Canada is Unprepared for Cyber Warfare
As a witness for the National Defence committee, I explain why Canada is not ready for cyber warfare.
On 10 February, I appeared as a witness before the House of Commons Committee on National Defence for their study on Cybersecurity and Cyberwarfare. My testimony revolved around a discussion of current trends in cyber conflict, but a focus was on Canadian Armed Forces cyber defence and Canadian cyber defence policy.
After the testimony of the CAF’s Cyber Force Commander earlier this week, I am even more certain of my primary point: The Canadian Armed Forces are not ready to face cyber warfare in the event of a conflict.
DND/CAF’s ad hoc and haphazard policies have hindered the CAF’s digital transformation and development of modern information infrastructure and capabilities. This dates back at least a decade, when the DND/CAF’s IT capabilities were gutted and given to Shared Services Canada (SSC).
While this shift was a centralization of services and cost-cutting, the result was a deep indifference to the IM/IT needs of National Defence. In addition, this move of much of the knowledge base and expertise of IM/IT to SSC meant that DND/CAF’s ability to address and undertake digital transformation was severely impacted, which also affected the procurement of advanced cyber defence capabilities.
In addition to the issues of force development, there are major issues with force posture. To use the words of the CAF’s Cyber Force Commander, the Communications Security Establishment (CSE) and CAF have “embedded personnel” as part of their cooperation and interaction. Having one or two personnel that work alongside the other is not what allows a modern military to conduct cyber operations in a war-like scenario. This would be akin to saying that Canada can interoperate with all of its allies using individual liaison officers.
This is a grossly immature way of understanding cyber operations of the type CSE and DND/CAF will conduct. A look at other militaries with more developed military cyber defence capabilities shows that an integrated organization of signals intelligence and military cyber organizations, like US CYBERCOM, is needed for multiple reasons. Such an organization is needed to mediate cooperation between CSE and DND/CAF: who is doing what and why, what needs to be done by whom, and, principally, a close sharing of intelligence. Cooperation has to occur between operators, firing officers, and commanders, not between liaison officers. Any overlap in capabilities would be minor, and each organization would use those capabilities differently from the other. This also helps to professionalize the cyber force by developing greater expertise and learning between CSE, Canada’s present active cyber experts, and the CAF.
There are more mechanisms and processes between Global Affairs Canada and CSE to address cyber defence than between DND/CAF and CSE. This is a serious problem for Canadian cyber defence and Canadian credibility.