SSWG e-Conference Series Archive:
"The Future of Fighting"
Conference IV Transcript:
"Canadian Cybersecurity"
Original e-Conference date: May 22, 2012
(oldest comments first)
Hi everyone, and welcome to the CIC and CDFAI's Future of Fighting discussion, “Canada and cybersecurity," with Professor Ron Deibert, Director of the University of Toronto’s Citizen Lab . I am an assistant professor of public and international affairs the University of Ottawa and the moderator of the Future of Fighting Series. I will be moderating this discussion - and the five that follow. We’re looking forward to bringing in questions from the online public, so please add them to the live-chat or, for those on Twitter, use #CICLive.
by pmlagasse May 22 at 8:00 AM
yo sup?
by Ron Deibert May 22 at 8:00 AM
Hello, Ron!
by pmlagasse May 22 at 8:01 AM
hi how goes?
by Ron Deibert May 22 at 8:01 AM
It goes, it goes. Hope the same is true for you.
by pmlagasse May 22 at 8:02 AM
Let's get started.
by pmlagasse May 22 at 8:03 AM
Same here. How are all my friends and colleagues at U of Ottawa?
by Ron Deibert May 22 at 8:03 AM
OK I'm ready.
by Ron Deibert May 22 at 8:03 AM
Ron, could you explain what is meant by the idea of a 'perfect cyberstorm'?
by pmlagasse May 22 at 8:03 AM
we're live on @TheCIC, with @pmlagasse and @RonDeibert chatting cybersecurity: bit.ly tweet Qs to #ciclive
by taylor_owen via twitter May 22 at 8:04 AM
Sure. I use the term to describe the converge of several social forces that together are having a cumulative and largely unintended consequence of subverting cyberspace as an open commons
by Ron Deibert May 22 at 8:05 AM
These include the rise of cyber crime, cyber espionage and growing assertions of state power in cyberspace.
by Ron Deibert May 22 at 8:05 AM
I worry that in the rush to deal with the very real threats to cyberspace, we may end up throwing the baby out with the bathwater.
by Ron Deibert May 22 at 8:07 AM
Which of these is the greatest cause for concern for Canadians today? Or should the government be equally worried about all three?
by pmlagasse May 22 at 8:07 AM
Canadians should be concerned about the threats to cyberspace as an open commons, in both a practical immediate sense - with respect to the security of their personal data, and breaches to government, private sector, and potentially critical infrastructure, but also with respect to the large issues around governance of cyberspace at a global level, which will impact us indirectly and in the long run.
by Ron Deibert May 22 at 8:09 AM
The Canadian government is very late in developing a strategy for cyberspace; its cyber security strategy released last year was thin on commitments and specifics. We lack a foreign policy for cyberspace at a time when the domain is at a critical watershed.
by Ron Deibert May 22 at 8:09 AM
Meanwhile, the domain is being re-shaped as governments assert their power, stand up capabilities to fight and win wars in cyberspace, and cultivate the underbelly of cyber crime to serve their strategic interests
by Ron Deibert May 22 at 8:11 AM
What should a Canadian foreign policy for cyberspace look like and address? What should we be expecting from the government on this front?
by pmlagasse May 22 at 8:12 AM
I believe we are setting a poor example, lowering the bar, so to speak. Bill C30 is a case in point. We are undoing judicial oversight on access to Canadians communications at a time when that oversight, arguably, should be strengthened.
by Ron Deibert May 22 at 8:12 AM
We've got a question from Charli Carpenter: does/shd 'cyber-security' mean norms re. use of cyber-platforms for human security ends or only securing the platforms themselves?
by pmlagasse May 22 at 8:13 AM
Charli - that is an excellent question...The object of security, so to speak, is an essential issue. Unfortunately, the two are sometimes confused by policymakers who seem more concerned about protecting networks than thinking of the networks as means to a larger end: human security.
by Ron Deibert May 22 at 8:14 AM
Question for Ron: How can/should governments (in this case, the Canadian goevrnment) develop a "foreign policy" for cyberspace when it impinges on domestic policy so pervasively? Cyberspace is no longer about state-state interactions. Some of the most...influential (positive/negative) actors in cyberspace are non-state entities.
On a related question, how can we attribute 'foreign policy' directives for the Canadian government? I'm alluding to the unattributed cyberattacks in Estonia and Georgia.
by scottalyoung May 22 at 8:14 AM
Re: Canadian foreign policy for cyberspace, I believe that we should start by linking international and domestic policy. Decisions we take here (including bad ones) can have negative implications abroad for the precedents they set.
by Ron Deibert May 22 at 8:15 AM
We then need to think about what type of cyberspace we want, as a country, and develop a strategy accordingly
by Ron Deibert May 22 at 8:15 AM
Weakening this judicial oversight could mean that Canadian communications could be abused by their own governments as well as criminal and foreign groups? Is that fair to say?
by pmlagasse May 22 at 8:16 AM
As a liberal democracy, I believe Canada has an interest in a secure but open and free cyberspace
by Ron Deibert May 22 at 8:16 AM
Two questions from Scott:
by pmlagasse May 22 at 8:16 AM
Question for Ron:
1) How can/should governments (in this case, the Canadian goevrnment) develop a "foreign policy" for cyberspace when it impinges on domestic policy so pervasively? Cyberspace is no longer about state-state interactions. Some of the most...influential (positive/negative) actors in cyberspace are non-state entities.
