Sunday, June 19, 2016

Twenty years of OCSEC

Today is the twentieth anniversary of the establishment of the Office of the CSE Commissioner (OCSEC). The first CSE Commissioner, Claude Bisson, was appointed on 19 June 1996.

Since 1996, there have been six CSE Commissioners:
  • Claude Bisson (1996-2003)
  • Antonio Lamer (2003-2006)
  • Charles Gonthier (2006-2009)
  • Peter Cory (2009-2010)
  • Robert Décary (2010-2013)
  • Jean-Pierre Plouffe (2013-present)

OCSEC has been the subject of a lot of criticism over the past two decades, some of it justified and a lot of it not.

Here's one of my own contributions to that literature. (You can decide for yourself whether it falls into the justified or unjustified camp.)

Such criticisms shouldn't blind us to the vitally important role that OCSEC has played over the years in reinforcing an ethos of legal compliance at CSE and ensuring that mechanisms to monitor and assess that compliance are established and implemented. But a strong case can be made that CSE's review body—like those of the Canadian security and intelligence community as a whole—is in dire need of improvement.

Kent Roach and Craig Forcese argue that OCSEC and the review bodies for CSIS and the RCMP should be combined into a single agency that would monitor all components of the Canadian security and intelligence community, as part of a wider set of accountability improvements ("Bridging the National Security Accountability Gap: A Three-Part System to Modernize Canada's Inadequate Review of National Security," Ottawa Faculty of Law Working Paper No. 2016-05, 31 March 2016).

Wesley Wark's recent comments on the future of review ("Canada’s spy watchdogs: Good, but not good enough," Globe and Mail, 1 February 2016) are also worth reading.

The Trudeau government took a major step towards implementation of one aspect of this reform agenda with the introduction on June 16th of Bill C-22, which will establish a committee of parliamentarians to review the S&I community as a whole. (See Forcese's comments on that step here.)

Other changes may be yet in the offing.

For the time being, however, the future of the 20-year-old OCSEC remains undecided.

Friday, June 10, 2016

Australia's participation in Pine Gap



Yet another paper in our on-going series on the SIGINT station at Pine Gap, Australia:

Desmond Ball, Bill Robinson, and Richard Tanter, "Australia’s participation in the Pine Gap enterprise", NAPSNet Special Reports, June 8, 2016. Full text here (1.7 MB PDF).


Earlier reports:

- Desmond Ball, Bill Robinson, and Richard Tanter, "The Antennas of Pine Gap", NAPSNet Special Reports, February 21, 2016;

- Desmond Ball, Bill Robinson, and Richard Tanter, "Management of Operations at Pine Gap", NAPSNet Special Reports, November 24, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The SIGINT Satellites of Pine Gap: Conception, Development and in Orbit", NAPSNet Special Reports, October 15, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The Higher Management of Pine Gap", NAPSNet Special Reports, August 17, 2015; and

- Desmond Ball, Bill Robinson, and Richard Tanter, "The militarisation of Pine Gap: Organisations and Personnel", NAPSNet Special Reports, August 13, 2015;

- Desmond Ball, Bill Robinson, Richard Tanter, and Philip Dorling, "The corporatisation of Pine Gap", NAPSNet Special Reports, June 24, 2015.

More to come!


Thursday, June 09, 2016

Moritsugu appointed DG Military SIGINT

According to DND ("The Chief of the Defence Staff announces additional Canadian Armed Forces General and Flag Officer senior appointments, promotions, and retirements," Department of National Defence, 9 June 2016), CFIOG Commander Col Steven Moritsugu has been promoted to Brigadier-General (acting while so employed) and appointed "Director General Defence Military Signals and Intelligence" [sic] at CSE, i.e., DG Military SIGINT.

Moritsugu replaces BGen Martin Girard, who became DG Military SIGINT in 2014.


Saturday, June 04, 2016

Going dark(er): CSE employee numbers no longer published

The federal government has published statistics on-line on the number of employees in its various departments and agencies since at least 2005. The statistics in this "Population Affiliation Report" were updated monthly, and the Communications Security Establishment was among the agencies whose staff numbers were reported.

The CSE numbers provided an important way to keep track of the evolution of the agency—one of the very few ways available. To prevent their disappearing into the memory hole I made a point of recording these monthly numbers on this blog. (Here are the earliest and most recent examples.)

