By John Adams
It’s time for Ottawa, the Department of National Defence, the CAF to address our cyber war capability shortfall.
Computers and information systems have become a fundamental part of Canadian life. Day-to-day activities, commerce, and statecraft have gone digital. The associated information technology (IT) underpins nearly all aspects of today’s society. It enables much of our commercial and industrial activity, supports our military and national security operations and is essential to everyday social activities.
A vast amount of data is constantly in motion and an astronomical quantity is being stored in cyberspace. Furthermore, owing to market incentives, innovation in functionality is outpacing innovation in security. Additionally, neither the public nor the private sector has been successful at fully implementing existing best-known security practices. Consequently, data is vulnerable whether it is in motion or at rest.
What is cyberspace? According to Daniel Kuehl, “[c]yberspace is an operational domain whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum (EMS) to create, store, modify, exchange, and exploit information via interconnected information and communication technology-based systems and their associated infrastructures.”
There are several characteristics of cyberspace worthy of note:
• The cost of entry into cyberspace is cheap.
• For the time being, offence is easier than defence in cyberspace.
• Defence of IT systems and networks relies on vulnerable protocols and open architectures, and the prevailing defence philosophy emphasizes threat detection, not the elimination of the vulnerabilities.
• Exploits occur at great speed, putting defences under great pressure, as an attacker has to be successful only once, whereas the defender has to be successful all the time.
• Range is no longer an issue, since exploitations can occur from anywhere in the world.
• The attribution of exploits is particularly difficult, which complicates possible responses.
• Modern society’s overwhelming reliance on cyberspace is providing any exploiter a target-rich environment, resulting in great pressure on the defender.
People with expertise in software programming and manipulation concentrate their actions on exploiting the intricacies of computer networks and terrorize IT systems as follows:
• Hacktivism: an exploitation motivated by political activism that often involves defacing a website for the explicit purpose of publicly shaming the target.
• Cyber Crime: a criminal offence involving a computer as the object of the crime (hacking, phishing, spamming), or as the tool used to commit a material component of the offence (child pornography, hate crimes, computer fraud).
• Cyber Espionage: an exploitation to access covert information of national interest belonging to others.
• Cyber Terrorism: the systematic threat or use of violence, often across national borders, to attain a political goal or communicate a political message through fear or intimidation of non-combatant persons or the general public.
• Cyber War: disrupting or destroying information and communications systems with the intent of causing catastrophic damage and destruction of critical infrastructure, in the same league as bombs and bullets.
The term cyber attack is an umbrella term often used to include all of the exploitations above. The word ‘attack’ carries a lot of baggage with it. Generally, it implies the destruction of material and/or people, and it could be construed to be an act of war. Consequently, the term cyber attack would be more accurately used to describe only those exploitations in support of a cyber war.
Another term for such exploitations is network warfare operations. The term cyber exploitations is the more accurate umbrella term for all other exploitations enumerated above. The government of Canada has responded to cyber exploitations with its Cyber Security Strategy.
Published in 2010, the strategy is noteworthy for the fact that it limits itself to strengthening the government’s capability to detect, deter and defend against cyber attacks while deploying cyber technology to advance Canada’s economic and national security interests.
It did not militarize cyber security; it was limited to specifying that the Canadian Armed Forces were to strengthen their capacity to defend their own networks, work with other government departments to identify threats to their networks and possible responses, and continue to exchange information about best cyber practices with allied militaries.
The Department of National Defence and the Canadian Armed Forces were also to work with allies to develop the policy and legal framework for military aspects of cyber security, complementing international outreach efforts of Global Affairs Canada.
It is noteworthy that cyber attacks were not on the table. Some may have despaired of this approach believing the best defence to be a good offence.
There are several reasons why a more aggressive approach would have been ill-advised in 2010, in that cyber defence was the focus and the concept of cyber war had not yet sufficiently matured:
• By militarizing relatively low-level cyber threats, governments risk desensitizing the citizenry thereby creating a type of ‘moral hazard,’ which makes ordinary people and companies less likely to take responsibility for protecting themselves. That is exactly the opposite of the sort of behaviour a responsible government should want to encourage.
• Furthermore, one risks negating other “longer-term and more sustainable efforts” to address the new challenges that cyber brings to security systems.
• Finally, one risks creating the impression that one is in a constant state of war where cyber is concerned, but with little evidence of damage or impact on citizens personally which might thereby engender cynicism and complacency.
What has changed since 2010 such that Canada should revisit its 2010 cyber strategy?
To answer that question let us return to our discussion of cyberspace.
Many consider cyberspace to be the newest and most important addition to the global commons, which comprises four domains: maritime, air, space and now cyber. Cyberspace is now used by a quarter of the world’s population, and that number continues to expand. It has “become the centre of gravity of the globalized world, and for nations, the centre of gravity for all aspects of national activity, to include economic, financial, diplomatic, and other transactions including military operations.”
In essence, digitization is now so pervasive that cyberspace is indispensable for transportation systems, electrical transmission grids, weapons systems, command and control systems, inter alia. It is, therefore, a very real concern that successful cyber attacks within cyberspace would have disastrous effects on the ability of states to function. Consequently, cyberspace has become an emerging theatre of operations and all states must be capable of operating therein.
