Friday, June 30, 2017

Charter Statement mischaracterizes CSE incidental collection

I'm working on a blog post about the oversight and review provisions proposed in Bill C-59, but I just want to make a quick point about this sentence in the Department of Justice's Charter Statement concerning the bill:
Although CSE is prohibited by subsection 23(1) from directing its activities at Canadians or persons in Canada, the practical realities of acquiring information from the [Global Information Infrastructure] means that despite best efforts to avoid it, CSE may incidentally obtain private communications and other private information of Canadians and persons in Canada.
The clear implication of this statement is that CSE uses its "best efforts" to avoid the incidental collection of private communications (i.e., communications that either begin or end in Canada).

This is simply untrue.

CSE is not permitted to target Canadians or persons in Canada*, but it is permitted when operating under its normal foreign intelligence authorizations to collect the communications of such persons incidentally (i.e., when they communicate with a CSE foreign target that is itself located outside of Canada). It collects such communications with deliberate intent, and the measures proposed in Bill C-59 would not change that fact.

(*For the purposes of this discussion, I'm ignoring those cases where CSE collects private communications on behalf of some other federal agency that has already obtained a judicial warrant for that purpose.)

This shouldn't be terribly surprising. If a foreign terrorist located in Afghanistan telephones someone in Canada and CSE happens to be monitoring that terrorist, the Canadian government—and the Canadian public—is going to want the agency to find out which person in Canada took the call and what it was they talked about.

There are differing views as to whether a judge ought to be involved somewhere in that process (the current proposal would introduce a quasi-judicial process), but that's a separate issue.

Prior to the passage of the Anti-Terrorism Act (Bill C-36) in 2001, it wasn't legal for CSE to collect private communications, incidentally or otherwise. Back then the agency really did have to make its best efforts to avoid incidental collection.

In some cases that was very difficult. But in other cases it was more straightforward. CSE could set its collection systems to ignore calls to or from a phone number in Canada, for example, regardless of who the call might connect to outside of Canada.

After 9/11, the prohibition on incidental collection by CSE was no longer considered acceptable. As Defence Minister Art Eggleton testified,
Under the Criminal Code CSE cannot collect communications that include any communications that originate in or terminate in Canada. This seriously limits CSE's ability to provide intelligence on issues that are critical to Canada's national security.

Let me illustrate what I mean. CSE focuses its collection only on foreign entities located outside Canada. This is about the third time I've said that, but I want to emphasize it. If such a target communicates with someone who is located in Canada, CSE cannot intercept the communication, as things presently stand, which means CSE stands to lose the communications of its targets at exactly the moment when they might have the most direct impact on Canada's interests, when they are communicating with someone in Canada. This constraint creates a serious gap in Canada's intelligence capabilities, which in turn affects our ability to collaborate effectively with our allies on intelligence issues. ...

What will the impact of the proposed amendments be on the National Defence Act? Under CSE's present legal framework, if a terrorist in Afghanistan is communicating with an individual in Toronto, CSE is not allowed to acquire that communication. With this amendment, important information that is now lost will become available to Canada and available to our allies in the fight against terrorism. When CSE has identified the communications of a foreign target abroad, it'll be able to follow those communications wherever they go.
And that's just what the agency now does. The "defeats" that sought to prevent the incidental collection of communications with one end in Canada are no longer in place.

There are undoubtedly efforts to avoid the inadvertent collection of private communications that are unrelated to CSE's foreign targets. And there are probably also efforts to minimize the collection of traffic that may be related to legitimate foreign targets but is considered for one reason or another to be unlikely to produce anything of foreign intelligence value, especially if that traffic might also involve Canadians or other persons in Canada at the other end.

But there are no "best efforts"—there is no effort at all—to avoid all incidental collection.

The Department of Justice is either mistaken or dishonest to suggest that "best efforts" are being used to avoid incidental collection.

I'm not sure which is worse.

Saturday, June 24, 2017

CSE to get foreign cyber operations mandate

Among the changes that the Liberal government is proposing to make via its Bill C-59, announced on June 20th, are several important measures affecting CSE, including an entirely new statutory basis for the agency, the Communications Security Establishment Act, that will replace the current CSE-related provisions of the National Defence Act. The bill also proposes to eliminate CSE's existing watchdog agency, the Office of the CSE Commissioner (OCSEC), and replace it with two newly created entities, the National Security and Intelligence Review Agency (NSIRA) and the Office of the Intelligence Commissioner, which will also be keeping tabs on CSIS and (in the case of NSIRA) a number of other agencies. (See my comments on that aspect of the bill here.)

