Everyone these days is aware that the internet’s immense benefits come with significant cyber threats. Be these the scourge of scammers or sophisticated state-sponsored cyber attacks, there is a recognized need for enhanced defences.
As a major public-policy focus, cyber security impacts on a wide array of domestic and international interests. Governments in their policies have struggled to keep up with the growth of the internet and the rapidity of technological developments.
The Canadian government’s effort to articulate a national strategy for cyber security dates back to October 2010. That strategy set out three basic aims: securing federal computer systems, partnering to help secure non-federal-government systems, and public education to help Canadians be secure online. There was reference to Public Safety taking the lead in coordinating a set of inter-departmental committees, but little guidance as to how oversight of the implementation of the national strategy was to be realized.
Seven years is a lifetime in cyberspace and there has been little since the fall of 2010 to show the public as to how the government was advancing its strategy. A series of public consultations were carried out in 2016 seeking views on a set of questions, and answers duly compiled.
The government also did an evaluation of the original national strategy, releasing the results in September. This evaluation was one of internal procedure rather than an effort to judge the effectiveness of the national strategy. Its conclusions provided tepid support for the government’s approach.
On the key governance issue, the evaluation said the absence of minutes of inter-departmental meetings and of staff with corporate memory meant that the evaluators could not judge the effectiveness of these arrangements or whether the oversight role they were to provide was fulfilled. The evaluation noted there were still problems with overlapping mandates and a lack of clarity as to what federal agency was the point of contact for the private sector on cyber security matters.
Australia takes the lead
Contrast this rather muddled situation with the Australian government’s efforts to address in a purposeful way the challenges of ensuring cyber security.
Following up on an initial national cyber security released in 2009, the Australian government had taken significant steps in 2011 to put responsibility for cyber security under the Department of the Prime Minister and Cabinet (reflecting a top priority for what necessarily is a whole-of-government exercise) and in 2014 by establishing an integrated Australian Cyber Security Centre.
In April 2016, Prime Minister Malcolm Turnbull released a new national cyber security strategy with major innovations for implementing the five key goals set out in the document: 1) strong cyber defences; 2) global responsibility and influence; 3) growth and innovation; 4) a cyber-smart nation; and 5) a national cyber partnership.
To ensure the necessary political and bureaucratic support for realizing the strategy, the Australian government appointed a minister to assist the PM in cyber security as well as a special adviser residing in the department of the PM. These appointments, the strategy explained, strengthened the department of the PM’s “current lead role on cyber security policy and be the central point for policy issues to ensure a simplified government policy interface for stakeholders.”
The international dimension of the national strategy was to be managed by the appointment of a cyber ambassador located in the Department of Foreign Affairs and the consolidation of cyber-related defence, police, and intelligence entities under a senior Department of Defence official. The government committed itself to annual public updates as to how implementation of the strategy was progressing.
To realize the national strategy’s call for Australia to “work with international partners to champion an open, free, and secure internet,” the appointment of a cyber ambassador was to “ensure Australia has a coordinated, consistent, and influential voice on international cyber issues.”
Beyond the creation of the position at the foreign ministry, the government promised an international cyber engagement strategy recognizing the crucial role that external developments and decisions could have on the national cyber security condition. This strategy was published in October. It set out the goal of achieving “a stable and peaceful online environment,” backing this up with several initiatives including the establishment of cooperative cyber security networks with other countries in the Asia-Pacific region.
Canada needs a stronger international focus
The international dimension of Canada’s cyber security strategy in contrast remains seriously underdeveloped. The Canadian evaluation report devotes little more than a sentence to this aspect, recommending that the government pursue “better engagement with international actors to develop international norms to reduce cyber threats (i.e. developing a cyber foreign policy).” No effective cyber security strategy can be purely domestic in its focus. The development of a considered cyber security foreign policy is overdue.
The Canadian government should proceed beyond taking public soundings and engaging in internally focused evaluation exercises. It should deliver an updated cyber security strategy with more specific objectives, adequate resources, and a governance structure that will ensure meaningful oversight of the strategy’s implementation regularly. We should be no less capable than the Aussies to generate a cyber security strategy at a level commensurate with the magnitude of the threats present in contemporary cyberspace.
Paul Meyer is a Vancouver-based adjunct professor of international studies and fellow in international security at Simon Fraser University, and a senior fellow at the Simons Foundation.
The Hill Times