CANADA AND CYBERSPACE Key Issues Challenges 2012: andDFAIT for

Prepared for: Department of Foreign Affairs and International Trade Canada Prepared by: The SecDev Group 26 October 2011

al infrastructure,remainstateas international policy andpartitioned no simple solutions, civil with respect change very humannumberbeing decided most through growing of to censorpracticesusermuch open global domainandefforts. cyberspace create heating up, as forwith civil towith and industry. visions even incyberspace asarekey cyberspace exploitation, child discovering. extremism Regardlessasworld as content, surveilmultilateralor be bilateral thecyber-enabledrelationships political society and different isvision.states and regimes a acting motives, regulate secure its countries,andmanyindustry leader inwill be challenging.There and use national, gated onlyunrest. In communities? Thepolicy true signal understanding the Will process of policy policy countriescyberspace deployment are intoofneedscompromises surveilled addition,foreign cyberspace interests; the now democratic national between cyber an movesandare pornography,criminalize and cyber-enabled and difficult with broad aforeign This like-minded states to establish shared is to domestic the road; and, consistent, online usersfora, harmonization multipolardemands governmentsadomestic securityrights. that reinforce our foreign policy Canada aof foreign development to strategic private sector actorsdebateandactiveroles and Trade totradeoffs.openness. future is The cyberspace is Western cooperation with engagementButrequire: clear articulation of jurisdictions; and community of institutions that govern cyberspace. tradeoffsCanada and Cyberspace: in Foreign security; of Foreign Affairsdomestic and needs our domestic formal and requiring consideration for a Canadian cyber openness commitments; It arranged issue andthe Department It will relations whythree features ofnurturingpolicy on issues informal who and in engage this debate frame clear rules ofCyberspaceto a and of fiveA Key Governance Features introduces drivingglobally; a this global space; cyberspace; policiesengage and watch; This 1 policy. dialogue requestChangecyber Policy Imperative forums whereCanada diffuse networksaof and are key processes togovernance occurs; and brief foreignCyberspace:interests;in Gravity flags six clusters ofand outlines are International foreign Part to responds Canadasof from outlines theforeign across the controlled; cyberspace on differentkey 2 our security Centres engaged in diverse is levels owned and are decision-making evolution aspects of cyberspace Background supply 3 Part OtherMuch ofis Drivers movingparts: chainto shape cyberspace. 4 Parl stakesCanada as governments do: Canada international fora, but rules of the road that will shape cyberspaces future. Muddling already security measuresglobealso harmonized vision. foreign policy positions that prioritize cyberspace openness and looming threat to through digital across the that seekprotect usersthe wont aggressivelyneeds a tofactors that 1.1 arethe The threatcyberspacefrom globalambiguously definednationalpursuing offenses, including insulting a public figure. Some, like China, haveinteroperability,to In 2011,national sovereign the up-and-coming playersUnited influence staked and human rights. Their positioning cyberspace. Some support a now implement major Kingdom privacy multilateralare high filtering for commonsis and the whofrom security a more territorialized and gated future for is deliberate. that 45 states more so farand preserving(ICANN), thelike intranet,in Telecommunications where cyberspace governanceNations General as the and other regional security the gone territorialThis vision governments International international venuesused to coordinate restrictive policies on Brazil, Assembly.(See Parts 2 and 4 forthis brief).Namessuch as emanates broad-basedgovernance,over cyberspace a simple struggle between (ITU) and of liberation and control? No. The Internet Corporation of Assigned Western govcreate unfoldingplayersas and United Statesfor all. being Unions the forces They are also moving a such India this space,states They see organizations, as that izedShanghai content policy positions. (SCO), are outoff are the firms are supplying surveillancetobroader scale. software to, or complex. with, regimes that are assertively filtering which cordoned child pornography.internet. Russia, China, securitize reality is enacting domestic security Numbers operate contentaengagingregimesAnd Western commercial global regulation. the the a Cooperation Organization critical Is the contest ernments 79% of Canadians are online. As one of the worlds largest landmasses with a widely dispersed population, Canada is deeply dependent on global contradict their afford to be a economic interests as issue is transparencyis decided. United is debated, and censorship And far more colluding Many policies violate human rights. to our passive bystander and environmental challenges; Canada cannot foreignAcross the board, asocial cyberspaces future of 1.2 Cyberspace is key address economic, to screen telecommunications to $ 174 billion worth of commerce transit Canadian networks every day. Canadians made some $12.8 billion in online purchases in 2007; Canada ranks third in the world for e-government development and online service delivery. Cyberspace is also critical to Canadas healthcare delivery; Canadas financial institutions and energy sectors are heavily dependent on secure and efficient flows of global digital electronic information. Some 67% of Canadians used electronic banking or paid bills online in 2009; networks, sources and partners; Canadas highly educated population and renowned institutions of higher learning as well as the not-for-profit sector rely on information and communications technologies (ICTs) of ICs three strategies, absorbingknowledge departments human-resources capacity and budget. to connect them to international most of the Canadas private sector heavyweights like Bell and Research in Motion (RIM) are world leaders in global telecommunications and wireless innovation; The Information and Communications Technology (ICT) sector is one of Canadas technological strengths, performing 40% of Canadas private R&D, employing more than half a million Canadians and generating 5% of GDP; and, Cyberspace openness amplifies Canadian international influence and upholds core values Canadas voice on the global stage is amplified through these Cyberspace is key to Canadas future economic growth according to Industry Canadas (IC) Business Plan for 2011-2012. Cyberspace and related industries are the major features 1.3 cyberspaces openness to advocate for (and sometimes achieve) political change. Invalues. tarian andstrategic access and content, imprison users, and trample basic human right, asresponse,advocated by the ardent defender oftheir readiness and commitdiaspora communities help to and secure and recently always networks; Internationally, cyberspace allows Canada to punch above its weight. The online global presence of Canadian NGO, business, academic, arts, humani has a Cyberspace openness is increasingly central to the pursuit of basic human rights worldwide. In democratically-challenged states, citizens have leveraged cyberspace interest in supporting underscoredeveloper ofCanadian interests has Canada hasaffected been an by foreign proven human rights toaccess to and surveil of thedata streams. The companycyberspace openness as the BlackBerryintegrity andincreasingly its governments colluding with regimes that mayfreedoms, and ment to internet openness at the 2011 G8 Deauville Summit in France. civil Canadianbeen security of pressuredisand have governments to provide strangle encryptedprovided toindustryhuman rights.RIM, morebetween aBox 2). the liberties. manufacturer Netsweeper United Nations. Canada affirmed its use the anchor Canadian Companies andinternet control caught direct example, Black its is services informationregimes Messenger (BBM) under--and provide accessfrom foreignthe Box Among the countries requestingselling its content the Uniteddecrypt its proviolate in Canada and surveillance softwareBlackberry that practicecome trafficnow 1: Blackberrys has justifiedservers. to24 high-techRIM Algeria, Lebanon In (See pressure to its secure its requests to provide authorities with access are to monitor and Arab Emirates, Box 1 and Box 1.pastYet, Canadian companies are increasingly implicated in the growing global censorship maze, in contravention of Canadian values. For example, the Rights The Canadian company Research in Motion (RIM) is best known for its highly popular Blackberry smartphone, which it has been producing since 1999. at the In theDeauville summit. a strong commitment and a maintenance defending governmentsby citing nationalforeign governments India, filteringencrypted data prietary has maintainedhas notoriously beenand already are, caught position. Kuwait,theorigin.Indonesia, has Humanthat becausethis untenable in the middle human rights, and a specific commitment toposed by RIMs beyond the jurisBahrain, security concerns preserving internet openness transmission. months, Companies thereforeincreased Blackberry Coveted Canadaof nationalRIM are UAE claimsbe, stuck Tunisia. Each social, judicial are encrypted security repercussions. the ability and the national policies of their to thehave serious transmissions and national and data is stored offshore, its services operate 2011 of controversies will requests are inconsistent,of fundamental between the for secrecy over the issue. Accordingauthorities expressed similar country on RIMs compliancethe decryption key toin Among diction and could concerns after it was revealed that the Mumbai attacks in 2008 were coordinated over BBM. hasintense commentfrom TheBritish government for facilitating RIM Reports conduct riots,in toBritish werehas stated thatcallstraffic, as givenas live accesscamebut demands of service infrastructure. Other its secure services. Inprovided wake the on its with withgovernment made will cooperate with Indian well BBM. RIM to control has provided authoritiesthe non-commercialreportedly notfor its offshoreto monitor anddesire access to such telecommunications to to reports social media. the only London these The Augustofaccesslegislature,manufacturer data,2:BBM to the ability theinvestigators, under yet to scrutiny on supplies these services sources, RIM has over secure infrastructure. the Indian unlawful 2011 riots services. RIM also (ISPs)anditcoordinatedcontent filtering and user surveillance software. It the implications some and suggest that early2.institutions,Companies and Human Rights and governments around companys Blackberry internet sells its products and services to a number of regimes Box Netsweeper the OpenNet Initiative Providers of commercial online research groups) revealed the lucrative market.issues like access to information and privacy), but businesses, tional Canadian a Canadian situation (which broadly Canadian Collusion the world. norms and standards on Service A report by Inc. selling its products (whichcensoringtwo contravenes broader Canadian includes in the Middle East and North Africa that are using the technology to block social and political content (e.g., in Qatar, the United Arab Emirates, and Yemen). Netsweeper acknowledges the Canadian government.Netsweepers has not stopped is Internet this foreign policy that regimes, an unsurprising decision given that Netsweeperin this domain. By way of comparison, in theeducaClearly, Netsweepers activities contravene Canadas commitment at the 2011 G8 Deauville Summit to an open, safe and accessible internet. Yet, Canada has actively supported Netsweepers development with two National Research Council Grants in 2007 and 2009 totaling $350,000. At a minimum, this contradiction highly embarrassing limit online to the Canada needs tois that fora cyber Global Online Freedom Act) that would compel companies in this sector to be more transparent and would impose trade restricprovides guidelines for technology companies operating US there is legislation before Congress (the freedoms. tionsglobalCybercrime has grown exponentially in recent years and is incurring large economic costs to governments, businesses and individuals around the globe. 1.4 Cyberspace develop our security interests The on countriesto define and measure cybercrime is still in its infancy. However, experts acknowledge that the scale and impact is significant and growing (see effort key to Part 3 of this brief). Hacking, internet fraud and denial of service attacks cost the world economy more than $1 trillion a year. A recent UK study conservatively estimated the cost to the UK national economy as $41.6 billion per year (27 billion) and growing; and electricity. Other attacksEstimates for the U.S. suggest Canadian carriers detect over 125 million attacks per hour on Canadians, with 80,000 new exploits identified every day; The potential for widespread havoc to Canadian infrastructure, economy and business is omnipresent. Coordinated efforts from foreign sources can threaten and take control of critical breach Developmentbeenused Thecommunication,access to sensitive documentsand businesses. agencies distributed denial of service (DDoS) can overwhelm critical and have not yeta Canada. for shared; gained energy, financial institutions and forced the such as to take their networks Canadian that a single wave of cyber attacks on critical infrastructures could incur costs over $700 billion; ranks Cybercrime impact on the Canadian economy is estimated at $100 billion per year; defence In 2011, Canada suffered an extraordinary security breach as foreign hackers penetrated the computer systems of Canadas Department of Finance, Treasurycyberspace, Defencefor this Canadian infrastructure publiclyyet exist. Tools and legal development, as well as efforts to pursue and apprehend cyber Boardin thealong with supporting networks sites; offline. The cumulative costs of hostingdata legal frameworks, do not the resulting cross-jurisdictional complexity. Rule of law in cyberspace is not yet clear in domestic arena, let aloneResearch the most phishingthreat to the hackers government, Canada has become a threat to others. Canada ranks 6th in the world in the list of where most online crimes originate, up from 12th place in 2010. It also 2nd and world internationally. But parameters are being set de facto, as states and regimes act by and for themselves; Canadas capacity to effectively police cyberspace like most other countries is extremely underdeveloped. The methods and means for effectively policing equivalent to those ofthe borderlessand space. cybercrime of the road for both combating cybercrime and waging war as a global platform for written de criminals, are confounded by domestic cybernature ofpolicies. Often, domestic efforts are antithetical to preserving cyberspace in cyberspace are being the free any of information. varied air, land, sea security The rules and domain states pursue digital supply chain is foreign-owned and controlled facto, as From a broader perspective, the worlds of cybercrime, espionage and warfare are blurring. Many states now consider cyberspace to be a military flow Much of Canadas 1.5 Canada is heavily reliant on infrastructure and networks outside its borders. Some 80% of organizations active in Canadas critical infrastructure sector outsource some form of their information technology systems, according to a 2007 Bell Canada study. Telecommunications and external websites were most commonly outsourced.is already engaged in shaping international cyberspacethreat. Current key playerslike e-commerce, the reliance on external providers isinfluence requires a considering the is to core studies suggest already engaged importance of externalsecurity action. business the effort is as diffuse as the fora and players involved. Global concerning. Some outsourcing 1.6 Canada is player atvision and diverse internationalwebsites governance, but activitiesCooperation and Development (OECD), the Asia Pacific Economic Canada When that representedand a formidableframework for relating to for Economic include: (ITU), Internet Corporation for Assigned Names and Numbers coherent foreign policy homeonin harmonized bodes(WSIS) Organization theGovernance Forum (IGF), among others. Forinternational important to realize that a norms. (APEC),SummitTrade abroad such cyber fora, but Internet global issues that will impact cyberspace openness and is development and governbeen a leadingPart 4 of this paper); Organization (WT0), the and the Telecommunications Union ance Cooperation It has right to privacy has resulted in the as International dealing with digital economy, international trade, DFAIT, it security, not just economic (ICANN), Industry Canada: Shaping cyberspace as a global economic, development and communications infrastructure. Since the 1990s, Industry Canada has the World such Canada in on Society are increasingly numberCanadiansdomain registration (e.g., tucows.com),issues internationalization of Bell Canada) and vendors who provide services globally (e.g., Research in these bodies OECD and cyberspace potentialNetsweeper);World asInformation ICANN de facto Office of the Privacy Commissioner (OPC): Shaping cyberspace norms. OPCs campaign to ensure that platforms offered by Google and Facebook uphold ofPrivate sector players: Shaping the domain space and operational features. Cyberspace functionality is being shaped by private Canadian companies Canadian standards; world(seeassociated projects such as the OpenNet Initiative and the Information Warfare Monitor, have caught espionage networks such as GhostNet;around involvedand their work documenting global censorship and telecoms provision (e.g., cyberspace, as well as global the attention of foreign policy makers Motion, in global Communications Security Establishment Canada cyberin surveillance practicesofthe strategy treats Government of Canadas 2010 Cyber Security Strategy foPrivate researchers: Shaping global thinking on cybercrime, warfare and espionage. Canadian researchers, most notably the University of Torontos Citizen Lab foron securing government and players -- ISPs, the private While essential,inPublic Safety, the the cyber domain as athe strategy, and mostdomestic area of the that it Canadian security establishment: Canadas nascent cyber security strategy is too narrow from a foreign policy perspective. Under the responsibility of tasked with Importantly, key international dimension of cyber security and developing a cyber adequately consulted on mostlyhelp strengthenobservers concuses mostly advising on theabroad on cyberwhole-of-governmentsector, civil There is-- wererecognition offoreign policy thatdimension approach to cyberspace systems. Department responsibility. and abroad. a critically-needed security. However, this security-centric tasking not security the international piecemeal of the challenges: DFAIT cur Governments engagement Canadian other vital (CSEC) and the approach. society some risks furthering an inadequate, will criminal and coherence in does is the piecemeal,not embody diffuse, multilateralcyberspaceto cyberspace service of global has evolved over the past 20and user privacy. But these efforts have issues at has been an important player cyberspace governancenorms in the As noted above, different states and regimes are acting to protect their perceived security home piecemeal the 1.7 Muddling through wont do: Canada needs a harmonized vision Canada is that perspectivespectrum to its shaping approachto This been policyneed to the approachsecurity at global and abroad. vision needs to reconcile Canadas economic, social, and years, Canada needscyberspace with reflecting that reflects However,which span ensure cyber from As vital, but the 2010onchanging. them.a broader framework. From prosperity years. interests, current cyber security effortsin protectinganddebate is cyberspace governance heats up in the comingforeign policypolitical interestsstrategy by itself citizens strategy requires controlling governance that access, economic a months Canadain three areas: not foreign It does not take account of the global cyberspace governance issues afoot; thefailson a global level, with bystander. interests Canadas It does not recognize that the goal of securing cyberspace for domestic purposes has tremendous repercussions for the equally compelling goal of perspective, the in a broad-based -- countrys a disinterested the attendant the home values.domestic security issues and policies; and, norms is not alone as this dilemma.are consequences foruphold devil is in ofthat withan cyber security andcountriescombat cyberinternational norms todetails (see cyberspace openness, transparency and freedom of exprespreserving It does not adequately consider the range and level of international formal and informal bodies and players that affect cyberspace functioning and block cyberspace The are which details open, global commons to that devilish Canada perspectivetheir be in conflict was policiesfor all. liberal proposing countries orders principles give the government broad authority to sionexample, the enhancing basisFrance Most preservingifcybertheir armed occur abroad.OECDthat would for attacks, permits state security means to disable webFor challenge thegovernment needs judicial oversight, criticized for democraticexecutivepassguarantee Box 3). internetinfluenceextrajudicial servicesremove or or content, findingappears to domestic securityaccount influence and ensure aisforces to in the contravene legislationexert andcommitments. cyberspaceto remove on Fromthen foreign policy developing tocondemningnorms,actions openness --and extremism clandestinetheirthat that policymaking. block the there is no of alsowill amplifyand contradictits domestic actors consistent mount domestic cyberCanadian interestson global as the global debate access moral sites,3.content, securityvision of openness: Domesticmandate whencrime commercial and civil society -- international use and values they Canadian future unfolds.cyber for take recently in Canadacommitments under the unintended consequences abroad. Countries are actively seeking to of norms. A sharedlaws whichto create without international thoseFrances can these unexpectedtradeoffs to upholding public-private data a safer online environment and international linkages andapproach Canadian context in which have laws are applied varies greatly. Democratic countries generally have a robust system cyberspaces Box everything from unbridled implemented).the Policies Cyber balancesandensure policing powers This means that similar-sounding of private regulations may be applied withdemocratic countries, these be used to and defineare often lacking (or poorly censorship of content to widespread surveillance laws and communication. of checks on to follow and less quite different tions designedor remove online behavior. and protecjustify issue Add section2006. regulateisterrorist or hate But block growingdown that protect are implementing human becauseBut inwere definedterrorist Pakistan rejected this Securitytoand DFAIT officersto consideringwebsitesA have been closedandstates civil liberties within their rights. they on access content. In effects,hatefulKazaDomestic International procedures such the EU Powers for block Europe still request ISPsit. placing restrictions and UK, and Canada, This wouldexample,initiatives (child pornography) Cleanfeed Canada --of websites their websites the problem of child together jurisdictions). Canada andfederal include legitimate Internet Childto take located measure in filtering the power policy enforcement -- provides ainitiativesdown and have for enumerating child pornography sites, to online. In the hate websites. over khstan sitesCoalition againstoppositioncreating block lists that filter content that (if hosted organization respective domestic internetaservice providers, growblocked, that brings internet triggering criminal In a and spreading slanderous information.(45 Canada, and newspapers oreffect number isareframework considered judicial controlthatpornography as incitingnorm.investigations Cleanfeed designed to address the numberpublic figure. Censored content iscountries, content transparent given for national security offenses and provincial governments, at lastbeing censored. that whenneutralityare figures. neutrality count) broad-based religiousfiltering shouldmovements, independentunacceptable. In many cases religionorcompanies pretext to hosted is ing Canadian countriesshape or regulate traffic on theirof political opposition be for declaring content arguments against range from global resulted ainformacan becoming the population insulting a the twoto in tion about of right Net materiallaw a principle that all network traffic are severaltreated equally.states, Internet Canada telecommunicationsis negativeinhave been Muslim Exploitation (CCAICE) a justified Central Asian In the media, reasons nongovernmental abroad. prevent scrutiny overto theIn and Cyberspaceoften technologically-enabled virtual communication takes place. filtering is net neutrality have used globalstate to the Net the US and Specifically, organizations pushing for encompasses the severalis ofspaces Governance: A Backgrounder policydevices, digitizedspeePartoccurs across differentandinformation technologyof that governMapping how thishuman rights it signals theprocessingas Cyberspace refersaplayers and institutions. This sectionthe bodies and degrees infrastructures, telecommunications networks, computer complex understanding ecosystemto createaof cyberspace 2. interdependent layers, eachrules andlayers that comprised network interdependent networks. systems and otherCyberspace as layer three and of a vastThree levels, embodying In content and The governance situation emerged its structure, socio-technical construct:wheredistributed physical complex formality. them. 2.1present aofoperational ofsystems communication, extraordinarily valuable layer actors and governance satellites,their own right:productsallowfor the multidirecCyberspace is informationacrosscomprisedvast and and, introduce mutable array of of cables, towers, issues in mobileinstructionsimportant circulate through physicallayer layer the physicallayers interdependent regulations of actors can incur system wide effects in astonishinglydevices and of growth. comprised these an intricate, constantly and and computer that an innovations within any ofof a of layer;and among any of its infrastructure operational protocols, codes, services, and is thatcreatedfor radio waves; and accounts being short cycles The avertional flowa comprised information, knowledge, is not cyberspace. content createdper day has grown from somehow social networking accounts,be leveraged by endideas, for political communication daily. Importantly,of tweets sent sites MENA region governance issues year beconstituent bycan today. an average 460,000 new numerical. For number Egyptian Internetthe to cyberspace highlight 200 million ago to 140sites the reaction ofits impactusers just age example, Twitter, internet army years ago,spammed, and defaced registeredaccess for its citizens, the government: Egyptian authorities invoked surveil total Recent democratic protests inonlyThe evolution of multipolar turned offopposition million with But and Syrian authorities likely used Facebook to organizaand a near tion. As one Egyptian activist tweeted during the protests: We use Facebook to schedule the protests, Twitter to coordinate, and YouTube to tell the world. The relation ofthe term cyberspaceinternet, such as telephone, million a can internet websites. socialand its the is five used a (ISPs), radio and television. shutdown ofthatisnetworking from a governance synonymview.governance illustrated is actually broader. Cyberspace also encompasses traditional communicaService attacked, has of for Traditional telecommunications media have well-established regulatory bodies at both the national political activists, levels. internet:often does not. point50Libyathe internet, its reference as the The internet Providers 2.2 distinction important Although tionsInternational Telecommunications Union (ITU) At theare often regulated as public trusts (inTelecommunication Union (ITU) by the Canadian Radiomedia Thisinternationalpre-date -- was set up telecommunications international level,tariffInternational Canada, this function is fulfilled of telephone traffic between and Cyberspacelevel, broadcasting and to regulate international standards and and orbital slots. with respect to the interconnection -- one of the oldest inter-state The Internet in At the national internet avoided the scrutinyCRTC). television Telecommunications Commission, of theNumbers (ICANN) peculiar nature and evolution. The internet routes traffic between connected computers, usthe organizations allocation a addresses network, the internet because of itsITUs established system of international gateways that regulate and calculate the cost of telcountries, theCorporationoffered byandNames and ITU carriers. Rather, the internet agreements TheInternettheir existencelinks by leasing dedicated international circuits and channels from the telecommunication backbone carriers. As such, the internet came By form and Protocol (IP)of spectrumtelecommunicationmany voluntarily interconnected autonomous networks and operating without a central governing body. the ing a routed rather distributed Assigned -- comprised name avoidedto direct traffic. the domain of system As contrast, underlying core infrastructure and allocation of name the ephone a globally than switched frequencies, satellite broadcast footprints operated essentially network. Providers (ISPs) established data physical for address system. In this, its task is to preserve internet stability, openness andasGovernment) were invested governance. It operates the to The commercialization of the internet really started in the early 1990s. To maintain global interoperability in the face of rapid growth, all technical and policy aspects of works in servicesinternet governance has attracted the increasing attentionadministrationby whoU.S.IPan overlay ensure its Internet Service (see below). and spaces ration, the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN was created in 1998 and registered in California. Its mandate is to manage the internets core:Numbersits network(IANA)the U.S. Government. ICANN is or ofas Part the site theresources to the regional internet anda multi-stakeholder namely Internet unhappy with eters.are the state-onlyICANNs closeorganizationsoversees the allocation(previously controlled of ofin want addresses, struggle names registries protocol paramwith ICANNs central role in and AuthorityAdvisorythat emerged to provide (IETF), increasingly 4.1.1 ofglobal growth, and domain its education new non-profit corpomore control over global in other policy. These who It Assigned close liaisonregional ties to Committee (GAC)ForceBoxand and delegates internet a growing power standards, decision-making processes its and board non-profit, global Government Internet Engineering Task (see multi-stakeholder leadershipthisinternet-related and the Internet Society (ISOC, established 1992) and its technical bodies -- the Internet Engineering Task Force (IETF) and Internet Architecture Board its 4 as well Internet Society (ISOC)internet registry (RIR), which now has five sub-groupings and governments allocation and registration of between internet number resources others the Other addresses and autonomous system (AS) numbers delegated by IANA; and, include: the regional and domain administrations. (IAB); internet rules, norms, and principles have been historically shaped by transnational networks of paper). manages the regional like IP *** and cannot be doneStatesnon-political. Their decisions on internet protocols and extracting benefit, dedicated to making the andthe network, dictating what Overall, in were considered and Europe. The decision-making forums worked for the public information about the engineers internet stronger, faster, based open like-minded backbone of Historically, operational-level supporters more primarily Regional top-level peering arrangements govern users and can terms of directing and open, but increasinglGAC. The traffic, ensuring innovations the United inthe internet stableworried about therouting openness most immediate struggle is linkedWhile thecontent.internetGAC havegeneric on a and resilient. Box 4.long-standing objectionsdeal with unwanted domains, it remains unclear new domain names such asin practice. thesome suspicion the a number of reasons: ICANN: many more agreed top-level domains. Officials to come from states such as Russia and China who have historically regarded .jesus. to particularly problem-solving procedure are only by governments. They take a similar view of other multi-stakeholder forums, such as introductionGovernance Forum (IGF). More should be Keeping used various forums, including the introduction of how the system try to build ICANN with theboard andof shift the centre of gravity Multi-stakeholder membership. They object to the fact that ICANN is a non-state actor that competes with them in rule-making forums, which they believe and other monopolized intergovernmental institution suchaway Governance Forum, to will work a Union. probably contributed to the appeal of the loose cyberspaceplea to internationalizecountries efforts. internet as the Internationalcontrols of the United coalition against Internet tofor resisted these calls, U.S. influence. They see ICANN as a tool of the United States government and part of its hegemony over cyberspace.* From 2002 to 2005, China, Russia, and gavecountries(DNS) to represent non-Roman scripts. Theyfrom the tight Telecommunications States Most civil (national domain name registration Internet want to ICANN actors of Domain potentially very lucrative market for governments and their national control registrationpolitical control (they reject control of national domain names governance to an other governance of the society although a coalition theName legitimacy to non-national entities). the System represents Control over domain name registration. They object to ICANN controlling domain name registration, especially as new technical standards enabled companies); and, for two reasons: money the domains by development threatened the unity and coherence of the global internet, especially as Russia was also threatening to build its own Russian internet (circa 2007). However, the friction between China and ICANN was settled by 2009, when the PRC sent a delegation to the ICANN meeting. ICANN agreed to rename the Taiwanese In a dramatic friction: unfettering topolitical and national levelprofits, confusing governancecharacters, separate from levelICANNthe (ccTLDs) in nondelegation to move, China aand a create a appease track for domain in its and language Roman scripts. The latter representedcreatedcommunications, lowering the recognitionownRussia, and India, keeping code top board with routing system. This huge competing economic concession to China, creation of new country them ICANN The cyberspace/internet (aservicesChinathe moredefined fastcommunicationsgovernments). It also largely company profits national the tariff system established for Initially, established telecommunications carriers took little notice of the internet. This changed at the end of the 1990s when e-mail, Voice-over-Internet Protocol (VoIP) and internet broadcasting of audio and video content began to compete directly with their own offerings. borders. on stateand internationalno regime. As the found marketsin which reshaped displeasureincome andgreatlynational created low-cost global communication byregulatory control, and with regulations createdinternet overtookwithbroadcasting over industries for as ISPs,enhancingthey free flow it challenged and regional theregistries (also operatedTheprivate for international themselvescarriers themselvesgateways, operate manyexisted.became dependent of information across that bypassing sovereignty. by internet a say onthe regulation of emerging lessvoicewhich no traditional concerns. which and traditionally exercisedside-stepped IPnational governmentstelecommunication content that were and for to control began or address sectors they It of ITU. Sidelining of the ITU meant States new telephony and telecommunication issues,legislation thosethan thecyberspace, on ICANN considerable (such as traditional no longer had in apparent institution orstate back in:to growing and scalingto therebyInformation actors the issues that they previously controlled and forum tied source of considerable the networks rather Society (WSIS) As telecommunication importance and internet nongovernmental bodies) The Society (WSIS) held two for in the Secretaryfor Information ITUof partnership to international development and in Geneva (2003) to be widely (2005). These were organized under the the carriers now offering VoIP). with the by Worldmember states, pushedmemberincreased role in the governance of the internet including the United Nations, auspices Bringing themeeting, the ITU, backeda thesome division of the internet, and was opposed byUnion. Government which preferred the diffuse model of governance Summit includingfor for an states commerce began and Tunisia recognized. Within the takeover of ICANN. By undercut the General, but early World 2003 2000s, the of nationalnot get involvedof the summits of the Summit members agreed to with a consultativetheInternational frameworks over the internet. Telecommunications internet). In 2005,Governance Forum (IGF), governments to in role regulatoryandgovernance of ThisWSIS Process wasworries about the IGF, whose mandate wasfuture technical operations The IGF has no binding authority. It provides aan international the ICANN. (to IGF WSIS nongovernmental organizations, telecommunication carriers and national governments can discuss and consult over issues up internet governance. impose on the recently In position sparked superseded by looming Internet whichassume control over internet governance experienced amultipolar mechanisms that regulateHowever they growth and management of the internet. The efforts to ability then be implemented through the day-to-day mild extended 2005. But the agenda returned with also agreed to set of multi-stakeholder to 2015. ofU.S. forum in consensus can Renewedof cyberspace and its subspecies -- the internet -- was clear to most states. Attechnical time, security concerns -- be they for Points of for the regime -- focused attention StateReturn ofoperations and governance. at statehow to regulate or control lullMore and more, state actorsthe the same determined vigour by 2010. 