by pmlagasse May 22 at 8:16 AM
I think the model of security we should follow should be something along the lines of "distributed security" - division, mixture, checks and balances, and multistakeholder governance
by Ron Deibert May 22 at 8:17 AM
2) On a related question, how can we attribute 'foreign policy' directives for the Canadian government? I'm alluding to the unattributed cyberattacks in Estonia and Georgia.
by pmlagasse May 22 at 8:17 AM
The Canadian government should work with like-minded regimes to set a framework for cyberspace governance which rests on a distributed model: no one central authority; multi-stakeholder governance; multiple checks and balances on power, esp on national security organs
by Ron Deibert May 22 at 8:18 AM
Which, if any, countries have model strategies for a secure but open and free cyberspace? #ciclive
by naomi_joseph via twitter May 22 at 8:19 AM
"The Canadian government should work with like-minded regimes to set a framework for cyberspace governance which rests on a distributed model: no one central authority; multi-stakeholder governance; multiple checks and balances on power, esp on national security organs."
A point of clarity. "The Canadian government should work with like-minded regimes" vs. "multi-stakeholder governance"
by scottalyoung May 22 at 8:20 AM
We need to build up the capacity of institutions who presently govern the Internet, and do it well: the networks of engineers and computer scientists for example, rather than look to build a new global agency. This strategy is maybe a bit ironic, since it rests on actually circumscribing strongly the role of the state in cyberspace. The negation of government power in cyberspace, in other words
by Ron Deibert May 22 at 8:20 AM
We've got a question from Naomi: Which, if any, countries have model strategies for a secure but open and free cyberspace?
by pmlagasse May 22 at 8:21 AM
We also need to think through what it means to delegate so much control of personal information to the private sector as well, this is a major issue
by Ron Deibert May 22 at 8:21 AM
Naomi: very few countries I can hold up as models. Most countries right now are moving to develop within their armed forces cyber capabilities
by Ron Deibert May 22 at 8:22 AM
However, I believe that some countries, like Sweden, the Netherlands, are pushing to ensure that human rights are integral to cyberspace security
by Ron Deibert May 22 at 8:22 AM
There is a very real contest taking place at the international arena around cyberspace governance. Most observers see it as a struggle between China, Russia, and other countries that prefer centralized control and the U.S, UK, and other liberal democracies that prefer a more open Internet.
by Ron Deibert May 22 at 8:24 AM
Ron, you've mentioned that certain states are aiming to put up digital curtains. Is this possible or are they doomed to fail?
by pmlagasse May 22 at 8:24 AM
However, the liberal democratic countries are not consistent with their rhetoric in terms of domestic policy
by Ron Deibert May 22 at 8:24 AM
My question relates to Ron's statement re: 'like-minded regimes' vs. 'multi-stakeholder engagement'. What space is there in cyberspace governance for non-state actors? Should we be including groups like Wikileaks (vs "benign groups," like the Electronic Frontier Foundation, Global Voices, etc.), in deliberating cyberspace governance.
by scottalyoung May 22 at 8:25 AM
Re: digital curtains. One of the projects I have been involved in (the OpenNet Initiative) has documented Internet filtering since 2003. We set out to test that question, and found that governments have been quite adept at blocking access to information
by Ron Deibert May 22 at 8:25 AM
Scott has a follow up question: What space is there in cyberspace governance for non-state actors? Should we be including groups like Wikileaks (vs "benign groups," like the Electronic Frontier Foundation, Global Voices, etc.), in deliberating cyberspace governance.
by pmlagasse May 22 at 8:26 AM
Scott: the space for civil society in cyberspace governance is limited and highly contested. That is why the move to the ITU is so important and controversial. Should cyberspace governance be ceded to the ITU, the space for civil society would shrink further.
by Ron Deibert May 22 at 8:27 AM
The problem for civil society is that they have essentially deferred the "security" discussion to national security agencies. Cyber security should be about securing human rights and a public space for civil society. The latter needs a strategy for cyber security, in my opinion.
by Ron Deibert May 22 at 8:28 AM
Governments, civil society, and private sector all have roles to play in governing global cyberspace - it is a new mixed common pool domain, and unlike anything we have experienced before - only on a planetary scale.
by Ron Deibert May 22 at 8:29 AM
I'd like us to flush out the government / civil society issue a bit more. Many people see the cyber domain as a space for resistance to governmental authority. Is that view overly optimistic? Is that necessarily a good thing in all cases?
by pmlagasse May 22 at 8:30 AM
I believe within civil society, Universities have a special role to play as "stewards" or "custodians" of cyberspace security and openness, since it was within the Universities that the original template of the Internet was formed, and its principles of peer architecture and openness follow closely the principles that underpin University based research.
by Ron Deibert May 22 at 8:30 AM
Are Canadian universities doing enough in that regard?
