Chapter 1

Canada’s Cyber Security Policy: a Tortuous Path Toward a Cyber Security Strategy ¹

,

 

 

 

1.1. Introduction

In this day and age, no developed nation is immune to computer attacks. The attack on many Canadian federal government servers in January 2011¹ was indicative of the state of affairs in this matter. Canada had been developing a greater awareness of the significance of this type of threat since 2001, a turning point that led to the introduction of more drastic security measures, particularly with regard to electronic security. In 2009, the Office of the Auditor General of Canada then warned the Canadian federal government that: “Threats to computer-based infrastructure, or cyber threats, are increasing and Canada is certainly not immune to them.”² The incidents related to the viruses I Love You in 2000 and MYDOOM in 2004, as well as the Slammer and Blaster worms in 2003³, illustrate the reach and impact of risks emanating from cyberspace and the problems these may cause for Canada’s national security.⁴ Moreover, these “events […] demonstrate cyber-related vulnerabilities resulting from the interdependence among critical infrastructure sectors.”⁵

In this context, a major concern of the Canadian federal government in matters of national security pertains to the protection of the critical infrastructure (CI),⁶ which is defined as “processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.”⁷ In Canada, CI includes 10 sectors, with each being a complex system in and of itself. Nevertheless, these sectors are interrelated and therefore interdependent. As has been shown, the interdependence of systems, and thus of the CI in this case, leads to an interdependence of risks, which increases the vulnerability of contemporary societies. Canadian society is not exempt from this challenge.

Faced with this reality, “cyber security [is] at the forefront of the transborder challenge to Canada’s critical infrastructure (CI).”⁸ This calls for the public management of the associated risks as well as the need to improve Canadian national cyber security. The protection of CI is inextricably linked to cyber security. According to the Canadian federal government, cyber security is related to cyber attacks in that:

“Cyber attacks include the unintentional or unauthorized access, use, manipulation, interruption or destruction (via electronic means) of electronic information and/or the electronic and physical infrastructure used to process, communicate and/or store that information. The severity of the cyber attack determines the appropriate level of response and/or mitigation measures: i.e., cyber security”.⁹

Canada’s national cyber security strategy thus consists of minimizing the impacts of possible cyber attacks and of conducting effective response actions to incidences. For example, in 2010 Canadian cyber security measures emphasized mitigation (reduction of the impact of possible attacks) and intervention (a wide range of actions to be performed in the case of an attack). The Emergency Management Act, which regulates cyber security, however, also contains provisions on prevention, namely through risk management and preparedness — two dimensions that seem removed from Canada’s national priorities in that domain in terms of implementation. Moreover, in the case of offences, the Canadian government battles against cyber crime, which it defines as “a criminal offence involving a computer as the object of the crime, or the tool used to commit a material component of the offence.”¹⁰ Two categories of cyber crime are targeted: one where the computer is a source of perpetration; and one where the computer is the object of the crime.

To reduce the reach of the risks emanating from cyberspace, the Canadian federal government commits to protect the CI, increase cyber security, and fight against cyber crime, with the view of ensuring the security of the cyberspace within its territory, and so its institutions and population. For this, progress has been made with regard to emergency management, which includes the protection of CI and cyber security. At the legislative level, the Emergency Management Act was adopted in 2007, and at the administrative level developments were instigated to improve coordination, decision-making and cooperation within emergency management. Specifically, with regard to the protection of CI and cyber security, diverse centres were created for monitoring the risks and responding to incidents. In addition, two strategies were developed and one intervention plan was implemented.¹¹ As for cyber crime, legislative and administrative amendments have been made, mainly with the view to improving the investigative powers and the implementation of tools that promote awareness-raising and denunciation.

Although effective and pertinent, the measures to advance Canada’s CI protection, cyber security and fight against cyber crime are too insignificant in scope and the speed of their implementation is certainly too slow, especially considering that the emergence of cyber space goes back to the early 1980s. The lack of speed had been assessed by the Auditor General of Canada in December 2009, mainly with regard to the implementation of emergency management measures.¹²

This finding raises questions as to the capacity of the Canadian federal authorities to identify and respond to current and emerging risks in cyberspace. In other words, is Canada equipped to respond to the threats posed by cyberspace? And, in that context, how does the Canadian federal government ensure the security of cyber space and what strategy has it developed since the emergence of the phenomenon? Finally, has Canada developed a cyber security policy that corresponds to the realities of 2012?

Of importance here is to analyze the role of the Canadian State in its capacity to ensure the security of its population and its institutions against the risks posed by the development of cyberspace. In this chapter, we will determine how the Canadian federal government ensures the security of cyberspace at the national scale and, more specifically, examine the strategy it has developed and promoted since the emergence of the phenomenon.

The chapter begins by presenting the emergence and the constraints of the national security policy in Canada, as well as the initial developments in terms of cyber security. It then proceeds to explain the acceleration of the development of cyber security policies after 9/11 and their relation to the fight against terrorism. Thereafter, the chapter analyzes the slow progression of the diverse initiatives and policies toward a strategy for the protection of CI. In conclusion, the chapter describes Canada’s current cyber security strategy.

1.2. Canada in North America: sovereign but subordinate?

The development of cyber security in Canada is largely concurrent with the development of information and communication technologies (ICTs), and in particular with the emergence of computer and Internet networks in the early 1990s. Overall, the effort of the Canadian federal government to ensure national security through the protection of telecommunications goes back to the end of World War II, and was again spurred with the onset of the Cold War.

The development of cyber security in Canada is also closely tied to its position on security and defense within the North American space. For this, the chapter will provide a brief historical overview illustrating the close link between technological developments and the Canadian military doctrine. This link determines the evolution of Canada’s defense and national security policies, and in the later development of the country’s national cyber security. The significance of this link is explained by the fact that the development of Canada’s national cyber security is largely determined by the level of importance the Canadian federal government has accorded to national and international security, within the context and the priorities established over time. This reality was thus crucial in the development of Canada’s national cyber security in terms of the directions that the Canadian federal government has pursued since the emergence of cyber space.

Canada’s national security and defence policies have always been largely determined by its relations with its immediate neighbor, the United States. To this day, Canada’s geographic location has been a main factor in the development of these policies. Moreover, US–Canadian relations have generally qualified as exceptional, although they have also been marked by tension, in particular as to the expansionist, if not continentalist, project of the US. Historically, the US expansionist drive has been contained by the influence of the United Kingdom. Formerly the motherland of the dominion and recognized as an imposing economic and military power, the UK greatly contributed to the maintenance of Canada’s sovereignty. Thus, the fact that Canada retains privileged relations with both of these two economic and military powers explains in part why, since its creation in 1867, it has experienced sustained peace, if not a certain isolationism.

However, the occurrence of the Second World War changed the course of events and marked the onset of the US–Canadian cooperation for the defense of North America. This cooperation proved to be a determining factor in the development of Canadian defense and national security, and in the reach of the American influence in these areas. We are reminded that in 1938, US President Roosevelt and Canadian Prime Minister Mackenzie King signed the Kingston Dispensation, which stipulated that the security of the neighboring state should be considered a matter of national security.¹³ The treaty contributed to the defense and national security of Canada in that the US committed to cooperate with Canada to ensure continental security as such in the case that Canadian capacities were to become overextended. However, Canada as a country nevertheless remained sovereign in these domains. The treaty obliges Canada to improve its investments in defense and national security and to consider threats directed at the US as being its own. Canadian defense and national security policies were thus to reflect these priorities. In 1940, this cooperation was further strengthened with the creation of the Canada–US Permanent Joint Board on Defence (PJBD) and then, in 1941, with the Hyde Park Declaration on the production of war material.¹⁴

The Cold War then ushered in a new strategic era for Canada with regard to both defense and national security. In terms of defense, this period was characterized by the strengthening of Canada–US cooperation, in particular with the 1946 establishment of the protection of the Arctic as a priority, and then, in 1949, with the signing of the North Atlantic Treaty, which culminated in the creation of the North Atlantic Treaty Organization (NATO) in 1951. In 1957, the newly founded North American Aerospace Defense Command (NORAD) solidified, if not embodied, the Canada–US cooperation on defense.

With the onset of the Cold War, and parallel to this the acme of Canada–US cooperation on defense, the need to ensure national security through the protection of telecommunications then emerged as a further priority for the Canadian federal government. It was in this historical context that Canadian cyber security evolved.

The ghost of the Cold War led to developments in the security of telecommunications, because “[t]he Government of Canada believes that intelligence is the foundation of our nation’s ability to effectively provide for the security of Canada and Canadians.”¹⁵ Then in 1946, by order-in-council, the federal government created the Communications Branch of the National Research Council (CBNRC), giving it the mandate to ensure the security of telecommunications and, more generally, national and international security in the context of the Cold War. To optimize its field of action, the CBNRC collaborated with diverse international partners, among them the US, UK, Australia, and New Zealand.¹⁶ In 1975, the CBNRC became the Communications Security Establishment Canada (CSEC). Since then, it has reported to the Department of National Defence (DND) and is governed by the National Defence Act. Moreover, “CSEC functions entirely within all Canadian laws, including the Canadian Charter of Rights and Freedoms, the Criminal Code, the Canadian Human Rights Act and the Privacy Act.”¹⁷ Following technological developments and emerging priorities concerning national security, the mandate of the CSEC was due for modification.

Further, the considerable development of ICT and the arrival of personal computers in the early 1980s transformed Western societies at all levels: social, political, economic, legal and institutional. That context generated a new notion of the development of societies, while also giving rise to new risks. Especially in the context of the still-ongoing Cold War, the accelerated development of ICT led to a greater recognition among governments of the need to protect citizens and institutions against the risks posed by ICT.

To this end, the Canadian federal government adopted the Canadian Security Intelligence Service Act in 1984.¹⁸ This act gave rise to the Canadian Security Intelligence Service (CSIS), which has the mandate “to investigate threats, analyze information and produce intelligence. It then reports to, and advises, the Government of Canada to protect the country and its citizens.”¹⁹ To realize its mandate, “Parliament has given CSIS extraordinary powers to intrude on the privacy of individuals. SIRC (Security Intelligence Review Committee) ensures that these powers are used legally and appropriately, in order to protect Canadians’ rights and freedoms.”²⁰ CSIS activities consist of the collection, analysis, and sharing of information with diverse partners and the public as well as security screening and research in collaboration with diverse experts.²¹ Lastly, to be discussed later, CSIS had a determining role in the development of Canada’s national cyber security, in particular on the basis of the development of ICT and the emergence of new risks.

The early 1990s were marked by the end of the Cold War and the breathtaking speed of ICT developments, which raised new issues with regard to national and international security. This called for a change in the mandate of some federal organizations, among them the CSEC, which was then expected to advise “the federal government on the security aspects of government automated information systems.”²² From then on, CSEC also functioned as Canada’s national cryptologic organization, which means that it analyzes and approves “cryptographic algorithms for the protection of all sensitive information processed by GC (Government of Canada) information technology systems.”²³

Parallel to these developments concerning ICT security, the end of the Cold War had repercussions on Canada – US cooperation in defense, one being the reduced strategic importance of NORAD, which constituted a decrease in Canada’s power with regard to defense. Nevertheless, NORAD still exists and remains pertinent, particularly with regards to the antimissile defense project and the threat of terrorist attacks. Moreover, a multilateral cooperation in defense was implemented during the Gulf War in 1991, which was considered to be the first war characterized by the extensive use of information warfare.

The Gulf War was influenced by developments in ICT that posed new stakes with regard to defense and national and international security. The Gulf War was also a determining event in the development of cyber security. During the “Desert Storm” operation, information operations (IOs) were executed by the Canadian authorities to compromise the capacities of the adversary.²⁴ IOs are defined as “physical and computer-based operations used by military forces to compromise the access to and viability of information received by the decision-makers of an enemy, while at the same time protecting their own information and information systems.”²⁵ At that time, the concept of IOs referred to a new military doctrine on information warfare. We are reminded that, traditionally, the responsibilities of national defense concern the [translation] “management of the country’s armed forces, the development of defense policies, the building of alliances, the maintenance of selfdefense capacities, and intervention beyond the national territory [and] the maintenance of the technological superiority required for conquering potential enemies on the battle field.”²⁶ The notion of IOs is thus embedded in this framework.

From this perspective, a new area of security and defense evolved that views cyber space as [translation] “a ‘place’ that must be protected, a territory where the risks to the national security must be managed.”²⁷ In this way, IOs became a new military tactic for responding to an emerging need.

However, this raises the question of whether the IOs perpetrated during the Gulf War can be associated with the concept of a [translation] “revolution in military affairs” (RMA) that has its origins in that armed conflict.²⁸ The RMA is defined as [translation] “a drastic change in the weapons systems and in the way of using them”²⁹. It led to the integration of information technologies. In this way, the RMA introduced a new way of planning defense strategies, and even of conceptualizing war.

