Former CSE chief Maj.-Gen. (ret'd) John Adams wants CAF offensive cyber

[MarkOttawa]

A lot of work to be done:

Canada and Cyber

It’s time for Ottawa, the Department of National Defence, the CAF to address our cyber war capability shortfall.

Computers and information systems have become a fundamental part of Canadian life. Day-to-day activities, commerce, and statecraft have gone digital. The associated information technology (IT) underpins nearly all aspects of today’s society. It enables much of our commercial and industrial activity, supports our military and national security operations and is essential to everyday social activities...

It would be neglectful beyond belief to leave the Canadian Armed Forces without access to offensive cyber capabilities and the requisite authority to attack a foreign adversary who is causing catastrophic damage to Canada’s critical infrastructure through cyber war. Only then will the Canadian Armed Forces be relevant in future conflicts. This high priority responsibility and authority must be highlighted in the upcoming Defence Policy Review, thereby ensuring that it is adequately resourced forthwith.

In that regard, it is noteworthy that in spite of days of contentious debate on the floor of the US Congress over the 2015 National Defence Authorization Act, there was a rare bipartisan consensus concerning cyber, and it was fully funded. Also worthy of note is the fact that in April 2015, the United States released a new Cyber Security Strategy. Among other things, for the first time, it explicitly discussed the circumstances (see catastrophic attack above) under which cyber war could be used against an attacker. This is why asking the Department of National Defence and the Canadian Armed Forces to work on the policy/legal framework in 2010 was wise – why and when is easily as important as how, and actually harder to nail down.

Not least of the policy questions is how/where capabilities should be developed and how/when accessed. If that’s not clear, drumming up funding for weaponry development could be wasteful at best and disruptive or dangerous at worst. That work must be finalized, if it hasn’t been already, as part of the Defence Review. It will be an essential component to an update of Canada’s 2010 Cyber Security Strategy, which will be an indispensable complement to the Defence Policy
Review.

The clarification of Canada’s approach to cyber as highlighted above, within the Defence Review, in combination with the updated Cyber Security Strategy, would form the basis for Canada/US discussions regarding a CANUS Cyber Accord. Borders do not inhibit network warfare operations. Furthermore, elements of Canada’s critical infrastructure, currently vulnerable to cyber attack, are shared. Accordingly, such an accord makes eminent sense and would deepen Canada/US defence cooperation.

Finally, to highlight the priority that the United States is placing on this matter, there is draft legislation before Congress which seeks to improve the Pentagon’s defence procurement process for cyber warfare technologies by including these technologies within the Secretary of Defense’s Rapid Acquisition Authority.

In conclusion, the time for the government of Canada, the Department of National Defence and the Canadian Armed Forces to close the shortfall in the authority to engage in cyber war is now, and the perfect vehicle is the Liberal government’s recently announced Defence Review to be done in lockstep with an update of Canada’s Cyber Security Strategy.

Major-General John Adams (Ret’d) is the former Chief of the Communications Security Establishment Canada and Associate Deputy Minister of National Defence. After his retirement from the Canadian Forces, Adams was appointed Assistant Deputy Minister, Infrastructure, and Environment, for National Defence. From 1998 to 2003, he served as Assistant Deputy Minister, Marine Services and Commissioner with the Canadian Coast Guard for Fisheries and Oceans Canada, and from 2003 to June 2005, as Associate Deputy Minister and Commissioner of the Canadian Coast Guard.
http://www.vanguardcanada.com/2017/01/25/canada-and-cyber/

Earlier, including Maj.-Gen Adams:

Canada: “Time to get serious about cyber security”
https://cgai3ds.wordpress.com/2016/08/23/mark-collins-canada-time-to-get-serious-about-cyber-security/

Mark
Ottawa

 

[Jarnhamar]

I'm not saying it's not a priority but I had to tell young soldiers today that clothing stores doesn't have any winter boots to issue them.  The snow here is well past my knees.

 

[MarkOttawa]

Jarnhamar: Which indicates the problem of Canadian governments and the public not being willing adequately to fund a modern military.  Has been thus for a very long time--see from a CIA paper in 1985:

The Politics of Canadian Defense
https://www.cia.gov/library/readingroom/docs/CIA-RDP85T01058R000202840001-0.pdf

A very good analysis really worth reading and very relevant today.  Let's see how much of a squeeze on the current gov't will come from the Trump effect.

Mark
Ottawa

 

[MarkOttawa]

More on CAF and cyber from horse's mouth

Cyber war
We spoke to Canada’s cyber chief about how Canada should handle cyber attacks

To hack or not to hack?