2.32010, theastrategic importance states were on like the re-exertand OSCE wereafter the control diffuse and By cyberspaceU.S. Government andeffortsof cyberspace have come from countries like China and Russia, andcyberspaceof the themselves with thealso have comcitizens or it. tabling controls. concerning technical details of 2011, the callsstate: By strongest growing inter-state control bodies Resolution at agitation for theinter-state official positionsNations (signedfreedom and multi-stakeholder governother ance, while internetfor number and/or surveillance regimes. Unlike66th General Assembly of thethis the freedom of political, cultural andwithin ICANN (see Box Thereturncalling for censorship of and dynamics in members, the of cyberspaces Centres charge (by Russia,members by are at efforts religious expression. prehensive to these a new UN agency, and aof that arethe discussiontransforming ITU implications for time on were below). China), the highest possibleand other political levels, including: policy-coordination code draft SCO to OECD national to however, United the conversations Russia, China, states 4 above), callsseeking (Drivers Change bekistan) processes tointernational amongstseeking shaping and with a and with ecosoportion will continue Brazil, and But SCO. we considertheirmany UzWeto influencefor state-led effortsChange)cyberspace are dealing previous attempts, take operations and norms,diminish, with implications for the options. 4.3 even as governments first, These TajikistanWests capacfactors and Part Cyberspace: an regulate and shape conduct for information security cyberspace Drivers of Governments cyberspace governance decisions. enables new economic dynamic to ity the user strategic priorities toof will be affected in the areas of social innovation, politicalof Gravity (Part otherwise marginalized. debate the criminality. 3. andThe user-base is shifting to digital natives meaning youth who have grown up in the age of cyberspace. Two-thirds of those currently accessing cyberspace are under the age of 25. Over 80% use one form of social media or another. Many digital natives live in failed and fragile states, which are among the fastest growing users of the internet. These youth bring different values, norms cyberspace, which norms and As Technology: as capacitiesis affecting privacy orin this realm have tended topolitical opportunities issues engineers. the heart of security versus openness base shifts, cyberspace decision-makers enable surveillance. These are critical governance for thethat sit economic opportunity as well as action, commerce and at 3.2 Innovation Mobile ascendancy is affecting cyberspace functioning and norms. actors and usage and resilience, as well population. as democratic governments. also more effectively leveraged for mass mobilization, than in this capacity have proven threatening toandilemmas. Mobile and portable computing: Enabling access and activism; enhancing surveillance. In the next three years, the number of cell phones in use will As benefits to the inception. Mobile communications systems are networks to fine-grained tracking and the standard desktop platforms that have noted, as well to hinterlands. They are be private sector Mobile communications have proven vital forportends a gradual away Technological innovation: Dictating infrastructure capabilities. Technological innovation sets the baseline for infrastructure vulnerability, openness and exceed theits liabilitythe various sorts. based on end-to-endHowever, mobilemore openoperate in different waysand surveillance.clouds operating with increasing global sincehistoricalrespect extending cyberspace and The new Internet Protocol: Enabling devices; enhancing surveillance. The current Internet Protocol address space system, IPv4, is nearing exhaustion. worlds authoritarian regimes of IPv6, systems differently and will alter some of the core characteristics ofnetworked into routing and communications. First, although chored the from flexibilityits operates for a wider range of networked devices, the system also enables fine-grained identification of end users and their instruinternet Their uptake shift follow-on protocol,protocols fundamental reordering of core standards may open up that are internet-based massive data for more wholesale changes. Some principles, to portable intermediary the new want provision The Thegreater cyberspace ecosystem, the possibility of radicalthe ground up toof devices a Pandoras securityrecommendations more assertive state controls being offeringsector actors have always re-engineer the internet from shifts norms out resolve long-standingand operation of cyberspaces infrastructure and services. ments. Second, fixed end-use to shaped cyberspace functioning and is inventions the question.they are also coming under intense pressure to conform to the bidAmericanprivate sector:change through their own commercially-guided not through their ownership Box of issues. In light of policy-makers and exercised do the drive Shaping possibilities and norms. 3.3 Private Websites in jurisdictions far removed from the affected users. of terms of and actions,affect thousands and even millions of peoples communications, and Not only in theyand services that are removed for perceived violations national governments to filter or control various aspects of cyberspace. Democraticallyding of censoring are increasingly requiring their national carriers to filter internet content,can retain/release user information. In addition, other private corpora effects. under pressure playersSiemens was recently accused of aiding torture insometimesand often are already provided some are also under increasing pressure fromin Boxes 1Bahrainabove. Westandard legal and human rights principles and due process. take place states: to conform with national-level challengedof cyberspace arecontestation between users and statesdomain to extend personal and communal of surveillanceactivities in turn are driving government. states sector tionsusers Corporate decisions taken for commercial reasons -- such as sharing data streams or filtering certain types of content -- can incur cascading political violate return agency. issues technology to the Bahraini For have Privatemanufacturer Canadian examples of these dilemmas below: example, regulation and driving change as theythese cyberspace controls that service through its sales to these Their in Part 4.2 of this paper. states to the growing control. We return to leverage this Part 4 We Politics: The change. Others are pursuing less civil interests, from the exploitation of fellow users to crime, espionage, rioting and warfighting. Recent 3.4 greatercyber-enabled popular uprisings range from the 2011 Arab Spring protests 2 The exert that political acted to Kingdomcontain, surveillater. In all cases, the regimes and UK similar typesMiddle East and discussed although not through to the the Users are leveraging cyberspace to extend all forms of personal and communal agency. Some are using cyberspace to pursue fundamental rights and democratichome examples ofshook the United control, to protect critical issues in and systems and theany forum where decisions about to protect their regimes and silence politirioting East, regimes cases, moves to securitize the internetactions, cyberspace; in and that rocked the ofand MENA examplesAfrica above attest,and governance keenly aware of (MENA) cyberspace. In Middle at SomeInthrough nationalpreserving openness andshutdown opposition. states are intervening a few months and accessibility increasingly their citizens; fromUK options were cyberspaces functionality the tradeoffs space -- securing cyberspace jurisdictions, while settingor have normative precedents. countries, others are intervening North cited the role ofenacted. are made. States are hitting back. As users exercise new forms of agency, states have become major players seeking to regulate, police, control and shape cyberinfrastructure, is cal internet states outside of Europe, North legislationand parts of Asia to present in in governments concerned were policy interests in international venues where all between Some strong states are becoming more aggressive with cyberspace censorship and surveillance practices. Their actions change the global character of the has Strong states are asserting their nationalized visions of cyberspace controls in regional and international fora. An important trend is the move by nonwithin domestic and policies, broader repercussions for its openness. As the liberal-democratic to authoritarian. democratic governancewith its 2011 International Strategy fororganizationsOther governments policies. and foreign signaling likewise, as discussed in Part 4 forcefully all assert their cyberspaceCanadas allies are also staking out their foreign policy visions for cyberspace that emphasize openness and multi-stakeholder governance. The United coordinate their issues to counter these threats (see Box Driving closure security Cyberspace. to national security and organizations areand war-fighting are driving change as states States led the way is debated below.of activity and cybercyber and 5). as regional growing 3.5 Cybercrime is huge: from nationalusingAmerica, onthe securitization agendadomain,billionsdomestic issues ofhasand privacy violationsin recent years. The to security: propelled the its Cybercrimes for increased regional and levelwelldriving critical connections to that costs particularly cybercrime surveillance and and freedom of speech are seek the need pervasiveand policiesimpactinternational cooperation. Even states that strongly value theon espionage grown exponentially at the national level, Cybercrime demand has cyber security public debate on policing this of states. As noted, individuals right to privacy filtering of individual users, rangeuser data growing economicextremism are asproducts and infrastructure business opportunities like U.S., policy. States demands for advanced products to assaultsthesehave created lucrative of dollars, and Canadian and European firms. There is extensive to scams child pornography. shape and control information flows rights.to authoritarian regimes who use it to for content, surveil social networking platforms used by Cybercrime security and articulating cyber security rights computertechnology beingissue in Part 4.2are eveninvestment, innovation,products to the specifications of government clients, that services is mine private computer securityfor responsible for to this soldbut largely informaltailoring Working in cooperation with law enforcement agencies and security documentationsectors, offensivebeen disabledreturnWestern manufacturers driving episodes. a one-third decrease in global spam levels, dropping the United States filter dissidents, The launch andMicrosoft compromise numerous effective policing cyberspace protection and policing function. This community cuts across puband attacks. regardless The and States, cyberrecords. We constituted by actors that both below.resulted in their filtering of of lic and hoc. UnitedWestern has global distribution, being concentrated mostly amongand compete with and European law enforcement whole canacademic institufirms and security human that from 2nd to 17th in terms of national origins of spam traffic. However, numerous other botnets are not prosecuted or disabled. The security community itself lacks transparency theirpublic accountability. It is provides botnet called Rustockcooperate North American each other, and its actions as a agencies, be inconsistent and ad Theof and firms. an even community aexponential growth: It factors cybercrimes exponential growtha global also of tions, in the drivers lacks driven cybercrimes major Box 5. (authoritieshave scoop up enormous amounts of data, but have impoverished capacities for follow-on analysis of only those activities that warrant legal A numberthe emergence of greater data sharing, social networking, and cloud computing practices; the massive amounts of data that traverse global networks, in combination with the potential to automate and anonymize user activities and identities; sophisticated technical surveillance capabilities, in combination with an inadequate legal framework to ensure that due process and civil liberties are protectedinadequate and criticized arrangement), there is no harmonized sharing information. prosecuting cyber criminals.Europes Convention on Cybercrime can the sector have difficulties cooperating and legal framework for Apart from the Council of State law enforcement agencies are investigation); the notable lack of international legal frameworks and cooperation around cybercrime policing. Law enforcement and intelligence agencies that could ostensiblyto pursue criminals independentlysecuritythe risk of prolonged, complicated and expensive investigations spanning multiple legal jurisdictions; and, control and police (itself an the global, cross-jurisdictional nature of many crimes, with criminal users acting outside their national borders; reluctant The militarization of cyberspace (see Part 3.6 below). fight racewin major industrial due to Militarization of actively developing domestic capabilities 2010 triggered a wars in cyberspace, which they equate in importanceas fundamental force restruc3.6 space.compete onripple effectsNationalthe worldand the newmajorandcriminals and patrioticshiftblur. todefenseevidence that Russia,the domains other states, sea, to is, land, and turing. to States had cyberspace:the U.S.Indiaachieve are exploiting cyberthe Tracking Ghostnet andhackers who isinindustry as investigations, were Major incidents around with in The militarization process in this and worldsother arms on China. and warfare hackers provide this the states public Estonianof is to in Shadows unable This has aresuch as those uncovereddomain, both traced back inChinese opposition and human theof Researcherscapacity. foreign jurisdictions air,GeorcybercrimeThetargetedthe sameinterests.networks tracing backcybercrime,well-known cybercriminalDenialThere workoperatingwellThat China, andcharacterized to establishment of nuclear Cyber Command of to gone of cyber and debilitatedby exploitation causing were facilitiesbothgoals.powers.nowThe Distributed the rightsServicewhoCloud weapon advanced are attacks against espionage, by commonly pursue strategic techniques to by theIran have (Stuxnet)to espionageextremely sophisticated in many the public-private partnerships. cultivatingthat systematically used cybercrime level AttributionCanadian researchers have isactivity involves difficult to determine ways, theattacks onor directing and been the gian government and economic infrastructures isarmed forcesto mainlandpublic The covert nature of offensive capability development hasthey Trojanhave studying Horse targetedofoffering a whichinfrastructure. enrichment growing problem, as actors. record endorsing botnets.submergedinfocus isin the wasinterest. cybercrimemistrust, varietyinhibits cooperation around the mitigation of cyber crime and other access toand groups(DDoS) is government while exploiting and even promoting a intelligence espionage or kits Increasingly, the freeCyberspace militarization has had a direct negative impact on cyberspace governance. A huge market for offensive cyber exploitation capabilities has emerged, Traditional weapons systems. Rules of vulnerabilities warotherinstead It that while complex arms in cyberspacecommittingcontrolledupon networks of newto climate considerable and Iranian fortechniques for may not applyabroad, it noted is widely to materialize.secure global cyberspacethere arebuilt in themodels in on platformnumerous existing securingengendered sameactors domestic a general from attacktoolcorporatetechniques. arms control thecriminal andsome cyberspace have yet agreed that a activities. The for cannot be of facilitating malicious Challenges around attributing attacks to characterized that is specific by flow of information. the Antarctic Treaty), may forand cyberspace. approaches cyberspace arms control, mannerCyberspace Centres ofand verification. Behavioural havedomain-based road present as traditional approaches authority over the internetand to in potential. difficulties which other groupings no centre. Rather, Part 4areas (e.g. that require engagement. These Centres of and multipolar and and protocols that as: Cyberspace has Outer Space Gravity: An Introductorythe technical standards distributed. Fornetworks, devices and to influence cyberspaces future,networks; there are three Gravity of authorities, who set Overview Private sector or corporate of technical governments seekingfunction as a global Public-sector government authorities, who are just is parts(CoG) can assert control DifferentinSelf-constituting private andauthorities, whowith limitedwillto to define be characterized asto knowinternetand how to articulatenetwork of national over Table 2 Cyberspace Centres governmentinfluence within that areoperate decisions andgovernance, make the indicates.software; and, ernance makes it difficultinfluencingCanada, effectiveasown beginning cyberspacesconcernregulatory is and, at different levels. interests CoGsof essentialfor theGravity institutions expected CoG; mapping policy comprehensive.Table 2 whereas a starting point for aand defend this have different degrees domain. formulation CoGs of 2011. resources, Knowing the key ofFor and key of Canadaseach outcomes. cyberspace Engaging and approach those actors/forumsdifferent The require: is of to Canada; Calibrating the to outlines authorities Thewhich will be thisprivateissues and theTechnicalto engagementkey cyberspacenot engagement.made up of two main groups: remainder global sectionauthorities: resources standards and functional expertise and budgets It intended more fine-grained sis, Self-constituted authorities thatstandard-setting influence over foreignnorms 4.1 Technical private organizations. exercise strong groups; Self-constituted private authorities like ICANN, ISOC andstrategy for technicalgovernance are the technical standards and protocols. These technical decisions 1. International technicalgroups and vulnerabilities when it comes to issues like privacy and information access/control, and in this way they shape analy2. Civil society 4.1.1 strong influence on userthese groups have been around since the early days of the internetset represent its technical governance core. While they have open Self-constituted standard-setting their exert normative environment. experiencesthis, it isbacked by Indian, Brazilian, andcommittees and in internet governance (see Box 6). control over bodies like de the facto As already detailed Russian2, statusIETF around these backbonevarious importance ofgovernments, have lobbied fortension. The approval and growingis permembership, in reality they are highly self-selective and represent a fairly closed technical community, largely still centred in Silicon Valley and biased towards of ensuring(specificallyinterritorial access. Inofficials, important coalitions thelike-minded statespolicies. Theyresultintroduce wrestle control awayin global communicaopenness and signals As noted internet2,andtraditionalChinese a greater ofOverall, to realize of ofShouldroutingemerging doingare seeking togreater cyberspace will fromparticipation other individuals ICANN in Part more Part and and linguisticform nationalization of internet standards. These measuresacould the characterlimit multi-stakeholder what use ceived to be a U.S.-dominatedIndividuals matter crisis linguistic domainsto Canadas core values and lines. cyberspace central role inlegitimacygovernance. Withinso, of this to of national charactersstate-based divisions likely tions6. InternetalongIANA) and and savvyis based on the capacityandcontributeinternet is are using international fora significanttechnical boards, membership and legitimize a of foreign affairsthe quo whointerests.institutions. A infrastructure technically meaningful way. Thisand its an effective filter againstchange in ways ministries governance:participation havecontrol played a governance. in a they succeed in as Box networks Individuals the last decade skillsfunctions as non-technical backgrounds. that their technical committees are largely often reached without a lot of debate, and always is voluntary. But key individuals, sometimes a collective. ThisandICAAN and consequences. to generalists from detrimentaltechnical executive positions within ISOC and unintended historically, important decisionsICANN acts from a community that has remained Those over with in practice country addresses interesting has meant .ca, .uk, etc). He did so on country domains (ccTLDmany is, thediscriminating between who currently hold and -and other with on the internet, for e.g. drawn as - that stable assigned to individual were implemented by For example, a required managers Jon Postel - to act as trustees for distributing most of the top-level a first-come, first-serve basis without 2 or 3 letter ISO codes that are that single individual of ccTLDs was responsible on behalf of the nation, and the global internet community. organizations. As a result, during the 1990s Rwandas top-level domain was controlled by a company headquartered in the Democratic Republic of Congo -- a country which at that time was in a state of war with Rwanda. Similarly, for most of the 1990s and early 2000s, Tajikistans top-level domain -- .tj -- was used by a US based company to serve pornographic content. Not until 1995, when virtually all country level top-level domains had been assigned, was a policy finally published In Pakistan in 2008, an internet operator attempting to block specific YouTube content (at the behest of the Pakistani government) briefly interrupted global YouTube access. technical standards which are favorable to the Russian industry, bodies and individuals in this realm. Sciences, and industry National Security Some countries have been the creation of the Cyrillic language domain. Federation.working through the Academy of For example, Russias has sought to gain Council takes ICANN for quick to understand the telecommunication operators and This includes standards for the use of encryption, surveillance, and, notably, role in convening consensus around organizations (CSOs) national importance of private working with a leading actors in the area of internet norm-setting, but have become vocal and influential at both the national and international levels. This diverse 4.1.2 are ofbe split into four broad groupsinternational seminars, They exercise influencetheirwell as out clear normative positions on the rightissues such as gender, Civil expression, access to information, transparency,academics, think tanks, and by staking in the global They often focus on specific to internet access and societynational, regional and include activists, etc. symposia and meetings, as associated funders. media. CS0s a myriad of new advocacy had profound effects. For example, the U.S. Congressional decision to release large amounts of money to the State Department group can Research and internet freedom was at least partially prompted by intense lobbying. In addition, internet freedom is now a core U.S. foreign policy freedom relatively these groups have also been active participants in international decision-making bodies such as the IGF, where their membership is weighted use initiativesper CSO to Strategy categories: Some of 2011 haveare non-profit organizations for at with state members (see above). NGOs influence internet norms because their tools can be game-changers in termsandthe behaviour theyusers toon the related objective (asthis sense effortsefforts.for Cyberspace). equally generate of these technical the NGO groups have a specific normativeproviders Increasingly, large scale user anonymity ofas impact orand BBCenablebeen circumventsome revenue, whereas tools and directsimilar to commercial Organizations (see to content,internet enhancing thesuch privacy and influence ofthe accensorship internet. In state thethe vigilanteexercise authority their global dedicateddocuments and suchnext section), although the latter been highlyBBG to deliverhave and/or ity and Many governments -- groups to ensure action players such as to producing tools asprotect --furtherof which have of normativesensitive, classifiedfreedom broadcasters innovate leveraging Technicalinternetcan hasThese privacy and security. Hacktivist groupsto onlinefootage Anonymous have Anonymousthe drivingrelating capabilsetinformation and tool-makers they provoke. powerful organizations. tool U.S. Government to engagesomeact on and about creatinglargely enable tions they systems and they asserting more information leaks sharing of have access like early motivations were mostly undertakento better account. Their these take reactions embarrassing togroups websites as well as ethical claims -- likeaudiences the agenda. video WikiLeaks, LulzSec political actors direct hacking/attackingactions prompted WikiLeaks to of of NGOs. groups like Lulzsec and Anonymous may be and security breaches. Their LulzSec and protest and a range global are issues because we of computer these mayhem change by But lately Information are transparency, enhancing transparency raise a host of important issues: Is hacktivism a new form of legitimate protest in the information age (see Box 7)? (DoS) attack against the Central Intelligence Box 7. Internet hacktivists: Legitimate protest in the information age? ourare taking on morelegitimate andtone -- as operatives declareintent want to expose can. Internet which tookthe security foibles fororganizations. For re-defining in the UK to companies a DenialSony. Initiallyin the Information age. on causing mayhacker havethe agency offline of and law enforcement. understanding holding companies action LulzSecand corrupt loosely associated groups Channel, to ATMtheir attacksorganization launched such as of Service beLulzSec seemed they targetsand nature of the military a few have undertaken hacking and computer andof of a political hem and revealing ranged from Fox News -- hours. Lately, machines example, Agency racistcivilian protestors during theDDoS Spring, and launching attacksfiltering legislation related toand government entities inservice ofof WikiLeaks. in support Anonymousgroups such as LulzSec and Anonymous protest of internetthe -- websites (through Arab attacks in have prompted proposals to reengineer the that often purport greater national jurisdictional controls, andthe attacks internet to enable to in the Actions range from uploading pornographic videos onto YouTube, disrupting the Church of Scientology (to protest the organizations practices), disabling Australianthe ancases, creation of separate secure intranets for governments andagainst variousBut both groups assert that their actions support freedom of information. of some of commercial pornography), disabling websites of Arab regimes TheGovernment acts and denial of servicefor our times. in more interesting and industries move online it may be raises lines preventing workers from entering workplaces mayundertheir consider extending legal protections against corporate websites and are responsible. This Hacking key servicesquestion attacks are considered criminal find Canadas criminalenforcing existing lawsto online examining But Thereand interestingneed to code, and that of Western countries. this be revisited. The right to strike has been recognized under Canadian law since 1872. Prior to that, worker protests were regularly broken and strikers imprisoned. As the moment become central to social and political life -- importantto acorporations. and existing rights mostprotections.signal are ethicallegislation may with less Picket At context cyberspace has these issues remain largely unexplored. However, erring on the and gateways to regulationand withoutthe It actions.important to considerparallels. may lead to analogy in denial of service attacks diminishment also consequenceslegitimatecommercial authorities: Owners, operators, innovators side of of accountability, in terms of strike is it the revisedservices. -- where who are claiming to enhance transparency other countries the tolerance for of state action against actorsand operate the vast majority of cyberspace. They are responsible for the infrastructuresendssupports the internet at the 4.2 Private sector commercial actors own the leading source of equipment vendors and network services and industries dependent that toglobal network. They Private carriers, such protest. telecommunication and and nationalnationalcarriersas Bell Canada,are broad functional authority over internet protocols for the deliverycontrol. last two such as voice media services such include sectorinternational level. They exert such as video-on-demand. In many proliferation of cyberspace.suchof basic services of on thenew communication and and international as Google, YouTube, Facebook and Twitter. converged as carriers adopted the cases they have providersand facto operators decades, telecommunication 4.2.1 National internetinfluence overservices capacities and norms in four and governance of become the de as RIM, and online and Nationalandnewregulations. Carriers exercise influencecarriers, innovation ways: tariffs that shape access. As motivated economic actors, theyinternetto gain or During the companiesTariffa result. service providersfor example, there setting the policies andA lower cost version gives access to content that is registered instand backbone, and have entered into to internet-dependent internet more (although even this content is subject to government filtering). In North America, we see a similar sort of the national the .kz and provide most exert of Netconnectivity. with telecoms carriers debating whether to create faster and better services for higher premiums. National carriers international Neutrality, the net. Carriers who act as internet service providers (ISPs) exercise considerable informal authority whendomain by is a DoS attacks. Malicious network activity significantly affects the efficiency and speed of services lose revenue are boundoperational internet costs like spam or an essential economic interest to solve these problems as quickly and efficiently as possible.they an only.carriers asto solve contractually to offer their clients. It is two-tier internet. debate around the international level problems issue Policing band Access attacks or internet worms). A recent example comes from Russia where Russian carriers acted or networksto take down the Russian Business (Asto that together regulatedIn Kazakhstan, body, range from filtering spam through to the takedown indication of the scale of the problem, a recent Public Safety study counted 528 billion illicit or malicious emails in 2010, or 98% of e-mails sent). (including the sanctionedInter-operator agreements:aboutcybercrime network. activity are doing atinternet, but without any legal or regulatory thedisruptingcustomers and users. nor by any is official mitigatehome toaaframework, itsuccessful in dealensure thatcompanies roleand the acting and abroad, so toocollectively that are what Canadian telecoms compaDoS effect, carriers undertake a fair the its mining commercial work --Canadaservice providers are doing what areas of internetcarriersactors openness. solely toof servers should itboardabout rights of to guide pornography In on framework service actions. In absence ofCarriers solve these issues through informal agreements, 99% of which are sealed by a handshake. Collective operator actions, which are neither such protect delivery Just onauthorities a particularlyforof of inconvenient policingoperators tocaneasilycontrolcontent controls service to becareandAuthoritarianusers and user activity, niesincreasinglyshould content increasingly for trackingNational securitycan also implementindividuals cyberspace controls -- from censoring childhave notNetother the internetconcerned assist leverage national Controlling be range impossible to of political groups. targeting are home to eliminatinggovernmentscarriers tofora. National carriers are often members of decision-making fora suchacross of domains. working committees,in particular, giving many influence overpresence powersauthorities. application orThey second and thirdover and theinformation new mobile technologies and standards for greater decisions affecting lost as Other commercial actors: Acting to them in the criminals or colluding any groups or broad-based andthethe of interest. These of states, exercising are and delivery.requiring who national preserve human rights, of first, impose apply generation adoption ITU and its below). capacities (see Internationalon the internet and the interconnectionevolution of norms. their violation. governance as fine-grained surveillance considerable allocation national deemed internet have enabled to internetbeen towards more openness and the violation of more established human rights. Governments becoming more implicatedbeen 4.2.2. many of these changes haveproviders abide by domestic laws. One result,in a recent report by SecDev pointscompanies are engaged in censorship are deA number of large companies like Google, Yahoo, YouTube, Twitter and makers of encryption software (for example) are game-changers in terms of what behaviour theythese foreign commercial censorship accompanying agreements, Atto empowerment, Western major abuses of human major Western internet companies While of that companies have Chinas censorship and surveillance regime. spectrumthis has resulted in cyberspace out, is that rights. and individual regulate their operations in ways that protect and preserve human rights. Google, ethicalsame time preserving freedom of expression and privacy online. meant date, these voluntary codes have proven ineffective. No legal remedies exist to deter dilemmas and surveillance manding aiding related havecorrect Western corporate developed fragile self-governance human rights has forcedrights abuses actors intocountries. policy realm. Legislation has been in Somebeen debated in both the United States and protection ofwould restrict thehuman commercial in foreign the public companies operating or selling prodMicrosoft and Yahoo! are founders of the Global Network Initiative, a multi-stakeholder initiative to consider ways that businesses can operate