Image: Tech. Sgt. Tommy Grimes/U.S. Air Force
by Alexander Rudolph
Table of Contents
- Why Does It Seem the Government Does Not Care?
- Where is Canada Now?
- Intelligence and Cyber-Intelligence
- Direction and Prioritization
- Funding Needs Policy
- End Notes
- About the Author
- Canadian Global Affairs Institute
On March 8, 2022, Prime Minister Justin Trudeau committed Canada to confront Russia not just over its invasion of Ukraine, but over its cyber-attacks as well. This declaration included a larger thrust from the West to address the cyber-aspects of Russia’s invasion of Ukraine. Notable examples are the G7 leaders’ commitment to improving co-ordinated cyber-defence and cyber-threat intelligence sharing to support holding bad actors accountable for conducting “destructive, disruptive, and destabilizing activities in cyberspace,” as well as the Statement by NATO Heads of State and Government, which committed to improving cyber-capabilities, defences and “impos[ing] costs on those who harm us in cyberspace.” Each step of the way, Trudeau has voiced Canada’s support, standing together with NATO and its allies with Canada’s cyber-capabilities and responding. But how much can Canada really do?
Canada can say it has the cyber-capabilities to defend itself and its interests abroad. However, when each ministry or institution is taken individually, Canada has a very incomplete, fractured and shallow approach to cyber-defence and foreign policy. The Canadian government should be commended for its progress in building up its e-government services. However, with increased online presence and activity comes a greater exposure to online threats. The federal government has learned this the hard way over the past couple of years with attacks on the Royal Military College, Office of the Secretary to the Governor General, Global Affairs Canada (GAC) and the National Research Council. Provinces do not have it any easier either, with recent attacks including the Saskatchewan Liquor and Gaming Authority, Newfoundland and Labrador’s health-care system and the city of Saint John, New Brunswick. However, the crisis is even more rampant in the private sector, with the Communications Security Establishment (CSE) estimating that at least 235 ransomware incidents occurred in 2021 alone, with the average cost of a data breach being $6.35 million. These are the incidents we know about.
Public disclosures of such incidents by the federal and provincial governments over the past few years correspond with the increase in cyber-attacks since the COVID-19 pandemic began. Of particular concern is the rapidly increasing use of ransomware as a tool of extortion against organizations and governments, which has proven much more nefarious for the private sector. In 2021, a Canadian Internet Registration Authority survey found that a concerning 69 per cent of Canadian organizations paid the ransom. CSE’s 2021 Cyber Threat Bulletin about ransomware noted that in Canada, 2/3 of organizations targeted are small or medium-sized enterprises. In CSE’s own words, “the impact of ransomware can be devastating” and the financial consequences can be “profound.” Thus, it should be no surprise that there is a small but growing sentiment in the Canadian information security sector that they have a right to self-defence and should be able to conduct active defence operations of their own with “cyber letters of marque.”1 Regardless of one’s view about such a policy and potential for such actions to make conditions unfathomably more precarious, it should be considered a warning to the Canadian government. Those who want to conduct offensive operations against criminals, state-supported actors or state actors are resorting to a policy choice of desperation.
The term “desperation” is neither an insult nor a derogatory description of these advocates. Those who argue for giving private industry the legal protection to conduct active defensive or offensive operations simply want to protect themselves and their organizations from the severe impacts of a cyber-attack.2 Such a policy proposal derives from a loss of trust in the government’s ability to address the problem. Asking the government for the legal protection to respond to data theft or extortion with offensive attacks is not a reasonable request; it is a futile attempt to stop the onslaught of cyber-attacks with no apparent end in sight. The foundational issue that Canada must address is not about capabilities or threat posture to deter cyber-attacks, but about the security culture which says these security compromises are permissible. The first step is to develop a robust and transparent cyber-defence strategy to show that the government does care.
