The ubiquitous presence of the Internet and the growing dependency on it for a wide spectrum of human activity has naturally given rise to concerns about the security of cyberspace. According to current estimates, 26 percent of the world’s population, or 1.7 billion people, use the Internet. At all levels, from states to private citizens, reliance on the Internet is growing and interests from national security to individual financial ones are engaged and potentially at risk from cyber attack.
Concerns over cyber security have led several states to formulate national cyber security strategies to address threats to cyberspace. The United States unveiled its strategy in May 2009, the UK in June 2009 and Australia released its national strategy in October 2009. In the Speech from the Throne in March 2010 the Canadian government indicated its intention to set out a national blueprint for cyber security and released its own strategy in early October. Understandably, much of the focus of these national strategies is on developing the domestic capacities to counter cyber crime and other threats to cyber security. At the same time, the Internet is quintessentially a global instrument, and securing cyberspace will necessarily require international cooperation.
The realm of international relations is normally governed by the foreign policy of states. Cyber experts in Canada have decried the apparent lack of a foreign policy for cyberspace. In the words of one leading observer, University of Toronto’s Ron Diebert: “At present, Canada has no foreign and security policy for cyberspace. There is no Canadian Cyber Command, such as that which was recently stood up in the United States, nor does Canada have an Office of Cyberspace in Foreign Affairs. We are not only miserably behind other countries in this respect; we have not even begun to form a strategic policy.”
Of course, policy is more than just the institutional trappings of military commands or divisions within a foreign ministry. It is developing a set of objectives linked to some primary values and interests of a state that governs its interaction in the international arena. While one might search in vain for a volume on a foreign affairs department shelf (or a document on its Web site) entitled “A Cyber Foreign Policy for Canada,” it would be wrong to assume that the emerging phenomenon of cyber security is not being taken into account in the conduct of Canada’s foreign policy. That policy reflects enduring Canadian values and interests, such as advocating respect for human rights, promoting the rule of law and fostering democracy. Contributing to national and global peace and security, economic prosperity and individual and social well-being are key goals of Canada’s international relations. The cyber realm, like other major technological innovations before it, will over time be integrated into the foreign policy of states and the international system as a whole.
This article describes some of the varied activities and forums related to cyberspace, and cyber security in particular, in which Canada is currently engaged. It will also consider some of the challenges facing Canada in defining its cyber foreign policy and possible areas of focus for the nation in this vast and rapidly changing field. One of the principal reasons why foreign policy approaches to cyberspace are only now emerging, is that this realm has developed largely outside the sphere of state-to-state relations that foreign policy normally addresses.
The Internet has been a creation of civil society, and many consider its governance should best be left to nongovernmental entities. Informal associations, such as the Internet Corporation for Assigned Names and Numbers (ICANN), have provided the basis for administering the domain name systems that are at the heart of the Internet. Many users of the Internet believe that this global tool for the free flow of information and human interaction must be protected from those forces that would seek to control or manipulate it for political or commercial purposes.
While one might search in vain for a volume on a foreign affairs department shelf (or a document on its Web site) entitled “A Cyber Foreign Policy for Canada,” it would be wrong to assume that the emerging phenomenon of cyber security is not being taken into account in the conduct of Canada’s foreign policy.
At the same time, the growing importance of the Internet and its potential to connect directly with individuals, without going through “official channels,” has prompted increased attention on the part of governments around the world. There is a predisposition on the part of many states to want to develop some form of regulation of cyberspace, akin to the regulations that have governed earlier forms of telecommunication and broadcasting. As an emerging global public policy challenge, the use of cyberspace is being subjected to scrutiny by the international community, Canada included, and the first outline of a multilateral governance system is beginning to take shape.
At the level of international relations and the United Nations, initial policy development regarding cyberspace occurred in the framework of the World Summit on the Information Society (WSIS), which was held in two stages and in two locales: in Geneva in December 2003 and in Tunis in November 2005. The Geneva stage produced a declaration setting out key principles of the “Information Society” and an associated “Action Plan” to guide follow-on work in support of these principles. The Tunis session mirrored this output with its “Commitment” and “Agenda” documents. Together these consensus outcome documents represent the core of global policy direction on cyberspace and its usage.
This policy guidance, however, is not of a nature to be summarized in a concise one-page communiqué. The first Geneva stage of WSIS adopted a declaration of principles that set out in no less than 67 paragraphs a collective vision for the Information Society. It is worth citing its opening paragraph in full to convey a sense of the direction it provided:
“1. We, the representatives of the peoples of the world, assembled in Geneva from 10-12 December 2003 for the first phase of the World Summit on the Information Society, declare our common desire and commitment to build a people-centred, inclusive and development-oriented Information Society, where everyone can create, access, utilize and share information and knowledge, enabling individuals, communities and peoples to achieve their full potential in promoting their sustainable development and improving their quality of life, premised on the purposes and principles of the Charter of the United Nations and respecting fully and upholding the Universal Declaration of Human Rights.”