Since the Gulf War, IOs have thus been regarded as a new technological means for staging attacks. For the US armed forces in particular, IOs have integrated certain military strategies. This recourse to information warfare, through the use of IOs represented a distinct transformation in Canadian military strategy. Nevertheless, the use of IOs by the Canadian national defense does not constitute an RMA per se, as it has not modified Canadian military doctrine. In fact, to this day, [translation] “the integration of technologies that have the capacity to change the structure and characteristics of the armed forces takes place very gradually. At this stage, ‘evolution with a revolutionary potential’ is a more appropriate way of putting it.³⁰”

This finding appears to apply to Canada, even though according to Gagnon DND has been expressing its interest in developing the RMA since about 1994. In fact, Canada’s defense policy, the Defence White Paper,³¹ was silent as to the RMA. It was not until 1999 that a first mention of the RMA was made, namely in Shaping the Future of the Canadian Forces: A Strategy for 2020, the document that launched the official national defense strategy with regard to the RMA.³² However, the fact remains that in 2004 delays were observed and that the resources allocated to this effect were limited.³³ Yet, this reality did not keep Canada from confirming its intention of developing the RMA. According to Gagnon, the Canadian reason for integrating the RMA is to [translation] “minimize the effects of the military imbalance with its neighbor to the south.”³⁴ Moreover, [translation] “by setting up its own RMA, DND is reducing Canada’s subordination to the United States.”³⁵ This finding clearly illustrates the subordination of Canada in the US–Canadian cooperation with regard to defense.

Thus, the recourse to IOs by the Canadian national defense during the Gulf War should be differentiated from the actual development of the RMA in Canada. Nevertheless, the use of IOs by Canadian Forces during that war provides evidence for the fact that concrete modifications had been made to the Canadian military combat strategy, in addition to demonstrating a case in which Canada engaged in information warfare.

Although IOs lived up to expectations of them in terms of effectiveness during the Gulf War, however, they ultimately turned out to be partially counterproductive, to the point of becoming a threat to national security for many nations that had been their instigators. With the expansion of the Internet and its use at a global scale, IOs could be realized by all types of aggressors. From then on, IOs were increasingly directed against the CI of Canada and became a real threat, to the point that the authorities considered them tools of aggression of the same order as the proliferation of weapons of mass destruction or massive corruption.³⁶ In IOs perpetrated by aggressors, the threat can take on diverse forms, among them non-authorized intrusions,³⁷ system operations, material attacks and even cyber-war.³⁸ As is to be expected, the pace of the evolution of these threats is as rapid as the evolution of the technologies they are based on. Thus, vulnerability increases to the extent that the complexity of networks continually evolves. In such a context, “One of the greatest challenges in countering the threat in the realm of IO is that borders have become meaningless to anyone operating in a virtual environment.”³⁹ This finding reaffirms the existence of the challenge that the security of cyberspace represents for national and international security. IO-related risks have thus been determining factors for cyber security, particularly in Canada.

“As a result, governments will have to set procedures in place to allow security initiatives to evolve to deal with new threats as they arise.”⁴⁰ Due to this need for continued adaptation, the concept of IOs has evolved over time and has eventually come to mean “the need for a state to maintain national security by protecting its critical information (CI) infrastructure.”⁴¹ This transformation of the concept of IOs demonstrates the close link between defense, national security, and CI protection. It constitutes the beginnings of Canadian cyber security. Thus, given the importance of CI protection for the Canadian federal government in terms of national security, it has become a priority to take stock of the state of cyber security development.

Thereby, starting in 1997, CSIS initiated the Information Operations program, which has the objective of ensuring national security through the protection of information-based CIs against intrusions and attacks.⁴² This constitutes an expansion of the concept formerly held by the federal government on cyber security in that, in addition to ensuring the security of ICT, it also includes the protection of the CI.

This idea was again brought forth in 1999 by the Senate Special Committee on Security and Intelligence. In its report, the Committee stipulated that the need to protect the CI has arisen due to “the growth of, and our increased reliance on, the critical infrastructure, combined with its complexity, has made it a potential target for physical or cyber-based terrorism.”⁴³ In this context, the Senate Special Committee proposed recommendations, among them the need to develop policies to prevent and evaluate this type of threat, to fend off attacks, or to strike back if required. Moreover, the Committee recommended allocating additional resources and evaluating the existing limits of the CI in view of improving them. Lastly, the report recommends the evaluation of the National Counter Terrorism Plan and its updating as well as the establishment of partnerships between all parties concerned.⁴⁴ This last aspect illustrates that there is a growing interest in adopting an integrated approach to national security.

Following these recommendations, the Canadian federal government created the Office of Critical Infrastructure and Emergency Preparedness. This organization “work[s] closely with the provinces and municipalities, private industry and other countries to protect Canada’s electronic infrastructure against possible cyber-based attacks and natural disasters.”⁴⁵ Thereafter, the government implemented the Liaison/Awareness Program, which is the responsibility of CSIS. This program aims to:

“develop an ongoing dialogue with both public and private organizations concerning the threat posed to Canadian interests from cyber-based attacks. The purpose of the program is to enable CSIS to collect and analyse information that will assist it in its investigation of these threats which could have implications for Canada’s national security”.⁴⁶

The program thus restates the need to develop an integrated approach to national security. It also innovates, by affirming that such an approach has become imperative for fending off cyber attacks, which constitutes a significant progress with regard to Canadian cyber security.

A further milestone in the development of Canadian national cyber security was the 1998 creation of the Canadian Computer Emergency Response Team (CanCert). CanCert “is a trusted centre for the collection, analysis and dissemination of information related to networked computer threats, vulnerabilities, incidents and incident response for Canadian governments, businesses and academic organizations.”⁴⁷ We point out, however, that CanCert activities are almost exclusively executed by Electronic Warfare Associates-Canada (EWA-Canada). Nevertheless, the creation of this center demonstrates the interest in and commitment of the Canadian federal government to the management of the risks related to cyberspace as well as the existence of effective collaborations between the public and private sectors on cyber security. It is known that [translation] “the management of emergency computer systems by for-profit organizations entailed the risk of making the networks less secure.”⁴⁸ In fact, computer security does not constitute a priority for private businesses, because [translation] “their time and money investments are above all focused on profit and client satisfaction.”⁴⁹ It can even be the case that [translation] “flaws of the computer network turn out to be a benefit.”⁵⁰ Thus, although CanCert has contributed to Canada’s cyber security, it has also raised questions as to the presence of the private sector in the sphere of national cyber security, especially as the private sector is often the main holder of the national CI.⁵¹

In other words, is Canada now reliant on private interests for the protection of its CI and cyber security, despite having maintained sovereignty with regard to defense and national security? The subsequent events of 9/11 changed the direction that had been pursued until then in this domain and incited the Canadian federal government to take concrete steps to ensure its national cyber security.

1.3. Counter-terrorism for the improvement of national security

The terrorist attacks of 9/11 were determining with regard to the defense, national security and the development of Canadian national cyber security.

For one, these events modified the perception of the risks. From 9/11 onwards, the sociopolitical risk related to terrorism was real and threatened national and international security. From then on, terrorism changed the notion of national security among the Canadian political authorities, as well as the approach to managing that risk. This, in turn, raised a significant debate within the Canadian federal government as to the existing framework concerning national security. The main topics in question pertained to the inability to anticipate these attacks or detect the risk or any information prior to execution, to the reliability on the exchange, information and communication networks, and to the capacity to respond to such events. In other words, 9/11 revealed the existence of gaps within the Canadian national security system.

This context called for a revision of the direction in which national security was headed, which took place gradually and culminated in the development of an integrated approach.⁵² The task was to improve the collaboration between the parties involved in national security and with international partners, in particular through the sharing of information and the coordination of actions. To improve efficiency, the integrated approach to national security applies a type of risk management that takes into consideration the knowledge of the risks, their evaluation and the management of the consequences, depending on the case.⁵³ Thus, this approach focuses mainly on prevention, preparation and intervention. This integrated approach to national security was made official in 2004 with the adoption of the first Canadian national security policy.

Gradual progress in that direction started to take place after 9/11. Among such progress is the development of statements, policies and legislative and administrative amendments with regard to national security. More concretely [translation]:

“The Canadian government had to, in the months following the attacks of New York and Washington, adopt a certain number of laws to counteract terrorism, increase the budgets of the various security and defence organizations, and enter into many agreements with the United States, in particular on the safety of the borders, thereby implicitly creating what is now referred to as the North-American security perimeter.”⁵⁴

In the following, we will present the milestones toward national security that were determined in the development of the Canadian national cyber security.

Starting with Fall 2001, legislative amendments were made with regard to national security. First, on November 22, the federal government adopted Bill C-42 of the Public Safety Act.⁵⁵ This act aims to improve emergency preparedness in the context of terrorist risk. However, amendments to the initial bill led the government to adoption a new bill, Bill C-44.

This bill affected many acts, in particular [translation] “the Aeronautics Act, the Canadian Air Transport Security Authority Act, the Criminal Code, the Quarantaine Act.”⁵⁶ Bill C-44 received royal sanction on December 18, 2001.

On that same day, the federal government adopted Bill C-36 on the Antiterrorism Act (ATA).⁵⁷ This act “creates offences that criminalize activities, such as participation in a terrorist group, that takes place before a terrorist event can occur.”⁵⁸ The law thereby regulates and promotes the integrated approach at two levels. First, it introduces the level of prevention to risk management. Second, it promotes collaboration between the participants from the federal departments and organizations, namely through information sharing.⁵⁹

Moreover, the ATA led to the amendment of other acts, in particular the National Defence Act,⁶⁰ the Criminal Code,⁶¹ the Canada Evidence Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the Canadian Human Rights Act, the Access to Information Act and the Personal Information Protection and Electronic Documents Act.⁶² Even though these amendments have raised many questions as to the effective reach of the ATA, the government reassures us that “[t]he ATA was designed to create a balance between the need to protect the security of Canadians and the protection of their rights and freedoms. Provisions of the ATA are clearly defined in order to target terrorists and terrorist groups.”⁶³ Moreover, the Act “did not change other pieces of legislation designed in part to address terrorist threats, such as the Immigration and Refugee Protection Act, the Security Offences Act or the Canadian Security Intelligence Service Act.”⁶⁴ Nevertheless, the ATA has improved national security in the face of the risk posed by terrorism, which is crucial for the development of Canadian national cyber security.

The ATA has a specified reach with regard to national cyber security. In fact, “[t]he Government of Canada, in response to growing cyber dependencies and global threats, has recognized the urgent and critical need to address rapidly developing IT security threats and vulnerabilities. The Information Technology Security Program provides the Government of Canada with timely, credible, unbiased insight and the technical leadership required to guide critical IT security decisions [information technologies].”⁶⁵ Given this context, and following the legislative amendments, the next step is to implement administrative amendments.

Due to the ATA and the amendments it has brought about for the National Defence Act, the CSEC assumed a new mandate: it is to develop an integrated approach by optimizing collaboration with national partners to guarantee the protection of the critical information infrastructure.⁶⁶ More concretely, the aim is to improve efficiency in the analysis of threats and vulnerabilities.⁶⁷ “The Anti-Terrorism Act also strengthened CSEC’s capacity to engage in the war on terrorism by providing needed authorities to fulfill its mandate.”⁶⁸ This intention resulted in the allocation of additional resources for improving its actions.⁶⁹ Moreover, the CSEC developed, and then implemented, the Information Technology Security Program, mandated to “ensure the reliability and the safety of the cyber-networks and of the critical infrastructure of the clients of the government of Canada.”⁷⁰ The program adopts a preventive approach by improving knowledge of the risks and by sensitizing collaborators to cyberprotection. Nevertheless, the intervention remains targeted in that it seeks “to make cyber security a business enabler.” ⁷¹

Moreover, even though the ATA “did not change […] the Canadian Security Intelligence Service Act”⁷² or the mandate of the CSIS, the budget of the organization nevertheless increased due to the fact that CSIS is now responding to an increased range of threats.⁷³ More specifically, CSIS contributes to CI protection by protecting “the physical and information technology facilities, the networks and assets […], which, if disrupted or destroyed, could seriously affect the health, safety, security and economic well-being of Canadians.”⁷⁴ Moreover, CSIS monitors the threats related to information security, among them cyber attacks, which it currently defines as “the use of information systems or computer technology either as a weapon or a target.”⁷⁵ Diverse motives are at the origin of cyber attacks, among them malicious attacks and political motivation.⁷⁶ The aggressors include people, information organizations,⁷⁷ terrorists, and criminal and extremist organizations. Moreover, the CSIS is interested in two types of cyber attacks: the denial of services and the operation of networks, both of which aim to generate instability. Nevertheless, the “CSIS confines its investigation to computer intrusions conducted with a ‘political motivation’⁷⁸” because these risks can have impacts on the critical sectors of Canada, in particular the CI. In this regard, CSIS collaborates with many federal departments and organizations,⁷⁹ among them the Royal Canadian Mounted Police (RCMP), which demonstrates the effective development of an integrated approach to national cyber security.

The RCMP is the federal police service and was established by the Royal Canadian Mounted Police Act.⁸⁰ Since the adoption of the ATA, which amended the Criminal Code, the RCMP has been granted increased authority, mainly in view of preventing and combating technological crime.⁸¹ Since this time, the fight against cyber crime has been pursued by enhancing Canadian cyber security. While CI protection remains an imperative of national security, the emergence of a new trend is taking place at the same time to advance the fight against cyber crime. To this effect, we underline that “Canada was one of the first countries to enact criminal laws in the area of computer crime (Convention on Cyber-Crime: 2001).”⁸² Moreover, on June 10, 2002, the government adopted Bill C-15A on the protection of children against sexual exploitation.⁸³

To further combat technological crime, the RCMP developed a Technological Crime Program that allows us to realize diverse types of inquiries concerning “cyber-threats and/or criminal activity on computer networks, which could have the potential to threaten one of Canada’s critical infrastructures.”⁸⁴ In parallel, the organization developed an Integrated Technological Crime Unit that has the mission to investigate “pure computer crimes, to provide forensic expertise in computerassisted crime investigations, and to investigate significant cyber crime incidents.”⁸⁵ Moreover, information and denunciation centers were created in connection with cyber crime, among them the National Child Exploitation Coordination Centre — Child Exploitation Tracking System⁸⁶ and RECOL (reporting economic crime online).⁸⁷ The sum of these legislative and administrative amendments illustrates the emergence and then the improvement of the fight against cyber crime in Canada, which optimizes national cyber security.

