Cybersecurity: Technical and Policy Challenges

Publication No. 2018-05-E 16 February 2018

Holly Porteous Legal and Social Affairs Division Parliamentary Information and Research Service

Library of Parliament Background Papers provide in-depth studies of policy issues. They feature historical background, current information and references, and many anticipate the emergence of the issues they examine. They are prepared by the Parliamentary Information and Research Service, which carries out research for and provides information and analysis to parliamentarians and Senate and House of Commons committees and parliamentary associations in an objective, impartial manner.

© Library of Parliament, Ottawa, Canada, 2018

Cybersecurity: Technical and Policy Challenges (Background Paper)

This document is also published in French.

CONTENTS

1 BACKGROUND

2 THE EVOLVING CYBERTHREAT LANDSCAPE

2.1 Attacks on Critical Infrastructures

2.2 Attacks for Hire

2.3 Attacks on Public Perception

2.4 Attacks on Human Rights

3 CYBERSECURITY CHALLENGES AND SOLUTIONS

3.1 What is Cybersecurity?

3.2 Challenges to Cybersecurity

3.2.1 Why Is Cybersecurity So Difficult?

3.2.2 Cyber Supply Chain Insecurity

3.2.3 The Cybersecurity Dilemma

3.2.4 “Going Dark”

3.3 Proposed Cybersecurity Solutions

3.3.1 Can the Internet Be Fixed?

3.3.2 Internet Governance

3.3.3 The United Nations Group of Government Experts in the Field of Information and Telecommunications in the Context of International Security

3.3.4 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations

4 OBSERVATIONS AND CONCLUSIONS

CYBERSECURITY: TECHNICAL AND POLICY CHALLENGES

1 BACKGROUND

Starting with a quick overview of some of the types of cyberthreats confronting Canada and its allies, this paper examines how Canada defines cybersecurity and considers the many human, technical, economic and political factors that make achieving cybersecurity so difficult. Finally, it touches on some of the international initiatives that have been undertaken to enhance cybersecurity.

2 THE EVOLVING CYBERTHREAT LANDSCAPE

The following are a few recent international and domestic cyber events that have been selected to characterize aspects of the current threat landscape.

2.1 ATTACKS ON CRITICAL INFRASTRUCTURES

On 23 December 2015, substations of at least three major power companies in Ukraine were systematically attacked, temporarily disrupting power supply to almost a quarter of a million Ukrainian consumers. Subsequent analysis showed that the computers used in the attack all appeared to be located in the Russian Federation. Unofficially, blame was placed on a Russian group known as “Sandworm” (after a creature in Frank Herbert’s Dune novels; references to the fictional planets in those novels were embedded in the software code of the group’s attack tools).1

A little under a year later, on 18 December 2016, Ukraine’s power grid was attacked once more. This time, the attack was not against substations further down the distribution chain but on a major transmission station in Kyiv. Though the resulting blackout was of a shorter duration, the implications were clear: the attackers had control over Ukraine’s power grid and could shut it down at will.2

On 12 May 2017, ransomware dubbed “WannaCry” explosively came to life, self-propagating through networks and encrypting data on computers in some 150 countries. Ransomware encrypts a victim machine’s files, rendering them useless until a ransom is paid to the attacker, usually in bitcoins. At least 16 hospitals in the United Kingdom, Spain’s largest telecommunications provider, Telefónica, and the U.S. FedEx Corporation were among the organizations infected by WannaCry. Though media reports indicate that some 300,000 systems were affected worldwide, no Canadian organization publicly acknowledged having been infected.3 State-level attribution for a cyberattack is rare, but, significantly, in December 2017 the United Kingdom, the United States, Australia, New Zealand, Canada and Japan all formally attributed the attack to North Korea.4 Such definitive attribution has important implications under international law concerning response and accountability. Simply put, if the source of a cyberattack cannot be attributed with a high degree of certainty, then nobody can be held responsible and the legitimacy of any act of retribution can be called into question.

On 27 June 2017, Ukrainian banks, government ministries, media outlets and electricity companies were attacked by a modified version of the “ that had been used in the widespread “WannaCry” ransomware attack that had taken place a month earlier. At first the goal of this attack, called “NotPetya” by some, appeared to be extortion. However, modifications made to the Petya tool for this attack led some analysts to suggest that the goal was rather to cause maximum damage to infrastructure by wiping hard drives.5 On 15 February 2018, both the United States and the United Kingdom formally attributed the NotPetya attack to the Russian military.6

2.2 ATTACKS FOR HIRE

On 8 August 2017, Israeli police arrested two teenagers suspected of operating vDOS, which at the time was one of the most profitable attack-for-hire services online. Over the four years it was in business, vDOS is reported to have had tens of thousands of paying customers and facilitated over 2 million distributed denial of service attacks (DDoS). DDoS rely on covert networks of thousands of hacked computers or “bots” that can be commandeered to attack victim computer systems by overwhelming them with traffic.7

In March 2014, Karim Baratov, a Kazakhstan-born Canadian citizen, was arrested in Ancaster, Ontario, in connection with a massive breach of Yahoo that resulted in the exposure of the account information of 500 million users. Baratov, who was extradited to the United States, and three other individuals face charges of conspiracy, computer intrusion and economic espionage in an intelligence-gathering operation run by the Russian Federal Security Service.8

2.3 ATTACKS ON PUBLIC PERCEPTION

Starting in 2015, hackers working for intelligence agencies of the Russian Federation successfully penetrated the computer network of the Democratic National Committee (DNC) in an operation referred to by U.S. authorities as GRIZZLY STEPPE.9 Some argue that the resulting fallout from the leaked DNC emails tipped the 2016 presidential election in President Donald Trump’s favour.10

For at least a decade, using what RAND Corporation analysts Christopher Paul and Miriam Matthews call a “firehose of falsehood propaganda model,”11 Russia has been seen by observers as attempting to undermine NATO cohesiveness and public support. In recent years, this campaign has reportedly harnessed the Internet, using blogs and other social media to disseminate fake news and attack views that contradict Russian interests. So-called “troll farms” – legions of individuals who are paid to post Russia-friendly comments on fake social media accounts – are reportedly being used, as well as automated “bot” programs that are capable of disseminating propaganda on a massive scale.

2.4 ATTACKS ON HUMAN RIGHTS

On 19 June 2017, Citizen Lab, a University of Toronto research centre, issued a report on its analysis of a spyware12 campaign conducted against Mexican journalists and lawyers, and human rights and public health advocates. According to Citizen Lab, an Israeli company called NSO Group likely conducted the campaign on behalf of elements of the Mexican government. Citizen Lab also noted that “[m]any of the journalists and civil society members who were targeted with infection attempts using NSO links, and their colleagues, were similarly targeted for other forms of harassment, and intimidation.”13

As these events indicate, cybersecurity entails far more than securing technology against online attacks. It also concerns protecting individuals and society against cyber-enabled influence campaigns, extortion, and intimidation.

