Sunday, June 11, 2017

Canadian Forces to get offensive cyber capability — but questions remain

The Liberal government's defence policy statement, Strong, Secure, Engaged, released on June 7th, confirms that the Canadian Forces will acquire an offensive cyber capability:
We will assume a more assertive posture in the cyber domain by hardening our defences, and by conducting active cyber operations against potential adversaries in the context of government-authorized military missions. Cyber operations will be subject to all applicable domestic law, international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments. (p. 15)
A slightly more expansive description is provided on p. 72 of the document:
Defence can be affected by cyber threats at home and abroad — from attempts to steal sensitive information from our internal networks, to cyber attacks on the Canadian Armed Forces on deployed operations, to the use of cyberspace by terrorist organizations to spread disinformation, recruit fighters and finance their operations. Indeed, there has been a steady increase in the number of state and non-state actors developing the capability to conduct disruptive cyber operations.

The Defence team works closely with the Communications Security Establishment, Public Safety Canada, Global Affairs Canada and Shared Services Canada on cyber issues. To date, this work has focused on strengthening the defence of important military systems, network monitoring and control, building the future cyber force, and integrating defensive cyber operations into broader military operations.

However, a purely defensive cyber posture is no longer sufficient. Accordingly, we will develop the capability to conduct active cyber operations focused on external threats to Canada in the context of government-authorized military missions. The employment of this capability will be approved by the Government on a mission-by-mission basis consistent with the employment of other military assets, and will be subject to the same rigour as other military uses of force. Cyber operations will be subject to all applicable domestic and international law, and proven checks and balances such as rules of engagement, targeting and collateral damage assessments.
Although few actual details are provided about either cyber operations or planned signals intelligence capabilities in general, the statement does report that:
  • The Canadian Forces will "Acquire joint signals intelligence capabilities that improve the military’s ability to collect and exploit electronic signals intelligence on expeditionary operations" and will "Improve cryptographic capabilities, information operations capabilities, and cyber capabilities to include: cyber security and situational awareness projects, cyber threat identification and response, and the development of military-specific information operations and offensive cyber operations capabilities able to target, exploit, influence, and attack in support of military operations." (p. 41)
  • "The Defence team will increase its intelligence capacity, and will examine its capabilities to understand and operate in the information environment, in support of the conduct of information and influence operations." (p. 66)
  • "[W]e will acquire an airborne intelligence surveillance and reconnaissance platform that will enhance the ability of our Special Operations Forces to improve their understanding of the operational environment." (p. 103)
  • "The Government will provide $4.6 billion for joint capability projects in domains such as cyber, intelligence as well as joint command and control over the next 20 years. This includes... $1.2 billion over the next 20 years for five new equipment projects and one information technology project. For example, the Combined Joint Intelligence Modernization project will provide a modern deployable intelligence centre for land-based operations, building on the lessons learned in recent operations." (p. 103)
  • "To better leverage cyber capabilities in support of military operations, the Defence team will:
      87. Protect critical military networks and equipment from cyber attack by establishing a new Cyber Mission Assurance Program that will incorporate cyber security requirements into the procurement process.
      88. Develop active cyber capabilities and employ them against potential adversaries in support of government-authorized military missions.
      89. Grow and enhance the cyber force by creating a new Canadian Armed Forces Cyber Operator occupation to attract Canada’s best and brightest talent and significantly increasing the number of military personnel dedicated to cyber functions. [Question: Will this new occupation supplement the existing Communicator Research occupation or absorb and replace it? [Update 8 November 2017: Supplement it. The Cyber Operator trade, which received its first members on November 3rd, is separate from the Communicator Research trade.]]
      90. Use Reservists with specialized skill-sets to fill elements of the Canadian Armed Forces cyber force." (p. 73)
  • With respect to the last of these items, the Canadian Forces will "Assign Reserve Force units and formations new roles that provide full-time capability to the Canadian Armed Forces through part-time service, including: ... • Cyber Operators; • Intelligence Operators; ... and • Linguists" and "Enhance existing roles assigned to Reserve Force units and formations, including: • Information Operations (including Influence Activities)" (p. 69).
These details are welcome, but it seems to me that a number of important questions remain either unresolved or ambiguous in the defence policy statement.

