Cybersecurity & politics - podcast episode cover

Cybersecurity & politics

Sep 26, 202433 minSeason 2Ep. 4
--:--
--:--
Download Metacast podcast app
Listen to this episode in Metacast mobile app
Don't just listen to podcasts. Learn from them with transcripts, summaries, and chapters for every episode. Skim, search, and bookmark insights. Learn more

Episode description

We're exploring the relationship between cybersecurity and national security—with a spotlight on recent cyber threats in Canada. We welcome guest Aaron Shull, Managing Director and General Counsel at CIGI, to share insight into Canada's election security, highlighting the resilience of our paper-backed ballot system. Next, we turn our attention to the increasingly prevalent cyber attacks on political campaigns and party infrastructures. We also delve into the risks associated with emerging AI technologies, emphasizing the urgent need for strategic governance to prevent their misuse.

Transcript

Cybersecurity Impact on Global Politics

Speaker 1

It's the year 2008 , and a Dutch engineer named Erik van Saben is on a vacation to see his wife's family in Iran . Now Erik has something special with him A computer file not much more than one megabyte in size . In size , he makes a diversion to an Iranian nuclear facility and uploads the file , changing the face of warfare forever .

Speaker 2

We have entered into a new phase of conflict , in which we use a cyber weapon to create physical destruction .

Speaker 1

Eric Van Saben was introducing a new cyber weapon that became known as Stuxnet . It was a computer worm that subtly interfered with settings in the nuclear facility , crashing its technology over years . But staying hidden . Stuxnet had been developed by the US government to sabotage Iran's development of nuclear weapons .

In terms of cyber weapons , this was the equivalent of the moon landing , and when finally revealed years later , it stunned the world , offering an insight into the future of war , terrorism and geopolitics .

Speaker 3

First sign of World War III is gonna be that your lights are gonna turn off and your water's gonna stop working .

Speaker 1

Hackers now have the ability to cause physical damage to critical infrastructure , as well as interfering in elections . So today , on what's Up with the Internet , we want to look at the way cybersecurity is impacting politics , both nationally and globally .

Both nationally and globally , this show is created by CIRA , the Canadian Internet Registration Authority , which is building a trusted internet for Canadians , and I'm your host , takara Small . This is an issue that is already impacting Canadians .

Last year , hackers in India disabled government websites , all in retaliation after Prime Minister Trudeau accused India of being involved in a murder in BC . It was a relatively small incident , but it demonstrated how political decisions can lead to cyber attacks here . The government's baseline cyber threat assessment last year also held this message .

The center is warning Canadians that cyber criminals will likely target Canada's national security and economic prosperity within the next two years . Many experts believe dormant malware could already be embedded in parts of our infrastructure , just waiting to be activated by an enemy in the event a conflict breaks out .

In fact , leaked US intelligence documents last year said that Russian-backed hackers have gained access to Canada's natural gas distribution network , and Russian hackers have promised to attack countries that provide support to Ukraine in the ongoing war . So what is the current state of play when cybersecurity intersects with national security ?

To discuss all of this , we've got a really great guest . Aaron Schull is the Managing Director and General Counsel at CIGI , that's the Centre for International Governance and Innovation in Waterloo , ontario . Aaron is a senior legal executive and is a leading expert on public policy , emerging technology and cyber security .

Can you explain the ways in which cyber security can impact or threaten our politics in Canada ?

Speaker 3

Yeah , sure , I mean , there's actually a lot going on in that question . It sounds kind of simple , but there's a couple of pieces . And you know it's hard because you're living in Canada .

But a lot of our news comes from the US and so we tend to , I think , infuse our understanding of elections and cybersecurity with stuff that we're seeing in the US , and the biggest thing that we saw down there was the , let's say , attacks on Dominion voting systems .

You know , fox News got sued to the tune of about a billion dollars as a consequence of defamation about those voting systems , and so , you know , even some of former President Trump's lawyers were making pretty outlandish claims about .

You know , hugo Chavez , you know , doing the source code or whatever for Dominion Systems like a whole bunch of just nonsense , right . And so I'm going to answer the question as it relates to Canada . But I don't think we can divorce our public understanding of what's going on in Canada without a little bit of you know pepper from the United States .

