Every action has an equal and opposite reaction

New IT Concerns in the Age of Anti-Terrorism: How the Canadian Government has Reacted and How
Business Should React
By C. Ian Kyer, Warren J. Sheffer, and Bruce Salvatore
Fasken Martineau DuMoulin LLP
For every action, there is an equal and opposite reaction – Newton’s Third Law of Motion
Introduction
It is a trite observation that the world continues to react to the harrowing effects of the September 11
terrorist attacks. In the face of the terrible human loss that they caused, governments continue to move on
political, economic and military fronts in an attempt to restore and protect normalcy in an uncertain time.
The attacks, and the governmental reaction they have elicited, have serious business implications. Seeking
to destroy Western-world economic and cultural dominance, terrorists have shown a willingness to take
aim at its heart – commercial activity. Accordingly, businesses with their increasing reliance on
electronically stored information and information technology, must be more wary of becoming victims of
“cyber-terrorism.” Moreover, businesses need to be aware of new post-September 11th legislative
developments that impact information technology law. In Canada, for example, the Anti-Terrorism Act,
S.C. 2001, c.41 (“Anti-Terrorism Act”) which came into force December 24, 2001 creates the new offence
of economic espionage, and facilitates the warrant-less search of computer emails. Internationally, the
Council of Europe Convention on Cyber-Crime, which Canada signed on November 23, 2001, sets out “a
common criminal policy aimed at the protection of society against cybercrime, inter alia by adopting
legislation and fostering international co-operation.”
This article explores information technology law issues, post September 11, in three parts. The first part
will discuss the heightened importance of information in our new knowledge-based economy. Given that
heightened importance of information, the second part will discuss the deeper concern for its security, as
reflected in legislative developments after September 11. Finally, the third part will outline some of the
considerations of which businesses should be mindful when contracting for the security of their
information.
Part I The Heightened Importance of Information and Knowledge
Information and knowledge increasingly drive the economy. As the Canadian IT and Knowledge-Based Summit stated in 1997, “[k]nowledge is now … at least as important as physical capital, financial capital and natural resources as a source of economic growth.” As a source of growth, the processing of information to create innovative technologies (e.g. the creation of software to run a utility) has become just as important as the processing of natural resources (e.g. the creation of steel from ore). In fact, during the 1990s, when the economy was experiencing annual growth rates ranging from 2.5 to 4.5 per cent, knowledge-based industries (for example, computer manufacturers, computer service providers and communication carriers) experienced 17.9 per cent annual growth.1 Employment in these industries grew commensurately at 13 per cent per year, compared with 2.5 per cent growth in other traditional economic sectors.2
Perhaps more impressive than this economic data is the degree to which information technologies are
enmeshed in our economic and social activities. George Takach cogently observes that “[t]oday,
businesses could not operate, schools could not educate, the media could not inform, hospitals could not
heal, professionals and other service providers could not provide services, governments could not govern,
political parties could not fight elections, and the military could not fight wars if they did not have
computers and the huge volumes of information stored, processed and disseminated by computers.”
Indeed, the Canadian E-Business Opportunities Roundtable’s recent statement that the “new economy has
become the whole economy” rings true.3
1. G. Takach, “Historic Law Reform” Lexpert (February 2002) 108.
2. Ibid.
3. Boston Consulting Group (Canada), “Report of the Canadian E-Business Opportunities Roundtable” (February 2001) 4.
As the foregoing suggests, businesses increasingly depend on information and information technologies to transform their business functions, to provide better products, enhanced flexibility and superior customer responsiveness. This is illustrated in the growing number of companies that are using the Internet as a powerful communication and distribution channel. For example, in 2000, 96 per cent of Canadian companies with over 500 employees used the Internet, while 86 per cent of those same companies had a web site.4
These businesses are tapping into and generating what in 2000 was conservatively estimated to be 233.4 billion (USD) worth of international e-commerce. By 2004, eMarketer predicts that this amount will grow to 2.7 trillion (USD), while Goldman Sachs projects 3.2 trillion (USD) worth of business.5
The number of business-to-business (B2B) Internet transactions is equally impressive. In Canada, the
federal government reports that Canada’s B2B e-commerce spending is estimated to grow at a compound
annual rate of 67.8 percent between 1999 and 2004 and that 18 percent or $272 billion (CDN) of Canada’s
$1.54 trillion in B2B trade will be conducted over the Internet by 2005.6
Meanwhile, in the Canadian public sector, education institutions are increasingly offering courses online
(10,229 courses were offered in 2001, up from 4,222 in 2000), while twenty-five percent of hospitals are
currently using external networks for electronic patient records. Moreover, the federal government is
proving to be a world leader in providing online services such as the e-filing of tax returns. In 2000, 27.3
per cent of all filed tax returns were done so electronically.7
As we increasingly depend on information and information technology, their protection is taking on paramount importance. This new degree of importance is reflected in legislative developments post-September 11.
4. “Key Statistics on ICT Infrastructure, Use and Content” (October 2001) Industry Canada.
5. Ibid.
6. ebiz.enable, “A call for B2B E-commerce,” online: ebiz.enable <http://strategis.ic.gc.ca/SSG/ee00040e.html> (date last accessed: 17 March 2002).
Part II Security of Information Post September 11 and the Anti-Terrorism Act
Despite its recent attention in public discourse after the September 11th attacks, cyber-terrorism is not a new phenomenon. Its roots can be traced to the 1980s, when the Internet was still in its non-commercial stage of growth, used primarily by a small number of researchers. For example, in 1988 the “Morris worm” (created by Cornell University student Robert Morris) shut down 10 per cent of the roughly 88,000 computers which were then connected to what we now call the Internet.8 Since that time, the world has become far more dependent on the Internet and its related technologies. Now over 350 million computers are connected to the web.9 And, as discussed above, most of our economic and social activities are to varying degrees affected by information technology. Consequently, cyber-terrorism is not to be taken lightly, both in terms of the number of people it can affect and its cost. The Council of Europe reports, for example, that Internet credit card fraud is thought to cost approximately 400 million dollars each year, while virus attacks account for losses of about 12 billion dollars. Furthermore, losses from stolen patents and trademarks amount to 250 billion every year, or nearly 5 per cent of world trade.10
The events of September 11th have drawn attention to these costs and, more generally, to Internet and computer security. A national survey conducted by the Information Technology Association of America and Tumbleweed Communications on November 26 and 27, 2001 among 800 adults revealed that seventy-four per cent of the respondents feared that personal information could be stolen or used for malicious purposes. Moreover, seventy-five per cent of the respondents had worries about terrorists using the Internet to launch cyber attacks against critical infrastructure.11 These concerns are reflected in legislation which has recently been passed in Canada and in other jurisdictions.
7. Supra note 4.
8. T. Longstaff et al., “Security of the Internet” in The Froehlich/Kent Encyclopedia of Telecommunications, vol. 15 (New York: Marcel Dekker, 1997) pp. 231–255.
9. Council of Europe, online: Council of Europe <http://www.coe.int/T/E/Communication_and_Research> (date last accessed: 16 February 2002).
10. Ibid.
11. J. Geralds, “US citizens express cyber fears,” online: vnunet <http://www.vnunet.com/Print/1127700> (date last accessed: 03 March 2002).
On October 15, 2001, the federal government introduced anti-terrorism legislation aimed at improving
Canada’s ability to combat terrorism both domestically and internationally. The legislation, which
amended ten federal statutes and ratified two United Nations Conventions, conferred upon federal
authorities a number of new investigative powers while at the same time creating several new terrorism
offences. The bill became law on December 24, 2001.
Our focus here will primarily be on the creation of those new offences and powers that have a direct impact
on information technology law. These include the creation of the offence of economic espionage under the
Security of Information Act (formerly the Official Secrets Act), and the codification of the powers of the
Communications Security Establishment (“CSE”), a branch of the Ministry of National Defence, under the
National Defence Act. Under the amended National Defence Act, the CSE can both acquire and use
information from the “global information infrastructure” and is charged with protecting nationally
important electronic information and information infrastructures. The presence of these provisions in the
Anti-Terrorism Act reflects both the importance of information in our economy as well as the heightened
need to protect it. This is reinforced in the preamble to the Act, which states in part that “acts of terrorism
threaten Canada’s political institutions, the stability of the economy and the general welfare of the
country.”
The pivotal provision of the Anti-Terrorism Act is the definition of terrorist activity in s. 83.01. In defining “terrorist activity,” ss. 83.01(a) incorporates offences in the Criminal Code that pre-exist the Act (for example, the taking of hostages (s. 7(3.1)) and the suppression of terrorist financing (s. 7(3.73))). Subsection 83.01(b) adds to the definition of terrorist activity by including an act, in or outside of Canada, that is committed for a political, religious or ideological purpose with the intention of intimidating the public with regard to its security, including its economic security. With exceptions, such an act is a terrorist activity if it, among other things, is intended to cause serious interference with or serious disruption of an essential service, facility or system, whether public or private.
Interestingly, the Anti-Terrorism Act, by definition, stipulates that “terrorist activity” is something that can
be directed at both governments and multinational corporations. The fact that the act of interfering with the
public’s economic security is included in the definition of terrorist activity is, in part, the recognition of the
harm that terrorists can bring to bear on the information and information technologies used by multinational
corporations and governments.
This is readily apparent in the newly named Security of Information Act (“Security Act”). Section 3 of this rather quickly drafted legislation enumerates a number of actions which are considered prejudicial to the safety or interests of Canada. For example, an act which interferes with a service, facility, system or computer program, whether public or private, in a manner that has a significant adverse impact on the health, safety, security or economic or financial well-being of the Canadian people or the functioning of any Canadian government (ss. 3(d)) is deemed to cause harm to Canadian interests if perpetrated by a foreign entity or terrorist group. Acts which cause harm to Canadian interests are, in turn, considered offences under the Security Act. One such example is the offence of economic espionage, which is defined as follows:
s.19. (1) Every person commits an offence who, at the direction of, for the benefit of or in
association with a foreign economic entity, fraudulently and without colour of right and to the
detriment of Canada’s economic interests, international relations or security
(a) communicates a trade secret to another person, group or organization; or
(b) obtains, retains, alters or destroys a trade secret.
s.19 (2) Every person who commits an offence under subsection (1) is guilty of an indictable
offence and is liable to imprisonment for a term of not more than 10 years.
s. 19(3) A person is not guilty of an offence under subsection (1) if the trade secret was
(a) obtained by independent development or by reason only of reverse engineering; or
(b) acquired in the course of the person’s work and is of such a character that its acquisition
amounts to no more than an enhancement of that person’s personal knowledge, skill or expertise.
s. 19(4) For the purpose of this section “trade secret” means any information, including a formula,
pattern, compilation, program, method, technique, process, negotiation position or strategy or any
information contained or embodied in a product, device or mechanism that
(a) is or may be used in trade or business;
(b) is not generally known in that trade or business;
(c) has economic value from not being generally known; and
(d) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
These open-ended provisions leave much to interpretation. It would appear that the offence of economic
espionage could potentially lie where a person communicates a company’s “trade secret”12 to a foreign
entity, provided that the communication of the trade secret had a significant adverse impact on the financial
well being of the people of Canada. Just how many people of Canada would have to be impacted to trigger
the offence is unclear. However, conceivably, the detrimental revelation of a trade secret of a company, in
which a large number of Canadians are heavily invested (e.g. Nortel Networks prior to Spring 2001), could
attract these provisions.
Recognition of the harm that terrorists can bring to bear on the information and information technologies
multinational corporations and governments utilize is also found in the codification of the powers of the
CSE under the National Defence Act (“NDA”). Section 102 of the Anti-Terrorism Act, which amends the
NDA, confers upon the CSE the following powerful mandate to protect information infrastructures:
(a) to acquire and use information from the global information infrastructure for the purpose of
providing foreign intelligence, in accordance with Government of Canada intelligence priorities;
(b) to provide advice, guidance and services to help ensure the protection of electronic information and
of information infrastructures of importance to the Government of Canada; and
(c) to provide technical and operational assistance to federal law enforcement and security agencies in
the performance of their lawful duties.
Under this mandate the CSE is able to surreptitiously monitor the “global information infrastructure” which
is defined to include electromagnetic emissions, communications systems, information technology systems
and networks, and any data or technical information carried on, contained in or relating to those emissions,
systems or networks. However, the CSE is not to direct its monitoring efforts towards Canadians, which
includes corporations incorporated under federal or provincial legislation (ss. 273.64 (2) NDA as
amended).
In addition to the powers set out in its mandate, the CSE, with ministerial authority, may intercept private communications for the purpose of obtaining foreign intelligence (ss. 273.65 (1) NDA as amended) or for the purpose of protecting the computer systems or networks of the Government of Canada (ss. 273.65 (3) NDA as amended). This incredible power is ostensibly checked by ministerial conditions for authorization. With respect to ss. 273.65 (3) these conditions, in large part, include the requirements that “satisfactory” measures be in place to both ensure that only information that is essential to identify, isolate or prevent harm to Government of Canada computer systems or networks be used or retained, and to protect the use or retention of that information (ss. 273.65(4)). What constitutes a satisfactory measure is not stated.13 Consequently, the manner and the frequency with which the government is currently intercepting private communications under the law are unknown.
12. The new statutory definition of a trade secret is noteworthy. Previously the trade secret concept was only loosely defined by case law.
Part III Contracting for Security
Through the Anti-Terrorism Act, the Canadian government has taken measures to prevent hacking and other forms of information technology-related terrorism. How should business react to these concerns? How should a business contract for the security of its information? This section of the paper will turn to these considerations. The focus here will be on contractual arrangements which a business with an e-commerce web-site may make with a “back-office” data processing facility. For the purposes of this discussion, the party owning the data, records and information will be referred to as the “Customer”. The service provider will be referred to as the “SP”. What does the Customer need to include in such a contract in order to ensure maximum protection? What features does the SP need to include in order to protect the integrity of the security systems and to limit its obligations to manageable levels?
Unfortunately, the basic principle in considering computer security must be that all systems are insecure.
No security system can guarantee security or inviolability. A security system can become more secure and
of necessity more complex – at an increase in price – and thus present an increasingly formidable, though
never impregnable, barrier to the unauthorized user. At some point, however, the value of the data will not
support the cost of the measures to protect the data and the increased difficulty of use.
13. See generally, L. Austin, “Is Privacy a Casualty of the War on Terrorism” in The Security of Freedom: Essays on Canada’s Anti-Terrorism Bill, eds. R. Daniels, P. Macklem and K. Roach (Toronto: University of Toronto Press, 2001).
A Security Primer
Broadly speaking there are four major ways through which security of information can be violated:
- through physical means
- through computer intervention (“hacking” or “cracking”)
- by mechanical failure
- through employee action (negligent or willful misconduct)
The extent to which each of the above areas can be successfully dealt with by contract varies, but attention
should be given to each area and any weaknesses should, to the extent possible, be minimized.
Physical Security
It is important to recognize that the first area in which security may be compromised does not depend on
the sophisticated computer skills of hackers, but rather on sloppy work habits of employees, or indifference
on the part of employees and management to security concerns.14
It is of little use to have a sophisticated encryption system when hard copies of data are left unprotected on
employees’ desks. Similarly, if hard copies of data or unencrypted computer disks are put into garbage
receptacles which are susceptible to being pillaged, there is little point in putting in place elaborate and
expensive firewalls and password and encryption systems to protect the computer files. Both the SP and
the Customer need to take appropriate steps to secure the data from being compromised by physical action.
Such steps could include locked premises with access only by a card entry system; locks on all doors or
offices containing data; systematic shredding of all hard copy printouts of data or provisions for locking
away hard copies and computer disks containing data outside office hours. Of course, the success of such
measures is dependent upon the extent to which they are followed. Thus, employees’ actions are another
aspect of security concerns (see below).
As well, thought should be given to management of data, records and information stored off-site. If a
company’s files are managed by a third party, the security measures taken by that third party should be
investigated and monitored. While this might not be the subject matter of the contract between the
Customer and the SP, it could form a part of a contract between the Customer and the storage provider.
14. For a description of some of the mundane ways in which computer hackers break into computer systems, such as digging through garbage bins, see Katie Hafner and John Markoff, Cyberpunk: Outlaws and Hackers on the Computer Frontier (New York: Simon and Schuster, 1991).
Logical Security
Because the methods of logical security protection (i.e. firewalls, computer encryption and computer
password security provisions) are always changing, it is not practical to list the precise measures which the
SP will take in order to protect the Customer’s information. The SP would want some input in choosing
the necessary and applicable measures for safeguarding the data or the right to offer the Customer different
options. The SP may also not want specific measures set out in the contract because part of the security
protection is the confidentiality of the measures used. While specific security measures cannot be listed in
the contract, there could, however, be an agreed upon set of specifications or a standard which the service
provider is required to maintain. Thus, “in accordance with the best procedures in the industry” might be a
possible standard to include in the contract.
As dangers to security of data evolve rapidly, both the SP and the Customer will want to periodically
review and change the security provision mechanisms in use. The ability to change needs to be
incorporated into the contract.
Security is always a joint responsibility. The SP may provide the technology, but the Customer will have
to implement and maintain the security provisions to some extent. Even the most sophisticated system will
be rendered useless if all employees, for example, use the company name as their password. Thus the SP
will want to be protected from breaches of the system caused by the Customer’s refusal to use the password
system or other security system correctly.
Mechanical Failure
Another danger to security is mechanical failure. If there is a power failure the SP should ensure that there
are alternative power supply facilities which will prevent loss of data. As well, there should be an orderly
shutdown procedure using the alternative power source which will allow systems to be turned off without
damage to data or records. It should be clear that such a provision is merely a stop-gap measure which, in
effect, allows the system to turn off until the problem has been corrected.
Sophisticated users may require additional protection in the form of a back-up site with hardware and
software to continue processing the Customer’s data in case of disaster. In effect, the SP would have to
have a second site from which it could carry on its operations. Such a provision would have to be
specifically negotiated (for a price) to be included in the computer security contract.
Finally, the computer agreement should also contain requirements relating to off-site storage of computer-stored data and files. The SP should be required to provide such a back-up facility, and there should also be a provision requiring an adequate level of physical security for that site (including, if appropriate, fireproofing).
Employee Concerns
The final area through which computer security can be compromised is by the employees of either the SP
or the Customer. Paradoxically, the employees who have the most knowledge of a protection system are
those with the greatest ability to compromise it. The computer programmer who sets up the security
system, and the Customer’s liaison with the SP are persons with a unique ability to compromise the system.
Unfortunately, this is the area which is least susceptible to protection by way of legal contract. A
disgruntled employee will not be deterred by having signed a confidentiality agreement. This aspect of
computer security is as much a management issue as a technical or legal one.
Audits
The most important aspect of any security system is that it functions correctly. Providing some mechanism
for verifying that the system actually works – “auditing” – is an important part of any computer security
agreement. Audits serve to ensure both that the agreed upon procedures are being followed and that the
system itself is functioning. There are two types of audits: physical audits where the auditors enter the SP’s
premises to check compliance, and audits which are performed electronically only on records and data.
Audits are typically done by the Customer as well as by external, third party, auditors (usually hired by the
SP). Audit provisions raise important issues for both the SP and the Customer. First, the SP will not want
the Customer to have access to secure premises except under strict control, if at all. Every attendance by
outsiders at the SP’s secure premises potentially compromises the security of these premises, and the
security of the protection systems. As well, attendance of outsiders might disrupt the work of the SP’s
staff. Thus the SP will want to limit the Customer’s access to records and files. The Customer, on the
other hand will want its auditor to inspect the site where the data processing occurs to ensure that correct
procedures are being followed.
Access problems are not as acute with respect to external auditors, as these are professionals retained by the
SP and can be directed by the SP to adhere to its procedures. External audits are typically performed by the
large accounting firms who conduct audits to ensure that the security systems work. Ought the Customer
be able to receive a copy of all of the relevant portions of the external auditor’s report? An auditor’s report
might serve as a roadmap to the weaknesses in the SP’s systems, thus allowing someone to break into the
computer system. Thus, disclosing the report to the Customer in itself might compromise the security
system. Failure to disclose the report, however, means in effect that the Customer has simply to trust that
the SP is doing the right thing. A compromise could be reached by providing the customer with a summary
of the external auditor’s report in detail sufficient to acknowledge problems with the security system but
without identifying problems in such a way as to enable readers of the report to defeat the system.
Also, the Customer will want to be provided with a list of unsuccessful attempts to log onto the Customer’s user number where a successful attempt would permit access to data. It is possible for the SP to provide an on-line data capture file and procedure to record this information, and the Agreement should contain a requirement for the SP to do this. This type of information is crucial to any well-audited system. Failed attempts at entry must be taken seriously and not regarded as mere hacker pranks. As well, the SP should notify the data holder of any fraudulent activity which comes to the SP’s attention.
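The logon-capture file described above, as an added example that is not part of the original article: a small Python audit over a constructed capture file (the line format, user numbers and addresses are assumptions, not any SP's real format) that counts failed attempts per Customer user number and flags the two patterns worth reporting to the data holder, a burst of failures and a success that follows repeated failures from the same source.

```python
"""Audit of an SP's logon capture file for a Customer's user numbers (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample capture file (hypothetical format, not any real SP's):
# ISO timestamp, Customer user number, source address, OK or FAIL.
# Lines are deliberately not in time order; the parser sorts them.
SAMPLE_CAPTURE = """\
2002-03-17T08:00:01 C-1042 10.0.0.7 OK
2002-03-17T08:05:10 C-1042 10.0.0.7 FAIL
2002-03-17T22:14:03 C-1042 198.51.100.9 FAIL
2002-03-17T22:14:09 C-1042 198.51.100.9 FAIL
2002-03-17T22:14:15 C-1042 198.51.100.9 FAIL
2002-03-17T22:14:21 C-1042 198.51.100.9 FAIL
2002-03-17T22:14:40 C-1042 198.51.100.9 OK
2002-03-17T09:30:00 C-2077 10.0.0.12 FAIL
2002-03-17T09:30:30 C-2077 10.0.0.12 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_capture(text):
    """Parse the capture file into (timestamp, user, source, ok) tuples sorted by time.

    A malformed line raises ValueError rather than being silently skipped: an audit
    record that cannot be read is itself a finding, not something to drop.
    """
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed capture line: {raw!r}")
        ts, user, src, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, src, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def audit_failed_logons(text, burst_threshold=3, min_prior_failures=2,
                        window=timedelta(minutes=5)):
    """Return {"failures": {user: count}, "findings": [(kind, user, source, time), ...]}.

    Two kinds of finding are reported:
      "burst": burst_threshold failures for one user number inside `window`;
      "success_after_failures": a successful logon preceded by at least
        min_prior_failures failures from the same source inside `window`, the
        pattern in which a guessed credential finally works.
    A single mistyped password followed by success is below the threshold and
    is counted but not flagged, so the report stays readable.
    """
    events = parse_capture(text)
    failures = defaultdict(int)
    findings = []
    recent_by_user = defaultdict(list)   # user -> failure times still inside window
    recent_by_src = defaultdict(list)    # (user, source) -> failure times inside window
    for ts, user, src, ok in events:
        key = (user, src)
        recent_by_user[user] = [t for t in recent_by_user[user] if ts - t <= window]
        recent_by_src[key] = [t for t in recent_by_src[key] if ts - t <= window]
        if ok:
            if len(recent_by_src[key]) >= min_prior_failures:
                findings.append(("success_after_failures", user, src, ts))
            recent_by_src[key] = []
        else:
            failures[user] += 1
            recent_by_user[user].append(ts)
            recent_by_src[key].append(ts)
            # Flag once, when the threshold is first reached, not on every later failure.
            if len(recent_by_user[user]) == burst_threshold:
                findings.append(("burst", user, src, ts))
    return {"failures": dict(failures), "findings": findings}


if __name__ == "__main__":
    report = audit_failed_logons(SAMPLE_CAPTURE)
    for user, count in sorted(report["failures"].items()):
        print(f"{user}: {count} failed attempt(s)")
    for kind, user, src, ts in report["findings"]:
        print(f"{ts.isoformat()} {user} from {src}: {kind}")
```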
Conclusion
This article has attempted to draw attention to the heightened importance of information in our new knowledge-based economy and the associated deeper concern for its security post-September 11. Such concern is reflected in the Anti-Terrorism Act; however, there is some question concerning the overreaching breadth of the government’s new powers to protect our information infrastructure. The way in which the government exercises these powers will undoubtedly be a source of debate in the near future. Regardless of how such debate unfolds, the fact remains that businesses must, more than ever before, be aware of information security issues.