Unfortunately, the February 2016 numbers, which were published in March, look like the last ones we are going to get. The Treasury Board Secretariat has stopped publishing the statistics.

According to the reply I received when I asked the good folks at TBS why the numbers had stopped appearing, the "internal sources" that the report draws from are currently under review. A public update on plans for the report is promised at the end of the summer, but it doesn't sound like the prior practice is going to pick up where it left off.

The shutdown applies to the entire Population Affiliation Report (i.e., to all the departments and agencies), and I don't see any reason to think that it was intended specifically to stop the reporting of CSE's employee counts. But it certainly has had that effect.

The blackout comes at an unfortunate time, as just a couple of months ago the agency's new minister, Minister of National Defence Sajjan, directed CSE to "find new opportunities to communicate with the public more openly about their activities."

So far, CSE's primary response to that directive has been to launch a Twitter account featuring links to the agency's website and lighthearted comments on donuts. It has not inspired them to reverse the significant shutdown in public reporting that took place in 2011.

And I would venture to guess that those new communications opportunities will also not include monthly reporting on CSE's employee counts.

It may be that the Treasury Board's review will lead eventually to such statistics being accessible in some other form, in keeping with the broader trend towards greater public access to government data and the professed philosophy of the new Liberal government.

But for now, at least, the public picture of what goes on at Canada's national cryptologic agency just got a little bit darker.



Thursday, June 02, 2016

Mistaken metadata-sharing went on for years

The CSE Commissioner's classified report on CSE's bungled metadata-sharing program, parts of which have been made public during the BCCLA's lawsuit against CSE, indicates that the agency's failure to properly remove information that could identify Canadians went on for years and involved both DNR (phone-related) and DNI (Internet-related) metadata.

From the Globe and Mail's report (Colin Freeze, "Spy agency accidentally shared Canadians’ data with allies for years," Globe and Mail, 1 June 2016):
The confidential report was written by Jean-Pierre Plouffe, a retired Quebec judge who heads the Office of the CSE Commissioner, the spy agency’s watchdog agency. In it, he suggests the unlawful seepage of Canadians’ phone and Internet records to foreign intelligence agencies could date back to the mid-2000s, and that the overall amount of compromised material is unclear.

Given this, Mr. Plouffe is urging Parliament to pass laws spelling out how it wants the spy agency to function. “As CSE’s collection posture has strengthened, … the volume of metadata collected has increased considerably,” Mr. Plouffe writes in his 2015 report. He urged federal politicians to give clearer direction on surveillance.

“Metadata” are logs of communications without the content of the conversation. The watchdog’s report reveals that, during its international spying, CSE has been capturing phone logs and sharing them with allies since 2005. Internet logs have been shared since 2009.

In 2014, CSE suspended sharing both sorts of records when it realized its automated systems had failed to scrub out what it calls the “Canadian identifying information” that turned up in the wider mix. Mr. Plouffe, who has the last word on such matters, eventually ruled that although CSE’s system failures were inadvertent, they violated the Privacy Act and National Defence Act. ...

The report reveals that CSE refers to the phone logs it collects as “Dialled Number Recognition” (DNR) metadata. The agency started sharing such material with Five Eyes allies in 2005, thinking it had devised ways to automatically strike out telling portions of any Canadian phone numbers that turned up.

Then, starting two years ago, CSE discovered that “DNR metadata was not being minimized properly,” according to the watchdog report. Mr. Plouffe added: “CSE is unable to determine how many systems were impacted and for how long.”

CSE calls the Internet logs it collects “Digital Network Intelligence” (DNI) metadata, and this material can consist of e-mail addresses and Internet protocol addresses that indicate who is communicating to who.

A scrubbing system was developed for that material as well – but this, too, failed. “DNI metadata was being shared with [Five Eyes] Second Parties … with minimization applied to Canadian e-mail address fields, but no minimization applied to Canadian IP address fields,” Mr. Plouffe writes.

He adds that “CSE was under the impression that minimization was taking place, when in fact it was not.”