So , with that giant footnote at the front end , you know , canada , we have a paper backed ballot , and I have yet to see a hacker that can , that can hack a piece of paper , right , like it just so like that . That is the starting point , right , like all in in federal elections , we've got a paperback ballot system .

In the next election , you will walk into a booth and you will , you will take a pencil and you will put your vote on that piece of paper and and then they go through a Scantron . The same way , as you know , every single undergraduate exam in the country , they go through a scantron to count them .

But if you want to count them by hand , it's possible , right , and so all that to say , cybersecurity threatening the actual voting process in Canada is unlikely by virtue of that paperback ballot .

Cyber Attacks on Political Campaigns

That being said , there's a lot of other stuff going on here , right , and so the big one is gonna be cyber attacks on political campaigns and political party infrastructure .

That's a live issue , right , and so the big thing there is gonna be potential breaches of sense of political communications , and so we saw this a little bit in when it kind of started in 2016 . The Secretary Clinton's campaign manager was this guy named John Podesta .

The Russians hacked John Podesta's emails and started leaking sensitive or embarrassing stuff , and then that can be used to manipulate public opinion through social media and other outreach . And so , while our election infrastructure itself is safe because of that paperback ballot .

I would expect that if we're talking about cybersecurity and politics , it's going to be principally attacks on political campaigns and party infrastructure , and then the misinformation or disinformation machine that spins up once they've got access to sensitive political communications or internal emails .

Speaker 1

Okay . So now it feels like this is a threat not just to the Canadian political system , but nationally and internationally as well . At the same time , Is this going to continue to grow ? I can only imagine what the next five , 10 years will be like then .

Speaker 3

Yeah , yeah , I mean . So think about it like this , right , like what's the point of attacking elections to begin with ? Right , like so , because you know someone's doing this . It's not like it's not ethereal , right , it's not a state of nature , like someone's actually taking a positive action here to try and do this stuff .

And I think , if you're a hostile state actor , they're looking at a couple of things , right . The big piece is they want to erode public trust and electoral processes , right and so , and potentially like , sometimes that's just enough , right , throw in a Molotov cocktail and watch it burn . Right , so , just to mess with democracy .

But you know there can be preferential outcomes , and so you can think that they might wish to influence the election outcome or create political instability and uncertainty or damage the reputations of political figures and institutions . So I think that's going to be on the rise for a few different reasons .

The first is relations with certain hostile state actors are not great , right and so , just looking at the trend lines , if this was something that they prosecuted in previous elections , it's not like relations have gotten much better , and so I would expect it to continue for that reason . The second is , we haven't really been very good at consequences .

Right , if someone messes with our elections , there should be a bill for doing that , and we just haven't really got our act together when it comes to meeting out meaningful consequences for that kind of stuff .

And the third is that we're also hooking everything we possibly can up to the internet , right , and so there's just more stuff to attack , right , there's more information to get your hands on , there's more mechanisms to distribute that content , and so the trend lines in my mind don't look great here .

So I guess the short answer to your question is yeah , I would . I would expect this to get worse over the near and medium term , for sure .

Speaker 1

I would also assume there's some level of difficulty , because it can be very hard to identify hackers , right ? I mean , there's this element of plausible deniability from state , from government , from other actors . So how much confusion does that add to the mix as well ?

Speaker 3

Yeah , no for sure . So I mean there's a couple of things going on here , right . So it creates confusion and it undermines accountability . There's difficulties in attributing attacks , and so you don't really know who it came from and maybe you don't trust attributions , and that in and of itself can lead to political and social instability .

I wrote a book chapter on this about , oh God , I don't know , 10 years ago or something like that , and I wrote on attribution of cyber attacks , and the argument that I made there is that there's actually three things going on when you're talking about attributing a cyber attack .

It's a technical calculation , right , like the ones and zeros and where they came from . It's a legal consideration , but it's also a political calculation too , right .

