From Privacy Policy to Public Policy


Maybelle Szeto

Most of us are experts in privacy law. At least we should be, since Canadians reportedly visit thousands of webpages per month, and high-traffic websites such as Google, Amazon and Facebook all have privacy policies. Yet, how many of us have scrolled past the legal jargon of a website’s Terms of Service in our haste to click “I Accept” at the bottom of the page? As technological improvements allow users to navigate the Internet more rapidly, at a lesser cost and on multiple platforms, consumption of online content has reached new highs.

The increased use of technology is inevitable as businesses and governments alike broaden the scope of their stakeholders. Rapid communication and shared information are now deemed paramount for successful project completion. However, numerous risks exist when the Internet is added to work that encompasses privacy legislation and classified documents. Cyber-security and cyber-terrorism are emerging realms that governments must prioritize to ensure that strategic information remains within the grasps of authorized personnel only. Since 2009, the United States and Canada have adopted intensive national cyber-security strategies, with the European Commission following suit with their equivalent earlier this year.

Even with cyber-security legislation, the United States was unable to suppress the release of sensitive diplomatic and military information in the WikiLeaks scandal. Breaches in cyber-security have resulted in heavy media documentation, and have even publicly unraveled episodes of potential security concerns. Unlike traditional bilateral threats made by states to assert power, cyber-security attacks are directed at firms with considerable economic strength, and at governments, and are typically made by foreign, non-governmental groups seeking to advance their own agenda. Moreover, in the case of cyber-terrorism, successful perpetrating groups are less likely to identify themselves, as opposed to in classic cases of terrorism. There may be a preference for anonymity in these instances, as cyber-terrorism plots thus far entail data gathering, rather than resource and infrastructure destruction in the traditional sense of terrorism.

Canada is not immune to cyber-security or cyber-terrorism attacks. Firms such as the software manufacturer Telvent Canada have found that some client information was compromised as a result of foreign data mining. The energy sector is particularly vulnerable to cyber-security risks, as shown in the case of the cyber-terrorist attack against the Saudi oil company Aramco in 2012. Now, security expert Michael DuBose, formerly of the U.S. Department of Justice, is forecasting the potential “cyber version of Pearl Harbor,” for the energy sector. Cyber-security attacks are no longer limited to forays in uncovering client or staff information, but are also attempts to infiltrate firms’ control systems, thereby rendering each threat more malicious.

Cyber-security fissures pervading foreign policy and private companies are unlikely to cease as global competition increases in the telecommunications and energy industries. Nor is the Canadian government safe from foreign attempts to retrieve sensitive information; several federal departments, including the Department of Finance and the Treasury Board reported “severe cyber-attacks” on their systems in 2011.

The rules of the spy game have continuously evolved over time, and this past decade has been no different. The move toward even more elusive forms of espionage should come as no surprise with the ever-increasing use of technology. Building capacity in specialized task forces to address cyber-security prior to large-scale, publicized attacks is vital to prevent massive disruptions and attacks on private sector and government infrastructure.

As with other law enforcement operations, the challenge that governments face is the action-reaction cycle, wherein legislators are always a step behind perpetrators. Risk aversion and risk mitigation are fundamental to government procedures, with agencies and departments working diligently to provide security for civilians and all levels of government. On the private sector side, the Canadian Cyber Incident Response Centre (CCIRC) exists for a similar purpose; its main responsibility is to protect national infrastructure by mitigating risk sustained by major corporations and non-federal governments. While some argue that the CCIRC’s course of action in detected cyber-security risk scenarios is slow, coordination of a federal response to cyber-security risks remains a relatively new policy concept. Nonetheless, the creation of monitoring groups is not an effective deterrent to “hacktivists,” as they continue their cyber-infiltration efforts.

Heightening federal cyber-risk mitigation efforts is insufficient to address all aspects of the problem. Creating a policy that tackles both awareness and prevention is complex and requires strong civilian support as well as cooperation from the private sector and governance capacity by the federal government. Fostering civilian knowledge of the extent of possible attacks and their direct repercussions on individuals is a crucial first step to fashioning public support and buy-in for future initiatives. The Canadian Wireless Telecommunications Association has created an awareness campaign linking wireless device theft to loss of a wide range of personal or professional information. Linking a tangible consequence to a lesser-observed risk is an effective mechanism to promote consumer awareness on various vulnerabilities relating to mobile devices and related cyber-security risks, including identity theft, fraud and phishing schemes.

Successful policy development in the face of an escalating number of cyber attacks and civilian consequences requires simultaneous top-down and bottom-up approaches. Protecting government information and consumer interests must remain priorities on the federal agenda to ensure maximum preparedness and protection against foreign cyber-security risks. Existing efforts provide an adequate basis upon which further intervention can be built.

While both traditional and cyber terrorism attacks demand a focused agenda and a suitable political arena, the implementation of cyber-security attacks requires less human and physical capital, and involves much more direct action than its predecessors. With a vested interest in our growing energy sector, and accompanying next-generation technologies, Canada must increase its capacity in cyber incident response to face impending large-scale cyber-security threats.

Maybelle Szeto is a 2014 Master of Public Policy candidate at the School of Public Policy and Governance. She holds a BA in Political Science from McGill University. Her policy interests include defence, national security and foreign policy.

One Comment Add yours

  1. Hi, can you point me to the sources used that state cyber attacks are typically made by foreign, non-governmental groups seeking to advance their own agenda? What is an example of such an agenda? It is my understanding that there are two sorts of groups here. non-state actors such as Anonymous, which would fit your argument. And loosely affiliated state, non-state Chinese and Russian hacking groups whose actions are done to serve the state’s agenda but are not formally part of a state’s military structure so as to provide plausible deniability.

    What would an effective deterrent to “hacktivists” look like? What do you propose?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s