Canadian Armed Forces Hunt Forward Operations
An overview of what we know about Canada's hunt forward operations
Russia invaded Ukraine for the second time since 2014 to overthrow the Ukrainian government and install a puppet state for its purposes. What is not talked about as often as it should be is that the opening attacks did not use airborne and traditional long-range standoff capabilities but were cyberattacks, including one against one of the world’s largest global satellite communications organizations. Russia launched malware against ViaSat modems, essentially knocking them offline, because it was the system used by the Ukrainian Armed Forces for command and control. This cyberattack was part of the opening attacks supporting the airborne assault by Russian special forces (VDV), who were initially successful in capturing the Hostomel Airport on the outskirts of Kyiv, a crucial part of Russia’s plans to take Kyiv and end its invasion quickly.
As Russia began moving against Ukraine, the Canadian Armed Forces (CAF) watched closely. As the invasion appeared imminent, the CAF moved its Operation UNIFIER forces in Ukraine to Poland and Latvia, where Canada leads the NATO Enhanced Forward Presence Battle Group Latvia. Operation UNIFIER is Canada’s military training and “capacity building” mission to support Ukraine’s Armed Forces. Noteworthy for cyber analysts during this time was the Canadian government’s first public admission that it was working with the Communications Security Establishment (CSE) to support “cyber security and cyber operations.” What does it mean for Canada and the CAF to support Ukraine with cyber operations through Operation UNIFIER? We do not know. The Government of Canada has not clarified its strategy or views on cyber conflict, or how CSE and the CAF are using cyber operations to defend Canada and its allies. Further, because we know little about when and how cyber operations are being used, it is difficult to assess the reliability or validity of CSE/CAF cyber operations beyond reviewing force structures, doctrine, training, funding, taskings, and ARAs.
Even so, Canada’s deployment of personnel to conduct cyber operations shows that there is some tacit reasoning and thought behind it. At the very least, it shows that Canada and the CAF recognize the validity of hunt forward cyber operations. As a result, it becomes important for the public to track what Canada is doing, from both a transparency and an analytical point of view. This article provides a timeline of statements and actions related to how Canada deploys the CAF to conduct hunt forward operations.
Timeline
Last updated: March 2024
(Please message me or comment if I am missing anything)
January 2022
DND: “In the coming days, an additional 60 troops will be deployed to Ukraine to join the approximately 200 women and men already on the ground, with the ability to increase the total number to 400 CAF personnel. The CAF will also work with the Communications Security Establishment on measures to support enhanced intelligence cooperation and cyber security and cyber operations. This increased support will help Ukraine strengthen its security and ability to defend itself against a range of threats.”
July 2022
Latvia: “CERT.LV, the Information Technology Security Incident Response Institution of Latvia, and Canadian cyber protection experts have successfully implemented a threat hunting operation to assess the integrity of national information and communication networks.
CERT.LV and Canadian cyber security experts carried out joint real-time Threat Hunting Operations on real infrastructure instead of on simulated environments to enhance collaboration and interoperability, and test and develop the existing skill set. Joint teams tested and developed the existing procedures, as well as identifying and eliminating technical and coordination ‘bottlenecks’, thus enhancing cyber protection capacity on both sides.”
November 2022
Latvia: “To carry out this operation, CERT.LV approached international partners, forming a joint cyber team with cyber experts of the Canadian Armed Forces, representatives from the Canadian Cyber Security Center…
The team searched for threats in several critical information systems of the Republic of Latvia. This joint operation was a unique opportunity to test cyber threat intelligence sharing and incident response procedures between several NATO Allies in cyberspace, as well as to further develop operational capabilities and improve interoperability.”
May 2023
USCYBERCOM: “The U.S. team worked in tandem with Canadian Armed Forces and Latvian allies, to support their defensive operations, as well-- marking the first time American and Canadian forces have conducted hunts simultaneously.”
June 2023
DND/CSE Annual Report: The CSE annual report reveals that the Minister of National Defence signed two ministerial orders which designated the “electronic information and networks of Ukraine and Latvia as systems of importance (SOIs) to the Government of Canada.”
July 2023
March 2024
Analysis
As the timeline shows, more is needed to explain the unifying strategy or principle that informs how Canada deploys hunt forward operations. Despite this, it may indicate that Canada’s cyber posture and activities mirror its inactivity in other defense and security matters. To this point, the bulk of such operations have been conducted in connection with Canada’s NATO obligations and its support to Ukraine against Russia’s invasion.
The ministerial orders classifying Latvian and Ukrainian networks as systems of importance clarify an important component of how Canada deploys hunt forward operations. A system of importance is a legal designation that can be declared via a ministerial order from the Minister of National Defence, which makes it possible to “access an information infrastructure designated under subsection 21(1) as an information infrastructure of importance to the Government of Canada and acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure for the purpose of helping to protect it, in the circumstances described in paragraph 184(2)(e) of the Criminal Code, from mischief, unauthorized use or disruption.”
However, it should be noted that this predominantly covers the ability of the Communications Security Establishment to conduct hunt forward operations, as the CAF’s cyber activities have legal justification under Crown prerogative. This is not to say that the CAF is not operating in or assisting with these operations, but that its authorizations are different from those of CSE.
For example, DND announced in January 2022 that the CAF and CSE were deploying to Latvia to support cybersecurity and cyber operations (hunt forward operations). However, the CSE Annual Report 2022-2023 indicates that the Minister of National Defence did not sign the ministerial orders declaring Ukraine and Latvia’s electronic information systems as systems of importance until March 2022. This gap suggests something is missing.
This raises a few questions:
What operations were conducted in January and February 2022 versus March 2022 and later?
(Apart from the invasion) What changed between January 2022 and March 2022 that motivated the signing of these ministerial orders?
Assuming the changing context of Russia’s invasion of Ukraine motivated the change, to what degree does this change authorize active (offensive) cyber operations?
To what degree does a designation of a system of importance allow CAF/CSE to support allied governments versus supporting allied militaries?