Vanguard

Risks and Consequences of Canada’s Cyberattack-friendly Defence Policy

Canada’s defence policy, Strong, Secure, Engaged (SSE), includes a longstanding and fundamental tenet that calls for the protection of “critical military networks and equipment from cyberattack by establishing a new Cyber Mission Assurance Program that will incorporate cybersecurity requirements into the procurement process”. The novelty in this statement is that cyber-related procurement should explicitly consider the threats from cyberattack, a requirement that is either long overdue or a codification of best practices aimed at defending our military’s cyber-infrastructure, which may be going on already. However, this only explicitly speaks to new procurement, while the need to develop protection for existing cyber-assets should also produce an immediate call to action to assess all assets. Unfortunately, the document appears silent on the protection of legacy systems currently in place and the potential threat to them for a number of reasons.

Risks to Current Assets

There are a number of risks associated with the apparent omission of the protection of legacy systems, namely:

A critical risk raised in the SSE, but not addressed adequately by it, is the protection of currently deployed assets and how the impact of new technology, which will be required to maintain its functionality, can best be protected from cyberattack.

The real novelty in the SSE’s policy goes further than the clearly mandatory need for cyberdefence on existing and new assets by explicitly calling for the development of “active cyber capabilities and (their) employ(ment) … against potential adversaries in support of government-authorized military missions.” It is well known that some states have been developing cyberattack capabilities for many years and there is also clear evidence that these attacks have been deployed in the past. However, the decision to do so as a part of an endorsed strategy of a state is significant.

Cyberattacks, by their very nature, are often delivered from multiple sources and are deployed through complex and difficult-to-trace virtual modalities.

A combination of network hops around the world and a co-ordinated cyberattack launch could be authorized in one part of the world but appear to come from anywhere in the world. Tracing the source of the attack may be impossible to verify with complete certainty, which might make it impossible to hold the real culprit to account. Current state-of-the-art forensics may be able to identify the author of malware, but it is exceedingly difficult to identify the precise deployment source. Thus, the technology necessary to definitively identify cyberweapon deployments does not exist and modern cyber-infrastructure does not provide sufficient traceability primitives to identify the source of cyberweapon use with sufficient certainty.

In fact, this actually “encourages” the use of these weapons because their deployer would be difficult to detect. However, there is a substantial risk of other states launching cyberattacks by routing them through Canada to make it appear as if the attacks had originated from here. Thus, before adopting a cyberattack-capacity-building strategy such as the one proposed in the SSE, Canada should develop sufficient checks and balances on the use of cyberweapons to ensure that an attack by another state using Canadian infrastructure can be plausibly denied. This might require difficult changes to the current internet infrastructure or sufficient transparent overhead on the valid use of cyberweapons that are seen as very compelling to the rest of the world.

Although there are likely many other risks, the final issue raised here is related to the appropriate management of the development of cyberweapons. Unlike physical weapons, cyberweapons typically exploit an unknown vulnerability in existing hardware and software. Thus, the weapon developer must find the vulnerability, develop an exploit to take advantage of it, and identify an enemy to use the weapon against. Each of these three stages presents unique weapon-management challenges that we consider next.

  1. Identifying these vulnerabilities is a time-consuming process and often involves a fair amount of luck, so they are more likely to be discovered with multiple people working on them. Once discovered, they must be kept secret or patches can be developed to disable the vulnerability (and as a result, the weapon itself) reasonably quickly. The ethics of not warning others about these vulnerabilities is beyond this document’s scope, but at the very least it can lead to significant unintended consequences.
  2. The challenge of developing an exploit to take advantage of an identified vulnerability may be fairly straightforward in some cases but it could also involve a significant amount of expertise and innovation to accomplish. This is clearly not something that can be readily “outsourced” to other states, and even if it were to be done by verified cyberweapon suppliers, the challenges of managing this process should not be underestimated. If the approach is building capacity within military (or quasi-military) national centres, it will likely require a substantial investment in public dollars that would be difficult to justify given the clandestine nature of the activities and the possibility (ideally) that these cyberweapons would never be meaningfully deployed.
  3. The final challenge of identifying an enemy to use the weapon against and to determine precisely when and how it should be used, given the two points above, is unclear. The hesitance to use cyberweapons at times of military conflict in preference to kinetic weapons suggests that they are unlikely to be the preferred choice once a military conflict has started. Using them beforehand is fraught with risk because their use, if they could be traced back to the originator, could lead to a war that might otherwise have been prevented. In the case of a large, powerful state using these weapons, this will likely be avoided because the weaker state is unable to respond in a meaningful way. 

Overriding each of these potential risks is the need to have oversight on the development, use, and deployment of cyberweapons. Military activities can only be undertaken with the direct oversight of the prime minister, but they would likely involve a wider discussion for political reasons. Given the nature of these weapons and how they would need to be developed, this oversight would likely have to be done in a more secretive way. The ultimate deployment of cyberweapons might occur with the oversight of Parliament, but would those considering this have sufficient understanding of the implications and risks associated with cyberweapons, which could have many unintended consequences? 

