As the Canadian Armed Forces builds its command and control and communications networks, it will simultaneously have to increase its capacity to defend them while also developing the capability to exploit them. Since 2011, Brigadier-General Greg Loos has led Director General, Cyber, a unit within Chief of Force Development tasked to develop the military’s future cyber capabilities. A few days before he began a new assignment as commander of Joint Task Force North, Loos spoke with Vanguard about the unit’s progress.
When DG Cyber was stood up, you had a broad mandate to develop future cyber capabilities. What have been your areas of priority?
A couple of years ago, we started from a position of providing traditional support to the Canadian Armed Forces in the areas of IT/IM support and IT security. And there had been a lot of effort from the ground up inside the organizations that are responsible for those activities to highlight the fact that the environment was changing, that in fact it was evolving into an operating environment that required more attention. That eventually turned into a top-down effort, to turn it into a formal force development effort to look at what we had, what was changing in the world around us and in our use of systems and technology, and what that meant for us in terms of building future cyber forces.
My first task was to take that strategic intent and come up with options to operationalize the cyber environment. There was recognition that cyber was a domain, and that we had to take it from being something different and bring it into the sphere of military operations and normalize it like we do for land, maritime, air or space operations. The first focus was to build a team and then look across all the elements of force development to put a plan in place for building what we need.
Do you now have a Canadian Forces cyber strategy?
Federally we have a strategy, which is a broad whole-of-government approach to looking at what Canada needs. Drawing from that, we don’t necessarily have a strategy but we have a plan and that is what we have been working on for the past couple of years. And it’s not a plan where the ink dries and that’s it. We are dealing with a highly dynamic domain and taking a force development approach means you have to account for those changes and update that plan. It is one thing to say we need new capabilities or we need to improve some capabilities, but that has to be weighed against all the other needs and demands across the Canadian Armed Forces in a time of fiscal restraint.
Have you progressed beyond defence of your networks at home and on operations, to developing offensive capability?
We are aiming to operationalize the cyber domain and that will ultimately yield a range of capabilities. To be honest, our focus has been on a couple of areas in the near-term, evaluating the defensive end of the spectrum of capabilities because the threats and risks are on the rise. One key aspect of operationalizing this is to put it into the command domain, which involves command-driven information requirements, situational awareness, deliberate planning, monitoring and execution. And that certainly includes defensive operations. Ultimately, we want military commanders to have the freedom of action to have key aspects of force protection as it applies to the cyber domain to undertake the things they need to do in any conflict or battle space.
General Keith Alexander [commander of U.S. Cyber Command] has spoken publicly in recent months about the need to expand offensive capability and has even announced the creation of 13 units for that purpose. Where are you in that discussion?
We are looking at the full range of capabilities that are out there from a conceptual perspective. You cannot hope to get better at any defensive capability if you don’t understand how an offense is going to work. There are a lot of actors across the spectrum from hacktivists to criminals, to state-sponsored or state actors, and you need to have defenses that cover all of it. So we look to a layered defensive system that allows you to deal with incidents coming in and manage the consequences after the fact.
I can’t speak to the details of what capabilities we are going to build, but our aim is to make cyber like any other domain. A modern military has to understand where their interests lie in cyber space, where the risks are, where the vulnerabilities are, where the opportunities are, and make best use of them. And in some ways we struggle with cyber and what is offensive and what is defensive and how do we navigate an emerging policy space. It will be an evolving discussion inside the department and within government as to the level of ambition for capabilities. We will ultimately develop what is the right level of ability from a Canadian perspective. But what’s old is new again: we have been in the radio frequency cyber environment, and involved in “cyber operations,” for many, many decades as it applies to electronic warfare, and we have found a way to normalize that.
Where does cyber eventually reside given that it cuts across the air, land, sea and space domains? Does it require its own command or is it part CJOC (Canadian Joint Operations Command)?
As others before me have commented, form has to follow function. We have made leaps and bounds in our progress of the functional analysis. We’re now at the point of specifically addressing the form aspects of the question and we’ll be looking with keen eyes at what some of the options are. If that warrants some changes in structure, then that will be proposed and hopefully implemented. But we are not yet at the point of making those decisions. It ultimately depends on what the level of ambition is for building capabilities and, most importantly, in normalizing cyber operations.
As the army, navy, air force and special forces build their networks, how are you ensuring you are able to protect and operate on them?
From a force development perspective, we have the remit to look at concepts and doctrine and capabilities and identify the gaps, and then look at some of the alternatives for building the future. Underneath my authority as DG Cyber, I now have a C4ISR directorate and their mandate is to look at that joint capability space as it applies to networks, command and control, communication and information systems. They are looking at that future architectural space to determine what we have to build. It’s quite a useful evolution in our organization to bring these things under one director general. Part of my cyber plan for getting better into the future is about building cyber forces, and part of that is getting at how we architect and build our systems so the security layers are built in from the start. If you have to layer it on afterwards, it is infinitely more difficult from a technical and systems perspective.
How does that tie into the cyber capability that NATO and allies are developing? Are you developing compatible skill sets?