According to Fred Schreier, “[s]uccessful exploitation of this domain through network warfare operations could allow an opponent to dominate or hold at risk any or all of the global commons.”
Harking back to the characteristics of cyberspace highlighted earlier, it is a domain where the classic restraints of distance, space, time and investment are reduced, sometimes dramatically, both for us and for potential enemies.
Power based on information resources is not new; cyber power is. As Kuehl defines it, “[c]yberpower is the ability to use cyberspace to create advantages and influence events in other operational environments and across the instruments of power.” Franklin Kramer defines it as “the use, threatened use, or effect by the knowledge of its potential use, of disruptive cyber attack capabilities by a state.” And Schreier argues that cyber power capabilities challenge the strategist to integrate those capabilities with other elements and instruments of power. And this requires the crafting of a cyber strategy, which is “the development and employment of capabilities to operate in cyberspace, integrated and coordinated with the other operational realms, to achieve or support the achievement of objectives across the elements of national power. To develop a national strategy for cyberspace, therefore, is simultaneous to creating cyber resources and procedures that can contribute to the achievement of specific national security objectives. Cyber war means disrupting or destroying information and communications systems with the intent of threatening a state’s sovereignty. It also means trying to know everything about an adversary while keeping the adversary from knowing much about oneself.
There are three forms of what have been called computer network operations:
• Computer Network Attack: operations designed to disrupt, deny, degrade, or destroy information resident in computers or computer networks, or the computers or networks themselves.
• Computer Network Exploitation: retrieving intelligence-grade data and information from enemy computers by information and communications technology (ICT).
• Computer Network Defence: all measures necessary to protect your own ICT and infrastructures from hostile computer network attack and computer network exploitation.
Computer network attack is still in its infancy, but its importance has increased immensely since 2010 and it will certainly increase considerably in the coming years. Some people think that cyber war will sooner or later replace kinetic war. More frequently, cyber war is presented as a new kind of war that is cheaper, cleaner and less risky for an attacker than other forms of armed conflict. In either case, the Canadian Armed Forces have a responsibility not only to protect their own systems, but they also need to have the authority to direct offensive action, in the form of cyber attacks, if that is what it takes to blunt an ongoing catastrophic attack on critical infrastructure at home. It would be neglectful beyond belief to leave the Canadian Armed Forces without access to offensive cyber capabilities and the requisite authority to attack a foreign adversary who is causing catastrophic damage to Canada’s critical infrastructure through cyber war. Only then will the Canadian Armed Forces be relevant in future conflicts. This high priority responsibility and authority must be highlighted in the upcoming Defence Policy Review, thereby ensuring that it is adequately resourced forthwith.
In that regard, it is noteworthy that in spite of days of contentious debate on the floor of the US Congress over the 2015 National Defence Authorization Act, there was a rare bipartisan consensus concerning cyber, and it was fully funded. Also worthy of note is the fact that in April 2015, the United States released a new Cyber Security Strategy. Among other things, for the first time, it explicitly discussed the circumstances (see catastrophic attack above) under which cyber war could be used against an attacker. This is why asking the Department of National Defence and the Canadian Armed Forces to work on the policy/legal framework in 2010 was wise – why and when is easily as important as how, and actually harder to nail down.
Not least of the policy questions is how/where capabilities should be developed and how/when accessed. If that’s not clear, drumming up funding for weaponry development could be wasteful at best and disruptive or dangerous at worst. That work must be finalized, if it hasn’t been already, as part of the Defence Review. It will be an essential component to an update of Canada’s 2010 Cyber Security Strategy, which will be an indispensable complement to the Defence Policy
The clarification of Canada’s approach to cyber as highlighted above, within the Defence Review, in combination with the updated Cyber Security Strategy, would form the basis for Canada/US discussions regarding a CANUS Cyber Accord. Borders do not inhibit network warfare operations. Furthermore, elements of Canada’s critical infrastructure, currently vulnerable to cyber attack, are shared. Accordingly, such an accord makes eminent sense and would deepen Canada/US defence cooperation.
Finally, to highlight the priority that the United States is placing on this matter, there is draft legislation before Congress which seeks to improve the Pentagon’s defence procurement process for cyber warfare technologies by including these technologies within the Secretary of Defense’s Rapid Acquisition Authority.
In conclusion, the time for the government of Canada, the Department of National Defence and the Canadian Armed Forces to close the shortfall in the authority to engage in cyber war is now, and the perfect vehicle is the Liberal government’s recently announced Defence Review to be done in lockstep with an update of Canada’s Cyber Security Strategy.
Major-General John Adams (Ret’d) is the former Chief of the Communications Security Establishment Canada and Associate Deputy Minister of National Defence. After his retirement from the Canadian Forces, Adams was appointed Assistant Deputy Minister, Infrastructure, and Environment, for National Defence. From 1998 to 2003, he served as Assistant Deputy Minister, Marine Services and Commissioner with the Canadian Coast Guard for Fisheries and Oceans Canada, and from 2003 to June 2005, as Associate Deputy Minister and Commissioner of the Canadian Coast Guard.