Together, the proposals affecting CSE comprise a wide-ranging and highly consequential set of measures, but probably the most significant item is the plan to give the agency the power to conduct both defensive and "active" (i.e., offensive) cyber operations against foreign targets.

The addition of this foreign cyber operations mandate would represent the most fundamental change in CSE's role in the agency's 70-year history.

When CSE, originally called CBNRC, was created in September 1946, it had two major complementary functions: analysis of foreign communications intercepted by Canada and its allies (communications intelligence, COMINT, which was later broadened into signals intelligence, SIGINT); and protection of Canadian government classified communications (communications security, COMSEC, which was later broadened into information technology security, ITSEC).

Canada and its allies occasionally engaged in black-bag jobs to steal codebooks, tap cables, or plant bugs for intelligence collection, but CSE did not undertake such operations itself. For most of the agency's history, CSE's SIGINT role was entirely passive: it processed and analyzed the radio communications that could be monitored at Canadian and allied intercept sites.

The first big change in that role happened in the wake of the 9/11 attacks, although it had more to do with the advent of the Internet beginning in the 1990s. Passage of the Anti-Terrorism Act gave CSE the authority to conduct the cyberspace version of the black-bag job—Computer Network Exploitation (CNE)—in support of its SIGINT mandate. CSE was empowered not just to intercept communications ("data in motion"), as it had done in traditional SIGINT activities, but to seek out information residing on foreign computer systems ("data at rest") that CSE could gain surreptitious access to. It became a hunter as well as a gatherer.

But while CNE operations entail breaking into computer systems and networks, disabling security features, implanting specialized malware, and of course copying information, all of these activities are undertaken in the name of SIGINT collection. Any damage inflicted is purely incidental—an undesirable side-effect that might lead to exposure and early termination of the operation.

The proposed CSE Act would enable CSE to conduct deliberate Computer Network Attack (CNA) operations, both to defend Canadian IT systems against foreign CNE and CNA operations and to attack foreign IT systems in furtherance of Canadian foreign policy, defence, or security goals. The bill refers to these two types of CNA operation as "defensive cyber operations" and "active cyber operations" respectively. (For more on the relationships between CNE, CNA, and CND—Computer Network Defence—operations, see this discussion.)

With this change, CSE would no longer be simply an intelligence (and ITSEC) agency: it would also be a covert operations agency, able to intervene outside Canada's borders to disrupt, damage, or destroy the computers, IT networks, or electronic information of foreign individuals, groups, or states.

The bill does propose some limits on the way these powers could be used. Cyber operations must be requested or consented to by the Minister of Foreign Affairs and authorized by the Minister of National Defence. In addition, such operations must not "cause, intentionally or by criminal negligence, death or bodily harm to an individual" or "wilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy." These are significant limitations.

More destructive cyber operations are still possible outside the context of the CSE Act, but the government has assigned that job to the Canadian Forces.

Even in that respect, however, CSE might still play a critical role. Under the new CSE Act, CSE would be explicitly permitted to provide operational and technical assistance to the Department of National Defence and the Canadian Forces (as it already does for federal law enforcement and security agencies), and cyber assistance provided under this mandate would not be subject to the limitations applied to CSE's own cyber operations.

Whatever the effect of these limitations in practice, to my mind addition of a cyber operations mandate is a huge change in the nature of the agency, and it raises a number of issues.

Most fundamentally, is it in Canada's interest to further normalize the growing use of CNA activities by states? Should CNA be classified as just another tool of statecraft? Should such capabilities be restricted to a deterrent role? Is cyber deterrence, whether through CNA capabilities or more conventional responses, even a practical goal, given difficulties of attribution and the inevitable overlap between CNE and CNA? Would improved defence and resilience be a preferable, or at least sufficient, response or are all three required?

The recent defence policy statement asserts that "a purely defensive cyber posture is no longer sufficient" (resilience doesn't get mentioned in the cyber context). But not everyone is convinced by that claim. As with most issues, Canada's choices are likely to have a marginal influence at best on the future of cyberspace, but that alone is not sufficient reason to abandon self-restraint or efforts to create global rules of the road and preserve the global commons if we believe that Canada's (and the globe's) ultimate interests would best be served by moving in that direction.

