Link

Operation Fox Hunt

(Photo by Erik Mclean on Pexels.com)

ProPublica’s Sebastian Rotella and Kirsten Berg have an outstanding piece on the Chinese government’s efforts to compel individuals to return to China to face often trumped up charges. Efforts include secretly sending Chinese officials into the United States to surveil, harass, intimidate, and stalk residents of the United States, and also imprisoning or otherwise threatening residents’ family member who have remained in China.

Many of the details in the article are the result of court records, interviews, and assessments of Chinese media. It remains to be seen whether Chinese agents’ abilities to conduct ‘fox hunts’ will be impeded now that the US government is more aware of these operations. Given the attention and suspicion now cast towards citizens of China, however, there is also a risk that FBI agents may become overzealous in their investigations to the detriment of law-abiding Chinese-Americans or visitors from China.

In an ideal world there would be equivalent analyses or publications on the extent to which these operations are also undertaken in Canada. To date, however, there is no equivalent to ProPublica’s piece in the Canadian media landscape and given the Canadian media’s contraction we can’t realistically expect anything, anytime soon. However, even a short piece which assessed whether individuals from China who’ve run operations in the United States, and who are now barred from entering the US or would face charges upon crossing the US border, are similarly barred or under an extradition order in Canada would be a positive addition to what we know of how the Canadian government is responding to these kinds of Chinese operations.

Link

Standards as the Contemporary Highway System

Jonathan Zittrain, in remarks prepared a few weeks ago, framed Internet protocol standards in a novel way. Specifically, he stated:

Second, it’s entirely fitting for a government to actively subsidize public goods like a common defense, a highway system, and, throughout the Internet’s evolution, the public interest development of standards and protocols to interlink otherwise-disparate systems. These subsidies for the development of Internet protocols, often expressed as grants to individual networking researchers at universities by such organizations as the National Science Foundation, were absolutely instrumental in the coalescence of Internet standards and the leasing of wholesale commercial networks on which to test them. (They also inspired some legislators to advertise their own foresight in having facilitated such strategic funding.) Alongside other basic science research support, this was perhaps some of the best bang for the buck that the American taxpayer has received in the history of the country. Government support in the tens of millions over a course of decades resulted in a flourishing of a networked economy measured in trillions.

Zittrain’s framing of this issue builds on some writing I’ve published around standards. In the executive summary of a report I wrote a few months ago, I stated that,

… the Government of Canada could more prominently engage with standards bodies to, at least in part, guarantee that such standards have security principles baked in and enabled by default; such efforts could include allocating tax relief to corporations, as well as funding to non-governmental organizations or charities, so that Canadians and Canadian interests are more deeply embedded in standards development processes.

To date I haven’t heard of this position being adopted by the Government of Canada, or even debated in public. However, framing this as a new kind of roadway could be the kind of rhetorical framing that would help it gain traction.

The Kaseya Ransomware Attack Is a Really Big Deal

Screen Shot 2021-07-19 at 2.26.52 PM
(Managed Service Provider image by the Canadian Centre for Cybersecurity)

Matt Tait, as normal, has good insights into just why the Kaseya ransomware attack1 was such a big deal:

In short, software supply chain security breaches don’t look like other categories of breaches. A lot of this comes down to the central conundrum of system security: it’s not possible to defend the edges of a system without centralization so that we can pool defensive resources. But this same centralization concentrates offensive action against a few single points of failure that, if breached, cause all of the edges to fall at once. And the more edges that central failure point controls, the more likely the collateral real-world consequences of any breach, but especially a ransomware breach will be catastrophic, and cause overwhelm the defensive cybersecurity industry’s ability to respond.

Managed Service Providers (MSPs) are becoming increasingly common targets. It’s worth noting that the Canadian Centre for Cybersecurity‘s National Cyber Threat Assessment 2020 listed ransomware as well as the exploitation of MSPs as two of the seven key threats to Canadian financial and economic health. The Centre went so far as to state that it expected,

… that over the next two years ransomware campaigns will very likely increasingly target MSPs for the purpose of targeting their clients as a means of scaling targeted ransomware campaigns.