effectively while at the 1 and 2 in between privateviolate humanthe Europe that internet-related issues for Canada, as the cases around other and relationship to regimes that industry in aiding and abetting pactsimportant as The and services and abetting complicity and rights. These are also But to times periodicallysector Part 2 above). authorities: New actors setting international norms andof telecommunications and Blackberry and Netsweeper illuminate (see activities ucts Public Boxes 4.3the country level,regulation domains policies ofhave been are of to coordinate rules ofwitnessed a spate toand the U.K. have alike. bodiesstates struggledand Nationalnorms security. Governmentscomprehensive legislation hasChina, Germany, India, Poland, the U.S. ofnew activitydesignated intheir setting of interand intergovernmental as well the adversaries launched national cyber securitygovernment risk in Australia, Brazil,practice. awayfirst half of 2011 toregulation. allies and internet,in this regard asthe oftenoffices to navigate thefor and cyberspace.through at regional and level. taken increasing importance in mostrelegated to government are measures with those to protectto openness road need At the same time, andtop-level Whileand the national international organizations are actors and governanceof assumed security roles. -responsible security and multi-stakeholder governance.as sought toTheUK, Finland, Estonia the France havepolicy international organizations. commitments from Canada, not programsgovernmentssimilar normative (ccTLDs) cyberspace and US,to yet been enacted theand countries, balance leading deepeninginitiatives, blocking lists. to secure principles on cyber securityorganizations the harmonizeprivateprogrammes thetechnical and makers particularly sharing of agencies interimproveon thesharingversussecurity versus openness,cyberspace blocks seem to be emerging. We lookwith and reduce dilemmasand twoIn this policy, from activepolicies through at each incorporation, including the At openness, access some of net statements of governments and inter-state bodies that favour preservation ofrestrictive policies regional turn: Governments question governments regional/inter-state bodies advocating more openness. inclinations havemain Efforts range joint more their advocating of and practices; Overall 1. and 2. particular concern to Canada are important because theirwith restrictive are shapeand practices National countries regional/inter-state bodies domestic 4.3.1 regional and international levels togrowing number of countries policies institutingIn thisdebate on censorshipaddition, many ofcontrols in the interest of policies the more effort, they Ofthe National governments and arelists of key words, domains and/orthataddresses, are giving way to moreare far ahead surveillance these countries are working the harmonize their cyberspace-restricting policies.global pervasive norms. Inand pervasive second concerned generation and regime security. These as blocked at states and preserving openness.of the priority countries that are known to exercise some degree of control over the internet. Robust information isthoseavailable forthird with in the lat half of A few facts: generationMore than 45 countries now operate national firewalls. Internet controls span a broad range of increasingly sophisticated techniques and methods. First controls such September these countries also engage inusers IP arrested and charged the only countryand sabotage has revealed nosocial media sites subtle whereof not after they used restrictive technicontrols, many of which act to encourage user self-censorship (See Box 8). practices. Mexico is with terrorism practices. However, in some of 2011, two Mexican internet restrictive overview At least half of Canadas priority engagement countries are known to practice one or more forms of internet control. Table 3 below provides an countries ter documented by the OpenNet Initiative (ONI) internet censorship follows four main patterns: the table. Likely, testing cal were to publish rumours of an unconfirmed drug gang attack on a school. In addition, criminal gangs are using murder to encourage user self-censorship (see Box 9). Box 8: An overview of internet censorship and surveillance techniques As technical blocking, which includes IP and URL blocking as well as DNS tampering; search result removal, where search services cooperate with government requests to omit certain results; takedown, where regulators can demand the removal of websites or deregister web sites; and, encouragement of self-censorship, through the threat of legal action, promotion of social norms, or informal methods of intimidation. Censorship methods fall into while generationsgateways orof blowback orISPs. defined by the ONI) : is being exerted on ISPs, services, and content providers of internet among major discovery. Increasing pressure conform to repressive statethree reducing the possibility control techniques (as First generation controls: Lists of IP addresses, keywords and/or domains are programmed into routers or software packages that are situated at key internet as Second generation controls: create a legal and normative environment and technical capabilities that enable actors to deny access to information resources choke points, typically at international network attacks. and when needed, laws. to campaignsThird generation controls: focus less on denying access than on successfully competing with potential threats through effective counter-information punitiveCanadas Priority Countries for EngagementN/A Table 3 responses, including targeted or demoralize opponents. [These controls] integrate extensive surveillance and data mining capabilities with intimidation and Information Controls First overwhelm, discredit, N/A N/A N/A El Salvadorthat GenN/A out against the countrys censorship: criminal organizations, which already heavily influence traditional media networks, are targeting N/A N/A Haiti following disturbing perspectivecomputer problems withswinging from a bridge outside of Nuevo Laredo, N/A accompanied by a warning that this is N/A theirN/A Box 9. Mexico: Criminals using terror to silence internet users drugs, crime and and violence. In September 2011, two Mexican bloggers were tortured and Mexico offers whoto all is awashbusy bodies. posters who blogN/A report on crimeN/A violence all over the country. Crowd-sourced crimes maps have surfaced internet users aMexicoreport crimes inon internet Their bodies, avid use of social and to report on crime is a reflection of many civilians despair at Mexicos killed will happen and groups inwith face of blogs. anonymous anti-crime what users log in speak The some time criminal internet anonymouslyusingno doubt achieve itsmedia andresult:identifyhelplessness of government authorities. civil society. the gruesome internet in now, had posted the civilianan intimidated traditional intended the seeming self-censorship forwere and where of users whocriminal gangs have been will social media sites like Facebook to greaterpotential targets of Mexicos beleaguered their media out-of-control For now consider a sampling of regional andneighbourhoods. The at policy harmonization and positioning for a more restricted and extortion. Now, cyberkidnapping and state-administered murder SCOs 2008 information security agreement; We international efforts space: BRICSUN Draft Resolution on Africa) statement onof conduct for information security; India, China, South Africa) Internet Governance; IBSAs (India, Brazil and South International code Security. 2011 (Brazil, Russia,on International SCOs 2008 information security agreement thisstates in the policies andpoised to exercise considerable de that pays special attention totheof regional cyberspace The SCO represents 32% of the worlds total internet population. 99% of its denizens are subject to some degree of internet control (see Table 4 below). In 2008 the SCO Russias Conventioncommunities. Cooperation -layers ofthreats,GenerationInformationsecurity of Information Field of International Information including theinformation that ofthe future government.content The ter such countries signed-10 below). ThroughThese efforts Generation game-changing Informational Control synchronization criticizes controlling the To counagreed national Legal technical cooperation lection4. cyberspace.signatoriesAttack to harmonize Third may yet be considered paramount; threats include sponsored information campaigns Technical Shut-- creatingSCO countries information Generation agreement, the SCO is National for on a global level. State gated the Filtering Second -- Warrantless Surveillance is and surveilled Policing Cyber Cafes and regimes Environment Cyberzones Security facto authority over information monitoring and colTable methods (see Box an agreementcontrols SCO COUNTRIES SCO countries: Controlling, surveilling and poised to fundamentally alter cyberspace Informal downs subject 10.some degree of internet control. SCO considers the information space as a critical area for governmentRemoval and for policy coordination Computer Direct Action Kazakhstan Chinaare First to Network is positioned to have an enormous impact on the KyrgyzstanBox states.include Kazakhstan, China, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistancyberspace.control, Requests The Shanghai Cooperation Organization (SCO) countries represent 1.5 billion people and 32% of the worlds total internet population. 99% of SCOs internet users like-minded with norms, rules and Current and missions, described dialogueobservers as simulations of how to reverse color-style revolutions and popular uprisings. membership. While Iran, members and two states (India, Mongolia, and Pakistan)The SCOthat are accessible on the internet and how they impactand Pakistanevolution of along within fullobserveris consideredthe negapartners and Lanka). interest four zation is not without some internal divisions (as exemplified by Chinas refusal to support Russian in its 2008 war with Georgia ) it has engaged in joint military exercisesSCO that is, toperceptionby some respective (Belarus for cooperation,India, Iran synchronizing have expressedto destabilize society and state. To to organiWith respect to cyberspace, SCOs 2008 agreement on Cooperation in the Field of International Information Security pays special attention to the content layers of cyberspace -- also asserts that developed states dominate theandSri consideredfacilitate integration andand individuals. Information which constrain the develtively and other threats, theand accesstheir target the counter these knowledgepublic the ideas of toembedding surveillance andisIt accuses including totheir softwarebrainwashingbecause they deliberately sharing, of other countries agreementto information governments resourcesspace andinpsychologic[al] information collection methods, formalizing information monitoring and responding outlines specific areas information functions representof significanthardware that they export. threats, and personnel to mass states societies and threat, hardware and software industries, refraining cooperation. Theunity, normativeto be highly and strength to the individual countries beyond the sum ofthey are likely to become important vehicles for policy the coming battle opment fromagreementtend coherence, secretive and so not easily subject to outside scrutiny. But the aparts. SCO is poised to become a global force in coordination, givSCO cyberspacessharing, andChina, South Africa) technologies.control ing their over meetings Russia, India, covertly that will likely become another forumdevelopedrestrictivemonopolizing the BRICS (Brazil, Cer Authority (DONA) meeting at the ITU (May 2011) is BRICS future. from the DONA another regional for more states, whose populations represent some 30% of the global population. (See Table 5. Note that BRICS and SCO membership overlap). By contrast, the United States represents only 13% of all global and net users, and the Euro-Atlantic alliance a declining 40%. pushing to have the noted that Russia was asupervisory of Table 5.2011,Brazil, Southorganization meetingandthe Governancethat a number of be used to will be international control over proclivities of its member In Maythe ITU, HamadounIBSAITUsexpress on Internet ITU meeting (September 2011) statementinternet policy-making, given become internet. the report Africa) to monitoring at interest shows released should countries establish the body. current model of internet governance is no ITU the the the global co-founder body for internet governance (rather than create a new UN body, see below). At the meeting, Russian Prime Minister Vladimir Putin met with the Secretary GeneralITU, and It recommended theGlobal Internet all existingNationsinvolved coordinate andand operational functioning of the internet and also be responsible for of the internet. suggested the entity creation of Russias to present further strengthening its cooperation with that (September global public policies pertaining to that supervisory body to IBSAsmanagement new UN Toure wouldintentionGovernance in this proposal an the 66thInformation Securityand the Putin2011) On 2 September 2011, arbitration.statement a new United bodiescapabilities the officialsubmitted aasserting (September 66th General Assembly concerning a longer valid. 2011, evolve theSeptember ThisAssembly:the crisis (India, criticalChina, for information security. The proposed hostileofof atclauses that call forthe Assembly content is a2011).range of issues key provision UN 66th General conduct Russia,inensuring ICTswas International environments of the co-signors, coherent multilateral, transparent concern. A networks, the Draft for an In internet codedissemination of information thatcriminal and terrorist activitiestheSCO) informationinternational other countries a voluntary management. spiritual andcombating incites terrorism,membersactivities, and the establishment of of integrated primary and democratic internation11 protection the of as andcooperate Tajikistan and Uzbekistan (all secessionism or technicalits or thatresolution to cooperation on political, economic next). and infrastructure,The govern are information Code in that for UN General control al curbing of of their International cultural national not used September 2011) extremism Conventioncommunications technologies, including including urges every well theRussia released Resolutiondevelopment.by Russia a fewConductuse in and in September 2011, to Matters. mirror those articulated(22 for code has weeks later undermines the UN Information stability, Convention UN resolution restricted note, Convention for International Information Security,consequences for international stability are those that Many state economicon state-centric conceptin the information space, control.as misinformation campaigns aimed at undermining of High Ranking and social aspects Russias as country andGiven thestructures In convention is highly government and ... carried in with information as well of sovereignty overwith information environment within its borders. Information a Information out against the population KeyState with the the of on Responsible for Security to guide normative subjectSecurity The communication technologies should be action to cyberspace emphasize state athe nation stateintentat the International Meeting the Security (see Officials and concerned the rules and regulations of cyber threats in whichdestabilizing society. target political, economic, and social system of governments and inter-governmental organizations that favour openness another The principlesfirst national government policy positions on cyberspace openness. Supportive statements were also issued by key intergovernmental bodies. Key and saw the proposed politicalbelow are: they are used. 4.3.2 NationalCyberStrategy (Feb 2011) 2011 and events that we review 2011) players U.S.Cyber Strategy (May on internet Opennessright (July 2011) UK Special Rapporteur G8: Commitment to openness, protection of individual rights and security (May 2011) OECD:Access to principles of dual-use technologies (September OSCE: American Treaty internet should be a UN on European North Nascent Restriction different In human (June 2011) Defense Cyber U.S.majorunder one framework, securitythat emphasize thatpositioning is(May 2011)Internationalmore activeUnited States securityshould not come at the for lists Cybercyberspace force therightOrganization (NATO) 2011, Internet the 2011) of the United Clearly, a constitutive and cyber allfor Human Rights report whileon U.S. released its(June 2011). States. The whole-of-governmentefforts with protection expense the forums. notes cyberspacegovernments is pursuing into theopennessStrategy Union: in all of11)privacy. Itpolicies that theinternationalmulti-stakeholder an Strategy forregulatory role, thisaims to bringThesecurity andall May and United Cyberspace has been exceptionally strategy the first time will statement easily. For example: the normativeon intellectual Statesfronts. to assume a integrated balancefreedom; the commitments to active across the current emphasis Policytheopenness, policy However, governance and balancing which approach. together, of user sevenposition uneasily with current U.S. legislationdomestic within the PATRIOT act; and, chafes intricateinternet companies are increasingly finding themselves rights,key policy interoperability. to such as the individuals need of and priorities Thislater policy document very Box the willboth contained acts in cyberspaceprotection U.S.-based commercial proposed between prosperity,was elaborated openness interestthat the United by property and Russia to against privacy stand notsystem is (see important onthe recent toof Defense in July the U.S. as Boxwould theany other threat to our information and to establish a constant colluding or aiding the censorship and surveillance regimes in countries like China, Iran, Yemen, Burma and others. One clearly contentious issue is found in the passage affirming come onissued security threats. in arelated Of U.S. U.S. International StrategyCyberspace, released in May 2011, contains seven we 12). to exchange cyber security country. This element individual norm for US respond agreement communications to globalcyber States Cyberspace: Seven priorities Box 11. International Strategy forsetting, is Department hostile between 2011 (see core priorities: The Promote innovative, open markets; Enhance security, reliability and resilience of global networks; Improve law enforcement collaboration to fight cyber crime, domestically and internationally; Prepare for 21st century security challenges (that is: military cooperation among allies to fight cyber threats); Promote effective and inclusive internet governance structures; Build capacity, security and prosperity through international development; and, US Departmentinternet access, support digital activism and in Cyberspace, released 14 July 2011, focuses on four threat vectors: external actors, insider Support fundamental freedoms and privacy. To coordinate these priorities, the State Department has created a new senior position -- Coordinator for Cyber Issues -- and announced $30 million in grant funding supplythe USof Defenses Operating in Cyberspace operationalas an act ofrepression. International Strategy for Cyberspace. One possible reason for this increase clearly for (DoD) right counter internet war in its Boxgiven that chainUS may reservedandStrategyto DoDsambiguity regarding Interestingly, the cyberspace as a more effective deterrent. The strategys fiveis surprisThe 12. tois that the Strategy consider the threats for Operatingattack ability. its thresholds in strategy focuses exclusively on defensive capabilities. This core threats, U.S. ing approach are:DODs vulnerabilities, a certain to treat of cyber degree a priorities of networks; resiliency Treat cyberspace as an operational military domain, requiring US forces to organize, train and equip for effective capabilities and to develop the cyber like-minded coalitions for joint practices,base; warning, burden sharing and mitigation of risk; Partner to create a whole-of-government cyber security strategy, and involve the private sector to better monitor the global technology supply chain, both in hardware, software and knowledge early of hisventures. alreadyProtect DOD networks and systems; individual privacy asand cyberspace openness on cybercrime foreign policy on cyberspace that cyberspace-enabled Build a cyber work force and promote technological innovation within DOD, which will encourage private sector cooperation through rewards and joint 2011noted, thefreedom of expressionCouncil, UK Foreign MinisterCameron Hague outlined government wasthe summer ofof law (see Box 13). UKaccess, Build robust global cooperation with U.S. allies and international partners, including the development of shared situational awareness and development Strategy to U.K.s intentions to and U.K. Prime Minister David William announced wereagiven tested in investigating whether it will be right to stop In CyberGovernmentsvia these websites uphold individualtheM.P.s securitycollectiveObservers expressed alarmMessenger service. speech the reaction In response, services. Other term demanded the suspension thethenascent and respectproposed 2011, when emphasized univerthe Munich Security the elasticity of liberties well as threat. action of sal openness, As U.K.system of checks and balances andset certain degree ofof censorship and surveillance. Whereas such extreme measuresrightsbe warranted when backed by civiliancommunicating country. highlights and the practice transparency, they could result in extreme violations thehuman may when applied by regimes that people to therocked precedent they would a for BlackBerry at of for rule counter-measures, especially with Theintolerant global Strategy: Seven or minorities. respect riots of political opposition principles indicated that the U.K.s upcoming policy on cyberspace would emphasize seven principles: a robust U.K. Foreign Minister William Hague are2011, proportionality and respect for national and international law; Box 13. universal access to cyberspace; Cyber In tolerance and diversity in cyberspace; ensuring cyberspace openness to innovation, information and expression; the individuals right to privacy and protection of intellectual property; collective action to combat cybercrime; and, wellexponential growth ininternational approach,partners to involved resilience and joint operational capabilities. to require collaboration across government, promotion of a competitive environment which ensures a fair return on investment in network, services and content. The new cyber strategy will require coordination with the existing Cyber Security Strategy, first released in 2009 and updated continuously in response to the perceived as with industry and threats. The allies and which has increase the creation of new cyber security offices, is as G8: Commitment to openness, protection of individual rights and security forthat arbitrary or indiscriminate censorship or restrictions on lever forto beinternet In May 2011, at the highest level meeting on the internets future to date, G8 member states committed to preserving internet openness, transparency, freedom and multi-stakeholder an instrument forto achieve freedom, security and respect government. stakeholders. The references to cyber security mentioned is economic at the Deauville summit, emancipation, stating development and governance need political liberty andhostedclearly unacceptable. key The and individual rights simultaneously. This outcome thethe achieved are inconsistent with States development and government are by the informed by all The statement underlined theforum will also be of interest.regulation French confidentiality final statement characterized the internet as a access to Roma-Lyon through participation in this international obligations and group, which is the G8s anti-crime and counter-terrorism experts group. been lauded for underlining the critical importance of internet openness and multiThe challenges arising from the G8 principles are evident in the recent public criticism of Frances domestic cyber security proposals, which contravene the G8 commitments. No doubt the G8 will be an important forum where the conundrum of how to balance openness, privacy and security will be debated. (See Box 14) Russias international norm thesethe French do not sit easily May 2011, essentials, including the protection of intellectual property and domestic concerns about Box 14. The e-G8 and cyber security The Deauville Summit, and civil society. While some very prominent people were invited, there was a great deal of angst among many civil society groups who held stakeholder governance. But by principles Government in with other has cyber security. The summit was preceded by the E-G8 forum, an initiative of President Sarkozy to involve a variety of stakeholders that are typically not part of G8 discussions, particularlythe summit, hostedsecurity was signaled to be an important topic of discussion. The final communique alludes to cyber security issues in several places, businesses cyber a shadow summit of their own, and issued their own communique that criticized the E-G8 forum for its narrow participant umbrella, and the emphasis given to intellectual property and copyright concerns. Going into following: including the of malware and the activities ofto all forms of attacks against In this regard, we recognize that promoting users awareness is of crucial importance 17. The security of networks and services on the Internet is a multi-stakeholder issue. It requires coordination between governments, regional and international a organizations, the private sector, civil society and the G8s own work in the Roma-Lyon group, to prevent, deter and punish the use of ICTs for terrorist and criminal purposes.cyberspace. On allmust be paid we play,determinedobjectives oftheof stakeholders, in helpingall relevant infrastructure. The fact attacks caused bycan networks proliferation Special attention these arerole to needed in order toaprovide critical resources, ICTs andin adversely affect services, including that systems, remains botnets through to and that here is theGovernments norm a inconsistentinformed the Internet. theappropriate infrastructure,to develop and the integrity of critical the Internet the potentially be used international cooperationtimes a year tothe by protect peace and security, andof the Roma-Lyon group. The Roma-Lyoncommon approaches matteruse concern. for purposes may become is are multi-stakeholder range for cyber of follow-up address publicfora. ofissues surrounding terrorism and in the ofenhanced emphasisthatthat issues, an important coordination point integrity strategies to other related norms behaviour and group has evolved of Notable Nascent principles around internet economy, with discuss,full cyber security issues forissues. years. In June security OECD hosted a High Level Meeting the work may into OECD has Economy Group have development, governance, and approaches, and crimeeconomy. The meeting was praised for fostering robust multitransnational crime. The in on internetthree OECD: of certain provisions (see Box 15). end, the CIASAC did not endorse theinternetIndustry Advisory Committee the The several working groups Paris the 34opennessstark contrastprinciplesbeing articulated andmore regulatory-minded 2011, (BIAC) such theChina Society Informabeen active on meet on the Internet statement of principles standsthe aimed developing shared to debate, and develop by stakeholder discussionssuch, the OECD may prove expression (as thoseas security). final wording ofamongst like-minded governments who prioritize internetthe member well for cyber policy tion and ambiguitythe ITU.2011 privacy(CSISAC).atIn in A good start,delegations, antoBusiness development the Internet Policy Principles, expressing concerns about the OECDs initial control, Internetprotection and free to be a useful forum for theopen reaffirmmany governments as Civil SCOSociety Advisory Council June 2011governmentalnot endorse the Principles,interpretationreservations about certain provisionsand open, innovative and free of As amongstPolicy Principles: openness, user burdens. However, the CSISAC didInternet Policytoo open Boxand deterring illegal activity, fraud and misleading networks.but final version,on ambiguousalanguage and services andthe internet important and Russia Service 15. to OECDs high level meeting in that flows through their and unfair(Internet conducted over like other stakeholders, keepingwell play an encouraging Internet in established which commitment to can as do undue regulatory property protection, intermediary liability and governmental regulation. this clause: While promoting thenetworks of information, it is as advancingto intellectualaddresscentered expressing ProvidersOECDs andsafeguarding personal security issues andof expression, cyber security, their free flow that could with other intellectual property rights, coningpresentingpolice emerging international legalthe freedomCOEpractices intermediaries, protection of children, could meanof fundamental rightsby opposed A second setfor as an content around heavy data, norm Some are concerned that this phrasing equates cyber security be interpretedessential economic growth.)a of concerns authority or cyber handed approaches. Convention, OECD Guidelines), which in turn protection that related for governments to was also as work towardsitbetter is nowfundamental rights online. (e.g. Concerns and plans to undertake a comparative analysis of nationalcyber security role as sumer protection willother important working group on cyber security, to justification OCED internetformingbe venue and centre of gravity for cyber security strategies among the 34 states. coercive Relatedly, the the concern about the growing the first survey ever on internet regulation issued to its member states (with 46 of the 56 members It noted that some cyber securitycould become strategies. This working states to Finland and should a a human right OSCE:expressed the be an Estoniato address state made press release andwith their citizens having a legalon internationalas a human right. responding). The Access the OSCE measures -- Assembly issued a cyber technologies In monthfor statesOSCE issued technology,of trend of use of exchanges on and resolution to nationalcyber warfareto internet commitments concerning codes creathe results and report 2011, -- usingbe Parliamentaryhave already internet censorship states to work through norm developmentstrategies. access. resolution calls for the of for internet access be considered member certainly buildingan important forum information this declaration, advocated policies,France andtoright forcyberspace,The ensuring that domestic A July confidenceaccess to certain users (see Box 16). Notably, the July cyber in conflicts; prevent debatesthe UK in adopting or considering legislation that prior, not compromise freedom of expression. (June 2011). while tion OSCEdenies Lobbying for openness conduct OSCE: The of 2011, OSCE released a report on internet content regulation in the2011 security which called for internet access to be recognized as a fundamental human for member OSCE legislation does selectively promises to cyber Box 16. In July based on a member survey pointed out that encouraging responding) the report criticizes atechnologies, and right. In part apply to that internet, and inthe Internet. memberactions stood in contrast region, mostly general trendfreedom to freedom of and freedom of the media (46 out and censoring of theCentral Asia, prohibit of 56 Thethat states filtering and20 countries, not recognize Restrictions of expression expression must comply with to international norms: international norms. No compliance could lead to censorship, said Yaman Akdeniz, the author of the report. across Europe towards greater regulation, control The study showed that legislation of emergency andsuch enable to other securitysuspension of Internet blocking equally Europe warns against the measurescountriesadopted also notedcomplete report showed to from report Eastern criticism ofusersgovernment, whereso-called extreme byrules.on and internet with the purpose to that prevent at timesandwar, in a state allegedlyseveral countries allow for the planned in does services access for the internetover many basic human right, which should be respected as much deny threats. Thethe study as an advocacy tool to promote speech-friendlyspeech regulation in the the UK,participatreport also of exercised Dunja Mijatovic, OSCEs chief France that Internet freedom of expression. access as a already in responsemedia freedom observer, said: We will who have violated copyright The report right to Source: Adapted use Internet ing States. emphasized from EDRI, 2011. OSCE: Access to the Internet Should be aOSCE Right. Human as the http://www.edri.org/edrigram/number9.14/oecd-study-internet-freedom UN General Rapporteur for Human Rightson a strongInternet (May 2011) of the right an freedom of In May 2011, the UN Special Rapporteur reportpromotion and protection becoming to international the on case opinion andAssembly. on the promotion and protection of for internet accessis likely to become an imporexpression, human right (see Box 17). The Special Rapporteur intends to pursue this issue in an upcoming report to the Special in the ensuing global debate on cyberspace norms. The freedom Box. 17 UN Special Rapporteur for Human Rights: Internet as a Human Right Frank La Rues report Frank La Rue made human rights law; internet tant marker as prescribed by to disclose private information must report emphasized that: due process; Information on the internet should not be restricted, except in few exceptions and limited circumstances intermediaries international quests for Censorship measures should never be delegated to private entities (like ISPs), and that any rethese be done reportCorporations have a responsibility to respect human rights; and strictly through Universal access to the internet needs to be vigorously pursued. The expressed deep concern bytimes of political unrest; andover: dissemination of information; The increasingly sophisticated and non-transparent blocking and filtering mechanisms being used censorship; Cyber attacks against individuals and organizations working in the areas of human rights organizations, the International Covenant on Civil and Political Rights). States that cut off internet access entirely, regardless of the justification provided, and including during states for(EU): opposition and the censoring countries Inadequate protection of the right to privacy and data protection (in accordance with article 17 of September-- political Restricting sales to Europeanrestrictsuchthe China, Russia, be used EUviolateon the export data transmissionsembargoes. The In speech. Union technologies to export India andtechnologies now need democratic principles or freedom rules human rights, subject from the to technologies 2011, wanting that canto on CyberTurkey Cyber digital a coordinatedarms --for certain intercept Defence well as foreignAtlantic specifically those used revisedtargets cyberthat offers ofapprovalto vision features in regimesthe alliance. Parliament policy Policy on as securitythosenot openness, it authorities. as EU While this dual-use and monitor Defence dual-use telecommunications aim is of June 2011, defineofreleased its Policy open to the NATO the OSCE and OECD. As the latter two a North toacrossforms their agendas for an membership with framework will require review to ensure In reviewEU NATO Organization (NATO): net, cyber security underTreaty NATOs overlappingdeveloping minimuminformation systems by bringing NATO and this organizations centralized secureand operational mechanisms byrequirements for national networks that harmonizedbecauseseeks political NATOs communication and cyber defence into the Defencecyber atapproach. The defense Allies if requested, and cooperate with stakeholders. which NATO can respond to Planning networks critical infrastructure is traditionally under hour monitoring of allis willing to advise national process of connectfully operational by and The policy integrates NATO of its networks. While proProcess,or will be tothe to protection 2012 with 24 state purview, tacks, assist policy NATO information. The policy clarifies tection and government on cyber security issues and coordinate assistance during times of crisis (see Box 18).

