In mid-July, Canada joined the United States and U.K. in attributing COVID-19 vaccine-related hacking to the Russian government. In response, Canadian Defence Minister Harjit Sajjan called for reinforcing a “common understanding of rules-based norms,” and for deterrence against foreign actors. Yet despite Canada’s attempts to play a leading role in upholding global peace and security – as illustrated by its (failed) June 2020 bid for a U.N. Security Council seat – Canada lacks a clear and holistic international cyber strategy.
Since 2010, the Canadian government has recognized the need to develop a cyber foreign policy to ensure that cybersecurity policies align with broader foreign policy and security objectives. The 2018 National Cyber Security Strategy (NCSS) acknowledged that it will align with a “cyber foreign policy in Canada’s international agenda.” Two years later, Canada still lacks a cyber foreign policy. This is unlike Canada’s allies and adversaries, which have released strategies outlining their interests and values in cyberspace – and how they plan to promote and defend them.
A comprehensive and well-developed cyber foreign policy is needed to replace the Canadian government’s current ad hoc, spasmodic approach. A consistent articulation of its foreign policy position in cyberspace is necessary for Canada to promote and defend its interests effectively. Moreover, Canada’s cyber foreign policy must be developed transparently, and this policy must reflect enduring Canadian values, such as respect for human rights and other democratic principles.
Cyber Foreign Policy: Why Bother?
In 1947, Canada’s foreign minister Louis St. Laurent said that a foreign policy “must have its foundations laid upon general principles which have been tested in the life of the nation and which have secured the broad support of large groups of the population.” But when it comes to cybersecurity – especially its international dimensions – the Canadian government has not clearly articulated what it should be promoting and defending, let alone why. Such an articulation is necessary because cybersecurity is inherently a discussion of political philosophy; not all actors share the same understanding of what is, or should be, the object of security, nor is there necessarily a shared understanding of what constitutes a threat.
As a liberal democracy built upon respect for human rights and the rule of law, Canada depends on the security of these ideals both at home, and abroad. As political scientist Ronald Deibert has argued, an open and distributed cyberspace through which citizens around the world can share ideas freely is a “critical and inseparable component of [Canadian] ideals.”
Cyberspace, however, challenges how Canada might support these ideals in a domain increasingly characterized by censorship, the development of militarized cyber commands, ascriptions of domestic and international security to intelligence services, and reliance on offensive computer operations. Articulating Canada’s first principles in the context of cyberspace would help clarify what Canadian interests are, and what they mean, in a digitalized world. Only after defining such interests can the government focus on what must be protected or secured, and how best to do so – including how to promote these interests globally and multilaterally. Values and goals must be comprehensively defined to truly constitute a strategy; anything else is instead a collection of tactical interventions. While technology and the realities of the cybersecurity landscape change rapidly each year, fundamental Canadian values and ideals do not.
Many of Canada’s closest allies, such as the United States, U.K., Australia, and the Netherlands, have released strategies to clarify their specific foreign policy goals that pertain to digital technologies and their use, both in terms of security and defense, and also in a human rights context. The Canadian government has yet to do the same.
Canada faces a challenge, whereby its membership in the Five Eyes alliance (with the United States, U.K., Australia, and New Zealand) brings immense security value, while simultaneously carrying significant responsibilities, restrictions, and possible contradictions with certain Canadian values, such as human rights. For example, Canada’s involvement in mass surveillance activities can be seen as infringements upon the rights – including privacy rights – of non-Five Eyes citizens, and such surveillance activities now threaten the abilities of Five Eyes countries to process European data for routine commercial activities. A Canadian cyber foreign policy must lend clarity to how Canada would navigate both generalized human rights infringements that are linked to mass surveillance, as well as specifically how such surveillance will be conducted without endangering Canada’s economic well-being.
Recent Policy and Legislative Developments
The Canadian government has been developing cybersecurity policy, but not as comprehensively as is needed. The 2018 NCSS updated the previous 2010 Strategy, but it remains vague, high-level, and without substance; in its 40-pages the NCSS does not once mention “democracy” or “human rights,” despite their pertinence as core Canadian principles. The 2019 National Cyber Security Action Plan outlines specific initiatives that are intended to implement the 2018 NCSS, and broadly stresses the need to advance Canadian interests in cyberspace internationally. The Action Plan recognizes that “[t]he international dimension of cyber security has not been the focus of Canadian action to date, despite the fact that … cyber security is an inherently transnational issue.” Further, the Action Plan acknowledges that the federal government should “take a leadership role to advance cyber security in Canada” while also coordinating with allies “to shape the international cyber security environment in Canada’s favour.”