Sadly, if not surprisingly, this assessment has been entirely correct. It remains to be seen what impact the 2020 threats assessment has, or will have, on Canadian organizations and their security postures. Based on conversations I’ve had over the past few months the results are not inspiring and the threat assessment has generally been less effective than hoped in driving change in Canada.

As discussed by Steven Bellovin, part of the broader challenge for the security community in preparing for MSP operations has been that defenders are routinely behind the times; operators modify what and who their campaigns will target and defenders are forced to scramble to catch up. He specifically, and depressingly, recognizes that, “…when it comes to target selection, the attackers have outmaneuvered defenders for almost 30 years.”

These failures are that much more noteworthy given that the United States has trumpeted for years that the NSA will ‘defend forward‘ to identify and hunt threats, and respond to them before they reach ‘American cybershores’.2 The seemingly now routine targeting of both system update mechanisms as well as vendors which provide security or operational controls for wide swathes of organizations demonstrates that things are going to get a lot worse before they’re likely to improve.

A course correction could follow from Western nations developing effective and meaningful cyber-deterrence processes that encourage nations such as Russia, China, Iran, and North Korea to punish computer operators who are behind some of the worst kinds of operations that have emerged in public view. However, this would in part require the American government (and its allies) to actually figure out how they can deter adversaries. It’s been 12 years or so, and counting, and it’s not apparent that any American administration has figured out how to implement a deterrence regime that exceeds issuing toothless threats. The same goes for most of their allies.

Absent an actual deterrence response, such as one which takes action in sovereign states that host malicious operators, Western nations have slowly joined together to issue group attributions of foreign operations. They’ve also come together to recognize certain classes of cyber operations as particularly problematic, including ransomware. Must nations build this shared capacity, first, before they can actually undertake deterrence activities? Should that be the case then it would strongly underscore the need to develop shared norms in advance of sovereign states exercising their latent capacities in cyber and other domains and lend credence to the importance of the Tallinn manual process . If, however, this capacity is built and nothing is still undertaken to deter, then what will the capacity actually be worth? While this is a fascinating scholarly exercise–it’s basically an opportunity to test competing scholarly hypotheses–it’s one that has significant real-world consequences and the danger is that once we recognize which hypothesis is correct, years of time and effort could have been wasted for little apparent gain.

What’s worse is that this even is a scholarly exercise. Given that more than a decade has passed, and that ‘cyber’ is not truly new anymore, why must hypotheses be spun instead of states having developed sufficient capacity to deter? Where are Western states’ muscles after so much time working this problem?


  1. As a point of order, when is an act of ransomware an attack versus an operation? ↩︎
  2. I just made that one up. No, I’m not proud of it. ↩︎

Vaccination, Discrimination, and Canadian Civil Liberties

Photo by Karolina Grabowska on Pexels.com

Civil liberties debates about whether individuals should have to get vaccinated against Covid-19 are on the rise. Civil liberties groups broadly worry that individuals will suffer intrusions into their privacy, or that rights of association or other rights will be unduly abridged, as businesses and employers require individuals to demonstrate proof of vaccination.

As discussed in a recent article published by the CBC, some individuals are specifically unable to, or concerned about, receiving Covid-19 vaccines on the basis that, “they’re taking immunosuppressant drugs, for example, while others have legitimate concerns about the safety and efficacy of the COVID-19 vaccines or justifiable fears borne from previous negative interactions with the health-care system.” The same expert, Arthur Schafer of the Centre for Professional and Applied Ethics at the University of Manitoba, said, “[w]e should try to accommodate people who have objections, conscientious or scientific or even religious, where we can do so without compromising public safety and without incurring a disproportionate cost to society.”

Other experts, such as Ann Cavoukian, worry that being compelled to disclose vaccination status could jeopardize individuals’ medical information should it be shared with parties who are not equipped to protect it, or who may combine it with other information to discriminate against individuals. For the Canadian Civil Liberties Association, they have taken the stance that individuals should have the freedom to choose to be vaccinated or not, that no compulsions should be applied to encourage vaccination (e.g., requiring vaccination to attend events), and broadly that, “COVID is just another risk now that we have to incorporate into our daily lives.”