The spy agency suspended sharing when the problems were discovered in 2014, and apparently have not resumed it.
CSE Chief Greta Bossenmaier confirmed in testimony to the Standing Committee on National Defence on May 19th that, as at that date, metadata-sharing has not yet resumed.

Update 3 June 2016:

- Michelle Zilio & Colin Freeze, "Ottawa accused of breaking intelligence agency transparency vow," Globe and Mail, 2 June 2016.

- "The 'top secret' surveillance directives," Globe and Mail, 2 June 2016.

- Brian Gable, "On with the day" (editorial cartoon), Globe and Mail, 3 June 2016. Another example of "Canadian Security Establishment", sadly.

- Jim Bronskill, "Court disclosure could mean spy allies cut Canada off, CSE warns," Canadian Press, 3 June 2016.

- "Media Release: Civil Liberties Watchdog Fights in Federal Court for Release of Documents on Illegal Spying On Canadians," British Columbia Civil Liberties Association, 2 June 2016.


Saturday, April 30, 2016

Recent items of interest


Recent news and commentary related to CSE or signals intelligence in general:

- Matthew Braga, "Canada Needs to Revive the Encryption Debate It Had in the 1990s," Motherboard, 26 April 2016.

- "Minister Sajjan delivers keynote address at the 2016 SINET IT Security Entrepreneurs Forum," Government of Canada news release, 20 April 2016. Text of the speech here. [Update 6 May 2016: I don't know where the Minister or his speechwriters got the idea that CSE has been around for "close to 75 years". CSE (then called CBNRC) was born on 1 September 1946, or close to 70 years ago.]

- Alex Boutilier, "Canada’s spies closely watching quantum tech developments," Toronto Star, 20 April 2016.

- Victoria Ahearn, "5 moments from The Good Wife’s visit to Toronto," Canadian Press, 18 April 2016. CSE makes a cameo appearance in the U.S. TV series The Good Wife. But they got the CSE badge wrong (HT to Justin Ling).



- Jordan Pearson & Justin Ling, "Exclusive: How Canadian Police Intercept and Read Encrypted BlackBerry Messages," Motherboard, 14 April 2016. See also Justin Ling & Jordan Pearson, "Exclusive: Canadian Police Obtained BlackBerry’s Global Decryption Key," Vice News, 14 April 2016; Jordan Pearson, "Canada Desperately Needs to Have a Public Debate About Encryption," Motherboard, 14 April 2016; and Justin Ling, "BlackBerry's CEO Won’t Answer Media Calls, Instead He Blogged About Cooperating With Canadian Cops," Vice News, 18 April 2016. Chen's blog post. CSE's March 2011 warning on the (in)security of Blackberry PIN-to-PIN messaging. Chris Parsons on the vulnerability of BlackBerry messages.

- Ben Makuch, "The 'Darth Vader' of Cyberwar Sold Services to Canada," Vice News, 11 April 2016.

- "Spy Shit," Canadaland podcast episode 129, 10 April 2016. Matt Braga and Jesse Brown discuss "the Panama Papers, CSIS, C-51, and Ben Makuch's ongoing battle with the RCMP". Well worth a listen, but the statement (at about 13:50) that the CSE Commissioner has never declared CSE in violation of the law is not correct.

- Leslie Young, "Former CSIS head Richard Fadden says Canada could someday carry out cyber attacks," Global News, 6 April 2016. More here.

- Sunny Dhillon, "Edward Snowden's talk in Vancouver had an 'electric quality'," Globe and Mail, 6 April 2016.

- Ron Deibert, "My conversation with Edward Snowden," Ronald Deibert blog, 3 April 2016. Video here: "Fireside Chat: Ron Deibert, Edward Snowden & Amie Stephanovich," RightsCon, 1 April 2016. Interesting Snowden comment: "It's true, [CSE's] oversight is hideous, because it was never really thought about. But there's a reason for that. In my experience of the Five Eyes, the Canadian intelligence services were always the least aggressive, they were the least adventurous, they didn't really push the legal boundaries. It was difficult to target Canadians, legally and so on and so forth, for surveillance. And it wasn't until the recent government—I'm not Canadian so I'm not going to name [garbled], I believe it was the Harper government—that things really started to change and oversight became much more important because they became much more aggressive in a short period of time."

- Alex Boutilier, "Canada’s spy agencies looking to work together more, say top secret documents," Toronto Star, 2 April 2016.

