Risks and Consequences of Canada’s Cyberattack-friendly Defence Policy

Canada’s defence policy, Strong, Secure, Engaged (SSE) includes a longstanding and fundamental tenet that calls for the protection of “critical military networks and equipment from cyberattack by establishing a new Cyber Mission Assurance Program that will incorporate cybersecurity requirements into the procurement process”. The novelty in this statement is that cyber-related procurement should explicitly consider the threats from cyberattack, a requirement that is either long overdue or a codification of best practices aimed at defending our military’s cyber-infrastructure, which may be going on already. However, this only explicitly speaks to new procurement, while the need to develop protection for existing cyber-assets should also produce an immediate call to action to assess all assets. Unfortunately, the document appears silent on the protection of legacy systems currently in place and the potential threat to them for a number of reasons.

Risks to Current Assets

There are a number of risks associated with the apparent omission of the protection of legacy systems, namely:

• Potential attack surfaces are already in place in the form of flaws in existing software and hardware assets currently deployed. Many of these systems are well beyond their anticipated lifetime and remain critical parts of our military’s capacity. Cyberattacks on these systems should be carefully assessed and appropriate changes made either to the existing asset, or better, by replacing it with a current, state-of-the-art version.
• Maintenance of these legacy systems will likely require software alterations that may open new attack surfaces either embedded in the alterations themselves or because of unanticipated interactions between the original software and the update. Legacy heterogeneous systems are notoriously difficult to protect from unanticipated attacks because they may be vulnerable due to: the legacy software/hardware, the updates made to modernize the systems, or from the interaction of the old systems with the new ones.
• As legacy hardware becomes more difficult to procure or there emerges a desire to increase the functionality of deployed military assets, novel risks from the new technology will open up additional attack surfaces. For example, an IoT (Internet of Things) device with enhanced communication ability will bring significant advantages to an asset, but may do so at the risk of making other, older elements in the asset vulnerable to cyberattacks that it would otherwise not be exposed to.

A critical risk raised in the SSE, but not addressed adequately by it, is the protection of currently deployed assets and how the impact of new technology, which will be required to maintain its functionality, can best be protected from cyberattack.

The real novelty in the SSE’s policy goes further than the clearly mandatory need for cyberdefence on existing and new assets by explicitly calling for the development of “active cyber capabilities and (their) employ(ment) … against potential adversaries in support of government-authorized military missions.” It is well known that some states have been developing cyberattack capabilities for many years and there is also clear evidence that these attacks have been deployed in the past. However, the decision to do so as a part of an endorsed strategy of a state is significant.

Cyberattacks, by their very nature, are often delivered from multiple sources and are deployed through complex and difficult-to-trace virtual modalities.

A combination of network hops around the world and a co-ordinated cyberattack launch could be authorized in one part of the world but appear to come from anywhere in the world. Tracing the source of the attack may be impossible to verify with complete certainty, which might make it impossible to hold the real culprit to account. Current state-of-the-art forensics may be able to identify the author of malware, but it is exceedingly difficult to identify the precise deployment source. Thus, the technology necessary to definitively identify cyberweapon deployments does not exist and modern cyber-infrastructure does not provide sufficient traceability primitives to identify the source of cyberweapon use with sufficient certainty.

In fact, this actually “encourages” the use of these weapons because their deployer would be difficult to detect. However, there is a substantial risk of other states launching cyberattacks by routing them through Canada to make it appear as if the attacks had originated from here. Thus, before adopting a cyberattack-capacity-building strategy such as the one proposed in the SSE, Canada should develop sufficient checks and balances on the use of cyberweapons to ensure that an attack by another state using Canadian infrastructure can be plausibly denied. This might require difficult changes to the current internet infrastructure or sufficient transparent overhead on the valid use of cyberweapons that are seen as very compelling to the rest of the world.

Although there are likely many other risks, the final issue raised here is related to the appropriate management of the development of cyberweapons. Unlike physical weapons, cyberweapons typically exploit an unknown vulnerability in existing hardware and software. Thus, the weapon developer must find the vulnerability, develop an exploit to take advantage of it, and identify an enemy to use the weapon against. Each of these three stages present unique weapon-management challenges that we consider next.

