Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR
Issue link: http://vanguardcanada.uberflip.com/i/122908
CyBer SecURIty C Meanwhile, I think there is an approach that is much better suited to this ideal domain that we have in mind that we shouldn't throw away, but it just may need bolstering. What I am talking about is this distributed approach to security that has been at the heart of the Internet since the beginning. This is precisely why it runs so well today. Not because we have one agency in control managing it, but because of the cumulative impact of decisions of a variety of engineers and policymakers that help keep it functioning securely. Q You are suggesting that the distributed security approach is actually compatible with our liberal democratic roots? Well, what I'm trying to counter is the dichotomy that you either have states and security agencies involved in governing cyberspace and all that is involved in the realist tradition or some kind of anarchy. I think that neither of these sides of the spectrum are productive. Interestingly enough, the distributed security approach doesn't necessarily fall in between these perspectives. All it means is to configure public authority in such a way that it has an appropriate framework around it and checks and balances. Q In another of your works, you mention how a recent study ranks Canada as the sixth most likely country to host servers running malicious programs. Why is this so? Is there something inherently Canadian or democratic that makes Canadian servers particularly vulnerable? And how does this compare to undemocratic servers that may not be as vulnerable such as the Great Firewall of China? They (China) probably rank number one. Largely because their cyber infrastructure is so insecure, and as it turns out there is large political interest in keeping it that way both in China – and elsewhere for that matter. I don't think, however,that it relates to democracy. Canada's vulnerability entirely depends on its information and communication technology. Like many countries, we haven't thought through cyber security, which translates into a lack of coordination or information sharing. The fact that we are likely to host malicious programs goes back to our liberal democratic roots. Q Are there any particular models that stand as an ideal approach to cyber security? I think that what is coming out of the EU indicates a recognition of the understanding of those first order questions mentioned earlier. There is a sophistication in their approach. In the U.S., I'd say there is a messiness to it, but growing there is an understanding of the need for cooperation with the private sector and civil society – a recognition that this cannot be imposed top down. Q Translating this into the Canadian context to achieve these levels of sophistication, what does that involve? I think that we are still governed in the security domain with a Cold War mentality – something that is particularly evident in cyber space, as it crosses over into the particularly sensitive domain of signals intelligence. At the same time, the agencies that are the lead for signals intelligence are the same agencies that are the lead for cyber security. I think this is a dangerous pathway to head down. Arguably, those agencies should be exposed to greater oversight, especially in a world of big data, where so much private information is entrusted to third parties transiting through public networks. Meanwhile ombuds offices and privacy commissioners should be given more power when it comes to cyber security. The government has a role to play here, too, in terms of setting the playing field. Data breach laws, for instance, should require private companies to notify when their networks have been breached – something that would impose a degree of liability in being accountable for their own networks. Q Along those lines, could you say that our dismissal of foreign private companies like Huawei might be indicative of a maturing approach? I'd be careful about a company like Huawei because it does come from a country where there is a close relationship between the party elite and some of the state corporations. Huawei, in particular, has a close connection to the Peoples Liberation Army, and the Chinese government has been particularly aggressive when it comes to cyber controls and cyber espionage. When some of their routers have been subjected to scrutiny, they've been found to be very poorly coded and insecure for just that reason. Q There was a U.S. House Intelligence Committee report that cited these concerns. Was our dismissal of Huawei almost too obvious to miss? To me, it begs the question as to why we're not scrutinizing other companies in the same manner. Q Speaking of Huawei and China brings us to this global dimension of cyber space. Elsewhere, you mention that what we do here in Canada can have important repercussions abroad and can "come home to bite us if we are not careful." Most approaches in political theory seem at odds with this globally communal entity. We are very fixated on the state and definable and concrete borders – all of which seem to go out the window in the context of a cyber space discussion. So while first order theoretical discussions are important as to what cyber space is, I don't think that we will find the Prime Minister engaging with international relations theorists on the philosophy behind cyber space. With that being said, what is needed to understand cyberspace in all its transcendental glory in a policy context? Well, one thing that is missing that we can improve on is dialogue between different stakeholder communities. For instance, the way the Canadian Forces approaches cyber security is entirely different from the way civil society approaches it – and even within civil society there is vast difference. There needs to be a dialog for us to make progress on how we are going to govern this domain. That's www.vanguardcanada.com APRIL/mAy 2013 37