by pmlagasse May 22 at 8:32 AM
Cyberspace is a planetary public sphere - and so yes definitely it should be a space for resistance to authority, as long as that resistance does not advocate violence or hate (as far as I am concerned).
by Ron Deibert May 22 at 8:32 AM
I believe that citizens should be encouraged to "lift the lid" on cyberspace, and explore what goes on beneath the surface, including asking where is my data stored? With whom is it shared? With my consent, or?
by Ron Deibert May 22 at 8:33 AM
Today, citizens are discouraged from asking these questions - we are barraged with legal clauses that restrict how and what we can do online, mostly as a function of proprietary interests. I think this is where it is important to recover "hacking" as a positive term - a civic virtu - when it is used to mean exploring the limits of technology.
by Ron Deibert May 22 at 8:34 AM
What about those who advocate violence and hatred? Is there a way to police them without granting governments the power to stifle legitimate dissent, too?
by pmlagasse May 22 at 8:35 AM
There are some companies in Canada (ie: Vineyard Networks, AdvancedIO, Sandvine) that have been accused of aiding authoritarian governments by selling them censorship and surveillance technologies. In effect, helping these governments to put up their 'digital curtains' and allowing these governments to keep tabs on their citizens' digital footprint. Does our federal government have a responsibility in this area, because they are Canadian companies? Or is it simply a legitimate business transaction?
by Philip Chow May 22 at 8:35 AM
Unfortunately the term "hacking" has been appropriated to mean "breaking the law" or "criminality" when it did not originally have that connotation
by Ron Deibert May 22 at 8:35 AM
I think that's a very interesting point about personal data and the need to examine how it's being used and by who.
by pmlagasse May 22 at 8:36 AM
Philip, another excellent question, one that we in the Citizen Lab explore often as our research has uncovered the use of commercial technologies by authoritarian regimes
by Ron Deibert May 22 at 8:36 AM
I believe that ultimately the market for these technologies will not be fully controlled until the need for them has evaporated, which is not a short term prospect.
by Ron Deibert May 22 at 8:37 AM
In the meantime, yes the government of Canada has a role to play, in setting standards for Canadian companies
by Ron Deibert May 22 at 8:37 AM
Meanwhile, those who monitor cyberspace should keep a vigilant watch on who is selling what to whom, as we have done in our reports on Netsweeper and Blue Coat
by Ron Deibert May 22 at 8:38 AM
We should also encourage private sector to think about corporate social responsibility, through such venues as the Global Network Initiative
by Ron Deibert May 22 at 8:38 AM
There are many media reports about how China and North Korea (amongst others) are developing their state-sanctioned cyber-attack capabilities. It would seem logical to assume that any future conventional (on-the-ground) war, particularly inter-state conflict, will have a cyber component. I am referring specifically to government military personnel launching cyber-attacks in conjunction with a military offensive. While inter-state conflict is diminishing, it is not extinct yet. Therefore, my question is: should Canada (namely, the Dept. of National Defence) be developing our own Canadian military cyber-attack capabilities? (Or...as it may be, are they already doing that?)
by Mark Shipley May 22 at 8:40 AM
As a Canadian, I find it embarrassing that Netsweeper helps regimes in Qatar, UAE, and elsewhere violate basic human rights that in Canada would be a violation of our Charter of Rights and Freedoms
by Ron Deibert May 22 at 8:40 AM
Ron, this CIC series is examining challenges facing the Canadian military. Could you tell us how cybersecurity concerns and threats might affect armed forces and their operations in the future?
by pmlagasse May 22 at 8:41 AM
The armed forces have a job to do, and our armed forces are faced with complex missions (e.g., Afghanistan). No conflict today takes place without a cyber component, even in a place like Afghanistan. Our armed forces need to be properly equipped, but our policymakers need to be restrained in rhetoric. We also need to pay more attention to confidence and security building and arms control measures in cyberspace, in order to prevent a dangerous escalation.
by Ron Deibert May 22 at 8:42 AM
We've got a similar question from Mark Shipley: should Canada be developing its own Canadian military cyber-attack capabilities?
by pmlagasse May 22 at 8:42 AM
I think our armed forces need to be prepared for every contingency, but our policymakers need to work on ameliorating the conditions that would give rise to having our soldiers be put in harm's way in the first place: CSBMs in cyberspace, arms control, getting at the root of the problems, e.g., by working to solve the roots of cyber crime and espionage, which can blend into cyber war.
by Ron Deibert May 22 at 8:43 AM
Canada is not doing enough internationally in this respect, although we are represented at the various forums, .e.g, the UN Group of Governmental Experts on Cyberspace, we are not seen as a leader.
by Ron Deibert May 22 at 8:44 AM
Could you elaborate about the root causes of cyber crime and espionage?
by pmlagasse May 22 at 8:46 AM
Sure, it is complex. We have migrated to new modes of communicating and sharing information (e.g., cloud, social, mobile) in such a short period of time, without time to develop proper security,
by Ron Deibert May 22 at 8:47 AM
This has opened up major vulnerabilities, leading to a rash of major breaches
by Ron Deibert May 22 at 8:47 AM
Who should we be looking to in our current federal government to take leadership in this area? (In other words, who can we nail to the wall on this?) Is it Toews (Public Safety)? Or Baird (Foreign Affairs)? Or Mackay (Defence)? Or Harper himself? The complexity of cyber issues seems to outpace our government's bureaucratic inefficiencies. On a related question, what is your feeling (are you optimistic or pessimistic?) about our current government capacity to address cyber-issues?
by Mark Shipley May 22 at 8:47 AM
Some governments see this insecurity as a source of strategic advantage, and actually cultivate the techniques and trade craft of cybercrime for purposes of political and industrial espionage, or political control.
by Ron Deibert May 22 at 8:48 AM
Meanwhile as governments stand up within their armed forces cyber attack capabilities, alongside corporate needs to do likewise, a new cyber security industrial complex has sprouted, servicing the market for exploitation and computer network attack capabilities
by Ron Deibert May 22 at 8:49 AM
Mark has a further question: which Canadian government department and minister should be responsible for cyber security?
by pmlagasse May 22 at 8:49 AM
I know this is unrelated to the future of fighting cyber crime in relation to the Millitary, but what is Canada's position on the 'Regulation of cyberspace' .
Please give specifics to Bill's domestically and initiatives abroad that will combat these issues.
by patrick May 22 at 8:50 AM
The question of which institution should "lead" in Canada (or elsewhere) is critical. I have concerns that secretive public security agencies are leading cyber security, e.g., the NSA in the United States.
by Ron Deibert May 22 at 8:50 AM
Only 10 minutes left in our convo w/ @RonDeibert. If you have a question about #cybersecurity, tweet now w/ #CICLive. bit.ly
by TheCIC via twitter May 22 at 8:50 AM
In a world of "big data" an argument should be made that these agencies should have their powers more tightly controlled, rather than loosened. We need greater oversight. Meanwhile, no one single agency should lead in cyberspace security, in my opinion. I think that the various provincial and federal privacy commissioners are as important to cyber security as are the public security agencies.
by Ron Deibert May 22 at 8:51 AM
Signals intelligence and public security and law enforcement are all important and necessary, but in a "distributed security" environment, we need to be careful not to delegate or centralize control, and we need to be vigilant about proper checks and balances - otherwise we lose sight of what we are securing in the first place while giving authoritarian regimes abroad a template.
by Ron Deibert May 22 at 8:53 AM
How should we reconcile the contradiction in governments wanting more “open data’ (e.g.: data.gov.uk, data.gov) on one hand, versus the risk inherent in securing our privacy, specifically in relation to our personal data being stored ‘in the cloud’?
by scottalyoung May 22 at 8:53 AM
Should Canada's new National Security Advisor (within PCO) have a special role in coordinating the government's efforts and cyber policies?
by pmlagasse May 22 at 8:53 AM
I am not sure having a national security advisor within PCO given the "special role" in cyber security policy. We need a mixed approach, but one that derives from a common strategy around protecting and preserving cyberspace as an open but secure and distributed communications environment on a planetary scale
by Ron Deibert May 22 at 8:55 AM
Scott's got another question for you: How should we reconcile the contradiction in governments wanting more “open data’ (e.g.: data.gov.uk, data.gov) on one hand, versus the risk inherent in securing our privacy, specifically in relation to our personal data being stored ‘in the cloud’?
by pmlagasse May 22 at 8:55 AM
If a cyber attack by a foreign government an actual declaration of war? Where is the line drawn?
by Wisam Salih May 22 at 8:55 AM
Canada is a relatively small country on the precipice of epochal changes on a global scale. It is in our long term interest to build the foundation for a model of global communications that rests on a decentralized, distributed vision of security. The alternatives (hierarchy and anarchy) are pretty bleak.
by Ron Deibert May 22 at 8:57 AM
Interesting question from Wilsam: If a cyber attack by a foreign government an actual declaration of war? Where is the line drawn?
by pmlagasse May 22 at 8:57 AM
Wisam, there is a lively debate about that topic right now - much depends on interpretation.
by Ron Deibert May 22 at 8:57 AM
Are Canadians sufficiently educated about cyber threats? (Presumably not.) And if not, what steps need to be taken to ameliorate that?
by Bob Barkley May 22 at 8:57 AM
Recently, the US DoD signaled they would treat an attack on cyber as equivalent to a kinetic attack and reserve the right to respond with force. This is why CSBMs in cyber are so important: the dangers of escalation in this environment are very real.
by Ron Deibert May 22 at 8:58 AM
Ron, we're in our last minutes here. Any final thoughts for us about cybersecurity and your work at the Citizens' Lab?
by pmlagasse May 22 at 8:58 AM
Bob: everyone at all time could use more education about the nature of cyber threats.
by Ron Deibert May 22 at 8:59 AM
Final thoughts: I enjoyed the conversations very much and look forward to more in the future. The Citizen Lab is excited about our research and development projects. we have a lot on the go to keep us busy. Stay tuned at citizenlab.org
by Ron Deibert May 22 at 9:00 AM
and follow us on twitter @citizenlab
by Ron Deibert May 22 at 9:00 AM
Excellent. Thanks very much, Ron!