So it's not just technical , it's not just legal , but there's also politics that go into it , and so determining when you attribute , when you don't , and to whom and on what basis , and what evidence that you use to make a public attribution there's all sorts of considerations that go into that kind of stuff .

And so , yeah , just to say that it's not simply a matter of figuring out whodunit , but there's even if you can get to the whodunit piece , there's still other stuff you're going to want to think about on top of it , so that just to say that you know it yeah for sure , like not knowing who did it can can create confusion . It can undermine accountability .

It's certainly difficult to attribute attacks as a technical matter , and this can create a whole bunch of problems for you .

Speaker 1

But even if you get over the technical hurdle , there's still other stuff going on there too I'm wondering , globally , if there is a government or a country that is really active in terms of cyber security

Digital Warfare and Cybersecurity Concerns

. You know attacks and interference because we hear a lot about it on the news . You know we're always hearing about certain governments or entities , um , but is that accurate ? Are we getting an outside sense of how much they're actually doing , and is it reasonable for the average person to be worried about this ?

Speaker 3

Yeah , I mean . So maybe I'll just take your question head on China , Russia , iran , your question head on China , russia , iran and North Korea . They're the ones that are most active and , for what it's worth , for your audience , I'm not security cleared , I'm just some guy right . So I'm reading the same stuff that you are .

But the point is is based on all publicly available information coming out of the intelligence services . That's what's going on here , and these are concerns that are well-founded and they're based on historical patterns of attacks and there's ongoing monitoring and intelligence to support these concerns .

But there may be within your question there was a , should people be concerned ? You know , yeah , I would say so , but it's maybe a little bit different . So we're talking about major state actors using advanced cyber let's call them cyber weapons for the purposes of our conversation .

It is unlikely that a major state actor is going to use their best stuff to get to a normal person right , like they're not going to use what they call zero day exploits or any of that type of stuff , but what we are seeing is state actors and proxies of states doing the malware stuff to get some dough right .

So it's actually , like you know , I used to say , like no self-respecting state actor would ever go after an individual . Well , maybe some of these state actors aren't self-respecting , but the broad point being is that they see malware as an economic vehicle .

And so , yeah , I mean , you won't see a sophisticated state actor using their best cyber exploits on an individual , but you can see a relationship between them and organized crime that are doing the malware stuff , that's , you know , taking hospitals and schools and companies ransom and that is just a smash and grab straight up kind of cash power play .

Speaker 1

You know , there are a lot of really important elections that are coming up this year , for instance the US , the UK , which is also quite important , but Canada as well in the coming year . I'm just wondering what role cybersecurity and this political interference will have on it .

Speaker 3

Yeah , I mean it's a good question and it's a bit tough to answer because it's somewhat speculative . But I would say that when Canadians are thinking about whom to vote for , cyber security and national security is not top of top of mind as a ballot box issue . Like you know , people are thinking about the price of groceries , taxes like that kind of stuff .

Like it's just it's a rare occurrence that this type of thing would capture the public attention in a way that it makes it something of fundamental import for an election . So I would say , maybe that's part of it .

But I mean , I think people should take it a little bit more seriously because and it's not just individuals , right , like I think we all know people who have now been hacked or suffered a ransomware breach or something like that but like , what's going on right now is that critical infrastructure in Canada is being compromised , compromised .

So the bad guys are doing something called pre-positioning , which is where they they put malicious . Yeah , but let me tell you , like this is not great . They're putting malicious code on our critical infrastructure and they're not using it yet .

But the idea is that if we end up in a conflict or they want to exert pressure , they can activate that stuff , and so I don't want to be too depressing about it , but the first sign of World War III is going to be that your lights are going to turn off and your water's going to stop working . Oh my gosh , right .

And so when I'm thinking about this stuff , people should care about it . Government databases and communication networks , financial institutions , key economic sectors like ports so this is like we have people , so maybe I'll turn it on its head and say people care about the economy . The economy is top of the mind at the ballot box . Everyone knows it .

It's everything from , like I said , the price of groceries to the price of gas , to jobs , to inflation , to fiscal and monetary policy all the stuff , right , people care about that , people vote on that . Well , we have a digital economy , right ? Like I said earlier , we've hooked everything we possibly could up to the internet , and so we have to protect it .

