A threat exchange is an arrangement for sharing information about cyber threats, one meant to help all members identify, assess, monitor and respond.2 Sharing threat information is a recognized best practice,3 though it carries a confidentiality risk given the plain existence of adversaries who are motivated to do harm and who may engage in “threat shifting.”4
In this regard, public sector institutions face a special information sharing constraint
that deserves attention – exposure to freedom of information legislation that makes
most records in organizational “custody or control” presumptively accessible to
members of the public.
This paper provides a digest of some cases in which institutions have raised the potential harm posed by hackers in denying access to information.5 They show that the normal burden of proving non-speculative harm6 may be too heavy, given that hackers are opportunistic and can put the most seemingly benign information to use.7 This, together with the strong and present need to counteract cybercriminals, suggests that legislators should consider passing outright exclusions from the presumptive right of access to encourage secure threat information sharing.

1 A data security, privacy and FOI lawyer and partner at Hicks Morley who has helped organizations respond to data security incidents, workplace fatalities and other critical events since 2006 and has represented organizations in numerous privilege-related FOI appeals. Thanks go to student-at-law Alia Rashid for her valued research and drafting assistance.
2 “Guide to Cyber Threat Information Sharing,” National Institute of Standards and Technology, Special Publication 800-150 (October 2016), ii.
3 Andrew Nolan, “Cybersecurity and Information Sharing: Legal Challenges and Solutions,” Congressional Research Service (March 2015), executive summary. See also “A full year of mandatory data breach reporting: What we’ve learned and what businesses need to know,” Office of the Privacy Commissioner of Canada (October 2019): “Pay attention to alerts and other information from your industry association and other sources of industry news.”
4 “Guide for Conducting Risk Assessments,” National Institute of Standards and Technology, Special Publication 800-30 Revision 1, 9: threat shifting “is the response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures.”
5 Courts have recognized that confidentiality is especially warranted in the “law enforcement” context given the presence of motivated bad actors: Ontario (Attorney General) v Fineberg (1994), 1994 CanLII 10563 (ON SC), 19 OR (3d) 197 (Div Ct). The question, though, is whether this doctrine offers enough protection in today’s very demanding context.
6 Merck Frosst Canada Ltd v Canada (Health), 2012 SCC 3 (CanLII), [2012] 1 SCR 23, para 199. The institution resisting public disclosure “must show that the risk of harm is considerably above a mere possibility, although not having to establish on the balance of probabilities that the harm will in fact occur.”
7 Reconnaissance is the first phase of the so-called “cyber kill chain,” which can include gathering information to perpetrate a phishing attack. See S. Kottinen, “What Phase Of The Cyber Kill Chain Is Your Network In?,” Forbes Technology Council (25 November 2019).
Absent such legislative reform, public sector institutions should share information under strong information classification schemes that expressly recognize both the importance of sharing and the likely harm from public disclosure. In handling appeals about confidential information shared via threat exchanges, institutions should be prepared to prove that they treat the information at issue as confidential even though it has been shared, and should also adduce other evidence to give an air of reality to broad claims about hacker capabilities. As the cases below show, what carries weight is specific evidence of how the particular information would assist an attack, not a general assertion that hackers are dangerous. Reference to authoritative standards and guidelines that establish the need to keep certain kinds of information secret may help.
Ontario
The IPC/Ontario ordered the following to be disclosed: “the name, model version and description of the database server used for student record management including information on how it is networked, and the name, version and brief description of the software used to input the data and generate the reports from the database.”
The IPC dismissed the institution’s argument that disclosure would facilitate hacking as speculative, noting the lack of evidence provided by the institution concerning the frequency of hacking into similar systems and the extent to which the institution’s systems were susceptible to attack. The IPC also noted the lack of evidence regarding particular software vulnerabilities.
In another order, the IPC conducted an exacting, line-by-line review. It held that information about specific risks and details about systems was exempt from the right of public access, describing some of the exempt information as follows:
• “step-by-step screen layouts of the computer screen images which appear, and
the nature of the information to be entered to proceed to the next screen”
• “the diagram on page 149 of the Health Care Branch I & IT Cluster PIA, though
somewhat general in nature, could reasonably be expected to endanger the
security of the system or procedure”
• “fairly detailed information about the data, including field names, stored in
various databases”
The IPC distinguished this information from other, more general, system-related
information.
The IPC/Ontario held that the Ontario Lottery and Gaming Corporation was entitled to keep the physical location of its data centre secret. OLG relied on an Ontario government IT standard and on ISO/IEC 27002:2013, both of which recommend obscuring the role of facilities used to store data (ISO/IEC 27002:2013 control 11.1.3 advises that key facilities give minimal indication of their purpose).
Alberta
The Alberta OIPC rejected an argument that obtaining a list of cellphone numbers would allow an individual to infiltrate a system or harm its safety and security. If the theory was that cellphone numbers could be used to “hack the cellphones of individuals,” the OIPC said, then evidence was needed to show why this outcome was reasonably likely to occur.
British Columbia
This British Columbia appeal involved a request for access to information including:
• references to the drive names and paths of LAN storage systems where specific
documents are saved;
The institution adduced a sworn statement from a security architect who stated that
access to that information would make it easier for any hacker to compromise the
system. The architect gave the following opinion about standard practice:
Having considered the institution’s evidence, the OIPC held that drive name
information, LAN storage system information and URL information was exempt from
the right of public access. Conversely, the OIPC held that toll-free teleconference
numbers must be disclosed.
The British Columbia OIPC held that an institution properly denied access to network
configuration and security setting information and to “protocols for internal and remote
communications.” It explained:
What I am able to say about the withheld information under Schedule 20,
without revealing the substance of it, is that it describes how certain software
applications “interact and interface” with one another. This information relates
to matters “within the System exchange information.” Assuming a hacker was
able to breach the firewall, the Ministry’s evidence, including how the
information would assist a hacker’s targeted attack, persuades me that disclosure
of this information would be particularly valuable to hackers. The withheld
information in Schedule 20 provides a “road map” for a hacker to attack desired
targets once inside the government’s security perimeter. I have no difficulty
The British Columbia OIPC ordered that user IDs be disclosed over Ministry arguments
that such disclosure would give hackers “valuable information to assist in breaching
layers of security of government systems to access extremely sensitive corrections
information.”
The OIPC was not persuaded that a system would likely be compromised if user IDs were made accessible. The adjudicator noted that the Ministry had security measures in place to detect unauthorized access. She said the institution failed to explain how a hacker with knowledge of user IDs would be “half again as likely” to succeed in bypassing security controls.
The British Columbia OIPC upheld a decision to deny access to information in a series
of manuals that pertained to a retractable roof at a stadium, including a manual relating
to the roof’s SCADA system.
The OIPC held that it was clear that the disclosure of the withheld information could
reasonably be expected to cause harm to the institution and its computerized roof
systems because it provided “a roadmap for a hacker to attack desired targets once
inside…a security perimeter.”
8 Prepared for “Cybersecurity in Higher Education: Preparing and Improving to Mitigate Risk,” a CAUBO-CUCCIO workshop.