1. Identifying these vulnerabilities is a timely process and often involves a fair amount of luck, so they are more likely to be discovered with multiple people working on them. Once discovered, they must be kept secret or patches can be developed to disable the vulnerability (and as a result, the weapon itself) reasonably quickly. The ethics of not warning others about these vulnerabilities is beyond this document’s scope, but at the very least it can lead to significant unintended consequences. 
2. The challenge of developing an exploit to take advantage of an identified vulnerability may be fairly straightforward in some cases but it could also involve a significant amount of expertise and innovation to accomplish. This is clearly not something that can be readily “outsourced” to other states, and even if it was to be done by verified cyberweapon suppliers, the challenges of managing this process should not be underestimated. If the approach is building capacity within military (or quasi-military) national centres, it will likely require a substantial investment in public dollars that would be difficult to justify given the clandestine nature of the activities and the possibility (ideally) that these cyberweapons would never be meaningfully deployed.
3. The final challenge of identifying an enemy to use the weapon against and to determine precisely when and how it should be used, given the two points above, is unclear. The hesitance to use cyberweapons at times of military conflict in preference to kinetic weapons suggests that they are unlikely to be the preferred choice once a military conflict has started. Using them beforehand is fraught with risk because their use, if they could be traced back to the originator, could lead to a war that might otherwise have been prevented. In the case of a large, powerful state using these weapons, this will likely be avoided because the weaker state is unable to respond in a meaningful way. 

Overriding each of these potential risks is the need to have oversight on the development, use, and deployment of cyberweapons. Military activities can only be undertaken with the direct oversight of the prime minister, but they would likely involve a wider discussion for political reasons. Given the nature of these weapons and how they would need to be developed, this oversight would likely have to be done in a more secretive way. The ultimate deployment of cyberweapons might occur with the oversight of Parliament, but would those considering this have sufficient understanding of the implications and risks associated with cyberweapons, which could have many unintended consequences? 

Unintended Consequences

The unintended consequences arising from a cyberattack can be grouped into two categories: unintended consequences impacting on those being attacked; and ones impacting those undertaking the attack (or their allies).

Unintended consequences potentially impacting an enemy: Once weapons are deployed, the scope of their effect is difficult to anticipate. Ideally an attack would be highly targeted and very specific to a particular computer system or to the real-world resource it controls. There are unique identifiers in most hardware that would allow a cyberweapon to only impact a particular machine. However, the attacker would have to identify that machine in advance of developing and deploying the weapon, and the cyberweapon would become useless if the victim simply changed or upgraded their hardware. Thus, there are very few incentives for a cyberattacker to produce a weapon with such a narrow target and it is unlikely that such a narrowly focused cyberweapon would be effectively deployed except in very limited circumstances.

Most cyberweapons have a virus-like nature to them where they seek to infect as many systems as possible to maximize their impact. This alone would make it difficult to control the unintended consequences that might occur on an enemy. However, even if the cyberweapon does not contain a virus-like nature where it seeks all computer systems that have the vulnerability that allows it to perform its cyberattack, it is still extremely difficult to limit its effect to only the intended target. The unintended consequences on the enemy might be much wider than what has traditionally been considered acceptable in terms of collateral damage. 

Furthermore, best practices in the computer industry demand that systems are updated in a timely and regular way to ensure that the systems are current across an organization’s entire scope. Organizations (the military being no exception) seek to minimize high software/hardware maintenance costs by exploiting as much homogeneity as possible in their deployed systems because this simplifies and streamlines the updating process so is often a requirement in the procurement decision. However, this homogeneity also means that a cyberweapon meant to exploit a vulnerability found in one system can also attack other systems in the organization that have the same vulnerability. 

Unintended consequences potentially impacting the attacker: A cyberweapon is generally victim-agnostic, so it is just as threatening to the attacker’s cyber-systems as it is to the victim’s. The question of how to deploy a cyberattack that cannot subsequently impact on your own systems is an open one. To consider how this might be addressed we consider a number of options:

• Explicitly identify which machines will allow the cyberattack to be performed. It is extremely difficult to identify the victim’s machine and to ensure that changes in hardware do not disable the efficacy of the attack. This “white list” approach, which specifies where a cyberattack is allowed to occur, is not feasible in a cyberwar scenario. The alternative is a “blacklist” that states where the cyberattack is not allowed to execute. This will only work if a complete list of all of the attacker’s assets could be produced and could then be deployed with the cyberweapon to limit its functionality. 

• Protecting the attackers from their own weapons. This essentially requires an update to the attacker’s vulnerability to the cyberweapon. This can be done in two ways:

1. Use the appropriate vendor’s update mechanism: The mechanism is likely to be the only truly universal way to update all of the potentially vulnerable systems within a state’s critical infrastructure. However, the solution is, by definition, universal, so it would be nearly impossible to convince a vendor to selectively update specific systems to a particular vulnerability. In fact, this would likely lead to a very expensive lawsuit for the vendor if it knowingly left vulnerabilities in software that it sold to its customers, so there would be virtually no incentive for a vendor to do so.
2. Secretly update all of the attackers’ own systems’ vulnerabilities: Since the attacker knows the vulnerability, developing a patch would likely be possible, if not straightforward, even if it required some reverse engineering of proprietary software. Assuming, for the moment, that this is possible, the question of how to distribute the patch to only a single organization in a confidential way is critical. If such a patch was to become known, any potential victims would likely immediately seek to determine how to protect their own systems. Even if they were not aware that a cyberweapon had been deployed on their system, the desire to patch their systems would be extremely high and, once accomplished, it would disable the attacker’s cyberweapon. 