Second, even if Canada does choose to arm itself with, and to use, such capabilities, is CSE the right place to lodge them? There is certainly a case to be made for giving the role to CSE. The knowledge and skills required for CNA activities inevitably overlap with those required for CNE (and for CND), and CSE is Canada's centre of expertise in those activities.

But just as there are different imperatives between intelligence-gathering and law enforcement—the reason CSIS was separated from the RCMP in 1984—there are different imperatives between intelligence-gathering and covert operations. One side seeks to preserve its accesses so it can maintain or even improve its intelligence collection; the other seeks to exploit them for operational purposes, even though such operations may burn the accesses in the process. (A similar conflict already exists between the ITSEC side of the organization, which seeks to shut down IT vulnerabilities to protect against intrusions, and the SIGINT side, which may want vulnerabilities it is currently exploiting to remain unrevealed.)

Furthermore, while the job of the intelligence-gatherers is to report the unvarnished truth, uncontaminated as much as possible by policy considerations, the covert operations side of the agency would inevitably become involved in the development and advocacy of operational plans, and in defending the agency's performance in those operations, giving CSE an undesirable stake in its own intelligence reporting.

Can a single agency effectively do two (really three) tasks that are in many ways complementary but also in important ways contradictory while still giving proper attention and weight to each?

I don't think it's impossible to reconcile these imperatives, but I do think it requires delicate balancing and constant vigilance. This is an area to which the proposed review agency and committee of parliamentarians may want to pay on-going attention.

It's also an area where there is probably a role for the central agencies of the government.

I had a chance to ask about cyber operations decision-making during a stakeholders' teleconference about Bill C-59 that CSE invited me to join.

As noted above, the proposed law would require that such operations be requested or consented to by the Minister of Foreign Affairs and authorized by the Minister of National Defence. This arrangement foresees the possibility that the Foreign Affairs Minister might sometimes make a request for a cyber operation in service of Canadian foreign policy interests. But the ministers themselves are not normally going to be sitting around thinking up plans for CSE cyber operations, nor will they be equipped to assess what might be feasible or balance all the considerations that might arise. So who will be doing the proposing, and who will make sure the resulting plans are reconciled with the broader goals and operations of the Canadian government?

The officials who took part in the teleconference acknowledged that CSE would probably often be the agency proposing such operations, but they agreed that there would still need to be some sort of inter-departmental process to ensure that wider factors are considered, including deconfliction with cyber operations that the Canadian Forces might be undertaking (and deconfliction with allied agencies), but also more general considerations. They added, however, that the bill had not yet been passed and might be amended before passage, and that some of these structural questions had not yet been resolved.

For most of its history, CSE laboured under the watchful eye (or heavy thumb, as they may have considered it) of various inter-departmental committees—originally the Communications Research Committee and later the Intelligence Advisory Committee and Security Advisory Committee of the Privy Council Office (PCO). The final form of this system saw the National Security Advisor serving as the deputy minister for CSE for policy purposes. But all of that ended when CSE became a stand-alone agency, with the Chief of CSE serving as the agency's own deputy head, in November 2011. There is no longer any line role for the PCO between CSE and its minister.

But the PCO continues to play a role in coordinating the various elements of the Canadian intelligence community, and in integrating intelligence and defence, security, and foreign policy concerns. And, in my view, it will need to play a very active role in overseeing the planning and conduct of any cyber operations undertaken by CSE and/or the Canadian Forces to ensure that all national policy considerations are taken into account. The PCO is also the place to ensure that the proper balance among CSE's cyber, SIGINT, and ITSEC priorities is maintained.

I also asked the officials what the addition of a cyber operations mandate for CSE might mean for the agency's own structure and resources. Will there be a separate Deputy Chief for Cyber Operations, just as there are Deputy Chiefs for SIGINT and ITSEC? Will CSE be looking to expand its workforce to support the conduct of cyber operations?

According to the officials, those decisions have not yet been made, and the agency did not want to pre-judge the outcome of the legislative process. Still, I'm sure they have some ideas for how it might all work out.

They did say that CSE was likely to enter the cyber operations business only gradually, taking "one step at a time," and adding that "you have to walk before you can run." This would seem to suggest little immediate need for growth on the part of the agency, although the implied eventual goal of "running" opens the door to larger needs over the longer term.

I guess we'll see.

In the meantime, I think it is going to be very interesting watching this soon-to-be three-legged agency relearn how to walk.

