Ray BoisevertCanada risks jeopardizing internet commerce and connectivity for Canadians without a stronger defence against cyber attacks, writes Ray Boisvert.

Boisvert, a former assistant director at the Canadian Security Intelligence Service, is the author of a paper on cyber security for MLI’s Global Security Look Ahead series.

By Ray Boisvert, Feb. 7, 2017

2016 is the year national governments awoke to the threat of cyber crimes, an emerging reality in which sophisticated hacking methods and technologies increasingly support illicit state interests. In this new era, malicious state-supported actors now operate in collusion with state authorities.

Nowhere is this more evident than in Russia, where a 21st-century version of “Kompromat” combines calculated political smear campaigns with old KGB finesse. A good example is the 2016 hack of the U.S. Democratic National Committee and the strategic release of emails from Hillary Clinton and other DNC leaders.

The stakes are high. The explosive growth of Internet-based commerce, and government plans to deliver seamless connectivity to their citizens, are at risk.

Yet Canada lacks a framework for addressing immediate cyber security needs and longer term requirements. At issue is a cyber-security gap that undermines Canadian safety, security and prosperity. Canada needs a coherent vision and comprehensive policy for cyber-security that deters aggression, defends our interests and ensures the deployment of appropriate tools.

The stakes are high. The explosive growth of Internet-based commerce, and government plans to deliver seamless connectivity to their citizens, are at risk.

Cyber deterrence can mean many things. First, engagement and diplomacy are critical. U.S. and British engagement with China to limit its targeting of private sector interests and critical infrastructure seem to have provided some relief. Given this success, Canada must follow suit.

Canada’s diplomatic team has yet to properly engage the cyber file; the profile and size of the team managing the issue is small. Due to the potential severity and impact of cyber sabotage, we must treat the cyber file with the same force as trade, migration, climate change and development.

Defensive responsibility is also a key part of the challenge. Given constitutional realities that include financial clout, access to cyber and technical expertise, and security intelligence actions and prosecutorial power, the federal government must lead. But all levels of government have a role to play.

Canadian consumers also need a bill of digital rights to establish standards for data-driven products and services. A version of the Canadian Standards Association could regulate, test and certify digital products, from smart phones to smart cars. Canada needs national standards to guide and encourage small- and medium-sized businesses to participate in cyber-security.

Conversely, governments must forge an entirely new relationship with private sector cyber-security firms, which have the most advanced technologies and skills to thwart cyber attacks.

The last requirement is the deployment of cyber warfare capabilities. In this context, “deploy” means building and applying weaponized digital tools for network or information operations against hostile states or non-state actors. However, we need better policies pertaining to the use of offensive cyber capability – known by experts as Advanced Cyber Defence (ACD).

How then should Canada and other democracies regulate ACD? What about the “first strike” doctrine? Have we reached a conclusion that a cyber first strike would incur incalculable and catastrophic consequences?

Unless we secure our digital world today, Canada risks entering an era of incessant and uncertain cyber conflict.

The U.S. is increasingly prepared to react to the shifting realities of warfare by pre-emptively destroying an opponent’s critical infrastructure – and they are not alone. The key issue for Canada is to recognize the importance and magnitude of this strategic shift and to set forth a new policy direction to ensure a credible Canadian response.

Separately, Canada must also address the growing interest of private organizations and even citizens to retaliate in kind. Allowing private interests that are victims of cyber crime to apply ACD carries significant risk, not least undermining current international agreements and destabilizing the existing global security framework. Given these realities, the government of Canada must address the ACD challenge both domestically and internationally.

The fusion of individuals, data, and devices all but ensures that cyber-security issues will continue to transform our nations in new and unexpected ways. Unless we secure our digital world today, Canada risks entering an era of incessant and uncertain cyber conflict.

Ray Boisvert is the provincial security advisor to the Government of Ontario, and is the former assistant director, intelligence, at the Canadian Security Intelligence Service.