- Jim Bronskill, "Government instructions to CSIS on bill C-51 to remain largely secret," Canadian Press, 27 March 2016.

- Jim Bronskill, "Federal agencies sharing information under Bill C-51 provisions," Canadian Press, 24 March 2016.

-Ian MacLeod, "Spy agency watchdog ‘in a difficult position’ with huge budget cuts looming," Ottawa Citizen, 24 March 2016. Possibly a sign the government is planning a major overhaul of the various review agencies?

- Colin Freeze, "RCMP, CSIS see no significant support for operations from federal budget," Globe and Mail, 23 March 2016.

- Colin Freeze, "B.C. multimillionaire pleads guilty to hacking into U.S. military for China," Globe and Mail, 22 March 2016.

- Kyle Matthews & Chantalle Gonzalez, "Our mission against ISIL has one major flaw — it ignores the Internet," National Post, 22 March 2016.

- Dylan Robertson, "Canada Doubles Spending on Counter-Radicalization," Vice News, 22 March 2016.

- Matthew Braga & Colin Freeze, "Agencies did not get federal authorization to use surveillance devices," Globe and Mail, 11 March 2016.

- Emma Loop, "The Drone And The Damage Done: How Canada’s UAV Operation Wounded Its Own," Buzzfeed, 16 March 2016.

- Karen DeYoung, "Canada to boost its advise-and-train mission, intelligence capabilities in Iraq," Washington Post, 11 March 2016.

- B.C. Civil Liberties Association et al., "The necessary components of an effective and integrated national security accountability framework for Canada," 9 March 2016.

- Susan Lunn, "Ralph Goodale says Ukraine cyberattack caused 'international anxiety'," CBC News, 8 March 2016.

- Alex Boutilier, "Cyber security review still in early days, Public Security officials tell Senate," Toronto Star, 7 March 2016.

- Peter Zimonjic, "CSIS head says new powers to disrupt plots used almost 2 dozen times," CBC News, 7 March 2016.

- Colin Freeze, "Documents reveal CSIS wary of Bill C-51 reforms," Globe and Mail, 3 March 2016. The documents.

- David Christopher, "Adopting the UK model won't be enough for Ralph Goodale to address Canada's spy oversight woes," OpenMedia, 26 February 2016.

- Editorial, "Give Parliament the power to scrutinize spy agencies," Toronto Star, 24 February 2016. Response from CSE Chief Greta Bossenmaier.

- Matthew Braga, "Why Canada isn’t having a policy debate over encryption," Globe and Mail, 23 February 2016.

- Alex Boutilier, "Canada’s spies expecting a budget boost," Toronto Star, 23 February 2016. More on CSE's budget here.

- Amanda Connolly, "‘It’s impossible’ to know impact of CSE metadata glitch: commissioner," iPolitics, 22 February 2016. More here.

- Alex Boutilier, "CSE can assist in ‘threat reduction’ without a warrant, documents show," Toronto Star, 20 February 2016.

- Daniel Lang, "Why don't we charge more people with terrorism?" Toronto Sun, 19 February 2016.

- Lucas Powers, "Apple's encryption battle with the FBI could spill into Canada," CBC News, 19 February 2016.

- Bruce Campion-Smith, "Canada’s spy agency CSIS gears up for expanded role in Islamic State fight," Toronto Star, 18 February 2016.

- Luc Portelance & Ray Boisvert, "It’s time for Canada to get serious about national security," National Post, 16 February 2016. See also Stewart Bell, "Canadian security agencies under strain while threats have ‘seldom been so high,’ former senior officials say," National Post, 16 February 2016.


Also of interest: CSE now has a twitter feed. Maybe this is what the Minister had in mind when he said he has "directed CSE to find new opportunities to communicate with the public more openly about their activities." I can't say it has done much to demystify the place so far. I have a suggestion that I've made in the past, but which I think bears repeating. How about reinstating the degree of public reporting that existed prior to November 2011, when CSE became a stand-alone agency?

Do "old" opportunities not count?