And so , while cybersecurity might not be top of mind for Canadians , everything that they do in their day is enabled by this digital infrastructure , and we're just talking about protecting it .

And so I would just I would encourage , to the extent that we can , to have people pay a little bit more attention and to have political parties take a position on some of this type of stuff . Like I don't think this is the type of area where the ostrich maneuver of just putting your head in the sand will work .

I think we should all be all political parties should be asked to say something about this .

Speaker 1

And that brings me to my next question , which is , you know , wondering what extent has modern warfare moved out of the trenches and into the digital world ?

Speaker 3

Well , so here's an interesting thing , right , like , so we always we talk about warfare and it's a bit hard because , like , and I understand why we do it , but when you think about war and like , there's an answer in this . But I'll just have to wind up for a second here . I'm an international lawyer .

I'm an international lawyer by training , right , and when we're talking about this type of stuff , we start from the UN Charter , which says that there's a prohibition on the use of force . So in the United Nations , the biggest rule of all the rules is you can't use force . That's what it says , quote , use force .

And then you're allowed to defend yourself if quote an armed attack occurs . So that's the status of international law . And you think , well , geez , like , is a cyber attack a use of force ? Like that law was written in 1945 , like before there was computers . And so I'm saying , like is , is that war ? Is it a use of force ? Is it an armed attack ? Like .

And so it makes it a little bit complicated when we're talking about . You know , to the extent that that that modern warfare has changed , because when we wrote the rules surrounding this stuff , cyber was never contemplated , because it wasn't a thing .

But I say that to say this yeah for sure , there's actively hostile cyber operations happening all the time , and there's lower level stuff , and then there's some real sophisticated stuff , and the example I'll give you of the real sophisticated stuff is called Stuxnet , and I don't know why they come up with these like nifty names for all these cyber things .

But anyway , stuxnet . What happened there was the Israelis and the Americans wanted to delay Iran's nuclear program and so , as part of their military strategy , they deployed malicious software that basically crawled around the internet and it was looking for two things . It was looking for what's called a SCADA . It's an industrial control computer .

It was looking for this particular computer hooked up to centrifuges , and it was crawling around the internet looking for this Iran's centrifuge program where they spin .

The uranium was air-gapped , so it wasn't even hooked up to the internet , but I gather what happened is that somebody was using a flash drive at home and brought it in and then it was able to jump the air gap . And then what this piece of software did like this is wild .

It sat and it watched Iran's nuclear program , it watched the centrifuges and it looked at what normal operations looked like , and then it went in and it started over spinning the centrifuges and under spinning them , but telling the control systems that everything was just fine . And so all these centrifuges were destroyed as a consequence of this software .

And so here's the interesting question is so those physical centrifuges were destroyed in like actual real world damage . Had we used a missile , it would have been clear like that's this is . We're in an armed conflict . Now , right , but because we use computer code , was that an armed attack ? Like , was it a use of force ?

And so you know , we're at this place where all this stuff is happening , but we're still struggling a little bit because theant use of malicious cyber tools against us and against others , and we are in a place where we can do physical damage in the real world with nothing but computer code .

But the rules themselves are still somewhat opaque and I think part of our work will be to clean that up , just so that you know what the speed limit is on the road and where the center line is .

Speaker 1

So do we need new agreed terms for cyber war ? And I'm just thinking as an example . You know , during the Cold War and after there were nuclear arms race treaties that went into effect that were reached . Are we at a point in time where we need to rethink what rules already exist and how they apply to cyber warfare ?

Speaker 3

Yeah , I mean , I think it would just be good to know exactly what the red line is right Like , because you don't want to bump into it accidentally . But the problem we're going to run into is that cyber weapons and I'll use that term loosely here , cyber weapons have three characteristics that no other weapon system on Earth shares .

The first is that they're developed completely in secret . The second is that they're deployed in secret , and the third is that the doctrine surrounding their use is secret , like there's no way to deploy a nuclear bomb secretly . Right Like , once you do that , like people know about it . Right Like , once you do that like people know about it , and so .

