Canada Doesn't Know How to Regulate Cyber Weapons Sales
The Harper government really doesn't know how to regulate cyber weapons.
How can Canada prevent potential cyberweapons from being sold to malicious actors? Should the goal be to prevent the use of such tools against Canadians, to prevent human rights abuses abroad, or both?
Those are some of the key questions that the Canadian government considered between the beginning of 2012 and the end of 2013, according to an undated briefing note obtained by Motherboard via an access to information request sent to Public Safety Canada. (The rough date estimate is based on the date range for documents specified in the initial request.)
The document includes an early assessment of the potential use of export controls to limit "cyber proliferation"—in other words, the sale and export of computer vulnerabilities, web monitoring and content filtering services, or other computer tools "that could be used for cyber espionage or cyber attack." The government concluded that it was "open to considering the use of export control to limit cyber proliferation," but had yet to conduct a full assessment of the issue.
Export controls are already widely used to limit the sale of so-called "dual-use" technologies, such as military equipment and weapons, as well as certain types of cryptographic hardware and software, with permits granted on a case-by-case basis. These technologies are often referred to as dual-use technologies because while they are nominally civilian products, they may have military applications, or may be used for illegitimate purposes.
Like many countries that produce such tech, Canada broadly uses export controls to ensure that products developed here do not harm Canada or its allies, are not used to undermine national or international security, do not contribute to political instability, or are not used to commit human rights violations, amongst other things.
However, experts who spoke with Motherboard expressed surprise that the government's internal discussions regarding cyber tools were at such an early stage, and conducted seemingly in private.
"We think there is definitely, at the very least, some obligation to prevent companies in Canada from facilitating human rights abuses abroad, and that includes invasions of privacy, massive censorship, as well as privacy abuses that can lead to things like torture," said Tamir Israel, a staff lawyer at the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC).
"Just seeing this document is really interesting because we didn't know that this debate was happening within government and we think it's a debate that should be had," he said.
Canada's stance on the use of export controls to limit the sale of cyber weapons and monitoring tools was not made public until December 2013—and only then as one of 41 participating states to agree to new changes to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
Those changes included regulations that apply to intrusion software—which would include previously undisclosed software exploits, commonly known as zero days—and network surveillance systems. According to The Center for Internet and Society at Stanford Law School, the changes are "the first major restrictions on widely used, commercially available software since the introduction of restrictions on encryption products to the Arrangement in 1998."
Though not legally binding, member states use the Wassenaar Arrangement as a basis for crafting their own export control policies at home. But how or when Canada will implement these changes remains unclear.
According to the Department of Foreign Affairs and International Trade spokesperson Béatrice Fénelon, the government updates its Export Control List (ECL) on an annual basis, but changes to the Wassenaar Arrangement are still under review. But it's worth noting the latest available figures provided by the government are from 2011.
"The government is currently working toward updating the ECL," Fénelon wrote in an email. The spokesperson did not say whether the government had conducted any prior assessments on limiting the proliferation of advanced cyber tools, such as the potential assessments referenced within the briefing note Motherboard obtained.
It's also not clear what the Canadian government's motivation is: to prevent such tools being used against Canada by malicious actors, to prevent human rights abuses and censorship by oppressive regimes, or both.
"The fact that these changes are appearing suggests that human rights concerns are being voiced there, so that's a good thing," said Sarah McKune, senior legal advisor to the Citizen Lab at the Munk School of Global Affairs, University of Toronto, of the Wassenaar changes.
"Whether or not the human rights justification makes its way down to all the states is another issue. You're talking a forum that includes states such as Russia. I think there could be a variety of stances on the human rights justification for these controls," she said.
Indeed, some have questioned whether export controls are really the most effective tool to prevent the inappropriate use of dual-use technologies such as web filtering, monitoring and intrusion software. On the one hand, companies such as BlueCoat Systems, Inc., Gamma International, and the Canadian company Netsweeper have been found to sell software that has been used for surveillance and censorship by repressive regimes.
At the same time, a piece of hardware or software that could be used to censor internet access and restrict free speech might also be used in other circumstances for more benign, perfectly legal means, such as blocking malware from spreading across a network.
A 2012 paper by Electronic Frontier Foundation members Cindy Cohn, Trevor Timm, and Jillian C. York suggested that "putting the focus on user and potential (or actual) use of the technology for human rights abuses by governments—rather than on the capabilities of the technology itself—presents a more direct path to stopping human rights abuses, and one with fewer collateral risks."
CIPPIC's Israel said that restricting the export and sale of advanced cyber tools is similar to export controls on weapons and missiles. "It doesn't necessarily shut them down," he said.
Part of the problem, according to McKune, is that while export controls are broadly intended to prevent human rights abuses, that's not what they were designed for.
"It's not what they're good at. So I think at some point we're going to need legislation enacted that actually sets up some kind of oversight or accountability mechanism for industry," she explained. "Because unfortunately, I think the industry is not taking it seriously themselves. Their opinion is 'as long as you're not telling me not to do it, I can do it.' And if that's the case, if they're not implementing corporate social responsibility measures as an industry then we need more government involvement."
What McKune suggests is an additional layer of control over the sale of cyber weapons and monitoring software beyond export regulations that explicitly takes human rights abuses into account. But, in Canada at least, it doesn't appear that any such thing is being discussed.
According to the Department of Foreign Affairs, Trade and Development, the government "has no plans to change the way in which it implements WA controls," and "has no plans to consider the necessity for other controls until the WA changes are in place."
"You do really need to find a more nuanced way that doesn't just say 'You can never sell these,' or 'You can never sell these to country X, Y or Z, but you can always sell them to country A, B, and C,'" Israel said. "You need a more nuanced case-by-case approach, because that would be the only way to get at it. And the nature of dual-use technologies is precisely the problem. Because they can be used either way, that makes them so hard to regulate in a very clear way."