Beyond the unproductive security culture, Canada has been developing its capacity to engage internationally in cyber for some time, but not all ministries are equal. One reason for this is that cyber-space is ubiquitous, which means ministries and departments will all have their own specific needs and visions that will naturally overlap with others. For example, the goals and objectives of the Department of National Defence/Canadian Forces (DND/CAF) will be dramatically different from those of GAC or CSE, which means they each should be doing different things. This may not seem like a novel position, but policy development on foreign, defence and intelligence policy instruments for cyber has lacked coherent organization and purpose at the federal level. In fact, there is an absence of public-facing policy documents that clarify most federal government policies about cyber-conflict.
Canadian cyber-diplomacy has focused on norm and capacity building. The latter entails supporting the use of cyber-security, through technology or knowledge transfer, for economic mobility and enfranchisement. Norm building, on the other hand, is focused on the creation of norms around the use of cyber-conflict. GAC was active in the United Nations Groups of Governmental Experts (UN GGE) on developments in the field of information and telecommunications in the context of international security and participated in its current predecessor, the UN Open-Ended Working Group (OEWG). These two bodies have been the primary international effort to develop norms about the use of cyber-space for state security. These efforts are more than two decades old and have had little impact on mitigating or decreasing cyber-attacks. However, this enormous and complex process cannot be done in a matter of years. The current laws of armed conflict have been built upon a millennium of armed conflict, so we cannot be shocked that states have not developed norms of cyber-conflict in the approximately 30 years of its existence. In addition, it is hard to build and talk about norms if states refuse to discuss what they are doing in the first place. Building norms about the use of cyber-conflict is monumentally important, but it will not happen anytime soon. Canada and Canadians must defend themselves.
The Canadian Security and Intelligence Service (CSIS) may play a role in addressing cyber-threats, but according to the DND’s 2020-21 departmental results, CSE is Canada’s “cybersecurity authority.” This language used to describe the Canadian Centre for Cyber Security; this shift to refer to CSE as such is very telling about the current direction of Canadian cyber-defence and DND/CAF deferential treatment of cyber as the primary purview of CSE. CSE is indeed working with DND/CAF to boost their offensive cyber-capabilities, but without stated plans to establish institutional and legal frameworks to formalize the relationship between the two entities, the assumption is that the DND/CAF relies upon CSE for its cyber-defence. Co-ordination is not the same as co-operation. It is becoming increasingly important to clarify and codify this relationship as a matter of strategic imperative. There will be an increasing need to clarify and establish the different roles between CSE and DND/CAF so that they are not competing as DND/CAF improves and acquires cyber-capabilities. Both must be able to achieve their missions and understand what types of cyber-operations are expected. Clarifying these differences in mission set, rules of engagement and operations helps to ensure operators and commanders understand their roles, but it is even more important for all politicians and government bureaucrats who contribute to this work.
To focus on DND/CAF in discussions of cyber-defence would be to ignore the whole picture, but the story begins with where the armed forces are in cyber-defence and why they must rely upon CSE. As I have previously written, DND/CAF has been slow to develop “active cyber operations” and to build up its backbone cyber-infrastructure. “Active operations” are what the Canadian government calls “offensive cyber operations” (i.e., “to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities”).3 There are a myriad of reasons why DND/CAF has been slow to develop these capabilities, but one significant source to acquire and build these capabilities is to train with or by CSE simply because they have a head start on acquiring these capabilities and by all indications, are quite good at offensive cyber-operations. The CAF also conducts training with private Canadian firms, such as Reticle Ventures and Sapper Labs, but the bulk of operational and tactical learning will come from internal institutional developments, learning and working with CSE, and from allies, primarily the United States. This approach to the force development of cyber-capabilities in the military is similar to how Canada’s closest allies, the Five Eyes in particular, have developed their own militaries’ cyber-capabilities. The advantage of this process is learning the tools and methods of the trade from those who have already learned the ropes of offensive cyber-operations, which enables greater co-operation across operations and campaigns. This aspect is important to consider when understanding that the mandates and purposes of CSE and DND/CAF are entirely different, but complementary. This becomes muddled when CSE is given full co-ordinating authority, and potentially problematic if CSE is expected to take on military operations in the event the CAF is unable to deliver desired effects.
