Canadian context to cyber vigilantism and the Active Cyber Defence Certainty Act.
The unfortunate truth is that in many foreign jurisdictions, industry and organized crime form an integral part of a given nation’s military and intelligence apparatus. Our adversaries finance spying through industrial facilitation (letters of marque) and steal intellectual property for their own industries while criminals profit from the exchange.
• Cyberspace is predominantly owned, operated and controlled by the private sector;
• Some in industry and civil society have been decisively and persistently engaged on the front lines, in multiple jurisdictions and within contested space, for decades, and have developed considerable battle-hardened cyber defence capabilities as a result;
• Individual cyber-vigilantes have been taking matters into their own hands: takedowns of spammers, disrupting fraudulent foreign call centres, gathering evidence, countering hackers and criminals, and thwarting nation-state espionage efforts. There are plenty of these operations posted to YouTube;
• Cyber security companies have made progress exposing nation-state spying networks and transnational crime syndicates;
• Platform providers, industry, academia and civil society have been working diligently in countering global online radicalization, hate speech, propaganda and misinformation for decades;
• Academic researchers have been conducting operations to keep the Internet open and safe, in advance of public policy;
• Industry has been conducting active cyber defence and offensive operations (persistent engagement) within administrative authorities afforded to them in legislation and under judicial warrant for decades, including: cyber deception, deterrence, botnet takedowns and sink-holing malicious domains, shaming bad actors and pursuing civil prosecution;
• Government does not have an exclusive authority under legislation for active defence, nor are there prohibitions in law for this broad category. The restrictions are specifically related to communication intercept of private information and ‘hacking’ of a computer system under the Criminal Code of Canada. However, there are existing exemptions for industry provided under the legislation for system security administration. The private sector can apply to the courts for additional exemptions;
• The government conducts global cyber operations on and through private network infrastructures where there exists active security monitoring and enforced compliance to acceptable use policies, which are based on international standards, regulations and law;
• Industry remains a proxy target of nation-state aggression, competition and conflict;
• Globally there has been a diffusion of power from nation states to non-state actors with cyber leading the way. Experts predict that this will accelerate in the future;
• The impact of cyber crime and espionage on Canadians is substantive and is rising; and
• Defending national interests and those of industry are mutually inclusive.
Western governments have long been reticent to involve themselves in the affairs of the private sector, including the defence of industry and citizens from cyber attacks, even when assaults originate from nation-states. The military is unlikely to engage unless an attack breaches the level of armed conflict (defined as physical destruction and casualties).
Industry certainly has the capability for active cyber defence, and has for the most part been able to achieve the same effects within current legislation independently of governments. Certain principles of active cyber defence have been established as cyber security and privacy best practices, underwritten in law where a failure to comply represents tangible risk to large corporations.
Western governments could assume greater responsibility to provide cyber defence nationally. However, industry, which is the most affected by cyber crime and espionage, will need to see clear, timely, and measurable outcomes from governments that include: threat reduction, attribution and prosecution of the threat actors at scale, including the dismantling of adversarial attack infrastructures, and the protection and retrieval of intellectual property. Similarly, citizens will expect crimes to be solved, assets recovered and miscreants prosecuted.
Alternatively, if industry and civil society are left to fend for themselves, then they have the right to self-defence – but not to start a war.
Conversely, governments, in their haste to militarize or exploit the domain, will need to manage vulnerability equities with industry partners and be careful when engaging in covert or open conflict, so that industry and individual citizens are not collateral damage.
An alternative model provides for a division of labour and responsibility or ‘public-private partnerships’ in which industry provides the talent, technology and operational support, while government can undertake offensive cyber operations under legislative and executive authorities.
This is why the US Active Cyber Defense Certainty Act is highly relevant to Canadian industry.
The proposed US legislation opens a means and a market to achieve the right effects through active cyber defence for industry in trusted partnership with governments. Entities will need professional certification and regulation while operations require coordination and de-confliction. Similarly, a government’s active cyber defence operations will require a vulnerability equities framework and be jointly coordinated with the cyber security industry and private-sector owner-operators of cyberspace to avoid collateral damage.
Legislation, should it pass, has the potential to go very well or very poorly. What is clear is that current approaches have met with limited success and we need an open dialogue on the issue here in Canada as well as a team approach for the delivery of meaningful effects.
Commercial entities can seek court warrants for communications intercept, acquisition, search and seizure, and takedowns, just like law enforcement.