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

Executive Summary: Key Takeaways and Recommendations

1. Cyberspace is a core strategic domain for Canada, central to social, economic and political life. It forms critical infrastructure for the public service, healthcare and social service delivery, banking, finance, education, energy and defence. It is key to Canadas future economic growth. 2. Cyberspace has become a conduit for new forms of crime, espionage, exploitation and warfare. Cybercrime costs the Canadian economy some $100 billion per year. Canadian carriers detect over 125 million cyber attacks per hour on Canadians. In 2011, Canada suffered an extraordinary security breach, when foreign hackers penetrated the computer systems of three key federal government departments, stealing highly sensitive documents and forcing the agencies offline for months. Canadas capacity to effectively police cyberspace like most other countries is extremely underdeveloped. 3. Alarmed by growing cyber threats, governments across the globe are moving to exert greater control over cyberspace. State efforts to regulate cyberspace are relatively recent. Historically, cyberspace governance has been exercised by mostly technical bodies and the private sector who have set the rules and norms that shape infrastructure, operating protocols, access and content. Governance has thus far been a voluntary, diffuse and multi-stakeholder process that favours cyberspaces evolution as an open global domain. 4. State efforts to secure cyberspace compromise its openness. This is problematic. Cyberspaces openness meaning its property as a global, inter-operable network of networks that enables unrestricted communication for all users has been key to its explosive growth, rapid development and enduring importance. Openness is central to its success as an enabler of productivity and prosperity, communication, knowledge sharing, good government, personal and communal empowerment, and innovation. State efforts to secure cyberspace require various forms of regulation, monitoring and control that can disrupt its openness and user privacy to differing degrees.

5. In 2011, major Euro-Atlantic players staked foreign policy positions that seek to harmonize cyber security imperatives with the preservation of cyberspace openness and interoperability, multilateral governance and the protection of user privacy and human rights. The list includes the United States, the United Kingdom, the Organisation for Economic Cooperation and Development (OECD), and the Organization for Security and Cooperation in Europe (OSCE), among others. 6. By contrast, a growing number of states such as members of the Shanghai Cooperation Organization (SCO) prefer a more territorialized approach to cyberspace. Most have strong traditions of state intervention into political and economic affairs. They see cyberspace within this frame as a national jurisdiction that requires intervention to preserve collective identity and regime security. This vision seeks to alter the inter-operable, multi-stakeholder constitution of cyberspace, often replacing it with a top-down, non-transparent and government-controlled model. Many have already enacted strict domestic controls to censor cyberspace content, surveil online users and criminalize cyber-enabled demands for political change and human rights. 7. In the contest over the norms that will guide cyberspaces future as an open commons or as gated communities SCO countries are further ahead. SCO countries are harmonizing their domestic policies at the regional level and are pushing the state control agenda at the global level. Proposals are being fielded and their influence felt in various international forums that are important for cyberspace governance. 8. But this contest is not a simple struggle between the forces of liberation and control. The reality is more complex. Many Western governments operate content filtering regimes to screen out child pornography. Their moves to securitize this space have often resulted in domestic security policies that contradict their foreign policy positions on openness. And Western commercial firms are supplying surveillance and censorship software to, or colluding with, regimes that violate human rights. A critical issue is transparency of regulation.

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

ii

9. Canada is a world industry leader in cyberspace deployment and use. It needs to engage in the global debate on cyberspaces future with a clear foreign policy vision. Canadas nascent cyber security strategy is vital, but it requires a broader framework that takes account of the global cyberspace governance issues afoot. This broader framework needs to

harmonize domestic security policies with the equally compelling goal of preserving cyberspace as an open, global commons for all. It also needs to consider the complex architecture of cyberspace global governance, how influence and authority is exercised, and how this is changing.

***

Recommendations
A. Developing a strategic vision
1. Pursue a whole-of-government approach to develop and implement Canadas strategic vision on cyberspace that recognizes its central importance beyond the security agenda. 2. Define a position on cyberspace as an open global commons, consistent with Canadas foreign policy objectives on democratization, human rights and trade. 3. Harmonize domestic cyber security policy with foreign policy objectives on openness to ensure consistency and balance. 4. Demonstrate international leadership in developing accountable mechanisms that balance the goal of securing cyberspace with the imperative to keep it open both domestically and internationally. 5. Develop a code of practice for Canadian businesses to reduce the likelihood of their colluding with cyberspace closure and surveillance abroad, as well as security breaches at home. 6. Define how to coordinate and leverage already existing Canadian assets in global cyberspace decision-making. 7. Define how and where to build broad coalitions of like-minded states. International collaboration is needed in order to define rules of the road, develop mechanisms for information sharing, improve international legal architecture, and resist top-down regulation. An agenda for inter-state discussions should include: promoting norms for mutual restraint; protecting the physical integrity of the internet; developing effective and efficient law enforcement across borders, including non-state, decentralized and distributed security mechanisms; enhancing the transparency of regulating mechanisms; exerting concerted efforts to fight cyber crime activities that originate within their respective territorial jurisdictions, even if the crime itself occurs elsewhere; and, developing minimum common standards of security and codes of conduct for the private sector. 8. Review Canadas experience with leading multi-stakeholder and multilateral treaty processes including the verification for the comprehensive nuclear test ban, and the landmine ban to see whether there are lessons that could be applied to the cyber agenda.

B. Engaging Canadian stakeholders at home and abroad

9. Develop a multi-stakeholder consultation process, bringing together the public sector, private sector and nongovernmental actors. 10. Engage Canadas ICT sector, particularly market leaders and individuals who are key influencers within the existing forums for internet governance. 11. Leverage Canadas academic community, members of whom are global leaders in enumerating and documenting the evolution of internet governance worldwide.

C. Sustaining the effort

12. Seek partnership with academic and corporate actors who can provide additional technical support and enhance capability within DFAIT. 13. Invest in professional training and development at DFAIT to ensure that cyberspace becomes a core competency for employees. 14. Develop a global monitoring and tracking capability on cyberspace issues and actors.

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

iii

Table of contents
Executive Summary: Key Takeaways and Recommendations .................................................................. i Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT ..................................................... 1 Overview.......................................................................................................................................................... 1 Part 1. Canada and Cyberspace: A Foreign Policy Imperative .................................................................. 3 1.1 1.2 1.3 1.4 1.5 1.6 1.7 2.1 2.2 2.3 3.1 3.2 3.3 3.4 3.5 3.6 4.1 Other governments are moving aggressively to shape cyberspace .......................................... 3 Cyberspace is key to our economic interests ............................................................................ 4 Cyberspace openness amplifies Canadian international influence and upholds core values ... 4 Cyberspace is key to our security interests ............................................................................... 6 Much of Canadas digital supply chain is foreign-owned and controlled ................................... 6 Canada is already engaged in diverse international fora, but ............................................... 7 Muddling through wont do: Canada needs a harmonized vision .............................................. 7 Cyberspace as a socio-technical construct: Three interdependent layers ................................ 10 Cyberspace and the internet: The evolution of multipolar governance ..................................... 10 Return of the state: Renewed efforts at state control ................................................................ 14 Demography: Fundamental shifts in the user base .................................................................. 15 Technology: Innovation is affecting usage and norms .............................................................. 16 The private sector: Shaping possibilities and norms ................................................................ 16 Politics: The growing contestation between users and states .................................................. 17 Cybercrime and cyber security: Driving closure ....................................................................... 17 Militarization of cyberspace: National security and the new arms race .................................... 19 Self-constituted private authorities: Technical standards and functional norms ...................... 21

Part 2. Cyberspace Governance: A Backgrounder ..................................................................................... 10

Part 3. Cyberspace: Drivers of Change ....................................................................................................... 15

Part 4. Cyberspace Centres of Gravity: An Introductory Overview ......................................................... 20 4.1.1 Technical standard-setting groups ........................................................................................... 21 4.1.2 Civil society organizations (CSOs) ........................................................................................... 22 4.2 Private sector and commercial authorities: Owners, operators, innovators and gateways to regulation and control .................................... 24

4.2.1 National carriers ....................................................................................................................... 24 4.2.2. Other commercial actors: Acting to preserve human rights, or colluding in their violation ....... 25 4.3 Public sector and government authorities: New actors setting international norms and regulation ............................................................. 26

4.3.1 National governments and regional/inter-state bodies with restrictive policies and practices .. 26 4.3.2 National governments and inter-governmental organizations that favour openness ................ 32 Part 5. Summary and Recommendations ................................................................................................... 39 5.1 Recommendations for DFAIT ................................................................................................... 40 Endnotes and references ............................................................................................................................... 42

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

iv

List of Boxes
Box 1. Canadian companies and human rights 1: BlackBerrys coveted black box ........................................ 5 Box 2. Canadian companies and human rights 2: Netsweepers collusion .................................................... 5 Box 3. Cyber security and cyber openness: Domestic and international linkages and tradeoffs .................. 9 Box 4. ICANN: Keeping the internet stable and open, but increasingly politicized ........................................ 12 Box 5. The drivers of cybercrimes exponential growth .................................................................................. 18 Box 6. Internet governance: Individuals matter .............................................................................................. 22 Box 7. Internet hacktivists: Legitimate protest in the information age? .......................................................... 23 Box 8. An overview of internet censorship and surveillance techniques ....................................................... 27 Box 9. Mexico: Criminals using terror to silence internet users ..................................................................... 28 Box 10. SCO countries: Controlling, surveilling and poised to fundamentally alter cyberspace .................... 29 Box 11. US International Strategy for Cyberspace: Seven priorities .............................................................. 33 Box 12. US DODs Strategy for Operating in Cyberspace.............................................................................. 33 Box 13. UK Cyber Strategy: Seven principles ............................................................................................... 34 Box 14. The e-G8 and cyber security ............................................................................................................ 35 Box 15. OECDs 2011 Internet Policy Principles: A good start, but too open to interpretation ..................... 35 Box 16. OSCE: Lobbying for openness ......................................................................................................... 36 Box 17. UN Special Rapporteur for Human Rights: Internet as a Human Right ........................................... 37 Box 18. NATOs Cyber Defense Policy ......................................................................................................... 38

List of Tables
Table 1. Cyberspace Numbers: At-a-glance ................................................................................................. 2 Table 2. Cyberspace Centres of Gravity ..................................................................................................... 20 Table 3. Canadas priority countries for engagement Information Controls ................................................ 27 Table 4. SCO countries - Information controls ............................................................................................... 29 Table 5. BRICS Countries - Information controls ........................................................................................... 30

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT
A Foreign Policy Framing Paper

Overview
Cyberspace1 is a core strategic domain for Canada, central to social, economic and political life. 79% of Canadians are online.2 $174 billion dollars transit Canadian cyberspace networks every day. It forms critical infrastructure for public service, healthcare delivery, banking, finance, education, energy and defence. It is considered key to Canadas future economic growth.3 Internationally, cyberspace amplifies Canadas global presence, allowing us to punch above our weight. Canadian NGOs, businesses, academics and diaspora communities operate across global networks and act as important ambassadors securing Canadian interests and values. Yet cyberspace also serves as a conduit for new forms of crime, espionage, exploitation and warfare. Canadas vulnerability was exposed recently, when foreign hackers penetrated the computer systems of three key Canadian government departments, stealing highly sensitive documents and forcing the agencies offline for months. In 2011, cyberspace stands at an historic constitutive moment. Its central enabling property unfettered communication for all is under threat, as governments across the globe seek to control this space in the interests of cyber security. State efforts to regulate cyberspace are relatively recent. Cyberspace governance evolved largely under the radar of nation-states, as a myriad of diffuse actors and bodies mostly technical bodies and the private sector set the rules and norms that shaped cyberspace infrastructure, operating protocols, access and content. Governance has been a voluntary, diffuse and multi-stakeholder process that favoured cyberspaces evolution as an open global domain. But now, nation-states are pushing for tighter control, prompted by rising concern over cybercrime, espionage, attacks on critical infrastructure, user exploitation, child pornography, extremism and cyber-enabled civil unrest. In addition, a growing number of states and regimes are acting to censor cyberspace content, surveil online users and criminalize cyber-enabled demands for political change and human rights. Regardless of motives, state moves to regulate and secure cyberspace create compromises with respect to its openness. This is true even in the most democratic countries, as many Western countries are discovering.4 There are no simple solutions, only difficult tradeoffs. Will cyberspace remain an open global domain or be partitioned into national, gated and surveilled communities? The future is being decided now through national practices as much as international policy efforts. But the debate is heating up, as governments with very different visions signal cyberspace as a key domestic and foreign policy issue in multilateral fora, bilateral relations and in relationships with civil society and industry. Canada a world industry leader in cyberspace deployment and use needs to engage in this debate with a clear foreign policy vision. The process of policy development will be challenging. It will require: clear articulation of our domestic and foreign cyberspace interests; understanding the tradeoffs between cyber openness and cyber security; harmonization of domestic roles and jurisdictions; domestic security policies that reinforce our foreign policy commitments; dialogue and cooperation with private sector actors who are active globally; nurturing a broad community of like-minded states to establish shared rules of the road; and, consistent, strategic engagement across the multipolar and diffuse networks of formal and informal institutions that govern cyberspace.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

This brief responds to a request from the Department of Foreign Affairs and International Trade to frame key issues requiring consideration for a Canadian cyber foreign policy. It is arranged in five parts: Part 1 Canada and Cyberspace: A Foreign Policy Imperative outlines why Canada needs a foreign policy on cyberspace; Part 2 Cyberspace: Background and Key Governance Features introduces three features of this global space; Part 3 Cyberspace Drivers of Change flags six clusters of factors that are driving cyberspace evolution and are key processes to engage and watch; Part 4 Cyberspace Centres of Gravity outlines the levels and forums where decision-making on different aspects of cyberspace governance occurs; and Part 5 Summary and Recommendations summarizes key takeaways from a policy perspective.

Table 1. Cyberspace numbers: At-a-glance

Internet users worldwide: 2.1 billion or 30.2% penetration Internet users in Canada: 27 million or 79% penetration Internet users in the developing world: 885 million, or 21.1% penetration Internet users in China: 420 million or 32% penetration % of global internet users in Asia: 42% and increasing % of global internet users in Europe and North America: 38% and declining % of global internet users under the age of 25: 67% and increasing Fastest growing user-base: Youth in failed and fragile states % of youth users using social media: 80% Potential access to mobile networks: 90% (world population); 80% (rural) Global B2C e-commerce spending: US$ 708 billion Global B2C e-commerce spending in 2015: US$ 1,285 billion Estimated cost of corporate data leaks in 2008 US$ 1 trillion

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

Part 1. Canada and Cyberspace: A Foreign Policy Imperative

Canada does not have a foreign policy for cyberspace. Why do we need one? There are several reasons: 1. 2. 3. 4. 5. 6. Other governments are moving aggressively to shape cyberspace; Cyberspace is key to our economic interests; Cyberspace amplifies Canadian global influence: Cyberspace is critical to our security interests; Much of Canadas digital supply chain is foreign owned and controlled; Canada is already engaged in diverse international fora, but

international venues where cyberspace governance is debated, such as the Internet Corporation for Assigned Names and Numbers (ICANN), the International Telecommunications Union (ITU) and the United Nations General Assembly. And regional security organizations, such as the Shanghai Cooperation Organization (SCO), are being used to coordinate restrictive policies on a broader scale. (See Parts 2 and 4 of this brief). Is the unfolding contest over cyberspace a simple struggle between the forces of liberation and control? No. The reality is far more complex. Many Western governments operate content filtering regimes to screen out child pornography. They are also moving to securitize this space, enacting domestic security policies that contradict their foreign policy positions.5 And Western commercial firms are supplying surveillance and censorship software to, or colluding with, regimes that violate human rights.6 Across the board, a critical issue is transparency of regulation. Canada cannot afford to be a passive bystander as cyberspaces future is decided.

7. Muddling through wont do: Canada needs a harmonized vision.

1.1 Other governments are moving aggressively to shape cyberspace.

The stakes are high as governments across the globe seek to influence the rules of the road that will shape cyberspaces future. In 2011, major players like the United States and the United Kingdom staked foreign policy positions that prioritize cyberspace openness and interoperability, multilateral governance, and security measures that also protect users privacy and human rights. Their positioning is deliberate. They see the looming threat to preserving cyberspace as a global commons for all. This threat emanates from the up-and-coming players who are pursuing a more territorialized and gated future for cyberspace. Some 45 states now implement broad-based content filtering for ambiguously definednational security offenses, including insulting a public figure. Some, like China, have gone so far as to create a national sovereign intranet, which is cordoned off from the global internet. Russia, China, Brazil, India and other states that support a more territorialized vision are assertively engaging in

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

1.2 Cyberspace is key to our economic interests

79% of Canadians are online. As one of the worlds largest landmasses with a widely dispersed population, Canada is deeply dependent on global telecommunications to address economic, social and environmental challenges;7

1.3 Cyberspace openness amplifies Canadian international influence and upholds core values

Internationally, cyberspace allows Canada to punch above its weight. The online global presence of Canadian NGO, business, academic, arts, humanitarian and diaspora communities help to underscore and secure Canadian interests and values. Canadas $174 billion worth of commerce transit voice on the global stage is amplified Canadian networks every day. Canadians through these networks; made some $12.8 billion in online purchases in 2007;8 Cyberspace openness is increasingly Canada ranks third in the world for central to the pursuit of basic human rights e-government development and online worldwide. In democratically-challenged service delivery.9 Cyberspace is also critical states, citizens have leveraged cyberspaces to Canadas healthcare delivery; openness to advocate for (and sometimes achieve) political change. In response, Canadas financial institutions and energy affected governments have proven their sectors are heavily dependent on secure readiness to strangle and surveil cyberspace and efficient flows of global digital access and content, imprison users, and electronic information. Some 67% of trample basic civil liberties. Canada has Canadians used electronic banking or paid always been an ardent defender of human bills online in 2009;10 rights and freedoms, and has a strategic Canadas highly educated population and interest in supporting cyberspace openness renowned institutions of higher learning as a basic human right, as recently as well as the not-for-profit sector rely on advocated by the United Nations. Canada information and communications affirmed its commitment to internet technologies (ICTs) to connect them to openness at the 2011 G8 Deauville Summit international knowledge networks, sources in France.12 and partners; Yet Canadian companies are increasingly Canadas private sector heavyweights like implicated in the growing global censorship Bell and Research in Motion (RIM) are maze, in contravention of Canadian values. world leaders in global telecommunicaFor example, an anchor of the high-tech tions and wireless innovation; industry in Canada RIM, developer of The Information and Communications the BlackBerry has been increasingly Technology (ICT) sector is one of Canadas pressured by foreign governments to provide technological strengths, performing 40% access to its encrypted data streams. The of Canadas private R&D, employing more company is now caught between defending than half a million Canadians and the integrity and security of its services and generating 5% of GDP;11 and, colluding with regimes that may use the information provided to violate human Cyberspace is key to Canadas future rights. In a more direct example, the economic growth according to Industry Canadian manufacturer Netsweeper is Canadas (IC) Business Plan for 2011- 2012. selling its content filtering and surveillance Cyberspace and related industries are the software to regimes that practice internet major features of ICs three strategies, control (See Box 1 and Box 2). absorbing most of the departments humanresources capacity and budget.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

Box 1. Canadian Companies and Human Rights 1: BlackBerrys Coveted Black Box The Canadian company Research in Motion (RIM) is best known for its highly popular BlackBerry smartphone, which it has been producing since 1999. In the past 24 months, RIM has come under increased pressure from foreign governments to provide authorities with the ability to monitor and decrypt its proprietary BlackBerry Messenger (BBM) traffic and provide access to its secure servers. Among the countries requesting access are India, the United Arab Emirates, Kuwait, Bahrain, Indonesia, Algeria, Lebanon and Tunisia.13 Each has justified its requests by citing national security concerns posed by RIMs encrypted data transmission. Canada has maintained a strong commitment to the maintenance of fundamental human rights, and a specific commitment to preserving internet openness at the 2011 Deauville summit. Companies will be, and already are, caught in the middle between the demands of foreign governments and the national policies of their country of origin. RIM has notoriously been stuck in this untenable position. Among the controversies are UAE claims that because BlackBerry transmissions are encrypted and data is stored offshore, its services operate beyond the jurisdiction of national legislature, and therefore could have serious social, judicial and national security repercussions.14 The Indian authorities expressed similar concerns after it was revealed that the Mumbai attacks in 2008 were coordinated over BBM. Reports on RIMs compliance with these requests are inconsistent, given the companys desire for secrecy over the issue. According to some sources, RIM has provided Indian authorities with the decryption key to BBM traffic, as well as live access to BlackBerry internet service infrastructure. Other reports suggest that RIM has provided access only to non-commercial data, and not to its offshore secure infrastructure.15 The August 2011 riots in London were also reportedly coordinated over BBM. RIM came under intense scrutiny from the British government for facilitating unlawful conduct on its services. RIM has stated that it will cooperate with investigators, but has yet to comment on the implications to its secure services.16 In the early wake of the riots, the British government made calls for the ability to monitor and control access to such telecommunications services and social media.

Box 2. Canadian Companies and Human Rights 2: Netsweepers Collusion Netsweeper Inc. is a Canadian manufacturer of commercial online content filtering and user surveillance software. It supplies these services to businesses, educational institutions, Internet Service Providers (ISPs) and governments around the world.17 A report by the OpenNet Initiative (which includes two Canadian research groups) revealed that Netsweeper sells its products and services to a number of regimes in the Middle East and North Africa that are using the technology to block social and political content (e.g., in Qatar, the United Arab Emirates, and Yemen).18 Netsweeper acknowledges this situation (which broadly contravenes broader Canadian norms and standards on issues like access to information and privacy), but has not stopped selling its products to the censoring regimes, an unsurprising decision given the lucrative market. Clearly, Netsweepers activities contravene Canadas commitment at the 2011 G8 Deauville Summit to an open, safe and accessible internet. Yet, Canada has actively supported Netsweepers development with two National Research Council Grants in 2007 and 2009 totaling $350,000.19 At a minimum, this contradiction is highly embarrassing for the Canadian government. Canada needs to develop a cyber foreign policy that provides guidelines for technology companies operating in this domain. By way of comparison, in the US there is legislation before Congress (the Global Online Freedom Act) that would compel companies in this sector to be more transparent and would impose trade restrictions on countries that limit online freedoms.

