Threat Exchanges and Freedom of Information Legislation

Dan Michaluk, Hicks Morley1

A threat exchange is an arrangement for sharing information about cyber threats – one
meant to help all members identify, assess, monitor and respond.2 Sharing threat
information is a recognized best practice,3 though confidentiality poses a risk given the
plain existence of adversaries who are motivated to do harm and who may engage in
“threat shifting.”4

In this regard, public sector institutions face a special information sharing constraint
that deserves attention – exposure to freedom of information legislation that makes
most records in organizational “custody or control” presumptively accessible to
members of the public.

This paper provides a digest of some cases in which institutions have raised the
potential harm posed by hackers in denying access to information.5 They show that the
normal burden of proving non-speculative harm6 may be too heavy given hackers are
opportunistic and can put the most seemingly benign information to use.7 This, and the
strong and present need to counteract cybercriminals suggests that legislators should

1A data security, privacy and FOI lawyer and partner at Hicks Morley who has helped organizations
respond to data security incidents, workplace fatalities and other critical events since 2006 and has
represented organizations in numerous privilege-related FOI appeals. Thanks goes to student-at-law Alia
Rashid for her valued research and drafting assistance.
2“Guide to Cyber Threat Information Sharing,” National Institute of Standards and Technology, Special
Publication 800-150, (October 2016), ii.
3 Andrew Nolan, “Cybersecurity and Information Sharing: Legal Challenges and Solutions,”
Congressional Research Service (March 2015), executive summary. See also, “A full year of mandatory
data breach reporting: What we’ve learned and what businesses need to know,” Office of the Privacy
Commissioner of Canada (October 2019): “Pay attention to alerts and other information from your
industry association and other sources of industry news.”
4 “Guide for Conducting Risk Assessments,” National Institute of Standards and Technology, Special
Publication 800-30 Revision 1, 9: “is the response of adversaries to perceived safeguards and/or
countermeasures (i.e., security controls), in which adversaries change some characteristic of their
intent/targeting in order to avoid and/or overcome those safeguards/countermeasures.”
5Courts have recognized that confidentiality is especially warranted in the “law enforcement” context
given the presence of motivated bad actors: Ontario (Attorney General) v Fineberg (1994), 1994 CanLII 10563
(ON SC) , 19 OR (3d) 197 (Div Ct). The question, though, is whether this doctrine offers enough
protection in today’s very demanding context.
6Merck Frosst Canada Ltd v Canada (Health), 2012 SCC 3 (CanLII), [2012] 1 SCR 23, para 199. The institution
resisting public disclosure “must show that the risk of harm is considerably above a mere possibility,
although not having to establish on the balance of probabilities that the harm will in fact occur.”
7 Reconnaissance is the first phase of the so-called “cyber kill chain,” which can include gathering
information to perpetrate a phishing attack. See S. Kottinen, “What Phase Of The Cyber Kill Chain Is
Your Network In?,” Forbes Technology Council (25 November 2019).
 -2-

consider passing outright exclusions from the presumptive right of access to encourage
secure threat information sharing.

Absent such legislative reform, public sector institutions should share information
based on strong information classification schemes that expressly recognize the
importance of sharing and the likely harm associated with public disclosure. In
handling appeals about confidential information shared via threat exchanges,
institutions should be prepared to prove they treat the information at issue as
confidential even though it has been shared and should also adduce other evidence to
give an air of reality to broad claims about hacker capabilities. Reference to
authoritative standards and guidelines that establish the need to keep certain kinds of
information secret may help.

Ontario

Order PO-3300, Appeal PA12-392 (Ministry of Natural Resources) - 2014

The IPC/Ontario upheld a decision to deny access to records containing computer

system information described as “security scans, threat evaluations, and possible
weaknesses and solutions.” It agreed with the institution that release of this information
would render the institution’s computer service and system vulnerable to attack or
disruption by hackers, noting that the Ministry had provided “detailed and convincing”
evidence.

Order MO -1822, Appeal MA-030150-1 (A School Board) - 2004

The IPC/Ontario ordered the following to be disclosed: “the name, model version and
description of the database server used for student record management including
information on how it is networked, and the name, version and brief description of the
software used to input the data and generate the reports from the database.”

The institution made the following argument:

Detailed information about software applications utilized and hardware

installed is commonly used by hackers to break into computer systems. If
a hacker knows what applications are in use and the hardware utilized, it
will provide considerable information about security vulnerabilities.
Hackers target the known vulnerabilities in specific hardware or software
systems.

The IPC dismissed this argument as speculative, noting the lack of evidence provided
by the institution concerning the frequency of hacking into similar systems and the
extent to which the institution’s systems were susceptible to attack. The IPC also noted
the lack of evidence regarding particular software vulnerabilities.
 -3-

Order PO-2765, Appeal PA07-221(Ministry of Health and Long-Term Care) - 2009

The IPC/Ontario ordered partial access to information in privacy impact assessments

(PIAs) for medical information systems.

