Friday 29 December 2023

International Cyber Cooperation: Reflections on the GFCE & GC3B

I first experienced the frustration inherent in Canada's approach to cybersecurity education last year at the University of Waterloo's CPI conference. There Charles Finlay from the CyberCatalyst talked about how other smaller countries focus on a collaborative approach to cybersecurity that creates a coherent ecosystem of partners who support rather than compete against each other. In the asymmetrical world of cybersecurity where attackers have every advantage in terms of anonymity, it isn't just criminal organizations working the dark end of the internet in 2023, it's authoritarian nation states with fully developed offensive cyber operations. Without collaboration, democracies will dissolve in the chaos of our networked world.

We have the resources, cooperation is what's missing.

In the year since I've been working to establish connections between the many entities in Canada's cybersecurity industry intent on education and career pathways illumination, but what I've found are siloed organizations (private, public and NFP) fixated on IP and market share whose idea of collaboration is creating partnerships to defeat what they perceive as competition. This isn't collaboration so much as it's combining resources to compete more effectively.

This monopolistic approach is partly the result of how Canada funds cyber-education and industry awareness. By creating competition for funding, potential collaborators are turned into competitors and the possibility of mutual support becomes impossible. A great example is all the competing networks, alliances, consortiums, catalysts and councils - all of whom claim to be creating a collaborative ecosystem under their leadership. Finding funding and piling onto this chaos seems to be the way in Canada. This has been a great frustration and a repeating theme on Dusty World over the past year:

Creating A Canadian Cybersecurity Ecosystem (Oct '22)

How Cybersecurity Might Become More Diverse, Equitable and Inclusive (Dec '22)

You Want to Teach WHAT?!? Reconfiguring Technology in Schools to Empower Pedagogy (Oct '23)

Cyber Education in Canada is Broken, Here's How to Fix It (Nov '23)


***


The majority of attacks are US focused, but if you consider Canada has 1/10th the people, we actually face similar numbers of attacks per capita.

One of the ways I've escaped Canada's siloed approach to, well, pretty much everything, is to look internationally for organizations interested in working collaboratively on the cyber-problem. That would be the one where we put all our critical infrastructure onto a global network that was never designed to be secure and then struggle with wave after wave of increasingly automated cyber-attacks in an environment where the attack surface has become impossibly complicated post COVID.

I started by looking at the World Economic Forum's review of the new US Cyber-Strategy, which is focusing on protecting critical infrastructure and improving collaboration both domestically and internationally to create more effective cyber-defences. Canada's strategy is designed to encourage competition rather than collaboration and has resulted in our being one of the most targeted countries globally.

The US strategy seems to be aware of this North American predilection for relentless market dominance fixated competition and is attempting to put resources into a collaborative mindset. That approach became apparent when I attended the Global Conference on Cyber Capacity Building this fall.


***


Through looking into WEF and the UN I came across the Global Forum for Cybersecurity Excellence (GFCE). In June I pitched this proposal on helping cybersecurity practitioners become aware of the coming threats to encryption that quantum computing brings: GFCE Proposal - Cybersecurity in the Age of Quantum Advantage.docx. The elevator pitch is: quantum computing will break most of the encryption standards we depend on for everything from our online financial systems to military communications in the next decade, and likely much sooner.

The GFCE got back to me and said they felt that quantum awareness was an important piece of the puzzle and a good fit with their Global Conference on Cyber Capacity Building (GC3B) happening in Accra, Ghana at the end of November. They invited me to develop the research and present it at the event. I'm currently seconded with both ICTC working on cyber-education outreach and the Quantum Algorithms Institute developing education for quantum readiness. QAI supported this research and I got in touch with Louise Turner, a former student now in the inaugural cohort of cybersecurity at Queen's University, and she and I put the paper together.



While doing two jobs I beavered away on the paper in the background and Louise (who was juggling her third year course load) and I managed to get the paper in on time. While all that was going on we were both jumping through the hoops in terms of visas and medical requirements to take what would be both of our first trips to Africa.

It all came together at the end of November and we found ourselves at Pearson Airport in Toronto getting on a plane to Washington and then across the Atlantic to Accra. The entire process felt insurmountable, but I've found that if you chip away at seemingly monumental projects like this you get the pieces in place - just don't expect it to happen all at once and pace yourself.

