Civilian oversight key to offensive cyber operations, says expert

The Canadian military will be compelled to develop if it has not already its own disruptive and destructive cyber weapons for deployment intoan increasingly volatile online world, says a leading security expert.

And the useof those cyber bombs will demand the strict supervision of the country's civilian leadership, says Rafal Rohozinski of the SecDev Group, an Ottawa basedconsultancyspecializing incyber threats.

The Liberal government's new defence policy gives the military the green light to "develop active cyber capabilities and employ them against potential adversaries," which means itwill be able to conduct offensive operations online.

It is unclear how far along the military is in developing its own "destructive" malware programs, or how much it might be piggy-backing off other allies.

Documents released to CBC News under Access to Information legislation last spring talk about "strengthening" cyber capability.

• Canada, NATO defining boundaries of response tocyberattacks
• FormerCSIShead:Canada should have its own cyber-warriors

Rohozinski says the decision to conduct offensive operations came after four years of internal "torturous" debate at National Defence about whether it, or the federal government's secretive electronic eavesdropping agency the Canadian Security Establishment (CSE) should have authority over cyber weapons.

The hesitation had as much to do with jurisdictional boundaries as it did the Canadian sensitivity about "not wanting to say the 'offence-thing,'" he said.

Rohozinskisaid he is certainthat what tipped the balance was the use of cyberattacksin Russia's annexation of Ukraine and the increasing number of "destructive" as opposed to "disruptive" online attacks around the world.

On Friday, the Trudeau government outlined a plan to secure Canada's electoral system for the next campaign, likely in 2019. A CSE reportreleased as part of the government's strategy says the country's democracy is "not immune" to online threats.

Gen. Jonathan Vance, in a recent interview about the defence policy, said it would be "irresponsible" for Canada not to have the ability to hit back against hackers and organizations that already use cyberspace as a battleground.

"It is a domain of conflict right now. We are attacked every day in cyberspace. Every day," said Vance, who went on to use a hockey analogy, saying a team can't play with just a goalie.

"You need to be on the offence to ensure you're not going to get scored on all the time. And you need to be on the offence if you actually want to win something sometimes. You want to win that game."

Non-state threats

The implications of the defence policy, however, are profound in the sense that the federal government is sanctioning attacks usingmalwarethat could potentially be released against other nations,or so-called non-state actors.

• Modernized military will put more emphasis oncyberattacks

The policy says those new kinds of operations "will be subject to all applicable domestic and international law."

But cyber weapons have the potential of being turned back on attackers, said Rohozinski.

It is software code and "a weapon that can only be used once before it's copied,"he said.

"It's not like a grenade. You throw it. It explodes and disappears. When you use malware against someone, they can reverse engineer it."

That makes the decision to use it a politicalas much as a militarydecision.

And just as important, it is a must for the federal government to define "what the cyber weapon will do [and]under what circumstances, Rohozinski said.

Canada has prohibitions on using certain real-world weapons and the same kind of consideration needs to take place for this emerging capability.

"For example: Canada doesn't use cluster munitions. Perhaps we won't use the equivalent of cluster munitions in cyberspace," he said.

Cyber reservists

To what extent the Liberal government has thought about that issue and developed policy isn't clear, but Rohozinski saidsome kind of consultation must have taken place.

"It would be highly surprising if the Canadian government had not participated in both Five Eyes and NATO discussions around this topic prior to announcing a policy that declares anoffensive capability in cyberspace," he said.

The new government policy for the military also makes hiring cyber operators a recruiting a priority.

There is a reference to creating a special forces reserve unit, which Rohozinski saidwould develop offensive cyber capabilities, particularly in the area of information operations.

"That was a bit of a surprise, but uniquely Canadian," he said.

It's important from the point of view of attracting top cyber talent.

There will be a focus on recruiting cyber reservists, who work in the private sector by day, where they earn top dollar, but then also get to put their skills to use with the cachet of being a part-time special forces operator.

"Special operations command has a unique incentive structure and unique selection criteria. And because they are mission-oriented the pointy end of the spear their ability to motivate people beyond monetary remuneration is pretty significant," said Rohozinski. "Taking that approach to cyber warriors is pretty unique and a pretty clever thing to do."