Nevertheless, since 2020 the CAF has made great strides in continuing to train and develop its capabilities, but it is difficult to quantify this with limited information. However, the problems for DND/CAF go beyond the ability to conduct offensive cyber-operations. They also relate to the procurement and development of a broad swath of cyber-enabling infrastructure including modern, classified, cloud-based networks and databases. Similar to many other systems across the federal government, many of DND’s systems and processes date back to the 1950s, and in many cases are simply upgrading to catch up to 2010s technology. This is concerning as the United States Department of Defense is developing its Joint All-Domain Command and Control (JADC2) concept, which relies upon extensive use of cloud networking and storage to share intelligence and data across the military and is a central concept to modernizing NORAD. DND/CAF is presently not close to setting up such a capability. Whereas discussions of radars, F-35s and other expensive capabilities draw widespread attention, arguably the lack of a secure, modern cyber-infrastructure is one of the greatest hurdles to DND/CAF’s objective to modernize.
Brig.-Gen. James Lambert, soon to be the CAF’s former director general of Information Operations, noted that he has access to the necessary money, but he really needs people to do the work. This means the CAF struggles to get the right people, and the defence procurement system is not fit for purpose to address the CAF’s pressing cyber-procurement needs. Conversations are ongoing to determine the force structures between CSE and DND/CAF relative to each entity’s ability to project force in cyber-space, but the lack of clear policy or organization functionally limits what the CAF can do. Even more concerning, although it attempts to at times, it can prevent defence officials from speaking with industry to try to fix some of these problems. Neither of these points to capabilities themselves, but policy issues cannot be fixed by simply throwing money at the problem and hoping for the best. Unfortunately, the lack of prioritization of these issues will mean having to pay much more to catch up.
Although the force development of cyber-capabilities is comparatively cheaper than the acquisition of the F-35 fighter jets or the upcoming Canadian Surface Combatant, it requires billions worth of investment and the necessary manpower. As the federal government and the Bank of Canada continue to take actions to recover economically and control inflation, the government needs to be pragmatic about where it wants to focus its funding to develop Canadian cyber-capabilities. We already get a sense of what its priorities currently are if we follow the money. Budget 2022 contained a range of targeted investments in defence, with $875.2 million specifically going to improve Canadian cyber-security and cyber-defence. Most of this funding is going to CSE to improve its capabilities, such as launching offensive cyber-operations, improving the security of critical infrastructure and assisting the government
One provision in Budget 2022 is an additional $17.7 million to start a research program to develop partnerships between CSE and academics. The program will award grants and provide opportunities to conduct classified and publishable research with CSE. Many questions remain unanswered about this program, but initial details suggest a significant opportunity for greater transparency on Canadian cyber-defence policy and potentially better advice for policy and capability development. This is a great initiative by all means, but the Canadian intelligence community has a sharing and disclosure problem. This is not simply in regard to public disclosures or access-to-information requests, but the National Security and Intelligence Committee of Parliamentarians (NSICOP) has found that Canada’s intelligence organizations have intentionally withheld or delayed the disclosure of pertinent information. If Canada’s intelligence organizations are doing this with each other and with other legal or federal officials, there is little to suggest that this program would be any different. Further, the details provided so far suggest that the program will primarily support technical and capability-centric research with specific mentions of quantum computing and artificial intelligence.
It is quite difficult to forecast Canada’s cyber-force development because its inconsistent approach lacks policy coherence and reasonable public disclosure. Of course, this also assumes that the Canadian government has a strategic policy for cyber-space. Nevertheless, this highlights that the primary constraining trait of Canadian cyber-capabilities is a lack of a pragmatic, enabling policy framework to provide CSE and DND/CAF freedom to maneuver to learn from each other4 and to allow the work to be done to protect Canada’s military and Canadians from cyber-threats. The risk in giving CSE the full capability set and mandate to conduct operations, even when tasked by the government, is that much of this will occur with minimal oversight or disclosure to the public. In light of NSICOP repeatedly chastising Canada’s intelligence community for lack of proper disclosure and information sharing with government authorities, the time to ensure transparency and proper oversight was yesterday.