A particular frustration was all the dead ends I chased in terms of finding support for both the research and going to the event itself. I was disappointed to not get support from organizations I have long relationships with who claim to champion just this sort of digital engagement. I went out of my way to attend academic events, but when I asked those organizations about support I found the doors firmly closed. Every form of federal support is safely locked to academic partnerships in a way that makes it impossible for anyone but an internal PhD to claim them; those Canadian silos are exceptionally good at taking care of themselves. I talked to many professors in a multitude of schools but they all disappeared back into their funded, tenured worlds after making noises about how important this kind of work is. That's ok, we did it ourselves.

***

It was snaining in Toronto when we left, but on the ground in Ghana after 12 hours of misery in a middle seat next to the only guy bigger than me on the plane (why don't airlines use smart tech to arrange seating better?), we found ourselves on the ground in Africa! The visa support by the Ghanaian government had been spectacular in Canada and the hospitality was just as special at the Accra Airport. A senior military officer ushered us through customs in seconds and out to the GC3B desk where we got connected to our hotel and suddenly found ourselves tearing through Accra traffic, stunned by the sights and sounds... and heat (Accra is only 600 km north of the equator)!
 
The conference flags were all around the city. From our anonymity in Canada, we suddenly found ourselves at a very welcoming international event.

The Accra City Hotel was where we'd been put up for the conference and was only a ten minute drive from the very fancy Kempinski Hotel where the conference was taking place. We had lunch and then collapsed in our rooms for the afternoon after over 24 hours on the road.

The week before we'd built a powerpoint: QAI GFCE cyber in the age of quantum research presentation.pptx that was designed to gently introduce cybersecurity policy and technical practitioners to quantum computing. We went over it after our afternoon naps on the pool deck in the sweltering heat and humidity of an Accra evening. Louise helped pioneer women in cybersecurity in our school back in 2018/19 when she was in grade 10 and I've known her ever since, so we knew each other's strengths and felt ready to go with the presentation the next morning. That night we had a fantastic Ghanaian buffet and then hit the hay.

Since we were presenting on the periphery of the main conference we got to meet the Global Forum for Cyber Excellence working groups who were the organizers of the research presentations. This gave us 'behind the scenes' access to the conference before the main event kicked off the next day. It quickly became apparent that the research presentations needed more time to do them justice. We heard from researchers from all over the world studying everything from regionally specific cyber challenges to international projects on how cyber is presented in the media - to call it fascinating would be an understatement.

Louise and I stepped up for our presentation and knocked it out of the park. We'd de-tuned the technical details (Louise was happy to get into explaining how lattice based mathematical encryption actually works), but the GFCE was keen to focus on making it an introduction to quantum computing and how it will change cyber practices in the next few years. My being a teacher was considered a benefit in introducing this technology which is often obscured by academics fixating on its technical complexities. To ensure equitable access we focused on ensuring the paper only included publicly available research that would assist readers in further exploring the technology. This is an area where Canada excels - putting publicly available material online for anyone in the world to access, so we made good use of the many Canadian cyber and quantum resources available.

We must have done well because we were the only presentation that was asked questions by the reviewer and we ended up late to lunch because we had a line of attendees wanting to ask further questions. There is a lot of curiosity out there around quantum technologies but not a lot of people developing accessible education for the public. As a result it tends to be an academically isolated subject.

Our reviewer kept referring to me as Doctor King during her analysis of our paper, but I've always been interested in how technology becomes applied rather than working on the academic/theoretical side of things. Applied technology use has been my focus since I migrated decades old paper based engineering paperwork onto Lotus123 back in 1991. I was happy to use my blue collar technician's approach to putting a pin in the idea that you need a PhD to understand quantum computing. When it comes to the technologies that so influence our lives (as quantum certainly will), I think everyone deserves to understand how they work.

The rest of that first day at the Global Conference on Cyber Capacity Building was fascinating because it wasn't really about the conference, but instead about the mechanics of the GFCE. By the time we were heading back to the hotel I felt like I'd found my tribe and was determined to see what else I could do with them. This was the collaboration and mutually supportive approach to cyber that I'd been missing.

