Bill C-70 Creates Legal Liabilities for Red Teams
There are some interesting cyber-related aspects of the foreign interference bill
This week Minister of Public Safety, Democratic Institutions and Intergovernmental Affairs Dominic LeBlanc tabled Bill C-70: An Act respecting countering foreign interference.
This legislation aims to beef up the Government of Canada’s ability to address foreign interference in Canada and provide CSIS with the tools to address it properly. While the cyber and digital dimensions are tertiary aspects of foreign interference, they are critical to how Russia, China, and many others carry out their foreign interference practices. How these countries conduct foreign interference in Canada is multi-pronged and requires Canada to be proactive across domains, in both human and signals intelligence capacities.
Overall, I have been greatly disappointed with Canada’s approach to foreign interference as reactive instead of proactive. Its attention is merely on what has been public, but little is being addressed about the cyber and digital aspects of foreign interference. There is an assumption that existing tools and laws are sufficient to address cyber-enabled foreign interference attempts, or they simply do not see cyberspace as part of foreign interference. The Canadian Security Establishment (CSE) does have a lot of tools and capabilities, but there appears to be nothing in the bill that would help address the abysmal cooperation and working relationship the CSE, CSIS and RCMP have. If the government believes CSE is appropriately equipped to address foreign interference, it likely shows their ignorance of Canadian intelligence practices. I see the impacts of this legislation being very muted unless the Government fixes how CSE, CSIS, and the RCMP work together because their inability to do so is increasingly a national security problem.
As we have no National Cyber Security Strategy, Canada remains a top target of ransomware groups and state actors, including Russia and China, and the CAF Cyber Command is many years away. Canada is on the wrong footing in its cyber defence, and any developments related to its national security apparatus require additional attention to how they affect Canada's cyber defence.
Bill C-70 has very little to do with cyber or information technology (there are almost no such provisions in it), but the Government has inserted one very interesting addition:
Sabotage — device
52.2 (1) Every person commits an offence who makes, possesses, sells or distributes a device intending that it be used or knowing that it will be used, in whole or in part, to carry out an offence under subsection 52(1) or 52.1(1).
Definition of device
(3) For the purposes of this section, device includes a computer program as defined in subsection 342.1(2).
Section 52.1 addresses critical/essential infrastructure and the punishments related to sabotage of that infrastructure. Tucked away is a specific subsection that clarifies that “computer programs” are considered devices under the law when used in sabotage. This is a good clarification, but it leaves open to interpretation what a “computer program” means. Those who work with computers and cyber security know that malicious software is not always a “program.” However, the courts would likely interpret this broadly to include essentially any digital practice or malware.
In addition, one aspect of this that concerns me is how it could affect those in offensive security and red teaming. The legislation largely concerns itself with sabotage that endangers the safety and well-being of Canadians, which would mean that all my offensive security friends can be relieved… or can they?
Let’s first take a look at what the Government is classifying as critical/essential infrastructure:
Definition of essential infrastructure
(2) In this section, essential infrastructure means a facility or system, whether public or private, that provides or distributes services that are essential to the health, safety, security or economic well-being of persons in Canada, including the following:
(a) transportation infrastructure;
(b) information and communication technology infrastructure;
(c) water and wastewater management infrastructure;
(d) energy and utilities infrastructure;
(e) health services infrastructure;
(f) food supply and food services infrastructure;
(g) government operations infrastructure;
(h) financial infrastructure; and
(i) any other infrastructure prescribed by regulations.
We would normally expect much of this to be considered essential infrastructure, but consider for a moment that a McDonald's is food supply and food services infrastructure, and a Shoppers Drug Mart is health services infrastructure.
Those in offensive security, either in direct operations or those who build software to support operations, must adjust their contracts to explicitly provide an exemption from the Act in executing their duties. The Act's language on making, possessing, selling or distributing a computer program only makes it an offence if the person intends, or knows, that it will be used for sabotage. However, that intent or knowledge will have to be proven in court. I do not trust or have faith in the police to understand the difference between offensive security in information security and criminals. A conviction under this law could net someone 10 years in prison, so it should concern everyone in the offensive security and red teaming industry.
While some may feel this is adequate protection, there is always a risk that we must acknowledge. There have been many stories throughout the industry of a red team engagement going wrong or of a client blaming a red team for something that was not their fault. The question is whether such an incident could elicit a criminal charge of sabotaging essential infrastructure.
In the end, if this legislation receives royal assent, it would create new legal liabilities for red teams and offensive security organizations that must be addressed in some capacity. Further, there is also the latent risk of an employee’s mistake, either knowingly or unknowingly, leading to destruction or enabling sabotage by others.
Recommendations
Although the cyber and digital aspects of foreign interference are not a top concern of the government or this bill, Bill C-70 will have a major impact on Canada’s cyber security industry.
Organizations, especially those engaged in red teaming and offensive security, should review their legal liabilities related to this act.
Introduce legal protections in your contracting immediately to provide protection from laws under Bill C-70 during the course of your contract.
If you are developing offensive security software, review your contracting language to ensure it provides protection from liability if your software is used for malicious purposes.
Contact your Member of Parliament if you are concerned about the potential liabilities associated with this.