Like the dawn of the aerospace domain a century ago, today cyber is posing unique challenges. Though the Canadian Forces has recognized it as a domain of operations, cyber is cluttered with nomenclature such as defence, security, computer operations and information operations that all imply different things, depending on your vantage point within the military or government.
Brigadier-General Steve Noonan is Director General of Information Management Operations, a unit within the Information Management Group tasked with furthering the CF’s understanding of both its exploitation capabilities and its defensive imperatives. He spoke with editors Robert Beaudoin and Chris Thatcher.
How does National Defence, particularly the Information Management Group, define cyber?
We believe that cyber represents a new domain within which operations will be conducted, both from a military and a civilian perspective. We haven’t developed or established domains in recent years, so we’re coming to grips with how to do that. Is cyber that unique? Do we integrate cyber operations within each of the already established domains of air, land and maritime warfare? Those are the types of questions that we are grappling with right now.
The genesis of the air domain was technology with a military application. And our understanding of how to use that technology, both defensively and offensively, has evolved over time. So where are we now when it comes to cyber? This emerging and evolving domain will take a number of years to truly understand how it is affecting us and how we can manage those effects upon us or leverage potential effects upon others. We’re at that stage of evolution.
We have, I believe, an emerging understanding of what cyber is within a government context. Public Safety Canada and others are trying to come to grips with this from an inter-departmental perspective and develop the security policy and framework within which the Government of Canada is going to operate. And that GOC initiative requires each of the departments to do that sober second thought: what does cyber mean for them? You can’t come to the table for a holistic talk about cyber unless you have a common language; that requires a discussion within your own department. We’re doing that now, understanding from a CF and DND perspective what cyber is all about. We don’t have a cyber policy yet, but we’re in the process of developing one.
This is policy development while you’re in the thick of a fight, is it not?
We’re in the fight now. We have a bottom-up driven capability that exists within the Canadian Forces Information Operations Group called the Network Operations Centre that monitors both classified and unclassified systems across the Department. It has some unique capabilities that will allow it to address any of the intrusions that could occur on a minute-to-minute basis. The actual capabilities are classified, but the fact that we have a defence capability is not. Is it nascent? Absolutely. This is a smart group of people, operating with key partners that include the Communications Security Establishment, CSIS, the RCMP, Foreign Affairs – all of us are trying to understand what needs to be brought to bear. So information sharing is huge because, as with NATO, an attack on one is an attack on all, and all tend to have common characteristics. We need to move from a need-to-know environment to a need-to-share environment.
How close are you to that or is it still developing?
Development phase for sure. What is really neat, though, and I have seen it over the last 10 to 15 years, is we are thinking that way. We’re not there yet. It takes time to change cultural mindsets and the way you do business, so we’re still evolutionary in our approach. But I think we’ve taken that revolutionary step of understanding how important it is to share information as opposed to compartmentalizing it.
Without focusing this in one central place, do you risk things falling through the cracks?
Yes, but that’s a risk that we take on a daily basis, depending on the structure. We expend a lot of effort on horizontal integration. The cyber security piece that Public Safety is leading is a horizontal effort across departments, and we have similar mechanisms inside the department to do that horizontal integration. But we need to leverage those mechanisms to do this in a more sustained and institutionalized fashion, which then allows us to grow the skill set and the technology enhancements in a robust and deliberate manner.
The structural piece will come in due course. We will either imbed a cyber savvy community into the current structure or we will establish a centralized point like the Americans, but we are not yet ready to make those types of decisions. Everything is relative and size does matter. The Americans are out in front because they have to be. The Brits are very close behind because they must be. We are very close behind them, but we are not at the same level as they are now.
So a centralized cyber command remains an option?
Form follows function. We haven’t had the full functional discussion yet. Everybody tends to go to the organizational charts right off the bat and say, this is what we need. And then we create something that isn’t exactly what we want. Given that this issue crosses all domains, it is not clear yet whether it needs its own command. With this particular domain, we’re already in the fight – we’re defining the domain from the inside out.
What are the internal challenges to understanding this space?
