Canada and cyber war
Should Canada have an offensive cyber war capability? Comments by former National Security Advisor Richard Fadden, who retired at the end of March, suggest that Canadians need to debate this question.
Fadden raised the issue in a recent wide-ranging interview with Tom Clark of Global News. (You can watch the interview here.)
The discussion unfortunately conflated the concepts of cyber attack (also known as Computer Network Attack) and cyber spying (Computer Network Exploitation). Chinese cyber espionage operations against Canadian targets were described as "cyber attacks", for example, as if the operations were attempting to destroy or damage Canadian data or systems, or even the physical infrastructure they control, rather than simply trying to steal information.
This blog does not endorse pedantry for the sake of pedantry, but in this case a little terminological clarity would be helpful.
Computer Network Operations are commonly divided into three kinds of activity: Computer Network Attack (CNA), Computer Network Defence (CND), and Computer Network Exploitation (CNE). Stealing information falls into the category of Computer Network Exploitation.
As the diagram above shows, there are important overlaps between these three activities. CNE can be used to find vulnerabilities in an adversary's systems and prepare the ground for CNA. CNA can contribute to the effectiveness of CND. CND can collect information about adversary capabilities that can be used to support CNE operations.
All three activities draw on the same kinds of capabilities and can be used to support the others.
But there is still a crucial distinction to be drawn between cyber espionage and cyber war. One is spying, and Canada—through CSE—is already deeply engaged in it. The other seeks to damage or destroy data or information systems or even, potentially, to destroy physical objects and kill people. Cyber warfare can range from simple disruption, interfering with the communications of a terrorist organization for example, to total war.
Should Canada develop a cyber war capability?
“It may well be that in some circumstances it’s something that we’d want to do,” Fadden suggests in the interview.
But he also says it would be "expensive and dangerous", and he argues for greater emphasis on CND: "Personally I think we should be better at defensive. Really develop our capacity to resist these attacks and to make sure that people understand the level of threat that we’re under."
So, put him down—tentatively at least—as a cyber war skeptic.
It all sounds very hypothetical.
But I suspect Fadden chose to raise the issue because Canada is moving rapidly towards creating a CNA capability, and it is doing so largely in the dark, with very little public awareness or debate.
NITRO ZEUS: CNA against Iran
Recent revelations about U.S. and Israeli contingency plans for a major cyber war campaign against Iran highlight the extent to which CNA capabilities are moving from the theoretical to the real.
The Stuxnet worm, which the U.S. and Israel used to damage and delay Iran's uranium enrichment program, is the best-known example of a state-sponsored CNA operation.
But Stuxnet was only the tip of the iceberg. According to the New York Times (David E. Sanger & Mark Mazzetti, "U.S. Had Cyberattack Plan if Iran Nuclear Dispute Led to Conflict," New York Times, 16 February 2016), preparations were made for a much wider range of attacks against Iran's "air defenses, communications systems and crucial parts of its power grid" in the event that the dispute over Iran's nuclear program escalated into open use of force.
Preparations for the campaign, codenamed NITRO ZEUS, began in early 2009, and ultimately involved "thousands of American military and intelligence personnel, spending tens of millions of dollars and placing electronic implants in Iranian computer networks to “prepare the battlefield,” in the parlance of the Pentagon."
The operation was envisaged as an adjunct, or possibly an alternative, to a traditional military campaign against Iran. Bringing Israel on board was seen in part as a means of restraining the Netanyahu government from launching a unilateral attack that might prematurely foreclose options for resolving the dispute diplomatically. (More about NITRO ZEUS here.)
Unlike traditional military contingency plans, which normally don't involve actual operations within the target country prior to a decision to go to war, preparations for cyber operations require prior entry into the systems that ultimately would be attacked in order to choose targets, ensure access at the moment of attack, and maximize the effects of the operation. Thus, although the cyber warfare plan was never executed, preparations within the Iranian cyber infrastructure undoubtedly took place.
Similar contingency plans are probably also in place for other potential adversaries such as China and Russia.