I'll look at other parts of the bill that affect CSE, notably the new oversight and review provisions, in a future post.

Wednesday, June 21, 2017

Liberals propose huge changes for CSE

The government's Bill C-59, announced on 20 June 2017, proposes huge changes for Canada's security and intelligence community, including important additions to CSE's mandate and the elimination of its current review agency, the Office of the CSE Commissioner (OCSEC).

The proposal to add explicit defensive and "active" cyber operations mandates to CSE's roles may represent the most fundamental change in the agency's history. The proposed elimination of OCSEC and creation of both the National Security and Intelligence Review Agency and the position of Intelligence Commissioner are also major changes.

I'll be writing more on these and other proposals in the bill, but it will probably take me a few days to get the post together.

So in the meantime, here's CSE's description of the changes.

It's also worth checking out some of the news reporting and commentary on the proposals:

Alex Boutilier, "Spy bill allows government security agency to collect ‘publicly available’ info on Canadians," Toronto Star, 21 June 2017

Justin Ling, "Canada’s cyber spy agency is about to get a major upgrade," Vice News, 21 June 2017

Michael Geist, "Five Eyes Wide Open: How Bill C-59 Mixes Oversight with Expansive Cyber-Security Powers,", 21 June 2017

Alex Boutilier, "Canada’s spies to get green light to launch cyber attacks," Toronto Star, 20 June 2017

Matt Braga, "How, when, and where can Canada's digital spies hack? Government makes some suggestions in CSE Act," CBC News, 20 June 2017

Jim Bronskill, "Security bill limits CSIS disruption powers, boosts review of spy services," Canadian Press, 20 June 2017

Craig Forcese & Kent Roach, "The roses and the thorns of Canada’s new national security bill," Maclean's, 20 June 2017

Wesley Wark, "Liberals’ bold Bill C-59 would redraw the national security landscape," Globe and Mail, 20 June 2017

Update 23 June 2017: A few more items:

Craig Forcese & Kent Roach, "Two of Canada’s foremost experts in national security law give their assessment of Bill C-59: there’s much to like, but also room for improvement," Policy Options, 22 June 2017

Lee Berthiaume, "New national security approach lets electronic spy agency play cyber-offence," Canadian Press, 20 June 2017

Amanda Connolly, "CSE getting 'proactive' mandate overhaul in major national security reform bill," iPolitics, 20 June 2017

Carl Meyer, "Goodale asks Parliament to expand electronic spying powers," National Observer, 20 June 2017

Monday, June 19, 2017

CSE releases report on electoral threats

On June 16th, CSE released Cyber Threats to Canada's Democratic Process, a public report assessing the various ways cyber activities might threaten Canada's electoral system.

CSE has made basic cybersecurity advice publicly available on its website for many years, but this report—which was requested by the Prime Minister in the mandate letter he issued to Minister of Democratic Institutions Karina Gould in February 2017—was the first of its kind by CSE.

The 38-page report discusses three ways in which cyber activities might be used to affect the electoral process: impeding or corrupting the voting process itself; stealing and exploiting information about politicians and political parties; and covertly influencing the public's political views by manipulating traditional and social media.

The document restricts itself to a general overview of the ways in which these threats might manifest themselves in Canada's federal, provincial, and municipal politics, and concludes (among other points) that:
  • Cyber threat activity against the democratic process is increasing around the world, and Canada is not immune. In 2015, during the federal election, Canada’s democratic process was targeted by low-sophistication cyber threat activity. It is highly probable that the perpetrators were hacktivists and cybercriminals, and the details of the most impactful incidents were reported on by several Canadian media organizations.
  • A small number of nation-states have undertaken the majority of the cyber activity against democratic processes worldwide, and we judge that, almost certainly, they are the most capable adversaries.
  • However, to date, we have not observed nation-states using cyber capabilities with the purpose of influencing the democratic process in Canada during an election. We assess that whether this remains the case in 2019 will depend on how Canada’s nation-state adversaries perceive Canada’s foreign and domestic policies, and on the spectrum of policies espoused by Canadian federal candidates in 2019.
  • We expect that multiple hacktivist groups will very likely deploy cyber capabilities in an attempt to influence the democratic process during the 2019 federal election. We anticipate that much of this activity will be low-sophistication, though we expect that some influence activities will be well-planned and target more than one aspect of the democratic process.
  • Regarding Canada’s democratic process at the federal level, we assess that, almost certainly, political parties and politicians, and the media are more vulnerable to cyber threats and related influence operations than the election activities themselves. This is because federal elections are largely paper-based and Elections Canada has a number of legal, procedural, and information technology measures in place.
  • We assess that the threat to Canada’s democratic process at the sub-national level (i.e. provincial/territorial and municipal) is very likely to remain at its current low level. However, some of Canada’s sub-national political parties and politicians, electoral activities, and media are likely to come under increasing threat from nation-states and hacktivists.
All of this is pretty common sense for anyone who's been paying attention to the world for the past couple of years—although it's certainly noteworthy that, to date, CSE has not observed "nation-states" using cyber capabilities to try to influence Canadian elections.