We wrapped up day one feeling the burn. I've never felt so good jumping into a pool after a day of sweating through a suit. While in the water I bumped into one of Nigeria's cybersecurity leaders and we had a nice chat while watching the sun go down.

The next morning we were up again at midnight our time for a 6am start, and on our way to the Kempinski for the opening of the main event. The conference had swollen in size since we'd seen early setup the day before. Instead of a hundred or so people, over 800 were coming in from over 100 different countries, all intent on seeing how we might work together to make digital transformation more equitable and accessible.

I use Twitter as a way to bookmark ideas and resources so I can find them later when I'm building one of these blog posts. My feed from the conference probably tells the story better than a summary here, but to say it was engaging and eye opening would be underselling it. The GC3B worked every angle from policy and diplomacy to technical cooperation and regional partnerships all the way through to international collaboration. It changed the way I see cybersecurity because it moved me beyond the veiled, siloed and somewhat paranoid world of Canadian cyber.

At the end of the second day we were bused over to the park where Ghana's first president is interred for an end of conference dinner. Like everything else that week, it fundamentally challenged my preconceptions. If indigenous people had overthrown European colonization and established their own representative democracy in the wake of that oppression in Canada, that's where Ghana is today. The story of Kwame Nkrumah and his efforts to awaken a pan-African culture were fascinating, especially from the perspective of someone living in a resource consumption focused culture where we continue to struggle with our colonial past.

Kwame Nkrumah Mausoleum in Accra - well worth a visit.

On the bus ride over (which was an adventure in itself - African commuter buses have drop down seats so the bus is shoulder to shoulder in every row without an exit aisle), I was at a loss to understand how we appeared to be the only Canadians at an international conference where over 100 countries were in attendance. The US State Department had helped fund the event, as had the EU, and we'd met Australians and many other Commonwealth nationalities, but not a single Canadian. The Australian told us about how her government's local office had picked her up at the airport, taken her out for lunch and made sure she was OK at her hotel. Ours sent us a PDF of things to do in Accra.

All of this prompted me to ask the Swede sitting next to me how Canada is seen in the international community. I'd honestly expected to hear nice things and assumed we'd simply not been involved in all the clandestine activities of our government at this event, but that's not what came out. The Swede described Canadian participation in world cyber cooperation to be 'selfish and minimalist', which came as a shock despite what I'd observed (it's a teacher survival mechanism to ignore the worst and assume it's my misunderstanding). The Estonian in front of us chipped in with, "I think Canada asks what the minimum is to look like they are involved in a project, give it and then that's the last we hear from them." Attendees from a dozen other countries all nodded in agreement. I did the most Canadian thing imaginable and apologized for my government and all the organizations that are funded by it - even though they'd all ignored my own requests for support prior to the event.

A wonderful evening with people looking to change the world for the better. Ghana knows how to put on a party too...

***


As I floated into the pool later that night pondering how I'm going to dress for the final day of the conference with a suit jacket soaked through with sweat (I went with just a shirt for the final day), I found that I wasn't cowed by what seems to be an insurmountable cultural problem we face as a country. Internally we have the resources and education to make cybersecurity a viable pathway. Canada should be poised to help solve the world's cyber-skills shortage, but instead our plan is to (as it has been in so many other cases) take that talent from other places that need it for our own ends, and do as little as possible to support international cyber development to ensure an equitable digital transformation for all.

I'm a fan of Paul Theroux's travel books. His trip across Oceania ends in Hawaii where he stays at one of the top resorts that is staggeringly expensive. Over the week he finds it coddling and restful, but he comes to the conclusion that when people have money, they mainly use it to keep other people away. The fancy resort provided privacy and a lack of bother from others - that was its main purpose and where the money got spent. Canada is a wealthy country and it seems we use our wealth in much the same way, to isolate ourselves from others. It's not very flattering.

Over 100 countries in attendance. Didn't see a single Canadian in any of the dozens of presentations and none were presenting. I know for a fact that Canada has some of the top cybersecurity practitioners on the planet, but they don't like to share?