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

1.4 Cyberspace is key to our security interests

Cybercrime has grown exponentially in recent years and is incurring large economic costs to governments, businesses and individuals around the globe. The global effort to define and measure cybercrime is still in its infancy. However, experts acknowledge that the scale and impact is significant and growing (see Part 3 of this brief). Hacking, internet fraud and denial of service attacks cost the world economy more than $1 trillion a year.20 A recent UK study conservatively estimated the cost to the UK national economy as $41.6 billion per year (27 billion) and growing; Canadian carriers detect over 125 million cyber attacks per hour on Canadians, with 80,000 new exploits identified every day;21 Cybercrimes impact on the Canadian economy is estimated at $100 billion per year;22 The potential for widespread havoc to Canadian infrastructure, economy and business is omnipresent. Coordinated efforts from foreign sources can threaten and take control of critical Canadian infrastructure used for communication, energy, defence and electricity. Other attacks such as distributed denial of service (DDoS) can overwhelm critical data networks a threat to the Canadian government, financial institutions and businesses. Estimates for the US suggest that a single wave of cyber attacks on critical infrastructures could incur costs over $700 billion;23 In 2011, Canada suffered an extraordinary security breach as foreign hackers penetrated the computer systems of Canadas Department of Finance, Treasury Board Secretariat and Defence Research and Development Canada. The hackers gained access to sensitive documents and forced the agencies to take their networks offline. The cumulative costs of this breach have not yet been publicly shared; Canada has become a threat to others. Canada ranks 6th in the world in the list of where most online crimes originate, up from 12th place in 2010. It also ranks 2nd in the world for hosting the most phishing sites;24

Canadas capacity to effectively police cyber-space like most other countries is extremely underdeveloped. The methods and means for effectively policing cyber space, along with supporting legal frame works, do not yet exist. Tools and legal development, as well as efforts to pursue and apprehend cyber criminals, are confounded by the borderless nature of cyber-crime and the resulting cross-jurisdictional complexity. Rule of law in cyberspace is not yet clear in any domestic arena, let alone internationally. But parameters are being set de facto, as states and regimes act by and for themselves; From a broader perspective, the worlds of cybercrime, espionage and warfare are blurring. Many states now consider cyber space to be a military domain equivalent to those of air, land, sea and space. The rules of the road for both combating cybercrime and waging war in cyberspace are being written de facto as states pursue varied domestic cyber security policies. Often, domestic efforts are antithetical to preserving cyberspace as a global platform for the free flow of information.

1.5 Much of Canadas digital supply chain is foreign-owned and controlled

Canada is heavily reliant on infrastructure and networks outside its borders. Some 80% of organizations active in Canadas critical infrastructure sector outsource some form of their information technology systems, according to a 2007 Bell Canada study.25 Telecommunications and external websites were most commonly outsourced. When considering the importance of external websites to core business activities like e-commerce, the reliance on external providers is concerning. Some studies suggest that outsourcing is a formidable cyber security threat.26

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

1.6 Canada is already engaged in diverse international fora, but

Canada is already engaged in shaping international cyberspace governance, but the effort is as diffuse as the fora and players involved. Global influence requires a coherent foreign policy vision and harmonized framework for action. Current key players include: Industry Canada: Shaping cyberspace as a global economic, development and communications infrastructure. Since the 1990s, Industry Canada has been a leading player at home and abroad on cyberspace issues relating to the global digital economy, international trade, international development and governance norms.27 It has represented Canada in such bodies as the Organization for Economic Cooperation and Development (OECD), the Asia Pacific Economic Cooperation (APEC), World Trade Organization (WTO), International Telecommunication Union (ITU), Internet Corporation for Assigned Names and Numbers (ICANN), the World Summit on Information Society (WSIS) and the Internet Governance Forum (IGF), among others. For DFAIT, it is important to realize that a number of these bodies such as OECD and ICANN are increasingly dealing with issues that will impact cyberspace openness and security, not just economic potential (see Part 4 of this paper); Office of the Privacy Commissioner (OPC): Shaping cyberspace norms. OPCs campaign to ensure that platforms offered by Google and Facebook uphold Canadians right to privacy has resulted in the de facto internationalization of Canadian standards; Private sector players: Shaping the domain space and operational features. Cyberspace functionality is being shaped by private Canadian companies involved in global domain registration (e.g., tucows.com), in telecoms provision (e.g., Bell Canada) and vendors who provide services globally (e.g., Research in Motion, Netsweeper); Private researchers: Shaping global thinking on cybercrime, warfare and espionage. Canadian researchers, most notably the University of Torontos Citizen Lab and associated projects such as the OpenNet Initiative and the Information Warfare

Monitor, have caught the attention of foreign policy makers around the world for their work documenting global censorship and surveillance practices in cyberspace, as well as global espionage networks such as GhostNet; Canadian security establishment: Canadas nascent cyber security strategy is too narrow from a foreign policy perspective. Under the responsibility of the Communications Security Establishment Canada (CSEC) and the Department of Public Safety, the Government of Canadas 2010 Cyber Security Strategy focuses mostly on securing government and other vital cyber systems. While essential, the strategy treats the cyber domain as a mostly criminal and domestic area of responsibility. Importantly, key Canadian players ISPs, the private sector, civil society were not adequately consulted on the strategy, and most observers concur that it does not embody a critically needed wholeof-government approach. There is some recognition of the international dimension of the challenges: DFAIT is tasked with advising on the international dimension of cyber security and developing a cyber security foreign policy that will help strengthen coherence in the Governments engagement abroad on cyber security. However, this security-centric tasking risks furthering an inadequate, piecemeal approach to cyberspace issues at home and abroad.

1.7 Muddling through wont do: Canada needs a harmonized vision

Canada has been an important player in shaping cyberspace norms in the service of global access, economic prosperity and user privacy. But these efforts have been piecemeal, reflecting the diffuse, multilateral approach to cyberspace governance that has evolved over the past 20 years. However, that piecemeal approach to cyberspace governance is changing. As noted above, different states and regimes are acting to protect their perceived security interests, which span the spectrum from protecting citizens to controlling them. Canada is not a disinterested bystander. As the global debate on cyberspace governance heats up in the coming months and years, Canada needs a broad-based foreign policy perspective that reflects its interests and values. This vision needs to reconcile Canadas economic, social, and political

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

interests in cyberspace with the countrys need to ensure cyber security at home and abroad. Canadas current cyber security efforts are vital, but the 2010 strategy requires a broader framework. From a foreign policy perspective, the strategy by itself fails in three areas: It does not take account of the global cyber space governance issues afoot; It does not adequately consider the range and level of international formal and in formal bodies and players that affect cyberspace functioning and norms on a global level, with the attendant consequences for domestic security issues and policies; and, It does not recognize that the goal of securing cyberspace for domestic purposes has tremendous repercussions for the equally compelling goal of preserving cyberspace as an open, global commons for all.

Canadian foreign policy also needs to take account of its domestic actors commercial and civil society that exert influence on global cyberspace norms. A shared public-private vision will amplify Canadian influence and ensure a consistent approach to upholding Canadian interests and values as the global debate on cyberspaces future unfolds.

The devil is in the details

The challenge of enhancing cyber security and preserving cyber openness is devilish in the details (see Box 3). Canada is not alone in this dilemma. Most countries that uphold international norms to guarantee cyberspace openness, transparency and freedom of expression are finding that their domestic security policies to combat cyber crime and extremism contravene their international commitments. For example, the government of France was recently criticized for proposing executive orders that would give the government broad authority to remove or block content, which appears to be in conflict and contradict Frances commitments under the OECD principles for internet policymaking.28 From the perspective of developing international norms, if liberal democratic countries pass domestic legislation that permits state security services to remove or block content, access data without judicial oversight, mandate their armed forces to mount clandestine cyber attacks, and use extrajudicial means to disable websites, then there is no moral basis for condemning those actions when they occur abroad.29

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

Box 3. Cyber security and cyber openness: Domestic and international linkages and tradeoffs Policies designed to create a safer online environment in Canada can have unexpected and unintended consequences abroad. Countries are actively seeking to define laws which regulate online behavior. But the context in which these laws are applied varies greatly. Democratic countries generally have a robust system of checks and balances to ensure policing powers follow procedures that protect civil liberties and human rights. But in less democratic countries, these protections are often lacking (or poorly implemented). This means that similar-sounding laws and regulations may be applied with quite different effects, and be used to justify everything from unbridled censorship of content to widespread surveillance of private communication. Security issue
Powers to block or remove terrorist or hate websites

Domestic policy
Canada and the EU have considered placing restrictions on access to terrorist and hate websites. This would include the power to request ISPs to block or take down such websites (if located within their respective domestic jurisdictions). Canada rejected this measure in 2006. Europe is still considering it. Cleanfeed initiatives are designed to address the problem of child pornography online. In the UK, and Canada, the Canadian Coalition against Internet Child Exploitation (CCAICE) a nongovernmental organization that brings together internet service providers, federal and provincial governments, and law enforcement provides a transparent framework for enumerating child pornography sites, triggering criminal investigations when the sites are hosted in Canada, and creating block lists that filter content that is hosted abroad. Net neutrality is a principle that all network traffic should be treated equally. In the US and Canada telecommunications companies have been pushing for the right to shape or regulate traffic on their networks.

International effect
A growing number of states are implementing judicial control over internet content. In Pakistan and Kazakhstan for example, legitimate opposition newspapers have been closed down and their websites blocked, because they were defined as spreading hateful and slanderous information. Internet filtering is becoming a global norm. In a growing number of countries (45 at last count) broad-based content filtering is justified for national security offenses that can range from inciting the population to insulting a public figure. Censored content is often that of political opposition movements, independent media, human rights organizations or negative information about public figures. In several Muslim countries, religious reasons are given for declaring content unacceptable. In many cases religion is used as a pretext to prevent scrutiny over the material being censored. In several Central Asian states, arguments against net neutrality have resulted in state policy to create a two speed internet: a lower priced internet consisting only of content that can be found within the nationally operated top-level domain (e.g., .kz), or higher-priced access to the entire internet. This creates a de facto filtering regime based upon economic principles. In September 2011, the Russian Procuracy announced its intent to introduce regulations over social media. The move was quickly adopted in several other CIS states. In all cases, the role of social media in the London riots and subsequent UK government proposals were cited as one of the reasons for the urgent need to develop an implement these controls.

Cleanfeed filtering initiatives (child pornography)

Net neutrality

Restrictions on social media

In the wake of the August 2011 riots, the UK government floated proposals to give police the right to temporarily suspend online social networking sites to prevent rioters from mobilizing and coordinating looting activities.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

10

Part 2. Cyberspace Governance: A Backgrounder

Cyberspace refers to the systems and spaces where technologically-enabled virtual communication takes place. Specifically, it signals the complex global ecosystem that encompasses the network of interdependent information technology infrastructures, telecommunications networks, computer processing systems and other devices, digitized content and communication, and the rules and regulations that govern them.30 The governance of cyberspace occurs across different levels, bodies and degrees of formality. Mapping how this situation emerged is important for understanding its present structure, players and institutions. This section introduces issues that we return to in Parts 3 and 4 of this paper. 1. Cyberspace as a socio-technical construct: Three interdependent layers; 2. The evolution of diffuse and multipolar governance; and, 3. Return of the state: Renewed efforts at government control

Importantly, innovations within any of these layers and among any of its constituent actors can incur system wide effects in astonishingly short cycles of growth. For example, Twitter, created only five years ago, has some 200 million registered accounts, with an average 460,000 new accounts being created daily. The average number of tweets sent per day has grown from 50 million a year ago to 140 million today. But its impact is not just numerical.31 Recent democratic protests in the Middle East and North Africa (MENA) highlight how social networking sites can be leveraged by end users for political communication and organization. As one Egyptian activist tweeted during the protests: We use Facebook to schedule the protests, Twitter to coordinate, and YouTube to tell the world. The relation of social networking sites to cyberspace governance issues can be illustrated by the reaction of the government: Egyptian authorities invoked a near total shutdown of Egyptian Internet Service Providers (ISPs), Libya turned off internet access for its citizens, and Syrian authorities likely used Facebook to surveil political activists, as its internet army attacked, spammed, and defaced opposition websites.

2.1 Cyberspace as a socio-technical construct: Three interdependent layers

Cyberspace is comprised of three interdependent layers, each embodying complex actors and governance issues in their own right: a physical layer comprised of a vast and distributed physical infrastructure of cables, towers, satellites, mobile and computer devices and radio waves; an operational layer comprised of an intricate, constantly mutable array of operational protocols, codes, and instructions that allow for the multidirectional flow of information across the physical layer; and, a content layer comprised of a vast and extraordinarily valuable layer of information, knowledge, ideas, services, and products that circulate through cyberspace.

2.2 Cyberspace and the internet: The evolution of multipolar governance

Although the term cyberspace is often used as a synonym for the internet, its reference is actually broader. Cyberspace also encompasses traditional communications media that pre-date the internet, such as telephone, radio and television. This distinction is important from a governance point of view. Traditional telecommunications media have well-established regulatory bodies at both the national and international levels. The internet does not.

The International Telecommunications Union (ITU)

At the national level, broadcasting and telecommunications are often regulated as public trusts (in Canada, this function is fulfilled by the Canadian Radio-television Telecommunications Commission, CRTC). At the international level,

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

11

the International Telecommunication Union (ITU) one of the oldest inter-state organizations in existence was set up to regulate international standards and tariff agreements with respect to the interconnection of telephone traffic between countries, the allocation of spectrum frequencies, satellite broadcast footprints and orbital slots.

The Internet Corporation for Assigned Names and Numbers (ICANN)

By contrast, the internet avoided the scrutiny of the ITU because of its peculiar nature and evolution. The internet routes traffic between connected computers, using Internet Protocol (IP) addresses and the domain name system to direct traffic. As a routed rather than a switched network, the internet avoided the ITUs established system of international gateways that regulate and calculate the cost of telephone and data services offered by telecommunication carriers. Rather, the internet operated essentially as an overlay network. Internet Service Providers (ISPs) established their physical links by leasing dedicated international circuits and channels from the telecommunication backbone carriers. As such, the internet came to form a globally distributed network comprised of many voluntarily interconnected autonomous networks and operating without a central governing body. The commercialization of the internet really started in the early 1990s. To maintain global interoperability in the face of rapid growth, all technical and policy aspects of the underlying core infrastructure and allocation of name spaces (previously controlled by the US Government)32 were invested in a new non-profit corporation, the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN was created in 1998 and registered in California. Its mandate is to manage the internets core: namely its address system. In this, its task is to preserve internet stability, openness and growth, and ensure its global governance. It operates the Internet Assigned Numbers Authority (IANA) that oversees the allocation and or administration of global IP addresses, domain names and other protocol parameters. It works in close liaison with the Internet Engineering Task Force (IETF), and delegates internet resources to the regional internet registries (see below).

ICANNs central role in internet governance has attracted the increasing attention of governments who want more control over its decision-making processes and who are unhappy with ICANNs close ties to the US Government. ICANN is increasingly the site of a growing power struggle between its multi-stakeholder board and its stateonly Government Advisory Committee (GAC) (see Box 4 as well as Part 4.1.1 of this paper).

Internet Society (ISOC) and others

Other non-profit, global and regional organizations emerged to provide multi-stakeholder leadership in internet-related standards, education and policy. These include: the Internet Society (ISOC, established 1992) and its technical bodies the Internet Engineering Task Force (IETF) and Internet Architecture Board (IAB); the regional internet registry (RIR), which now has five sub-groupings and manages the allocation and registration of regional internet number resources like IP addresses and autonomous system (AS) numbers delegated by IANA; and, Regional top-level domain administrations. *** Overall, internet rules, norms, and principles have historically been shaped by transnational networks of like-minded engineers and internet supporters based primarily in the United States and Europe. Their decisions on routing protocols and peering arrangements govern the backbone of the network, dictating what can and cannot be done in terms of directing traffic, ensuring internet openness and extracting information about users and content. Historically, operational-level innovations were considered non-political. The decision-making forums worked for the public benefit, dedicated to making the internet stronger, faster, more open and resilient.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

12

Box 4. ICANN: Keeping the internet stable and open, but increasingly politicized Created as a non-profit corporation in 1998, ICANN is under contract to the US Department of Commerce, but governed by an international board of directors drawn from across the internets technical, business, academic, and other non-commercial communities. ICANNs mandate is to preserve the operational stability of the internet, promote competition and build internet use where it is weak. It is also supposed to achieve broad representation of the global internet community and ensure policies are developed through consensus-based processes. ICANN has a number of advisory committees, encompassing users, security experts, and technical experts and including a Government Advisory Committee (GAC), which has widespread participation of the worlds governments. However, ICANNs efforts at global participation and consensual decision-making have been criticized for insufficient transparency and public disclosure. In addition, the US Department of Commerce continues to have the primary role in approving changes to the DNS root zone that lies at the heart of the domain name system.

Increasing politicization as governments seek greater control

Some governments have long been unhappy with ICANN. Currently ICANN is the home to power struggles taking place between the bodys board and the GAC. The most immediate struggle is linked to the introduction of many more generic top-level domains. Officials are particularly worried about the introduction of new domain names such as .jesus.33 While the board and the GAC have agreed on a problem-solving procedure to deal with unwanted domains, it remains unclear how the system will work in practice. More long-standing objections come from states such as Russia and China who have historically regarded ICANN with some suspicion for a number of reasons: Multi-stakeholder membership. They object to the fact that ICANN is a non-state actor that competes with them in rulemaking forums, which they believe should be monopolized only by governments. They take a similar view of other multi-stakeholder forums, such as the Internet Governance Forum (IGF). US influence. They see ICANN as a tool of the United States government and part of its hegemony over cyberspace.* From 2002 to 2005, China, Russia, and other countries used various forums, including the Internet Governance Forum, to try to build a coalition against ICANN to shift the centre of gravity of cyberspace governance to an intergovernmental institution such as the International Telecommunication Union. Most civil society actors resisted these calls, although the plea to internationalize governance of the internet away from the tight controls of the United States probably contributed to the appeal of the loose coalition and gave legitimacy to other countries efforts. Control over domain name registration. They object to ICANN controlling domain name registration, especially as new technical standards enabled the Domain Name System (DNS) to represent non-Roman scripts. They want to control registration for two reasons: money (national domain name registration represents a potentially very lucrative market for governments and their national companies); and, political control (they reject control of national domain names by non-national entities). In a dramatic move, China created a competing national level domain in its own language characters, separate from the ICANN routing system. This development threatened the unity and coherence of the global internet, especially as Russia was also threatening to build its own Russian internet (circa 2007). However, the friction between China and ICANN was settled by 2009, when the PRC sent a delegation to the ICANN meeting. ICANN agreed to rename the Taiwanese delegation to appease China and to create a fast track for the recognition and creation of new country code top level domains (ccTLDs) in non-Roman scripts. The latter represented a huge political and economic concession to China, Russia, and India, keeping them on board with the ICANN regime.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

13

Box 4 (continued)... ICANN: Keeping the internet stable and open, but increasingly politicized

China, Russia, India, and other developing countries are now very much re-engaged in ICANN issues, and their presence is a force with which to be reckoned. They share a territorialized vision of cyberspace governance, which they will seek to propagate in decisions that ICANN takes in years to come. Observers fear that moves to fundamentally alter ICANN will risk fracturing the internet. Some experts argue that ICANN and the multi-stakeholder model will remain under challenge until it acquires a proper constitution complete with a bill of rights for stakeholders and a separate review board.
China also objected to the participation of Taiwan in ICANN, especially to its representation in the Governmental Advisory Committee. China suspended sending representatives to ICANN meetings in 2001.
*

The cyberspace/internet friction: unfettering communications, lowering profits, confusing governance

Initially, established telecommunications carriers took little notice of the internet. This changed at the end of the 1990s when e-mail, Voice-overInternet Protocol (VoIP) and internet broadcasting of audio and video content began to compete directly with their own offerings. As the internet overtook and reshaped the more traditional communications of cyberspace, it challenged company profits and state sovereignty. The internet created new markets and services for which no defined legislation existed. It created low-cost global communication by bypassing the tariff system established for international telephony (a source of considerable income for many national governments). It also largely sidestepped the national and international regulations on content that were tied to broadcasting gateways, thereby greatly enhancing the free flow of information across borders. States found themselves with less control over industries and sectors in which they traditionally exercised considerable regulatory control, and with no apparent institution or forum in which to voice displeasure or address concerns. As telecommunication carriers themselves began to operate as ISPs, they became dependent on ICANN and regional IP registries (also operated by private nongovernmental bodies) for growing and scaling the networks rather than the ITU. Sidelining of the ITU meant that national governments no longer had a say in the regulation of emerging telecommunication issues, including those actors and issues that they previously controlled (such as traditional telecommunication carriers now offering VoIP).

Bringing the state back in: The ITU and World Summit for Information Society (WSIS)
By the early 2000s, the importance of the internet to international development and commerce began to be widely recognized. Within the United Nations, the World Summit for Information Society (WSIS) held two summits for member states in Geneva (2003) and Tunisia (2005). These were organized under the auspices of the Secretary General, but with the partnership of the International Telecommunication Union. In the 2003 meeting, the ITU, backed by some member states, pushed for an increased role in the governance of the internet including the takeover of ICANN. This position sparked worries about a looming division of the internet, and was opposed by the US Government which preferred the diffuse model of governance (to undercut the ability of national governments to impose regulatory frameworks over the internet). In 2005, WSIS members agreed to not get involved in the day-to-day and technical operations of ICANN. However they also agreed to set up an international Internet Governance Forum (IGF), with a consultative role on the future governance of the internet.

The IGF
The WSIS Process was superseded by the IGF, whose mandate was recently extended to 2015. The IGF has no binding authority. It provides a multi-stakeholder forum in which nongovernmental organizations, telecommunication carriers and national governments can discuss and consult over issues of internet governance. Points of consensus can then be implemented through the diffuse and multipolar mechanisms that regulate the technical growth and management of the internet.

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

14

State efforts to assume control over internet governance experienced a mild lull after 2005. But the agenda returned with determined vigour by 2010.

2.3 Return of the state: Renewed efforts at state control

By 2010, the strategic importance of cyberspace and its subspecies the internet was clear to most states. At the same time, security concerns be they for citizens or for the regime focused attention on how to regulate or control it. More and more, state actors were concerning themselves with the technical details of cyberspace operations and governance. By 2011, the US Government and other bodies like the OECD and OSCE were tabling official positions on cyberspace freedom and multistakeholder governance, while a growing number of states were seeking to re-exert national and inter-state controls. The strongest calls for inter-state control of cyberspace have come from countries like China and Russia, and members of the SCO. These states also have comprehensive internet censorship and/or surveillance regimes. Unlike previous attempts, however, this time the conversations are at the highest possible political levels, including: policy-coordination amongst SCO members, agitation for the ITU to take charge (by Russia, Brazil, and China), efforts within ICANN (see Box 4 above), calls for a new UN agency, and a draft Resolution at the 66th General Assembly of the United Nations (signed by Russia, China, Tajikistan and Uzbekistan) calling for an international code of conduct for information security with implications for the freedom of political, cultural and religious expression. We return to these state-led efforts and dynamics in the discussion of cyberspaces Centres of Gravity (Part 4.3 below). But first, we consider the many other factors and processes (Drivers of Change) that are shaping and transforming cyberspace operations and norms, even as governments debate their options.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

15

Part 3. Cyberspace: Drivers of Change

Governments seeking to regulate and shape cyberspace are dealing with a dynamic ecosystem characterized by relentless growth and innovation. Exercising authority in this domain requires awareness of the changing array of factors and actors that influence its core characteristics, function and impacts. As of 2011, six drivers of change are exerting significant influence. Some of these drivers lie beyond the writ of any policy intervention. These require constant monitoring and forward thinking. Others are subject to shaping and control if sufficient numbers of like-minded authorities act: 1. Demography: Fundamental shifts in the user base; 2. Technology: Innovation is affecting usage and norms; 3. Politics: The growing contestation between users and states; 4. The private sector: Shaping cyberspace possibilities and norms; 5. Cybercrime and cyber security: Driving closure; and, 6. Militarization of cyberspace: National security and the new arms race.

3.1 Demography: Fundamental shifts in the user base

As the number of online users approaches 3 billion, major demographic shifts are underway: The number of users in Asia and the developing world will soon eclipse those in the North. Collectively, the industrialized countries of Europe and North America now account for less than 40% of the global online population. This proportion will continue to diminish, with implications for the Wests capacity to influence cyberspace governance decisions. The user-base is shifting to digital natives meaning youth who have grown up in the age of cyberspace. Two-thirds of those currently accessing cyberspace are under the age of 25. Over 80% use one form of social media or another. Many digital natives live in failed and fragile states, which are among the fastest growing users of the internet. These youth bring different values, norms and strategic priorities to cyberspace, which enables new economic and political opportunities for the otherwise marginalized.

As the user base shifts, cyberspace will be affected in the areas of social innovation, political action, commerce and economic opportunity as well as criminality.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

16

3.2 Technology: Innovation is affecting usage and norms

Technological innovation: Dictating infrastructure capabilities. Technological innovation sets the baseline for infrastructure vulnerability, openness and resilience, as well as capacities to respect privacy or enable surveillance. These are critical governance issues that sit at the heart of security versus openness dilemmas. As noted, the historical decision-makers in this realm have tended to be private sector actors and engineers. Mobile and portable computing: Enabling access and activism; enhancing surveillance. In the next three years, the number of cell phones in use will exceed the global population. Mobile ascendancy is affecting cyberspace functioning and norms. Mobile communications have proven vital for extending cyberspace and its benefits to the worlds hinterlands. They are also more effectively leveraged for mass mobilization, and in this capacity have proven threatening to authoritarian regimes as well as democratic governments.34 However, mobile networks operate in different ways than the standard desktop platforms that have anchored the internet since its inception. Mobile communications systems are more open to fine-grained tracking and surveillance. Their uptake portends a gradual shift away from fixed end-use systems based on end-to-end principles, to portable devices that are networked into massive data clouds operating with increasing intermediary liability of various sorts.35 The new Internet Protocol: Enabling devices; enhancing surveillance. The current Internet Protocol address space system, IPv4, is nearing exhaustion. The follow-on protocol, IPv6, operates differently and will alter some of the core characteristics of internet-based routing and communications. First, although offering greater flexibility and provision for a wider range of networked devices, the system also enables fine-grained identification of end users and their instruments. Second, the new protocols fundamental reordering of core standards may open up a Pandoras Box of recommendations for more wholesale changes. Some American policy-makers want to re-engineer the internet from the ground up to resolve long-standing security issues. In light of more assertive state controls being exercised in the cyberspace ecosystem, the possibility of radical shifts is not out of the question.

3.3 The private sector: Shaping possibilities and norms.

Private sector actors have always shaped cyberspace functioning and norms through their ownership and operation of cyberspaces infrastructure and services.36 Not only do they drive change through their own commercially-guided inventions and actions, they are also coming under intense pressure to conform to the bidding of censoring states: Corporate decisions taken for commercial reasons such as sharing data streams or filtering certain types of content can incur cascading political effects. Websites and services that are removed for perceived violations of terms of service can affect thousands and even millions of peoples communications, and often take place in jurisdictions far removed from the affected users. Private sector players are also under increasing pressure from national governments to filter or control various aspects of cyberspace. Democratically-challenged states are increasingly requiring their national carriers to filter internet content, and retain/release user information. In addition, other private corporations are under pressure to conform with national-level cyberspace controls that sometimes violate standard legal and human rights principles and due process. For example, the manufacturer Siemens was recently accused of aiding torture in Bahrain through its sales of surveillance technology to the Bahraini government.37 We have already provided some Canadian examples of these dilemmas in Boxes 1 and 2 above. We return to these issues in Part 4.2 of this paper.

