Monday 16 October 2017

Canada’s plans to fight cyber terrorism

Bill C-59 – the National Security Act 2017 – outlines a new vision for Canadian national security. Reading between the lines of this “anti-terror” bill, there is a clear attempt here to comprehensively rework decision-making mechanisms to enhance oversight and ministerial control over counter terrorism, surveillance and cyberspace operations. The new bill is intended to revise the much-maligned existing Anti-Terrorism Act, known as C-51, enacted by the previous government in the immediate aftermath of the October 2014 terrorist attacks in Quebec and on Parliament Hill. Curiously, the bill was passed with the support of opposition Liberals who are now in power.

While its new measures demonstrate with clarity where Prime Minister Trudeau’s administration would like its counter-terror efforts to go, the C-59 document reveals something else that is much more interesting.

For cyber (internet) operators preoccupied with arcane details or procedures, the decision by the Trudeau government to clarify and revise its policy outlook when it comes to cyber operations is substantial. This decision is likely to have far-reaching and enduring significance for both Canada’s and NATO’s cyberspace operations strategies and force development. The specifics of the proposed legislation may still be revised; however, the broader policy shift toward more overt planning and deliberation on cyber defense falls in line with similar developments in other Five Eyes capitals (UK, US, Australia and New Zealand). Note that they are the only countries where English is their main language.

Because of this important similarity, many of the same issues and factors that have emerged as cyber operations controversies for these partners may also affect Canada’s new policy approach. More than anything else, C-59 encapsulates the most relevant cyber debates and issues of our time. As such, the Bill should be considered no more than this: a beginning to coherent Canadian policy on cyber attacks.

What does C-59 really say about cyber attacks?

The focus of cyber operations defined within the proposed Bill (C-59) covers Computer Network Exploitation (CNE), Computer Network Attack (CNA) and Defensive Cyberspace Operations (DCO). In plain English, these different categories can be thought of as spying, sabotaging, or defending one’s respective cyberspace. What is notable in C-59 is not the inclusion of these capabilities but, more importantly, the absence of another capability area, to wit: the Defensive Cyberspace Operations – Response Actions (DCO-RA), which verifies the identity of the users with a two-factor authentication.

Heavily present in the US cyber-operations doctrine, DCO-RA will amount to offensive actions taken on sovereign networks or mission infrastructure to counter an adversary’s persistent access, activities, or disruptive behavior. While sounding quite simple on paper, DCO-RA in practice is quite controversial because of its potential impact on civilian third parties who will not be too happy with their government’s intrusion.

In national or allied cyber operations, DCO-RA could also necessitate actions on foreign soil in support of non-cyber activities. Such activities are likely to pose complex oversight challenges to existing or new government plans and oversight instruments. Where in the past clear lines have been defined between involvement vs. non-involvement in coalition operations, future cyber operations could implicate Canada in actions overseas that it might wish to avoid (e.g., avoiding commitment of troops or materiel).

While norms and Rules of Engagement (ROEs) set the limits of permissible actions in cyber operations, collateral effects can make it difficult to constrain unanticipated impacts. Defensive cyberspace operations carry the risk of inadvertent escalation if an adversary misunderstands their impact, or, for any other cyber partner, of unintended consequences and impacts.

Offense, Dominance and Cyber Defense

It is often asserted by specialists that cyberspace is a computer setting where attack (offense) is easier than defense. The new powers that C-59 allocates for cyber-attack and exploitation must be closely coordinated with defenses of civilian data, networks and public utilities that provide vital services.

Cyber risk management and vulnerability mitigation priorities must be reconciled with defense and intelligence planning. Critical infrastructure cybersecurity is currently the responsibility of Public Safety Canada (PSC), provincial authorities and private sector business owners. Linking these two roles together may stress existing Canadian government mechanisms for managing cyber risks and collateral effects. Unfortunately, the mechanism for achieving this is not well described in Bill C-59.

Perhaps the bill’s proposed new review agency, NSIRA (National Security and Intelligence Review Agency), can provide a channel for public discussions on the efficiency of current planning and coordination approaches, but with the Bill’s vague language, it is difficult to tell where NSIRA’s mandate truly begins and ends.

Established entities, namely CSIS, the RCMP (Canada’s federal police), DND (Department of National Defence) and CSE (Communications Security Establishment), will likely participate in interagency discussions and planning processes where missions are developed. NSIRA and the new Parliamentary oversight committee will have the opportunity to review these mechanisms and police compliance with legislative and policy guidance.

Playing it safe

Alas, C-59 allocates responsibilities in ways that, while not always clear, are not particularly controversial. National defense responsibilities fall to the Department of National Defence, with CSE conducting signals intelligence operations in support of allied and Canadian mission priorities.

Bill C-59 clarifies and extends these mission areas, with the addition of two new roles: Active Defense—Foreign defensive cyber operations (on foreign infrastructure in response to digital attacks) and Foreign Active Cyber Operations on foreign infrastructure with the objective of proactively disrupting a potential threat to Canada or its allies. This addition, however, raises the issue of defensive actions that can be interpreted as offensive in nature, especially if they intrude on people’s privacy.

Uncertainties—Risk and Oversight

Even well-planned cyber operations present risks to innocent third parties. These can be managed but never eliminated entirely. Cyber is an uneven domain, offering opportunities for less capable entities to challenge apparently stronger adversaries. What does this mean for the early detection of cyber threats?

While participation in cyber alliances like the Five Eyes nations group provides intelligence about common threats, the interdiction of these threats at the national level must still be executed in the context of national laws. However, concerns with privacy and civil liberties overlap with the risk management requirements of cyber operations—both at home and abroad.

This apparent overlap can lead to perceived overreach when responding to cyber threats. Enhanced surveillance of networks for detection necessarily means greater risk to personal privacy from surveillance by the government.

C-59’s proposed joint Department of National Defence and Foreign Affairs (DNDF) ministerial concurrence on cyber operations is an important threshold governing future developments in cyber operations. It is here that Parliamentary oversight of strategic policies and plans developed by the Communications Security Establishment (CSE) and Department of National Defence (DND) can have its most significant impact. It provides clearances to parliamentarians so that they can achieve a deeper understanding of issues not typically shared with them in their roles as Members of Parliament, which is essential.

The mechanism devised in Canada tracks well with the oversight committee models adopted in other Five Eyes capitals. Liaison among these legislative oversight agencies might offer an additional means to deepen collaborative frameworks beyond executive to executive and military to military channels.


Canada’s adoption of a more transparent policy on its cyber capabilities and mission requirements is a notable achievement for the Trudeau government in this particular Bill. Also significant are the experiences of other Western countries that have traveled the same path toward institutionalized cyberspace capabilities that are in the form of national strategies, purpose-designed agencies and executive level oversight mechanisms. The interaction of national and allied cyber plans will require novel mechanisms to ensure interoperability and deconfliction of activities.

Further, oversight at the national level will be challenged by the historically closely held relationships among the Five Eyes nations’ defense and intelligence establishments, which are not frequently the subject of parliamentary review. It is likely that the Bill C-59 vision is just the opening gambit in a lengthier formulation and revision process for enhanced government oversight of cyber operations and associated intelligence activities.

I apologize for the complexity of this article, but that is the way I received it; however, I made some word changes to simplify the descriptions without changing the meanings.