3 CYBERSECURITY CHALLENGES AND SOLUTIONS

3.1 WHAT IS CYBERSECURITY?

Not everybody agrees on what cybersecurity means. To a systems administrator, it means ensuring that networks, computer systems, mobile devices and data residing on each of the aforementioned are appropriately protected against unauthorized actions.14 Civil rights activists often define cybersecurity as protection against online surveillance by government or by private sector corporations. To a nation-state, cybersecurity takes on geopolitical connotations. For example, some states, such as China and Russia, view the borderless nature of the Internet with great suspicion and define cybersecurity in terms of maintaining sovereign control over the online activities of their citizens.

The Freedom Online Coalition, a 30-member group of governments that has committed to work together to support Internet freedom and protect fundamental human rights, has developed this definition, to which Canada contributed:

Cybersecurity is the preservation – through policy, technology, and education – of the availability, confidentiality and integrity of information and its underlying infrastructure so as to enhance the security of persons both online and offline.15

Canada asserts that there can be no trade-off between human rights and cybersecurity, believing that the protections international law affords to these rights apply in the cyber realm.16

3.2 CHALLENGES TO CYBERSECURITY

3.2.1 WHY IS CYBERSECURITY SO DIFFICULT?

If, as this definition suggests, cybersecurity can only be achieved through attention to people, processes and technology, there is a lot that can go wrong. Humans – their awareness of risk and adherence to security best practices that can help mitigate these risks – are always the weakest link in a security system. Too often, people either bypass security measures because they are inconvenient or place too much faith in security measures that are insufficient. Poorly designed technology can give rise to both of these behaviours.

Other factors, such as rapid technological innovation, market forces and geopolitical competition also contribute to the cybersecurity challenge.

Indeed, beyond user interface considerations, the information and communications technologies (ICT) that form the substance of cyberspace present near-insurmountable security challenges. ICT is particularly hard to secure because it is software-centric.17 Software can comprise millions of lines of code and obscure subroutines, leaving plenty of room for errors and functionality that may not be completely understood and whose provenance may be equally murky. Although various automated software tools can help check for errors in coding, and advances in artificial intelligence – especially machine learning – promise to one day assist or even take over the task of software engineering, much still depends on human coding skills and quality assurance processes.18

Intense competition – spurred on by growing consumer demand19 as well as the globalization of ICT innovation and production – has led to ever-tighter to-market cycles for ICT products. Silicon Valley (and Canadian counterparts in places like Toronto, Waterloo, Vancouver, Montréal and Ottawa) may still be providing the world with stunning ICT innovations,20 but this leadership is being challenged. In June 2017, for example, China achieved a major milestone in the field of quantum computing by successfully using a satellite to transmit a quantum signal.21

Since 2000, Asia-Pacific’s ICT sector has shifted from merely assembling electronic consumer goods built elsewhere to indigenous production and innovation. Today, the world’s third largest smartphone vendor is Huawei, based in Shenzhen, China.22 Huawei may soon overtake those companies currently occupying first and second place – Korea’s Samsung and the United States’ Apple, respectively – but only if it can stay ahead of two other Chinese competitors, Oppo and Vivo.23

Wireless broadband (and, increasingly, fibre-optic cable) has lit up underserved parts of the globe such as Africa, creating millions more tech-hungry consumers virtually overnight.24 Through such initiatives as Google’s CSquared25 and Project Loon,26 Facebook’s Aquila Internet-by-drone project27 and China Communications Services Corporation’s “Eight Vertical and Eight Horizontal” plan,28 Africa is rapidly joining the rest of the digitized world. Like mobile users elsewhere, the new consumers on this continent, who thus far come mainly from relatively affluent urban centres, live their lives through their mobile devices, using them to stream online content and communicate with friends, family and work almost from the moment they get up in the morning. Though only a small number are currently using their mobiles to bank and make small purchases, a high percentage of Africans have indicated an interest in doing so as soon as these services become more widely available.29 For ICT vendors, the goal is clear: to reap the rewards from being first to market with affordable, feature-rich smartphones.

By and large, it is software – not hardware – that delivers the features consumers want and the profit margins vendors desire.30 Moreover, as Africa’s digitization model suggests, mobile devices are rapidly replacing laptops and desktop personal computers as technologies of choice.31 This miniaturization has significant implications for software development. Unlike software that runs on desktop PCs, software applications developed for mobile devices, called “apps,” must be pared down to address constraints such as limited battery life and smaller screen size.

From a security standpoint, the pared-down nature of apps can be a good thing in that it leaves less opportunity for errors and unnecessary/unknown functionality to be introduced. Nonetheless, because they interact with other systems, apps still require careful and well-documented coding to avoid the introduction of security vulnerabilities.32 Because of the desire to respond rapidly to the seemingly insatiable consumer demand for novel, easy-to-use apps and the fact that many coders either do not know how to produce clean code or have criminal intentions, secure apps are the exception rather than the rule.33 It is also worth bearing in mind that, as hardware continues to evolve, so too will the ability of mobile devices to run ever-more-sophisticated apps, possibly increasing the likelihood that bad code will slip by even when a vendor does vet an app for vulnerabilities.

Whether it is for traditional software applications or mobile device apps, software development has become a sprawling global enterprise. Opportunities abound for faulty code to be introduced, either inadvertently or by design. For example, it is common practice for coders to re-use program components offered by third party–operated open source code libraries such as GitHub and Bitbucket. Failure to vet re-used third party code for errors has led to the introduction of widespread and significant vulnerabilities in airport surveillance cameras, and in sensors, networking equipment and Internet of Things devices.34

Integrated circuit chip production has also gone global.35 By 2005, most chips were being manufactured in chip foundries located in Taiwan.36 Today, Taiwan still leads in production, but South Korea is catching up, and China has seen the largest overall increase in capacity growth.37

Of course, even if it were possible to relocate the entire IT supply chain onshore,38 adversaries could always influence employees and target parts of the chain, using techniques such as , to introduce vulnerabilities. Western allies, Canada included, have more than a passing acquaintance with IT supply chain infiltration. In 2006, for example, the United States National Security Agency (NSA) – with the possible knowledge of its Canadian counterpart, the Communications Security Establishment39 – is reported to have paid a well-known U.S. cryptography product vendor and the International Organization for Standardization to promote an encryption methodology containing a backdoor.40 Even further back in time, in 1983, a Soviet gas pipeline in Siberia suffered a spectacular explosion which was attributed to a U.S. Central Intelligence Agency–run deception operation that delivered malware-embedded software into the hands of the KGB. For years, KGB agents had been illegally acquiring technology from the West and this was payback.41 A Canadian company is said to have played a key role in delivering this Trojan horse into Soviet hands.42

3.2.2 CYBER SUPPLY CHAIN INSECURITY

Given the aforementioned, it should hardly come as a surprise that cyber supply chain security43 has become a key concern, with some countries, such as the United States, favouring an outright ban on the use of software and hardware components from countries of national security concern, such as China or Russia, in critical systems.44 For their parts, China and Russia appear to be mirroring aspects of U.S. policy.