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

17

3.4 Politics: The growing contestation between users and states

The users of cyberspace are driving change as they leverage this domain to extend personal and communal agency. Their activities in turn are driving states to exert greater regulation and control. We return to these issues in Part 4 below: Users are leveraging cyberspace to extend all forms of personal and communal agency. Some are using cyberspace to pursue fundamental rights and democratic political change. Others are pursuing less civil interests, from the exploitation of fellow users to crime, espionage, rioting and warfighting. Recent examples of cyber-enabled popular uprisings include the 2011 Arab Spring protests that rocked the Middle East and North Africa and the rioting that shook the United Kingdom a few months later. In all cases, the regimes and governments concerned were keenly aware of the role of cyberspace. In the Middle East, regimes acted to control, contain, surveil or shutdown cyberspace;38 in the UK similar types of options were discussed although not enacted.39 States are hitting back. As users exercise new forms of agency, states have become major players seeking to regulate, police, control and shape cyberspace at home through national policies, legislation and actions, and increasingly in any forum where decisions about cyberspaces functionality and governance are made. Some states are intervening to protect critical infrastructure, systems and their citizens; others are intervening to protect their regimes and silence political opposition. In all cases, moves to securitize the internet have repercussions for its openness. As the UK and MENA examples cited above attest, the tradeoffs between securing cyberspace and preserving openness and accessibility is present in all countries, from liberaldemocratic to authoritarian. Some strong states are becoming more aggressive with cyberspace censorship and surveillance practices. Their actions change the global character of the internet within domestic jurisdictions, while setting broader normative precedents. Strong states are asserting their nationalized visions of cyberspace controls in regional and international fora. An important trend is

the move by non-democratic states outside of Europe, North America, and parts of Asia to forcefully assert their domestic and foreign policy interests in international venues where cyberspace governance is debated and using regional security organizations to coordinate their policies. Canadas allies are also staking out their foreign policy visions for cyberspace that emphasize openness and multi-stakeholder governance. The United States has led the way with its 2011 International Strategy for Cyberspace. Other governments and organizations are signaling likewise, as discussed in Part 4 below.40

3.5 Cybercrime and cyber security: Driving closure

Cybercrimes pervasive economic impact as well as its growing connections to national security issues like espionage and war-fighting are driving change as states seek to counter these threats (see Box 5). Cybercrime and cyber extremism are driving the securitization agenda of states. As noted, cybercrime has grown exponentially in recent years. The range of activity is huge: from national level assaults on critical infrastructure that costs billions of dollars, to scams and privacy violations of individual users, to child pornography. Cybercrime has propelled the public debate on policing this domain, particularly on issues of surveillance and filtering at the national level, and the need for increased regional and international cooperation. Even states that strongly value the individuals right to privacy and freedom of speech are articulating cyber security policies that compromise these rights. The growing demand for cyber security products and services is driving investment, innovation, and policy. States demands for advanced products to mine user data and shape and control information flows have created lucrative business opportunities for US, Canadian and European firms. There is extensive documentation of Western cyber security technology being sold to authoritarian regimes who use it to filter content, surveil social networking platforms used by dissidents, and launch offensive computer attacks. Western manufacturers are even tailoring

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

18

their filtering products to the specifications of government clients, regardless of their human rights records. We return to this issue in Part 4.2 below. The computer security community provides a global but largely informal cyberspace protection and policing function. This community cuts across public and private sectors, and has been responsible for numerous effective policing episodes. Working in cooperation with law enforcement agencies and security firms in the United States, Microsoft disabled a major botnet called Rustock that resulted in a one-third decrease in global spam levels,

dropping the United States from 2nd to 17th in terms of national origins of spam traffic. However, numerous other botnets are not prosecuted or disabled. The security community itself lacks transparency and public accountability. It is constituted by actors that both cooperate and compete with each other, and its actions as a whole can be inconsistent and ad hoc. It also lacks an even global distribution, being concentrated mostly among North American and European law enforcement agencies, academic institutions, and security firms.

Box 5. The drivers of cybercrimes exponential growth A number of factors have driven cybercrimes exponential growth: the emergence of greater data sharing, social networking, and cloud computing practices; the massive amounts of data that traverse global networks, in combination with the potential to automate and anonymize user activities and identities; sophisticated technical surveillance capabilities, in combination with an inadequate legal framework to ensure that due process and civil liberties are protected (authorities can scoop up enormous amounts of data, but have impoverished capacities for follow-on analysis of only those activities that warrant legal investigation); the global, cross-jurisdictional nature of many crimes, with criminal users acting outside their national borders; the notable lack of international legal frameworks and cooperation around cybercrime policing. Law enforcement and intelligence agencies that could ostensibly control and police the sector have difficulties cooperating and sharing information. Apart from the Council of Europes Convention on Cybercrime (itself an inadequate and criticized arrangement), there is no harmonized legal framework for prosecuting cyber criminals. State law enforcement agencies are reluctant to pursue criminals independently due to the risk of prolonged, complicated and expensive investigations spanning multiple legal jurisdictions; and, the militarization of cyberspace (see Part 3.6 below).

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

19

3.6 Militarization of cyberspace: National security and the new arms race
States are actively developing domestic capabilities to fight and win wars in cyberspace, which they equate in importance to the domains of air, land, sea, and space. The establishment of the US Cyber Command in 2010 triggered a major industrial shift in the defence industry as well as fundamental force restructuring. This has had ripple effects around the world with other major powers. The militarization process is causing the worlds of cybercrime, espionage and warfare to blur. There is evidence that Russia, China, and other states, unable to compete on the same level in this domain, are exploiting cyber criminals and patriotic hackers to provide this capacity.41 That is, they are cultivating cybercrime to pursue strategic interests. India and Iran have both gone on public record endorsing hackers who work in the states public interest. Major incidents of cyber espionage, such as those uncovered by Canadian researchers in the Tracking Ghostnet and the Shadows in the Cloud investigations, were characterized by commonly used cybercrime techniques to achieve intelligence goals. Chinese opposition and human rights groups operating in foreign jurisdictions have been systematically targeted by exploitation networks tracing back to mainland China. The Distributed Denial of Service (DDoS) attacks on the Estonian and Georgian government and economic infrastructures were both traced back to well-known cybercriminal botnets. Researchers studying the advanced Trojan Horse that targeted and debilitated Iranian nuclear enrichment facilities (Stuxnet) have noted that while sophisticated in many ways, the weapon was built upon existing cybercrime tool kits and techniques. Attribution is a growing problem, as it is now extremely difficult to determine who is committing or directing attacks against government or corporate infrastructure. Increasingly, criminal and espionage activity involves complex and submerged public-private partnerships. Cyberspace militarization has had a direct negative impact on cyberspace governance. A huge market for offensive cyber exploitation capabilities has emerged, offering a variety of new techniques for armed forces and other actors. The covert nature of offensive capability development has engendered

a general climate of mistrust, which inhibits cooperation around the mitigation of cyber crime and other malicious activities. The focus is on securing domestic networks from attack while exploiting and even promoting vulnerabilities abroad, instead of facilitating access to a secure global cyberspace platform that is characterized by the free flow of information. Traditional approaches to arms control may not apply to cyberspace. It is widely agreed that arms in cyberspace cannot be controlled in the same manner as traditional weapons systems. Rules of the road for war in cyberspace have yet to materialize. Challenges around attributing attacks to specific actors present considerable difficulties for verification. Behavioural and domain-based approaches to cyberspace arms control, for which there are numerous models in other areas (e.g. Outer Space and the Antarctic Treaty), may have some potential.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

20

Part 4 Cyberspace Centres of Gravity: An Introductory Overview.

Cyberspace has no centre. Rather, authority over the internet is multipolar and distributed. For governments seeking to influence cyberspaces future, there are three groupings that require engagement. These Centres of Gravity (CoG) can be characterized as: 1. Self-constituting private authorities, who set the technical standards and protocols that make the internet function as a global network of networks; 2. Private sector or corporate authorities, who own and operate cyberspaces technical networks, devices and software; and, 3. Public-sector government authorities, who are just beginning to define and assert regulatory control at different levels.42 Different CoGs have different degrees of influence over different parts of cyberspace governance, as Table 2 indicates. The diffuse nature of cyberspace governance makes it difficult for government institutions with limited resources, expertise and budgets to know where and how to articulate and defend Table 2. Cyberspace Centres of Gravity

national interests in this global domain. For Canada, effective engagement will require: Knowing the key issues and authorities within each CoG; Engaging and influencing those actors/forums that are key to decisions of concern to Canada; and, Calibrating the approach and resources to expected outcomes.

The remainder of this section outlines the key CoGs as of 2011. The mapping is not comprehensive. It is intended as a starting point for a more fine-grained analysis, which will be essential to the formulation of Canadas strategy for foreign policy engagement.

Technical CoG 1: Self organizing private authority Civil society Uncivil society (cybercrime) CoG 2: Commercial vendors and operators of service National Transnational CoG 3: Public sector or government authority National Regional International x x

Normative x x

Regulatory x x

x x

x x

x x x

x x

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

21

4.1 Self-constituted private authorities: Technical standards and functional norms

Self-constituted private authorities that exercise strong influence over cyberspace governance are made up of two main groups: 1. 2. International technical and standardsetting groups; Civil society organizations.

4.1.1 Technical standard-setting groups

Self-constituted private authorities like ICANN, ISOC and their various technical committees43 set the technical standards and protocols. These technical decisions exert strong influence on user experiences and vulnerabilities when it comes to issues like privacy and information access/ control, and in this way they shape the de facto normative environment. As already detailed in Part 2, these groups have been around since the early days of the internet and represent its technical governance core. While they have open membership, in reality they are highly self-selective and represent a fairly closed technical community, largely still centred in Silicon Valley and biased towards ensuring internet openness and access. In this, it is important to realize the importance of individuals in internet governance (see Box 6). As noted in Part 2, Russian and Chinese officials, backed by Indian, Brazilian, and other governments, have lobbied for greater national control over bodies like ICANN (specifically IANA) and the IETF who control backbone and infrastructure routing policies. They are seeking to wrestle control away from what is perceived to be a US-dominated status quo around these institutions. A crisis of legitimacy is emerging as a result of this tension. The approval and growing use of linguistic domains and characters signals a greater nationalization of internet standards. These measures could introduce significant divisions in global communications networks along territorial and linguistic lines. Overall, coalitions of likeminded states are using international fora to limit multi-stakeholder participation and legitimize a more traditional state-based form of cyberspace governance. Should they succeed in doing so, the character of cyberspace will likely change in ways detrimental to Canadas core values and interests.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

22

Box 6. Internet governance: Individuals matter Individuals with technical skills and savvy have always played a central role in internet governance. Within ICANN and its many technical boards, membership is voluntary. But in practice participation is based on the capacity to contribute in a technically meaningful way. This acts as an effective filter against generalists from ministries of foreign affairs and other non-technical backgrounds. Those who currently hold executive positions within ISOC and ICANN and their technical committees are largely drawn from a community that has remained stable over the last decade and functions as a collective. This has meant that historically, important decisions were often reached without a lot of debate, and implemented by key individuals, sometimes with interesting and unintended consequences. For example, a single individual - Jon Postel - was responsible for distributing most of the top-level country domains (ccTLD - that is, the 2 or 3 letter ISO codes that are assigned to individual country addresses on the internet, for e.g. .ca, .uk, etc). He did so on a first-come, first-serve basis without discriminating between organizations.44 As a result, during the 1990s Rwandas top-level domain was controlled by a company headquartered in the Democratic Republic of Congo a country which at that time was in a state of war with Rwanda. Similarly, for most of the 1990s and early 2000s, Tajikistans top-level domain .tj was used by a US based company to serve pornographic content. Not until 1995, when virtually all country level top-level domains had been assigned, was a policy finally published that required managers of ccTLDs to act as trustees on behalf of the nation, and the global internet community. In Pakistan in 2008, an internet operator attempting to block specific YouTube content (at the behest of the Pakistani government) briefly interrupted global YouTube access.45 Some countries have been quick to understand the importance of private industry, bodies and individuals in this realm. For example, Russias National Security Council takes a leading role in convening national telecommunication operators and working through the Academy of Sciences, and industry has sought to gain consensus around technical standards which are favorable to the Russian Federation. This includes standards for the use of encryption, surveillance, and, notably, working with ICANN for the creation of the Cyrillic language domain.46

4.1.2 Civil society organizations (CSOs)

CSOs are relatively new actors in the area of internet norm-setting, but have become vocal and influential at both the national and international levels. This diverse group can be split into four broad categories: Research and advocacy groups include activists, academics, think tanks, and their associated funders. They often focus on specific issues such as gender, freedom of expression, access to information, transparency, etc.47 They exercise influence by staking out clear normative positions on the right to internet access and use at a myriad of national, regional and international seminars, symposia and meetings, as well as in the global media. Some CSO efforts have had profound effects. For example, the US Congressional decision

to release large amounts of money to the State Department for initiatives related to internet freedom was at least partially prompted by intense lobbying. In addition, internet freedom is now a core US foreign policy objective (as per the 2011 Strategy for Cyberspace). Many of these groups have also been active participants in international decision-making bodies such as the IGF, where their membership is weighted equally with state members (see above). Technical tool-makers are non-profit organizations dedicated to producing tools to protect internet user anonymity and privacy or enable users to circumvent state censorship efforts. These NGOs influence internet norms because their tools can be gamechangers in terms of the behaviour they enable on the internet. In this sense they can

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

23

exercise authority similar to commercial tool providers (see next section), although the latter innovate largely to deliver capability and generate revenue, whereas the NGO groups have a specific normative agenda.48 Increasingly, large scale broadcasters such as the BBG and BBC have been leveraging some of these technical tools to ensure their global audiences have access to online content, further enhancing the global impact and influence of these set of NGOs. Information vigilante groups and direct action organizations. Organizations such as WikiLeaks, LulzSec and Anonymous are driving change by the actions they take and the reactions they provoke. WikiLeaks sharing of documents and video footage some of which have been highly sensitive, classified

and/or embarrassing to governments has prompted powerful players such as the US Government to engage and act on a range of normative issues relating to freedom of information and internet transparency, privacy and security.49 Hacktivist groups like LulzSec and Anonymous have undertaken direct hacking/attacking of computer systems and websites as well as information leaks and security breaches. Their early motivations were mostly about creating mayhem because we can. But lately these groups are asserting more ethical claims like enhancing transparency and holding companies and political actors to better account. Their actions raise a host of important issues: is hacktivism a new form of legitimate protest in the information age (see Box 7)?

Box 7. Internet hacktivists: Legitimate protest in the information age? Internet hacker groups like Lulzsec and Anonymous may be re-defining our understanding of legitimate protest action in the Information age. LulzSec targets have ranged from Fox News Channel, to ATM machines in the UK, to companies such as Sony. Initially LulzSec seemed intent on causing mayhem and revealing the security foibles of organizations. For example, the organization launched a Denial of Service (DoS) attack against the Central Intelligence Agency which took the agency offline for a few hours. Lately, their attacks are taking on more of a political tone as operatives declare they want to expose the racist and corrupt nature of the military and law enforcement. Anonymous and loosely associated groups have undertaken hacking and computer attacks that often purport to be in the service of freedom of information. Actions range from uploading pornographic videos onto YouTube, disrupting the Church of Scientology (to protest the organizations practices), disabling Australian Government websites (through DDoS attacks in protest of internet filtering legislation related to pornography), disabling websites of Arab regimes in support of the civilian protestors during the Arab Spring, and launching attacks against various commercial and government entities in support of WikiLeaks. The acts of groups such as LulzSec and Anonymous have prompted proposals to reengineer the internet to enable greater national jurisdictional controls, and in some cases, creation of separate secure intranets for governments and corporations. But both groups assert that their actions are ethical and responsible. This raises an interesting question for our times. Hacking and denial of service attacks are considered criminal under Canadas criminal code, and that of most Western countries. But this legislation may need to be revisited. The right to strike has been recognized under Canadian law since 1872. Prior to that, worker protests were regularly broken and strikers imprisoned. As more key services and industries move online it may be important to consider extending legal protections to online strike actions. There are interesting parallels. Picket lines preventing workers from entering workplaces may find their analogy in denial of service attacks against corporate websites and services. At the moment these issues remain largely unexplored. However, erring on the side of enforcing existing laws without examining the revised context where cyberspace has become central to social and political life may lead to a diminishment of existing rights and protections. It is also important to consider the consequences of state action against actors who are claiming to enhance transparency and accountability, in terms of the signal it sends to other countries with less tolerance for legitimate protest.

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

24

4.2 Private sector and commercial authorities: Owners, operators, innovators and gateways to regulation and control.
Private sector and commercial actors own and operate the vast majority of cyberspace. They are responsible for the infrastructure that supports the internet at the national and international level. They are the leading source of innovation and proliferation of services and industries dependent on the global network. They include national and international telecommunication carriers, equipment vendors and network providers such as RIM, and online and new media services such as Google, YouTube, Facebook and Twitter.

indication of the scale of the problem, a recent Public Safety study counted 528 billion illicit or malicious emails in 2010, or 98% of e-mails sent).51 Carriers solve these issues through informal agreements, 99% of which are sealed by a handshake.52 Collective operator actions, which are neither sanctioned nor regulated by any official body, range from filtering spam through to the takedown of servers or networks that are disrupting service (including to mitigate DoS attacks or internet worms). A recent example comes from Russia where Russian carriers acted collectively to take down the Russian Business Network home to a particularly successful cybercrime network. In effect, carriers undertake a fair deal of policing activity role on the internet, but without any legal or regulatory framework to guide actions. In the absence of such a framework, it is impossible to ensure that commercial actors are acting solely to protect service delivery and the rights of customers and users. Just as Canada should be concerned about what its mining companies are doing at home and abroad, so too should it care about what Canadian telecoms companies and other service providers are doing in the areas of internet security and openness. National carriers can easily apply content controls across the board from censoring child pornography to eliminating the internet presence of inconvenient political groups. They can also implement broad-based and fine-grained surveillance of users and user activity, giving authorities a greater range of powers for tracking criminals or targeting any groups or individuals deemed to be of interest. These capacities have not been lost on many governments who increasingly leverage national operators to impose control over national cyberspace domains. Authoritarian states, in particular, are increasingly requiring carriers to assist them in the application of first, second and third generation information controls (see below).

4.2.1 National carriers

National carriers, such as Bell Canada, exert broad functional authority over the governance of cyberspace. During the last two decades, telecommunication companies and internet service providers have converged as carriers adopted internet protocols for the delivery of basic services such as voice communication and entered into new internet-dependent services such as video-on-demand. In many cases they have become the de facto operators of the national internet backbone, and provide most international connectivity. National carriers exert influence over internet capacities and norms in three ways: Tariff regulations. Carriers exercise influence by setting the policies and tariffs that shape access. As motivated economic actors, they stand to gain or lose revenue as a result. In Kazakhstan, for example, there is a two-tier internet. A lower cost version gives access to content that is registered in the .kz domain only. Access to the international internet costs more (although even this content is subject to government filtering). In North America, we see a similar sort of debate around the issue of Net Neutrality, with telecoms carriers debating whether to create faster and better services for higher premiums.50 Inter-operator agreements: Policing the net. Carriers who act as internet service providers (ISPs) exercise considerable informal authority when they band together to solve operational level problems like spam or DoS attacks. Malicious network activity significantly affects the efficiency and speed of services that carriers are bound contractually to offer their clients. It is an essential economic interest to solve these problems as quickly and efficiently as possible. (As an

International governance fora. National carriers are often members of decision-making fora such as the ITU and its working committees, exercising considerable influence over decisions affecting interconnection agreements, spectrum allocation and the adoption of new mobile technologies and standards for internet delivery.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

25

4.2.2. Other commercial actors: Acting to preserve human rights, or colluding in their violation.
A number of large companies like Google, Yahoo!, YouTube, Twitter and makers of encryption software (for example) are game-changers in terms of what behaviour they have enabled on the internet and the accompanying evolution of norms. While many of these changes have been towards more openness and individual empowerment, Western cyberspace companies are becoming more implicated in ethical dilemmas related to internet censorship and surveillance and the violation of more established human rights. Governments engaged in censorship are demanding that foreign commercial providers abide by domestic laws. One result, as a recent report by The SecDev Group points out, is that major Western internet companies have been aiding and abetting Chinas censorship and surveillance regime. At times this has resulted in major abuses of human rights.53 Some of these companies have developed fragile self-governance pacts meant to regulate their operations in ways that protect and preserve human rights. Google, Microsoft and Yahoo! are founders of the Global Network Initiative (GNI), a multi-stakeholder initiative to consider ways that businesses can operate effectively while at the same time preserving freedom of expression and privacy online. But to date, these voluntary codes have proven ineffective. No legal remedies exist to deter and correct Western corporate complicity in aiding and abetting internet-related human rights abuses in foreign countries.54 The relationship between private industry and the protection of human rights has forced commercial actors into the public policy realm. Legislation has been periodically debated in both the United States and Europe that would restrict the activities of telecommunications and other companies operating or selling products and services to regimes that violate human rights. These are also important issues for Canada, as the cases around BlackBerry and Netsweeper illuminate (see Boxes 1 and 2 in Part 2 above).

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

26

4.3 Public sector and government authorities: New actors setting international norms and regulation.
National governments and intergovernmental organizations are of increasing importance to the governance of the internet, particularly in the setting of international norms and regulation through policies as well as practice. The first half of 2011 witnessed a spate of new activity in this regard as states struggled to navigate the security versus openness dilemmas of cyberspace and to coordinate rules of the road with allies and adversaries alike. At the country level, top-level domains (ccTLDs) have been taken away from private actors and relegated to government designated bodies often agencies responsible for security. Governments in Australia, Brazil, Canada, China, Germany, India, Poland, the US and the UK have launched initiatives, offices and programs to secure cyberspace. While comprehensive legislation has not yet been enacted in most countries, policy makers are deepening their commitments to improve cyber security and reduce risk at the national level. At the same time, some governments and regional and international organizations are advocating the need to balance security measures with those to protect internet openness, access and multi-stakeholder governance. In this, the US, UK, Finland, Estonia and France have assumed leading roles. Governments sharing similar normative inclinations have sought to harmonize their policies through regional and international organizations. Efforts range from joint statements of principles on cyber security and cyberspace policy, to more active programmes of technical corporation, including the sharing of blocking lists. Overall on the question of security versus openness, two main blocks seem to be emerging. We look at each in turn: 1. National governments and regional/interstate bodies advocating more restrictive policies and practices; 2. National governments and inter-state bodies that favour preservation of openness.

4.3.1 National governments and regional/inter-state bodies with restrictive policies and practices
Of particular concern to Canada are the growing number of countries that are instituting more pervasive censorship and surveillance controls in the interest of regime security. These countries are important because their domestic policies shape the global debate on norms. In addition, many of these countries are working at the regional and international levels to harmonize their cyberspace-restricting policies. In this effort, they are far ahead of those states concerned with preserving openness. A few facts: More than 45 countries now operate national firewalls. Internet controls span a broad range of increasingly sophisticated techniques and methods. First generation controls such as blocked lists of key words, domains and/or IP addresses, are giving way to more subtle and pervasive second and third generation controls, many of which act to encourage user self-censorship (See Box 8). At least half of Canadas priority engagement countries are known to practice one or more forms of internet control.55 Table 3 below provides an overview of the priority countries that are known to exercise some degree of control over the internet. Robust information is not available for countries in the latter half of the table. Likely, some of these countries also engage in restrictive practices. Mexico is the only country where testing has revealed no restrictive technical practices. However, in September 2011, two Mexican internet users were arrested and charged with terrorism and sabotage after they used social media sites to publish rumours of an unconfirmed drug gang attack on a school.56 In addition, criminal gangs are using murder to encourage user self-censorship (see Box 9).

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

27

Box 8: An overview of internet censorship and surveillance techniques As documented by the OpenNet Initiative (ONI) internet censorship follows four main patterns: technical blocking, which includes IP and URL blocking as well as DNS tampering; search result removal, where search services cooperate with government requests to omit certain results; takedown, where regulators can demand the removal of websites or deregister web sites; and, encouragement of self-censorship, through the threat of legal action, promotion of social norms, or informal methods of intimidation.

Censorship methods fall into three generations of internet control techniques (as defined by the ONI) : First generation controls: Lists of IP addresses, keywords and/or domains are programmed into routers or software packages that are situated at key internet choke points, typically at international gateways or among major ISPs. Second generation controls: create a legal and normative environment and technical capabilities that enable actors to deny access to information resources as and when needed, while reducing the possibility of blowback or discovery. Increasing pressure is being exerted on ISPs, services, and content providers to conform to repressive state laws. Third generation controls: focus less on denying access than on successfully competing with potential threats through effective counter-information campaigns that overwhelm, discredit, or demoralize opponents. [These controls] integrate extensive surveillance and data mining capabilities with intimidation and punitive responses, including targeted computer network attacks.

Table 3. Canadas Priority Countries for Engagement Information Controls57 First Generation
Policing Cyber Filtering Cafes Legal Environment for Informational Control
u u u u u u u u u u u

Second Generation
Informal Removal Requests
u u

Third Generation
State sponsored information campaigns
u

Technical Shutdowns
u

Computer Network Attack

u u u

Warrantless National Surveillance Cyberzones

u u

Direct Action
u u

China India Brazil Afghanistan Pakistan Mexico Venezuela Cuba Belize Honduras

u u

u u

u u u u u u

u u

Costa Rica N/A

N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

Guatemala N/A Nicaragua N/A Panama N/A El Salvador

N/A

Haiti N/A

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

28

Box 9. Mexico: Criminals using terror to silence internet users Mexico offers a disturbing perspective on internet censorship: criminal organizations, which already heavily influence traditional media networks, are targeting internet users who speak out against the countrys problems with drugs, crime and and violence. In September 2011, two Mexican bloggers were tortured and killed following their anonymous anti-crime blogs. Their bodies, swinging from a bridge outside of Nuevo Laredo, were accompanied by a warning that this is what will happen to all internet busy bodies.58 The internet in Mexico is awash with civilian posters who blog and report on crime and violence all over the country. Crowd-sourced crime maps have surfaced where users log in and report crimes in their neighbourhoods. The avid use of social media to report on crime is a reflection of many civilians despair at Mexicos out-of-control criminal groups in the face of an intimidated traditional media and the seeming helplessness of government authorities. For some time now, criminal gangs have been using social media sites like Facebook to identify potential targets for kidnapping and extortion. Now, the gruesome murder of users who had posted anonymously will no doubt achieve its intended result: greater self-censorship of Mexicos beleaguered civil society.

We now consider a sampling of regional and international efforts at policy harmonization and positioning for a more restricted and stateadministered cyberspace: 1. SCOs 2008 information security agreement; 2. BRICS (Brazil, Russia, India, China, South Africa) 3. IBSAs (India, Brazil and South Africa) statement on Internet Governance; 4. 2011 UN Draft Resolution on International code of conduct for information security; 5. Russias Convention on International Information Security; and, 6. Chinas statement to the First Committee of the General Assembly (October 2011).