In situations where individuals are unable to be vaccinated, either due to potential allergic responses or lack of availability of vaccine (e.g., those under the age of 12), then it is imperative to ensure that individuals do not face discrimination. In these situations, those affected cannot receive a vaccine and it is important to not create castes of the vaccinated and unable-to-be-vaccinated. For individuals who are hesitant due to historical negative experiences with vaccination efforts, or medical experimentation, some accommodations may also be required.

However, in the cases where vaccines are available and there are opportunities to receive said vaccine, then not getting vaccinated does constitute a choice. As it stands, today, in many Canadian schools children are required to received a set of vaccinations in order to attend school and if their parents refuse, then the children are required to use alternate educational systems (e.g., home schooling). When parents make a specific choice they are compelled to deal with the consequences of said decision. (Of course, there is not a vaccine for individuals under 12 years of age at the moment and so we shouldn’t be barring unvaccinated children from schools, but adopting such a requirement in the future might align with how schools regularly require proof of vaccination status to attend public schools.)

The ability to attend a concert, as an example, can and should be predicated on vaccination status where vaccination is an option for attendees. Similarly, if an individual refuses to be vaccinated their decision may have consequences in cases where they are required to be in-person in their workplace. There may be good reasons for why some workers decline to be vaccinated, such as a lack of paid days off and fear that losing a few days of work due to vaccination symptoms may prevent them from paying the rent or getting food; in such cases, accommodations to enable them to get vaccinated are needed. However, once such accommodations are made decisions to continue to not get vaccinated may have consequences.

In assessing whether policies are discriminatory individuals’ liberties as well as those of the broader population must be taken into account, with deliberate efforts made to ensure that group rights do not trample on the rights of minority or disenfranchised members of society. Accommodations must be made so that everyone can get vaccinated; rules cannot be established that apply equally but affect members of society in discriminatory ways. But, at the same time, the protection of rights is conditional and mitigating the spread of a particularly virulent disease that has serious health and economic effects is arguably one of those cases where protecting the community (and, by extension, those individuals who are unable to receive a vaccine for medical reasons) is of heightened importance.

Is this to say that there are no civil liberties concerns that might arise when vaccinating a population? No, obviously not.

In situations where individuals are unhoused or otherwise challenged in keeping or retaining a certification that they have been vaccinated, then it is important to build policies that do not discriminate against these classes of individuals. Similarly, if there is a concern that vaccination passes might present novel security risks that have correlate rights concerns (e.g., a digital system that links presentations of a vaccination credential with locational information) then it is important to carefully assess, critique, and re-develop systems so that they provide the minimum data required to reduce the risk of Covid-19’s spread. Also, as the population of vaccinated persons reaches certain percentages there may simply be less of a need to assess or check that someone is vaccinated. While this means that some ‘free riders’ will succeed, insofar as they will decline to be vaccinated and not suffer any direct consequences, the goal is not to punish people who refuse vaccination and instead to very strongly encourage enough people to get vaccinated so that the population as a whole is well-protected.

However, taking a position that Covid-19 is part of society and that society just has to get used to people refusing to be vaccinated while participating in ‘regular’ social life, and that this is just a cost of enjoying civil liberties, seems like a bad argument and a poor framing of the issue. Making this kind of broader argument risks pushing the majority of Canadians towards discounting all reasons that individuals may present to justify or explain not getting vaccinated, with the effect of inhibiting civil society from getting the public on board to protect the rights of those who would be harmfully affected by mandatory vaccination policies or demands that individuals always carry vaccine passport documents.

Those who have made a choice to opt-out of vaccination may experience resulting social costs, but those who cannot opt to get a vaccine in the first place or who have proven good reasons for avoiding vaccination shouldn’t be unduly disadvantaged. That’s the line in the sand to hold and defend, not that protecting civil liberties means that there should be no cost for voluntarily opting out of life saving vaccination programs.

Link

Does Canada, Really, Need A Foreign Intelligence Service?

A group of former senior Canadian government officials who have been heavily involved in the intelligence community recently penned an op-ed that raised the question of “does Canada need a foreign intelligence service?” It’s a curious piece, insofar as it argues that Canada does need such a service while simultaneously discounting some of the past debates about whether this kind of a service should be established, as well as giving short shrift to Canada’s existing collection capacities that are little spoken about. They also fundamentally fail to take up what is probably the most serious issue currently plaguing Canada’s intelligence community, which is the inability to identify, hire, and retain qualified staff in existing agencies that have intelligence collection and analysis responsibilities.

The Argument

The authors’ argument proceeds in a few pieces. First, it argues that Canadian decision makers don’t really possess an intelligence mindset insofar as they’re not primed to want or feel the need to use foreign intelligence collected from human sources. Second, they argue that the Canadian Security Intelligence Service (CSIS) really does already possess a limited foreign intelligence mandate (and, thus, that the Government of Canada would only be enhancing pre-existing powers instead of create new powers from nothing). Third, and the meat of the article, they suggest that Canada probably does want an agency that collects foreign intelligence using human sources to support other members of the intelligence community (e.g., the Communications Security Establishment) and likely that such powers could just be injected into CSIS itself. The article concludes with the position that Canada’s allies “have quietly grumbled from time to time that Canada is not pulling its weight” and that we can’t prioritize our own collection needs when we’re being given intelligence from our close allies per agreements we’ve established with them. This last part of the argument has a nationalistic bent to it: implicitly they’re asking whether we can really trust even our allies and closest friends? Don’t we need to create a capacity and determine where such an agency and its tasking should focus on, perhaps starting small but with the intent of it getting larger?

Past Debates and Existing Authorities

The argument as positioned fails to clearly make the case for why these expanded authorities are required and simultaneously does not account for the existing powers associated with the CSE, the Canadian military, and Global Affairs Canada.

With regards to the former, the authors state, “the arguments for and against the establishment of a new agency have never really been examined; they have only been cursorily debated from time to time within the government by different agencies, usually arguing on the basis of their own interests.” In making this argument they depend on people not remembering their history. The creation of CSIS saw a significant debate about whether to include foreign human intelligence elements and the decision by Parliamentarians–not just the executive–was to not include these elements. The question of whether to enable CSIS or another agency to collect foreign human intelligence cropped up, again, in the late 1990s and early 2000, and again around 2006-2008 or so when the Harper government proposed setting up this kind of an agency and then declined to do so. To some extent, the authors’ op-ed is keeping with the tradition of this question arising every decade or so before being quietly set to the side.

In terms of agencies’ existing authorities and capacities, the CSE is responsible for conducting signals intelligence for the Canadian government and is tasked to focus on particular kinds of information per priorities that are established by the government. Per its authorizing legislation, the CSE can also undertake certain kinds of covert operations, the details of which have been kept firmly under wraps. The Canadian military has been aggressively building up its intelligence capacities with few details leaking out, and its ability to undertake foreign intelligence using human sources as unclear as the breadth of its mandate more generally.1 Finally, GAC has long collected information abroad. While their activities are divergent from the CIA or MI6–officials at GAC aren’t planning assassinations, as an example–they do collect foreign intelligence and share it back with the rest of the Government of Canada. Further, in their increasingly distant past they stepped in for the CIA in environments the Agency was prevented from operating within, such as in Cuba.

All of this is to say that Canada periodically goes through these debates of whether it should stand up a foreign intelligence service akin to the CIA or MI6. But the benefits of such a service are often unclear, the costs prohibitive, and the actual debates about what Canada already does left by the wayside. Before anyone seriously thinks about establishing a new service, they’d be well advised to read through Carvin’s, Juneau’s, and Forcese’s book Top Secret Canada. After doing so, readers will appreciate that staffing is already a core problem facing the Canadian intelligence community and recognize that creating yet another agency will only worsen this problem. Indeed, before focusing on creating new agencies the authors of the Globe and Mail op-ed might turn their minds to how to overcome the existing staffing problems. Solving that problem might enable agencies to best use their existing authorizing legislation and mandates to get much of the human foreign intelligence that the authors are so concerned about collecting. Maybe that op-ed could be titled, “Does Canada’s Intelligence Community Really Have a Staffing Problem?”


  1. As an example of the questionable breadth of the Canadian military’s intelligence function, when the military was tasked with assisting long-term care home during the height of the Covid-19 pandemic in Canada, they undertook surveillance of domestic activism organizations for unclear reasons and subsequently shared the end-products with the Ontario government. ↩︎
Quote

We have come a long way in routing the taboos that stand in the way of justice for victims of sexual assault. But there is still a distance to go. The problems are complex and rooted in centuries of culture and myth. The law, imperfect as it may be, is a powerful tool in achieving lasting change. But real justice will come only when we change attitudes—when respect for the autonomy of every person replaces old myths grounded in ownership, control, and power.

– Beverly McLachlin, Truth Be Told: My Journey Through Life and the Law

Link

Towards A Genuinely Progressive Feminist Foreign Policy

Gabrielle Bardall has written an article on the current failings of Canada’s feminist international assistance policy, which is part of the government’s broader feminist foreign policy. In part, she writes:

A feminist approach to democracy development must be more than a simple numbers game to increase the number of women and minority groups in democratic institutions that sustain existing power structures. A feminist approach must instead involve people of all genders working together to advance democratic institutions, processes and values that disrupt those patriarchal power structures and prioritize gender equality across diverse populations and partisan lines. It is measured by the extent to which those institutions and processes are transformed by feminist principles and feminist actors (male and female), not just by the percentage of seats held by each sex.

In past professional settings I’ve been critical of Global Affairs Canada’s modes of applying gendered lenses and feminism into foreign policy processes, not because I disagree with doing so conceptually, but because it has so routinely felt non-progressive by focusing less on feminism and more on sex. Bardall‘s framing, of needing to move towards a non-neoliberal concept of feminism, nicely captures my disquiet and does so far more elegantly that I’ve managed in the years I’ve been stewing on this issue. Until a model of feminism is adopted into Canada’s foreign affairs policies that is explicitly anti-patriarchal then any adopted feminist approach will serve to principally adjust who is at the table without striving to redistribute power itself in a more equitable manner.

Link

Russia, China, the USA and the Geopolitical and National Security Implications of Climate Change

Lustgarden, writing for the New York Times, has probably the best piece on the national security and geopolitical implications of climate change that I’ve recently come across. The assessment for the USA is not good:

… in the long term, agriculture presents perhaps the most significant illustration of how a warming world might erode America’s position. Right now the U.S. agricultural industry serves as a significant, if low-key, instrument of leverage in America’s own foreign affairs. The U.S. provides roughly a third of soy traded globally, nearly 40 percent of corn and 13 percent of wheat. By recent count, American staple crops are shipped to 174 countries, and democratic influence and power comes with them, all by design. And yet climate data analyzed for this project suggest that the U.S. farming industry is in danger. Crop yields from Texas north to Nebraska could fall by up to 90 percent by as soon as 2040 as the ideal growing region slips toward the Dakotas and the Canadian border. And unlike in Russia or Canada, that border hinders the U.S.’s ability to shift north along with the optimal conditions.

Now, the advantages faced by Canada might be eroded by a militant America, and those of Russia similarly threatened by a belligerent and desperate China (and desperate Southeast Asia more generally). Regardless, food and arable land are generally likely to determine which countries take the longest to most suffer from climate change. Though, in the end, it’s almost a forgone conclusion that we are all ultimately going to suffer horribly for the errors of our ways.

Link

Provincial Governments Have Failed to Protect Us

Lauren Dobson-Hughes.

“Across the country, governments failed to invest enough resources in test, trace and isolate systems. In most provinces, they did not make timely investments in school ventilation or hire more teachers, or prepare the restaurant industry for prolonged winter closing, or shut down workplaces that exposed minimum-wage workers to infection, or hire more long-term care home workers. They issued conflicting, byzantine communications to individual people that boiled down to ‘don’t do any activities unless you’re paying a private company to host them’.

