In terms of outlining what Canada will do on the world stage this serves to pull together a lot of the different activities that happen in international fora and explain what Canada will do to uphold, facilitate, and advance its interests.
It establishes four pillars concerning: 1) how 🇨🇦 acts/will act using its national capabilities; 2) how 🇨🇦 will cooperate with allies/partners; 3) how 🇨🇦 will interact in international forums; and 4) what 🇨🇦 will do to support capacity building re: cybersecurity.
For each of the aforementioned pillars there's a detailed multi-page discussion of what actioning the given pillar currently entails, and will include into the future. The stuff around coordination is particular interesting for my own work.
The strategy puts security at the heart of Canada's foreign policy for cyberspace. The drafts I have lack explicit reference to:
* encryption
* proliferation of cyber mercenaries
* dual-use technologies
* online harms-related materials
* cyber ops and international law
(I recognize that each of the above might be too 'weedy' to get into in a strategy. But topics such as disinformation and platforms are raised a bit so it was a weird to not see at least one or two of the above topics. Especially given Canada's work on these files.)
Drafts disparage "indiscriminate and irresponsible use of malware" while leaving open the possibility of using malware for discriminate and responsible uses; curious what these would be. I presume for 'responsible and targeted' espionage and cyber operations?
Drafts also indicate that Canada's cyber responses can include "joint cyber operations" as well as joint attributions or coordinated diplomatic activity. We see the latter two, regularly, and I expect that efforts to assist Ukraine would be an example of the former.
(I wonder whether/to what extent joint cyber operations might also fit with Canada's defensive cyber activities, especially as they pertain to the sensor networks run by @cse_cst. Much more on all that, at: christopher-parsons.com/unpacking-nsic…)
Unsurprisingly, we see Canada assert that existing voluntary international forums are sufficient for building norms around cyberspace. This parallels GAC's public comments concerning some authoritarian nations' attempts to bring cybersecurity topics to new domains.
Stuff added/modified in later drafts:
* Canada will "further develop" deterrence capacities
* change of language from working with "non-traditional partners" to working with "diverse stakeholders"
* huge truncation of the 'Vision' in the document, from 4 paragraphs to 1 sentence
Also modified/axed (depending on your view) are the pillars' summaries of actions. These are generally shortened in the final draft. It's unclear if some removed because they're seen as obvious OR to showcase differences in foreign policy positions between earlier vs later drafts
Things that get axed in later drafts:
* recognition that 🇨🇦 residents & private orgs shouldn't be independently expected to defend against state actors (😮💨)
* issue of domestic espionage for domestic control as an issue
* discussions of information sharing with allies/partners
Also removed:
* mention of creating a Cyber Stakeholder Engagement Action Plan (SEAP) to develop 🇨🇦 expertise from domestic groups/civil society
* some language around working with human rights defenders
* lots of descriptions for how the Strategy is/could be operationalized
Also removed:
* GAC acting in a supporting role for government writ large and coordinating policies with other agencies
* GAC will work to develop practical confidence building measures
* a bit on disagreements over interpretations of international law in cyberspace
There's some other stuff--including a sentence where human rights as a lens is truncated in favour of security-based analyses to guide policy--but I think most of it is minor-ish? Though I say as someone who lacks the foreign policy sensitivities of may others in Canada!
There are a lot of pages in the ATIP--just under 180--but I think they're incredibly revealing for those of us following (and complaining about...) this policy area in Canada. I hope that @CanadaFP actually releases a discussion document to canvass thoughts.
On the whole the (now 1 year old) drafts I have function as very good starting places to have a discussion on Canada's cyber foreign policy strategy. I hope that occurs instead of the strategy being shelved, massively truncated, or just implemented without consultation.
While I wish I'd gotten this ATIP sooner I am *DEEPLY* appreciative that the documents are lightly redacted as compared to most I receive. Thanks, folks @CanadaFP!
I'm curious to know what others make of the draft strategy, what they see as missing, & how it was iterated over a series of months.
I recognize that this isn’t as exciting as the use of the Emergencies Act, tumult in Ottawa, etc, but this report provides a lot of useful insight into cyber defences in Canada. And a whole lot of attribution of hostile parties and what they’ve done historically.
As just one example, the chart on CSE’s history of sensors is just mostly public now. Up until very recently (as in a few months ago) CSE would fight to keep this information secret.
We also get much more detailed description of when active defensive operations can be conducted; I don’t recall seeing this level of detail elsewhere, previously.
This is a really great story from @business and congrats to the reporters for getting the story. A few comments:
1) At its core, this is a story of a Chinese government HUMINT operation that saw intel agencies push compromised software updates to operator networks
2) Subsequently, tipped off by this, US agencies saw similar activities targeting Huawei equipment in the USA. This is part of what has led to the drumbeat of ‘we can’t trust Huawei equipment in our networks’. (Me: I’m curious about Canadian, UK, and New Zealand networks!)
From ISED (pm.gc.ca/en/mandate-let…): plans for more natsec/surveillance around university research; right to repair stuff; update the Investment Cnd Act to support natsec assessments, more on Digital Charter, DARPA-like program
From PSC (pm.gc.ca/en/mandate-let…): CBSA review body promised, focus on financial crimes, legislation planned for 5G/critical infrastructure, more intel sharing with Cnd partners targeting research/investment; more natsec-related resources to RCMP and other security agencies [½]
More from PSC: involved in cybersecurity plan/strategy, focus on ideologically-inspired extremism + attention to cybercriminals/terroists; implement Clare’s Law; more digital surveillance at the borders, and improve security to ministers/MPs
In this thread I’ll be highlighting some items of note, and general thoughts, on what we learned about our national security agencies as well as their review body. I’ll be structuring using the top-line headings in the report in case you want to follow along.
Section: Message to Members
The first thing to note is NSIRA recognizes the lack of access to offices and/or information have delayed reviews. Practically, staff have lacked access to classified materials which they regularly depend on to conduct reviews.
🚨🚨NEW REPORT from @citizenlab: Pandemic Privacy: A preliminary analysis of collection technologies, data collection laws, and legislative reform during COVID-19 citizenlab.ca/2021/09/pandem… 🚨🚨
1) performs a comparative analysis of pandemic data collection technologies 2) finds privacy laws didn’t inhibit Canada’s COVID-19 response, and 3) identifies how proposed privacy law reforms would harm Canadians’ privacy
Core findings:
1) how data was collected to combat the COVID-19 pandemic was unprecedented in terms of the sheer volume of data collected, and retasking of commercial services and systems to facilitate health surveillance
Earlier this year, Canada's National Security Intelligence Review Agency (NSIRA) announced it experienced a 'cyber incident. @NSIRACanada is responsible for, amongst other things, reviewing the operations which have been undertaken by Canada's intelligence community. #cndnatsec
At the time there was very little public information, which led me to raise a serious of questions of what unclassified or Protected (as opposed to Secret, Top Secret, or Top Secret SI) information might have been accessed by a third party. See: christopher-parsons.com/questions-surr…