There is an intelligence nexus, an operations nexus and a technology nexus to cyber. All three need to work together to produce an effect within the domain. What does that mean from the perspective of an organizational structure? Assistant Deputy Minister Information Management (ADM IM) is the chief information officer and is responsible for IT security, providing the defences around the networks within which we operate. The Group provides the conditions upon which cyber operations can be conducted. But cyber operations are not an ADM IM-specific responsibility. Operations are a CF responsibility. So the other players include the Chief of Defence Intelligence, the Chief of Force Development, and the Strategic Joint Staff. All of these players have a huge interest within this domain. There are others who will enable the domain to be established. ADM Policy, for example, will assist in providing a coherent policy framework that agrees with the government’s policies, which defines our operational limitations.
The Pentagon has acknowledged being under almost constant attack; is it any different for the CF?
Yes and no. Quantity has a quality all of its own. We’re not as big as the States so we’re not as big a target. When you come to a cost-benefit analysis of conducting an attack on a particular network, are you going to get more out of an attack on the Americans or the Canadians? So we’re somewhat less, but we’re not a negligible concern.
Given that we are synchronized on so many levels and within so many systems, do cyber criminals view us as a backdoor to the United States?
Absolutely. One of our main efforts within a cyber security concept is to make sure that we’re pulling our weight and upholding our responsibilities in a multinational context. There are two characteristics of the cyber domain that I think are unique to other military capabilities. With an armoured fighting vehicle, we can make it unique: we can take advantage of available technologies and design it to specific Canadian requirements, taking into account that it would have to work within a multinational context. In the end, it’s our decision what the vehicle looks like. Cyber is unique in that it is global. It can be a truly multinational threat or advantage, depending on how you look at the domain. And because of its transnational nature, it is a truly an interagency piece, both nationally and internationally.
In that multinational context, do you need to rethink what you protect? The Navy, for example, shares unclassified information through Internet protocols.
Information is so readily available, you really have to put some thought into how much money do you want to spend on protecting information that you don’t really need to protect, information that has value for only a limited period of time.
One of the differences, though, between a military and a civilian capability is the concept of unlimited liability: we can order our people into dangerous places. Cyber isn’t the same. So what are the military characteristics of cyber? Does a soldier need to conduct cyber in a military context? Not necessarily. So what is the role of the military? What does a cyber warrior look like? Those are the types of questions we need to ask. He or she will have access to a huge amount of technology to bring to bear. Pulling the trigger on any kind of kinetic activity in the cyber domain will have different connotations.
Since most military communications goes through commercial telecom networks, how do you protect them? And how do you work with private industry to protect the security of military programs?
I don’t know the numbers but I would agree that an awful lot rides on the civilian backbone. Mechanisms already exist. We ask the defence industry to embed within their organizations the security aspects of their work. Our contractual agreements seek to ensure the integrity of the systems themselves, and then we build in redundant capabilities should one go down. It comes at a cost, but we do a risk analysis for each capability. Each time an operation like Op Podium in Vancouver is undertaken, we examine the multiplicity of systems that will allow us to exercise the required command and control.
Where is the focus of R&D in exploitation and protection? Are there specific challenges you are trying to address?
There are some classified activities ongoing within the R&D community. Suffice to say that where R&D can be very useful to us now is in the realm of technology – understanding what is out there. One of the best ways to become a good defender is to become a good attacker; then you have a better idea of what you are up against. We know that some organizations hire the people that have attacked them or are active in this domain. R&D will start to move in that direction. We need to have a robust red team capability. That’s a first step. But then you need to build that red team bigger so that you can actually use it from your side of the fence onto others. That will be a decision of policy and the legal framework yet to come down range.
Given the constant threat that you face, does cyber defence receive the recognition and necessary investment within DND that it requires?
There’s a balance right now between leadership intent, willingness and capability. We are experiencing the highest operational tempo we’ve had – the Olympics, Afghanistan, support to the G20 and G8, and then out of the blue, Haiti. We’re stretched. Our senior leadership has its head in the trenches right now, making sure that we’re all doing the best job we can. What’s important now? We have to win the battle we’re in now, and at the same time set conditions for future battles. But unless you win now, there is no future.
An interview with BGen Steven Noonan