The IPC order was based on an exacting, line-by-line review. It held that information
about specific risks and details about systems was exempt from the right of public access,
describing some the exempt information as follows:

• “step-by-step screen layouts of the computer screen images which appear, and
the nature of the information to be entered to proceed to the next screen”

• “the diagram on page 149 of the Health Care Branch I & IT Cluster PIA, though
somewhat general in nature, could reasonably be expected to endanger the
security of the system or procedure”

• “fairly detailed information about the data, including field names, stored in
various databases”

• “detailed procedures and architecture features to address identified security

risks”

The IPC distinguished this information from other, more general, system-related
information.

Order PO-3670 (Ontario Lottery and Gaming Corporation) – 2016

The IPC/Ontario held that the Ontario Lottery and Gaming Corporation was entitled to
keep the physical location of its data centre a secret. OLG relied on an Ontario
government IT standard and ISO/IEC 27002:2013, both of which recommend obscuring
the role of facilities used to store data.

Alberta

Order F2013-13 (Edmonton Police Services) - 2013

The Alberta OIPC rejected an argument that obtaining a list of cellphone numbers
would allow an individual to infiltrate a system or harm its safety and security. If the
theory was that cellphone numbers could be used to “hack the cellphones of
individuals,” the OIPC said, then the evidence needed to identify why this outcome
was reasonably likely to occur.
 -4-

British Columbia

Order F17-23 (Ministry of Energy and Mines) - 2017

This British Columbia appeal involved a request for access to the following information:

• references to the drive names and paths of LAN storage systems where specific
documents are saved;

• a reference to a secure system URL; and,

• toll-free teleconference phone numbers and the ID numbers necessary to obtain

access to teleconferences.

The institution adduced a sworn statement from a security architect who stated that
access to that information would make it easier for any hacker to compromise the
system. The architect gave the following opinion about standard practice:

In my experience, any sophisticated organization keeps information similar in

nature to the Information [in dispute] confidential for security purposes. That is
because if a hacker were to have access to such information, they would be able
to narrow the potential methods to hack into the system, thus increase their
chances of successfully attacking that system.

Having considered the institution’s evidence, the OIPC held that drive name
information, LAN storage system information and URL information was exempt from
the right of public access. Conversely, the OIPC held that toll-free teleconference
numbers must be disclosed.

Order F15-03 (Transportation Investment Corporation) - 2015

The British Columbia OIPC held that an institution properly denied access to network
configuration and security setting information and to “protocols for internal and remote
communications.” It explained:

What I am able to say about the withheld information under Schedule 20,
without revealing the substance of it, is that it describes how certain software
applications “interact and interface” with one another. This information relates
to matters “within the System exchange information.” Assuming a hacker was
able to breach the firewall, the Ministry’s evidence, including how the
information would assist a hacker’s targeted attack, persuades me that disclosure
of this information would be particularly valuable to hackers. The withheld
information in Schedule 20 provides a “road map” for a hacker to attack desired
targets once inside the government’s security perimeter. I have no difficulty
 -5-

concluding that disclosure of the withheld information could reasonably be

expected to expose the electronically stored personal information of many
citizens if hackers were able to breach the government’s security firewall. The
Ministry is therefore authorized to withhold it under s. 15(1)(l) of FIPPA.

Order F-15-72 (Ministry of Public Safety) - 2015

The British Columbia OIPC ordered that user IDs be disclosed over Ministry arguments
that such disclosure would give hackers “valuable information to assist in breaching
layers of security of government systems to access extremely sensitive corrections
information.”

The OIPC was not persuaded that a system would likely be compromised if user IDs
were made accessible. The adjudicator noted that there were security measures in place
at the Ministry to detect unauthorized access. She said the institution failed to explain
how a hacker with knowledge of user IDs would be “half again as likely” successful in
bypassing security controls.

Order F18-13 (British Columbia Pavilion Corporation) - 2018

The British Columbia OIPC upheld a decision to deny access to information in a series
of manuals that pertained to a retractable roof at a stadium, including a manual relating
to the roof’s SCADA system.

The manuals included hundreds of pages of detailed information regarding procedures,

instructions, drawings, photographs clearly outlining the operation of the roof. The
institution released approximately 90 pages of the manuals, withholding the rest. It
adduced evidence about its significant efforts to secure the manuals and keep them
confidential as well as evidence about the number of attempted “malicious cyber-attack
attempts” it experienced in the last year.

The OIPC held that it was clear that the disclosure of the withheld information could
reasonably be expected to cause harm to the institution and its computerized roof
systems because it provided “a roadmap for a hacker to attack desired targets once
inside…a security perimeter.”

November 25, 20198

8Prepared for Cybersecurity in Higher Education: Preparing and Improving to Mitigate Risk a CAUBO-
CUCCIO workshop.