As a close NSA ally and a significant CNE player in its own right—one that we know had active operations in Iran at the time NITRO ZEUS preparations were apparently underway—CSE could not fail to be aware at some level of the presence of the U.S.-Israeli operation, although almost certainly not of its details. If nothing else, NSA would have wanted to ensure that CSE's CNE operations did not interfere with or accidentally expose the NITRO ZEUS preparations.
But there is no evidence of any direct Canadian involvement in the NITRO ZEUS preparations, and there's little reason to expect there would have been any Canadian involvement.
CSE and CNA
This 2013 NSA document describing the state of NSA-CSE cooperation confirms that the two agencies work together on CNE operations in the Middle East, among other regions, but it contains no suggestion that they collaborate on CNA operations.
There are many reasons why the U.S. might want to minimize the number of additional players whose participation would complicate as sensitive and tightly-held a CNA operation as NITRO ZEUS.
But the most important roadblock to such collaboration, at least as far as CSE is concerned, is that CSE has had little or no mandate to conduct CNA activities (although it has shown interest in such capabilities; see p. 22 here).
[Update 19 April 2016: An even better example can be found on p. 23 of this presentation, where CSE says "We will seek the authority to conduct a wide spectrum of Effects operations in support of our mandates."]
The 2015 passage of Bill C-51 has probably opened the way for CSE participation in small-scale CNA activities such as efforts to disrupt the operations of terrorist organizations. Since such activities can now be conducted by CSIS under the "disruption" powers granted to the agency in Bill C-51, CSE's Mandate C, which authorizes it to assist CSIS operations, should provide a legal basis for CSE participation in limited CNA activities under CSIS auspices.
Those powers are unlikely to extend to outright cyber warfare, however. Large-scale activities against the armed forces or domestic infrastructure of an adversary state on the scale of the NITRO ZEUS plan would probably require a different set of authorities.
The Canadian Forces and cyber war
Although CSE's CNE operators might be called upon to provide advice and assistance, large-scale offensive cyber operations would probably be executed by the Canadian Forces acting under the laws of war.
In the United States, a similar division of roles has already been formalized, with the Pentagon's Cyber Command, created in 2010, now responsible for CNA. Although run by the same officer who serves as Director of the NSA and able to draw upon NSA knowledge and resources, Cyber Command is a military organization under military command.
Canada does not yet have a direct equivalent to Cyber Command, but the development of CNA authorities and capabilities has been under discussion within the Canadian Forces for a long time.
A draft strategy paper called on the Canadian Forces to develop the ability to conduct offensive computer operations as long ago as July 2000 (Jim Bronskill, “Cyber-attack capability in military’s plans?” Edmonton Journal, 11 March 2001). [Update 19 April 2016: I am reminded by a reader that early discussions of these issues can be found in documents dating to the mid-1990s.]
But few if any steps were taken in the direction of creating an actual CNA capability for many years. A December 2009 report by DND's Centre for Operational Research and Analysis (CF Cyber Operations in the Future Cyber Environment Concept) confirmed that the CF's network operations were still "not established to conduct offensive network operations".
There is reason to believe, however, that this situation has begun to change.
In April 2011, DND created the position of Director General Cyber to help "develop the military’s future cyber capabilities", potentially including offensive capabilities (Chris Thatcher, "Operationalizing the cyber domain," Vanguard, 26 June 2013).
The current DG Cyber (or DG Cyber Warfare, or DG Cyberspace) is Brigadier General Frances J. Allen, a former Commander of the Canadian Forces Information Operations Group (CFIOG) and an early advocate of CNA capabilities for the CF. (Allen wrote a paper recommending the development of CNA capabilities in 2002 when she was still a lieutenant-colonel. [Update 22 April 2016: I mistakenly said major originally.])
More recently, in September 2015, Defence Minister Jason Kenney implied that such a capability either already exists or soon would, saying, "I think you can reasonably assume that when the military develops a command, it has to have the capability to be both offensive and defensive. Potentially hostile countries need to know that, if they are going to launch cyber attacks against our critical systems, Canada and its allies have the capacity to retaliate." (Justin Ling, "Canada’s Defense Minister Talks Fighting the Islamic State, Arming the Kurds, and Cyber Warfare," Vice News, 28 September 2015)
DG Cyber is not a command as such, but Kenney's comments do suggest that Canada may be close to fielding operational CNA capabilities.