The document's ultimate value is likely to depend on whether it succeeds in kick-starting action on the part of Canadian political parties and others to actually reduce Canada's future vulnerability to such threats.

This document explicitly is not an action plan to accomplish that goal.

However, the Minister's mandate letter did direct her also to "ask CSE to offer advice to Canada’s political parties and Elections Canada on best practices when it comes to cyber security," and CSE does plan to do that. (In fact, Elections Canada is already a recipient of CSE's cyber defence advice and services.) The agency will discuss the findings of the report with all federal political parties that wish to participate at a meeting to be held next Tuesday, June the 20th.

According to a background briefing that CSE kindly invited me to take part in (along with a number of other researchers), the agency will explore with the parties whether it would be useful to provide further, more detailed advice or training to some or all of them. One possibility would be to provide training to IT staffers at CSE's Information Technology Security Learning Centre. Perhaps more likely, however, would simply be provision of advice on the kinds of services parties should contract for in the private sector.

CSE will not be providing actual cyber defence services to the political parties, however.

The government considers Canada's democratic institutions to be "of importance to the Government of Canada", which gives CSE a legal mandate to provide IT security advice and guidance to those parties under s.273.64(1)(b) of the National Defence Act (i.e., CSE's Mandate B). But provision of actual protective services is restricted to the IT systems and networks of the government of Canada itself.

Nonetheless, a CSE official did confirm that warnings would be provided if, for example, the SIGINT side of the agency detected a foreign actor stealing data from a political party's computer system. Notification would come through the Public Safety Department's Canadian Cyber Incident Response Centre (CCIRC), which is responsible for assistance to critical infrastructure operators outside the federal government. Such notifications are routinely provided to CCIRC partners in such cases, according to the official.

[Update 20 June 2017: Under Bill C-59, which was announced and given first reading today, the government proposes to give CSE the power to also provide cybersecurity services to protect non-federal information infrastructures designated "of importance" to the government of Canada. Thus, the agency might in the future be able to provide such a service to political parties, if they request it.]

I also asked why CSE was the agency given the job of making the threat assessment in the first place. As the report itself acknowledges, the cyber threat to electoral systems is just one aspect, albeit a very important one, of a broader set of activities that could be used to undermine or improperly influence an election, including traditional espionage, propaganda, disinformation, covert funding, and blackmail or other coercion. Furthermore, as the report also acknowledges, the perpetrators of such actions can be purely domestic Canadian actors—the activities of which CSE should have very little insight into—as well as foreign actors.

Thus, it seems to me that, in both respects, the Canadian Security Intelligence Service would have been a more appropriate agency to make such an assessment, although it would certainly have needed to draw on CSE's cyber expertise when considering those aspects of the issue.

The response, which I didn't find entirely satisfying, was simply that CSE is the agency with the greatest expertise on cyber threat questions. Well, yes, indisputably, but that doesn't answer the points outlined in the paragraph above.

Ultimately, of course, the reason CSE produced the report is that the Prime Minister and the Minister of Democratic Institutions asked it to.

Unsurprisingly, Australia is also concerned about the possibility of interference in its electoral system, and its political parties are also receiving advice from that country's SIGINT/IT Security agency. However, as indicated in this report (Ronald Mizen, "Political parties vulnerable to state sponsored cyber attacks," Financial Review, 16 June 2017), the Australians may also consider providing funding to political parties to help them secure their systems.

Might Canada also consider putting money on the table? An interesting thought.