Nevertheless, at this time, a lot remains to be done according to the Auditor General. The report of April 2002 stipulates that “the operational and technical standards for IT security are still out-of-date, and plans and a timetable to update them have not been completed.”⁸⁸ This finding demonstrates that the development of Canadian cyber security remains at the preliminary stage.

This context incited the Office of Critical Infrastructure Protection and Emergency Preparedness to present its National Critical Infrastructure Assurance Program in November 2002. The program aimed to stimulate dialog between the diverse participants concerned and the experts, as well as to promote information sharing, partnership building, and ultimately, the development of a national strategy for the protection of the CI, including those related to information.⁸⁹ The program is crucial for designing and then implementing the integrated approach to national cyber security. However, although a declared goal, the development of an integrated approach nevertheless appears to rank second among the government priorities with regard to national security, which is focused more on the improvement of coordination.

For example, starting in 2003, organizational changes were instigated to optimize the coordination of national security. The federal government began with “the integration of the Office of Critical Infrastructure Protection and Emergency Preparedness into the Department of Public Safety and Emergency Preparedness […].”⁹⁰ Then, in the same year, the department became Public Safety Canada (PSC). Created with the goal to “ensure coordination across all federal departments and agencies responsible for national security and the safety of Canadians,”⁹¹ PSC states that “from natural disasters to crime and terrorism, our mandate is to keep Canadians safe.”⁹² To reach this objective, PSC integrates diverse organizations and maintains five fields of responsibilities: national security, emergency management, law enforcement, correctional services, and crime prevention.⁹³ Cyber security reports to the sectors of national security and emergency management, mainly through its participation in CI protection and the fight against cyber crime.⁹⁴ Within PSC, CSIS and the RCMP are the main organizations in charge of national cyber security.

The creation of PSC therefore demonstrates the formal commitment of the federal government to improve national security, in particular by optimizing the coordination of its actions. Moreover, the implementation of such coordination within one and the same department can be expected to promote the development of an integrated approach to national security and therefore to cyber security.

Nevertheless, even though this realization contributes to national security, it is insufficient. In March 2004, “the government did not have a management framework that would guide investment, management, and development decisions and allow it to direct complementary actions in separate agencies or to make choices between conflicting priorities.”⁹⁵ This finding questions the actual willingness or capacity of the federal government to ensure national security through a framework of formal integrated management. Despite this finding, however, the federal government reaffirmed its commitment to reaching this objective by adopting its first Canadian national security policy “Securing an Open Society”, in April 2004.⁹⁶

With this policy, the Canadian federal government officially recognized the security problem posed by cyberspace and affirmed that cyber security is a determining aspect of national and international security. The policy put cyber security on the agenda of federal politics, thereby greatly advancing its development.

Securing an Open Society allows the federal government to reiterate that its “core responsibility […] is to provide for the security of Canadians”.⁹⁷ Moreover, it recognizes that “national security is closely linked to both personal and international security”.⁹⁸ This is explained by the fact that the presence and emergence of new risks give rise to issues concerning both national and international security. Among these are threats posed by terrorism, infectious diseases, natural disasters, and cyber attacks on the CI.⁹⁹ In this context, “strengthening our security is also about managing and reducing risks”.¹⁰⁰ The policy promotes prevention and intervention in particular.¹⁰¹

The general objective of the policy is “to address the security interests of Canadians”.¹⁰² It is categorized into three parts: “1. protecting Canada and Canadians at home and abroad; 2. ensuring Canada is not a base for threats to our allies; and 3. contributing to international security.”¹⁰³ To reach these objectives, the federal government commits to developing an integrated approach to national security at the governmental scale.¹⁰⁴ This approach is based on the collaboration and contribution of diverse partners, as well as coordination in the case of emergency.¹⁰⁵

The policy is “a long-term strategic framework” and will be funded with a budget in the order of C$690 million.¹⁰⁶ This amount will be invested in six principal strategic sectors: information, emergency planning and management, public health, transportation safety, border security, and international security.¹⁰⁷ Of this initial amount, C$105 million is allocated to the second sector, namely emergency planning and management, which cyber security falls under.¹⁰⁸ The improvement of this sector is based on establishing the priorities starting from the gaps identified and developing a national emergency management system via an integrated approach. The main gaps in the emergency management sector concern the “capacity to manage emergencies in the areas of overall strategic co-ordination, critical infrastructure protection and cyber-security”.¹⁰⁹ To absorb these gaps, the policy targets three areas:

– developing a CI protection strategy;

– strengthening the cyber security of federal government systems; and

– forming a public–private working group on a national strategy of cyber security.¹¹⁰

This raised the need to modernize the Emergency Preparedness Act, in particular by improving “mitigation programs, critical infrastructure protection, cyber-security, information-sharing between federal departments, agreements with international and private sector partners, and protection of sensitive private sector information.”¹¹¹

Moreover, in emergency planning and management, “the federal government will often play only a supporting role in the emergency management to provinces and territories, communities, and the private sector.”¹¹² Nevertheless, that role does not limit the contribution that the federal government can and should make to the integrated approach, as it has demonstrated with this policy. According to this role, the government should “provide the leadership, resources and structures necessary to build a fully integrated and effective security system.”¹¹³ More specifically, the government develops orientations, statements of principles, as well as policies and acts concerning national security, and thereby cyber security.

Finally, by guiding the development of an integrated approach, Securing an Open Society constitutes an innovation with regard to national security and cyber security. This position translates into the gradual implementation of administrative amendments concerning national cyber security.

First, the CSEC has experienced a growth in its budget and activities related to prevention, all the while improving its collaboration with multiple partners, which advances the integrated approach promoted by the policy.¹¹⁴ Then, in October 2004, the Integrated Threat Assessment Centre (ITAC) was created.¹¹⁵ This center reports to CSIS and has the mandate to “produce comprehensive threat assessments, which are distributed within the intelligence community.”¹¹⁶ In this way, ITAC exercises a role linked to prevention, by evaluating the threats, and to intervention, by coordinating actions, depending on the situation. The creation of ITAC reflects the dual commitment of the Canadian federal government to promote an integrated approach to national security and to improve the management of risks through prevention. This commitment is important to cyber security.

Then, still in the field of emergency planning and management, the federal government developed a Federal Emergency Response Plan (FERP) in 2004, which constitutes “a framework that outlines a decision-making process to be used to coordinate emergency response activities.”¹¹⁷ FERP was born out of the need to improve the coordination of actions, in particular in the case of cyber threats or attacks. Thus, even though the national security policy recognizes the need to optimize prevention, this plan responds to the immediate priority in emergency management: intervention.

Nevertheless, the development of the integrated approach to national security remains a priority of the federal government and the statement of the national CI protection strategy confirms its commitment in that sense.

1.4. The long path to a national CI protection strategy and national cyber security strategy

First announced in 2002 and then formalized in the national security policy, the federal government released a position paper on the development of a National Critical Infrastructure Strategy on November 10, 2004.¹¹⁸ The overall objective is to reduce the vulnerability of the national critical infrastructure.¹¹⁹ More specifically, the task is to promote a national dialog with the diverse stakeholders in that field, given that “over 85 percent of Canada’s infrastructure is owned and operated by the private sector and the provinces and territories.”¹²⁰ In its mission statement, the paper declared that the strategy — to be part of the integrated approach — was to be completed by the fall of 2005.¹²¹ This demonstrates the commitment of the government to “predicting and preventing cyber attacks.”¹²² CI protection thus depends significantly on the capacity to manage cyberspace-related risks that comprise national cyber security.

The position paper lists nine principal elements that the future strategy should have. They are:

– the guiding principles;¹²³

– the orientations for establishing a framework of integrated risk management;

– the importance of information sharing;¹²⁴

– the development of an inventory of CI assets;

– the analysis and evaluation of threats and the communication required;¹²⁵

– raising awareness of the interdependencies of CIs;

– governance;¹²⁶

– research and development; and

– international cooperation.

In order to achieve this, the federal government restates the three areas targeted by the national security policy.¹²⁷ Then, in terms of actions, the government in the context of trust and governance intends to:

– establish an overview of the current measures with regard to CI;

– establish the priorities and present them, announce the principles and objectives; and

– establish the roles and responsibilities of each of the participants.

Lastly, with this paper, the federal government committed to the development of an integrated and new national CI protection strategy, which can be expected to benefit national cyber security. This commitment will result in concrete realizations at the administrative level.

In February 2005, the federal government launched the Canadian Cyber Incident Response Centre (CCIRC). The center ensures “the protection of national critical infrastructure against cyber incidents”¹²⁸ and is integrated in the Government Operations Centre (GOC).¹²⁹ To realize its mandate, CCIRC performs diverse activities and offers services related to the prevention and detection of cyber attacks coming from within or outside the country.¹³⁰ In this regard, CCIRC collaborates with diverse partners within Canada¹³¹ and internationally, and in the private sector. The creation of CCIRC and GOC are tangible results of the Canadian national security policies, which contribute to improving the integrated national security system as well as the cyber security.

Nevertheless, despite these realizations, the Auditor General emphasized in 2005 that the funds allocated to emergency management remain under-utilized and that the formerly announced legislative and administrative frameworks are still under development.¹³²

Indeed, it took until 2007 for the Emergency Management Act to become adopted.¹³³ Since then, the Act has been regulating the integrated approach to emergency management and national cyber security. The Act improves coordination and collaboration by establishing “clear roles and responsibilities for all federal ministers across the full spectrum of emergency management. This includes prevention/mitigation, preparedness, response and recovery, and critical infrastructure protection”.¹³⁴ Moreover, the Act assigns Public Safety Canada the leadership role concerning the management of national emergencies.¹³⁵ The Act also constitutes a determining tool for structuring the effective implementation of the integrated approach to national security, particularly with regard to emergency management and cyber security.

Then, in April 2009, the Standing Committee on Public Safety and National Security announced the development of a national cyber security strategy.¹³⁶ Although pertinent, this declaration proposed nothing concrete and was limited to repeating the intentions of the national security policy as well as the position paper on CI protection, both dating back to 2004.

Moreover, the slowness of the effective developments in emergency management was again underscored by the Auditor General in November 2009. In fact, one of the main challenges of the federal government consists of developing policies in ways that can be effectively and efficiently implemented.¹³⁷ In addition, PSC is working to improve the coordination of emergency measures, a task that led to the founding of PSC in 2003. Specifically, the gaps identified by PSC concern policy implementation and the responsibility of advisory departments to develop a common, and thereby integrated, approach. In this regard, the Auditor General pointed to the contradiction between the obligation to develop a common approach to emergency management (as stipulated by the Act of 2007) on one hand, and the development of standards unique to each organization according to its respective mandate on the other. This contradiction in part explains why the integrated approach is still under development in the field of emergency management.

This reality impedes the development of tangible measures for improving CI protection and national cyber security. Nevertheless, following the recommendations of the Auditor General on emergency management, the PSC committed to provide “tools and guidance for sectors to determine their processes, systems, facilities, technologies, networks, assets, and services,”¹³⁸ in addition to advising the governmental actors involved in the evaluation of CI-related risks. Moreover, PSC committed to developing “policies and programs to prepare plans for their protection.”¹³⁹ Although remarkable, this commitment illustrates that in that sector, the federal government is still in the development phase, which raises doubt as to the efficiency of the implementation of measures relative to CI protection and national cyber security.

Nevertheless, in the midst of these findings and recommendations, on December 10, 2009 the federal government implemented the Federal Policy for Emergency Management.¹⁴⁰ The objective is “to promote an integrated and resilient whole-of-government approach to emergency management planning, which includes better prevention/mitigation of, preparedness for, response to, and recovery from emergencies.”¹⁴¹ Even though the policy is largely a copy of the Emergency Management Act of 2007, it can be credited with having introduced the notion of resilience into the official discourse. Moreover, the policy is part of an integrated and all-hazards approach, where PSC is in charge of the development, implementation, and coordination of emergency management.¹⁴² The policy can thus be expected to play a crucial role in the development of an integrated approach in cyber security. Moreover, to this effect, the government has also developed learning tools to promote cyber security. The first tool explains the principal dangers existing on the Internet and proposes diverse recommendations to the citizens¹⁴³ and businesses.¹⁴⁴ This awareness-raising was prompted in part by the fact “that in 2008, businesses from all over the world declared losses of over a billion dollars in intellectual property rights due to data theft and cyber crime.”¹⁴⁵

This finding undoubtedly incited the federal government to engage in other actions. At the legislative level, two bills were introduced at the end of December 2009 in view of the [translation] “fight against crime and terrorism in a high-tech environment.”¹⁴⁶ The bills introduced were C-46, on the Investigative Powers for the 21st Century Act,¹⁴⁷ and C-47, on the Technical Assistance for Law Enforcement in the 21st Century Act.¹⁴⁸ These developments are significant in the fight against cyber crime.