That’s the conversation that is happening in an array of Western militaries, as details emerge of Russian interference in the American election, Chinese infiltration of various North American systems, and the recent hacking of the Ukranian power grid.

The question, now, is whether one good hack deserves another, and if NATO militaries ought to be using their military computer systems to hit back at actors and states that have stolen data and attacked critical infrastructure.

In Canada, the woman at the heart of that discussion says that while she can’t talk “conclusively” about how Canada is going to respond to cyber attacks against its systems, the option is definitely on the table.

Brigadier General Francis Allen, Director of Cyber for the Canadian Armed Forces, spoke to VICE News last week about a renewed push to bolster the Canadian Armed Forces’ cyber operations — under the four main pillars of ‘secure, operate, defend, sustain’ — but remained vague about whether Canada would be getting into the hacking business.

“Our focus is on ensuring that we are able to defend ourselves and conduct our military operation despite whatever the intent of adversaries may be, despite the environment,” she said over the phone on Friday.

The cyber chief noted the Department of National Defense has launched a series of consultations with industry to figure out technological solutions to beat hackers and defend Canadian systems. That, she says, will be bolstered by new training programs for military personnel and recruitment specifically targeting skilled technology operators.

“It lets us look at how, when we deliver this in the future, we want to have a heightened ability to defend at advanced threats.”

Allen says she’s not getting into details, yet, because she doesn’t want to preempt a public consultation on the future of the Canadian military that is currently wrapping up — but she did say that cyber attacks are a growing concern for the military...

Allen, who was appointed to the top cyber job in June 2015, could have her marching orders dictated by the defense policy review underway. It highlights the option of building hacking tools into the Canadian military’s armory [emphasis added].

“Cyber capabilities can be used to disrupt threats at their source, and can offer alternative options that can be utilized with less risk to personnel and that are potentially reversible and less destructive than traditional uses of force to achieve military objectives,” a public consultation document explains. It concludes: “We must consider how to best position the Canadian military to operate effectively in this domain.”

Defense Minister Harjit Singh Sajjan himself, in a sit-down interview with VICE News in Halifax last November, sidestepped the question of whether the Canadian military would look to establish, or even use, cyber as a weapon.

“We need to be mindful of how cyber is going to be used, and how we prevent future attacks, and we have had these discussions,” Sajjan said...
https://news.vice.com/story/canada-is-deciding-whether-it-wants-to-get-into-the-business-of-cyberwar

Mark
Ottawa

 

[MarkOttawa]

Problems militaries have with cyber matters:

‘Cyber Defense Is Very Much About Political Decisions’

One of the things the West is least prepared to handle about a cyberattack is how quickly the response to it turns political. Defense officials responding to an attack quickly encounter bureaucratic roadblocks and geopolitical concerns they may be unprepared to navigate. 

That was one of the main takeaways from a first-of-its-kind tabletop cyber exercise Estonia hosted earlier this month. CYBRID 2017 put European Union defense ministers in the hot seat as a fictional scenario “moved from a minor cyber incident up to a real blockade of communications systems that stopped a naval operation on the Mediterranean,” Estonian Defense Minister Jüri Luik said.

“At first, you were not able to recognize whether it was a cyberattack against just the personal computers of the people working there, or was it, for instance…a ransomware attack. And then it became more and more confusing,” Luik told reporters in Washington this week. “There were more hacks, systems were down, computers stopped working, communications stopped working.”

“In the end, we ran into a situation where the whole military communications system was down, and the EU headquarters was not able to contact the ships on the Mediterranean, and there was no clear information about what had even happened to these ships. And from point to point to point, the ministers had to make a decision” about how to respond, he said.

The world hasn’t seen a “9/11-level” cyber incident yet, said Luik, whose country was on the receiving end of one of the most serious to date: a Russian attack in 2007 that shut down the country’s banks, media outlets and government websites. The events played out in CYBRID 2017 didn’t rise to that level either — but one of the things the exercise exposed was just how difficult it is to evaluate how bad things are.

“The biggest issue is that we have no baselines for such attacks,” Luik said. “Our capability to judge what has happened is very complicated, because we even don’t know what these terms mean — is it high-risk, is it low-risk? How do you assess the risk?”..

http://www.defenseone.com/threats/2017/09/cyber-defense-very-much-about-political-decisions/141198/

Mark
Ottawa

 

[Animatesx]

Thank you for the great information you have published here.