OTTAWA — Fears over digital threats to Canada’s critical infrastructure — concerns that may be misplaced — are fuelling an arms race that experts believe countries need to better control, especially after the discovery of a powerful online surveillance tool on a Canadian commercial server.
Federal law prohibits the sale or transfer of technology that would allow anyone to hack into a computer or network. Domestic law enforcement agencies, such as local police and the RCMP, are responsible for enforcing the law in Canada; the Canada Border Services Agency polices the import and export of such technology.
Experts suggest that traditional ways of thinking about arms control can’t apply to cyberspace, where passing software around the world can be done easily and beyond the control of governments.
“We’re in a classic arms race,” said Ron Deibert, director of Citizen Lab, an elite research centre that monitors how countries use cyberspace. “That’s a pretty dangerous situation to be in when we’re talking about the domain of war fighting not being the land, sea or space, but the ecosystem of information.”
International experts will gather Monday in Toronto to determine how nations can regulate a market where private companies are developing products and countries are developing digital capabilities, with all concerned that doing nothing could lead to a cataclysmic event that could take down networks controlling power grids or water systems.
That worst-case scenario has materialized into a phrase top American defence officials have used repeatedly in the last few months: A “cyber Pearl Harbor.” Those fears, however, may be misplaced, according to a Department of National Defence briefing note.
That briefing note, sent to Canada’s top soldier in April of last year, paraphrased panelists at a CSIS security forum who argued that a cyber-attack taking out large portions of the country’s critical infrastructure “would be very difficult.”
“The complexity of the U.S. power grid would make it very difficult for any entity to commit a cyber attack that would cause it to shut down entirely,” said the briefing note. “An attack on the grid would likely only affect an isolated area and would be aimed more at undermining a population’s confidence in essential public services than crippling the economy.”
Postmedia News obtained the briefing note under the access to information law.
“There are a lot of people who benefit from hyping the situation and using the fear of these threats to defend huge defence expenditures or civil liberties’ violations,” Deibert said.
One such piece of technology was revealed last week to have made its way onto a Canadian network. The discovery by Citizen Lab researchers of a product called FinFisher raised questions about how the software made its way to Canadian commercial servers, and more questions about who was using it and for what ends.
As the name suggests, the program allows its owners to gain sweeping access to personal computers, private emails and conversations — all without the knowledge of the target.
“What you’re seeing here is that the rule of law doesn’t really apply,” said Tom Kellermann, a vice-president of cyber-security for IT firm Trend Micro. “Right now you have this ‘lord of war,’ arms bazaar of cyber-weaponry.”
In response, countries have created military units dedicated not only to defending domestic networks from attacks through cyberspace, but also to having the capability to launch a digital strike against an enemy. Last week, the head of U.S. Cyber Command, Gen. Keith Alexander, told American legislators that his “defend-the-nation team” is also “an offensive team” that would “defend the nation if it were attacked in cyberspace.”
Developing and trading the technology allowing for attacks on portions of, for instance, the power grid, has been made possible largely because countries have yet to agree on an international framework to control the trade of such technology, or on punishments for hackers who steal or destroy information on target computers.
“The real problem that nation states have right now is that you’ve emboldened the non-state actors of the world to realize this (attack) is plausible,” Kellermann said. “This is a tremendously significant shift because of the lack of international cooperation and prosecution.”
Deibert said experts coming to the University of Toronto event Monday are split on how to approach the matter. Some argue that regulation would be futile unless every country in the world agrees to the same norms. Others argue that focusing on technology misses the real problem of why the technology is being used.
“It’s possible for both to be right. It’s something that at least (requires) some considered dialogue,” he said.