At the administrative level, we point to the implementation of the FERP in March 2010.¹⁴⁹ The plan was developed by the Federal Policy for Emergency Management and structures interventions in the case of emergencies. It has the objective of improving coordination between all the participants, in addition to promoting optimal decision-making within the government.¹⁵⁰ FERP subscribes to integrated intervention, which it defined as follows: “All involved federal government institutions assist in determining overall objectives, contribute to joint plans, and maximize the use of all available resources”.¹⁵¹ From then on, the integrated approach in emergency management was based on the collaboration of the participants in the preparation of the intervention. This ‘all-hazards’ plan covers national or international emergencies that have an impact on Canada.¹⁵² In this way, FERP contributes to improving the intervention dimension of emergency management, and by extension the intervention in attacks on cyber security.

Nevertheless, FERP reaffirms the current priority, or at least the state of current developments, in terms of implementation. Even though the Emergency Management Act and the Federal Policy for Emergency Management specify four pillars of emergency management, FERP has limited powers of intervention. This raises doubt as to the efficiency of developments in national and cyber security. Moreover, even though the Federal Policy for Emergency Management and FERP seek to improve emergency management in Canada, their performance is lacking in specifics as to the developments being effected in Canadian cyber security.

As for national defense, there is no specific military doctrine with regard to information warfare in Canada. The Canadian military doctrine of 2009 indicates that it “has yet to fully account for the rapidly developing space and cyber domains, and the operational and strategic level operations and systems within which all these are nested. Nevertheless, their doctrinal foundation, and the driving CF [Canadian Forces] principles within which these will emerge are found herein.”¹⁵³ In summary, the doctrinal foundations are in essence the main principles of the Canadian armed forces. In Canada, the notion of IOs thus appears to encompass information warfare.

Despite this finding, at the level of domestic security the improvement in CI protection was delivered in 2010 with the adoption of the National Strategy for Critical Infrastructure, as well as with the adoption of Canada’s Cyber Security Strategy.

1.5. The adoption of the current strategies for CI protection and cyber security

Adopted in March 2010, the National Strategy for Critical Infrastructure defined CI as referring “to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.”¹⁵⁴ The strategy is part of an integrated and ‘all-hazards’ approach that promotes Canada’s resilience in 10 sectors: energy and public services; finances; food; transportation; the Government, ICTs; health; water; safety; and the manufacturing sector.¹⁵⁵ It aims to optimize partnerships, information sharing and data protection in these sectors, mainly in that “responsibilities […] are shared by federal, provincial and territorial governments, local authorities and critical infrastructure owners and operators”¹⁵⁶ and the general public. In compliance with the law, the four pillars of emergency management are considered according to the modalities stipulated in the Action Plan for Critical Infrastructure.¹⁵⁷ Finally, the strategy and action plan are significant developments for increasing Canada’s CI protection, and by extension its national cyber security.

Moreover, the federal government adopted on Canada’s Cyber Security Strategy October 3, 2010, which — responding to the growing number of cyber attacks — has the overall objective to “protect our economic prosperity, national security and quality of life.”¹⁵⁸ To reach these goals, the federal government is mandated to detect, prevent and defend, if need be, the general public and its infrastructures against cyber attacks.¹⁵⁹ In other words, the strategy consists of a “plan for meeting the cyber threat”¹⁶⁰ and, with that in view, “securing our cyber systems”.¹⁶¹

The main goal of the strategy is to assess the cyber threat, namely by identifying and exposing the connection between cyberspace, cyber attacks, and cyber security:

“Cyberspace is the electronic world created by interconnected networks of information technology and the information on those networks. […] Cyber attacks include the unintentional or unauthorized access, use, manipulation, interruption or destruction (via electronic means) of electronic information and/or the electronic and physical infrastructure used to process, communicate and/or store that information. The severity of the cyber attack determines the appropriate level of response and/or mitigation measures: i.e., cyber security.”¹⁶²

The strategy furthermore exposes the context in which the main cyberspacerelated risk vectors exist, in particular:

– cyber espionage and military activities supported by governments,

– the use of the Internet by terrorists, and

– cyber crime.¹⁶³

The presence of these risks entails the need to improve national cyber security, in particular through the present national cyber security strategy. This strategy is based on three pillars:

– protecting the government systems;¹⁶⁴

– building partnerships to protect the essential non-government cyber systems; and

– helping Canadians protect themselves online.

Each of these relies on the implementation of initiatives.

First, the protection of government systems is being pursued through the sharing of clear roles and responsibilities between the federal entities concerned, the increase in the security of the federal cyber systems, and awareness-raising among officials about existing measures to ensure cyber security.¹⁶⁵ This effort also seeks to engage all levels of government, namely by optimizing cooperation and increasing human and financial resources.

The sharing of responsibilities for national cyber security merits further attention. Concretely, PSC “will provide central coordination for assessing emerging complex threats and developing and promoting comprehensive, coordinated approaches to address risks within the Government and across Canada.”¹⁶⁶ Moreover, PSC disseminates information and performs activities in order to increase Canadians’ awareness of the current and emerging risks coming from cyberspace and to allow them to better protect themselves. PSC is thus mandated to prevent the threat of cyber attacks and to coordinate intervention, if necessary, in particular through CCIRC, which is in charge of monitoring cyber threats, communicating advice on tackling them, and directing national interventions in the case of cyber incidents.

In terms of analyses and investigations, CSEC works to enhance “its capacity to detect and discover threats, provide foreign intelligence and cyber security services, and to respond to cyber threats and attacks against Government networks and information technology systems.”¹⁶⁷ CSIS has the mandate to analyze “and investigate domestic and international threats to the security of Canada”.¹⁶⁸ Moreover, the RCMP “will investigate […] suspected domestic and international criminal acts against Canadian networks and critical information infrastructure”.¹⁶⁹

In addition, new players are called on to contribute to national cyber security. The “Treasury Board Secretariat will support and strengthen cyber incident management capabilities across Government, through the development of policies, standards and assessment tools. The Treasury Board Secretariat is also responsible for information technology security in the Government of Canada.”¹⁷⁰

Certain departments also have responsibilities at the national and international level. “Foreign Affairs and International Trade Canada will advise on the international dimension of cyber security and work to develop a cyber security foreign policy that will help strengthen coherence in the Government’s engagement abroad on cyber security.”¹⁷¹

Lastly, in addition to defending their own networks, collaborating with other federal departments in identifying threats, and determining possible interventions, the DND and the Canadian Forces collaborate with international allies in order to share information on best practices and “to develop the policy and legal framework for military aspects of cyber security”.¹⁷² Moreover:

“Canada and our allies understand that addressing these risks requires modernizing our military doctrines. It is for this reason that the North Atlantic Treaty Organization (NATO) has adopted several policy documents regarding cyber defence, and like the militaries of our closest allies, the Department of National Defence and the Canadian Forces are examining how Canada can best respond to future cyber attacks”.¹⁷³

On this matter, the strategy is revealing in many respects. First, it shows the effective implication of the national defense in national and international cyber security. Second, by modernizing the military doctrine to improve its capacity to either respond to cyber attacks or, if need be, to orchestrate an offensive strategy, DND is aligned with the RMA, which confirms the above-mentioned trend.

The second pillar of the strategy consists of establishing partnerships with provincial and territorial bodies or with participants from private sectors, the CI, universities and non-governmental organizations. Though not mentioned as a goal, the strategy could also benefit from effective collaborations at an international scale. In compliance with the preferred integrated approach, the initiative aims to strengthen Canada’s cyber resilience, in particular with regard to the CI. Even though collaborations are already in place in this domain, further efforts must be made to strengthen public–private partnerships, training and exercise programs, and the participation of Canada in international forums.¹⁷⁴ To this effect, the federal government implemented the Defence Research and Development Canada’s Public Security Technical Program, which seeks “to better support cyber security research and development activities.”¹⁷⁵ The program is a tangible example of how the integrated approach has been implemented with regard to national cyber security.

The third pillar of the strategy, which focuses on assisting Canadians with cyber security, emphasizes the fight against cyber crime and the protection of the general public online. To combat cyber crime, “the Royal Canadian Mounted Police will be given the resources required to establish a centralized Integrated Cyber Crime Fusion Centre,”¹⁷⁶ by means of an approach based on risk analysis. Moreover, legislative amendments are being proposed and adopted. For example, a law against identity theft has been adopted and bills are being drafted to “enhance the capacity of law enforcement to investigate and prosecute cybercrime”.¹⁷⁷ Lastly, even though members of the public have the responsibility to ensure their personal cyber security, the government promotes awareness-raising by disseminating information and safety tips on improving online protection. For example, “[t]he Government’s ultimate goal is to create a culture of cyber safety whereby Canadians are aware of both the threats and the measures they can take to ensure the safe use of cyberspace”.¹⁷⁸ The wish to develop a culture of cyber security is a new aspect of the strategy.

Following a slow take-off, Canada’s Cyber Security Strategy was finally adopted. As pointed out earlier, the time prior to the adoption of this strategy was characterized by the “coexistence of many strategies, without a real coordination for facing the computer threats,”¹⁷⁹ which limited efforts to optimize national cyber security and the development of the integrated approach in that field. The adoption of this strategy thus represents significant progress in the effort to improve national cyber security.

The strategy was tested under a true trial-by-fire circumstance through the cyber attacks of March 2010 on the servers of three major Canadian departments.¹⁸⁰ The investigations were conducted by Canada national cryptologic agency, a unit of DND. Still largely classified, these investigations give evidence to the great extent to which the computer systems of the departments concerned have been penetrated.

1.6. Conclusion

A link exists between the preferred approach to national security and the development of cyber security. In fact, the transformation of the perception of risks following 9/11 influenced the development of an integrated approach to national security, which subsequently guided the development of Canadian cyber security.

Significant developments took place concerning national security, resulting in amendments to the legislative and administrative frameworks. At the legislative level, there were amendments, the drafting of bills, and the adoption of acts relative to the fight against terrorism, emergency management, and the fight against cyber crime. At the administrative level, the mandates of some federal organizations were further elaborated and their budgets adapted accordingly. The coordination of national security was improved through the creation of PSC, followed by the adoption of the national security policy, which promotes the development of the integrated approach in particular.

The sum of these developments to national security has been a determining factor for Canada’s national cyber security. It began with the development of an integrated approach to ensure protection of CI, followed by efforts to combat first cyber crime and then cyber security. This manifested in the gradual development of position papers, followed by the adoption and implementation of two strategies — one on CI protection and the other on expanding the national cyber security. We underline that the development of these strategies is the tangible realization of two of the three main pillars of the national security policy for improving the national cyber security.

Even though these developments are significant, their actual implementation probably represents their greatest challenge. For example, according to an analysis and evaluations, the implementation of the cyber security strategy can be expected to face delays similar to those of the emergency management policy and the CI protection strategy. This assessment sheds doubt on the efficiency of the integrated national security system, and thereby on Canadian cyber security.

As for emergency management, intervention is largely focused on the other areas of risk management, despite the existence of a legislative framework that promotes an integrated and all-hazards approach. The same can therefore be expected to apply to cyber security, despite the fact that the strategy is designed to prevent cyber threats and ensure intervention in the case of cyber attacks.

Finally, even though tangible realizations have been achieved with regard to cyber security in Canada, they nevertheless remain preliminary and there is a lack of the required speed in their development and implementation. For example, a considerable delay exists between the emergence and development of cyberspace and the recognition of the risks associated with cyberspace and the development, adoption and implementations of policies, acts and concrete administrative amendments to reduce those risks. This lack of speed impedes the effort to efficiently secure cyberspace and to prepare responses to the risks experienced by members of the public, businesses and institutions in this virtual space.

The arrival of a majority federal government in 2011 and the recognition of Canada’s vulnerability with regard to cyber security will most likely accelerate the process of securing the CI. Moreover, in August 2011 the Canadian government announced the creation of Shared Services Canada. This federal organization is dedicated to bringing together centers of data storage, email services and the streamlining of the 3,000 computer networks within the Canadian government.¹⁸¹ The implementation of this federal agency is the latest initiative of the Canadian federal government with regard to cyber security and can be expected to deliver results by 2015.

1.7. Bibliography

[ARE 00] AREND S. and RABIER C., Le Processus Politique. Environnement, Prise de Décision et Pouvoir, Les Presses de l’Université d’Ottawa, 2000.

[BEC 01] BECK U., La Société du Risque. Sur la Voie d’une Autre Modernité, Paris, Flammarion, 2001.

[BOR 08] BORRAZ O., Les Politiques du Risque, Presses de Sciences, PO, 2008.

[BRU 07] BRUNET S., Société du Risque: Quelles Réponses Politiques? Paris, L’Harmattan, 2007.

[CARR 10] CARR J., Inside the Cyber Warfare. Mapping the Cyber Underworld, O’Reilly, pp. 234, 2010.

[DAV 02] DAVID C.-P. et al., Repenser la Sécurité. Nouvelles Menaces; Nouvelles Politiques, Fides, 2002.

[FOR 02] FORAND A.R., “Les Forces armées canadiennes et le verglas de 1998,” in CONOIR Y.and VERNA G., L’Action Humanitaire du Canada. Histoire, Concepts, Politiques et Pratiques de Terrain, Ste-Foy, Les Presses de l’Université Laval, pp. 338–351, 2002.