SIGINT history:

The word on the grapevine is that CSE, in a fit of brainlessness some time ago, destroyed the only copies of A History of the Examination Unit: 1941-1945, Gilbert Robinson's July 1945 history of Canada's first cryptanalytic organization. If true, the significantly redacted but still somewhat useful version released many years ago under the Access to Information Act, preserved by me and presumably some other folks, may be all we have left. I'd be very pleased to report that this is not true and the document does still exist in its complete form.

Saturday, April 16, 2016

Canada and cyber war


Should Canada have an offensive cyber war capability? Comments by former National Security Advisor Richard Fadden, who retired at the end of March, suggest that Canadians need to debate this question.

Fadden raised the issue in a recent wide-ranging interview with Tom Clark of Global News. (You can watch the interview here.)

The discussion unfortunately conflated the concepts of cyber attack (also known as Computer Network Attack) and cyber spying (Computer Network Exploitation). Chinese cyber espionage operations against Canadian targets were described as "cyber attacks", for example, as if the operations were attempting to destroy or damage Canadian data or systems, or even the physical infrastructure they control, rather than simply trying to steal information.

This blog does not endorse pedantry for the sake of pedantry, but in this case a little terminological clarity would be helpful.

Computer Network Operations are commonly divided into three kinds of activity: Computer Network Attack (CNA), Computer Network Defence (CND), and Computer Network Exploitation (CNE). Stealing information falls into the category of Computer Network Exploitation.



As the diagram above shows, there are important overlaps between these three activities. CNE can be used to find vulnerabilities in an adversary's systems and prepare the ground for CNA. CNA can contribute to the effectiveness of CND. CND can collect information about adversary capabilities that can be used to support CNE operations.

All three activities draw on the same kinds of capabilities and can be used to support the others.

But there is still a crucial distinction to be drawn between cyber espionage and cyber war. One is spying, and Canada—through CSE—is already deeply engaged in it. The other seeks to damage or destroy data or information systems or even, potentially, to destroy physical objects and kill people. Cyber warfare can range from simple disruption, interfering with the communications of a terrorist organization for example, to total war.

Should Canada develop a cyber war capability?

“It may well be that in some circumstances it’s something that we’d want to do,” Fadden suggests in the interview.

But he also says it would be "expensive and dangerous", and he argues for greater emphasis on CND: "Personally I think we should be better at defensive. Really develop our capacity to resist these attacks and to make sure that people understand the level of threat that we’re under."

So, put him down—tentatively at least—as a cyber war skeptic.

It all sounds very hypothetical.

But I suspect Fadden chose to raise the issue because Canada is moving rapidly towards creating a CNA capability, and it is doing so largely in the dark, with very little public awareness or debate.


NITRO ZEUS: CNA against Iran

Recent revelations about U.S. and Israeli contingency plans for a major cyber war campaign against Iran highlight the extent to which CNA capabilities are moving from the theoretical to the real.

The Stuxnet worm, which the U.S. and Israel used to damage and delay Iran's uranium enrichment program, is the best-known example of a state-sponsored CNA operation.

But Stuxnet was only the tip of the iceberg. According to the New York Times (David E. Sanger & Mark Mazzetti, "U.S. Had Cyberattack Plan if Iran Nuclear Dispute Led to Conflict," New York Times, 16 February 2016), preparations were made for a much wider range of attacks against Iran's "air defenses, communications systems and crucial parts of its power grid" in the event that the dispute over Iran's nuclear program escalated into open use of force.

Preparations for the campaign, codenamed NITRO ZEUS, began in early 2009, and ultimately involved "thousands of American military and intelligence personnel, spending tens of millions of dollars and placing electronic implants in Iranian computer networks to “prepare the battlefield,” in the parlance of the Pentagon."

The operation was envisaged as an adjunct, or possibly an alternative, to a traditional military campaign against Iran. Bringing Israel on board was seen in part as a means of restraining the Netanyahu government from launching a unilateral attack that might prematurely foreclose options for resolving the dispute diplomatically. (More about NITRO ZEUS here.)

Unlike traditional military contingency plans, which normally don't involve actual operations within the target country prior to a decision to go to war, preparations for cyber operations require prior entry into the systems that ultimately would be attacked in order to choose targets, ensure access at the moment of attack, and maximize the effects of the operation. Thus, although the cyber warfare plan was never executed, preparations within the Iranian cyber infrastructure undoubtedly took place.

