Canada's Cyber Defense Not #5 - Correcting the MIT Tech Review
I explain in this short essay what and how they got it wrong about Canada and how inaction risks worsening Canada's defense relationship with the United States
Recently the MIT Tech Review released their global cyber defense ratings, which ranked Canada as the 5th top country contributing to cyber defense.
I am here to tell you and explain how this is completely false.
Canada deserves a good score because of its private sector, but the federal government's policies and direction of cyber defense are ad hoc, shallow, and broadly lack coherent direction or recognition of cyberspace as a threat environment.
On paper, there is much good that Canada has planned, it is working towards a classified defense cloud network in the Canadian Armed Forces (CAF), but last I heard, the estimate for delivery/completion is 2030. There are many reasons for the major delay, but a big one is a misunderstanding of how to treat cyber in the procurement system and governing policies related to the administration of the Department of National Defence (DND)/CAF networks and how to protect them.
This is not to say it is only DND/CAF's fault. Equal, or perhaps more, of the blame goes to PSPC and ISED. Canadian leaders simply are not taking cyber capabilities seriously. They're not taking them seriously as either a capability or the threats they can pose if infrastructure, assets, and systems are not sufficiently defended.
This is coming into direct confrontation with the United States and Canada's plans for NORAD modernization. I already hear you: "Isn't NORAD modernization about new radars to deter new ballistic threats and hypersonics?"
Yes, but I will ask you, in return, how does NORAD intend to do this? New air defense and radar capabilities, yes, but the foundation of NORAD modernization is IT infrastructure and connectivity.
Over the horizon radar is the big toy that is coming, but the foundation of #NORAD modernization is fundamentally about Joint All Domain Command and Control (JADC2). JADC2, more or less, is about connecting everything and everyone and feeding that data to leaders.
The focus of JADC2 is on capturing the data produced by radars, sensors, infantry, etc, automatically processing it with AI/ML, and feeding that data to commanders and those who could use it. Taking this strategic concept's idea to its theoretical logical conclusions, senior military leaders will have visibility over all assets that the military possesses.
Fundamentally, this is all about data and information management. There needs to be an increased emphasis on information security and how to protect these networks and data. This is why Canada and DND/CAF's lack of policy and progress is concerning.
It shows that they are not prepared.
The divide between the infosec community and the government hasn't been bridged in Canada. There is a deep mistrust in the community. Policies by Canada which deprioritize cyber defense and cybersecurity have the dual action of demotivating operators from working in government and the military but also broadly reducing the cyber defense of Canada.
I have to wonder and question which policymakers the authors of the MIT Tech Review report actually consulted with? If they did so as their methodology claims, it highlights that the failure of the federal government begins with not even understanding the threat of inadequate cyber defense in the first place.
How can Canada be taken seriously if it perpetuates a culture which says this is okay?
Foremost, Canadian policy/poor leadership has been the top variable holding back cyber defense and cybersecurity at the federal level. There has not been a whole-of-government approach to this because cyberspace is viewed as a tool, not as a domain that must be managed.
Word is there will soon be a new lead (last I heard in PM's office) to address digitization in the Department of National Defence. I called for a similar position, albeit an L2, in my most recent Canadian Global Affairs Institute article "When Empty Promises are Literally Empty: Canadian Cyber Defence Policy by Ad Hoc."
This move places an even higher level of attention than I even recommended, which is potentially a positive sign, but I am trying not to be overly optimistic.
The bottom line: we need action and movement on this file.
The problem with quantitative approaches like the MIT Tech Review's is that cyber defense cannot be gauged by the baseline. The very nature of cyber defense is that your threat model will differ from others.
Overall, I find the report has many issues, particularly with its methodology and methods. To rely on such models gives an incredibly false assumption of what is occurring and leads to additional poor policy.