On 1 June 2017, for example, a new cybersecurity law came into force in China. Among other things, it empowers the China Information Technology Security Evaluation Center, an office in the Ministry of State Security, to request source code and other intellectual property of tech suppliers operating in the country.45

On 8 September 2017, media reports cited Russian President Vladimir Putin as saying Russian technology firms could lose government contracts if they use foreign-sourced software that Russia deems a national security risk.46 In the meantime, Russia is requiring Western IT security product vendors to hand over source code so that Federal Security Service–accredited labs and the Federal Service for Technical and Export Control (a Ministry of Defence agency whose mandate includes countering cyber espionage) can search for exploitable vulnerabilities and intelligence agency–created backdoors.47 In some instances, Russia is permitting these source code inspections to take place in the vendor’s own secured facilities.48

Other countries, including Canada and the United Kingdom, have also reserved the right to formally test the trustworthiness of these types of foreign-sourced products prior to using them.49

3.2.3 THE CYBERSECURITY DILEMMA

As the growing demand to inspect foreign IT products for backdoors indicates, cybersecurity is hard because we do our best to make it that way. Sometimes exploitable vulnerabilities are deliberately built into IT products at the behest of national security agencies, and sometimes they are simply discovered after a product has come to market. When national security agencies discover or acquire knowledge about a significant vulnerability from underground sources, they often keep quiet about what they know so that they can use the vulnerability to enable signals intelligence collection through cyber operations. Vendors may either be unaware of these so-called “zero-day” flaws or may not yet have engineered a patch for them. An average of 6.9 years can go by before individuals and organizations operating devices and networks with these vulnerabilities learn of their exposure to attack by criminal or state actors.50

This “keep quiet” approach has been referred to in the national security community as “NOBUS,” short for “Nobody But Us.” Cybersecurity scholar Ben Buchanan believes NOBUS has become untenable.51 NOBUS, he says, is based on the mistaken notion that the United States and its Five Eyes signals intelligence partners52 can maintain a monopoly on knowledge about vulnerabilities in the global information infrastructure and, by virtue of this monopoly, control the cybersecurity outcomes. Edward Snowden’s leaks, globalization of the cyber supply chain, efforts to assert national sovereignty over the infrastructure of cyberspace (discussed in greater detail below), not to mention efforts by non-allied nations to verify software source code, are just a few of the reasons why NOBUS is untenable, argue Buchanan and other observers.53 In many ways, NOBUS is security through obscurity and too much has come and is coming to light for this approach to continue working in any predictable manner.

In the wake of the May 2017 “WannaCry” and “Petya” ransomware attacks, attacks that used leaked NSA cyber exploitation tools and affected critical infrastructures in 65 countries, government stockpiling of zero-days has come under fire.54 Pushing back against calls for the NSA to end this practice, recently retired NSA Deputy Director Rick Ledgett said such a move would be “tantamount to unilateral disarmament in an area where the U.S. cannot afford to be unarmed.”55 He argued that “[n]either our allies nor our adversaries would give away the vulnerabilities in their possession,” adding that, “our doing so would probably cause those allies to seriously question our ability to be trusted with sensitive sources and methods.”56

Unlike other members of the Five Eyes group, the United States has permitted some insight into the interagency process it uses to assess the risks of disclosing or retaining information on zero-days, the Vulnerabilities Equities Process (VEP). For example, in the wake of the 2014 security vulnerability scandal,57 Special Assistant to the President and Cybersecurity Coordinator Michael Daniel discussed the process in detail in a White House blog post.58 Canada has not been so forthcoming about its own VEP.59

On 17 May 2017, a bill that would codify the VEP into law was introduced into both the United States Senate and House of Representatives.60 Significantly, the bill calls for the VEP to include an assessment of the risks to foreign countries and their citizens posed by not sharing or releasing information about vulnerabilities. With respect to the United States’ Five Eyes allies, including Canada, these risks might include loss of an important signals intelligence collection method that they had a hand in discovering.

3.2.4 “GOING DARK”

The recurrent “going dark” debate over strong encryption raises a similar cybersecurity dilemma. The term “going dark” refers to the loss of access by law enforcement and national security agencies to the communications of targeted individuals. Put simply, more Internet service providers and individuals are starting to take cybersecurity seriously, and this makes the work of law enforcement and national security agencies much more difficult. For example, major Internet service providers have started to offer end-to-end encryption,61 following Edward Snowden’s 2013 leaks about a Five Eyes program called MUSCULAR under which signals intelligence agencies bypassed the need to obtain a warrant to collect communications from private-sector service providers, instead tapping directly into the international networks these providers use to transmit customer communications.62 Hoping to win back consumer trust, major providers, such as Google, Facebook and Apple, now offer encryption-secured messaging and email applications.63

Some of Canada’s allies argue that this end-to-end encryption thwarts their ability to detect and disrupt terrorist plots. Following a Five Eyes meeting of public safety, immigration and justice ministers held in Ottawa in June 2017, Australian Prime Minister Malcolm Turnbull called on telecommunications companies to voluntarily ban all systems that enable end-to-end encryption, while British Home Secretary Amber Rudd opined that “real people” do not require end-to-end encryption.64 Here in Canada, Royal Canadian Mounted Police (RCMP) Commissioner Bob Paulson told reporters in November 2016 that law enforcement agencies need legal remedies to enable access to encrypted information because “there’s criminal activity going on every day that’s facilitated by technology that we aren’t acting on.”65 According to media reports, in a 23 June 2016 briefing note prepared for Canada’s National Security and Intelligence Advisor and released under the Access to Information Act, the RCMP depicted itself as falling behind its Five Eyes counterparts with respect to digital investigative capabilities.66

Counter-arguments to these calls to weaken encryption are coming from some surprising sources. Two recently serving heads of signals intelligence agencies – Michael Hayden and Robert Hannigan, former directors of the NSA67 and the United Kingdom’s Government Communications Headquarters, respectively – have spoken out against building backdoors into encryption, saying the overall costs to cybersecurity would be too high. Both men appear to believe that a better approach for national security agencies is to attack endpoint weaknesses – for example, suboptimal user security practices or vulnerabilities in software running on user devices68 – rather than the encryption algorithm itself.69

3.3 PROPOSED CYBERSECURITY SOLUTIONS

3.3.1 CAN THE INTERNET BE FIXED?

By now, most people understand that they face risk every time they go online to bank, make a purchase, or send a text. A smaller number understands that the problem lies with how the Internet was designed. The Internet was built for survivability, not security. The Transmission Control Protocol and Internet Protocol (TCP/IP) – the engineering standard underpinning the Internet – was developed in a time when people worried about partial destruction of the existing network by nuclear weapons. TCP/IP therefore ensures information gets to where it needs to go by breaking it up into lots of data packets and then using whatever viable route exists to deliver these data packets to their final destination for reassembly.

In the TCP/IP architecture, the focus is on connectivity, not content – TCP/IP delivers data packets reliably but without regard to what is being sent. Almost since the inception of the Internet, however, malicious actors have exploited its blindness in order to send data packets embedded with harmful payloads or to simply open the packet delivery “floodgates” against others in DDoS attacks. As connectivity has become both ubiquitous and continuous, so, too, has online criminality. By some estimates, cybercrime will cost the global economy $6 trillion a year by 2021.70

It may come as a surprise, then, that the technology which can eliminate most forms of online maleficence has existed – indeed, has been in use – for nearly 20 years. The inventor of this technology, called the Handle System,71 is Robert Kahn, an American, who, along with another American, Vinton Cerf, invented the TCP/IP standard.72 Put simply, the Handle System takes the focus away from moving around data packets and instead re-envisions the Internet as a giant database where the emphasis is placed on gaining access to “digital objects” such as web pages, research papers or Internet-connected devices.