Similar contingency plans are probably also in place for other potential adversaries such as China and Russia.

As a close NSA ally and a significant CNE player in its own right—one that we know had active operations in Iran at the time NITRO ZEUS preparations were apparently underway—CSE could not fail to be aware at some level of the presence of the U.S.-Israeli operation, although almost certainly not of its details. If nothing else, NSA would have wanted to ensure that CSE's CNE operations did not interfere with or accidentally expose the NITRO ZEUS preparations.

But there is no evidence of any direct Canadian involvement in the NITRO ZEUS preparations, and there's little reason to expect there would have been any Canadian involvement.


CSE and CNA

This 2013 NSA document describing the state of NSA-CSE cooperation confirms that the two agencies work together on CNE operations in the Middle East, among other regions, but it contains no suggestion that they collaborate on CNA operations.

There are many reasons why the U.S. might want to minimize the number of additional players whose participation would complicate as sensitive and tightly-held a CNA operation as NITRO ZEUS.

But the most important roadblock to such collaboration, at least as far as CSE is concerned, is that CSE has had little or no mandate to conduct CNA activities (although it has shown interest in such capabilities; see p. 22 here).

[Update 19 April 2016: An even better example can be found on p. 23 of this presentation, where CSE says "We will seek the authority to conduct a wide spectrum of Effects operations in support of our mandates."]

The 2015 passage of Bill C-51 has probably opened the way for CSE participation in small-scale CNA activities such as efforts to disrupt the operations of terrorist organizations. Since such activities can now be conducted by CSIS under the "disruption" powers granted to the agency in Bill C-51, CSE's Mandate C, which authorizes it to assist CSIS operations, should provide a legal basis for CSE participation in limited CNA activities under CSIS auspices.

Those powers are unlikely to extend to outright cyber warfare, however. Large-scale activities against the armed forces or domestic infrastructure of an adversary state on the scale of the NITRO ZEUS plan would probably require a different set of authorities.


The Canadian Forces and cyber war

Although CSE's CNE operators might be called upon to provide advice and assistance, large-scale offensive cyber operations would probably be executed by the Canadian Forces acting under the laws of war.

In the United States, a similar division of roles has already been formalized, with the Pentagon's Cyber Command, created in 2010, now responsible for CNA. Although run by the same officer who serves as Director of the NSA and able to draw upon NSA knowledge and resources, Cyber Command is a military organization under military command.

Canada does not yet have a direct equivalent to Cyber Command, but the development of CNA authorities and capabilities has been under discussion within the Canadian Forces for a long time.

A draft strategy paper called on the Canadian Forces to develop the ability to conduct offensive computer operations as long ago as July 2000 (Jim Bronskill, “Cyber-attack capability in military’s plans?” Edmonton Journal, 11 March 2001). [Update 19 April 2016: I am reminded by a reader that early discussions of these issues can be found in documents dating to the mid-1990s.]

But few if any steps were taken in the direction of creating an actual CNA capability for many years. A December 2009 report by DND's Centre for Operational Research and Analysis (CF Cyber Operations in the Future Cyber Environment Concept) confirmed that the CF's network operations were still "not established to conduct offensive network operations".

There is reason to believe, however, that this situation has begun to change.

In April 2011, DND created the position of Director General Cyber to help "develop the military’s future cyber capabilities", potentially including offensive capabilities (Chris Thatcher, "Operationalizing the cyber domain," Vanguard, 26 June 2013).

The current DG Cyber (or DG Cyber Warfare, or DG Cyberspace) is Brigadier General Frances J. Allen, a former Commander of the Canadian Forces Information Operations Group (CFIOG) and an early advocate of CNA capabilities for the CF. (Allen wrote a paper recommending the development of CNA capabilities in 2002 when she was still a lieutenant-colonel. [Update 22 April 2016: I mistakenly said major originally.])

More recently, in September 2015, Defence Minister Jason Kenney implied that such a capability either already exists or soon would, saying, "I think you can reasonably assume that when the military develops a command, it has to have the capability to be both offensive and defensive. Potentially hostile countries need to know that, if they are going to launch cyber attacks against our critical systems, Canada and its allies have the capacity to retaliate." (Justin Ling, "Canada’s Defense Minister Talks Fighting the Islamic State, Arming the Kurds, and Cyber Warfare," Vice News, 28 September 2015)

DG Cyber is not a command as such, but Kenney's comments do suggest that Canada may be close to fielding operational CNA capabilities.