News coverage of the CSE report:

Lee Berthiaume, "Canada's spy agency expects cyberattacks during 2019 federal election," Canadian Press, 16 June 2017

Alex Boutilier, "Canada’s political parties, media vulnerable to foreign hacks, spy agency says," Toronto Star, 16 June 2017

Daniel Leblanc, "Spy agency to school political parties on cyberthreats," Globe and Mail, 16 June 2017

Justin Ling, "“Low sophistication” actors took aim at the last Canadian election," Vice News, 16 June 2017

Alex Boutilier, "Despite risk of cyber attacks, political parties still handle Canadians’ data with no rules in place," Toronto Star, 19 June 2017

Sunday, June 11, 2017

Canadian Forces to get offensive cyber capability — but questions remain

The Liberal government's defence policy statement, Strong, Secure, Engaged, released on June 7th, confirms that the Canadian Forces will acquire an offensive cyber capability:
We will assume a more assertive posture in the cyber domain by hardening our defences, and by conducting active cyber operations against potential adversaries in the context of government-authorized military missions. Cyber operations will be subject to all applicable domestic law, international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments. (p. 15)
A slightly more expansive description is provided on p. 72 of the document:
Defence can be affected by cyber threats at home and abroad — from attempts to steal sensitive information from our internal networks, to cyber attacks on the Canadian Armed Forces on deployed operations, to the use of cyberspace by terrorist organizations to spread disinformation, recruit fighters and finance their operations. Indeed, there has been a steady increase in the number of state and non-state actors developing the capability to conduct disruptive cyber operations.

The Defence team works closely with the Communications Security Establishment, Public Safety Canada, Global Affairs Canada and Shared Services Canada on cyber issues. To date, this work has focused on strengthening the defence of important military systems, network monitoring and control, building the future cyber force, and integrating defensive cyber operations into broader military operations.

However, a purely defensive cyber posture is no longer sufficient. Accordingly, we will develop the capability to conduct active cyber operations focused on external threats to Canada in the context of government-authorized military missions. The employment of this capability will be approved by the Government on a mission-by-mission basis consistent with the employment of other military assets, and will be subject to the same rigour as other military uses of force. Cyber operations will be subject to all applicable domestic and international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments.
Although few actual details are provided about either cyber operations or planned signals intelligence capabilities in general, the statement does report that:
  • The Canadian Forces will "Acquire joint signals intelligence capabilities that improve the military’s ability to collect and exploit electronic signals intelligence on expeditionary operations" and will "Improve cryptographic capabilities, information operations capabilities, and cyber capabilities to include: cyber security and situational awareness projects, cyber threat identification and response, and the development of military-specific information operations and offensive cyber operations capabilities able to target, exploit, influence, and attack in support of military operations." (p. 41)
  • "The Defence team will increase its intelligence capacity, and will examine its capabilities to understand and operate in the information environment, in support of the conduct of information and influence operations." (p. 66)
  • "[W]e will acquire an airborne intelligence surveillance and reconnaissance platform that will enhance the ability of our Special Operations Forces to improve their understanding of the operational environment." (p. 103)
  • "The Government will provide $4.6 billion for joint capability projects in domains such as cyber, intelligence as well as joint command and control over the next 20 years. This includes... $1.2 billion over the next 20 years for five new equipment projects and one information technology project. For example, the Combined Joint Intelligence Modernization project will provide a modern deployable intelligence centre for land-based operations, building on the lessons learned in recent operations." (p. 103)
  • "To better leverage cyber capabilities in support of military operations, the Defence team will: 87. Protect critical military networks and equipment from cyber attack by establishing a new Cyber Mission Assurance Program that will incorporate cyber security requirements into the procurement process. 88. Develop active cyber capabilities and employ them against potential adversaries in support of government-authorized military missions. 89. Grow and enhance the cyber force by creating a new Canadian Armed Forces Cyber Operator occupation to attract Canada’s best and brightest talent and significantly increasing the number of military personnel dedicated to cyber functions. [Question: Will this new occupation supplement the existing Communicator Research occupation or absorb and replace it? [Update 8 November 2017: Supplement it. The Cyber Operator trade, which received its first members on November 3rd, is separate from the Communicator Research trade.]] 90. Use Reservists with specialized skill-sets to fill elements of the Canadian Armed Forces cyber force." (p. 73)
  • With respect to the last of these items, the Canadian Forces will "Assign Reserve Force units and formations new roles that provide full-time capability to the Canadian Armed Forces through part-time service, including: ... • Cyber Operators; • Intelligence Operators; ... and • Linguists" and "Enhance existing roles assigned to Reserve Force units and formations, including: • Information Operations (including Influence Activities)" (p. 69).
These details are welcome, but it seems to me that a number of important questions remain either unresolved or ambiguous in the defence policy statement.