by pmlagasse May 22 at 9:00 AM
Thank you Philippe for your moderation
by Ron Deibert May 22 at 9:01 AM
Hi everyone, and welcome to the CIC and CDFAI's Future of Fighting discussion, “Canada and cybersecurity," with Professor Ron Deibert, Director of the University of Toronto’s Citizen Lab . I am an assistant professor of public and international affairs the University of Ottawa and the moderator of the Future of Fighting Series. I will be moderating this discussion - and the five that follow. We’re looking forward to bringing in questions from the online public, so please add them to the live-chat or, for those on Twitter, use #CICLive.
by pmlagasse May 22 at 8:00 AM
yo sup?
by Ron Deibert May 22 at 8:00 AM
Hello, Ron!
by pmlagasse May 22 at 8:01 AM
hi how goes?
by Ron Deibert May 22 at 8:01 AM
It goes, it goes. Hope the same is true for you.
by pmlagasse May 22 at 8:02 AM
Let's get started.
by pmlagasse May 22 at 8:03 AM
Same here. How are all my friends and colleagues at U of Ottawa?
by Ron Deibert May 22 at 8:03 AM
OK I'm ready.
by Ron Deibert May 22 at 8:03 AM
Ron, could you explain what is meant by the idea of a 'perfect cyberstorm'?
by pmlagasse May 22 at 8:03 AM
we're live on @TheCIC, with @pmlagasse and @RonDeibert chatting cybersecurity: bit.ly tweet Qs to #ciclive
by taylor_owen via twitter May 22 at 8:04 AM
Sure. I use the term to describe the converge of several social forces that together are having a cumulative and largely unintended consequence of subverting cyberspace as an open commons
by Ron Deibert May 22 at 8:05 AM
These include the rise of cyber crime, cyber espionage and growing assertions of state power in cyberspace.
by Ron Deibert May 22 at 8:05 AM
I worry that in the rush to deal with the very real threats to cyberspace, we may end up throwing the baby out with the bathwater.
by Ron Deibert May 22 at 8:07 AM
Which of these is the greatest cause for concern for Canadians today? Or should the government be equally worried about all three?
by pmlagasse May 22 at 8:07 AM
Canadians should be concerned about the threats to cyberspace as an open commons, in both a practical immediate sense - with respect to the security of their personal data, and breaches to government, private sector, and potentially critical infrastructure, but also with respect to the large issues around governance of cyberspace at a global level, which will impact us indirectly and in the long run.
by Ron Deibert May 22 at 8:09 AM
The Canadian government is very late in developing a strategy for cyberspace; its cyber security strategy released last year was thin on commitments and specifics. We lack a foreign policy for cyberspace at a time when the domain is at a critical watershed.
by Ron Deibert May 22 at 8:09 AM
Meanwhile, the domain is being re-shaped as governments assert their power, stand up capabilities to fight and win wars in cyberspace, and cultivate the underbelly of cyber crime to serve their strategic interests
by Ron Deibert May 22 at 8:11 AM
What should a Canadian foreign policy for cyberspace look like and address? What should we be expecting from the government on this front?
by pmlagasse May 22 at 8:12 AM
I believe we are setting a poor example, lowering the bar, so to speak. Bill C30 is a case in point. We are undoing judicial oversight on access to Canadians communications at a time when that oversight, arguably, should be strengthened.
by Ron Deibert May 22 at 8:12 AM
We've got a question from Charli Carpenter: does/shd 'cyber-security' mean norms re. use of cyber-platforms for human security ends or only securing the platforms themselves?
by pmlagasse May 22 at 8:13 AM
Charli - that is an excellent question...The object of security, so to speak, is an essential issue. Unfortunately, the two are sometimes confused by policymakers who seem more concerned about protecting networks than thinking of the networks as means to a larger end: human security.
by Ron Deibert May 22 at 8:14 AM
Question for Ron: How can/should governments (in this case, the Canadian goevrnment) develop a "foreign policy" for cyberspace when it impinges on domestic policy so pervasively? Cyberspace is no longer about state-state interactions. Some of the most...influential (positive/negative) actors in cyberspace are non-state entities.
On a related question, how can we attribute 'foreign policy' directives for the Canadian government? I'm alluding to the unattributed cyberattacks in Estonia and Georgia.
by scottalyoung May 22 at 8:14 AM
Re: Canadian foreign policy for cyberspace, I believe that we should start by linking international and domestic policy. Decisions we take here (including bad ones) can have negative implications abroad for the precedents they set.
by Ron Deibert May 22 at 8:15 AM
We then need to think about what type of cyberspace we want, as a country, and develop a strategy accordingly
by Ron Deibert May 22 at 8:15 AM
Weakening this judicial oversight could mean that Canadian communications could be abused by their own governments as well as criminal and foreign groups? Is that fair to say?
by pmlagasse May 22 at 8:16 AM
As a liberal democracy, I believe Canada has an interest in a secure but open and free cyberspace
by Ron Deibert May 22 at 8:16 AM
Two questions from Scott:
by pmlagasse May 22 at 8:16 AM
Question for Ron:
1) How can/should governments (in this case, the Canadian goevrnment) develop a "foreign policy" for cyberspace when it impinges on domestic policy so pervasively? Cyberspace is no longer about state-state interactions. Some of the most...influential (positive/negative) actors in cyberspace are non-state entities.