[GAG 04] GAGNON B., La révolution dans les affaires militaire au Canada: une erreur stratégique?, Master’s thesis, UQAM, 2004.

[GAG 09] GAGNON B., “Informatique et cyberterrorisme” in LEMAN-LANGLOIS S. and BRODEUR J.-P., Terrorisme et Antiterrorisme au Canada, Les Presses de l’Université de Montréal, 2009.

[GOD 02] GODARD O., HENRI C., LAGADEC P. and MICHEL-KERJAN E., Traité des Nouveaux Risques. Précaution, Risques, Assurances, Paris, Gallimard, 2002.

[HAN 08] HANSON E. C., The Information Revolution and World Politics, Lanham, Rowmann and Littlefield Publishers, 2008.

[HAS 02] HASSAN-YARI H., “Perspectives de changement pour la défense et les forces armées du Canada” in DAVID C.-P. and RAOUL-DANDURAND C., Repenser la Sécurité: Nouvelles Menaces, Nouvelles Politiques, Montreal, Fidès, pp. 233–250, 2002.

[LIB 07] LIBICKI M. C., Conquest in Cyberspace. National Security and Information Warfare, New York, Cambridge University Press, 2007.

[LEM 10] LEMAY L., La gestion publique des risques de sinistres au Québec: Analyse du développement des cadres législatif et administratif de sécurité civile de 1996 à 2009, University of Sherbrooke, Masters thesis, 2010.

[MAC 08] MACLEOD A., DUFAULT E., DUFOUR F. G. and MORIN D., Relations Internationales. Théories et Concepts, 3^rd edition, Outremont, Athéna Editions, 2008.

[NOS 07] NOSSAL K. R., ROUSSEL S. and PAQUIN S., Politique Internationale et de Défense au Canada et au Québec, Les Presses de l’Université de Montréal, 2007.

[ORG 03] ORGANIZATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT (OECD). Les Risques Émergents au XXIe Siècle, Vers un Programme d’Action, Paris, OECD, 2003.

[PAQ 09] PAQUIN S. and DESCHENES D. Introduction aux Relations Internationales: Théories, Pratiques et Enjeux, Montreal, Chenelière-Éducation, 2009.

[PEL 09] PELLETIER R. and TREMBLAY M, Le Parlementarisme canadien, 4^th edition, Quebec, Les Presses de l’Université Laval, 2009.

[RAC 02] RACICOT J.-P., “La lutte antiterroriste et les guerres de quatrième génération” in DAVID C.-P. et al., Repenser la Sécurité. Nouvelles Menaces; Nouvelles Politiques, Fides, pp. 111–133, 2002.

[ROU 03] ROUX-DUFORT C., Gérer et Décider en Situation de Crise. Outil de Diagnostic, de Prévention et de Décision, 2^nd edition, Paris, Dunod, 2003.

[TAG 04] TAGUIEFF P.-A., Le Sens du Progrès. Une Approche Historique et Philosophique, Paris, Flammarion, 2004, 2004.

1.7.1. Scientific and media articles

[DES 04] DESCHENES D., “La politique de sécurité nationale du Canada à la lumière des enjeux contemporains en sécurité publique”, Sécurité Mondiale, vol. 12, pp. 2, 2004.

[FLE 08] FLEURY G., “Internet comme vecteur de pouvoir”, Études Internationales, vol. 39, no. 1, pp. 83–104, 2008.

[JAC 07a] JACOB S. and SCHIFFINO N., “Docteur Folamour apprivoisé? Les politiques publiques du risque”, Politique et Société, vol. 26, no. 2–3, pp. 45–72, 2007.

[JAC 07b] JACOB S. and SCHIFFINO N., “Les politiques publiques du risque”, Politique et Société, vol. 26, no. 2–3, pp.1–6, 2007.

[LEM 06] LEMAN-LANGLOIS S., “Question au sujet de la cybercriminalité, le crime comme moyen de contrôle du cyberespace commercial”, Criminologie, vol. 39, no. 1, pp. 63–81, 2006.

[LOI 09] LOISEAU H. and LEMAY L., “L’hégémonie coopérative et le cyberespace: le défi de la coopération multilatérale”, Paper presented at the annual meeting of the Canadian Political Science Association, Carleton University, Ottawa, May 27–29, 2009.

[WES 12] WESTON G., “Foreign hackers attack Canadian government Computer systems at 3 key departments penetrated”, CBC News, 17 February 2011, www.cbc.ca/news/politics/story/2011/02/16/pol-weston-hacking.html, accessed January 29, 2012.

1.7.2. Primary Data

CANADIAN LEGAL INFORMATION INSTITUTE, National Defence Act, www.canlii.org/en/ca/laws/stat/rsc-1985-c-n-5/latest/rsc-1985-c-n-5.html, accessed January 29, 2012.

CANADIAN LEGAL INFORMATION INSTITUTE, Police Act, RSQ, c. P-13.1, www.canlii.org/fr/qc/legis/lois/lrq-c-p-13.1/derniere/lrq-c-p-13.1.html, accessed January 29, 2012.

CANADIAN LEGAL INFORMATION INSTITUTE, An Act respecting the ministère de la Sécurité publique, RSQ. c. M-19.3:www.canlii.org/eliisa/highlight.do?text=s%C3%A9curit%C3%A9+publique&language=fr&searchTitle=Qu%C3%A9bec&path=/fr/qc/legis/lois/lrq-c-m-19.3/derniere/lrq-c-m-19.3.html, accessed January 29, 2012.

COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, National Security, http://www.cse-cst.gc.ca/home-accueil/nat-sec/index-eng.html, accessed January 29, 2012.

COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, An Overview, www.cse-cst.gc.ca/home-accueil/about-apropos/overview-survol-eng.html, accessed January 29, 2012.

COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, Cryptographic Services, www.cse-cst.gc.ca/its-sti/services/crypto-services-crypto/index-eng.html, accessed January 29, 2012.

COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, The Anti-Terrorism Act and CSEC’s Evolution, www.cse-cst.gc.ca/home-accueil/nat-sec/ata-lat-eng.html, accessed January 29, 2012.

CANADIAN SECURITY INTELLIGENCE SERVICE, Role of CSIS, www.csis-scrs.gc.ca/bts/rlfcss-eng.asp, accessed January 29, 2012.

CANADIAN SECURITY INTELLIGENCE SERVICE, History of CSIS, www.csis-scrs.gc.ca/hstrrtfcts/hstr/brfcssndx-eng.asp, accessed January 29, 2012.

CANADIAN SECURITY INTELLIGENCE SERVICE, Integrated Threat Assessment Centre, http://www.itac.gc.ca/index-eng.asp, accessed January 29, 2012.

CANADIAN SECURITY INTELLIGENCE SERVICE, Examples of Electronic Attacks, http://www.csis-scrs.gc.ca/prrts/nfrmtn/xmpls-eng.asp, accessed January 29, 2012.

DEPARTMENT OF HOMELAND SECURITY, The National Strategy to Secure Cyberspace, February 2003, p.1, http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, Constitutional Documents, http://laws-lois.justice.gc.ca/eng/const/, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, Canadian Charter of Rights and Freedoms, http://lois.justice.gc.ca/eng/Charter/1.html, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, Canadian Human Rights Act, http://laws-lois.justice.gc.ca/eng/acts/H-6/, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, Criminal Code, http://laws-lois.justice.gc.ca/eng/acts/C-46/, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, The Anti-terrorism Act, http://canada.justice.gc.ca/fra/antiter/loiact/index.html, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, The Anti-terrorism Act. Context and Rationale, http://canada.justice.gc.ca/antiter/contextandrational-contexteetraisondetre-eng.asp, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, The Anti-terrorism Act; The ATA in Perspective, http://canada.justice.gc.ca/antiter/actloi/perspective-perspectives-eng.asp, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, Emergency Management Act, http://laws.justice.gc.ca/PDF/Loi/E/E-4.56.pdf, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, Emergency Preparedness Act, http://laws-lois.justice.gc.ca/eng/acts/E-4.6/, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, Royal Canadian Mounted Police Act, http://lois-laws.justice.gc.ca/eng/acts/R-10/index.html, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, Canadian Security Intelligence Service Act, http://lois.justice.gc.ca/PDF/Loi/C/C-23.pdf, accessed January 29, 2012.

DEPARTMENT OF JUSTICE, Privacy Act, http://lois-laws.justice.gc.ca/eng/acts/P-21/index.html; accessed January 29, 2012.

DEPARTMENT OF NATIONAL DEFENCE, CanadaFirst Defence Strategy p. 6, www.forces.gc.ca/site/pri/first-premier/June18_0910_CFDS_english_low-res.pdf, accessed January 29, 2012.

GOVERNMENT OF CANADA, Securing an Open Society: One Year Later; Progress Report on the Implementation of Canada’s National Security Policy, April 2005, p. IX, http://pco-bcp.gc.ca/docs/information/Publications/secure/secure-eng.pdf, accessed January 29, 2012.

GOVERNMENT OF CANADA, Public Works and Government Services Canada, Fiche de Renseignements: Services Partagés Canada, www.tpsgc-pwgsc.gc.ca/apropos-about/fifs/its-sct-fra.html, accessed January 29, 2012.

GOVERNMENT OF CANADA, Federal Emergency Response Plan, December 2009 www.publicsafety.gc.ca/prg/em/_fl/ferp-2011-eng.pdf, accessed January 29, 2012.

GOVERNMENT OF CANADA, Communications Security Establishment Canada, www.csecst.gc.ca/index-eng.html, accessed January 29, 2012.

GOVERNMENT OF CANADA, National Defence and Canadian Forces. http://www.forces.gc.ca/site/home-accueil-eng.asp, accessed 29 January 2012.

OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, December 2009, www.oag-bvg.gc.ca/internet/English/osh_20091202_e_33489.html, accessed January 29, 2012.

OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, March 2004, http://oag-bvg.gc.ca/internet/English/parl_oag_200403_03_e_14895.html, accessed January 29, 2012.

OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, April 2002, http://oag-bvg.gc.ca/internet/English/parl_oag_200204_03_e_12376.html, accessed January 29, 2012.National Defence. Canadian Forces Joint Publication, Canadian Military Doctrine (CFJP 01), 2009, www.cfd-cdf.forces.gc.ca/sites/page-eng.asp?page=10770, accessed January 29, 2012.

NATIONAL WHITE COLLAR CRIME CENTRE OF CANADA, Reporting Economic Crime On-Line, www.rcmp-grc.gc.ca/scams-fraudes/recol-eng.htm, accessed January 29, 2012.Privy Council Office. Securing an Open Society: Canada’s National Security Policy, April 2004, p. 16, www.pco-bcp.gc.ca/index.asp?lang=eng&page=information&sub=publications&doc=natsec-secnat/natsec-secnat_e.htm, accessed January 29, 2012.

PUBLIC SAFETY CANADA, www.publicsafety.gc.ca/index-eng.aspx, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Canada’s Cyber Security Strategy. For a Stronger and more Prosperous Canada, p. 2, www.publicsafety.gc.ca/prg/ns/cbr/_fl/ccss-scc-eng.pdf, accessed 29 January 29, 2012.

PUBLIC SAFETY CANADA, National Strategy for Critical Infrastructure, http://www.publicsafety.gc.ca/prg/ns/ci/ntnl-eng.aspx, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Action Plan for Critical Infrastructure, http://www.publicsafety.gc.ca/prg/ns/ci/index-eng.aspx, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Canada-United States Action Plan for Critical Infrastructure, www.publicsafety.gc.ca/prg/ns/ci/cnus-ct-pln-eng.aspx, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Critical Infrastructure Partners, www.publicsafety.gc.ca/prg/ns/ci/prtn-eng.aspx, accessed January 29, 2012.

PUBLIC SAFETY AND EMERGENCY PREPAREDNESS CANADA, Government of Canada Position Paper on a National Strategy for Critical Infrastructure Protection, www.acpa-ports.net/advocacy/pdfs/nscip_e.pdf, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Federal Policy for Emergency Management, December 2009, www.publicsafety.gc.ca/prg/em/_fl/fpem-12-2009-eng.pdf, accessed January 29, 2012.Public Safety Canada. About CCIRC, http://www.publicsafety.gc.ca/prg/em/ccirc/abo-eng.aspx, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Government Operations Centre, http://www.publicsafety.gc.ca/prg/em/goc/index-eng.aspx, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Security Publications, http://www.publicsafety.gc.ca/prg/em/ccirc/anre-eng.aspx, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Cyber Security. Cyber Security Matters to Everyone, Everyday, www.publicsafety.gc.ca/prg/em/cbr/csi-fra.aspx, accessed January 29, 2012.Public Safety Canada. Information Security Threats, www.csis-scrs.gc.ca/prrts/nfrmtn/index-eng.asp, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Working Against Information Security Threats, www.csis-scrs.gc.ca/prrts/nfrmtn/wrkng-eng.asp, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Sharing Information with the Public, www.csis-scrs.gc.ca/bts/shrngpblc-eng.asp, accessed January 29, 2012.

PUBLIC SAFETY CANADA, Backgrounder No. 11 — Information Operations, www.csis-scrs.gc.ca/nwsrm/bckgrndrs/bckgrndr11-eng.asp, accessed January 29, 2012.Public Safety Canada. International Counterparts, www.publicsafety.gc.ca/prg/em/ccirc/inc-eng.aspx, accessed January 29, 2012.