In December 2021, four ministers were tasked in their mandate with working together to author Canada’s next National Cyber Security Strategy. No timeline has been given for the completion of this strategy, but the ministers will be hard-pressed to develop a sufficient strategy that maximizes potential in diplomacy, defence and intelligence. The current cyber-security strategy is slated to end in 2024, but largely lacks an engagement with cyber-defence or clarity as to how Canada is addressing cyber-threats other than giving more money to Canadian intelligence. From this year’s federal budget, we see that the government is prioritizing funding to CSE to bolster cyber-defence and across the government. What is their overarching policy to accomplish this and achieve results? Likely still in development, but we may be hard-pressed for the government to release any details about this as long as CSE is the lead organization for these efforts. Additional work is currently being conducted to refine policy questions and gaps across the government, which means there is some awareness of a lack of policy coverage. However, it may be too early to say whether this will translate into an increasing government prioritization of cyber-defence. Policy coverage in this case is not simply about having the policy to inform action, but about having policy to enable action.
Some initial planning and investment appear to be underway, including key investments to improve domestic talent development of information technology security specialists such as the Cyber Security Innovation Network. However, if the government wanted to bring in more industry to assist with Canada’s cyber-defence or to increase public-private collaboration, it should be clear about liabilities. To bring in more of the private sector, the government must be upfront about liability protections, which will create more possibilities for technical operators to step forward for public-private partnerships. When the government collects or is given data and information, be it on Canadian citizens or foreign intelligence, it has an obligation to use that data responsibly and to protect it from unauthorized access and use. These investments and efforts to improve access to opportunities are welcomed and should be supported, but to what degree are policy development and engagement part of the discussion?
In February 2022, NSICOP released a report on Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack, which discussed at length the history of cyber-defence in Canada, including detailed information on policy and governance.5 The report revealed that policy development occurs through a large network of committees to lead, develop and co-ordinate cyber-defence across the government without a particular stated lead. The need for such committees is evident by the need to co-ordinate and co-operate on action across the government, but without a specific lead, this reinforces criticisms of the ad hoc nature of Canadian cyber-security policy. However, the policy and governance outlined in this document should largely be viewed as a starting point. Presently, there appears to be a concerted effort to review and clarify aspects of Canada’s cyber-defence even beyond the upcoming new Canadian National Cyber Security Strategy, but the execution remains questionable.
As a perfect case exemplifying the flippant attitude towards much of the cyber-portfolio, take the recent “release” of the CAF Digital Campaign Plan. On June 17, 2022, the plan was released with a promise to be a document outlining the CAF’s plan to digitally transform and modernize itself. This is the type of document that many Canadian cyber-defence watchers have been waiting for, except it is now more than a month since the release without the campaign plan being released to the public. Despite attempts to obtain the plan, including a Twitter follower contacting the appropriate Public Affairs officers on my behalf, I have had no luck. This is concerning because just three days later, on June 20, 2022, Minister of National Defence Anita Anand announced Canada’s core plan for NORAD modernization, which includes far more of a cyber-component than people realize beyond integration into the cloud-based NORAD Pathfinder initiative.
At the heart of NORAD modernization and Pathfinder is Joint All-Domain Command and Control (JADC2), the United States military’s concept to “connect sensors from all of the military services – Air Force, Army, Marine Corps, Navy, and Space Force – into a single network.” JADC2 is envisioned as a cloud-like network to share all forms of data across communications networks. A large focus of this is to bring data traditionally not digital or on communications networks to the cloud for, as the name implies, better joint all-domain command and control. This is principally not about a cloud-based communications network, but a communications network to connect all sensors, to collect all the data from those sensors, which is processed by artificial intelligence for use by commanders to make informed decisions. It is important to understand these concepts and how they contribute to U.S. military force development, particularly NORAD, because misalignment of Canadian strategy with this concept risks Canada not being taken seriously as an ally, let alone as the United States’ closest ally. A concerning trend in Canada inaccurately portrays and discusses JADC2 as if it is a singular capability rather than a strategic concept about how to modernize the military’s digital infrastructure. This underscores that there is a central, underlying misunderstanding to how many in Canada view cyber-space as a tool or capability. Canadian decision-makers need to understand that cyber-space is a domain just like land, air or water, with its own physics, centres of gravity and risk models, which necessitates a reassessment of what it means to be digitally or cyber-enabled. Cyber-capabilities enable a wealth of options for operating in cyber-space, but simultaneously increase the threat surface. For each cyber-enabled piece of technology, one must consider the risk of how that technology could be attacked or compromised through cyber-space. 