So this , this weapon system , doesn't lend itself well to that kind of that conversation about clarity and red lines , because everyone is developing their stuff secretly and they're using it against each other and they're trying purposely to obfuscate the source , like we talked about earlier about attribution , like one of the reason that attribution is hard is because the

people doing it want to make it hard . Right , like they're not . Like you know , they're not leaving calling cards , and so you know I I just in my mind , the the biggest , the biggest thing would be just to clarify where the red lines are so that you know , so that you don't trip over it by accident , right like .

It could very well be that taking down the Canadian power grid as a member of NATO is what they call Article 5 , meaning that there's a collective response as a consequence of that . But you might wish to be crystal clear about that , and just so that everyone knows where the center line on the road is .

Speaker 1

Are we anywhere close to international bodies , to governments , actually agreeing to terms when it comes to cyber warfare ? I know that you have individual nations and their leaders talking about cyber attacks and state-sponsored attacks , but are governments in any place to agree to internationally recognized laws ?

Speaker 3

No , not really . I mean , like there's conversations at the UN about what like responsible practices are in cyberspace and all that type of stuff and , to be fair to them , like they have moved the conversation and it is getting more and more developed all the time , and so kudos to my colleagues that are doing that .

But the problem is , like you know , states reflect the geopolitical realities that they exist in right , and so strong states will interpret existing rules in a manner that befits their geostrategic interest . They will also seek to push new rules in a manner that befits their geostrategic interest .

They will also seek to push new rules in a manner that befits their geostrategic interest . And what's happening right now is that I think many states like the flexibility to use cyber capabilities , right , and so they don't necessarily want to constrain that , and so that's kind of point number one .

Point number two is that there's just such a huge division at the UN right now , Like that crew could not pass a non-binding resolution that apple pie and ice cream go well together , Like they just it's too divisive , right , and so yeah , so I just don't , I doubt it , I'd love to see it , but I just I'm not holding my breath .

Governance Challenges in Emerging AI

Speaker 1

I'm wondering what your thoughts are on the capability for individuals to do great harm with some of the resources that are created through state entities . So , for instance , if I happen to be working on a nuclear weapon for a government , it'd be very challenging for me to take home and use that specific weapon for myself .

But since you've mentioned before how code can easily be adapted and used , sometimes for economic reasons , by proxies , is there any worry that possibly a rogue hacker could get their hands on you know malicious code that's been developed by government entities and use it for themselves , or maybe a gang or other ?

Speaker 3

Yeah , I mean , it's highly portable and replicable , right ? So that's point number one . Point number two is I'm not worried about someone stealing it from a government . I'm worried about the government giving it to them and asking them to do stuff .

Like I'm looking at you , russia , and so it is completely foreseeable that there's going to be more activity of what they call state proxies . So they're not part of the Russian government or they're not part of the Chinese government , but they're working for them on the sly , and so yeah for sure , that kind of stuff , absolutely .

But the other kicker here is that it's not hard now with generative AI . The other totally foreseeable set of circumstances that's emerging is that people use like anybody uses generative AI to develop either cyber exploits in the traditional sense or more sophisticated information campaigns .

You know , and you don't even need a computer science degree now to code , because you can just ask ChatGPT to do it for you . So , again , all that to say like the trend line here is probably going in the wrong direction , and that's just something that we're going to need to factor into our strategy .

Speaker 1

I mean we're into James Bond territory here . You know , like we're slowly veering into the world of tuxedos and shaken not stirred martini glasses . So you know , if there is . You mentioned ChatGPT , the capability for someone to use generative AI . As you mentioned ChatGPT the capability for someone to use generative AI for nefarious reasons to do much damage increases .

Is there any caps then that you think should be required on this type of new AI that is really growing at a rapid pace ?

Speaker 3

Yeah , I mean . So maybe a quick point on the martini . You always want to stir your martini . If you shake it , all the ice breaks and chips off and you just end up with a weak martini . So uh , uh with all , with all due deference yeah , with all due deference to mr bond , he got that wrong . But , um , yeah , no , like we're , we have to .

