Canada’s plans to fight cyber terrorism
Bill C-59 – the National
Security Act 2017 – outlines a new vision for Canadian national security.
Reading between the lines of this “anti-terror” bill, there is a clear attempt
here to comprehensively rework decision-making mechanisms to enhance oversight
and ministerial control over counter terrorism, surveillance and cyberspace
operations. The
new bill is intended to revise the much-maligned existing Anti-Terrorism Act, known as C-51, enacted by the previous
government in the immediate aftermath of the October 2014 terrorist attacks in
Quebec and on Parliament Hill. Curiously, the bill was passed with the support
of opposition Liberals who are now in power.
While its new measures demonstrates with clarity of vision as to
where Prime Minister Trudeau’s administration would like its counter-terror
efforts to go, the C-59 document reveals something else that is much more
interesting.
For cyber (internet) operators preoccupied with arcane
details or procedures, the decision by the Trudeau
government to clarify and revise its policy outlook when it comes to cyber
operations is substantial. This decision is likely to have far-reaching and enduring significance for both Canada and NATO’s
cyberspace operations strategies and force development. The specifics of the
proposed legislation may still be revised, however the broader policy shift
toward more overt planning and deliberation on cyber defense falls in line with
similar developments in other Five Eyes
members (UK, US, Australia and New Zealand) capitals). Note that they are the
only countries where English is their main language.
Because of this important similarity,
many of the same issues and factors that have emerged as cyber operations
controversies for these partners may also affect
Canada’s new policy approach. More than anything else, C-59 encapsulates the
most relevant cyber debates and issues of our time. As such, the Bill should
not be considered more than just this; a beginning to coherent Canadian policy
on cyber attacks.
What does C-59
really say about cyber attacks?
The focus of cyber operations defined within
the proposed Bill (C-59) covers Computer Network
Exploitation (CNE), computer network
attack (CNA) and Defensive Cyberspace
Operations (DCO). In plain English, these different categories can
be thought of as spying, sabotaging, or defending one’s respective cyberspace.
Of note in C-59, it isn’t the inclusion of these capabilities but is more
importantly the absence of another capability area to wit; the Defensive Cyberspace Operations – Response Actions (DUO-RA which verifies
the identity of the users with a two-factor authentication.
Heavily present in the US cyber-operations doctrine, DCO-RA will amount
to offensive actions taken on sovereign networks or mission infrastructure to
counter an adversary’s persistent access, activities, or disruptive behavior.
While sounding quite simple on paper, DCO-RA in practice is quite controversial
because of its potential impact on civilian third parties who will not be too
happy with their government’s intrusion.
In national or allied cyber operations, DCO-RA could also
necessitate actions on foreign soil in support of non-cyber activities. Such
activities are likely to pose complex oversight challenges to existing or new
government plans and oversight instruments. Where in the past clear lines have
been defined between involvement vs. non-involvement in coalition operations,
future cyber operations could implicate Canada in actions overseas that it
might wish to avoid (e.g., avoiding commitment of troops or materiel).
While norms and Rules of
Engagement (ROEs) set the limits of permissible actions in cyber
operations, collateral effects can make it difficult to constrain unanticipated
impacts. Defensive cyberspace operations carry the risk of inadvertent
escalation if an adversary misunderstands their impact, or any other Cyber
partner of unintended consequences and impacts.
Offense,
Dominance and Cyber Defense
It is often asserted
by specialists that cyberspace is a computer setting where attack (offense) is
easier than defense. The new powers that C-59 allocates for cyber-attack and
exploitation must be closely coordinated with defenses of civilian data,
networks and public utilities that provide vital services.
Cyber risk
management and vulnerability mitigation priorities must be
reconciled with defense and intelligence planning. Critical infrastructure
cybersecurity is currently the responsibility of Public Safety Canada, (PSC) provincial authorities and private
sector business owners. Linking these two roles together may stress existing
Canadian government mechanisms for managing cyber risks and collateral effects.