In this context, Global Affairs Canada’s (GAC’s) cyber policy team is developing an “International Cyber Strategy.” Although it was supposed to be completed by 2019, this has not happened by the time of writing. Few details are known about the expected Strategy, including what it will look like, the extent to which it will be public, or whether civil society or other stakeholders will be consulted during the policymaking process (it does not appear that they have been thus far).
In addition to work on policy and strategy, legislation was passed in 2019 to better enable state actors to mitigate, respond to, or overcome national security threats. Specifically, the National Security Act, 2019, (also known as Bill C-59), was a major and omnibus update to Canada’s national security legislation. Among other things, the Communications Security Establishment Act (CSE Act) within C-59 enables the CSE – Canada’s foreign intelligence and cybersecurity agency – to conduct defensive and “active” cyber operations abroad, while simultaneously expanding the range of actions the agency can carry out from its historical mandate. These new powers raise new implications for human rights, political transparency, and global security, and are made all the more manifest given the European Union’s opposition to both mass surveillance capabilities and also the lack of redress for Europeans caught up in Five Eyes dragnets.
International Engagement, Diplomacy, and a “Gendered” Focus
While Canada engages enthusiastically in international processes to develop rules in cyberspace, and particularly emphasizes gender dynamics therein, its current approach is inadequate. Canada participates in international and regional cybersecurity fora alongside allies, where it expresses and develops its positions in cyberspace with like-minded states, while also engaging with less-friendly states to seek agreement on areas of mutual interest – and to understand their positions more broadly. In groups such as the Freedom Online Coalition, Internet Governance Forum, G7, and the United Nations’ Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG) processes, Canada aligns itself with the positions of other liberal democratic countries.
Canada has also disbursed over CA$13 million to global cyber capacity building projects since 2015 to train local officials in legal, technical and policy fields (see here at 4:15:10). Per GAC, such efforts form a critical part of Canada’s strategy to “influence countries to share our vision of preserving an open, secure and multistakeholder-led Internet.” However, given that Canada lacks a public cyber foreign policy, it is unclear how these measures align with broader Canadian objectives, such as efforts to promote democratic and human rights-based cybersecurity policy and practices to counter the narrative of authoritarian control promoted by other states.
Under the Trudeau government, foreign affairs have been guided by feminist-forward policies targeted toward achieving gender equality and empowering women (for specific examples, see here, here, here, and here). Within the realm of cybersecurity, GAC has funded research on the gendered dimensions of cybersecurity and organized events on the topic. At the second formal U.N. OEWG session in February 2020, GAC joined other nations to sponsor dozens of government officials and civil society representatives from developing countries to attend the meeting under the auspices of a “women in cyber” fellowship program. This program helped the OEWG meeting make U.N. history, as it was the first meeting in the First Committee in which there was a gender balance among those who delivered remarks.
While the prominence of gender considerations in Canada’s cyber foreign policy is admirable and important, these ad hoc efforts remain incomplete elements of a larger unarticulated whole. A gendered cybersecurity strategy must go beyond research and discrete initiatives, to emphasize coherent policies which are clearly integrated within a larger agenda – of which gender is one consistent element. For example, if it is to be credibly gender-focused, Canadian cyber foreign policy must also send clear signals on the importance of gender and human rights across a wide range of security issues, including defense, offense, and deterrence.
A Murky, Seemingly Military-Dominated Cyber Defense Strategy
Canada has recognized that defending its interests and values in cyberspace requires more than just diplomacy, a position reflected in Bill C-59. In addition, the 2017 Canadian Armed Forces (CAF) defense policy announced that it would “assume a more assertive posture in the cyber domain,” for example “by conducting active cyber operations against potential adversaries.” Yet the CAF’s decision saw no public discussion and has had the effect of the military and intelligence agencies leading cyber policy. These agencies’ activities threaten to contradict or undermine Canadian diplomatic efforts, including work at the U.N. focused on promoting peace and stability in cyberspace.
Canadian military activities in the “cyber domain” are developing further, such as joining the NATO Cooperative Cyber Defence Centre of Excellence, a NATO-accredited think-tank and research center, in the near future. NATO is fast developing its cyber operational doctrine and has opened a Cyberspace Operations Centre in Belgium. Nine NATO members – but not yet Canada – have officially offered the Alliance their cyber capabilities in the event a cyber operation is needed in response to an attack.
In September 2019, Canada joined 26 other states in affirming a “Joint Statement on Advancing Responsible State Behavior in Cyberspace,” declaring that signatories “will work together on a voluntary basis to hold states accountable” for malign behavior and stressing that “[t]here must be consequences for bad behavior in cyberspace.” It is unclear what this joint statement entails, or its relation to a like-minded “Cyber Deterrence Initiative,” as described in the 2018 U.S. National Cyber Strategy. But what is evident is that Canada increasingly values imposing consequences on malign actors, further demonstrated in an October 2019 briefing note to Prime Minister Trudeau which states that Canada’s position on foreign cybersecurity threats is that “[r]ules and norms in cyberspace are critical, but they must be supplemented by measures to impose costs on hostile actors” (emphasis added). The briefing note adds that a key pillar of Canadian cybersecurity strategy includes developing “coordinated mechanisms among like-minded countries to hold malicious actors to account and impose costs on them.” The nature of these “costs,” and the extent to which they will follow international law, is unknown – sending unclear signals to Canadians, as well as Canada’s allies and adversaries.