ROYAL CANADIAN MOUNTED POLICE, Technological Crime, www.rcmp-grc.gc.ca/tops-opst/tc-ct/index-eng.htm, accessed January 29, 2012.

ROYAL CANADIAN MOUNTED POLICE, Integrated Technological Crime Unit, www.rcmp-grc.gc.ca/on/prog-serv/itcu-gict-eng.htm, accessed January 29, 2012.

ROYAL CANADIAN MOUNTED POLICE, National Child Exploitation Coordination Centre, www.rcmp-grc.gc.ca/ncecc-cncee/index-accueil-eng.htm, accessed January 29, 2012.

ROYAL CANADIAN MOUNTED POLICE, Internet Security, www.rcmp-grc.gc.ca/qc/pub/cybercrime/cybercrime-eng.htm, accessed January 29, 2012.

SECURITY INTELLIGENCE REVIEW COMMITTEE, About SIRC, www.sirc-csars.gc.ca/abtprp/index-eng.html, accessed January 29, 2012.

STANDING COMMITTEE ON PUBLIC SAFETY AND NATIONAL SECURITY, Evidence, April 2, 2009, www.parl.gc.ca/HousePublications/Publication.aspx?DocId=3801940&Mode=1&Parl=40&Ses=2&Language=E, accessed January 29, 2012.

STATISTICS CANADA. Cyber-Crime: Issues, Data Sources, and Feasibility of Collecting Police-Reported Statistics, 2002, p. 6, http://dsp-psd.pwgsc.gc.ca/Collection/Statcan/85-558-X/85-558-XIE2002001.pdf, accessed January 29, 2012.Sûreté du Québec. Cybercriminalité, www.sq.gouv.qc.ca/cybercriminalite/cybercriminalite-surete-du-quebec.jsp, accessed January 29, 2012.

1.7.3. Websites

AUSTRALIAN GOVERNMENT, GovCERT: www.ag.gov.au/www/agd/agd.nsf/page/GovCERT, accessed January 29, 2012.

CHAIRE EN DROIT DE LA SECURITE ET DES AFFAIRES ÉLECTRONIQUE, Cybercriminalité. Lois Canadiennes, Université de Montréal, www.gautrais.com/Cybercriminalite, accessed January 29, 2012.

ELECTRONIC WARFARE ASSOCIATES (EWA), CanCert Overview. www.ewa-canada.com/cancert/index.php, accessed January 29, 2012.

GOVERNMENT COMMUNICATIONS SECURITY OFFICE OF NEW ZEALAND, Centre for Critical Infrastructure Protection, www.ncsc.govt.nz/, accessed January 29, 2012.

MARKETWIRE, Le gouvernement du Canada annonce le Plan Fédéral d’Intervention d’Urgence, www.marketwire.com/press-release/Le-gouvernement-du-Canada-annonce-le-Plan-federal-dintervention-durgence-1131647.htm, accessed January 29, 2012.

MCAFEE, Unsecured Economies: Protecting Vital Information, www.dorsey.com/files/upload/mfe_unsec_econ_pr_rpt_fnl_online_012109.pdf, accessed January 29, 2012.

RADIO-CANADA, Archives, http://archives.radio-canada.ca/guerres_conflits/conflits_moyen_orient/dossiers/581/, accessed January 29, 2012.

UNITED KINGDOM GOVERNMENT, Centre for the Protection of National Infrastructure, www.cpni.gov.uk, accessed January 29, 2012.

 

 

1 Chapter written by Hugo LOISEAU and Lina LEMAY.

1 Cyberattaque contre le gouvernement Canadien, La Défense nationale aussi ciblée, February 17, 2011, [Online]: http://www.radio-canada.ca/nouvelles/National/2011/02/17/001-cyberattaque-federal-reactions.shtml, accessed January 29, 2012.

2 OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General, December 2009. available at: www.oag-bvg.gc.ca/internet/English/osh_20091202_e_33489.html, accessed January 29, 2012. The Office of the Auditor General of Canada is the equivalent of the Cour des comptes in France and of the Government Accounting Office in the USA.

3 CANADIAN SECURITY INTELLIGENCE SERVICE, Examples of Electronic Attacks, www.csisscrs.gc.ca/prrts/nfrmtn/xmpls-eng.asp, accessed January 29, 2012.

4 P. VAN LOAN, Standing Committee on Public Safety and National Security, 40^th Parliament, 2^nd Session, Evidence of the Minister of Public Safety, April 2, 2009, www.parl.gc.ca/HousePublications/Publication.aspx?DocId=3801940&Language=E&Mode=1&Parl=40&Ses=2, accessed January 29, 2012.

5 CANADIAN SECURITY INTELLIGENCE SERVICE, Examples of Electronic Attacks, www.csisscrs.gc.ca/prrts/nfrmtn/xmpls-eng.asp.

6 In fact, “Cyber-attacks are a growing concern that have the potential to impact on a wide range of critical infrastructure that is connected through computer networks.” Privy Council Office, Securing an Open Society: Canada’s National Security, April 2004, pp. 11. www.pco-bcp.gc.ca/index.asp?lang=eng&page=information&sub=publications&doc=natsecsecnat/natsec-secnat_e.htm, accessed January 29, 2012.

7 PUBLIC SAFETY CANADA, National Strategy for Critical Infrastructure, www.publicsafety.gc.ca/prg/ns/ci/index-eng.aspx, accessed January 29, 2012.

8 PUBLIC SAFETY AND EMERGENCY PREPAREDNESS CANADA, Government of Canada Position Paper on a National Strategy for Critical Infrastructure Protection, pp. 3, www.acpaports.net/advocacy/pdfs/nscip_e.pdf, accessed January 29, 2012.

9 PUBLIC SAFETY CANADA, Canada’s Cyber Security Strategy. For a stronger and more prosperous Canada, pp. 3, www.publicsafety.gc.ca/prg/ns/cbr/_fl/ccss-scc-eng.pdf, accessed January 29, 2012.

10 STATISTICS CANADA, Cyber-Crime: Issues, Data Sources, and Feasibility of Collecting Police-reported Statistics, 2002, pp. 5, http://dsp-psd.pwgsc.gc.ca/Collection/Statcan/85-558-X/85-558-XIE2002001.pdf, accessed January 29, 2012.

11 The newly created organizations were the Government Operations Centre, the Integrated Threat Assessment Centre and the Canadian Cyber Incident Response Centre. In 2010, two strategies were adopted: the “National Critical Infrastructure Protection Strategy” and “Canada’s Cyber Security Strategy. For a Stronger and More Prosperous Canada.” In December 2009, the Federal Emergency Response Plan was adopted, which has enabled intervention in the case of national emergencies.

12 OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, December 2009.

13 The Kingston Dispensation was signed on August 18, 1938. K. R. NOSSAL, S. ROUSSEL and S. PAQUIN. Politique Internationale et de Défense au Canada et au Québec, Les Presses de l’Université de Montréal, 2007, p. 61 and 71.

14 K. R. NOSSAL, S. ROUSSEL and S. PAQUIN, Politique Internationale et de Défense au Canada et au Québec, pp. 61–63.

15 COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, National Security, www.csecst.gc.ca/home-accueil/nat-sec/index-eng.html, accessed January 29, 2012. Government of Canada, Communications Security Establishment Canada, www.cse-cst.gc.ca/index-eng.html, accessed January 29, 2012.

16 This may well be the beginning of cooperation in cyber security, as these same partners collaborated in 2010.

17 COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, CSEC: An Overview, www.csecst.gc.ca/home-accueil/about-apropos/overview-survol-eng.html, accessed January 29, 2012. DEPARTMENT OF JUSTICE, Canadian Charter of Rights and Freedoms, http://laws.justice.gc.ca/eng/Charter/; Criminal Code, laws-lois.justice.gc.ca/eng/acts/C-46/; Canadian Human Rights Act, http://laws-lois.justice.gc.ca/eng/acts/H-6/; Privacy Act, http://lois-laws.justice.gc.ca/eng/acts/P-21/index.html; sites consulted January 29, 2012.

18 DEPARTMENT OF JUSTICE, Canadian Security Intelligence Service Act, http://lois.justice.gc.ca/PDF/Loi/C/C-23.pdf, accessed January 29, 2012.

19 CANADIAN SECURITY INTELLIGENCE SERVICE, Role of CSIS, www.csis-scrs.gc.ca/bts/rlfcsseng.asp, accessed January 29, 2012; Canadian Security Intelligence Service, History of CSIS, www.csis-scrs.gc.ca/hstrrtfcts/hstr/brfcssndx-eng.asp, accessed January 29, 2012.

20 The Security Intelligence Review Committee (SIRC) monitors operations of the CSIS. SIRC has been an independent organization since 1984 and reports to the Parliament of Canada. Security Intelligence Review Committee, About SIRC, www.sirccsars.gc.ca/abtprp/index-eng.html, accessed January 29, 2012.

21 CANADIAN SECURITY INTELLIGENCE SERVICE, Role of CSIS, www.csis-scrs.gc.ca/bts/rlfcsseng.asp.

22 CANADIAN SECURITY INTELLIGENCE SERVICE, Backgrounder No. 11 — Information Operations, www.csis-scrs.gc.ca/nwsrm/bckgrndrs/bckgrndr11-eng.asp, accessed January 29, 2012.

23 COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, Cryptographic Services, www.csecst.gc.ca/its-sti/services/crypto-services-crypto/index-eng.html, accessed January 29, 2012.

24 IOs are synonymous with “computer network operations” (CNO). J. CARR, Inside the Cyber Warfare. Mapping the Cyber Underworld, O’Reilly, 2010, p. VI.

25 CANADIAN SECURITY INTELLIGENCE SERVICE, Backgrounder No. 11 — Information Operations, www.csis-scrs.gc.ca/nwsrm/bckgrndr11-eng.asp.

26 A. MACLEOD, E. DUFAULT, F. G. DUFOUR and D. MORIN. Relations Internationales. Théories et Concepts, Outremont, 3^rd edition, Athéna Editions, pp. 64–65.

27 B. GAGNON, Informatique et Cyberterrorisme, pp. 135. In: S. LEMAN-LANGOLIS and J.-P. BRODEUR, Terrorisme et Antiterrorisme au Canada, Les Presses de l’Université de Montréal.

28 B. GAGNON. La Révolution dans les Affaires Militaires au Canada: une Erreur Stratégique? Masters thesis, University of Quebec, Montreal, 2004. J.-P. RACICOT, “La lutte antiterroriste et les guerres de quatrième génération” in C.-P. DAVID, et al. Repenser la Sécurité. Nouvelles Menaces; Nouvelles Politiques, Fides, 2002, pp. 111–133. (

29 B. GAGNON, La Révolution dans les Affaires Militaires […], p. IV.

30 J.-P. RACICOT, “La lutte antiterroriste et les guerres de quatrième génération”, […], pp. 131.

31 In 1994, the Canadian federal government presented its Defence White Paper. The position paper discusses the use, management and planning of the Canadian armed forces, the vision of a safe world, and Canadian values and interests, which it tackles at three levels: 1. the protection of the nation; 2. the US?Canadian collaboration; and 3. the maintenance of global security. See also: GAGNON, B. La Révolution dans les Affaires Militaires […], pp. 65, 68 and 69.

32 B. GAGNON, La Révolution dans les Affaires Militaires au Canada […], pp. 76.

33 B. GAGNON, La Révolution dans les Affaires Militaires au Canada […], pp. 2.

34 B. GAGNON, La Révolution dans les Affaires Militaires au Canada […], pp. 92.

35 B. GAGNON, La Révolution dans les Affaires Militaires au Canada […], pp. 94.

36 Public Safety Canada, Backgrounder No. 11 — Information Operations.

37 Among these are viruses, worms, Trojan horses, etc. Public Safety Canada, Backgrounder No. 11 — Information Operations.

38 The term “cyberwar” appears in official documents of the Government of Canada. Public Safety Canada, Backgrounder No. 11 — Information Operations.

39 CANADIAN SECURITY INTELLIGENCE SERVICE, Backgrounder No. 11 — Information Operations.

40 CANADIAN SECURITY INTELLIGENCE SERVICE, Backgrounder No. 11 — Information Operations.

41 CANADIAN SECURITY INTELLIGENCE SERVICE, Backgrounder No. 11 — Information Operations.

42 That program is mandated by the CSIS Act. Public Safety Canada, Backgrounder No. 11 — Information Operations.

43 CANADIAN SECURITY INTELLIGENCE SERVICE, Backgrounder No. 11 — Information Operations.

44 CANADIAN SECURITY INTELLIGENCE SERVICE, Backgrounder No. 11 — Information Operations.

45 CANADIAN SECURITY INTELLIGENCE SERVICE, Backgrounder No. 11 — Information Operations.

46 This program also serves to protect against economic espionage. Public Safety Canada, Sharing Information with the Public, www.csis-scrs.gc.ca/bts/shrngpblc-eng.asp, accessed January 29, 2012. Public Safety Canada, Backgrounder No. 11 — Information Operations.

47 ELECTRONIC WARFARE ASSOCIATES (EWA), CanCERT Overview, www.ewacanada.com/cancert/index.php, accessed January 29, 2012.