SCOs 2008 information security agreement

The SCO represents 32% of the worlds total internet population. 99% of its denizens are subject to some degree of internet control (see Table 4 below).59 In 2008 the SCO countries signed an agreement Cooperation in the Field of International Information Security that pays special attention to controlling the content layers of cyberspace. The information security of states and regimes is considered paramount; threats include information that criticizes the government. To counter such threats, the signatories agreed to harmonize national policies and technical cooperation including the synchronization of information monitoring and collection methods (see Box 10 below). Through this agreement, the SCO is poised to exercise considerable de facto authority over the future of regional cyberspace creating gated and surveilled communities. These efforts may yet be game-changing on a global level.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

29

Table 4. SCO countries - Information controls

First Generation Second Generation
Computer Technical Network Shutdowns Attack
u u u u u u u u u u u u u u u u u u

Third Generation
Warrantless National Surveillance Cyberzones
u u u u u u u u u u

Legal Policing Environment Informal SCO Cyber for Informational Removal COUNTRIES Filtering Cafes Control Requests Kazakhstan China Kyrgyzstan Russia Tajikstan Uzbekistan India Iran Mongolia Pakistan Belarus Sri Lanka
u u u u u u u u u u u u u u u u u u u u u u u u

State sponsored information campaigns

u u

Direct Action
u

N/A
u u u

N/A
u u

N/A
u u u

N/A
u u u

N/A
u u

N/A
u u

N/A
u

N/A
u

N/A
u

N/A
u u u

Box 10. SCO countries: Controlling, surveilling and poised to fundamentally alter cyberspace The Shanghai Cooperation Organization (SCO) countries represent 1.5 billion people and 32% of the worlds total internet population. 99% of SCOs internet users are subject to some degree of internet control. SCO considers the information space as a critical area for government control, and for policy coordination with like-minded states. The SCO is positioned to have an enormous impact on the norms, rules and evolution of cyberspace. Current SCO members include Kazakhstan, China, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan along with four observer states (India, Iran, Mongolia, and Pakistan) and two dialogue partners (Belarus and Sri Lanka). India, Iran and Pakistan have expressed interest in full membership. While the organization is not without some internal divisions (as exemplified by Chinas refusal to support Russia in its 2008 war with Georgia)60 it has engaged in joint military exercises and missions, described by some observers as simulations of how to reverse colour-style revolutions and popular uprisings.61 With respect to cyberspace, SCOs 2008 agreement on Cooperation in the Field of International Information Security pays special attention to the content layers of cyberspace that is, to the ideas that are accessible on the internet and how they impact their societies and individuals. Information which is considered to negatively target the public perception of their respective governments is considered mass psychologic[al] brainwashing to destabilize society and state.62 To counter these and other threats, the agreement outlines specific areas for cooperation, including synchronizing information collection methods, formalizing information sharing, monitoring and responding to threats, and personnel and resources to facilitate integration and cooperation. The agreement also asserts that developed states dominate the information space and represent a significant threat, because they deliberately constrain the development of other countries and access to information technologies. It accuses developed states of monopolizing the hardware and software industries, refraining from knowledge sharing, and covertly embedding surveillance and control functions in to the software and hardware that they export. SCO meetings tend to be highly secretive and so are not easily subject to outside scrutiny. But they are likely to become important vehicles for policy coordination, giving unity, normative coherence, and strength to the individual countries beyond the sum of their parts. SCO is poised to become a global force in the coming battle over cyberspaces future.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

30

Table 5. BRICS Countries - Information Controls

First Generation
BRICS COUNTRIES Legal Policing Environment Cyber for Informational Filtering Cafes Control
u u u u u u u u u u

Second Generation
Informal Removal Requests
u u u u u

Third Generation

State Computer sponsored Technical Network Warrantless National information Shutdowns Attack Surveillance Cyberzones campaigns
u u u u u u u u u u

Direct Action

Brazil Russian Federation India China South Africa

u u u

BRICS (Brazil, Russia, India, China, South Africa)

BRICS is another regional organization that will likely become another forum for more restrictive internet policy-making, given the proclivities of its member states, whose populations represent some 30% of the global population. (See Table 5. Note that BRICS and SCO membership overlap). By contrast, the United States represents only 13% of all global and net users, and the EuroAtlantic alliance a declining 40%.

Digital Objects Number Authority (DONA) meeting at the ITU (May 2011)
In May 2011, the report from the DONA meeting at the ITU shows that a number of countries will be pushing to have the ITU become the global supervisory body for internet governance (rather than create a new UN body, see below). At the meeting, Russian Prime Minister Vladimir Putin met with the Secretary General of the ITU, Hamadoun Toure to express Russias interest in further strengthening its cooperation with the body. Putin noted that Russia was a co-founder of the ITU, and suggested that the ITUs monitoring and supervisory capabilities should be used to establish international control over the internet.63

IBSAs (India, Brazil, South Africa) statement on Internet Governance (September 2011)
On 2 September 2011, the IBSA Global Internet Governance meeting released an official statement asserting that the current model of internet governance is no longer valid. It recommended the creation of a new United Nations body to coordinate and evolve coherent and integrated global public policies pertaining to the internet. This new UN entity would govern all existing bodies involved in the technical and operational functioning of the internet and also be responsible for crisis management and arbitration. The intention was to present this proposal at the 66th UN General Assembly (September 2011).64

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

31

UN 66th General Assembly: Draft Resolution for an International Code of Conduct for Information Security (September 2011)
In September 2011, China, Russia, Tajikistan and Uzbekistan (all members of the SCO) submitted a resolution to the UN 66th General Assembly concerning a voluntary code of conduct for information security.65 The proposed code has 11 clauses that call for international cooperation on a range of issues including the protection of critical infrastructure, ensuring ICTs are not used for hostile activities, and the establishment of multilateral, transparent and democratic international internet management. Given the restricted national information environments of the co-signors, the control of content is a primary concern. A key provision urges every country to cooperate in combating criminal and terrorist activities that use information and communications technologies, including networks, and in curbing the dissemination of information that incites terrorism, secessionism or extremism or that undermines other countries political, economic and social stability, as well as their spiritual and cultural development. Many aspects of the UN resolution mirror those articulated by Russia a few weeks later in its Convention on International Information Security (see next).

The principles proposed to guide normative action in cyberspace emphasize state sovereignty over the information environment within its borders. Information and communication technologies should be subject to the rules and regulations of the nation state in which they are used.

Chinas Statement to the First Committee of the United Nations General Assembly (October 2011).
In October 2011, China addressed the First Committee of the UN General Assembly (in charge of international security) and reiterated its position on cyberspace as a sovereign domain: Sovereign states are the main actor in effective international governance of information and cyberspace respect for sovereignty and territorial integrity enshrined in the UN Charter and other universal basic norms of international relations should also be respected. This foundational position is vital context for understanding the attendant calls for international cooperation to ensure a peaceful, secure and equitable information and cyber space. Also of note, in light of the SCO position on national content controls, is Chinas signalling of the need for countries to build a comprehensive and integrated national management system comprised of legal norms, self-discipline by the industries, security safeguards and social education. Also significant was Chinas reiteration of the Draft Resolution presented to the 66th session of the UN General Assembly (see above) calling for the United Nations to become the seat of governance for cyberspace: The United Nation is the most appropriate forum for the formulation of norms and rules[to regulated the traffic] on the information highway. 67

Russias Convention on International Information Security (22 September 2011)

In September 2011, Russia released a concept note, Convention for International Information Security, at the International Meeting of High Ranking Officials Responsible for Security Matters.66 The convention is highly state-centric and concerned with information control. Key cyber threats with consequences for international stability are those that target state economic and political structures in the information space, as well as misinformation campaigns aimed at undermining the political, economic, and social system of another government and ... carried out against the population of a State with the intent of destabilizing society.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

32

4.3.2 National governments and inter-governmental organizations that favour openness

2011 saw the first national government policy positions on cyberspace openness. Supportive statements were also issued by key intergovernmental bodies. Key players and events that we review below are: 1. US Cyber Strategy (May 2011) 2. UK Cyber Strategy (February 2011) 3. G8: Commitment to openness, protection of individual rights and security (May 2011) 4. OECD: Nascent principles on internet Openness (June 2011) 5. OSCE: Access to the internet should be a human right (July 2011) 6. UN Special Rapporteur for Human Rights report on Internet (May 2011) 7. European Union: Restriction of dual-use technologies (September 2011) 8. North American Treaty Organization (NATO) Policy on Cyber Defence (June 2011).68

with current US legislation contained within the PATRIOT act;70 and, US-based commercial companies are increasingly finding themselves colluding or aiding the censorship and surveillance regimes in countries like China, Iran, Yemen, Burma and others.71 One clearly contentious issue is found in the passage affirming that the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. This element was elaborated in a later policy document issued by the US Department of Defense in July 2011 (see Box 12). Of related interest to global norm setting is the recent agreement between the US and Russia to exchange cyber security information and to establish a constant communications system on cyber security threats.72

UK Cyber Strategy
In his February 2011 speech to the Munich Security Council, UK Foreign Secretary William Hague outlined a nascent foreign policy on cyberspace that emphasized universal access, openness, freedom of expression and individual privacy as well as collective action on cybercrime and respect for rule of law (see Box 13).73 As already noted, the UKs intentions to uphold individual liberties and cyberspace openness were tested in the summer of 2011, when cyberspace-enabled civilian riots rocked the country. In response, Prime Minister David Cameron announced the government was investigating whether it will be right to stop people communicating via these websites and services. Other MPs demanded the suspension of the BlackBerry Messenger service. The UK Governments reaction highlights the elasticity of the term security threat. Observers expressed alarm at the proposed counter-measures, especially with respect to the global precedent they would set for the practice of censorship and surveillance. Whereas such extreme measures may be warranted when backed by a robust system of checks and balances and a certain degree of transparency, they could result in extreme violations of human rights when applied by regimes that are intolerant of political opposition or minorities.

US Cyber Strategy
Clearly, a constitutive force in all of the current normative positioning is the policy of the United States. The United States has been exceptionally active across all the major cyberspace and cyber security forums. In May 2011, the US released its International Strategy for Cyberspace which aims to bring together, for the first time under one framework, all the different policies that the United States is pursuing into an integrated whole-of-government approach.69 The strategy lists seven key policy priorities (see Box 11) that emphasize cyberspace openness, multi-stakeholder governance and balancing security efforts with protection of user rights, such as the individuals right to privacy. It notes that while governments need to assume a more active regulatory role, this should not come at the expense of openness and interoperability. This position statement is very important on both domestic and international fronts. However, the intricate balance proposed between prosperity, security and openness will not come easily. For example: the emphasis on intellectual property protection chafes against internet freedom; the commitments to individual privacy stand uneasily

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

33

Box 11. US International Strategy for Cyberspace: Seven priorities The US International Strategy for Cyberspace, released in May 2011, contains seven core priorities: Promote innovative, open markets; Enhance security, reliability and resilience of global networks; Improve law enforcement collaboration to fight cyber crime, domestically and internationally; Prepare for 21st century security challenges (that is: military cooperation among allies to fight cyber threats); Promote effective and inclusive internet governance structures; Build capacity, security and prosperity through international development; and, Support fundamental freedoms and privacy.

To coordinate these priorities, the State Department has created a new senior position Coordinator for Cyber Issues and announced $30 million in grant funding to increase internet access, support digital activism and counter internet repression.

Box 12. US DODs Strategy for Operating in Cyberspace The US Department of Defenses (DoD) Strategy for Operating in Cyberspace, released 14 July 2011, focuses on four threat vectors: external actors, insider threats, supply chain vulnerabilities, and threats to DoDs operational ability. Interestingly, the strategy focuses exclusively on defensive capabilities. This is surprising given that the US clearly reserved the right to treat a cyber attack as an act of war in its International Strategy for Cyberspace. One possible reason for this approach is that the US may consider a certain degree of ambiguity regarding its thresholds in cyberspace as a more effective deterrent. The strategys five core priorities are: Treat cyberspace as an operational military domain, requiring US forces to organize, train and equip for effective capabilities and to develop the cyber resiliency of networks; Protect DOD networks and systems; Partner to create a whole-of-government cyber security strategy, and involve the private sector to better monitor the global technology supply chain, both in hardware, software and knowledge base; Build robust global cooperation with US allies and international partners, including the development of shared situational awareness and development of like-minded coalitions for joint practices, early warning, burden sharing and mitigation of risk; Build a cyber work force and promote technological innovation within DOD, which will encourage private sector cooperation through rewards and joint ventures.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

34

Box 13. UK Cyber Strategy: Seven principles In 2011, UK Foreign Minister William Hague indicated that the UKs upcoming policy on cyberspace would emphasize seven principles: proportionality and respect for national and international law; universal access to cyberspace; tolerance and diversity in cyberspace; ensuring cyberspace openness to innovation, information and expression; the individuals right to privacy and protection of intellectual property; collective action to combat cybercrime; and, promotion of a competitive environment which ensures a fair return on investment in network, services and content.

The new cyber strategy will require coordination with the existing Cyber Security Strategy, first released in 2009 and updated continuously in response to the perceived exponential growth in threats. The approach, which has involved the creation of new cyber security offices, is to require collaboration across government, as well as with industry and international allies and partners to increase resilience and joint operational capabilities.74

G8: Commitment to openness, protection of individual rights and security

In May 2011, at the highest level meeting on the internets future to date, G8 member states committed to preserving internet openness, transparency, freedom and multi-stakeholder governance at the Deauville summit, hosted by the French government. The final statement characterized the internet as a lever for economic development and an instrument for political liberty and emancipation, stating that arbitrary or indiscriminate censorship or restrictions on access to the internet are inconsistent with States international obligations and are clearly unacceptable.75 The statement underlined the need to achieve freedom, security and respect for confidentiality and individual rights simultaneously. This outcome is to be achieved through international norm development and government regulation informed by all key stakeholders. The references to cyber security mentioned the Roma-Lyon group, which is the G8s anti-crime and counter-terrorism experts group.76 The challenges arising from the G8 principles are evident in the recent public criticism of Frances domestic cyber security proposals, which contravene the G8 commitments. No doubt the G8 will be an important forum where the conundrum of how to balance openness, privacy and security will be debated (see Box 14). Russias participation in this forum will also be of interest.

OECD: Nascent principles on internet openness

The OECD has been active around internet economy, governance, and cyber security issues for many years.77 In June 2011, the OECD hosted a High Level Meeting on the Internet Economy in Paris aimed at developing shared principles for an open internet economy. The meeting was praised for fostering robust multi-stakeholder discussions amongst the 34 governmental member delegations, the Business and Industry Advisory Committee (BIAC) and the Civil Society Information Society Advisory Council (CSISAC).78 In the end, the CSISAC did not endorse the final wording of the Internet Policy Principles, expressing concerns about the ambiguity of certain provisions (see Box 15). OECDs initial statement of principles stands in stark contrast to those being articulated by more regulatory-minded governments such as China and Russia in the SCO and the ITU.79 As such, the OECD may prove to be a useful forum for cyber policy development amongst like-minded governments who prioritize internet openness, user control, privacy protection and free expression (as well as security).

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

35

Box 14. The e-G8 and cyber security The Deauville Summit, hosted by the French Government in May 2011, has been lauded for underlining the critical importance of internet openness and multi-stakeholder governance. But these principles do not sit easily with other essentials, including the protection of intellectual property and domestic concerns about cyber security. The summit was preceded by the E-G8 forum, an initiative of President Sarkozy to involve a variety of stakeholders that are typically not part of G8 discussions, particularly businesses and civil society. While some very prominent people were invited, there was a great deal of angst among many civil society groups who held a shadow summit of their own, and issued their own communique that criticized the E-G8 forum for its narrow participant umbrella, and the emphasis given to intellectual property and copyright concerns. Going into the summit, cyber security was signaled to be an important topic of discussion. The final communique alludes to cyber security issues in several places, including the following: 17. The security of networks and services on the Internet is a multi-stakeholder issue. It requires coordination between governments, regional and international organizations, the private sector, civil society and the G8s own work in the Roma-Lyon group, to prevent, deter and punish the use of ICTs for terrorist and criminal purposes. Special attention must be paid to all forms of attacks against the integrity of infrastructure, networks and services, including attacks caused by the proliferation of malware and the activities of botnets through the Internet. In this regard, we recognize that promoting users awareness is of crucial importance and that enhanced international cooperation is needed in order to protect critical resources, ICTs and other related infrastructure. The fact that the Internet can potentially be used for purposes that are inconsistent with the objectives of peace and security, and may adversely affect the integrity of critical systems, remains a matter of concern. Governments have a role to play, informed by a full range of stakeholders, in helping to develop norms of behaviour and common approaches in the use of cyberspace. On all these issues, we are determined to provide the appropriate follow-up in all relevant fora. Notable here is the emphasis on norm development, multi-stakeholder approaches, and the work of the Roma-Lyon group. The Roma-Lyon group has evolved into several working groups that meet three times a year to discuss, debate, and develop strategies to address public security issues surrounding terrorism and transnational crime. The Group may become an important coordination point for cyber crime issues.

Box 15. OECDs 2011 Internet Policy Principles: A good start, but too open to interpretation OECDs high level meeting in June 2011 established Internet Policy Principles, which reaffirm a commitment to keeping the internet open, innovative and free of undue regulatory burdens. However, the CSISAC did not endorse the final version, expressing reservations about certain provisions related to intellectual property protection, intermediary liability and governmental regulation. Concerns centered on ambiguous language that could be interpreted as encouraging Internet Service Providers to police content that flows through their networks. (Internet intermediaries, like other stakeholders, can and do play an important role by addressing and deterring illegal activity, fraud and misleading and unfair practices conducted over their networks and services as well as advancing economic growth.) A second set of concerns was around cyber security issues and this clause: While promoting the free flow of information, it is also essential for governments to work towards better safeguarding personal data, the freedom of expression, cyber security, protection of children, protection of intellectual property rights, consumer protection and other fundamental rights online. Some are concerned that this phrasing equates cyber security with other fundamental rights as opposed to presenting it as an emerging international legal norm (e.g. COE Convention, OECD Guidelines), which in turn could mean that cyber security could become a justification for coercive authority or heavy handed approaches. Relatedly, the OCED is now forming a working group on cyber security, and plans to undertake a comparative analysis of national cyber security strategies. This working certainly will be an important venue and centre of gravity for cyber security strategies among the 34 states.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

36

OSCE: Access to the internet should be a human right

In July 2011, the OSCE issued the results of the first survey ever on internet regulation issued to its member states (with 46 of the 56 members responding). The report expressed concern about the growing trend of internet censorship and advocated for internet access to be considered as a human right. It noted that some member states Finland and Estonia have already made this declaration, with their citizens having a legal right to internet access. A month prior, the OSCE Parliamentary Assembly issued a press release and resolution to prevent cyber warfare (June 2011).

The resolution calls for the creation of confidence building measures to address state use of cyber technologies in conflicts; national debates on international commitments concerning codes of conduct for states using cyber technology, and information exchanges on cyber security policies, technologies, and strategies. The OSCE promises to be an important forum for encouraging member states to work through norm development in cyberspace, while ensuring that domestic legislation does not compromise freedom of expression. Notably, the July 2011 report criticizes France and the UK for adopting or considering legislation that selectively denies access to certain users (see Box 16).

Box 16. OSCE: Lobbying for openness In July 2011, OSCE released a report on internet content regulation in the OSCE region, which called for internet access to be recognized as a fundamental human right. In part based on a member survey (46 out of 56 member states responding) the report showed a general trend across Europe towards greater regulation, control and censoring of the internet, and pointed out that such actions stood in contrast to international norms: Restrictions to freedom of expression must comply with international norms. No compliance could lead to censorship, said Yaman Akdeniz, the author of the report. The study showed that legislation in many countries that enable filtering and blocking does not recognize that freedom of expression and freedom of the media equally apply to that exercised over the Internet. The report also noted that 20 countries, mostly from Eastern Europe and Central Asia, prohibit so-called extreme speech on the internet with the purpose to prevent criticism of the government, where several countries allow for complete suspension of Internet services at times of war, in a state of emergency and in response to other security threats. The report also warns against the measures already adopted by France and planned in the UK, to deny Internet access for users who have allegedly violated copyright rules. The report emphasized internet access as a basic human right, which should be respected as much as the right to freedom of expression. Dunja Mijatovic, OSCEs chief media freedom observer, said: We will use the study as an advocacy tool to promote speech-friendly Internet regulation in the OSCE participating States.
Source: Adapted from EDRI, 2011. OSCE: Access to the Internet Should be a Human Right. http://www.edri.org/edrigram/number9.14/ oecd-study-internet-freedom

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

37

UN Special Rapporteur for Human Rights report on Internet (May 2011)

In May 2011, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, made a strong case for internet access becoming an international human right (see Box 17).80 The Special Rapporteur intends to pursue this issue in an upcoming report to the General Assembly.

North Atlantic Treaty Organization (NATO): Policy on Cyber Defence

In June 2011, NATO released its Policy on Cyber Defence that offers a coordinated vision for cyber security across the alliance. While this policy targets cyber security and not openness, it features in this review because of NATOs overlapping membership with the OSCE and OECD. As the latter two organizations define their agendas for an open net, the NATO framework will require review to ensure a harmonized approach. The defence policy seeks to secure NATOs communication and information systems by bringing NATO networks under centralized protection and developing minimum requirements for national networks that process or connect to NATO information.81 The policy integrates cyber defence into the Defence Planning Process, and clarifies the political and operational mechanisms by which NATO can respond to cyber attacks, assist Allies if requested, and cooperate with stakeholders.82 The policy will be fully operational by 2012 with 24 hour monitoring of all of its networks.83 While protection of critical infrastructure is traditionally under state purview, NATO is willing to advise national government on cyber security issues and coordinate assistance during times of crisis (see Box 18).84

European Union (EU): Restricting sales to censoring countries

In September 2011, the EU Parliament revised EU rules on the export of dual-use telecommunications technologies specifically those used to intercept and monitor digital data transmissions to certain foreign regimes such as China, Russia, India and Turkey as well as those subject to arms embargoes. The aim is to restrict technologies that can be used to violate human rights, democratic principles or freedom of speech. EU forms wanting to export dual-use technologies now need approval from the authorities.

Box 17. UN Special Rapporteur for Human Rights: Internet as a Human Right Frank La Rues report on the promotion and protection of internet freedom is likely to become an important marker in the ensuing global debate on cyberspace norms. The report emphasized that: Information on the internet should not be restricted, except in few exceptions and limited circumstances as prescribed by international human rights law; Censorship measures should never be delegated to private entities (like ISPs), and that any requests for these intermediaries to disclose private information must be done strictly through due process; Corporations have a responsibility to respect human rights; and Universal access to the internet needs to be vigorously pursued.

The report expressed deep concern over: The increasingly sophisticated and non-transparent blocking and filtering mechanisms being used by states for censorship; Cyber attacks against individuals and organizations working in the areas of human rights organizations, political opposition and the dissemination of information; States that cut off internet access entirely, regardless of the justification provided, and including during times of political unrest; and Inadequate protection of the right to privacy and data protection (in accordance with article 17 of the International Covenant on Civil and Political Rights).

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

38

Box 18. NATOs Cyber Defence Policy The catalyst for NATOs flurry of activity around cyber policy was the attacks against Estonia in 2007. The Estonian Government insists that the Kremlin was responsible, an assertion that evidence supports but cannot prove. In the event, a Distributed Denial of Service (DDoS) attack involving a million computers took dozens of Estonian government departments, banks and media outlets offline. It was the first time that a coordinated cyber attack represented a comprehensive threat to national security.85 Estonia, a NATO member, is protected under Article 5s collective security whereby an attack against one member nation constitutes an attack against all member nations. At the time cyber attacks were not considered a military attack and therefore NATO did not invoke Article 5, which would have set a seminal precedent for its cyber defence strategy.86 While NATO was not compelled to act, the scope of the problem and implications for the alliance put cyber security on the agenda.87 At the 2008 Bucharest Summit, cyber security was discussed by NATO Heads of Government for the first time. The Summit leaders announced a Policy on Cyber Defence that focused on the protection of telecommunications infrastructure and developing NATOs cyber defence capabilities. A Cooperative Cyber Defence Centre of Excellence was formally established in Estonia, an ad-hoc Cyber Defence Management Authority was established in Brussels, and the prospect of new cyber challenges to the alliance became a hot button issue.88 NATOs Strategic Review in 2010 and the Lisbon leaders summit statement recognized the criticality of cyber security threats leading to an interim NATO Concept on Cyber Defence in March 2011 and the official adoption of NATOs new strategy in June. Cyber attacks are transnational and often non-attributable, and therefore directly at odds with a security organization that is bound by collective security. Coordinated assistance in the event of a cyber attack is part of the new cyber policy, but NATO reserves the right to determine thresholds for collective action by integrating ambiguity and flexibility into its responses to crises that contain a cyber component. NATO has been forced to reconsider its strategic thresholds that could compel action. Operationally, NATO has been challenged to develop a cyber defence policy that respects the sovereignty of nation states to protect their own critical infrastructure, while pursuing policies designed to protect the alliance as a whole. As a result of these considerations, the policy predictably focuses on the technical protection of networks, the sharing of best practices across member states and cooperation with key stakeholders.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

39

Part 5. Summary and Recommendations

The current mechanisms for governing cyberspace are in need of an overhaul. The internet was designed to scale as a technical network; it was not designed to accommodate the complexities that have arisen as cyberspace has become a core strategic domain for most nation-states. Although the private sector will continue to play a vital role in cyberspace management and governance, the growing problems of cybercrime and cyber war require government engagement. The world needs global rules of the road for cyberspace. For liberal democracies, inter-state discussions on cyber global governance should focus on: promoting norms for mutual restraint; protecting the physical integrity of the internet; developing effective and efficient law enforcement across borders, including nonstate, decentralized and distributed security mechanisms; enhancing the transparency of regulating mechanisms; exerting concerted efforts to fight cyber crime activities that originate within their respective territorial jurisdictions, even if the crime itself occurs elsewhere; and, developing minimum common standards of security and codes of conduct for the private sector.89

identity and regime security. This vision seeks to alter the inter-operable, multi-stakeholder constitution of cyberspace, replacing it with a top-down, non-transparent and governmentcontrolled model. SCO countries and others have already enacted comprehensive censorship and surveillance controls at the domestic level. They are harmonizing these controls at the regional level and are pushing the state control agenda at the global level. Proposals are being fielded, and their influence felt, at the United Nations, the ITU, ICANN, and the IGF. In contrast with the SCO block, Euro-Atlantic states have not yet articulated a common approach to cyberspace governance.90 Nor have they harmonized policies. The G8, OSCE, and OECD are beginning to declare principles in support of the right to cyberspace access, openness, freedom of expression and user privacy. But these principles do not sit easily with domestic measures to ensure the safety and security of internet users and national critical infrastructure. There are important distinctions between measures that aim to enhance the security of cyberspace backed up by appropriate checks and balances and those that seek to silence and control cyberspace users in the interest of regime preservation. These distinctions can be opaque, however, when controls lack transparency or accountability. In addition, the governance challenges are not limited to state actors. Private sector actors in liberal democratic countries have been aiding and abetting cyberspace censorship and human rights abuses beyond their borders. Suppliers of cyber security products and services in the US, Canada and Europe are the main producers of tools that enable deep packet inspection, content filtering, social network mining, cell phone tracking and computer network attacks.91 These products have been marketed to foreign regimes who have used them to limit democratic participation, constrict information, and identify and apprehend opposition.92

Pursuing this agenda will be difficult. Common definitions of basic elements are lacking and national approaches to cyberspace governance are wide ranging. Implementation will be challenging. Moreover, some of these norms will be meet with resistance. A growing number of states prefer a more territorialized vision of cyberspace. Most have strong traditions of state intervention into political and economic affairs. They see cyberspace within this frame as a national jurisdiction that requires shaping to preserve collective

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

40

Similarly complicit are Western-based internet service providers and companies that sell mobile devices and essential hardware like routers. Their products have inbuilt capabilities to track users, monitor network traffic, and filter content. Censoring governments around the world are leveraging these capabilities, or requiring their Western suppliers to do so (by requiring them to conform to domestic laws).93 Overall, legitimate measures to securitize cyberspace in liberal democratic countries both the principles and the tools make it easier for authoritarian states to justify and implement their own definitions of legitimate control. Protecting the global commons of cyberspace will require determination. Agreement on principles and norms is a critical first step. Treaty-building, if it is applied and possible, will need to be specific and rolling. Consensus on more amenable issues such as protecting the physical integrity of the internet should generate momentum to address more contentious areas.