***

I arrived at the last day of the conference with a head full of thoughts. This lack of engagement by my country (at least in person, evidently Canada was one of the first to endorse the Accra Call) suggested that the lack of cooperation I see domestically is reflected in our international engagement too. My background and interest is in educational engagement with cybersecurity and other emerging technologies that I feel are essential to students making smart decisions about their futures, so to end the conference I attended Session 4.26: Thinking out of the box to inspire a new generation of cybersecurity talent:
  

You might not have watched that video, but this sort of brainstorming and mutual support is just what we need if we're going to produce a cybersecure future. This doesn't happen behind closed doors or at a distance. I hear a lot of Canadians talking about the Canadian government as though it's distinct from them. This cool distance creates problems with how Canadians understand their own country and their role in it, but it also freezes out possibilities for international collaboration which must be about more than sending money.

I had a great chat in that session on developing cyber talent with a young man from Ghana who had started off as a hacker before coming over to the defenders. He described that journey, especially in a place where you can't drink the water and social services are often non-existent, as difficult because the payouts for being a bad guy are always going to be better. To hear people who are living in what Canadians would consider poverty talking about how they can work together to create equitable digital transformation that will improve standards of living for all was inspiring. You'd have to be the worst kind of self-serving bureaucratic robot to think otherwise.

***

On the final morning we reconvened at the Kempinski and ended the conference with many promises of future work together. It was inspiring and I couldn't help but get a bit teary, especially when they included the presentation awards for Ghana's Student National Cybersecurity Competition...

An all-female team won Ghana's student cybersecurity challenge

Having been deeply involved in Canada's student cybersecurity competition since its inception, I was interested to see this presentation. Some stats for comparison:

Ghana has 475 high schools, 50 participated in the national student cybersecurity competition, that's an 11% participation rate. You might think that low but Canada is currently at 0.6% of high schools participating nationally in CyberTitan which has been running for six years (the Ghanaian CCS is in its third year). The siloed nature of Canada's regionalized education system (we are the only developed country in the world without a national education strategy) has a lot to do with that.

An all-girl team won the 2023 edition of their SCC. No all-girl team in Canada has ever come close, which makes for an interesting comparison on access to STEM education opportunities between the two countries. If money is used to keep people at a distance, male dominance in cybersecurity is certainly operating along similar lines in Canada. There is much to do in terms of gender equity in the Canadian tech ecosystem.

There were two ministers and other members of parliament at the awards celebration for these students. No member of Canadian parliament, minister or not, has ever attended CyberTitan nationals. Another example of our remote/arms-length governing? At the very least it highlighted the lack of value we seem to place on securing our critical infrastructure in a digital future that will increasingly depend upon cyber skills.

***

On the long plane ride home I was reflective. Was it easy doing this thing? Not at all. I spent a lot of time talking myself out of it for various reasons, and burned a lot of cycles trying (unsuccessfully) to find support to get myself and others to it. Without Louise coming on and helping carry the research load I think I may well have talked myself out of going, and what a shame that would have been.

Winnie knows how it feels. Whoever is doing Xmas decorating at Dulles is a bit... chaotic in their approach, but I like it!

Doing the research outside of my regular working hours wasn't easy, and managing the many logistical requirements both medical and paperwork wise was also a heavy load to carry, but it's these extras that I always get the most out of in my work. If you look at my LinkedIn you won't see me bragging about the work I'm paid to do, but rather the projects I chase beyond those expectations. At the end of the day I'm mission driven. After twenty years in the classroom and building one of the most successful digital skilling programs in Canada in the most unlikely of places, I want to take what I've learned and spark opportunities like that nationally so more Canadian students can access emerging technologies and make informed decisions about where to go next. That this is a struggle continues to baffle me, but I'm committed to climbing that mountain.

Regrets? None. This wasn't easy but that's exactly why we need people to put the work in and make this sort of connection happen. Am I frustrated by Canada's approach? Yes, but that too is a challenge, and one that we will overcome with vision and determination. With a renewed commitment we will see a meaningful Canadian presence at the next Global Conference on Cyber Capacity Building taking place in Geneva in two years. I intend to be working with the GFCE by then in their education working group if not elsewhere in the organization. I hope I can bring more Canadians into it too.