An anti-spam strategy does not make for a National Security Strategy

“According to a study by McMaster University,[5] 1.7 million Canadians were victims of identity theft in 2008. The annual cost of identity theft in Canada has been estimated at nearly $1.9 billion. For this reason the Government has amended the Criminal Code to better protect Canadians from identity theft.

Canadian companies can lose the race to bring a product to market, or experience other harm without ever realizing that their losses were caused by a cyber attack. It has been estimated that in a recent one year period, 86% of large Canadian organizations had suffered a cyber attack. The loss of intellectual property as a result of these attacks doubled between 2006 and 2008. [6]

  • Canada’s Cyber Security Strategy, For a stronger and more prosperous Canada, © Her Majesty the Queen in Right of Canada, 2010

 

In 2006, the Conservatives came to office with the attitude that they would repair Canada’s security Infrastructure. On February 22, 2013, the Conservative Website noted that “the Harper Government is dedicated to supporting the brave men and women in uniform who defend our country and help keep us safe.  In 2006, after the Liberal ‘decade of darkness,’ we took action to rebuild Canada’s Armed Forces.”

It is true that the Tories have added the Royal Prefix to the Royal Canadian Navy (RCN) and the Royal Canadian Air Force (RCAF). It is true that they have bought new heavy duty transportation aircraft, helicopters and frigates. However, what is becoming evident is that Canada’s National Security is more troubled today than it was under Mr. Mulroney’s, Mr. Chretien’s or Mr. Trudeau’s time in office.

Just look at the prosecution of Sub-Lt. Jeffrey Delisle. When Sub-Lt. Delisle worked at CFB Halifax and he had access to Level 3 top secret security classification which gave “him access to secret information gathered by the CIA, the FBI, CSIS, and British, Australian and New Zealand intelligence services.”  (Early clues to navy spy Delisle’s guilt overlooked, By Rob Gordon, CBC News, Nov 29, 2012 8:59 AM ET). Yet even with this level of responsibility, Sub-Lt. Jeffrey Delisle was overdue for his security clearance recheck: a check that was the responsibility of both the Royal Canadian Navy (RCN) and the Canadian Security and Intelligence Service (CSIS). According to court documents, Sub-Lt. Delisle was paid a total of $71,817 USD, from between July 6, 2007 to Aug. 1, 2011, by the Russian Government, to betray his country. Given the low amounts of the Payments, one could argue that simply raising the pay of our Security Forces would have secured the country more than the Billions of Dollars spent on new equipment. For, if our enemies know all of our secrets, they can just avoid fighting our sophisticated new weapons. This is especially true given that the FBI had to tell the RCMP that we had a mole.

However, it does not end there. For, the Harper Government appointments have had a dangerous effect on the effectiveness of Canada’s Security Infrastructure. Just look at the appointment of Dr. Arthur Porter to the Security Intelligence Review Committee (SIRC). SIRC was established in 1984 as a result of the reorganization of Canadian Intelligence Community. Its aim was to oversee the Canadian Security Intelligence Service and ensure that CSIS did not engage in illegal activities as did its predecessor – the RCMP Security Service.

As we know when SIRC fails to do its job, problems happen. For example, in 2005, after an investigation into the Air India Bombing, SIRC was admonished for not giving CSIS activities enough scrutiny. Many miscues were noted, including the fact that CSIS destroyed crucial wiretap evidence that put the legal case against the alleged Air India bombers into jeopardy. Yet that knowledge did not have an effect on the Harper nominee. Since, in November 2011, the National Post revealed Arthur Porter’s questionable business dealings and foreign connections including his relationship with Ari Ben-Menashe, a Montreal based businessman and an ex-Israeli international lobbyist and arms dealer who was arrested and charged in the United States for illegally attempting to sell military transport airplanes to Iran. The revelations were so explosive that Dr. Porter, the Head of the Security Intelligence Review Committee – a Harper appointee – resigned.

Sadly, Mr. Porter and Sub-Lt. Jeffrey Delisle aren’t the end of the problems that Canada is suffering through. Just look at the Canadian Cyber Incident Response Centre. The Harper Government set it up so that it would be “responsible for monitoring and providing mitigation advice on cyber threats and coordinating the national response to any cyber security incident. Its focus is the protection of national critical infrastructure against cyber incidents.”