This is absolutely a team sport. It involves whole-of-government effort at home and close interaction with our traditional Five Eyes allies as we all go through the same process of trying to operationalize and bring traditional warfighting into the environment. We have significant involvement with NATO. With my C4ISR mandate, we are involved in some of their architecture for their systems development. And for cyber, we are involved in some key projects to improve NATO situational awareness in the cyber domain. We’re also leveraging to pretty good effect NATO efforts for collective cyber training in ways that will only help build the human relationships that have to sit behind the networked relationships.
In 2009, the Canadian Forces School of Communications and Electronics launched a campaign plan to start defining the “Net Ops Warrior.” Do you have a better sense today of who that individual is?
I would say we have a better sense but we have not landed on any final answers. I believe our cyber forces of the future will involve a mix of Regular, Reserve, civilian and perhaps contractor or managed services support, integrated in the right way. In terms of individuals, we have a two-phased approach. We have classifications and trades today that draw from some of the right technical backgrounds to offer a starting point to develop higher order cyber functions, skills and knowledge. That’s providing a bit of a filter in terms of aptitude and interest, and in building teams. We have also engaged our personnel specialists for the full analysis – job analysis, skills analysis, training needs – to come up with more formal options.
I can’t tell you if the trades and classifications we have today will be the right pools to feed future cyber forces, or if we will need separate trades and classifications. I will say the human resources piece of this is by far the most difficult. What we call the cyber environment is the cyber marketplace for everyone else – there is a lot of growth in cyber security looking for the same kind of talent. So to retain the talent you need will be an immense challenge. And it’s a broader whole-of-government issue. Now, if we train a cyber warrior or operator and they go on to work somewhere else in government, that’s not a bad thing; we end up with a more cyber-savvy public service in the broader sense.
Defence Research and Development Canada as begun embedding scientists to understand operational needs. Are there projects you can discuss that illustrate this stronger relationship?
Absolutely. For the cyber environment, although it may not have been labelled as such, there has been longstanding connections between our force development efforts and our S&T folks working in these areas, whether it be in C4ISR or in cyber as it has emerged. There has been a specific effort to fully align S&T efforts with the overall Chief of Force Development campaign plan; we’ve integrated across all capability areas to have a more joined up effort so that DRDC’s plans are based on our desires for immediate outcomes and ultimate objectives. Cyber was a pilot effort in their own transformation – as they have changed their business model, they have used cyber specifically. So we now have an S&T cyber program that is fully aligned with our own future cyber forces campaign plan. The questions we need to have answered are now on their short list. That is a real success story.
Given how quickly technology changes, how do you manage the pace of change in this domain?
It’s a huge challenge. From an operations and maintenance of information technology perspective, our government procurement systems do not always lend themselves to keeping pace. That is going to be an even bigger challenge from a cyber perspective: not only do you have to keep pace with the changes in technology, you also have to keep pace with how unsavory actors might use that technology against you.
You have to have the right individuals as part of the force development team, to be connected with S&T, and you have to have better connections with industry because they are at the forward edge of this battle. You have to accept that the model for cyber force development is not like air, land or sea where you are going to build a big platform and keep it for 40 years. Your platform is changing on a daily basis. It speaks to a force development team that understands change and is queued to respond to those changes.
How successful have you been at shifting peoples’ mindsets?
I think we are at the front end of that. There is always a balance between what we in uniform consider to be an absolutely critical requirement to be addressed now and the limitations of government systems and resources. Procurement, for example, is not just a Defence challenge. Other government security agencies will also have to deal with the fact that the pace of change will necessitate a new approach to how we respond. I think that is increasingly understood by senior actors in the government.
The weak link in cyber defence is still the individual. What’s your role in internal cyber education?
That’s a key question. It highlights the point that at times we narrow our focus, in this case to the network space and how to make it more secure. There are all the traditional aspects of security that we still have to be mindful of, from emission security to transmission security, what you talk about, where, with whom – how you compartmentalize your work. There is a departmental program looking at that and there is obviously a nexus of interest between that security transformation effort and our own look at cyber defence. There are at least four important components to this. The first is everyone in the department, military and civilian; they are sitting at a keyboard and they have to understand the consequences of their actions. We have worked with our Provost Marshal to develop some of the computer-based training to help users. Above that, there are the people who maintain our systems and network environments; they are more switched on than most but we have to reframe their information protection, information assurance activities so they understand that this is an actual operational environment – they are looking after command and control and weapon systems, and there are implications and repercussions if you don’t get it right. Then there are commanders and staffs, and we have a role to play so that every operational headquarters understands how they integrate cyber operations into their normal command post operations as they do land, air and maritime. And last, there are the folks who are going to be involved in executing cyber operations, and they have a different level of sophistication. But normalizing this across the Canadian Armed Forces means everyone has to get it.
What lessons are you taking away about cyber?
Probably the biggest thing I have learned is the importance and, at times, great difficulty of reaching out across government to knit up that whole-of-government effort. It is so important, shifting from what at times can be a competitive inter-departmental environment to a more collaborative one. I firmly believe that for the government to get better in cyber space, it means a number of key federal departments must integrate their efforts and share information. That has been evolving over the past two years. As a typical, impatient military officer, it is always too slow for what you want, too slow for what you think the circumstances demand, but it is vitally important and it’s encouraging to see amongst these departments with a key stake in cyber that there is a growing realization that we are in this for the long haul and that the sum of our efforts should be greater than the individual contributions.