🧵on Canada's (draft) cyber foreign policy strategy

Last summer, the Chief of @cse_cst stated @CanadaFP had prepared its 'International Cybersecurity Strategy and Cyber Diplomacy Initiative'.

The strategy has yet to be released by the Government of Canada. #cdnpoli #cdnnatsec
However, my ATIP of the policy *has* been delivered. You can download the January - May 2021 drafts of "Canada's Foreign Policy for State Behaviour in Cyberspace" at: christopher-parsons.com/wp-content/upl… #cdnpoli #cdnnatsec
In terms of outlining what Canada will do on the world stage this serves to pull together a lot of the different activities that happen in international fora and explain what Canada will do to uphold, facilitate, and advance its interests.
It establishes four pillars concerning:
1) how 🇨🇦 acts/will act using its national capabilities;
2) how 🇨🇦 will cooperate with allies/partners;
3) how 🇨🇦 will interact in international forums; and
4) what 🇨🇦 will do to support capacity building re: cybersecurity.
For each of the aforementioned pillars there's a detailed multi-page discussion of what actioning the given pillar currently entails, and will include into the future. The stuff around coordination is particular interesting for my own work.
The strategy puts security at the heart of Canada's foreign policy for cyberspace. The drafts I have lack explicit reference to:
* encryption
* proliferation of cyber mercenaries
* dual-use technologies
* online harms-related materials
* cyber ops and international law
(I recognize that each of the above might be too 'weedy' to get into in a strategy. But topics such as disinformation and platforms are raised a bit so it was a weird to not see at least one or two of the above topics. Especially given Canada's work on these files.)
Drafts disparage "indiscriminate and irresponsible use of malware" while leaving open the possibility of using malware for discriminate and responsible uses; curious what these would be. I presume for 'responsible and targeted' espionage and cyber operations?
Drafts also indicate that Canada's cyber responses can include "joint cyber operations" as well as joint attributions or coordinated diplomatic activity. We see the latter two, regularly, and I expect that efforts to assist Ukraine would be an example of the former.
(I wonder whether/to what extent joint cyber operations might also fit with Canada's defensive cyber activities, especially as they pertain to the sensor networks run by @cse_cst. Much more on all that, at: christopher-parsons.com/unpacking-nsic…)
Unsurprisingly, we see Canada assert that existing voluntary international forums are sufficient for building norms around cyberspace. This parallels GAC's public comments concerning some authoritarian nations' attempts to bring cybersecurity topics to new domains.
Stuff added/modified in later drafts:
* Canada will "further develop" deterrence capacities
* change of language from working with "non-traditional partners" to working with "diverse stakeholders"
* huge truncation of the 'Vision' in the document, from 4 paragraphs to 1 sentence
Also modified/axed (depending on your view) are the pillars' summaries of actions. These are generally shortened in the final draft. It's unclear if some removed because they're seen as obvious OR to showcase differences in foreign policy positions between earlier vs later drafts
Things that get axed in later drafts:
* recognition that 🇨🇦 residents & private orgs shouldn't be independently expected to defend against state actors (😮‍💨)
* issue of domestic espionage for domestic control as an issue
* discussions of information sharing with allies/partners
Also removed:
* mention of creating a Cyber Stakeholder Engagement Action Plan (SEAP) to develop 🇨🇦 expertise from domestic groups/civil society
* some language around working with human rights defenders
* lots of descriptions for how the Strategy is/could be operationalized
Also removed:
* GAC acting in a supporting role for government writ large and coordinating policies with other agencies
* GAC will work to develop practical confidence building measures
* a bit on disagreements over interpretations of international law in cyberspace
There's some other stuff--including a sentence where human rights as a lens is truncated in favour of security-based analyses to guide policy--but I think most of it is minor-ish? Though I say as someone who lacks the foreign policy sensitivities of may others in Canada!
There are a lot of pages in the ATIP--just under 180--but I think they're incredibly revealing for those of us following (and complaining about...) this policy area in Canada. I hope that @CanadaFP actually releases a discussion document to canvass thoughts.
On the whole the (now 1 year old) drafts I have function as very good starting places to have a discussion on Canada's cyber foreign policy strategy. I hope that occurs instead of the strategy being shelved, massively truncated, or just implemented without consultation.
While I wish I'd gotten this ATIP sooner I am *DEEPLY* appreciative that the documents are lightly redacted as compared to most I receive. Thanks, folks @CanadaFP!
I'm curious to know what others make of the draft strategy, what they see as missing, & how it was iterated over a series of months.