These lofty principles are expanded upon in the rest of the declaration and in the accompanying action plan, but the chief themes are evident in the opening paragraph: people-centred, development-oriented, aligned with the UN Charter and supportive of human rights. Cyber security figures among the various facets of the declaration, although it is approached at a high level of generality: “We support the activities of the United Nations to prevent the potential use of ICT (Information and Communications Technologies) for purposes that are inconsistent with the objectives of maintaining international stability and security, and may adversely affect the integrity of the infrastructure within States, to the detriment of their security.”
The tricky question of who governs the Internet is addressed in an inclusive manner in the declaration: “The management of the Internet encompasses both technical and public policy issues and should involve all stakeholders and relevant intergovernmental and international organizations.” A role for states, the private sector, civil society and inter-governmental and international organizations is affirmed without being overly prescriptive of who actually does what. To a degree, the entire question of governance was punted with the decision to create the Internet Governance Forum. This multi-stakeholder forum was deliberately established as a non-decision-making grouping that would provide a nexus for discussion of issues relevant to cyberspace, but with no authority to determine policy. It has met annually since the 2005 session of WSIS. As its initial five-year mandate is coming to a close, the UN secretary general is directed to develop recommendations regarding the forum’s future for consideration by UN member states.
The WSIS process has also engendered a parallel mechanism for coordinating work by the UN system in implementing the Geneva Action Plan and Tunis Agenda. The United Nations Group on the Information Society (UNGIS) comprises 30 specialized agencies and programs of the UN and has met on an annual basis since its inception in 2006. Among these UN agencies, the International Telecommunications Union (ITU) has been assuming a leadership role on issues relating to WSIS follow-up. It has, in collaboration with UNESCO and the UN Development Program, been responsible for organizing annual sessions of the WSIS Forum, a further multi-stakeholder gathering, established to review progress on WSIS implementation.
Stay in the know with veteran reporter Kathryn May. Sign up for routine and out-of-the-ordinary news about the public service with The Functionary, our new newsletter.
While this description of current international activity on cyber issues has concentrated on the global level represented by the UN, there is also an extensive range of activity undertaken by regional organizations and cross-regional bodies. The Organization for Security and Co-operation in Europe, Organization of American States, Asia-Pacific Economic Cooperation, Organisation for Economic Co-operation and Development, NATO and the Council of Europe are just some of the more salient regional organizations engaged in cyber security work relevant to their mandates and members’ interests. One of the most important products of a regional organization has been the Convention on Cyber Crime, which was developed by the Council of Europe and opened for signature in Budapest in 2001. This convention, which entered into force in 2004, has been signed by 46 states and ratified by 30 states. It represents one of the first efforts to develop a legally binding international agreement requiring states to combat cyber crime within their jurisdiction and to cooperate with official agencies of other signatory governments to facilitate prosecution of cyber crime. The G8’s Roma/Lyon Group, focused on counter-terrorism and counter-organized crime activity, has also been an active grouping of states collaborating behind the scenes to combat cyber attacks by terrorists or criminal entities.
Whether at the global or regional levels, activity on cyber security has tended to fall into four broad areas: i) education and awareness-raising; ii) ensuring integrity of cyber systems; iii) technical assistance and capacity-building and iv) development of norms and standards. Given the complexity and relative newness of cyber security, a great deal of basic work is required to raise awareness within international organizations and their member states as to the nature of cyber threats and the potential negative impact on their interests. After education as to the seriousness of the threat, there is a natural focus on securing the integrity of the informational systems utilized by the organization and member states against these threats. In light of the disparities in cyber security capacities among states, it is also logical to stress the provision of technical assistance and capacity-building to ensure that the less developed member states achieve a modicum of cyber security capability. Finally, there is frequently an interest in developing norms or standards to govern cyber security behaviour. This realm of action, particularly when it tries to move beyond political measures to specify international legal obligations, is extremely challenging. Currently the Budapest Convention on Cybercrime is one of the few international legal instruments extant in the field of cyber security and it has been criticized from several perspectives. In particular, its origins as a Council of Europe agreement and the council’s control of amendments are cited as reasons why the Budapest Convention may not prove acceptable as the global treaty on cyber crime that its proponents had hoped it to be.
The Internet has been a creation of civil society, and many consider its governance should best be left to nongovernmental entities. Informal associations, such as the Internet Corporation for Assigned Names and Numbers (ICANN), have provided the basis for administering the domain name systems that are at the heart of the Internet.
Where is Canada in this vast arena of cyber activity? Canada and its official delegations to the international forums mentioned above have been active in the debates and in shaping the outcomes to date. This involvement has been informed by the main tenets of Canadian foreign policy as our diplomats and representatives have tried to integrate the implications of cyber security into the international system. This process may resemble grafting more than new plantings in the sense that the cyber dimension is added to existing structures or processes aimed at achieving basic goals of Canadian foreign policy. For example, at the Human Rights Council and its forerunner, the Commission on Human Rights, Canada has taken the lead in preparing a resolution affirming the importance of freedom of opinion and expression. Previously, this resolution focused on the role of the printed and electronic media in realising this fundamental freedom. The current version, adopted in October 2009, explicitly recognized, alongside the traditional media, the importance of the Internet “in the exercise, promotion and protection of the right to freedom of opinion and expression.” In this way, the Internet was granted a status similar to the older media forms in the implementation of one of the primary freedoms enshrined in international human rights law. Critics will point out that this is only part of a declaratory policy resolution with no binding power. The fact that the UN’s premier human rights body, in a consensus resolution, has acknowledged the role of the Internet in fostering freedom of opinion and expression has political and practical significance. The resolution provides a key authoritative reference that can be cited if state action subsequently fails to uphold these standards.