Most importantly, at several points the document characterizes offensive cyber activities as taking place solely in the context of "government-authorized military missions", which would seem to mean that offensive cyber activities will be restricted to just a few specifically designated operations, such as Op Impact or Op Reassurance. Employment of cyber capabilities is to be approved by the government "on a mission-by-mission basis consistent with the employment of other military assets".

But "mission" could actually have a much broader meaning.

The document also outlines eight "core missions" of the Canadian Forces, covering everything that our military forces do (p. 82). These missions include detecting, deterring, and defending against threats to or attacks on Canada; detecting, deterring, and defending against threats to or attacks on North America in partnership with the United States; leading and/or contributing forces to NATO and coalition efforts to deter and defeat adversaries, including terrorists; leading and/or contributing to international peace operations and stabilization missions with the United Nations, NATO, and other multilateral partners; and providing assistance to civil authorities and law enforcement, including counter-terrorism, in support of national security and the security of Canadians abroad.

Could offensive cyber activities be authorized in support of wide-ranging, fundamental "missions" such as these?

Such a reading may seem implausibly broad.

But on page 60 the document states the Canadian Forces "will ensure that new challenges in the space and cyber domains do not threaten Canadian defence and security objectives and strategic interests, including the economy."

It will take a lot more than cyber operations against ISIS to protect the Canadian economy — or defend a wide range of other Canadian defence and security objectives and strategic interests — from cyber threats.

The document also states that Canada has a "responsibility to contribute to efforts to deter aggression by potential adversaries in all domains", including specifically the cyber domain (p. 50). That's a much broader goal than anything that can be accomplished in the context of a particular expeditionary operation. And it implies an ongoing, continuous mission, not a temporary activity that can be expected to end when this or that operation wraps up in a matter of months or a few years.

A broader reading of "mission" is also necessary if Canada's cyber forces are to take on the sort of roles assigned their Five Eyes partners, notably U.S. Cyber Command.

It would be nice to know just how wide the range of cyber missions envisaged by the government could be.

Another question relates to the role of the Communications Security Establishment.

Will all offensive cyber operations — other than those conducted domestically — be undertaken by military cyber operators (presumably members of the Canadian Forces Information Operations Group) acting under military command? Or will CSE have a role as well?

The CFIOG normally works very closely with CSE (in fact, under its direction much of the time), and CSE's expertise on cyber defence and cyber espionage activities would be of direct relevance to any offensive operations the Canadian Forces might undertake. CSE is also likely to have its own expertise on offensive operations that it may use for computer network defence purposes and may also provide from time to time in support of CSIS "disruption" activities.

So to what extent might CSE be called upon to provide support to the Canadian Forces for the conduct of offensive cyber operations? And to what extent might CSE conduct its own operations? This document is silent on those questions.

[Update 20 June 2017: Bill C-59, which was announced and given first reading today, answers some of these questions. The government is proposing to give CSE the power to conduct both "defensive cyber operations" to help protect systems and networks "of importance" to the government of Canada and "active cyber operations" (i.e., offensive cyber operations) against foreign individuals, groups, or states for defence, foreign policy, or security purposes. The bill would also explicitly enable CSE to provide technical and operational assistance to the Canadian Forces and Department of National Defence, including for cyber operations.]

For some earlier comments that I made on Canada and cyber war, see here.

Update 18 June 2017:

This article (Murray Brewster, "Civilian oversight key to offensive cyber operations, says expert," CBC News, 18 June 2017) suggests that the Special Operations Forces sub-unit that the government will "examine establishing" in the Reserve Force will be tasked with developing "offensive cyber capabilities, particularly in the area of information operations". I don't think that's what the government is considering doing.

As noted above, the new defence policy does call for recruiting Reserve Force cyber operators and assigning cyber and intelligence roles to certain unnamed Reserve Force units and formations, as well as enhancing the information operations role of the Reserves, but I think it's a stretch to suggest that the Special Forces unit under consideration would take on cyber war, or information operations in general, as a primary function.

Update 16 April 2019: According to the 2018 annual report of the National Security and Intelligence Committee of Parliamentarians (NSICOP), the Canadian Forces were given approval to develop capabilities for active cyber operations as early as 2015: