Canada’s electronic spy agency will soon get new authority to launch cyber attacks if the government approves legislation that is in the final stages of being debated. There’s a good chance it will be proclaimed before the October federal election.
But a discussion paper issued Wednesday by the Canadian Global Affairs Institute says Canadians need to debate the pros and cons of using this new power.
“This direction not only opens up new possibilities for Canadian defence, it could also represent significant new risks,” says the report. “Without good answers to the difficult questions this new direction could raise, the country could be headed down a very precarious path.”
Among the possible problems: Cyber retaliation. Another: While Canada might try to target a cyber attack, the impact might be bigger than expected — in fact, it might boomerang and smack us back.
Third is the lack of international agreement on the use of cyber weapons (although this is a double-edged sword: Without an agreement there are no formal limits on what any country is forbidden from doing in cyberspace).
“To move forward at this point to implement or even formally endorse a strategy of cyber attack would be risky and premature,” concludes the report’s author, computer science professor Ken Barker, who also heads the University of Calgary’s Institute for Security, Privacy and Information Assurance. “There are challenging technical controls that must be put in place as well as a critical international discussion on how cyber weaponry fits within the rules of war.”
Barker’s paper is in response to the 2017 strategy setting out Defence Department goals, where the possibility of Canada having a cyber attack capability first raised. It wasn’t written with Bill C-59 in mind — now in its final stage before Parliament — which actually gives Canada’s electronic spy agency, the Communications Security Establishment (CSE), the power to use what’s called “active” as well as defensive cyber operations.
In an interview Tuesday, Barker said “in the desire to push this thing they need to have more carefully thought about the questions I raise in this paper.”
“Maybe it’s late, but at least it’s available.”
He dismisses the argument that by announcing it has an offensive cyber capability Canada will cause other countries to think twice about attacking us with cyber weapons. “They would attempt to find out what Canada is doing to create cyber attack capabilities,” he argued.
“One of the risks once we do endorse this,” he added, “is we open ourselves up to other countries to using Canada as a launching pad for cyber attacks to cover up their involvement, and [then] say ‘That was done by Canada.'”
Nation states are already active in cyberspace. Ottawa has blamed China for the 2014 hack of the National Research Council, Washington suspects China was behind the massive hack of employee files at the Office of Personnel Management, and there is strong evidence that Russia mounted a sophisticated social media attack against the U.S. during the 2016 federal election.
According to the Australian Strategic Policy Institute, The U.S. the U.K. and Australia say they have used offensive cyber operations against the Islamic State. The U.S.-based Council on Foreign Relations notes that Germany increased its offensive cyber capability after a 2016 attack on the country’s legislature blamed on Russia. Last year the New York Times reported the U.S. Cyber Command has been empowered to be more offensive. Meanwhile in April the CSE warned it’s “very likely” there will be some form of foreign cyber interference during the run-up to October’s federal election here,
The most commonly-cited interference in a country were two cyber attacks that knocked out electrical power in Ukraine — in December 2015 and again in December 2016 — largely believed to have been launched from Russia.
All this is why some experts say Canada has to have an offensive cyber capability to at least keep up. In January, Ray Boisvert, former assistant director of the Canadian Security Intelligence Service (CSIS), told a parliamentary committee that “the best defence always begins with a good offense … “When more than five dozen countries are rumoured to be developing active cyber capabilities, in my view that means we must develop capabilities to respond and in some cases that includes outside our borders.”
In 2017 the Trudeau government announced a new defence strategy that included the promise of “conducting active cyber operations against potential adversaries in the context of government-authorized military missions.”
The same year the government introduced Bill C-59, which in part would give the CSE, which is responsible for securing government networks, the ability to take action online to defend Canadian networks and proactively stop cyber threats before they reach systems here. This would be done as part of new legislation governing the CSE called the Communications Security Act.
That act would give CSE the ability to conduct defensive and “active” cyber operations. Active operations are defined as anything that could “degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.”
Both defensive and active cyber operations can’t be used against any portion of the global information infrastructure within this country. And they have to be approved by the Minister of Defence.
C-59 has been passed by the House of Commons and slightly amended by the Senate. It was scheduled back in the House last night to debate the Senate amendments.
Despite all the cyber incidents blamed on nation states, Barker is reluctant to say we’re in an era of low-level cyber war right now. Many incidents can be characterized as cyber espionage and not trying cause harm to another state, he argues.
“The Myth of the Cyber Offence: The Case for Cyber Restraint,” from the Cato Institute.
“Government’s Defence of Proposed CSE Act Falls Short,” from Citizen Lab.