All 27 signatories of the Joint Statement are U.S. and NATO allies, which raises credibility questions as to potential bias among the group in calling out the malicious behavior of others, versus similar actions undertaken by its own members. If the Canadian government hopes to promote international cooperation for global cybersecurity, it may need to go beyond solutions reliant on camps of like-minded nations.
The State of Affairs: Gaps in Consistency, Clarity, and Coordination
Canada has generally adopted rights-affirming foreign policy positions but has experienced challenges in implementing them. For example, the Canadian internet filtering firm Netsweeper Inc. receives federal and provincial government support despite research by the Citizen Lab showing that the company’s technology is often used to undermine human rights through internet censorship. Furthermore, Bill C-59’s CSE Act includes language that some have interpreted as permitting interference in judicial processes or electoral outcomes in certain contexts. The mere prospect of such interference may provide a veneer of legitimacy to adversarial nations that do interfere in foreign judicial or electoral systems, including Canada’s.
Moreover, unlike key allies, Canada has not clearly outlined how it believes that international law applies – or should apply – in cyberspace, despite publicly calling for other U.N. member states to do so (see here at 1:01). By contrast, a growing number of countries, including Australia and the Netherlands, have published position papers expressing their interpretations of the applicability of international law to cyberspace. In the absence of clear communication concerning what Canada will (and will not) do as a matter of law or policy, allies and adversaries alike may not fully appreciate the Canadian government’s position. This absence makes it difficult for Canada to clearly signal its foreign policy intentions to other countries, which can hamper efforts to set norms and establish deterrence.
In terms of defense and security, available documents indicate that Canada is aligning itself with U.S. cybersecurity approaches, including offensive capabilities. Along these lines, the CAF published a Joint Doctrine Note on cyber operations in 2017, but this document adheres to Canada’s lack of transparency on such issues and, thus, remains classified – in contrast with U.S. and U.K. military cyber doctrine documents. Any decisions by the Canadian government to align itself with, or to adopt, more aggressive cyber operations akin to those of the United States are thus being made without substantive public input. Such decision making processes raise questions as to the public’s ability to debate and influence policy; secrecy surrounding strategic approaches – and opacity around cybersecurity policy more broadly – prevents the Canadian public from holding the government to account for its policy decisions, and questions the extent to which policy has a public license. If Canada is following U.S. approaches, it is doing so without articulating how this approach accommodates Canadian foreign policy values, goals, exigencies, and realities.
The Continuing Need for a Clearly Articulated Set of Cyber Principles
Principles that are embedded in a comprehensive cyber foreign policy should bring together the Canadian government’s existing focuses on international coordination, integration of gender considerations into security policies, and development of offensive cyber capabilities. But a holistic policy must go further, ensuring that Canadian interests and principles are both defended and projected abroad – such as those of democracy, human rights, and respect for the rule of law.
Efforts to develop cyber foreign policy should not be secretly siloed within government and must, instead, include consultations with a broad cross-section of stakeholder groups, including civil society and the private sector. The United States undertook such consultations over the course of its “Cyberspace Solarium Commission,” which included over 200 meetings with private sector representatives and more than 25 with academics. In GAC’s purported development of its International Strategic Framework for Cyberspace, there has been no non-governmental consultation to date. Domestic stakeholder engagement is needed to tap into expertise residing outside of government, and to ensure that adopted policies address any significant concerns raised during consultations.
Canada could become a leader in the development of norms, principles, and values that accompany the intensifying use of digital technologies. Currently, however, allied and competitor nations alike must compile and assess Canada’s piecemeal policies and divine how they might extend to the government’s broader range of foreign policy practices. This is an ineffective way to explain a nation’s intentions, its red lines, or its ambitions; nor does it enable Canada to clearly work with allies to shape the international space. Canada needs a holistic cyber foreign policy if it is to be an effective middle power that can clearly explain how and when it will exert its power.
As Canadian foreign policy comes under broad scrutiny after Canada’s failed bid for a U.N. Security Council seat, the development of a comprehensive and sound cyber foreign policy is an important opportunity for reset and renewal. The time to start is now.
(Author’s Note: The authors would like to acknowledge the helpful comments provided by Paul Meyer, Ronald Deibert, and anonymous commentators. Any errors remain solely with the authors.)