🧵on Canada's (draft) cyber foreign policy strategy
Last summer, the Chief of @cse_cst stated @CanadaFP had prepared its 'International Cybersecurity Strategy and Cyber Diplomacy Initiative'.
The strategy has yet to be released by the Government of Canada. #cdnpoli #cdnnatsec
Last summer, the Chief of @cse_cst stated @CanadaFP had prepared its 'International Cybersecurity Strategy and Cyber Diplomacy Initiative'.
The strategy has yet to be released by the Government of Canada. #cdnpoli #cdnnatsec
However, my ATIP of the policy *has* been delivered. You can download the January - May 2021 drafts of "Canada's Foreign Policy for State Behaviour in Cyberspace" at: christopher-parsons.com/wp-content/upl… #cdnpoli #cdnnatsec
In terms of outlining what Canada will do on the world stage this serves to pull together a lot of the different activities that happen in international fora and explain what Canada will do to uphold, facilitate, and advance its interests.
It establishes four pillars concerning:
1) how 🇨🇦 acts/will act using its national capabilities;
2) how 🇨🇦 will cooperate with allies/partners;
3) how 🇨🇦 will interact in international forums; and
4) what 🇨🇦 will do to support capacity building re: cybersecurity.
1) how 🇨🇦 acts/will act using its national capabilities;
2) how 🇨🇦 will cooperate with allies/partners;
3) how 🇨🇦 will interact in international forums; and
4) what 🇨🇦 will do to support capacity building re: cybersecurity.
For each of the aforementioned pillars there's a detailed multi-page discussion of what actioning the given pillar currently entails, and will include into the future. The stuff around coordination is particular interesting for my own work.
The strategy puts security at the heart of Canada's foreign policy for cyberspace. The drafts I have lack explicit reference to:
* encryption
* proliferation of cyber mercenaries
* dual-use technologies
* online harms-related materials
* cyber ops and international law
* encryption
* proliferation of cyber mercenaries
* dual-use technologies
* online harms-related materials
* cyber ops and international law
(I recognize that each of the above might be too 'weedy' to get into in a strategy. But topics such as disinformation and platforms are raised a bit so it was a weird to not see at least one or two of the above topics. Especially given Canada's work on these files.)
Drafts disparage "indiscriminate and irresponsible use of malware" while leaving open the possibility of using malware for discriminate and responsible uses; curious what these would be. I presume for 'responsible and targeted' espionage and cyber operations?
Drafts also indicate that Canada's cyber responses can include "joint cyber operations" as well as joint attributions or coordinated diplomatic activity. We see the latter two, regularly, and I expect that efforts to assist Ukraine would be an example of the former.
(I wonder whether/to what extent joint cyber operations might also fit with Canada's defensive cyber activities, especially as they pertain to the sensor networks run by @cse_cst. Much more on all that, at: christopher-parsons.com/unpacking-nsic…)
Unsurprisingly, we see Canada assert that existing voluntary international forums are sufficient for building norms around cyberspace. This parallels GAC's public comments concerning some authoritarian nations' attempts to bring cybersecurity topics to new domains.
Stuff added/modified in later drafts:
* Canada will "further develop" deterrence capacities
* change of language from working with "non-traditional partners" to working with "diverse stakeholders"
* huge truncation of the 'Vision' in the document, from 4 paragraphs to 1 sentence
* Canada will "further develop" deterrence capacities
* change of language from working with "non-traditional partners" to working with "diverse stakeholders"
* huge truncation of the 'Vision' in the document, from 4 paragraphs to 1 sentence
Also modified/axed (depending on your view) are the pillars' summaries of actions. These are generally shortened in the final draft. It's unclear if some removed because they're seen as obvious OR to showcase differences in foreign policy positions between earlier vs later drafts
Things that get axed in later drafts:
* recognition that 🇨🇦 residents & private orgs shouldn't be independently expected to defend against state actors (😮💨)
* issue of domestic espionage for domestic control as an issue
* discussions of information sharing with allies/partners
* recognition that 🇨🇦 residents & private orgs shouldn't be independently expected to defend against state actors (😮💨)
* issue of domestic espionage for domestic control as an issue
* discussions of information sharing with allies/partners
Also removed:
* mention of creating a Cyber Stakeholder Engagement Action Plan (SEAP) to develop 🇨🇦 expertise from domestic groups/civil society
* some language around working with human rights defenders
* lots of descriptions for how the Strategy is/could be operationalized
* mention of creating a Cyber Stakeholder Engagement Action Plan (SEAP) to develop 🇨🇦 expertise from domestic groups/civil society
* some language around working with human rights defenders
* lots of descriptions for how the Strategy is/could be operationalized
Also removed:
* GAC acting in a supporting role for government writ large and coordinating policies with other agencies
* GAC will work to develop practical confidence building measures
* a bit on disagreements over interpretations of international law in cyberspace
* GAC acting in a supporting role for government writ large and coordinating policies with other agencies
* GAC will work to develop practical confidence building measures
* a bit on disagreements over interpretations of international law in cyberspace
There's some other stuff--including a sentence where human rights as a lens is truncated in favour of security-based analyses to guide policy--but I think most of it is minor-ish? Though I say as someone who lacks the foreign policy sensitivities of may others in Canada!
There are a lot of pages in the ATIP--just under 180--but I think they're incredibly revealing for those of us following (and complaining about...) this policy area in Canada. I hope that @CanadaFP actually releases a discussion document to canvass thoughts.
On the whole the (now 1 year old) drafts I have function as very good starting places to have a discussion on Canada's cyber foreign policy strategy. I hope that occurs instead of the strategy being shelved, massively truncated, or just implemented without consultation.
While I wish I'd gotten this ATIP sooner I am *DEEPLY* appreciative that the documents are lightly redacted as compared to most I receive. Thanks, folks @CanadaFP!
I'm curious to know what others make of the draft strategy, what they see as missing, & how it was iterated over a series of months.
cc: @leahwest_nsl @StephanieCarvin @b_momani @citizenlab @RonDeibert @BJMcP @thomasjuneau @MichaelJNesbitt @timmcsorley @CIGIonline @tamir_i
cc: @leahwest_nsl @StephanieCarvin @b_momani @citizenlab @RonDeibert @BJMcP @thomasjuneau @MichaelJNesbitt @timmcsorley @CIGIonline @tamir_i
• • •
Missing some Tweet in this thread? You can try to
force a refresh