by pmlagasse May 22 at 8:16 AM
I think the model of security we should follow should be something along the lines of "distributed security" - division, mixture, checks and balances, and multistakeholder governance
by Ron Deibert May 22 at 8:17 AM
2) On a related question, how can we attribute 'foreign policy' directives for the Canadian government? I'm alluding to the unattributed cyberattacks in Estonia and Georgia.
by pmlagasse May 22 at 8:17 AM
The Canadian government should work with like-minded regimes to set a framework for cyberspace governance which rests on a distributed model: no one central authority; multi-stakeholder governance; multiple checks and balances on power, esp on national security organs
by Ron Deibert May 22 at 8:18 AM
Which, if any, countries have model strategies for a secure but open and free cyberspace? #ciclive
by naomi_joseph via twitter May 22 at 8:19 AM
"The Canadian government should work with like-minded regimes to set a framework for cyberspace governance which rests on a distributed model: no one central authority; multi-stakeholder governance; multiple checks and balances on power, esp on national security organs."
A point of clarity. "The Canadian government should work with like-minded regimes" vs. "multi-stakeholder governance"
by scottalyoung May 22 at 8:20 AM
We need to build up the capacity of institutions who presently govern the Internet, and do it well: the networks of engineers and computer scientists for example, rather than look to build a new global agency. This strategy is maybe a bit ironic, since it rests on actually circumscribing strongly the role of the state in cyberspace. The negation of government power in cyberspace, in other words
by Ron Deibert May 22 at 8:20 AM
We've got a question from Naomi: Which, if any, countries have model strategies for a secure but open and free cyberspace?
by pmlagasse May 22 at 8:21 AM
We also need to think through what it means to delegate so much control of personal information to the private sector as well, this is a major issue
by Ron Deibert May 22 at 8:21 AM
Naomi: very few countries I can hold up as models. Most countries right now are moving to develop within their armed forces cyber capabilities
by Ron Deibert May 22 at 8:22 AM
However, I believe that some countries, like Sweden, the Netherlands, are pushing to ensure that human rights are integral to cyberspace security
by Ron Deibert May 22 at 8:22 AM
There is a very real contest taking place at the international arena around cyberspace governance. Most observers see it as a struggle between China, Russia, and other countries that prefer centralized control and the U.S, UK, and other liberal democracies that prefer a more open Internet.
by Ron Deibert May 22 at 8:24 AM
Ron, you've mentioned that certain states are aiming to put up digital curtains. Is this possible or are they doomed to fail?
by pmlagasse May 22 at 8:24 AM
However, the liberal democratic countries are not consistent with their rhetoric in terms of domestic policy
by Ron Deibert May 22 at 8:24 AM
My question relates to Ron's statement re: 'like-minded regimes' vs. 'multi-stakeholder engagement'. What space is there in cyberspace governance for non-state actors? Should we be including groups like Wikileaks (vs "benign groups," like the Electronic Frontier Foundation, Global Voices, etc.), in deliberating cyberspace governance.
by scottalyoung May 22 at 8:25 AM
Re: digital curtains. One of the projects I have been involved in (the OpenNet Initiative) has documented Internet filtering since 2003. We set out to test that question, and found that governments have been quite adept at blocking access to information
by Ron Deibert May 22 at 8:25 AM
Scott has a follow up question: What space is there in cyberspace governance for non-state actors? Should we be including groups like Wikileaks (vs "benign groups," like the Electronic Frontier Foundation, Global Voices, etc.), in deliberating cyberspace governance.
by pmlagasse May 22 at 8:26 AM
Scott: the space for civil society in cyberspace governance is limited and highly contested. That is why the move to the ITU is so important and controversial. Should cyberspace governance be ceded to the ITU, the space for civil society would shrink further.
by Ron Deibert May 22 at 8:27 AM
The problem for civil society is that they have essentially deferred the "security" discussion to national security agencies. Cyber security should be about securing human rights and a public space for civil society. The latter needs a strategy for cyber security, in my opinion.
by Ron Deibert May 22 at 8:28 AM
Governments, civil society, and private sector all have roles to play in governing global cyberspace - it is a new mixed common pool domain, and unlike anything we have experienced before - only on a planetary scale.
by Ron Deibert May 22 at 8:29 AM
I'd like us to flush out the government / civil society issue a bit more. Many people see the cyber domain as a space for resistance to governmental authority. Is that view overly optimistic? Is that necessarily a good thing in all cases?
by pmlagasse May 22 at 8:30 AM
I believe within civil society, Universities have a special role to play as "stewards" or "custodians" of cyberspace security and openness, since it was within the Universities that the original template of the Internet was formed, and its principles of peer architecture and openness follow closely the principles that underpin University based research.
by Ron Deibert May 22 at 8:30 AM
Are Canadian universities doing enough in that regard?
by pmlagasse May 22 at 8:32 AM
Cyberspace is a planetary public sphere - and so yes definitely it should be a space for resistance to authority, as long as that resistance does not advocate violence or hate (as far as I am concerned).
by Ron Deibert May 22 at 8:32 AM
I believe that citizens should be encouraged to "lift the lid" on cyberspace, and explore what goes on beneath the surface, including asking where is my data stored? With whom is it shared? With my consent, or?
by Ron Deibert May 22 at 8:33 AM
Today, citizens are discouraged from asking these questions - we are barraged with legal clauses that restrict how and what we can do online, mostly as a function of proprietary interests. I think this is where it is important to recover "hacking" as a positive term - a civic virtu - when it is used to mean exploring the limits of technology.
by Ron Deibert May 22 at 8:34 AM
What about those who advocate violence and hatred? Is there a way to police them without granting governments the power to stifle legitimate dissent, too?
by pmlagasse May 22 at 8:35 AM
There are some companies in Canada (ie: Vineyard Networks, AdvancedIO, Sandvine) that have been accused of aiding authoritarian governments by selling them censorship and surveillance technologies. In effect, helping these governments to put up their 'digital curtains' and allowing these governments to keep tabs on their citizens' digital footprint. Does our federal government have a responsibility in this area, because they are Canadian companies? Or is it simply a legitimate business transaction?
by Philip Chow May 22 at 8:35 AM
Unfortunately the term "hacking" has been appropriated to mean "breaking the law" or "criminality" when it did not originally have that connotation
by Ron Deibert May 22 at 8:35 AM
I think that's a very interesting point about personal data and the need to examine how it's being used and by who.
by pmlagasse May 22 at 8:36 AM
Philip, another excellent question, one that we in the Citizen Lab explore often as our research has uncovered the use of commercial technologies by authoritarian regimes
by Ron Deibert May 22 at 8:36 AM
I believe that ultimately the market for these technologies will not be fully controlled until the need for them has evaporated, which is not a short term prospect.
by Ron Deibert May 22 at 8:37 AM
In the meantime, yes the government of Canada has a role to play, in setting standards for Canadian companies
by Ron Deibert May 22 at 8:37 AM
Meanwhile, those who monitor cyberspace should keep a vigilant watch on who is selling what to whom, as we have done in our reports on Netsweeper and Blue Coat
by Ron Deibert May 22 at 8:38 AM
We should also encourage private sector to think about corporate social responsibility, through such venues as the Global Network Initiative
by Ron Deibert May 22 at 8:38 AM
There are many media reports about how China and North Korea (amongst others) are developing their state-sanctioned cyber-attack capabilities. It would seem logical to assume that any future conventional (on-the-ground) war, particularly inter-state conflict, will have a cyber component. I am referring specifically to government military personnel launching cyber-attacks in conjunction with a military offensive. While inter-state conflict is diminishing, it is not extinct yet. Therefore, my question is: should Canada (namely, the Dept. of National Defence) be developing our own Canadian military cyber-attack capabilities? (Or...as it may be, are they already doing that?)
by Mark Shipley May 22 at 8:40 AM
As a Canadian, I find it embarrassing that Netsweeper helps regimes in Qatar, UAE, and elsewhere violate basic human rights that in Canada would be a violation of our Charter of Rights and Freedoms
by Ron Deibert May 22 at 8:40 AM
Ron, this CIC series is examining challenges facing the Canadian military. Could you tell us how cybersecurity concerns and threats might affect armed forces and their operations in the future?
by pmlagasse May 22 at 8:41 AM
The armed forces have a job to do, and our armed forces are faced with complex missions (e.g., Afghanistan). No conflict today takes place without a cyber component, even in a place like Afghanistan. Our armed forces need to be properly equipped, but our policymakers need to be restrained in rhetoric. We also need to pay more attention to confidence and security building and arms control measures in cyberspace, in order to prevent a dangerous escalation.
by Ron Deibert May 22 at 8:42 AM
We've got a similar question from Mark Shipley: should Canada be developing its own Canadian military cyber-attack capabilities?
by pmlagasse May 22 at 8:42 AM
I think our armed forces need to be prepared for every contingency, but our policymakers need to work on ameliorating the conditions that would give rise to having our soldiers be put in harm's way in the first place: CSBMs in cyberspace, arms control, getting at the root of the problems, e.g., by working to solve the roots of cyber crime and espionage, which can blend into cyber war.
by Ron Deibert May 22 at 8:43 AM
Canada is not doing enough internationally in this respect, although we are represented at the various forums, .e.g, the UN Group of Governmental Experts on Cyberspace, we are not seen as a leader.
by Ron Deibert May 22 at 8:44 AM
Could you elaborate about the root causes of cyber crime and espionage?
by pmlagasse May 22 at 8:46 AM
Sure, it is complex. We have migrated to new modes of communicating and sharing information (e.g., cloud, social, mobile) in such a short period of time, without time to develop proper security,
by Ron Deibert May 22 at 8:47 AM
This has opened up major vulnerabilities, leading to a rash of major breaches
by Ron Deibert May 22 at 8:47 AM
Who should we be looking to in our current federal government to take leadership in this area? (In other words, who can we nail to the wall on this?) Is it Toews (Public Safety)? Or Baird (Foreign Affairs)? Or Mackay (Defence)? Or Harper himself? The complexity of cyber issues seems to outpace our government's bureaucratic inefficiencies. On a related question, what is your feeling (are you optimistic or pessimistic?) about our current government capacity to address cyber-issues?
by Mark Shipley May 22 at 8:47 AM
Some governments see this insecurity as a source of strategic advantage, and actually cultivate the techniques and trade craft of cybercrime for purposes of political and industrial espionage, or political control.
by Ron Deibert May 22 at 8:48 AM
Meanwhile as governments stand up within their armed forces cyber attack capabilities, alongside corporate needs to do likewise, a new cyber security industrial complex has sprouted, servicing the market for exploitation and computer network attack capabilities
by Ron Deibert May 22 at 8:49 AM
Mark has a further question: which Canadian government department and minister should be responsible for cyber security?
by pmlagasse May 22 at 8:49 AM
I know this is unrelated to the future of fighting cyber crime in relation to the Millitary, but what is Canada's position on the 'Regulation of cyberspace' .
Please give specifics to Bill's domestically and initiatives abroad that will combat these issues.
by patrick May 22 at 8:50 AM
The question of which institution should "lead" in Canada (or elsewhere) is critical. I have concerns that secretive public security agencies are leading cyber security, e.g., the NSA in the United States.
by Ron Deibert May 22 at 8:50 AM
Only 10 minutes left in our convo w/ @RonDeibert. If you have a question about #cybersecurity, tweet now w/ #CICLive. bit.ly
by TheCIC via twitter May 22 at 8:50 AM
In a world of "big data" an argument should be made that these agencies should have their powers more tightly controlled, rather than loosened. We need greater oversight. Meanwhile, no one single agency should lead in cyberspace security, in my opinion. I think that the various provincial and federal privacy commissioners are as important to cyber security as are the public security agencies.
by Ron Deibert May 22 at 8:51 AM
Signals intelligence and public security and law enforcement are all important and necessary, but in a "distributed security" environment, we need to be careful not to delegate or centralize control, and we need to be vigilant about proper checks and balances - otherwise we lose sight of what we are securing in the first place while giving authoritarian regimes abroad a template.
by Ron Deibert May 22 at 8:53 AM
How should we reconcile the contradiction in governments wanting more “open data’ (e.g.: data.gov.uk, data.gov) on one hand, versus the risk inherent in securing our privacy, specifically in relation to our personal data being stored ‘in the cloud’?
by scottalyoung May 22 at 8:53 AM
Should Canada's new National Security Advisor (within PCO) have a special role in coordinating the government's efforts and cyber policies?
by pmlagasse May 22 at 8:53 AM
I am not sure having a national security advisor within PCO given the "special role" in cyber security policy. We need a mixed approach, but one that derives from a common strategy around protecting and preserving cyberspace as an open but secure and distributed communications environment on a planetary scale
by Ron Deibert May 22 at 8:55 AM
Scott's got another question for you: How should we reconcile the contradiction in governments wanting more “open data’ (e.g.: data.gov.uk, data.gov) on one hand, versus the risk inherent in securing our privacy, specifically in relation to our personal data being stored ‘in the cloud’?
by pmlagasse May 22 at 8:55 AM
If a cyber attack by a foreign government an actual declaration of war? Where is the line drawn?
by Wisam Salih May 22 at 8:55 AM
Canada is a relatively small country on the precipice of epochal changes on a global scale. It is in our long term interest to build the foundation for a model of global communications that rests on a decentralized, distributed vision of security. The alternatives (hierarchy and anarchy) are pretty bleak.
by Ron Deibert May 22 at 8:57 AM
Interesting question from Wilsam: If a cyber attack by a foreign government an actual declaration of war? Where is the line drawn?
by pmlagasse May 22 at 8:57 AM
Wisam, there is a lively debate about that topic right now - much depends on interpretation.
by Ron Deibert May 22 at 8:57 AM
Are Canadians sufficiently educated about cyber threats? (Presumably not.) And if not, what steps need to be taken to ameliorate that?
by Bob Barkley May 22 at 8:57 AM
Recently, the US DoD signaled they would treat an attack on cyber as equivalent to a kinetic attack and reserve the right to respond with force. This is why CSBMs in cyber are so important: the dangers of escalation in this environment are very real.
by Ron Deibert May 22 at 8:58 AM
Ron, we're in our last minutes here. Any final thoughts for us about cybersecurity and your work at the Citizens' Lab?
by pmlagasse May 22 at 8:58 AM
Bob: everyone at all time could use more education about the nature of cyber threats.
by Ron Deibert May 22 at 8:59 AM
Final thoughts: I enjoyed the conversations very much and look forward to more in the future. The Citizen Lab is excited about our research and development projects. we have a lot on the go to keep us busy. Stay tuned at citizenlab.org
by Ron Deibert May 22 at 9:00 AM
and follow us on twitter @citizenlab
by Ron Deibert May 22 at 9:00 AM
Excellent. Thanks very much, Ron!
by pmlagasse May 22 at 9:00 AM
Thank you Philippe for your moderation
by Ron Deibert May 22 at 9:01 AM
Be the first to comment
Sign in with