The appointment in early 2015 of a Canadian Forces liaison officer to the U.S. Cyber Command also suggests the potential existence of Canadian CNA capabilities.

The discussion document prepared by the government for the current defence policy review (Defence Policy Review: Public Consultation Document 2016) is uninformative about the state of Canada's current cyber warfare capabilities, but it does at least admit that the question is one that needs to be addressed:
Cyber capabilities can be used to disrupt threats at their source, and can offer alternative options that can be utilized with less risk to personnel and that are potentially reversible and less destructive than traditional uses of force to achieve military objectives. Some of our key allies, such as the US and the UK, have stated that they are developing cyber capabilities to potentially conduct both defensive and offensive military activities in cyberspace. We must consider how to best position the Canadian military to operate effectively in this domain.

CNA versus ISIS

CSE and/or the Canadian Forces may already be operating offensively in the cyber domain in a limited way, conducting CNA operations against the Islamic State.

Fadden floated this possibility in a hypothetical way in his interview with Global:
If we have Canadian troops somewhere around the world, Iraq as an example, and they can use somewhat offensive cyber initiatives in order to reduce the threat that they and allies are facing, I would say that’s not an unreasonable thing for the public service to pull together and ask the government if they want to do.
My own suspicion (see Murray Brewster, "Canada's electronic spy service to take more prominent role in ISIS fight," Canadian Press, 18 February 2016) is that this possibility is considerably less hypothetical than Fadden's comments suggested. The only thing that has been confirmed to date, however, is that CSE is playing a force protection role in Operation Impact.

The U.S. recently acknowledged that its own forces have begun using cyber warfare capabilities against ISIS (Phil Stewart & David Alexander, "U.S. waging cyber war on Islamic State, commandos active," Reuters, 29 February 2016), and, unlike the NITRO ZEUS plan, it seems likely that a Canadian contribution to CNA operations against ISIS would be welcomed by the U.S.


The bigger picture

The development and spread of cyber warfare capabilities poses significant new security problems for Canada and other countries.

In principle, CNA operations can be very precise and limited, but they may also have the potential to produce indiscriminate nationwide or even global effects, destroying or disabling vital infrastructure, paralyzing government operations and economic activity, and causing significant civilian casualties.

The potentially game-changing nature of cyber warfare capabilities has been compared to that of nuclear weapons.

There are of course many important differences between cyber weapons and nuclear weapons. Nuclear weapons pose a true existential threat to human civilization. Cyber weapons might cause catastrophic damage in a worst-case scenario, but they are more likely to be used like conventional weapons to produce much more limited and localized (although not necessarily entirely predictable) effects.

Still, a world with widespread cyber weaponry could prove highly unstable. Cyber weapons pose a significant attribution problem (how do you know who's actually attacking you?), and the barriers to the acquisition of cyber weapons are low, meaning a wide range of states, groups, and even individuals may be able to develop significant cyber capabilities. In addition, the effectiveness of cyber capabilities may depend on maintaining access to and even deliberately introducing vulnerabilities into potential target systems during peacetime, which could end up increasing the likelihood of hostilities. Finally, the huge range of possible damage levels in cyber warfare and the overlap between CNA and CNE activities mean there is no clear threshold between cyber peace and cyber war, and thus the possibility of blundering into an unintended conflict is potentially very high. With no clear agreement on cyber rules of the road, there are many ways even a CNA strategy focused on deterrence could fail catastrophically.

It is not necessary to frame the risks posed by cyber warfare in apocalyptic terms to nonetheless recognize that, as Fadden suggested, CNA activities could be both expensive and dangerous. A focus on defence and resilience may well be the best path to take.

At the very least, Canadians should have an open debate on the pros and cons of taking the cyber war path before the government launches us down that road.


Update 22 June 2016: More from a somewhat less skeptical-sounding Fadden here: Murray Brewster, "Former CSIS head says Canada should have its own cyber-warriors," CBC News, 22 June 2016. Transcript of Fadden's remarks to CBC The Current, 22 June 2016.