• Protecting the attacking state’s non-military infrastructure. The cyberweapons are exploiting vulnerabilities that also exist in “everyone’s” systems. All public and private organizations and their infrastructures have an important stake in the use of any cyberweapons. No state will want to deploy a cyberattack that quickly comes back and shuts down key national institutions, such as banking systems, financial markets, transportation and power systems, non-military communication systems, etc. 

Finally, consider the challenge of dismantling a cyberweapon. Several issues must be considered:

• If a cyberweapon has been deployed but a decision is made to withdraw it, a key question is: Can these deployment sites be accessed again? It is unlikely that a cyberattacker would be willing to notify the victim about the latent weapons buried within its system, so the only way to remove it is to once again get access to it. One potential solution would be to send the victim a “friendly patch” that the attacker strongly encourages them to apply, but this will likely raise suspicion, at best, and could lead to the need to deploy the cyberweapon anyway because of a newly poisoned relationship! In short, once deployed, it would be difficult if not impossible to remove.

• Most of these weapons have an ability to migrate either explicitly as a virus and/or physically by copying them across multiple devices (e.g., using an infected USB). Thus, even if we know where they were initially deployed, the question of how to ensure that the cyberweapon has not migrated to other machines without the attacker’s knowledge is critical. Although it might be possible to leave a digital trail within the cyberweapon itself so a forensic expert could attempt to follow its path, this would open the possibility that the trail would be discovered by the potential victim, which would lead to the weapon’s discovery and it being disabled while still in its active or operational phase.

• Given that this software can travel through an enemy’s system in difficult-to-track ways, the next concern is: What if this vulnerability shows up on an ally’s systems? Several interesting question will likely be asked at this point, but the first one will be: Was it inadvertently migrated from within the attacker’s system through normal operations, or is this an attack by the enemy on the ally’s systems? If the cyberweapon was discovered by the enemy and the vulnerability was known to exist in one of the attacker’s ally’s systems, there is nothing to stop the victim from patching its own systems and using the weapon itself. Furthermore, if this is discovered by the ally and reported to the attacker, how can this be disabled without revealing the danger to which the attacker has exposed the ally? It is likely, especially if this is a cyberweapon used for espionage, that the ally will become suspicious about whether this was placed on its systems accidentally by the attacker, intentionally by the attacker, or intentionally by the victim using it itself. Clearly different kinds of responses would be called for depending on each case.

Next Steps

To conclude, we turn to identifying what Canada’s next steps should be to fully explore and consider the many questions developed above and how to mitigate the risks and consequences of Canada’s cyber policy. Although there are likely many different directions open, the following seem to be the most key and self-evident initial steps.

1. Canada must define the goals of a cyberattack strategy. Who are potential opponents that could be subject to an attack? What are acceptable reasons to use cyberweapons? How do we define successful attacks and distinguish them from failed attempts?
2. Rules of engagement must be clearly defined. When should cyberweapons be allowed to be used? When should they be used: before, after or in conjunction with direct kinetic military actions? Should their use be reported upon openly and honestly to the Canadian public?
3. Who has the authority to use cyberweapons either in peace or wartime? Who should be allowed to authorize their use? Once authorized, who should be allowed to deploy them and under what circumstances? Who has oversight after their use in terms of assessing their effectiveness, their appropriateness, and evaluating any unintended consequences or collateral damage?
4. Rules of war need to be defined for cyberweapons. Canada must work with other nation states to formally codify the rules under which states can engage in cyberattack and cyberespionage. These might mirror existing kinetic-warfare rules, but they will require articulation through a technological lens. If we do not have clear rules about the use of these cyberweapons as a nation state, then we run the risk of stumbling into a kinetic war! Thus, a critical next step is undertaking the difficult task of coming to international agreements about the use of these weapons, their production, and their implications. 
5. Partnership with cybersecurity stakeholders. The issues of cybersecurity are much broader than their application to cyber-military either for offensive or defensive purposes. The question of whether a partnership could be forged between the military and public/private cybersecurity organizations is a valid one to consider. If this kind of partnership is not viable, then how can the military meaningfully engage with non-military stakeholders to ensure the utility of any weaponry produced and the safety to Canada and its allies?

This article is an abridged version of a joint Policy Paper from The School of Public Policy and the Canadian Global Affairs Institute that was published as Cyberattack: What Goes Around, Comes Around on cgai.ca. It is reprinted here by permission.