018.” www.pwc.com/us/en/services/consulting/cybersecurity/library/information-security-survey.html
Reuters Staff. (2017). “China, Canada Vow Not to Conduct Cyber Attacks on Private Sector.” www.reuters.com/article/us-canada-china-cyber/china-canada-vow-not-to-conduct-cyber-attacks-on-private-sector-idUSKBN19H06A
RSA Conference. (2017). “Power of Opportunity.” www.rsaconference.com/events/us17
Segal, A. (2017). “The Development of Cyber Norms at the United Nations Ends in Deadlock. Now What?” www.cfr.org/blog/development-cyber-norms-united-nations-ends-deadlock-now-what
Smith, B. (2017). “The Need for Digital Geneva Convention.” https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/
Solomon, H. (2017). “Focus on Security Basics and Be Good at Them, Says Risk Consultant.” www.itworldcanada.com/article/focus-on-security-basics-and-be-good-at-them-says-risk-consultant/398876
The US Department of Justice. (2017). “Canadian Hacker Who Conspired with and Aided Russian FSB Officers Pleads Guilty.” www.justice.gov/opa/pr/canadian-hacker-who-conspired-and-aided-russian-fsb-officers-pleads-guilty
Theiler, O. (2015). “New Threats: The Cyber-dimension.” www.nato.int/docu/review/2011/11-september/Cyber-Threads/EN/index.htm
United Nations. (2015). “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security Seventieth Session, Developments in the Field of Information and Telecommunications in the Context of International Security.” New York: UN General Assembly.
Yeli, H. (2017). A Three-Perspective Theory of Cyber Sovereignty (Vol. 2). China: China International Institute for Strategic Society.