Most importantly, at several points the document characterizes offensive cyber activities as taking place solely in the context of "government-authorized military missions", which would seem to mean that offensive cyber activities will be restricted to just a few specifically designated operations, such as Op Impact or Op Reassurance. Employment of cyber capabilities is to be approved by the government "on a mission-by-mission basis consistent with the employment of other military assets".

But "mission" could actually have a much broader meaning.

The document also outlines eight "core missions" of the Canadian Forces, covering everything that our military forces do (p. 82). These missions include detecting, deterring, and defending against threats to or attacks on Canada; detecting, deterring, and defending against threats to or attacks on North America in partnership with the United States; leading and/or contributing forces to NATO and coalition efforts to deter and defeat adversaries, including terrorists; leading and/or contributing to international peace operations and stabilization missions with the United Nations, NATO, and other multilateral partners; and providing assistance to civil authorities and law enforcement, including counter-terrorism, in support of national security and the security of Canadians abroad.

Could offensive cyber activities be authorized in support of wide-ranging, fundamental "missions" such as these?

Such a reading may seem implausibly broad.

But on page 60 the document states the Canadian Forces "will ensure that new challenges in the space and cyber domains do not threaten Canadian defence and security objectives and strategic interests, including the economy."

It will take a lot more than cyber operations against ISIS to protect the Canadian economy — or defend a wide range of other Canadian defence and security objectives and strategic interests — from cyber threats.

The document also states that Canada has a "responsibility to contribute to efforts to deter aggression by potential adversaries in all domains", including specifically the cyber domain (p. 50). That's a much broader goal than anything that can be accomplished in the context of a particular expeditionary operation. And it implies an ongoing, continuous mission, not a temporary activity that can be expected to end when this or that operation wraps up in a matter of months or a few years.

A broader reading of "mission" is also necessary if Canada's cyber forces are to take on the sort of roles assigned their Five Eyes partners, notably U.S. Cyber Command.

It would be nice to know just how wide the range of cyber missions envisaged by the government could be.

Another question relates to the role of the Communications Security Establishment.

Will all offensive cyber operations — other than those conducted domestically — be undertaken by military cyber operators (presumably members of the Canadian Forces Information Operations Group) acting under military command? Or will CSE have a role as well?

The CFIOG normally works very closely with CSE (in fact, under its direction much of the time), and CSE's expertise on cyber defence and cyber espionage activities would be of direct relevance to any offensive operations the Canadian Forces might undertake. CSE is also likely to have its own expertise on offensive operations that it may use for computer network defence purposes and may also provide from time to time in support of CSIS "disruption" activities.

So to what extent might CSE be called upon to provide support to the Canadian Forces for the conduct of offensive cyber operations? And to what extent might CSE conduct its own operations? This document is silent on those questions.

[Update 20 June 2017: Bill C-59, which was announced and given first reading today, answers some of these questions. The government is proposing to give CSE the power to conduct both "defensive cyber operations" to help protect systems and networks "of importance" to the government of Canada and "active cyber operations" (i.e., offensive cyber operations) against foreign individuals, groups, or states for defence, foreign policy, or security purposes. The bill would also explicitly enable CSE to provide technical and operational assistance to the Canadian Forces and Department of National Defence, including for cyber operations.]

For some earlier comments that I made on Canada and cyber war, see here.

Update 18 June 2017:

This article (Murray Brewster, "Civilian oversight key to offensive cyber operations, says expert," CBC News, 18 June 2017) suggests that the Special Operations Forces sub-unit that the government will "examine establishing" in the Reserve Force will be tasked with developing "offensive cyber capabilities, particularly in the area of information operations". I don't think that's what the government is considering doing.

As noted above, the new defence policy does call for recruiting Reserve Force cyber operators and assigning cyber and intelligence roles to certain unnamed Reserve Force units and formations, as well as enhancing the information operations role of the Reserves, but I think it's a stretch to suggest that the Special Forces unit under consideration would take on cyber war, or information operations in general, as a primary function.

Update 16 April 2019: According to the 2018 annual report of the National Security and Intelligence Committee of Parliamentarians (NSICOP), the Canadian Forces were given approval to develop capabilities for active cyber operations as early as 2015:


Anonymous said...

Bell, Telus ATM and emergency services are presently under False Flag Cyber Attack in Atlantic Canada in order to get changes passed Quickly in September. -August 4, 2017 13h20 Eastern.

August 04, 2017 1:21 pm  