48 B. GAGNON, Informatique et Cyberterrorisme, pp. 132.

49 B. GAGNON, Informatique et Cyberterrorisme, pp. 130.

50 B. GAGNON, Informatique et Cyberterrorisme, pp. 130.

51 In the US, 85% of the CIs belong to private interests. B. GAGNON, Informatique et Cyberterrorisme, pp. 130.

52 CANADIAN SECURITY INTELLIGENCE SERVICE, Integrated Threat Assessment Centre, www.itac.gc.ca/index-eng.asp, accessed January 29, 2012.

53 PRIVY COUNCIL OFFICE, Securing an Open Society: Canada’s National Security, April 2004, p. 16, www.pco-bcp.gc.ca/index.asp?lang=eng&page=information&sub=publications&doc=natsec-secnat/natsec-secnat_e.htm, accessed January 29, 2012.

54 K. R. NOSSAL, S. ROUSSEL and S. PAQUIN. Politique Internationale et de Défense au Canada et au Québec, Les Presses de l’Université de Montréal, 2007, pp. 69.

55 H. HASSAN-YARI, “Perspectives de changement pour la défense et les forces armées du Canada” in C.-P. DAVID and C. RAOUL-DANDURAND. Repenser la Sécurité: Nouvelles Menaces, Nouvelles Politiques, Montreal, Fidès, 2002, p. 239.

56 H. HASSAN-YARI, “Perspectives de changement pour la défense […]”, pp. 240.

57 DEPARTMENT OF JUSTICE, The Anti-terrorism Act. Context and Rationale, http://canada.justice.gc.ca/antiter/contextandrational-contexteetraisondetre-eng.asp, accessed January 29, 2012.

58 DEPARTMENT OF JUSTICE, The Anti-terrorism Act. Context and Rationale, http://canada.justice.gc.ca/antiter/contextandrational-contexteetraisondetre-eng.asp, accessed January 29, 2012.

59 The participants from the federal departments and organizations are “intelligence, foreign policy, border and customs, immigration, critical infrastructure, and law enforcement and prosecution communities.” DEPARTMENT OF JUSTICE, The Anti-Terrorism Act. Context and Rationale.

60 DEPARTMENT OF JUSTICE, The Anti-terrorism Act. The ATA in Perspective, www.justice.gc.ca/antiter/actloi/perspective-perspectives-eng.asp, accessed January 29, 2012.

61 “Prior to September 11, 2001, the Criminal Code had been amended as required to implement UN counter-terrorism instruments adopted since 1970. Law enforcement relied on the normal processes of investigation, prosecution, and conviction under the Criminal Code to address terrorism. After September 11, 2001, the Government determined that it was necessary to include specific terrorist offences in the Criminal Code, in large part to confront the issue that once a terrorist event takes place, it is too late.” Moreover, the Criminal Code was subject to amendments that had an impact on cyber security, well before the adoption of the ATA. Among these, in 1985, were the non-authorized use of a computer (section 342.1), mischief in relation to data (section 430.1.1), possession of device to obtain telecommunication facility or service (section 327), and theft of telecommunication service (section 326). In 1997, an amendment introduced diverse modifications to the Criminal Code, in particular as to the possession of devices to obtain computer service (section 342.2). STATISTICS CANADA, Cyber-Crime: Issues, Data Sources, and Feasibility of Collecting Police-Reported Statistics, p. 7, http://dsp-psd.pwgsc.gc.ca/Collection/Statcan/85-558-X/85-558-XIE2002001.pdf, accessed January 29, 2012. DEPARTMENT OF JUSTICE, The Antiterrorism Act. Context and Rationale.

62 DEPARTMENT OF JUSTICE, The Anti-terrorism Act. The ATA in Perspective, www.justice.gc.ca/antiter/actloi/perspective-perspectives-eng.asp, accessed January 29, 2012.

63 DEPARTMENT OF JUSTICE, The Anti-terrorism Act. Context and Rationale.

64 DEPARTMENT OF JUSTICE, The Anti-terrorism Act. The ATA in Perspective, www.justice.gc.ca/antiter/actloi/perspective-perspectives-eng.asp, accessed January 29, 2012.

65 COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, Information Technology Security Program, www.cse-cst.gc.ca/home-accueil/about-apropos/its-program-sti-eng.html, accessed January 29, 2012.

66 Specifically, the Act “officially recognized CSEC’s three-part mandate: A) To acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities; B) To provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; C) To provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.” Moreover, the CSEC retains its initial mandate of advising the Canadian government in matters of information technologies. Communications Security Establishment Canada, Information Technology Security Program. Communications Security Establishment Canada, What we do. Department of Justice, The ATA in Perspective.

67 COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, The Antiterrorism Act and CSEC’s Evolution, www.cse-cst.gc.ca/home-accueil/nat-sec/ata-lat-eng.html, accessed January 29, 2012.

68 COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, What we do.

69 The attacks of September 11 have led to a 25% increase of the CSEC budget. Moreover, CSEC performs analyses of the vulnerabilities, by “working to predict and prevent cyber attacks, developing and approving cryptographic systems, supporting research and development, and providing IT security advice and services in support of national interests.” Privy Council Office, Securing an Open Society […]; Communications Security Establishment Canada, CSEC: An Overview, www.cse-cst.gc.ca/home-accueil/about-apropos/overview-survol-eng.html, accessed January 29, 2012.

70 COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, Information Technology Security Program.

71 COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, Information Technology Security Program.

72 DEPARTMENT OF JUSTICE, The Anti-terrorism Act. Context and Rationale.

73 The terrorist attacks of 2001 have led to a 30% increase in the CSIS budget. Since then, CSIS has monitored diverse threats, among them “terrorism, the proliferation of weapons of mass destruction, espionage, foreign interference and cyber-tampering affecting critical infrastructure”. CANADIAN SECURITY INTELLIGENCE SERVICE, Role of CSIS, www.csisscrs.gc.ca/bts/rlfcss-eng.asp, accessed January 29, 2012; PRIVY COUNCIL OFFICE, Securing an Open Society […].

74 PUBLIC SAFETY CANADA, Information Security Threats, www.csisscrs.gc.ca/prrts/nfrmtn/index-eng.asp, accessed January 29, 2012.

75 PUBLIC SAFETY CANADA, Information Security Threats.

76 Please note that “[t]here is an increasing potential for politically motivated DoS [denial of services] or network exploitation activities.” PUBLIC SAFETY CANADA, Information Security Threats.

77 This concerns espionage from certain governments. PUBLIC SAFETY CANADA, Information Security Threats.

78 “CSIS focuses its investigations on threats or incidents where the integrity, confidentiality or availability of critical information infrastructure is affected. Three conditions must be present in order for CSIS to initiate an ‘information operations’ investigation. The incident must: be a computer-based attack; appear to be orchestrated by a foreign government, terrorist group, or politically motivated extremists; and be done for the purpose of espionage, sabotage, foreign influence, or politically motivated violence (terrorism).” PUBLIC SAFETY CANADA, Working Against Information Security Threats, www.csisscrs.gc.ca/prrts/nfrmtn/wrkng-eng.asp, accessed January 29, 2012.

79 Among these are Office of Critical Infrastructure Protection and Emergency Preparedness, the Department of National Defence, through the Communications Security Establishment Canada (CSEC), and the RCMP.

80 DEPARTMENT OF JUSTICE CANADA, Royal Canadian Mounted Police Act, http://lois-laws.justice.gc.ca/eng/acts/R-10/index.html, accessed January 29, 2012.

81 Technological crime is defined as “the use of computers or other high-tech equipment in the commission of a criminal act.” ROYAL CANADIAN MOUNTED POLICE, Technological Crime, www.rcmp-grc.gc.ca/tops-opst/tc-ct/index-eng.htm, accessed January 29, 2012.

82 STATISTICS CANADA, Cyber-Crime: Issues, Data Sources, and Feasibility of Collecting Police-Reported Statistics, 2002, pp. 7, http://dsp-psd.pwgsc.gc.ca/Collection/Statcan/85-558-X/85-558-XIE2002001.pdf, accessed January 29, 2012.

83 The objective of the Act is to prevent the proliferation of child pornography. STATISTICS CANADA, Cyber-Crime: Issues, Data Sources, and Feasibility of Collecting Police-Reported Statistics, pp. 7.

84 ROYAL CANADIAN MOUNTED POLICE, Technological Crime.

85 ROYAL CANADIAN MOUNTED POLICE, Integrated Technological Crime Unit, www.rcmp-grc.gc.ca/on/prog-serv/itcu-gict-eng.htm, accessed January 29, 2012.

86 This centre is aligned with Canada’s “National Strategy to Protect Children from Sexual Exploitation on the Internet”. It has the mandate to “reduce the vulnerability of children to Internet-facilitated sexual exploitation by identifying victimized children; investigating and assisting in the prosecution of sexual offenders; and, strengthening the capacity of municipal, territorial, provincial, federal, and international police agencies through training and investigative support.” ROYAL CANADIAN MOUNTED POLICE, National Child Exploitation Coordination Centre, www.rcmp-grc.gc.ca/ncecc-cncee/index-accueil-eng.htm, accessed January 29, 2012.

87 RECOL is a part of the National White Collar Crime Centre of Canada and allows for the online reporting of acts of white collar crimes, among them those related to cyber crime. National White Collar Crime Centre of Canada, Reporting Economic Crime On-Line, www.rcmp-grc.gc.ca/scams-fraudes/recol-eng.htm, accessed January 29, 2012.

88 OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, April 2002, http://oag-bvg.gc.ca/internet/English/parl_oag_200204_03_e_12376.html, accessed January 29, 2012.

89 PUBLIC SAFETY AND EMERGENCY PREPAREDNESS CANADA, Government of Canada Position Paper on a National Strategy for Critical Infrastructure Protection, pp. 5–6.

90 “[…] which merged into a single area the Government’s strategic response capabilities for both non-terrorist emergencies and terrorist emergencies, and buttressed the ability of the Government to effectively connect with provincial and territorial emergency preparedness networks.” Privy Council Office, Securing an Open Society […], pp. 20; PUBLIC SAFETY CANADA, Backgrounder No. 11 — Information Operations.

91 PUBLIC SAFETY CANADA, About us, www.publicsafety.gc.ca/abt/index-eng.aspx, accessed January 29, 2012.

92 PUBLIC SAFETY CANADA, About us.

93 PUBLIC SAFETY CANADA, Donnez un Sens à Votre Avenir, publication of the Government of Canada, pp. 2–3.

94 The management of emergencies is regulated by the Emergency Preparedness Act. DEPARTMENT OF JUSTICE, Emergency Preparedness Act, http://lawslois.justice.gc.ca/eng/acts/E-4.6/, accessed January 29, 2012.

95 The federal government has invested more than additional C$7 billion over five years to ensure the public safety and to counter terrorism. OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, March 2004, http://oagbvg.gc.ca/internet/English/parl_oag_200403_03_e_14895.html, accessed January 29, 2012.

96 PRIVY COUNCIL OFFICE, Securing an Open Society […].

97 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 1.

98 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 3.

99 PRIVY COUNCIL OFFICE, Securing an Open Society […], p. 8. Government of Canada, Securing an Open Society: Progress Report on the Implementation of Canada’s National Security Policy, April 2005, pp. IX, www.pco-bcp.gc.ca/docs/information/publications/secure/secure-eng.pdf, accessed January 29, 2012.

100 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 11.

101 The prevention consists of the evaluation of the threats and of interventions in the management of threat-related effects. Privy Council Office, Securing an Open Society […], pp. 12.

102 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp.12.

103 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp.vii.

104 In a report, the Auditor General states that the lack of integration was a major weakness of national security. With this policy, the government wishes to respond to this critique by developing the integrated approach. PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 12.

105 The partners involved in national security policy are the provinces, territories, communities, the private sector, and allies as well as individual Canadians. PRIVY COUNCIL OFFICE, Securing an Open Society […], p. iv, 9.

106 This amount is added to the C$8 billion already invested in the effort to reduce the gaps previously observed. These investments have allowed the realization of organizational changes. PRIVY COUNCIL OFFICE, Securing an Open Society […], preface.

107 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 4–6.

108 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 22.

109 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 20 and 22.

110 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 22.

111 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 25.

112 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 22.

113 PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 9.

114 An increase in the budget allocated to the emergency planning and management sector allowed CSEC to improve its capacities for data collection, analysis, and evaluation, to increase its antiterrorist activities, and to improve collaborations and interdepartmental communications. Among the achievements was the cryptography modernization project as well as the creation, in January 2005, of a forum on cyberprotection, in collaboration with diverse participants such as government representatives, computer security professionals, and representatives from the private sector. The emergency planning and management sector has a budget of C$56 million over five years. Moreover, the 2005 budget for national safety granted additional financial resources of C$1 billion over five years. If including this amount, the overall investment has amounted to C$9.6 billion since September 11, 2001. PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 5, 19 and 24. COMMUNICATIONS SECURITY ESTABLISHMENT CANADA, The Anti-terrorism Act and CSEC’s Evolution, www.csecst.gc.ca/home-accueil/nat-sec/ata-lat-eng.html, accessed January 29, 2012.

115 ITAC is a new component of the national safety policy. PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. 13 and 15. The centre has been in operation since October 15, 2004 and reports to the CSIS. It has a five-year budget of C$30 million. CANADIAN SECURITY INTELLIGENCE SERVICE, Integrated Threat Assessment Centre.