Unfortunately, the mechanism for achieving this is not well described in Bill
C-59.
More than anything else, C-59 encapsulates
the most relevant cyber debates and issues of our time.
Perhaps the bill’s proposed new review
agency, NSIRA, (National Security and Intelligence Review Agency) can provide a channel for public discussions on the efficiency of
current planning and coordination approaches, but with the Bill’s vague language,
it is difficult to tell where NSIRA’s mandate truly begins and ends.
Established entities—respectively
CSIS, the RCMP, (Canada’s federal police) DND (Department of National Defence) and
CSE (Communications Security
Establishment) will likely participate in interagency discussions and
planning processes where missions are developed. NSIRA and the new Parliamentary
oversight committee will have the opportunity to review these mechanisms and
police compliance with legislative and policy guidance.
Playing it safe
Alas, C-59 allocates
responsibilities in ways that are while not always clear and yet, not
particularly controversial. National defense responsibilities fall to the
Department of National Defense, with CSE conducting signals intelligence
operations in support of allied and Canadian mission priorities.
Bill C-59 clarifies and
extends these mission areas, with the addition of two new roles: Active Defense—Foreign
defensive cyber operations (on foreign infrastructure in response to digital
attacks) and Foreign Active Cyber
Operations on foreign infrastructure with the objective of proactively
disrupting a potential threat to Canada or its allies. This addition, however,
raises the issue of defensive actions that can be interpreted as offensive in
nature especially if they intrude on people’s privacy.
Uncertainties—Risk and
Oversight
Even well planned cyber
operations present risks to innocent third
parties. These can be managed but never eliminated entirely. Cyber is an uneven
domain, offering opportunities for less capable entities to challenge
apparently stronger adversaries. What does this mean for the early detection of
cyber threats?
While participation in cyber alliances like
the Five Eye nations group provides
intelligence about common threats, the interdiction of these threats at the
national level must still be executed in the context of national laws. However,
concerns with privacy and
civil liberties overlap with the risk management requirements of cyber
operations—both at home and abroad.
This apparent overlap can lead to perceived overreach when
responding to cyber threats. Enhanced surveillance of networks for detection
necessarily means greater risk to personal privacy from surveillance by the
government.
C-59’s
proposed joint Department National Defence and Foreign Affairs (DNDF) ministerial concurrence on cyber operations
is an important threshold governing future developments in cyber operations. It
is here that Parliamentary oversight of strategic policies and plans developed
by the Communications Security Establishment (CSE) and Department of National Defence (DNS) can have
its most significant impact. It provides clearances to parliamentarians so that
they can achieve deeper understanding of an issue not typically shared with
them in their roles as Members of Parliament is essential.
The mechanism devised in Canada tracks well with the oversight
committee models adopted in other Five Eyes capitals. Liaison among these
legislative oversight agencies might offer an additional means to deepen
collaborative frameworks beyond executive to executive and military to military
channels.
Implications
Canada’s
adoption of a more transparent policy on its cyber capabilities and mission
requirements is a notable achievement for the Trudeau government in this particular
Bill. Also significant are the experiences of other Western countries that have
traveled the same path toward institutionalized cyberspace capabilities that
are in the form of national strategies, purpose-designed agencies and executive
level oversight mechanisms. The interaction of national and allied cyber plans
will require novel mechanisms to ensure interoperability and deconfliction of
activities.
Further,
oversight at the national level will be challenged by the historically
closely-held relationships among Five
Eyes’ nations defense and intelligence establishments, which are not
frequently the subject of a parliamentary review. It is likely that the Bill
C-59 vision is just the opening gambit in a more-lengthy formulation and
revision process for enhanced government oversight of cyber operations and
associated intelligence activities.
I apologize for the complexity of this article but that is the way
I received it however, I made some word changes to simplify the descriptions
without changing the meanings.
No comments:
Post a Comment