Balancing increasing capability with the risk of providing new and additional means for adversaries to attack the CAF through cyber-space is the implicit cost-benefit analysis to modernizing cyber-defence. Not considering the full depth of these risks, and subsequently providing the sufficient priority in attention and funding, puts Canadians and Americans alike at risk.
Recent comments by high-ranking RCAF personnel at the CGAI conference “Defending the Continent” would suggest that the advanced, cloud-based and networked infrastructure will be initially focused on the RCAF before expanding to the rest of the forces. From a planning and logistics standpoint, this would make sense as the RCAF works most closely with NORAD. It was also suggested, in terms of readiness and capabilities, that the RCAF is the most prepared to integrate digitally with NORAD. However, what of everyone else in the CAF? Differences in capabilities are normal between services, but the error is in thinking that digital infrastructure and cyber are a capability as opposed to a threat environment. Regardless of how DND/CAF develops its digital infrastructure and capacity to operate in cyber-space, it exists and has a tangible impact on Canadian defence domestically, abroad and in cyber-space. Acquiring these capabilities provides a host of potential for the RCAF, but it simultaneously provides a potential attack vector for adversaries that may be after the United States and see DND/CAF as the vehicle for access. A central mission of continental defence modernization relies on the DND/CAF’s ability to defend and secure its data networks and infrastructure. What comes with NORAD modernization and JADC2 is greater connectivity between United States and Canadian military networks, which means that the need to protect and modernize military networks becomes a national security, national defence and foreign policy necessity to maintain Canada’s relationship with the United States. If the Canadian government fails to prioritize cyber-defence, there is a real possibility of damaging Canada-United States relations if DND/CAF were considered a risk due to poor cyber-security and cyber-defence.
When Trudeau commits Canada to support NATO and allies with cyber-operations, we can take him at his word that he is serious and that it may lead to an increased role for CSE conducting active cyber-operations. However, the degree to which DND/CAF can support NATO cyber-operations remains to be seen and is in doubt. Further, while CSE can contribute to active operations with allies, it is just as likely to be prevented from doing so because of inadequate policy in a security culture which deprioritizes cyber-defence and disclosure. One thing that Russia’s invasion of Ukraine has taught us is that the over-classification of intelligence is a perilous path which could potentially help Canada’s adversaries. Intelligence sharing, including cyber-threat intelligence, has directly supported and enabled Ukrainian success. Now is the perfect time to push for more targeted intelligence disclosures to assist Canadian cyber-defence. In a world where open-source intelligence is beginning to outpace governments, Canada needs a policy rethink on how it engages with its strategy and leadership in cyber-space. If Canada wants to have a modern intelligence and national defence apparatus, policy must also innovate ahead of capabilities.
In summary, for Canada to begin to advance its cyber-defence, it must:
- Elevate the prioritization of cyber-defence by establishing an assistant deputy minister of cyber-defence with a mandate to lead and oversee the development of Canadian cyber-defence policy and coherency between CSE and DND/CAF. This could occur through the creation of an assistant deputy minister’s committee on cyber-defence that reports to the deputy minister’s committee on cyber-security. Simultaneously, create an L2 co-ordinator in DND to support the ADM cyber-defence and co-lead the ADM committee on cyber-defence.
- Provide additional support across the government. The Clerk of the Privy Council should consider appointing a deputy minister champion of cyber-security. Such a position would help address the broader security culture as it pertains to cyber-security across the federal government.
- Develop a strategy and transparency roadmap to the CAF Digital Campaign Plan that prioritizes clear communication on how the federal government and DND/CAF intend to build the operational capacity to conduct cyber-operations and how they intend to govern the use of active and offensive cyber-operations by CSE and DND/CAF.