However, there is one problem: it cannot do its job. As Greg Weston reported, “Confidential documents obtained by CBC News show that when Chinese military spies hacked into the control systems of Canadian pipelines and power grids last fall, this country’s official cyber-response agency sprang into action – exactly 10 days later. ”  (Greg Weston: Anti-hacking agency slow to learn about Chinese cyberattack, by Greg Weston, CBC News, Posted: Feb 22, 2013 6:09 AM ET)

CBC obtained hundreds of pages of the agency’s internal emails and cyber “incident reports” which tell a sad story. In those emails, one can see that “China-based hackers broke into the computer systems of at least three federal departments, seven Bay Street law firms, and two multinational corporations – all involved in the ultimately unsuccessful corporate takeover of Saskatchewan’s Potash Corporation.”

Or even worse, “Emails on Jan. 31 indicated the Finance Department and Treasury Board were both being slammed with severe cyberattacks, including significant volumes of sensitive government data being stolen by computers in China.” The documents revealed by the CBC indicate that the Canadian Cyber Incident Response Centre is an organization which is unable to deal with an almost constant hail of cyber-attacks on government and industry.

The Auditor General felt the same way. That Office has argued that that the Canadian Cyber Incident Response Centre should be a 24 hour agency. At the time, it was an agency that worked 8 hours a day. After all of the reports, the Harper Government only funds it for 15 hours a day. The only problem is that we need an agency that works like the Canadian Military – an agency that works 24/7 and 365 days of the year. We need it because that is how the Internet operates. If it is always on, we need to be always on. Consequently, we have seen the failures of the Harper Government.

The hard part is figuring out what should a Liberal Solution look like. However, here we can look to our history. Since the beginning of the English Liberal Democracy, Openness has always been a solution to many problems. In response to the Star Chamber, the English Parliament opened up the Judicial Process. That Openness allowed Judges, when necessary, to stand against the Crown in a more effective manner. Openness protected the Press and provided Citizens with the ability to empower Parliament. Openness has been the greatest disinfectant and – as Watergate showed – a powerful tool. It is my opinion that Openness has a place here.

As such, the first move for a Canadian Government would be to have a post-secondary Institute devoted to investigating various forms of malware and security intrusions. Canada has been here before. For years Canada pushed World Powers to be open about their weapons of mass destruction. Canada even pushed for the Ottawa Treaty that banned landmines. In the same way, if Canada created an academic institution that opened the world of cyber security intrusions, Canadians could temper the effect of Cyber Weapons. For, Cyber Weapons are just sophisticated pieces of malware and code – similar to the Computer Viruses we all have to deal with. By publishing their findings to the world as a whole, such an institution could stem the techniques of National Armies and Intelligence Services and stem their effect. If you want proof of this just look at the world wide reaction to Wikileaks’ accusations or Mandiant’s claim that Chinese Hackers have been attacking various Western Firms. Each event led to Press Conferences. Government spokespeople were in the media for days; while Newsrooms have become hubs of activity. Therefore, it is easy to say that Openness is a powerful weapon.

However, our Openness principle does not stop there. For increasingly, it has become evident that the Executive Branch – on the Provincial and Federal Level – are more than willing to run over the Private Sphere to accomplish short term goals. For example, the Harper Government was more than willing to reinstate the “preventive arrest” provisions – that had expired – into the Criminal Code. (Canada Anti-Terrorism Laws: Harper Conservatives Will Reintroduce Controversial Measures, By Althia Raj, Huffington Post, Updated: 11/06/11 05:12 AM ET) While, we were told that these measures were a part of a terrorism prevention strategy, the Montreal Police used the provision to arrest students who were protesting student tuition rates at high-profile tourist events related to the Montreal Grand Prix Race. (Montreal Police defend F1 ‘preventive arrests’, CBC News, Last Updated: Jun 11, 2012 9:47 PM ET)

If citizenship truly matters, we as Canadians should be appalled by this rising trend of Executive Power. Such a trend tends to lean against the open nature of our Society; for Government would rather sweep away critics than deal with them. Consequently, it will be suggested hear that if we treat “Others” as we wish to be treated, a citizen should be able to appeal to an arbitrator that can hold Government Accountable for breaches in Freedoms. It will be suggested here that Governments’ should not have broad sweeping powers like that of “preventive arrest”. Governments should have to prove why they are restricting the rights of persons. In that same way, our Cyber Security Strategy should be based on laws which can be appealed in Court. Surveillance should take place under the auspices of a Judicially Issued Warrant and Police Officers should have to reveal their evidence in the most open judicial environment as is reasonably practical.

However, openness is only the start. One also needs professionals who can protect government information, government infrastructure and the needs and interests of the Canadian State. Such action needs a modern revamping of the Canadian Security Apparatus. This would mean the canning of the Canadian Cyber Incident Response Centre and replacing it with a fifth Uniformed Service. Such a service would operate like the RCMP and the Military. It would be paramilitary, in nature, with a mandate to protect Canada on an ongoing basis. This would mean that this new Uniformed Service would operate 24 hours a day, 7 days a week, 365 days a year to ensure our cyber safety.

But this type of action would not be sufficient. For as we know, CSIS and the RCMP neither have the resources, supervision or the direction to be effective. Consequently, it would be suggested that SIRC be reconstituted and put under the supervision of a joint committee made up of members who have been vetted by the Federal Government, the House of Commons and the Senate. SIRC would oversee all Security Organizations including Communications Security Establishment, CSIS and the RCMP. Such a Secretariat would therefore have enough Independence and Responsibility to make serious recommendations to the Canadian State. Furthermore, if something bad happens members of SIRC will be the first to be asked the hard questions. As a result, the quality of their work will increase. These simple measures have could have the effect of increasing Canadian Security. 

With all this being said, our inability to see what other Nations are doing leads to the last suggestion: the Creation of an International Intelligence Agency. Ever since September 11th, we have seen that we have not had a strong ability to understand the world around us. Whether it be understanding what is happening on the ground in Mali, Afghanistan, Iran or Pakistan or whether it means understanding what is going on in Beijing and Damascus, Canada needs to have an international human-based intelligence network to tell us what is happening. Such an institution will be able to ensure the safety of Canadians.

Therefore, as Trudeau and Mulroney did in the 1980’s, Liberals today have a big job before us. Canadians have to be willing to look at our protections to civil liberty and how they interact with our national security infrastructure. Liberals should keep to our values of openness and the rule of law. The Magna Carta, Habeas Corpus and other fundamental parts of Canadian Jurisprudence grew up in spite of terrorism, insurrection and rebellions. Those principles should always be at the heart of our security apparatus because they have kept Britain safe since 1066. Surely, we could keep that tradition of openness and fair treatment today. It will not be easy but it is worth it.

Advertisements

2 thoughts on “An anti-spam strategy does not make for a National Security Strategy

  1. We already have such an agency: CSE. The catch is that their mandate for cyber-security applies to defending federal government networks, and now that protection needs to be extended to the private sector. The biggest challenge is precisely the private sector, who reject any hint of regulation for their insecure behaviour.

    A Liberal solution: regulate the hell out of them. The looting of Nortel was more than a tragedy for shareholders, it was a national discrace, and with WIND mobile running on Huwai networks now it’s threat to national security – unambiguously.

    http://paper-trails.ca/2012/03/25/all-networks-lead-to-ottawa/

    The question is, can you conduct industrial regulation and “Communications Security” ops out of the same Establishment as signals intelligence, and that hangs on how relevant secrecy is to the former (since it’s obviously quite appropriate for the later) My instinct says probably not… so let the cyber agency keep the CSE name (no longer a euphamism – bonus), and give the SIGINT mission to a new, much smaller agency.

    …And leave CSE civilian! Uniformed culture is all about procedure-driven discipline an consistency, while hacking (and counter-hacking) is all about personality-driven creativity and improvisation, and CSE would work best without too much of that. In fact, one could argue that because their SIGINT secrecy demands so much procedure-driven discipline as they do have – impressively severe, actually – it forms a whole other reason for bifurcating the SIGINT mission off to somewhere else (back to DND, really)

    Like

    1. We are going to have an argument here. The Canadian Security Establishment is a good agency, with good people. The Auditor General has indicated that the Federal Government does not take spend enough on intelligence. This has been clear through a variety of issues including a two week period in which several government departments were hacked. CBC has done some good reporting on this. This is even before we talk about the lack of security around Canadian public and private infrastructure. Canada has not intelligence seriously for a number of years.

      The truth is that we need more than the CSE. As the Australians, British and Americans have shown, we need to have an effective human intelligence gathering organization and a robust set of organizations that can deal with computer intelligence – in an offence and defensive manner. If you wish, it could be a civilian organization. But we need more. If the Auditor General and CBC can figure this out, surely you can agree we need more.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About 52ideas

Here are my 52 Ideas. What are yours?