We have to get our hands on on on generative ai like , and it's not just for cyber stuff , but there's um , there's a , there's a storm storm coming here , and how we choose to govern or not , this technology will define the way that people live generations from now and so .

But it's a little bit hard because in some ways , you're asking policy makers to predict the unpredictable Right , like if we were having this conversation 24 months ago and I said to you hey , listen , I've got this cool tool . You can just put in a couple words and it can write a full essay for you . That sounds great .

Or it can make any pictures of anything you want , or it can create a movie about anything that you want . It could do it in any language . It takes two seconds and it'll cost you 20 bucks a month . You would have thought I was out of my mind . Like that conversation . I would have been . You would have thought I was out of my mind .

Like that conversation . I would have been indistinguishable from magic two years ago . And here we are . And so , yeah , like it's for me , it's not just cyber stuff . I'm just like if we're going to constrain the conversation to the security side of the shop , this will turbocharge everything bad .

That we've already seen in a huge way , and so I think we need to be realistic about that .

Whether or not that leads to some form of international regulation , it's tough to say , because there's so much advantage in kind of the move fast , break stuff thing Like here's a good example for you , right , like again , looking at people's interests , there's a big fight going on right now with the New York Times and OpenAI on copyright .

Right , they're like well , you know the New York .

Speaker 1

Times and six other papers have joined .

Speaker 3

Yeah , yeah , right , so exactly . And so I talk to people about it and they're like well , you know , and I'm you know , like I said , I'm a lawyer , so I know a thing or two about this stuff .

And they're like well , you know , is it just training it , like because some people , you know people can read textbooks and be trained and that's not an infringement of copyright . Or is it actually like stealing the text and modifying it , in which case it could be derivative work or it could be some other form of copyright breach ?

And I'm like what if the answer is who cares ? And everyone's like , oh , like , what do you ? What do you mean ? And I'm like what if the answer it's a calculated risk , but the answer is who cares ? So this thing , what , however , it goes with the new york times at all won't be resolved for , like I don't know , three , four , five years .

Yeah right , open ai will have cornered and dominated the ai market by then and so . And then it's like well , what ? What the New York Times gets at the end of it is probably , if they win damages , they'll get a check , they'll get some money . Well , open AI will have dominated the AI market .

They will have been built into Microsoft , they'll be built into everything , they'll be in the very fabric and DNA of digital society and the digital economy and they'll be making dough , and so it could very well be that the answer to that question is who cares ? All that to say , like this is a fundamental shift , and we're just not there yet .

Like , and I mean maybe part of it is that policymakers are still getting their head around what this stuff is . Part of it is that we don't really know where it's going to go , and part of it is that there's large incumbent players that are parked on this space , that are going to , that are going to throw their weight around against regulation .

Right , this is ? This is old wine and new bottles .

Speaker 1

This is like you know this is early days of Facebook type stuff , but that's kind of where we're at , amazing . Well , thank you for breaking all of that down , giving me new nightmares .

Speaker 3

Yeah , I'm sorry about that .

Speaker 1

But no , nonetheless , this has been so incredibly , it's been an incredibly great chat , so thank you so much .

Speaker 3

All good , my pleasure . It was great chatting with you .

Speaker 1

And that was Aaron Schull from CG . Aaron talked about the challenges of legislating at the end there and that's going to be the focus of our next episode . Yes , we're going to be looking at what the Canadian government is doing to combat everything we've talked about so far in this series and where it's sometimes falling short .

Speaker 2

We still have a federal government where we are castle and moat , and so they are concerned with protecting the castle , without realizing that the castle lives off the proceeds of the village , that they will starve to death without the rest of us , and we are getting pillaged by the cyber Vikings left , right and center .

Speaker 1

We'll hear more from Aaron , as well as some other guests , from throughout the series . That's next week . And remember if you have any questions or want to learn more about cybersecurity in Canada , you can visit siraca slash cybersecurity . Please join us again next time and thanks for listening you .

Transcript source: Provided by creator in RSS feed: download file
For the best experience, listen in Metacast app for iOS or Android