Canadian interests and is consistent with our core values, trade objectives and our commitments to international instruments like the Universal Declaration of Human Rights.94 3. Harmonize domestic cyber security policy with foreign-policy objectives on openness to ensure consistency and balance between the two objectives. Security is important. Canadas critical infrastructure, public administration and economy are dependent on an internet that is reliable, secure, and defended against unlawful or dangerous use. So some regulation and effective policing measures are necessary. But, transparency and accountability are key.95 4. Demonstrate leadership in developing accountable mechanisms that balance the goal of securing cyberspace with the imperative to keep it open domestically and internationally. At the international level, Canada should consider how to promote and strengthen the nascent decentralized and distributed security mechanisms that already exist, like the transnational peer groups of network computer security professionals, engineers and academic monitoring and research projects. 5. Develop a code of practice for Canadian businesses to reduce their likelihood of colluding with cyberspace closure and surveillance abroad, and security breaches at home. This may include standards around mandatory disclosure of security breaches, privacy protections built by design and restrictions on sale of technologies that are used by regimes to violate human rights. This code of practice should balance ethical considerations with ensuring the competitiveness of Canadian businesses abroad. It should also include a review of mechanisms like the GNI to better determine whether regulatory measures are needed. 6. Define how to coordinate and leverage Canadian assets in global cyberspace decisionmaking. Tapping the richness of Canadas already engaged players could be the fastest way to bootstrap government efforts to define a voice in shaping the future governance of cyberspace (see Recommendation 10 below). 7. Define how and where to build broad coalitions of like-minded states. International collaboration is needed to define rules of the road, develop mechanisms for information sharing, improve international legal architecture, and resist top-down regulation.

5.1 Recommendations for DFAIT

Canada needs to articulate a clear policy position on cyberspace, with propositions that are in harmony with established Canadian values and international commitments and implemented consistently across government, the private sector and civil society. Key recommendations for this effort include: Developing a strategic vision Engaging Canadian stakeholders at home and abroad Sustaining the effort

Developing a strategic vision

1. Pursue a whole-of-government approach to develop and implement Canadas strategic vision on cyberspace that recognizes its central importance beyond the security agenda. The effort requires expert input from the many departments that deal with, and/or are fundamentally affected by, cyberspace, as well as the harmonization of complex jurisdictions. 2. Define a position on cyberspace as an open global commons, consistent with Canadas foreign-policy objectives on democratization, rights and trade. An open cyberspace clearly benefits

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

41

8. Review Canadas experience with leading multi-stakeholder and multilateral treaty processes including the verification for the comprehensive nuclear test ban, and the landmine ban. Canada has played an important role in brokering complex multi-stakeholder normative and technical agendas. DFAIT should review this experience to see whether there are lessons that could be applied to the cyber agenda.

international relations as are the domains of land, air, space, and sea, and foreign service officers should be equipped to engage policies relevant to this domain at all levels. 14. Establish a global policy monitoring and tracking capability. Cyberspace and internet governance will remain in flux for the foreseeable future. Canadas abilityto make rapid and informed decisions requires mechanisms for ongoing situational awareness and an understanding of the key actors and issues at play.

Engaging Canadian stakeholders at home and abroad

9. Develop a multi-stakeholder consultation process. Public sector, private sector and nongovernmental actors should be consulted when identifying and defining issues for inclusion in Canadas overall strategy on cyberspace. 10. Engage Canadas IT sector, particularly market leaders and individuals who are key influencers within the existing forums for internet governance. Canada has valuable but unexploited resources already at play in the internet governance domain. Canadian corporations such as RIM and Bell Canada are significant players on the global stage, and increasingly have to contend with policy and regulation of this domain domestically and in their international markets. Canadian individuals are also important assets. At present, a serving senior policy advisor acts as a trustee of ICANN, and a former executive from the same ministry retains an advisory position within ISOC.96 Both act in their private capacity. 11. Leverage Canadas academic community, members of whom are global leaders in enumerating and documenting the evolution of internet governance worldwide. These communities should also be engaged to help educate the wider Canadian population on key issues and choices

Sustaining the effort

12. Seek partnership with academic and corporate actors who can provide additional technical support and enhance capability within DFAIT. This is particularly important given the technical aspects of internet governance. 13. Invest in professional training and development to ensure that cyberspace becomes a core competency amongst DFAIT professionals. Cyberspace is as important to Canadian

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

42

Endnotes

1.

Throughout this paper, the term cyberspace signals the complex ecosystem that combines technical networks and devices, digitized content and communication, and the rules and regulations that govern them. Internet World Stats. 2011. http://www.internetworldstats.com/ stats14.htm#north See Industry Canada. Industry Canadas Business Plan 20112012. http://www.ic.gc.ca/eic/site/ic1.nsf/eng/06588.html Note for example, recent debates in the UK around shutting down social media in response to the summer 2011 civil riots. See: Szoka, Berin. 2011. UK Riots and the Internet: What Would Hayek Do? The Technology Liberation Front. 12 August 2011. http:// techliberation.com/2011/08/12/uk-riots-what-would-hayek-do/ The landmark model for large-scale blocking comes form the UK (Cleanfeed), developed to block access to child pornography sites. Implemented in British Telecoms network in 2004, the model was subsequently adopted for the same purpose by Canada in 2006, and Australia in 2007. See Deibert, R. 2011. Rescuing the Global Cyber Commons: An Urgent Agenda for the G8 Meeting in Deauville. Information Warfare Monitor. 23 May 2011. http://www.infowar-monitor. net/2011/05/rescuing-the-global-cyber-commons/ Canadian Banks Association, as cited in the Public Safety Technical Program et al. 2010. Dark Space Project on the Analysis of Darknet Space for Predictive Indicators of Cyber Threat Activity. Industry Canada. 2008. E-Commerce: Shopping on the Internet. The Daily. Monday 17 November 2008. http://www.statcan.gc.ca/ daily-quotidien/081117/dq081117a-eng.htm United Nations. 2010. United Nations e-Government Survey. Economic and Social Affairs. http://unpan1.un.org/intradoc/ groups/public/documents/un/unpan038851.pdf Statistics Canada. 2010. Internet Use Survey. The Daily. Monday 10 May 2010. http://www.statcan.gc.ca/daily-quotidien/100510/ dq100510a-eng.htm Industry Canada. 2009. Canadian ICT Sector Profile. Information and Communications Technology Branch. August 2009. http://www. ic.gc.ca/eic/site/ict-tic.nsf/eng/h_it07229.html See Part 4.3 of this report. Parsons, Christopher. 2010. Decrypting Blackberry Solutions, Decentralizing the Future. Technology, Thoughts and Trinkets. http://www.christopher-parsons.com/blog/technology/decryptingblackberry-security-decentralizing-the-future/ Emery, Daniel. 2010. Blackberry Poses Security Risk Say UAE Authorities. BBC News. http://www.bbc.co.uk/news/technology-10761210 Clark, Jack. 2010. Rim denies security kowtowing to governments. ZDNet UK. 4 August 2010. http://www.zdnet.co.uk/news/ mobile-it/2010/08/04/rim-denies-security-kowtowing-to-governments-40089733/ Lennighan, Mary. 2011. Friday Review: Dont Shoot the

Messenger. Total Telecom. http://www.totaltele.com/view. aspx?ID=466996 17. Noman, Helmi and Jillian C. York. 2011. West Censoring East: The Use of Western Technologies by Middle East Censors 2010-2011. OpenNet Initiative Bulletin. Netsweeper. Netsweeper Overview For Telcos. http://www.netsweeper.com/site/index.php?page=downloads&type=entry&id=51&r oot=1&keep_session=1388426898&keep_has_js=1 Thomas, Nicki and Dempsey, Amy. 2011. Guelph-based software censors the Internet in the Middle East. The Toronto Star. http://www.thestar.com/news/article/1007399--canadian-madecensorship?bn=1 McAfee and SAIC. 2011. Underground Economies. Santa Clara, CA. http://www.mcafee.com/us/resources/reports/rp-undergroundeconomies.pdf See The Canadian Cyber Security Situation in 2011. (Unpublished document). Public Safety Technical Program et al. 2010. Dark Space Project on the Analysis of Darknet Space for Predictive Indicators of Cyber Threat Activity. 2007 research from the U.S. Cyber Consequences Unit, as cited by the Global Centre for Securing Cyberspace. http://gcsc.org/index. php/public/cybercrime/ Websense. 2011. The Next Hotbed of Cyber Crime Activity is. Canada?. Websense Security Labs Blog. 11 May 2011. http:// community.websense.com/blogs/securitylabs/archive/2011/05/11/ the-next-hotbed-of-cybercrime-activity-is-canada.aspx Bell Canada. 2007. State of Readiness in Canadas Key Infrastructure Sectors. Final Report for Milestone 3b. Part 1: Report. Of the 80%, most outsourced up to 30% of their IT operations, whereas 10% outsourced more than half their operations. Moscaritolo, Angela. 2008. Forecast: Security threats 2009. SC Magazine. http://www.scmagazineus.com/forecast-securitythreats-for-2009/article/122779/ For a full listing of ICs activities and roles, see the departments website: http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/home Jamart, A and Llans E. 2011. French Policy-Making Approach Inconsistent with OECD Principles. CDT Policy Blog. 14 July 2011. http://www.cdt.org/blogs/147french-policy-making-approachinconsistent-oecd-principles Deibert, R. 2011. Rescuing the Global Cyber Commons: An Urgent Agenda for the G8 Meeting in Deauville. Information Warfare Monitor. 23 May 2011. http://www.infowar-monitor.net/2011/05/rescuingthe-global-cyber-commons/ See also endnotes 70 (on the U.S. Patriot Act) and 95 (on Canadas surveillance proposals) below. The definition of cyberspace remains an ongoing discussion amongst experts. An alternative definition, proposed by Dan Khuel An operational domain whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange and exploit information via interconnected information-communication technology (ICT) based

2. 3. 4.

18.

19.

20.

5.

21. 22.

6.

23.

7.

24.

8.

9.

25.

10.

26.

11.

27. 28.

12. 13.

29.

14.

15.

30.

16.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

43

systems and their associated infrastructures. See Khuel, Dan. From Cyberspace to Cyberpower: Defining the Problem. Information Resources Management College / National Defense University. 31. 32. See #numbers. 2011. Twitter Blog. 14 March 2011. http://blog. twitter.com/2011/03/numbers.html The internet system was initially developed by the United States Advanced Research Projects Agency (ARPA) to address the U.S. militarys concern about the robustness of their communications networks, and the desire to be able to interconnect the computer systems of strategic U.S. institutions. This eventually led to the development of the TCP/IP protocols in the mid-1970s and the construction of the National Science Foundation NET (NSFNET) network backbone in the mid 1980s. Separate networks were created over the 1980s, but all eventually merged and became inter-operable because of the adaptability of the TCP/IP protocol. The open availability of the specifications and code enabled commercial vendors to build interoperable network components such as routers, which aided in the further rigorous standardization of the TCP/IP on UNIX and every other common operating system. This, in turn enabled the rapid global growth of the internet, as it came to encompass almost all other previously existing public computer networks. The rapidity of internet growth is often attributed to the lack of central administration and non-proprietary open nature of the protocols, which allows the network to grow organically, encourages vendor interoperability and prevents any one country from exerting too much control. Economist. 2011. Who should run the internet? 1 October 2011. http://www.economist.com/node/21530955 As demonstrated by the 2011 democratic revolutions in the Middle East and North Africa (MENA) and riots in the U.K. See, for example, United Nations General Assembly, 2011. Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue. 17th Session, 16 May 2011. http://daccess-dds-ny.un.org/doc/UNDOC/GEN/ G11/132/01/PDF/G1113201.pdf?OpenElement As such, the private sector represents a critical Centre of Gravity for cyberspace informal governance, as discussed in Part 4 below. This equipment was used to harvest personal mobile phone conversations of human rights activists that the government then detained and tortured. See: Silver, Vernon and Elgin, Ben. 2011. Torture in Bahrain Aided by Nokia Siemens. Bloomberg Markets Magazine. 22 August 2011.http://www.bloomberg.com/news/2011-08-22/ torture-in-bahrain-becomes-routine-with-help-from-nokia-siemensnetworking.html See, for example, The SecDev Group, 2011. Censorship and Social Activism in the Middle East and North Africa. Morozov, Evgeny. 2011. Repressing the Internet Western-style. As politicians call for more online controls after London and Norway, authoritarian states are watching. The Wall Street Journal. 13 August 2011. http://online.wsj.com/article/SB10001424053111 903918104576502214236127064.html?mod=WSJ_hpp_MIDDLE_Video_Top Including: U.K. Sweden, France, Iceland, the Netherlands, Finland, Estonia, the OECD, OSCE, G8. See Part 4 for further discussion. See for example, a recent unintentional leak from a Chinese military university that revealed a China-based cyberattack against the main website of the Falun Gong hosted by a US university. Robertson, M. 2011. Chinese Military TV Show Reveals More Than Intended. The Epoch Times. 21 August 2011. http://www.theepochtimes.com/ n2/china-news/slip-up-in-chinese-military-tv-show-reveals-morethan-intended-60619.html This categorization is not exclusive, as some actors can be 55. 56. 48. 49.

simultaneously corporate entities and act as self constituting private authorities -- as is the case with the Internet Corporation for Assigned Names and Numbers (ICANN) which is a Corporation registered in the state of California, and also a self constituted international nongovernmental organization that sets most of the meaningful standards that guide the technical development of the internet. Likewise, in some countries telecommunication carriers are both a private corporation as well as the de facto extension of public authority. 43. These include the Internet Assigned Numbers Authority (IANA), The Internet Engineering Task Force (IETF), Internet Architecture Board (IAB). Yu, Peter Yu. 2003. The Neverending CCTLD story. http://home. uchicago.edu/mferzige/ccTLDs.pdf OpenNet Initiative. 2010. Pakistan Country Study. http://opennet.net/research/profiles/pakistan Report on the Delegation of the . (R.F.) domain representing the Russian Federation to Coordination Centre for TLD RU. IANA. http://www.iana.org/reports/2010/rf-report-07apr2010.html Example organizations include: The Open Net Initiative (ONI), Citizen Lab (Munk Centre, University of Toronto), Association for Progressive Computing, Global Internet Freedom Coalition, Privacy International, Centre for Democracy and Technology, Freedom House, Reporters without Borders, etc. These longer-standing actors have been joined by newcomers who increasingly see internet access and freedom as a basic human right, such as Amnesty International, Human Rights Watch, Witness, and Access Now. Example organizations include: Tor, Dan Guardian, PSIPHON, UltraReach and FreeGate. For more information, including types of leaks and government reactions/attempts at prosecution, see: Wikileaks. Wikipedia. http://en.wikipedia.org/wiki/WikiLeaks A two-tier system violates the model of internet equal access for all. For more detail see: Network Neutrality. Wikipedia. http:// en.wikipedia.org/wiki/Network_neutrality Public Safety Technical Program et al. 2010. Dark Space Project on the Analysis of Darknet Space for Predictive Indicators of Cyber Threat Activity. Woodcock, Bill and Adhikari, Vijay. 2011. Survey of Characteristics of Internet Carrier Interconnection Agreements. Packet Clearing House. 2 May 2011. http://www.pch.net/docs/papers/peeringsurvey/PCH-Peering-Survey-2011.pdf The SecDev Group. 2011. Collusion and Collision: Searching for guidance in Chinese cyberspace. http://www.scribd.com/ doc/65531793/Collusion-Collision Google is a notable exception, having decided to withdraw its operations in China rather than continue to act as a censor on behalf of the government. Google has begun to articulate a kind of foreign policy for cyberspace governance; it sees threats to internet freedom (access to information and freedom of speech) as a threat to its core business operations. See: The SecDev Group. 2011. Collusion and Collision: Searching for guidance in Chinese cyberspace. http://www.scribd.com/doc/65531793/Collusion-Collision See OpenNet Initiative. http://opennet.net/ Hernandez, D. 2011. Terrorism charges for 2 in Mexico who spread attack rumor on Twitter, Facebook. La Plaza, Los Angeles Times. 1 September 2011. http://latimesblogs.latimes.com/ laplaza/2011/09/twitter-tweets-veracruz-mexico-terrorism-drug-warcensorship-rumors.html N/A means no reliable information as of yet available. Sources

44. 45. 46.

47.

33. 34. 35.

50.

36. 37.

51.

52.

38. 39.

53.

54.

40. 41.

42.

57.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

44

include: Kelly, Sanja and Sarah G. Cook. 2011. Freedom on the Net: A Global Assessment of internet and Digital Media. Freedom House. 18 April 2011. http://www.freedomhouse.org/images/File/ FotN/FOTN2011.pdf ; Reporters Without Borders. Internet. http:// en.rsf.org/internet.html ; OpenNet Initiative. Country Profiles. http:// opennet.net/country-profiles 58. Logan, S. 2011. Mexico: Death by Social Media. ISN Insights. 28 September 2011. http://www.isn.ethz.ch/isn/Current-Affairs/ISNInsights/Detail?lng=en&id=133075&contextid734=133075&contextid735=133074&tabid=133074&dynrel=4888caa0-b3db-146198b9-e20e7b9c13d4,0c54e3b3-1e9c-be1e-2c24-a6a8c7060233 By contrast, the United States represents only 13% of all global and net users, and the euro Atlantic alliance a declining 40%. Scheineson, Andrew. 2009. Backgrounder: The Shanghai Cooperation Organization. New York: Council on Foreign Relations. http:// www.cfr.org/international-peace-and-security/shanghai-cooperation-organization/p10883 Weitz, Richard. 2010. Whats happened to the SCO? The Diplomat. 17 May 2010. http://the diplomat.com/2010/05/17/ what%E2%80%99s-happened-to-the-sco/ Shanghai Cooperation Organization. 2008. Agreement between the governments of the member states of the Shanghai Organization on Cooperation in the Field of International Information Security. 61st Plenary Meeting. 2 December 2008. http://media.npr.org/ assets/news/2010/09/23/cyber_treaty.pdf ITU. 2011. Meeting Report for the ITU - CNRI Roundtable to Discuss The Framework for the Management of the Digital Object Architecture. 19 May 2011. Geneva. http://isocbg.files.wordpress. com/2011/09/dona_meeting_report-final-16june2011.pdf ; and, Government of the Russian Federation. 2011. Prime Minister Vladimir Putin meets with Secretary General of the ITU. 15 June 2011. http://premier.gov.ru/eng/events/news/15601/ IBSA Multistakeholder meeting on Global Internet Governance. 2011. Recommendations. 1-2 September 2011. http://www. culturalivre.org.br/artigos/IBSA_recommendations_Internet_Governance.pdf The Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations. 2011. Letter dated 12 September 2011 and Annex to the letter dated 12 September 2011: International code of conduct for information security. United Nations General Assembly: 66th session. International Meeting of High Ranking Officials Responsible for Security Matters. 2011. Convention on International Information Security (Concept). Ekaterinburg, Russia. 21-22 September 2011. English.xinhuanet.com. 2011. China proposes traffic rules for information, cyberspace security. 21 October 2011. http://news. xinhuanet.com/english2010/china/2011-10/21/c_131203323.htm. And, English.xinhuanet.com. 2011. China calls for joint efforts for peaceful, secure and equitable cyberspace. 21 October 2011. on:http://news.xinhuanet.com/english2010/china/201110/21/c_131203292_2.htm While this policy focuses on cyber security (not openness), it is included here because of the member states who are signators, and because its positions and protocols will require review if/when policies on openness are developed. See Clinton, Hillary. 2011. Remarks on the Release of President Obama Administrations International Strategy for Cyberspace. http://www.state.gov/secretary/rm/2011/05/163523.htm. The strategy itself is available on: http://www.whitehouse.gov/sites/default/ files/rss_viewer/international_strategy_for_cyberspace.pdf The post 9/11 PATRIOT Act expanded the scope for electronic 78. 74. 72.

surveillance. One important consequence of the discussion around norms in cyberspace is their bringing into light practices that were either previously shrouded in secrecy or obscured and confused in some manner. For example, the United States recent admission of offensive cyber attack capabilities, long understood to be operational but classified, opens up the possibility for more public discussion of when and where such capabilities are exercised and by extension how they might be controlled. 71. See The SecDev Group. 2011. Collusion and Collision: Seeking Guidance in Chinese Cyberspace. http://www.scribd.com/ doc/65531793/Collusion-Collision See also Deibert, Ron and Rohozinski, Rafal. 2010. Risking Security: Polices and Paradoxes of Cyberspace Security. International Political Sociology. 4:15-32. Montalbano, Elizabeth. 2011. U.S. Russia Forger Cybersecurity Pact. InformationWeek Government. 12 July 2011. http://www. informationweek.com/news/government/security/231001440 Foreign Secretary William Hague. 2011. Security and Freedom in the Cyber Domain: The Rules of the Road. Speech delivered at Munich Security Conference, 4 February 2011. http://www.fco.gov. uk/en/news/latest-news/?view=Speech&id=544853682 Offices include: The Office of Cyber Security and Information Assurance in the Cabinet, a Cyber Security Operations Center in Government Communications Headquarters (GCHQ) and a Defense Cyber Operations Group tasked with mainstreaming cyber security throughout the Ministry of Defence. Note also the UK and US have singed a comprehensive Memorandum of Understanding to institutionalize the sharing of cyber security information. G8 Declaration. 2011. Renewed Commitment for Freedom and Democracy. Deauville. 27 May 2011. http://www.g8.utoronto.ca/ summit/2011deauville/2011-declaration-en.html G8. The Roma-Lyons Group. http://www.g8italia2009.it/G8/Home/ News/G8-G8_Layout_locale-1199882116809_AppGiustizia.htm OECD produces a regularly updated set of ICT indicators (http:// www.oecd.org/sti/ICTindicators) that measure national progress around ICT development. It also published a Digital Economy Papers series that covers protection of children online, the evolving privacy landscape, and digital identity management (http://www. oecd-ilibrary.org/science-and-technology/oecd-digital-economypapers_20716826). The main emphasis of the OECDs work is around the promotion of a digital economy, while protecting privacy and security of users and businesses. A major ministerial meeting was held in Seoul, Korea in June 2008 on the Future of the Internet Economy. The two Canadian speakers at the event were Mr. Richard Dicerni, Deputy Minister, Industry Canada, and Ms. Jennifer Stoddart, Privacy Commissioner. See blog by Milton Mueller on the Internet Governance Project. http://blog.internetgovernance.org/blog/_archives/2011/6/28/4847563.html) Some countries like Russia are advocating that the ITU should take control over key pieces of internet infrastructure with the authority to regulate internet content and services. United Nations General Assembly, Human Rights Council. 2011. Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue. 17th Session, 16 May 2011. A/HRC/17/27 http://www2.ohchr.org/ english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf North Atlantic Treaty Organization. 2011. Defending the networks: the NATO policy on cyber defence. http://www.nato.int/nato_static/ assets/pdf/pdf_2011_09/20111004_110914-policy-cyberdefence. pdf North Atlantic Treaty Organization. 2011. NATO and Cyber

59. 60.

73.

61.

62.

63.

75.

76. 77.

64.

65.

66.

67.

79.

68.

80.

69.

81.

70.

82.

SecDev Analytics

Canada and Cyberspace 2012: Key Issues and Challenges for DFAIT

45

Defence. 8 June 2011. http://www.nato.int/cps/en/SID-EEBE98D906E44D77/natolive/topics_78170.htm? 83. 84. Network monitoring is provided by the NATO Computer Incident Response Team (NCIRC). NATO sets 2012 Cyber-Defence Policy. Security and Defence Agenda. 15 June 2011. http://www.securitydefenceagenda.org/ Contentnavigation/Library/Libraryoverview/tabid/1299/articleType/ ArticleView/articleId/2690/NATO-sets-2012-cyber-defence-policy. aspx Davis, Joshua. 2007. Hackers Take Down the Most Wired Country in Europe. Wired. 21 August 2011. http://www.wired.com/politics/ security/magazine/15-09/ff_estonia?currentPage=all Herzog, Stephen. 2011. Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses. Journal of Strategic Security. 4:2:49-60. Ibid. Hughes, Rex. 2009. NATO and Cyber Defense: Mission Accomplished? http://www.carlisle.army.mil/DIME/documents/NATO%20 and%20Cyber%20Defence.pdf For further discussion see: Deibert, Ron. 2011. Rescuing the Global Cyber Commons (op.cit); Economist. 2011. Cybersecurity in America and Europe. Freedom and security in cyberspace. 6 October 2011. http://www.economist.com/blogs/charlemagne/2011/10/ cybersecurity-america-and-europe; and, Koumartzis N. And Veglis, A. 2011. Internet regulation. First Monday. Vol 16, No.10. http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/ viewArticle/3266/3071#p1 Note that elements within the U.S. State Department have resisted the characterization of cyberspace as a commons, arguing that this would diminish U.S. sovereignty (paradoxically, the same argument used by countries like China, Russia, and others). The U.S. remains committed to a multi-stakeholder governance process, correctly judging that this effectively means that the centre of gravity will remain with ICANN and the largely U.S.-based engineering community and ethos. See for example ISS World Americas. 11-13 October 2011. Washington, DC. http://www.issworldtraining.com/ISS_WASH/ See for example: Roads, Christopher and Chao, Loretta. 2009. Irans Webspying aided by Western Technology. The Wall Street Journal. 22 June 2009. http://online.wsj.com/article/ SB124562668777335653.html See Boxes 1 and 2 in Part 2 of this paper for Canadian examples. Also see The SecDev Group. 2011. Collusion and Collision: Searching for Guidance in Chinese Cyberspace. See Part 2 of this paper. In 2010, three bills on issues of lawful access were tabled to the House of Commons: Bill C-50 Improving Access to Investigative Tools for Serious Crimes Act, Bill C-51 Investigative Powers for the 21st Century, and Bill C-52, Investigating and Preventing Criminal Electronic Communications Act. They proved hugely controversial for the significant power delegated to law enforcement agencies to monitor personal online communications and log activity. The bills were thrown out after their first readings. Public Safety Minister Vic Toews has committed to pursuing these issues in the upcoming session of Parliament. Measures also include not requiring law enforcement agencies to acquire a warrant before accessing electronic information and obliging ISPs to retain electronic evidence. See: CBC News. 2011. Lawful access FAQs: Clearing confusion about surveillance proposals. 4 October 2011. http://www.cbc.ca/ news/technology/story/2011/10/04/f-lawful-access.html

96.

Canada is represented on the ICANN board by Heather Dryden, a senior policy advisor at Industry Canada (acting in a private capacity). Canada is represented on the ISOC board by a retired industry Canada executive.

85.

86.

87. 88.

89.

90.

91. 92.

93.

94. 95.

SecDev Analytics