cc: @leahwest_nsl @StephanieCarvin @b_momani @citizenlab @RonDeibert @BJMcP @thomasjuneau @MichaelJNesbitt @timmcsorley @CIGIonline @tamir_i

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Christopher Parsons

Christopher Parsons Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @caparsons

Feb 15
I recognize that this isn’t as exciting as the use of the Emergencies Act, tumult in Ottawa, etc, but this report provides a lot of useful insight into cyber defences in Canada. And a whole lot of attribution of hostile parties and what they’ve done historically.
As just one example, the chart on CSE’s history of sensors is just mostly public now. Up until very recently (as in a few months ago) CSE would fight to keep this information secret.
We also get much more detailed description of when active defensive operations can be conducted; I don’t recall seeing this level of detail elsewhere, previously.
Read 41 tweets
Dec 17, 2021
Chinese Spies Accused of Using Huawei in Secret Australia Telecom Hack bloomberg.com/news/articles/…
This is a really great story from @business and congrats to the reporters for getting the story. A few comments:

1) At its core, this is a story of a Chinese government HUMINT operation that saw intel agencies push compromised software updates to operator networks
2) Subsequently, tipped off by this, US agencies saw similar activities targeting Huawei equipment in the USA. This is part of what has led to the drumbeat of ‘we can’t trust Huawei equipment in our networks’. (Me: I’m curious about Canadian, UK, and New Zealand networks!)
Read 12 tweets
Dec 16, 2021
Ministerial Letters are out. Things I’m seeing:

From ISED (pm.gc.ca/en/mandate-let…): plans for more natsec/surveillance around university research; right to repair stuff; update the Investment Cnd Act to support natsec assessments, more on Digital Charter, DARPA-like program
From PSC (pm.gc.ca/en/mandate-let…): CBSA review body promised, focus on financial crimes, legislation planned for 5G/critical infrastructure, more intel sharing with Cnd partners targeting research/investment; more natsec-related resources to RCMP and other security agencies [½]
More from PSC: involved in cybersecurity plan/strategy, focus on ideologically-inspired extremism + attention to cybercriminals/terroists; implement Clare’s Law; more digital surveillance at the borders, and improve security to ministers/MPs
Read 12 tweets
Dec 14, 2021
Yesterday, @nsiracanada released their annual report. You can find it at: nsira-ossnr.gc.ca/tabling-of-the…
In this thread I’ll be highlighting some items of note, and general thoughts, on what we learned about our national security agencies as well as their review body. I’ll be structuring using the top-line headings in the report in case you want to follow along.
Section: Message to Members

The first thing to note is NSIRA recognizes the lack of access to offices and/or information have delayed reviews. Practically, staff have lacked access to classified materials which they regularly depend on to conduct reviews.
Read 84 tweets
Sep 28, 2021
🚨🚨NEW REPORT from @citizenlab: Pandemic Privacy: A preliminary analysis of collection technologies, data collection laws, and legislative reform during COVID-19 citizenlab.ca/2021/09/pandem… 🚨🚨
This report by @wbaballard, @AmandaCutinha, & myself:

1) performs a comparative analysis of pandemic data collection technologies
2) finds privacy laws didn’t inhibit Canada’s COVID-19 response, and
3) identifies how proposed privacy law reforms would harm Canadians’ privacy
Core findings:

1) how data was collected to combat the COVID-19 pandemic was unprecedented in terms of the sheer volume of data collected, and retasking of commercial services and systems to facilitate health surveillance
Read 13 tweets
Sep 13, 2021
Earlier this year, Canada's National Security Intelligence Review Agency (NSIRA) announced it experienced a 'cyber incident. @NSIRACanada is responsible for, amongst other things, reviewing the operations which have been undertaken by Canada's intelligence community. #cndnatsec
At the time there was very little public information, which led me to raise a serious of questions of what unclassified or Protected (as opposed to Secret, Top Secret, or Top Secret SI) information might have been accessed by a third party. See: christopher-parsons.com/questions-surr…
NSIRA has, subsequently, provided further details on their incident at: nsira-ossnr.gc.ca/nsiras-update-…

In its statement, the agency sets out that only two files were seemingly acquired by the third party.
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(