116 This community consists mainly of PSC, the CSIS, Canada Border Services Agency, Communications Security Establishment Canada, the DND, Foreign Affairs and International Trade Canada, the Privy Council Office, Transport Canada, Correctional Service Canada, the Financial Transactions Reports Analysis Centre of Canada, the RCMP, the Ontario Provincial Police, and Sûreté du Québec. If need be, other partners can be invited, such as the Agriculture and Agrofood, Health, Environment, and Natural Resources departments of Canada. CANADIAN SECURITY INTELLIGENCE SERVICE, Integrated Threat Assessment Centre.

117 However, at the end of 2009, the plan was still under development. OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, December 2009.

118 PUBLIC SAFETY AND EMERGENCY PREPAREDNESS CANADA, Government of Canada Position Paper on a National Strategy for Critical Infrastructure Protection, www.acpaports.net/advocacy/pdfs/nscip_e.pdf, accessed January 29, 2012. The development of such a strategy was one of the innovative aspects of the national security policy of 2004. PRIVY COUNCIL OFFICE. Securing an Open Society […], pp. 23 and 35.

119 In 2004, the national critical infrastructures are defined as the “physical and information technology facilities, networks, services and assets, which if disrupted or destroyed would have a serious impact on the health, safety, security or economic well-being of Canadians or the effective functioning of governments in Canada.” The national critical infrastructures have been divided into the following 10 sectors: energy and utilities; ICT; finance; healthcare; food; water; transportation; safety; government; and manufacturing. PUBLIC SAFETY AND EMERGENCY PREPAREDNESS CANADA, Government of Canada Position Paper […],pp. 5.

120 PUBLIC SAFETY AND EMERGENCY PREPAREDNESS CANADA, Government of Canada Position Paper […], pp. 5.

121 By the end of 2009, PSC was still in the process of developing “an implementation plan for its proposed national critical infrastructure strategy and has taken the first step in drafting the strategy. […] However, progress has been slow and it has not yet determined what infrastructure is critical at the federal level or how to protect it.” OFFICE OF THE AUDITOR GENERAL OF CANADA, 2009 Fall Report of the Auditor General, December 2009.

122 Public Safety and Emergency Preparedness Canada, Government of Canada Position Paper […], pp. 3

123 The guiding principles are: awareness, integration, participation, accountability, and an all-hazards approach. PUBLIC SAFETY AND EMERGENCY PREPAREDNESS CANADA, Government of Canada Position Paper […], pp. 6.

124 Given the diversity of participants involved in the CI, the federal government is taking on the mandate of coordinating information sharing. PUBLIC SAFETY AND EMERGENCY PREPAREDNESS CANADA, Government of Canada Position Paper […], pp. 8.

125 ITAC has a determining role with regard to this. PUBLIC SAFETY AND EMERGENCY PREPAREDNESS CANADA, Government of Canada Position Paper […], pp. 10.

126 This applies to coordination at the national scale. PUBLIC SAFETY AND EMERGENCY PREPAREDNESS CANADA, Government of Canada Position Paper […], pp. 11.

127 We are reminded of the creation of a working group, the development of a national cyber security strategy, and the revision of the Emergency Preparedness Act.

128 PUBLIC SAFETY CANADA, About CCIRC, www.publicsafety.gc.ca/prg/em/ccirc/aboeng.aspx, accessed January 29, 2012.

129 GOC retains an operational role by ensuring coordination at the national level of interventions in the case of disasters or incidents related to the national security. PUBLIC SAFETY CANADA, Government Operations Centre, www.publicsafety.gc.ca/prg/em/goc/index-eng.aspx, accessed January 29, 2012. GOVERNMENT OF CANADA. Securing an Open Society […], pp. XI, 4 and 19.

130 CCIRC monitors cyber-related threats, manages information (collect, analyze, and disseminate), ensures the national coordination of responses to cyber incidents, fosters information sharing, and builds partnerships. In addition, it issues security publications and provides encryption services, diverse products and recommendations. It also has a Cyber Duty Officer as a point of contact. PUBLIC SAFETY CANADA, About CCIRC; PUBLIC SAFETY CANADA, Analytical releases 2011, www.publicsafety.gc.ca/prg/em/ccirc/anre-eng.aspx, accessed January 29, 2012. Privy Council Office, Securing an Open Society […], pp. 23.

131 CCIRC collaborates with many federal departments, among them the RCMP, CSIS, CSEC, DND, the Treasury Board of Canada Secretariat, Foreign Affairs and International Trade Canada (DFAIT) and Health Canada. It also collaborates with “provincial and territorial governments and owners of major critical infrastructure.” PUBLIC SAFETY CANADA, About CCIRC.

132 OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General, April 2005, http://oag-bvg.gc.ca/internet/English/parl_oag_200504_02_e_14933.html, accessed January 29, 2012. PRIVY COUNCIL OFFICE, Securing an Open Society […], pp. X.

133 This Act replaces the Emergency Preparedness Act and results from the announcement made by the federal government, in the national security policy of 2004, to modernize the Emergency Preparedness Act. DEPARTMENT OF JUSTICE, Emergency Management Act, http://laws.justice.gc.ca/PDF/Loi/E/E-4.56.pdf, accessed January 29, 2012.

134 PUBLIC SAFETY CANADA, Emergency Management Act.

135 OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, December 2009.

136 STANDING COMMITTEE ON PUBLIC SAFETY AND NATIONAL SECURITY, Evidence, April 2, 2009, www.parl.gc.ca/HousePublications/Publication.aspx?DocId=3801940&Mode=1&Parl=40&Ses=2&Language=E, accessed January 29, 2012.

137 For this, the risk analysis, resources, and impacts of the policies should be improved prior to their implementation. OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, 2009 Fall Report, www.oag-bvg.gc.ca/internet/English/parl_oag_200911_e_33252.html, accessed January 29, 2012.

138 OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, Fall 2009.

139 OFFICE OF THE AUDITOR GENERAL OF CANADA, Report of the Auditor General of Canada, Fall 2009.

140 This policy is tied to the Emergency Management Act of 2007 and the National Security Policy of 2004. PUBLIC SAFETY CANADA, Federal Policy for Emergency Management, December 2009, www.publicsafety.gc.ca/prg/em/_fl/fpem-12-2009-eng.pdf, accessed January 29, 2012.

141 This replaces the Federal Policy for Emergency Management of 1995.

142 PUBLIC SAFETY CANADA, Federal Policy for Emergency Management, pp. 2.

143 Cyber security threats to citizens include hacking and malicious logic, offensive material, traditional offences, unsolicited emails, the protection of privacy, and risks to children. To this online fraud, threats, and harassment are added. Moreover, PSC disseminates information on identity theft and the sexual exploitation of children, the latter through the Cyberaide.ca site, Canada’s national tip line for reporting the online sexual exploitation of children. This tool allows us to optimize the fight against cyber crime. THE ROYAL CANADIAN MOUNTED POLICE, Internet Security, www.rcmp-grc.gc.ca/qc/pub/cybercrime/cybercrime-eng.htm, accessed January , 2012. PUBLIC SAFETY CANADA, Cyber Security Information for Canadians, www.publicsafety.gc.ca/prg/em/cbr/csi-fra.aspx, accessed January 29, 2012. Cyberaide.ca “received and analyzed almost 30,000 tips about potential cases of online child exploitation since September 2002”. PUBLIC SAFETY CANADA, Cyber Security Information for Canadians.

144 Cyber security threats to businesses include the theft of confidential information and intellectual property. The federal government informs businesses of the measures to take, in particular, for improving the monitoring of threats or reporting of cyber incidents. Threat monitoring is performed through CCIRC and the reporting of cyber incidents through RECOL. PUBLIC SAFETY CANADA, Cyber Security Information for Canadian Businesses, www.publicsafety.gc.ca/prg/em/cbr/csb-fra.aspx, accessed January 29, 2012.

145 MCAFEE, Unsecured Economies: Protecting Vital Information, www.dorsey.com/files/upload/mfe_unsec_econ_pr_rpt_fnl_online_012109.pdf, accessed January 29, 2012. PUBLIC SAFETY CANADA, Cyber Security Information for Canadian Businesses.

146 PUBLIC SAFETY CANADA, Cyber Security Information for Canadian Businesses.

147 Bill C-46 [translation] “modernizes certain offences and creates new investigative powers to efficiently combat crime in the modern computers and telecommunications environment.” PUBLIC SAFETY CANADA, Cyber Security Information for Canadian Businesses.

148 Bill C-47 [translation] “will oblige service suppliers to install equipment facilitating the interception of their networks.” PUBLIC SAFETY CANADA, Cyber Security Information for Canadian Businesses.

149 The publication date of the official document is December 2009. Nevertheless, the press release was issued on March 15, 2010. The plan had been announced as early as 2004. Marketwire, Le Gouvernement du Canada Annonce le Plan Fédéral d’Intervention d’Urgence, www.marketwire.com/press-release/Le-gouvernement-du-Canada-annonce-le-Plan-federal-dintervention-durgence-1131647.htm, accessed January 29, 2012. GOVERNMENT OF CANADA, Federal Emergency Response Plan, December 2009, www.publicsafety.gc.ca/prg/em/_fl/ferp-2011-eng.pdf, accessed January 29, 2012.

150 The principal participants are federal, provincial, and territorial governments, nongovernmental organizations, and the sector private.

151 GOVERNMENT OF CANADA, Federal Emergency Response Plan, December 2009, pp. 2.

152 FERP considers certain specific situations as requiring the integrated intervention of the Canadian goverment. Among these are the request for help from a province or a territory or any emergency situation requiring the intervention of several departments and where the coordination of intervention is necessary. The integrated intervention of the government of Canada has also provided for any emergency situation that directly [translation] “concerns the assets, services, employees, powers conferred by the law, or responsibilities of the federal government, that compromises the trust in the federal government, […or that] affects other elements of national interest”. GOVERNMENT OF CANADA, Federal Emergency Response Plan, pp. 3, http://tvanouvelles.ca/lcn/infos/national/archives/2010/03/20100315-162149.html, accessed 29 January 2012.

153 NATIONAL DEFENCE, Canadian Forces Joint Publication, Canadian Military Doctrine (CFJP 01), 2009, www.cfd-cdf.forces.gc.ca/sites/page-eng.asp?page=10770, accessed January 29, 2012.

154 We are reminded that this strategy was implemented almost six years after the Government of Canada Position Paper […], published in November 2004. PUBLIC SAFETY CANADA, National Strategy for Critical Infrastructure.

155 PUBLIC SAFETY CANADA, National Strategy for Critical Infrastructure.

156 PUBLIC SAFETY CANADA, National Strategy for Critical Infrastructure, www.publicsafety.gc.ca/prg/em/ci/ntnl-eng.aspx, accessed January 22, 2010

157 This plan is based on three components: partnerships, risk management, and information sharing. To this effect, diverse activities are foreseen. PUBLIC SAFETY CANADA, Action Plan for Critical Infrastructure, www.publicsafety.gc.ca/prg/ns/ci/index-eng.aspx, accessed January 29, 2012.

158 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy. For a stronger and more prosperous Canada, 2010, pp. 14; PUBLIC SAFETY CANADA, Government of Canada launches Canada’s Cyber Security Strategy, October 3, 2010, www.publicsafety.gc.ca/media/nr/2010/nr20101003-eng.aspx?rss=false, accessed January 29, 2012.

159 “The Government is entrusted with safeguarding some of our most personal and sensitive information in its electronic databases. It provides services to Canadians and the private sector through its websites and electronic processing systems. And the Government transmits highly classified information essential to our military and national security operations via its classified communications systems.” GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 9.

160 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 7.

161 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 14.

162 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 2–3.

163 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 5–6.

164 The protection of government systems involves the development and implementation of structures, tools and personnel to ensure cyber security.

165 An increase in the security of federal cyber systems will require new investments, allowing the emerging risks to be addressed. In this context, the expertise, systems, and existing frameworks will also have to be improved. The awareness-raising component consists of the effective application of the main protection measures in the field of cyber security.

166 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 9–10.

167 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 10.

168 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 10.

169 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 10.

170 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 10.

171 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 10.

172 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp.10.

173 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp.5.

174 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp.13.

175 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp.11.

176 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 13.

177 The Bill has objectives that include “Making it a crime to use a computer system to sexually exploit a child; Requiring Internet service providers to maintain intercept capable systems, so that law enforcement agencies can execute judicially authorized interceptions; Requiring Internet service providers to provide police with basic customer identification data, as this information is essential to combatting online crimes that occur in real time, such as child sexual abuse; and Increasing the assistance that Canada provides to its treaty partners in fighting serious crimes.” GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 13.

178 GOVERNMENT OF CANADA, Canada’s Cyber Security Strategy […], pp. 13.

179 B. GAGNON, Informatique et Cyberterrorisme.

180 G. WESTON, “Foreign hackers attack Canadian government; Computer systems at 3 key departments penetrated”, CBC News, February 17, 2011, www.cbc.ca/news/politics/story/2011/02/16/pol-weston-hacking.html, accessed January 29, 2012.

181 GOVERNMENT OF CANADA, Public Works and Government Services Canada, Fiche de renseignements: Services partagés Canada, www.tpsgc-pwgsc.gc.ca/apropos-about/fi-fs/its-sct-fra.html, accessed January 29, 2012.