Civilian oversight key to offensive cyber operations, says expert

The Canadian military will be compelled to develop — if it has not already — its own disruptive and destructive cyber weapons for deployment into an increasingly volatile online world, says a leading security expert.

And the use of those cyber bombs will demand the strict supervision of the country's civilian leadership, says Rafal Rohozinski of the SecDev Group, an Ottawa based consultancy specializing in cyber threats.   

The Liberal government's new defence policy gives the military the green light to "develop active cyber capabilities and employ them against potential adversaries," which means it will be able to conduct offensive operations online.

It is unclear how far along the military is in developing its own "destructive" malware programs, or how much it might be piggy-backing off other allies.

Documents released to CBC News under Access to Information legislation last spring talk about "strengthening" cyber capability.

• Canada, NATO defining boundaries of response to cyberattacks
• Former CSIS head: Canada should have its own cyber-warriors

Rohozinski says the decision to conduct offensive operations came after four years of internal "torturous" debate at National Defence about whether it, or the federal government's secretive electronic eavesdropping agency — the Canadian Security Establishment (CSE) — should have authority over cyber weapons.

The hesitation had as much to do with jurisdictional boundaries as it did the Canadian sensitivity about "not wanting to say the 'offence-thing,'" he said.

Rohozinski said he is certain that what tipped the balance was the use of cyberattacks in Russia's annexation of Ukraine and the increasing number of "destructive" as opposed to "disruptive" online attacks around the world.

On Friday, the Trudeau government outlined a plan to secure Canada's electoral system for the next campaign, likely in 2019. A CSE report released as part of the government's strategy says the country's democracy is "not immune" to online threats.

Gen. Jonathan Vance, in a recent interview about the defence policy, said it would be "irresponsible" for Canada not to have the ability to hit back against hackers and organizations that already use cyberspace as a battleground.

"It is a domain of conflict right now. We are attacked every day in cyberspace. Every day," said Vance, who went on to use a hockey analogy, saying a team can't play with just a goalie.

"You need to be on the offence to ensure you're not going to get scored on all the time. And you need to be on the offence if you actually want to win something sometimes. You want to win that game."

Non-state threats

The implications of the defence policy, however, are profound in the sense that the federal government is sanctioning attacks using malware that could potentially be released against other nations, or so-called non-state actors.

• Modernized military will put more emphasis on cyberattacks

The policy says those new kinds of operations "will be subject to all applicable domestic and international law."

But cyber weapons have the potential of being turned back on attackers, said Rohozinski.

It is software code and "a weapon that can only be used once before it's copied," he said.

"It's not like a grenade. You throw it. It explodes and disappears. When you use malware against someone, they can reverse engineer it."

That makes the decision to use it a political as much as a military decision.

And just as important, it is a must for the federal government to define "what the cyber weapon will do [and] under what circumstances, Rohozinski said.

Canada has prohibitions on using certain real-world weapons and the same kind of consideration needs to take place for this emerging capability.

"For example: Canada doesn't use cluster munitions. Perhaps we won't use the equivalent of cluster munitions in cyberspace," he said.

Cyber reservists

To what extent the Liberal government has thought about that issue and developed policy isn't clear, but Rohozinski said some kind of consultation must have taken place.

"It would be highly surprising if the Canadian government had not participated in both Five Eyes and NATO discussions around this topic prior to announcing a policy that declares an offensive capability in cyberspace," he said.

The new government policy for the military also makes hiring cyber operators a recruiting a priority.

There is a reference to creating a special forces reserve unit, which Rohozinski said would develop offensive cyber capabilities, particularly in the area of information operations.

"That was a bit of a surprise, but uniquely Canadian," he said.

It's important from the point of view of attracting top cyber talent.

There will be a focus on recruiting cyber reservists, who work in the private sector by day, where they earn top dollar, but then also get to put their skills to use with the cachet of being a part-time special forces operator.

"Special operations command has a unique incentive structure and unique selection criteria. And because they are mission-oriented — the pointy end of the spear — their ability to motivate people beyond monetary remuneration is pretty significant," said Rohozinski. "Taking that approach to cyber warriors is pretty unique and a pretty clever thing to do."