Provincial governments did not come up with compassionate policies that addressed structural barriers to people staying safe. They came up with “personal responsibility,” telling citizens to knock it off or they’ll turn the car around right now. The only realm of life governments seemed willing to regulate was our social lives. It does no good being scolded to stay home if you live in a tiny, cold apartment and have to take public transit to your low-paid, unsafe workplace because you need the income.

As someone who lives in a city going into lockdown I cannot agree more strongly.

The Roundup for May 1-31, 2020 Edition

Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.


For the past several weeks I’ve been sorting through all of the hundreds of photographs I’ve taken during the current state of pandemic we’re all living within. My photography is often a reflection—often unbeknownst to myself—of my thoughts and attitudes. The earliest weeks of the pandemic saw me making images of the city as though it were empty, grey, or isolated. And while those moods still pervade through later photos, there are increasingly also bursts of colour and joy, though still mixed with an emptiness to the city that calls into question what things will be like in six, twelve, or twenty-four month’s time. Many of the shots I’m taking, now, still feel almost documentary in nature, but at what point does the documentation end, and it simply becomes contemporary street photography?


Inspiring Quotation

More simply, real change only happens when the thing that white supremacists fear becomes true: that the mainstream increasingly becomes rather than simply appropriates the “ethnic.”
-Navneet Alang

Personal Photography Shots

I’ve been going out, once a week or so, to get a walk and make photos while walking around my city. Unlike past months, I’ve contributed a set of these rather than other artists’ images.

Music I’m Digging

  • Neisha Neshae-Never Know (Single) // I remain entranced by Neisha’s voice, though have to admit that this lacks the potency of her EP, Queenin’.
  • ZHU & Tinashe-Only (Single) // Beats by ZHU and vocals by him and Tinashe make for a very danceable track. I’m really hoping that they do more work together or, failing that, that we at least get more work from ZHU for the summer.
  • Yiruma-Room With A View (EP) // Without a doubt, Yiruma has created some of the most beautiful classical piano work that I’ve heard this year.
  • Kenlani-It Was Good Until It Wasn’t // The tracks “Can I” and “Everybody Business” are, for me, the real standouts on this album. I admit that I was hopeful that “Grieving”, with James Blake would be really awesome, but their styles just didn’t quite seem to come together. Her work with Tory Lanez, as well as Jhené Aiko, are far more balanced given how their styles compliment Kehlani’s own.

Good Reads

  • Barton Gellman—Dark Mirror // Gellman was one of three reporters who were directly entrusted with the Snowden archives, and spent years reporting out of the documents. His assessment of what it was like to report on what he learned, the nature of the surveillance apparatus, working with Ed Snowden, and his broader thoughts on the relationship between public government and national security are erudite and fantastically interesting. I’ve just devoured this book and cannot recommend it highly enough.
  • How Should Biden Handle China? // This piece is less useful, to be honest, in thinking through what policy the United States or its allies should adopt than is assessing engagement strategies that aren’t working. Setting aside the irregularities and chaos associated with the Trump administration’s approach, the assessment of how European efforts have been equally unhelpful are informative for guiding policy makers on what hasn’t worked even when policy activities have been carried out by governments with comparatively competent foreign policy bodies. While an understanding of what doesn’t work isn’t inherently useful in knowing what does work, it at least provides a set of strategies that seem to be unproductive to take up in a new administration.
  • 1989-1996 Canadian Housing Collapse Looks Eerily Similar to Today // Economists around the world have been warning of a Canadian housing bubble for a very long time. But Canadians have ignored the warning and dove into the market on the dual fear that they would otherwise never be able to buy a home, and the notion that renting amounts to throwing money away. The result has been a lot of Canadians owning homes they can’t afford. As the bubble pops, we’re going to see just how much economic havoc is going to follow from these decisions for the housing market as well as the economy more broadly (housing, in Canada, constitutes one of the largest sectors in the economy).
  • The Jungle Prince of Delhi // I’ve had this article open to read for months and months, but kept not getting to it. That’s a shame, as it is (and remains) a terrific story filled with past dynasties, the histories of British colonialism, the hard task of journalism, and the capability of truth to be creatively imagined into being. I can’t recommend this detective piece highly enough.