Under Kahn’s system, these digital objects are assigned persistent identifiers, called handles. Handles provide metadata about an object, such as where it is available, what formats it is available in, who is permitted access to it, and whether payment is required for access. In a privacy-respecting scenario, persons wanting access to a resource should be permitted to retain some anonymity, creating a user identity that is used for that service alone. Libraries and academic institutions were early adopters of this system, using handles to identify and manage access to information resources in their possession.73

Viewed through a security lens, digital object identification is attractive because it enables greater and more granular control over Internet-connected resources. As more and more devices join the Internet of Things (IoT), the Handle System would seem to offer some hope that these Internet-connected objects, such as dolls, refrigerators and fish tanks,74 will not be turned against us.

But, of course, unique identifiers can also be applied to people, enabling greater control over their online and offline lives. It is not by coincidence that China, Russia and are all enthusiasts of an implementation of the Handle System called the Digital Object Architecture (DOA). Each of these countries has been criticized by human rights groups for their heavy-handed approach to civil liberties.75 China and Russia have long been clear that they see the goal of cybersecurity as securing information rather than information systems.76 At the November 2016 meeting of the United Nations’ International Telecommunication Union (ITU)77 World Telecommunication Standardization Assembly in Tunisia, they were among those countries that pushed hard to have a series of resolutions to incorporate the DOA in the ITU’s work adopted.

Arguing that such a move would run contrary to the ITU’s technology-neutral tradition – DOA is a proprietary technology, and a private corporation called the DONA Foundation administers the Global Handle System – a number of countries (including Canada), led by the United States, successfully defeated each of the six resolutions attempting to incorporate DOA by name.78 This is not the first time that the ITU has served as a battleground for control over the Internet, nor is it likely to be the last.

3.3.2 INTERNET GOVERNANCE

In 2015, at the Tenth Plenipotentiary Conference of the ITU in Guadalajara, Mexico, Russia and a group of former Soviet nations proposed that the ITU take over the work of the Governmental Advisory Committee (GAC) to the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is an internationally organized, non-profit organization that has been coordinating the assignment of IP address space, top-level domain names79 and other technical elements that keep the Internet functioning.80 Essentially, ICANN controls the Internet’s “address book.” In keeping with ICANN’s multi-stakeholder, consensus-driven model, GAC is just one entity among many that drive ICANN’s work. Other ICANN stakeholders include private sector corporations, technical experts and academics, civil society organizations and members of the public.

Russia’s bid to have the ITU take over GAC’s work failed, but had it succeeded, the changes to Internet governance would have been profound. The ITU operates under a system of “one nation, one vote.” It is for this reason that Canada and its allies have fought hard to ensure that matters related to Internet governance and cybersecurity stay off of the ITU’s agenda. Given the success that a collection of authoritarian regimes have had in making the Handle System the de facto approach to identity management for the IoT, it is clear that leaving decisions that have implications for cybersecurity to states alone could have serious implications for Internet freedom. Implemented without thought for human rights, the Handle System or, for that matter, any technology that is used to permanently assign unique identifiers to devices and people,81 is an ideal way for authoritarian regimes to lock down their part of the Internet.

3.3.3 THE UNITED NATIONS GROUP OF GOVERNMENT EXPERTS IN THE FIELD OF INFORMATION AND TELECOMMUNICATIONS IN THE CONTEXT OF INTERNATIONAL SECURITY

Up until recently, there had been some reason to hope international consensus might eventually be achieved on how states conduct themselves in cyberspace. Efforts to examine norms of behaviour in cyberspace have been taking place in the United Nations Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) since its establishment in 2004. Canada was a member of the UN GGE in 2012–2013 and in 2016–2017.

The UN GGE is credited with setting the global cybersecurity agenda and promoting the norm that international law applies to state behaviour in cyberspace.82 While not legally binding, UN GGE reports have served to articulate norms of behaviour and support for confidence- and capacity-building measures. For example, in 2015, UN GGE members agreed that

[a] State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.83

However, in its most recent working group meeting, held from 19 to 23 June 2017, the UN GGE was unable to achieve consensus on the issue of what options nations should have to respond to cyberattacks and what role, if any, the UN has in sanctioning cyberattackers. Some believe that the UN GGE’s inability to agree on these key issues, as well as the ongoing flouting of agreed norms through attacks on critical infrastructure, place this forum’s future in question.84 At the very least, the UN GGE impasse highlights the fact that many of the core questions surrounding cyber operations remain unsettled.

China is among those nations that have refused to engage on the specifics of how current international law should be applied in cyberspace. Along with Russia, it has for some time argued that, rather than discussing how to regulate cyber warfare using existing international law, nations should be working through the UN to develop a treaty. In this connection, China, Russia, Kazakhstan, Kyrgyzstan, and Tajikistan have repeatedly proposed a draft international code of conduct for information security which they developed in 2011. A revised version of this proposed code was submitted to the UN Secretary-General in 2015,85 two years after China had indicated in the UN GGE’s 2012–2013 consensus report that it accepted that international law – including the United Nations Charter86 – applies in cyberspace.87

In a 17 August 2017 paper, U.S. legal expert Julian Ku examined China’s views of the law of jus ad bellum – the conditions under which states may go to war or use armed force – and how these views might inform its thinking on cyber warfare.88 Ku notes that though China’s interpretation of the law of jus ad bellum – as codified in the United Nations Charter – accepts the use of force against an armed attack, China has a much narrower view than the United States of the circumstances under which states may legitimately use force and under which they can claim self-defence. Essentially, says Ku, China is of the view that, except for self-defence, all decisions to use force should be sanctioned by the UN Security Council. Ku goes on to state that:

Chinese scholars are uniformly skeptical of any right to self-defense before an actual armed attack has occurred. While they follow the “imminence” requirement stated in the famous Caroline case,89 neither are they willing to accept any loose or broad definition of this requirement.90

For these reasons, argues Ku, Chinese interpretation of jus ad bellum holds that the mere planning of an armed attack cannot be considered an armed attack triggering self-defence.

3.3.4 TALLINN MANUAL 2.0 ON THE INTERNATIONAL LAW APPLICABLE TO CYBER OPERATIONS

Unlike China, the United States (and, presumably, close allies like Canada91) appears to believe that there may be circumstances where anticipatory self-defence can be justified long before a cyberattack rises to the level of an armed attack. These circumstances are discussed in Rule 73 of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Tallinn Manual).