- As part of NORAD modernization efforts, ensure coherency of CAF digital modernization and associated efforts with the U.S.’s core digital and cyber-strategic concepts, particularly JADC2 and persistent engagement, to affirm alignment of strategic policy.
- Use the new Canadian National Cyber Security Strategy to prioritize Canada’s cyber-defence and establish an outline on how the federal government intends to address the pernicious culture that has deprioritized cyber-security and cyber-defence across the Canadian government.
The CAF is on the precipice of significant change across every level, whether it is prepared for it or not. Budget 2022, NORAD modernization, the upcoming defence policy refresh and new National Cyber Security Strategy all impact Canadian cyber-defence, but the Liberal government must not make the same mistakes as previous ones. Previous efforts to improve policy and governance across the government of Canada were not followed through; thus, there is a pressing need to ensure a means to follow through with the policy.
1 Although this speaks to the growing Canadian sentiment, the debate related to supposed “cyber letters of marque” is an international one that has slowly become more popular over the last decade.
2 While some of the impacts of cyber-attacks were mentioned previously, corporations can also face significant reputational, legal and other costs associated with the attack other than paying the ransom or lost business.
3 “Active cyber-operations” is a term developed to provide CSE the legal justification to conduct offensive cyber-operations. The definition is noteworthy because it includes definitions of computer network attack and computer network exploitation, two classifications of offensive operations that have traditionally been considered separate in emergent Western/NATO cyber-doctrine.
4 Admittedly, the learning leans heavily to one side in the CSE and DND/CAF relationship.
5 It is my understanding that this is part of a present effort to clarify and disclose more of the federal government’s cyber-defence policies.
Alexander Rudolph is a Ph.D. Candidate in the Department of Political Science at Carleton University. Alex's research explores grand strategy, conflict, and competition in cyberspace. As part of his research in comparative cyber defence policy, Alex incorporates sociology, information security, and open-source intelligence methods to research the strategic thought and doctrine of cyber conflict and how it informs the creation of cyber force structures.
Outside of his academic work, Alex is an American-Canadian ex-pat and regularly contributes to Canadian and international discussions on cyber conflict. Alex has more than 10 years of experience working for non-profits in the public education and advocacy sectors as a project manager and analyst. Presently, Alex is Vice-President of Emerging Leaders in Canadian Security, a non-profit dedicated to supporting young and new professionals in Canadian security and defence, and works in Ottawa as a research coordinator in defence consulting.
The Canadian Global Affairs Institute focuses on the entire range of Canada’s international relations in all its forms including (in partnership with the University of Calgary’s School of Public Policy), trade investment and international capacity building. Successor to the Canadian Defence and Foreign Affairs Institute (CDFAI, which was established in 2001), the Institute works to inform Canadians about the importance of having a respected and influential voice in those parts of the globe where Canada has significant interests due to trade and investment, origins of Canada’s population, geographic security (and especially security of North America in conjunction with the United States), social development, or the peace and freedom of allied nations. The Institute aims to demonstrate to Canadians the importance of comprehensive foreign, defence and trade policies which both express our values and represent our interests.
The Institute was created to bridge the gap between what Canadians need to know about Canadian international activities and what they do know. Historically Canadians have tended to look abroad out of a search for markets because Canada depends heavily on foreign trade. In the modern post-Cold War world, however, global security and stability have become the bedrocks of global commerce and the free movement of people, goods and ideas across international boundaries. Canada has striven to open the world since the 1930s and was a driving factor behind the adoption of the main structures which underpin globalization such as the International Monetary Fund, the World Bank, the World Trade Organization and emerging free trade networks connecting dozens of international economies. The Canadian Global Affairs Institute recognizes Canada’s contribution to a globalized world and aims to inform Canadians about Canada’s role in that process and the connection between globalization and security.
In all its activities the Institute is a charitable, non-partisan, non-advocacy organization that provides a platform for a variety of viewpoints. It is supported financially by the contributions of individuals, foundations, and corporations. Conclusions or opinions expressed in Institute publications and programs are those of the author(s) and do not necessarily reflect the views of Institute staff, fellows, directors, advisors or any individuals or organizations that provide financial support to, or collaborate with, the Institute.