The creation of norms and standards regarding the use of cyberspace, and cyber security in particular, is one of the chief avenues for Canadian foreign policy action in this realm. Some norm-setting comes through the patient craft of multilateral diplomacy and the fashioning of declaratory policy statements such as the WSIS outcome documents or UN resolutions. A more demanding expression of norm-making is the negotiation of international legal instruments that are binding on those states that sign on to them. There are relatively few such agreements governing cyberspace. This reflects the newness and complexity of the subject and the degree of obligation represented by these instruments. The Budapest Convention on Cyber Crime is a rare example of a binding instrument, but the problems it has encountered in gaining global acceptance do not augur well for future treaties on cyber security. The requirements for developing implementing legislation and regulation are also an obstacle for treaty ratification even for states with the political intent to achieve the treaty’s aims. Canada, for example, has still not ratified the Budapest Convention even though it was among its initial signatories in November 2001. The protracted process for negotiation, signature and ratification of treaties has led some observers to conclude that treaty-making is not the most promising approach to address as complex and rapidly changing an environment as cyberspace.
An alternative to treaty-making in the cyber realm is the development of so-called politically binding measures. These can take various forms, such as confidence-building measures, codes of conduct or rules of the road. In the international security field, such measures have been popular as a substitute or supplement to the more demanding treaty form. At times such measures have served as precursors for legally binding instruments to follow. For example, the confidence-building measures in the Helsinki Final Act and the Stockholm Agreement preceded the mandatory measures for notification and observation negotiated in the Conventional Forces in Europe (CFE) treaty. For those concerned with preventing cyber warfare and developing norms of state behaviour in the conduct of cyber operations, the option of developing a set of political measures may prove a more practical avenue to explore than initiating formal treaty negotiations. Canada has been associated in the past with the promotion of such confidence-building measures in the international security field (e.g., in outer space security) and could contribute to the formulation of new measures to prevent or moderate conflict in the cyber realm.
Given the wide disparities in cyber capabilities globally, it is not surprising that technical assistance and capacity-building are prominent themes in international cyber discussions.
Extrapolating from its long association with international development efforts, Canada is well positioned to aid less developed countries in bridging what has been termed “the digital divide.” Much activity has already been supported by Canada in this field as key development goals such as public health, poverty eradication, education and gender equality are promoted through cyber-related projects. Canada can also contribute in the crucial, if at times sensitive, realms of democratic development, promotion of human rights and upholding the rule of law as these pertain to cyber-focused activity. The Open Net Initiative, which monitors steps taken by some governments to censor and control cyberspace, is but one example of the vital work that is underway and that will require sustained support in the future.
While this brief account of Canadian action internationally shows that cyber-related interests are already being woven into the fabric of Canada’s foreign policy, what should the priorities be in future? There would seem to be at least three areas that require priority attention if a Canadian cyber foreign policy is to be developed. The first is to seek to fashion an integrated cyber foreign policy, rather than a disconnected series of foreign policy actions with cyber elements to them. In other words, to set out a cyber foreign policy rather than simply a foreign policy that happens to contain some cyber aspects. This is more than a semantic difference, but rather a qualitatively different approach that strives to identify cyber-relevant aims Canada wishes to pursue and integrate these into a coherent foreign policy. Only in this way can a view of the whole be achieved and the latent synergies of cyber activity in a myriad of international forums be realised.
The second priority is to harness this foreign policy to a strategy for its implementation in the international arena. It is not sufficient to have clear and laudatory goals for one’s cyber foreign policy; there needs to be a diplomatic strategy for their achievement. This will require careful analysis of the comparative advantages of various forums for advancing Canadian cyber objectives and how best to build the likeminded coalitions to gain support for these aims. It will also entail some prioritization of Canadian objectives as it will not be possible to give them all the same level of attention and resources.
The third priority is investing in the policy and research capacity to support the development of the cyber foreign policy and strategy described above. At present, no new resources have been provided to DFAIT for carrying out an enhanced policy effort on cyberspace. What activity has been undertaken has been ad hoc and incremental to existing tasks of officers working on files such as counter-terrorism, anti-crime and legal affairs. While certain other departments and agencies of the Canadian government have had some international engagement on dimensions of cyberspace (e.g., Industry Canada on promotion of the digital economy), none have the mandate or capacity to develop a foreign policy for cyberspace.
Such an effort will demand a substantial commitment of policy capacity and diplomatic resources to ensure that a cyber foreign policy of real international impact is created and successfully carried out. This in turn will require the support of a government that wants to see Canada help influence the emerging global public policy regime for cyber space, rather than simply accept one designed by others.