Now in its second iteration, the Tallinn Manual is a non-binding but highly influential examination of the application of international law to cyber operations. Led by American legal scholar Michael Schmitt, a multinational group of international law experts, drawn mainly but not exclusively from NATO member countries, drafted the manual. Canada participated in the drafting of both iterations. China also contributed its thoughts on the draft92 but, according to Ku, Chinese media and scholars expressed widespread skepticism about the final version.93

Though Rule 73 in the Tallinn Manual acknowledges division on the issue of anticipatory self-defence, it states that the majority of the international group of experts responsible for drafting the manual rejected a strict temporal analysis, favouring instead the idea of “last window of opportunity” as being the correct standard. According to Rule 73, “[t]his window may present itself immediately before the attack in question, or, in some cases, long before it occurs.”94 However, the Tallinn Manual also notes that the majority view was that the “last window of opportunity” should not be viewed as a licence to dispense with the temporal standard completely. The further an attack is from being realized, they argued, the greater the likelihood that other response options will be available.

4 OBSERVATIONS AND CONCLUSIONS

As the preceding discussion highlights, cybersecurity is a challenging and multi-dimensional issue that draws the attention of many stakeholders. Technical solutions offer both promise and peril. Strong encryption and privacy-protective Internet protocols enable citizens to engage in commerce and conversation without fear. However, such protections also enable criminality and complicate the work of national security and law enforcement agencies significantly.

The seeming trend towards states demanding to inspect source code prior to deploying IT products, coupled with continued advancements in code inspection tools, may provide a sense of how we might go about re-establishing trust. Knowing that there is a good chance such inspections will uncover vulnerabilities and backdoors incentivizes developers to build things right in the first place. The trick will be in scaling up sound engineering and assurance testing at the system and network levels. This is not impossible, but it is challenging.95

Policy solutions, specifically those concerning Internet governance and cyber norms, offer starkly different views of the way ahead. Governed by states alone, the cyber domain could certainly be made more secure, but Canada and its allies believe this solution would come at an unacceptable cost to human rights. Governed as it is now by a broad array of interested parties working through an equally broad array of international fora, the Internet is relatively free and open, but there is no guarantee that it will remain that way. States such as Russia and China have already shown their determination to exert sovereign control over their cyberspace through such measures as requiring the localization of data storage, blocking access to Internet content and regulating the use of virtual private networks.

NOTES

1. Andy Greenberg, “How An Entire Nation Became Russia’s Test Lab for Cyberwar,” Wired, 20 June 2017. Dragonfly, the Russia-connected threat agent believed to be behind the attacks on Ukraine, has also been implicated in a long-running campaign of reconnaissance activities against European Union, United States and Canadian energy infrastructure. See Kevin Poulsen, “Russia-Linked Hackers Breached 100 Nuclear and Power Plants Just This Year,” Daily Beast, 6 September 2017.

2. Greenberg (2017).

3. However, a hospital in Oshawa, Ontario, said its anti-virus software stopped an attempted infection by blocking an incoming email containing WannaCry malware. See Howard Solomon, “WannaCry just a taste of NSA-charged cyber attacks to come,” IT World Canada, 15 May 2017; and Nicole Thompson, “‘We were lucky’: Massive ‘WannaCry’ cyberattack avoids Canada,” Globe and Mail, 13 May 2017.

4. Howard Solomon, “Canada helped confirm North Korea behind Wannacry ransomware, says U.S.,” IT World Canada, 19 December 2017.

5. Jacob Kastrenakes, “Petya virus is something worse than ransomware, new analysis shows,” The Verge, 28 June 2017. See also Alex Hern, “‘NotPetya’ malware attacks could warrant retaliation, says Nato-affiliated researcher,” , 3 July 2017.

6. “UK and US blame Russia for ‘malicious’ NotPetya cyber-attack,” BBC News, 15 February 2018.

7. Brian Krebs, “Alleged vDOS Operators Arrested, Charged,” Krebs on Security blog, 9 August 2017.

8. United States District Court for the Northern District of California, United States of America v. Dmitry Dokuchaev, aka “Patrick Nagel,” Igor Sushkin, Alexsey Belan, aka “Magg,” and Karim Baratov, aka “Karim Taloverov,” aka “Karim Akehmet Tokbergenov”, 28 February 2017. See also Kevin Poulsen, “Russian Spies’ Hacker-for-Hire Pleads Not Guilty to Cracking Yahoo,” Daily Beast, 23 August 2017; Kelly Bennett, “Karim Baratov, alleged Yahoo hacker, pleads not guilty in U.S. court,” CBC News, 23 August 2017; and “Karim Baratov, the Canadian man accused in Yahoo hack, pleads guilty in American court,” Toronto Star, 28 November 2017.

9. United States Department of Homeland Security and Federal Bureau of Investigation, GRIZZLY STEPPE – Russian Malicious Cyber Activity, Joint Analysis Report, JAR-16-20296A, 29 December 2016.

10. See Thomas Rid, “How Russia Pulled Off the Biggest Election Hack in U.S. History,” Esquire, 20 October 2016. For a detailed discussion of Russia’s broader active measures campaign, see Garrett M. Graff, “A Guide to Russia’s High Tech Tool Box for Subverting US Democracy,” Wired, 13 August 2017.

11. See Christopher Paul and Miriam Matthews, “The Russian ‘Firehose of Falsehood’ Propaganda Model: Why It Might Work and Options to Counter It,” Perspective, RAND Corporation, 11 July 2016. To read more about the use of bots to spread propaganda, see The Computational Propaganda Project, Oxford Internet Institute, University of Oxford.

12. is software that is secretly implanted on a targeted computer so as to enable covert monitoring of its user.

13. John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Masashi Crete-Nishihata and Ron Deibert, Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware, The Citizen Lab, 19 June 2017.

14. Or, more accurately, a systems administrator needs to be concerned about maintaining the confidentiality, integrity and availability of data and systems.

15. Freedom Online Coalition, “Blog #8: Why do we need a new definition for cybersecurity?,” Freedom Online Coalition Working Group 1 Blog Series, updated September 2015, accessed 20 January 2018. Please note that with the inclusion of “availability, confidentiality and integrity,” this definition incorporates the ISO 27000 definitions of these terms. ISO, which stands for “International Organization for Standardization,” is an independent, non-governmental organization headquartered in Geneva, Switzerland.

16. See “Blog #10: Four common myths about human rights and security in cyberspace” (post adapted from remarks made by Michael Walma, Cyber Coordinator for Global Affairs Canada, at the Freedom Online Coalition Working Group 1 workshop on “A Multistakeholder and Human Rights Approach to Cyber Security,” at the 10th annual Internet Governance Forum in João Pessoa, Brazil, 10–13 November 2015), Freedom Online Coalition Working Group 1 Blog Series, accessed 20 January 2018.

17. Though some cyber exploits, such as side-channel attacks that analyze power usage to glean information about the encryption key used to secure data on a computer, are enabled by flaws in the hardware or firmware from which computers and computer networks are fabricated, poorly designed and tested software provides the basis for most attacks. Nonetheless, security experts highlight two recently announced cyber vulnerabilities referred to as “Spectre” and “Meltdown” as evidence of the growing threat posed by design flaws at the microprocessor level. See Bruce Schneier, “The Effects of the Spectre and Meltdown Vulnerabilities,” Schneier on Security blog, 26 January 2018.

18. For example, see Esther Shein, “How AI is Changing Software Development,” Communications of the ACM, 26 January 2017.

19. Current trends indicate that broadband subscriptions are growing at a 20% annual rate, with China leading the way. To read more on international ICT trends, see United Nations International Telecommunication Union [ITU], ICT Facts and Figures 2017.

20. For example, Burnaby, British Columbia–based D-Wave Systems is the world’s first and largest quantum computing company. Google has purchased every system D-Wave has produced and has a multi-year contract to buy every system it will produce. To learn more about quantum computing and D-Wave, listen to Rob Reid, Quantum computing’s terrifying promise, Podcast posted on Boing Boing blog, 6 September 2017.

21. Davide Castelvecchi, “China’s quantum satellite clears major hurdle on way to ultrasecure communications,” Nature, 15 June 2017. Quantum computing, when it becomes viable, will have enormous impact on a pillar of cybersecurity – encryption. First, the enormous processing capacity of quantum computers will make child’s play of breaking most, if not all, existing encryption keys that rely on computationally difficult-to-solve algorithms. Second, being based on physics, not math, quantum cryptography is expected to usher in an era of unbreakable encryption.

22. Saheli Roy Choudhury, “Chinese tech giant Huawei sees 15% revenue jump in first half,” CNBC, 27 July 2017.

23. “Huawei narrows gap with Samsung, Apple in smartphone sales: Gartner,” , 23 May 2017.

24. Steve Song, Unlocking Affordable Access in Sub-Saharan Africa, Global Commission on Internet Governance, Paper Series no. 43, Centre for International Governance Innovation and Chatham House, November 2016.

25. CSquared website.

26. Project Loon website.

27. Mark Zuckerberg, “The technology behind Aquila,” Facebook, 21 July 2016.

28. Li Yan, “Chinese company builds network to boost internet access in Africa,” People’s Daily Online, 29 March 2017.

29. , Game of Phones: Deloitte’s Mobile Consumer Survey – The Africa Cut 2015/2016, 30 August 2016, p. 32.

30. According to BlackBerry Chief Operating Officer and General Manager for Devices Ralph Pini, investment in hardware development only pays off in instances where the vendor is vertically integrated and the creation of a vendor-controlled “eco-system” is the goal. See Pini’s explanation of BlackBerry’s 2016 decision to cease manufacturing hardware. Brian Heater, “BlackBerry’s device head outlines the company’s post-hardware future,” TechCrunch, 29 September 2016.

31. Benedict Evans, an analyst with Silicon Valley–based firm Andreessen Horowitz, projects that there will soon be 5 billion smartphone users world-wide. He notes that, as of June 2016, smartphone apps accounted for 60% of online time for the United States. See Benedict Evans, Mobile is eating the world (PowerPoint presentation), Andreessen Horowitz, December 2016.

32. For example, apps interact with the underlying operating system of the mobile device. They can also interact with back-end services, such as when a mobile banking app enables the user to transfer funds to third parties. In addition, it should be noted that malicious actors sometimes use counterfeit apps as a means to fool consumers into providing their credentials and other sensitive personal information during the process of downloading the app.

33. The security risks posed by free and open-source apps are well documented, but even apps that are developed in-house by ICT vendors have issues. A recent study by the Ponemon Institute of 640 businesses indicates that, on average, only 29% of mobile apps are tested for vulnerabilities and 33% are not tested at all. Sixty-nine percent of respondents in the Ponemon study cited pressure to release apps to market as the reason why they contain vulnerable code. Ponemon Institute, 2017 Study on Mobile & IoT Application Security, independently conducted on behalf of IBM and Arxan Technologies, January 2017 (requires free registration).

34. See, for example, Tom Spring, “Bad Code Library Triggers Devil’s Ivy Vulnerability in Millions of IoT Devices,” Threat Post blog, 19 July 2017.

35. Chips – they are sometimes also called “semiconductor chips” because the material they are made of, silicon, is a semiconductor – are the brain of digital devices. By turning switches on and off, the integrated circuits contained on chips translate binary code into action. Programmers normally work in natural language programs such as Perl or C++ but, at the hardware level, such inputs are read through a binary system of 1s and 0s. Typically, intermediary programs referred to as “compilers” convert programming language into machine language. To see natural language text converted to binary code, see Convert text to binary, unit-conversion.info.

36. Clair Brown and Greg Linden, Semiconductor Capabilities in the U.S. and Industrializing Asia, Presentation paper for Alfred P. Sloan Foundation Industry Studies 2008 Annual Conference, Boston, 1–2 May 2008, p. 4.

37. See IC Insights, “Taiwan Maintains Largest Share of Global IC Wafer Fab Capacity,” News release, 23 February 2017.

38. When U.S. national security observers talk about IT “onshoring” or “reshoring,” they generally mean moving all aspects of production back onto United States–controlled territory.

39. The New York Times has reported on leaked National Security Agency (NSA) memos that indicated that the Agency had seized control of a Communications Security Establishment (CSE)–led standards development process for dual elliptic curve cryptography. According to the New York Times article, one of the memos states, “After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft.” This language leaves open the possibility, observers have suggested, that CSE was aware of the NSA’s intentions and acquiesced. See Nicole Perlroth, “Government Announces Steps to Restore Confidence on Encryption Standards,” New York Times, 10 September 2013. See also the following note.

40. The faulty encryption technology refers to an algorithm in a pseudo-random bit generator known as Dual_EC_DRBG. Good sources of randomness are necessary to generate encryption keys that cannot be predicted and, for various reasons, the Dual_EC_DRBG algorithm has been shown to generate predictable outcomes. The NSA is reported to have paid a major U.S. manufacturer of encryption products, RSA, $10 million to make Dual_EC_DRBG the default entropy source in its encryption products, thus ensuring that the Agency had a backdoor to anything encrypted using keys derived from this source. See Nick Sullivan, “How the NSA (may have) put a backdoor in RSA’s cryptography: A technical primer,” Ars Technica, 5 January 2014. Reporting based on documents leaked by Edward Snowden alleges that the CSE may not have provided any effective opposition to the NSA’s promotion of Dual_EC_DRBG as an international standard. See, for example, Jesse Brown, “NSA says it ‘finessed’ Canada, seizing control of global crypto,” Macleans, 11 September 2013; Kim Zetter, “New Discovery Around Juniper Backdoor Raises More Questions about the Company,” Wired, 8 January 2016; and Omar El Akkad, “The strange connection between the NSA and an Ontario tech firm,” Globe and Mail, 20 January 2014.

41. Gus W. Weiss, “The Farewell Dossier: Duping the Soviets,” Studies in Intelligence, United States Central Intelligence Agency Center for the Study of Intelligence, 14 April 2007.

42. See Radio-Canada, Bon baiser du Canada (From Canada with Love), 10 January 2013. To view an excerpt from this documentary, where the president of the company is interviewed about the operation, see Vincent Frigon, “Bon baiser du Canada – From Canada with Love – Extrait 4,” YouTube, posted 10 January 2013.

43. Please note that, in discussing software and hardware manufacturing, this paper applies a narrow scope to the term “cyber supply chain security.” This term is also frequently used to reference the larger issue of the security risks posed by IT service vendors to organizations. For example, recent massive breaches of customer credit card information at Home Depot and Target exemplify this broader supply chain issue in that these attacks began with the hacking of third-party vendors. To read more on these incidents, see Brian Krebs, “Home Depot: Hackers Stole 53M Email Addresses,” Krebs on Security blog, 7 November 2014. To read more on supply chain security as it applies to software, see Carol Woody and Robert J. Ellison, Supply-Chain Risk Management: Incorporating Security into Software Development, Software Engineering Institute, Carnegie Mellon University, March 2010.

44. That said, the recent discovery that even the United States Department of Defense is using anti-virus products from a Russian vendor, Kaspersky, suggests that outright bans are difficult to enforce. See Nicholas Weaver, “On Kaspersky,” Lawfare blog, 25 July 2017; and Saqib Shah, “FBI reportedly advising companies to ditch Kaspersky apps,” Engadget, 21 August 2017.

45. Insikt Group, “China’s Cybersecurity Law Gives the Ministry of State Security Unprecedented New Powers Over Foreign Technology,” Recorded Future Blog, 31 August 2017.

46. “Putin tells Russia’s tech sector: Ditch foreign software or lose out,” CNBC, 9 September 2017.

47. Dustin Volz, Joel Schectman and Jack Stubbs, “Tech firms let Russia probe software widely used by U.S. government,” Reuters, 25 January 2018.

48. Joel Schectman, Dustin Volz and Jack Stubbs, “Under pressure, Western tech firms bow to Russian demands to share cyber secrets,” Reuters, 23 June 2017.

49. See United Kingdom Cabinet Office, National Security Secretariat, Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board Annual Report 2017: A report to the National Security Adviser of the United Kingdom, April 2017. See also Electronic Warfare Associates-Canada, Ltd. [EWA-Canada], High Assurance Testing; Nestor Arellano, “Ontario, Huawei Canada partner in $300M 5G project,” Canadian Government Executive, 9 March 2016; and Rose Behar, What Huawei’s historic 5G test means for the future of wireless in Canada, mobilesyrup, 17 July 2017.

50. For a study of the average life-span of zero-days and how they are used, see Lillian Ablon and Timothy Bogart, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits, RAND Corporation, 2017.

51. See Ben Buchanan, Nobody But Us: The Rise and Fall of the Golden Age of Signals Intelligence, Aegis Series Paper No. 1708, Hoover Institution, Stanford University, 30 August 2017.

52. The term “Five Eyes” refers to a signals intelligence alliance forged during the Second World War among the United States, the United Kingdom, Canada, Australia and New Zealand. This alliance persists and has served as the basis for cooperation among the national security and law enforcement agencies of these five countries. It should also be noted that CSE cooperates and shares information with foreign entities other than the Five Eyes group.

53. Respected U.S. cryptography expert Bruce Schneier has also long argued that NOBUS is “not a useful concept” and that the NSA’s cyber defence activities are too often overlooked in favour of cyber offence. See, for example, Bruce Schneier, “Simultaneous Discovery of Vulnerabilities,” Schneier on Security blog, 25 February 2016.

54. For a summary of recent expert commentary on the issue, see Taylor Armerding, “Should governments keep vulnerabilities secret?,” Naked Security, 1 August 2017. See also Bruce Schneier, “WannaCry and Vulnerabilities,” Schneier on Security blog, 2 June 2017; and Benjamin Dean, “‘Zero-day’ stockpiling puts us all at risk,” The Conversation blog, 4 August 2015.

55. Rick Ledgett, “No, the U.S. Government Should Not Disclose All Vulnerabilities in Its Possession,” Lawfare blog, 7 August 2017.

56. Ibid.

57. See Bruce Schneier, “Heartbleed,” Schneier on Security blog, 9 April 2014; and Valerie Boyer, “CSEC aware of Heartbleed bug day before CRA website shutdown,” CBC News, 16 April 2014.

58. Michael Daniel, “Heartbleed: Understanding When We Disclose Cyber Vulnerabilities,” The White House blog, 28 April 2014.

59. See, for example, Matthew Braga, “When do Canadian spies disclose the software flaws they find? There’s a policy, but few details,” CBC News, 6 September 2017.

60. The bill, the Protecting Our Ability To Counter Hacking [PATCH] Act of 2017, is sponsored by Senators Brian Schatz (D–Hawai’i), Ron Johnson (R–Wisconsin) and Cory Gardner (R–Colorado) and Representatives Ted Lieu (D–California) and Blake Farenthold (R–Texas). See United States Congress S.1157 – PATCH Act of 2017 and H.R.2481 – PATCH Act of 2017. For an overview of the proposed PATCH Act, see Mailyn Fidler and Trey Herr, “PATCH: Debating Codification of the VEP,” Lawfare blog, 17 May 2017.

61. End-to-end encryption ensures that only the sender and receiver can read an encrypted communication because the communication is encrypted directly on their device using a key that only they possess. To read further, see Andy Greenberg, “Hacker Lexicon: What Is End-to-End Encryption?,” Wired, 25 November 2014.

62. Zack Whittaker, Meet ‘Muscular’: NSA accused of tapping links between Yahoo, Google datacenters, ZDNet, 30 October 2013.

63. Danny Yadron, “Facebook, Google and WhatsApp plan to increase encryption of user data,” The Guardian, 14 March 2016.

64. Megan Squire, “End-to-end encryption isn’t enough security for ‘real people’,” The Conversation blog, 13 August 2017. See also Jim Bronskill, “Five Eyes alliance stress ‘more timely and detailed’ information sharing to detect terrorists,” Toronto Star, 28 June 2017. See also Public Safety Canada, Five Country Ministerial 2017: Joint Communiqué, 27 June 2017.

65. Robert Cribb, Dave Seglins and Chelsea Gomez, “Top Mountie lobbying PM for greater digital surveillance powers,” Toronto Star, 16 November 2016.

66. Ibid.

67. Michael Hayden also served as Director of the United States Central Intelligence Agency between 2006 and 2009, but he argues for strong encryption based on his experience as director of the NSA.

68. To read further on potential methods to gain access to plaintext content through endpoint vulnerabilities, see Orin S. Kerr and Bruce Schneier, “Encryption Workarounds,” 20 March 2017 draft, Georgetown Law Journal [forthcoming], and George Washington University [GWU] Law School Public Law Research Paper no. 2017-22, and GWU Legal Studies Research Paper no. 2017-22.

69. See Tom DiChristopher, “US safer with fully encrypted phones: Former NSA/CIA chief,” CNBC, 23 February 2016; and “End-to-end encryption back door ‘a bad idea’,” BBC News, 10 July 2017.

70. Steve Morgan, “Cybercrime damages expected to cost the world $6 trillion by 2021,” CSO, 22 August 2016.

71. See Corporation for National Research Initiatives, Overview of the Digital Object Architecture, 28 July 2012; and Sally Adee and Carl Miller, “We can stop hacking and trolls, but it would ruin the internet,” New Scientist, 9 August 2017.

72. Vinton Cerf often and erroneously receives sole credit for inventing the TCP/IP standard.

73. Under the current TCP/IP architecture, users must rely on an IP address to find a specific Internet-connected server and then on a Uniform Resource Locator [URL] to locate the specific directory on that server where the information resource they seek can be found. Anyone who has bookmarked an online article only to find that their link no longer works a week later knows the shortcomings of a non-handle system. So long as one keeps the metadata up to date, assigning a handle to an information resource solves the dead-link problem and ensures that the resource remains accessible to those who have a right to access it.

74. Selena Larson, “A smart fish tank left a casino vulnerable to hackers,” CNNTech, 19 July 2017.

75. See, for example, Freedom House, Freedom in the World 2018: Democracy in Crisis.

76. See, for example, Robert Coalson, “New Kremlin Information-Security Doctrine Calls For ‘Managing’ Internet In Russia,” Radio Free Europe/Radio Liberty, 6 December 2016. See also Timothy Thomas, “Information Security Thinking: A Comparison of U.S., Russian, And Chinese Concepts,” The Science and Culture Series, Nuclear Strategy and Peace Technology, International Seminar on Nuclear War and Planetary Emergencies, July 2001, pp. 344–358.

77. The United Nations International Telecommunication Union (ITU) is the United Nations’ specialized agency for information and communication technologies.

78. What Governments Decided on Digital Object Architecture for IoT, Wiley Connect blog, 8 November 2016. The blog post also notes that, though it does not specify Handles or the Handle System, the International Telecommunication Union’s overarching standard for discovery of identity management information is already based on the Digital Object Architecture. See also International Telecommunication Union, X.1255: Framework for discovery of identity management information, 4 September 2013. It should also be noted that DOA is considered by many to be a relatively old and flawed technology. For example, the ITU’s Study Group 20 currently has a work item examining counterfeiting based on DOA, which appears to be the basis for a resolution tabled in 2016 at the ITU’s World Telecommunication Standardization Assembly in Tunisia. See International Telecommunication Union, Telecommunication Standardization Sector of ITU (ITU-T), Resolution 96 – ITU Telecommunication Standardization Sector studies for combating counterfeit telecommunication/information and communication technology devices, Hammamet, Tunisia, 25 October–3 November 2016.

79. A top-level domain is the last segment of a domain name, or the part that follows the “dot” symbol, such as .com or .org.

80. Internet Corporation for Assigned Names and Numbers, About ICANN.

81. For example, IP version 6 (IPv6), the next iteration of the protocol used to denote address space on the Internet, could be implemented in such a way as to assign fixed IP addresses to every connected device on the planet. However, IPv6 addresses can also be implemented using privacy extensions that shield users’ identities by allocating them dynamically and randomly.

82. To read more, see United Nations Office for Disarmament Affairs, Developments in the field of information and telecommunications in the context of international security. See also Geneva Internet Platform (Digital Watch Observatory in partnership with the Internet Society), UN GGE.

83. United Nations General Assembly, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, 70th Session, Item 93 of the provisional agenda, No. A/70/174, 22 July 2015.

84. Though they ultimately support continued use of the UN GGE as the venue to discuss cyber norms, Melissa Hathaway, Joseph S. Nye and Eneken Tikk all raise questions in a recent report about what has been accomplished to date. See Fen Osler Hampson and Michael Sulmeyer, eds., Getting beyond Norms: New Approaches to International Cyber Security Challenges, Centre for International Governance Innovation, 7 September 2017.

85. See United Nations General Assembly, Letter dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General, 69th Session, Agenda item 91, No. A/69/723, 13 January 2015.

86. United Nations, UN Charter.

87. See United Nations General Assembly, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, 68th Session, Item 94 of the provisional agenda, No. A/68/98, 24 June 2013 (reissued for technical reasons on 30 July 2013).

88. Julian Ku, How China’s Views on the Law of Jus ad Bellum Will Shape Its Legal Approach to Cyberwarfare, Aegis Series Paper No. 1707, Hoover Institution, Stanford University, 17 August 2017.

89. The “Caroline case” refers to a historical event that gave rise to the doctrine of anticipatory self-defence. In 1837, a diplomatic crisis arose when an American ship supporting Canadian rebels, the Caroline, took refuge on Navy Island on the Niagara River with the help of some nearby Americans. Crossing the international boundary, British forces then boarded the Caroline, killing an American crew member in the process. After towing the ship into the current, the British set it ablaze and sent it over the Niagara Falls. The British later claimed that they attacked the Caroline in self-defence. In response, the U.S. Secretary of State argued that the claim of self-defence could only be justified where the response is proportionate and the threat is instant and overwhelming, leaving no choice, and no time for deliberation. These elements eventually came to be referred to as the “Caroline test.” See Christine D. Gray, International Law and the Use of Force, 3rd ed., Oxford University Press, 2008; and Ryan J. Hayward, “Evaluating the ‘Imminence’ of a Cyber Attack for Purposes of Anticipatory Self-Defense,” Columbia Law Review, Vol. 117, No. 2.

90. Julian Ku (2017), p. 14.

91. Indeed, in the Communications Security Establishment’s own words, “CSE’s foreign signals intelligence has played a vital role in … [p]roviding early warning to thwart foreign cyberthreats to Government of Canada and critical information infrastructure and networks.” (Communications Security Establishment, Foreign signals intelligence.) Bill C-59, An Act respecting national security matters, proposes to create a new CSE mandate that would enable it to engage in “active cyber operations” to “degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.” This would appear to set the stage for CSE to undertake anticipatory self-defence operations. See Bill C-59, An Act respecting national security matters, 1st Session, 42nd Parliament, s. 20 of the proposed Communications Security Establishment Act, found in cl. 76 of the bill (first reading on 20 June 2017).

92. Professor Zhixiong Huang from the Wuhan University Institute of International Law is listed as a member of the International Group of Experts who contributed text for consideration.

93. Julian Ku, “Tentative Observations on China’s Views on International Law and Cyber Warfare,” Lawfare blog, 26 August 2017.

94. “Rule 73 – Imminence and immediacy,” in Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, 2nd ed., ed. Michael N. Schmitt, Prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence, Cambridge University Press, 2017, p. 351.

95. Protection of intellectual property is, of course, another important concern. An international legal regime for copyright protection certainly exists, but not all states are party to each convention and not all convention members live up to their obligations equally. For example, China is a member of the World Trade Organization TRIPS [Trade-Related Aspects of Intellectual Property Rights] Agreement and the WIPO [World Intellectual Property Organization] Copyright Treaty (WCT), both of which would cover software code. However, Chinese companies have frequently been accused of copyright infringement, and stealing intellectual property has been a key aspect of Chinese espionage activities since the late 1970s. At the same time, China’s 2008 national intellectual property strategy suggests that it intends to become capable of generating, using and protecting intellectual property by 2020. See V. K. Unni, “Specialized Intellectual Property Enforcement in China: Implications for Indian Companies,” LiveLaw.in blog, 6 September 2017; and United Kingdom Intellectual Property Office, Software Copyright Registration in China, know before you go, re-posted by Berkman Klein Center for Internet & Society at Harvard University, 2013.
