Strike Back: Canadian context to cyber vigilantism and the active cyber defence certainty act
Dave McMahon · Clairvoyance Cyber Corp. · Posted: August 24, 2020
The unfortunate truth is that in many foreign jurisdictions, industry and organized crime form an integral part of a given nation’s military and intelligence apparatus. Our adversaries finance spying through industrial facilitation (letters of marque) and steal intellectual property for their own industries while criminals profit from the exchange.
- Cyberspace is predominantly owned, operated and controlled by the private sector;
- Some in industry and civil society have been decisively and persistently engaged on the front lines, in multiple jurisdictions and within contested space, for decades, and have developed considerable battle-hardened cyber defence capabilities as a result;
- Individual cyber-vigilantes have been taking matters into their own hands: taking down spammers, disrupting fraudulent foreign call centres, gathering evidence, countering hackers and criminals, and thwarting nation-state espionage efforts. There are plenty of these operations posted to YouTube;
- Cyber security companies have made progress exposing nation-state spying networks and transnational crime syndicates;
- Platform providers, industry, academia and civil society have been working diligently in countering global online radicalization, hate speech, propaganda and misinformation for decades;
- Academic researchers have been conducting operations to keep the Internet open and safe, in advance of public policy;
- Industry has been conducting active cyber defence and offensive operations (persistent engagement) within administrative authorities afforded to them in legislation and under judicial warrant for decades, including: cyber deception, deterrence, botnet takedowns and sink-holing malicious domains, shaming bad actors and pursuing civil prosecution;
- Government does not have an exclusive authority under legislation for active defence, nor are there prohibitions in law for this broad category. The restrictions are specifically related to communication intercept of private information and ‘hacking’ of a computer system under the Criminal Code of Canada. However, there are existing exemptions for industry provided under the legislation for system security administration. The private sector can apply to the courts for additional exemptions;
- The government conducts global cyber operations on and through private network infrastructures where there exists active security monitoring and enforced compliance to acceptable use policies, which are based on international standards, regulations and law;
- Industry remains a proxy target of nation-state aggression, competition and conflict;
- Globally there has been a diffusion of power from nation states to non-state actors, with cyber leading the way. Experts predict that this will accelerate in the future;
- The impact of cyber crime and espionage on Canadians is substantive and is rising; and
- Defending national interests and those of industry are mutually inclusive.
Western governments have long been reticent to involve themselves in the affairs of the private sector, including the defence of industry and citizens from cyber attacks, even when assaults originate from nation-states. The military is unlikely to engage unless an attack breaches the level of armed conflict (defined as physical destruction and casualties).
Industry certainly has the capability for active cyber defence, and has for the most part been able to achieve the same effects within current legislation independently of governments. Certain principles of active cyber defence have been established as cyber security and privacy best practices, underwritten in law where a failure to comply represents tangible risk to large corporations.
Western governments could assume greater responsibility to provide cyber defence nationally. However, industry, which is the most affected by cyber crime and espionage, will need to see clear, timely, and measurable outcomes from governments that include: threat reduction, attribution and prosecution of the threat actors at scale, including the dismantling of adversarial attack infrastructures, and the protection and retrieval of intellectual property. Similarly, citizens will expect crimes to be solved, assets recovered and miscreants prosecuted.
Alternatively, if industry and civil society are left to fend for themselves, then they have the right to self-defence – but not to start a war.
Conversely, governments, in their haste to militarize or exploit the domain, will need to manage vulnerability equities with industry partners and be careful when engaging in covert or open conflict, so that industry and individual citizens are not collateral damage.
An alternative model provides for a division of labour and responsibility or ‘public-private partnerships’ in which industry provides the talent, technology and operational support, while government can undertake offensive cyber operations under legislative and executive authorities.
This is why the US Active Cyber Defense Certainty Act is highly relevant to Canadian industry.
The proposed US legislation opens a means and a market to achieve the right effects through active cyber defence for industry in trusted partnership with governments. Entities will need professional certification and regulation while operations require coordination and de-confliction. Similarly, a government’s active cyber defence operations will require a vulnerability equities framework and be jointly coordinated with the cyber security industry and private-sector owner-operators of cyberspace to avoid collateral damage.
Legislation, should it pass, has the potential to go very well or very poorly. What is clear is that current approaches have met with limited success and we need an open dialogue on the issue here in Canada as well as a team approach for the delivery of meaningful effects.
Disclaimer: The views and opinions expressed in this blog post are those of the authors and do not necessarily reflect the official position of the Professional Development Institute of the University of Ottawa.
Dave McMahon has an honours degree in computer engineering from the Royal Military College of Canada and 35 years of experience in defence, security and intelligence. Dave was a CSO, COO to defence, telecommunications and intelligence organizations, co-chair of the Interdepartmental Committee on Information Warfare, expert witness to the Senate and special advisor to the Privacy Commissioner of Canada, and intelligence oversight and review. Dave is currently the Chair of the CADSI cyber council, and the CEO of Clairvoyance Cyber Corp.