Unintended Consequences

The unintended consequences arising from a cyberattack can be grouped into two categories: unintended consequences impacting those being attacked, and ones impacting those undertaking the attack (or their allies).

Unintended consequences potentially impacting an enemy: Once weapons are deployed, the scope of their effect is difficult to anticipate. Ideally an attack would be highly targeted and very specific to a particular computer system or to the real-world resource it controls. There are unique identifiers in most hardware that would allow a cyberweapon to only impact a particular machine. However, the attacker would have to identify that machine in advance of developing and deploying the weapon, and the cyberweapon would become useless if the victim simply changed or upgraded their hardware. Thus, there are very few incentives for a cyberattacker to produce a weapon with such a narrow target and it is unlikely that such a narrowly focused cyberweapon would be effectively deployed except in very limited circumstances.

Most cyberweapons have a virus-like nature to them where they seek to infect as many systems as possible to maximize their impact. This alone would make it difficult to control the unintended consequences that might occur on an enemy. However, even if the cyberweapon does not contain a virus-like nature where it seeks all computer systems that have the vulnerability that allows it to perform its cyberattack, it is still extremely difficult to limit its effect to only the intended target. The unintended consequences on the enemy might be much wider than what has traditionally been considered acceptable in terms of collateral damage. 

Furthermore, best practices in the computer industry demand that systems are updated in a timely and regular way to ensure that the systems are current across an organization’s entire scope. Organizations (the military being no exception) seek to minimize high software/hardware maintenance costs by exploiting as much homogeneity as possible in their deployed systems. Because this simplifies and streamlines the updating process, homogeneity is often a requirement in the procurement decision. However, this homogeneity also means that a cyberweapon meant to exploit a vulnerability found in one system can also attack other systems in the organization that have the same vulnerability.

Unintended consequences potentially impacting the attacker: A cyberweapon is generally victim-agnostic, so it is just as threatening to the attacker’s cyber-systems as it is to the victim’s. The question of how to deploy a cyberattack that cannot subsequently impact your own systems is an open one. To see how this might be addressed, we consider a number of options:

  1. Use the appropriate vendor’s update mechanism: The mechanism is likely to be the only truly universal way to update all of the potentially vulnerable systems within a state’s critical infrastructure. However, the solution is, by definition, universal, so it would be nearly impossible to convince a vendor to selectively update specific systems against a particular vulnerability. In fact, this would likely lead to a very expensive lawsuit for the vendor if it knowingly left vulnerabilities in software that it sold to its customers, so there would be virtually no incentive for a vendor to do so.
  2. Secretly update all of the attackers’ own systems’ vulnerabilities: Since the attacker knows the vulnerability, developing a patch would likely be possible, if not straightforward, even if it required some reverse engineering of proprietary software. Assuming, for the moment, that this is possible, the question of how to distribute the patch to only a single organization in a confidential way is critical. If such a patch were to become known, any potential victims would likely immediately seek to determine how to protect their own systems. Even if they were not aware that a cyberweapon had been deployed on their system, the desire to patch their systems would be extremely high and, once accomplished, it would disable the attacker’s cyberweapon.

Finally, consider the challenge of dismantling a cyberweapon. Several issues must be considered:

Next Steps

To conclude, we turn to identifying what Canada’s next steps should be to fully explore and consider the many questions developed above and how to mitigate the risks and consequences of Canada’s cyber policy. Although there are likely many different directions open, the following seem to be the most important and self-evident initial steps.

  1. Canada must define the goals of a cyberattack strategy. Who are potential opponents that could be subject to an attack? What are acceptable reasons to use cyberweapons? How do we define successful attacks and distinguish them from failed attempts?
  2. Rules of engagement must be clearly defined. When should cyberweapons be allowed to be used? When should they be used: before, after or in conjunction with direct kinetic military actions? Should their use be reported upon openly and honestly to the Canadian public?
  3. Who has the authority to use cyberweapons either in peace or wartime? Who should be allowed to authorize their use? Once authorized, who should be allowed to deploy them and under what circumstances? Who has oversight after their use in terms of assessing their effectiveness, their appropriateness, and evaluating any unintended consequences or collateral damage?
  4. Rules of war need to be defined for cyberweapons. Canada must work with other nation states to formally codify the rules under which states can engage in cyberattack and cyberespionage. These might mirror existing kinetic-warfare rules, but they will require articulation through a technological lens. If we do not have clear rules about the use of these cyberweapons as a nation state, then we run the risk of stumbling into a kinetic war! Thus, a critical next step is undertaking the difficult task of coming to international agreements about the use of these weapons, their production, and their implications. 
  5. Partnership with cybersecurity stakeholders. The issues of cybersecurity are much broader than their application to cyber-military either for offensive or defensive purposes. The question of whether a partnership could be forged between the military and public/private cybersecurity organizations is a valid one to consider. If this kind of partnership is not viable, then how can the military meaningfully engage with non-military stakeholders to ensure the utility of any weaponry produced and the safety to Canada and its allies?

This article is an abridged version of a joint Policy Paper from The School of Public Policy and the Canadian Global Affairs Institute that was published as Cyberattack: What Goes Around, Comes Around on cgai.ca. It is reprinted here by permission. 