The appointment in early 2015 of a Canadian Forces liaison officer to the U.S. Cyber Command also suggests the potential existence of Canadian CNA capabilities.
The discussion document prepared by the government for the current defence policy review (Defence Policy Review: Public Consultation Document 2016) is uninformative about the state of Canada's current cyber warfare capabilities, but it does at least admit that the question is one that needs to be addressed:
Cyber capabilities can be used to disrupt threats at their source, and can offer alternative options that can be utilized with less risk to personnel and that are potentially reversible and less destructive than traditional uses of force to achieve military objectives. Some of our key allies, such as the US and the UK, have stated that they are developing cyber capabilities to potentially conduct both defensive and offensive military activities in cyberspace. We must consider how to best position the Canadian military to operate effectively in this domain.
CNA versus ISIS
CSE and/or the Canadian Forces may already be operating offensively in the cyber domain in a limited way, conducting CNA operations against the Islamic State.
Fadden floated this possibility in a hypothetical way in his interview with Global:
If we have Canadian troops somewhere around the world, Iraq as an example, and they can use somewhat offensive cyber initiatives in order to reduce the threat that they and allies are facing, I would say that’s not an unreasonable thing for the public service to pull together and ask the government if they want to do.My own suspicion (see Murray Brewster, "Canada's electronic spy service to take more prominent role in ISIS fight," Canadian Press, 18 February 2016) is that this possibility is considerably less hypothetical than Fadden's comments suggested. The only thing that has been confirmed to date, however, is that CSE is playing a force protection role in Operation Impact.
The U.S. recently acknowledged that its own forces have begun using cyber warfare capabilities against ISIS (Phil Stewart & David Alexander, "U.S. waging cyber war on Islamic State, commandos active," Reuters, 29 February 2016), and, unlike the NITRO ZEUS plan, it seems likely that a Canadian contribution to CNA operations against ISIS would be welcomed by the U.S.
The bigger picture
The development and spread of cyber warfare capabilities poses significant new security problems for Canada and other countries.
In principle, CNA operations can be very precise and limited, but they may also have the potential to produce indiscriminate nationwide or even global effects, destroying or disabling vital infrastructure, paralyzing government operations and economic activity, and causing significant civilian casualties.
The potentially game-changing nature of cyber warfare capabilities has been compared to that of nuclear weapons.
There are of course many important differences between cyber weapons and nuclear weapons. Nuclear weapons pose a true existential threat to human civilization. Cyber weapons might cause catastrophic damage in a worst-case scenario, but they are more likely to be used like conventional weapons to produce much more limited and localized (although not necessarily entirely predictable) effects.
Still, a world with widespread cyber weaponry could prove highly unstable. Cyber weapons pose a significant attribution problem (how do you know who's actually attacking you?), and the barriers to the acquisition of cyber weapons are low, meaning a wide range of states, groups, and even individuals may be able to develop significant cyber capabilities. In addition, the effectiveness of cyber capabilities may depend on maintaining access to and even deliberately introducing vulnerabilities into potential target systems during peacetime, which could end up increasing the likelihood of hostilities. Finally, the huge range of possible damage levels in cyber warfare and the overlap between CNA and CNE activities mean there is no clear threshold between cyber peace and cyber war, and thus the possibility of blundering into an unintended conflict is potentially very high. With no clear agreement on cyber rules of the road, there are many ways even a CNA strategy focused on deterrence could fail catastrophically.
It is not necessary to frame the risks posed by cyber warfare in apocalyptic terms to nonetheless recognize that, as Fadden suggested, CNA activities could be both expensive and dangerous. A focus on defence and resilience may well be the best path to take.
At the very least, Canadians should have an open debate on the pros and cons of taking the cyber war path before the government launches us down that road.