Evidence of meeting #38 for National Defence in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Rafal Rohozinski  Principal, SecDev Group
Nadia Bouffard  Deputy Commissioner, Operations, Canadian Coast Guard, Department of Fisheries and Oceans
Gregory Lick  Director, Operations Support, Canadian Coast Guard, Department of Fisheries and Oceans

3:35 p.m.

Conservative

The Chair Conservative Peter Kent

Good afternoon, colleagues. As you know from the notification of the orders of the day, we are here pursuant to Standing Order 108(2) to continue our study of the defence of North America.

We have two witnesses today, one in each of the following hours. In this hour from the SecDev Group we have Rafal Rohozinski, a principal of the organization, to address the issue of cybersecurity. Thank you very much for being here.

Mr. Rohozinski, your opening remarks please.

3:35 p.m.

Rafal Rohozinski Principal, SecDev Group

Thank you very much.

Thank you to the members of the committee. It is truly a privilege to address you today on the topic of cybersecurity.

By way of background I am not just a principal of the SecDev Group, which is a Canadian company that works at the intersection of technology and security and has actively worked in an operational capacity in the cyber domain on behalf of the U.S. and U.K. governments in particular. I am also a senior fellow at the London-based International Institute for Strategic Studies, where together with colleagues from the government community we have addressed the more intricate policy implications of both cyber and how it crosses over with other forms of insecurity including hybrid warfare and transnational crime.

Let me start perhaps unconventionally by indulging you in a bit of a story. Last week when I was travelling to the Middle East I was woken up in the morning by an application on my iPhone. As I ate breakfast I watched Russian television streaming on my iPad. On the way to the airport I took an important phone call using an encrypted voice application called Silent Circle to speak securely with my colleagues in the Middle East. As I approached the airport my electronic boarding pass automatically popped up in another application to swiftly get me through security procedures.

What's unusual about this story? Perhaps nothing because everything I've described here one or all of you have experienced in your everyday lives. The unusual thing is that none of these technologies existed five years ago. That's the point. The speed and depth at which the digital world has colonized the physical world is astounding. Twenty-five years ago there were perhaps 14,000 people connected to the Internet. Today over a third of humanity is connected to broadband Internet and there are more cellphones on the planet than there are human beings. This has a significant and profound impact on all of our societies.

Our dependence on digital technologies and networks has expanded faster than our ability to design rules and regulations or adapt existing laws and practices to this new environment. We live in an era that we at SecDev have described as open empowerment, where the ability of individuals to act has scaled faster than the ability of institutions to adapt. The positive side of this empowerment has been perhaps the greatest leap forward in human knowledge ever. More people are empowered to make decisions over their lives through access to information and knowledge than at any other point in human history.

At the same time with great empowerment has come great risk, and these risks are not just those implicit to technical failure or manipulation in a malfeasant manner of information in the information systems on which we depend and which are evident in the kinds of stories that are making regular headlines telling of major breaches of privacy, data loss, data thefts, and other compromises of critical information and communication systems.

There are also important risks implicit to a silent rewriting of the social contract between individuals and states that have emerged as more and more of our everyday lives are now mediated through or assisted in the cyber domain. The risks implicit to these normative challenges are perhaps as complex, if not more so, than the technical challenge of dealing with vulnerabilities and insecurities to our critical digital infrastructure.

Perhaps to illustrate a point, currently Canadian workers who work in bricks and mortar institutions such as car plants or other factories can legally engage in labour action that may involve picketing their workplace. In other words, denying access to new non-union workers or clients to their place of work. But what if that place of work is not a bricks and mortar institution but rather a virtual business, maybe a website rather than a storefront? If workers in this environment decided to deny access to their place of work in cyberspace, say using a denial of service attack, this would be considered a criminal act.

The point here is not to equate a computer denial of service attack with a picket line but merely to point out that there are certain rights and norms that we have struggled decades to establish in physical space that do not have a comfortable or meaningful equivalent in the cyber domain.

Cybercrime also faces us with other challenges to our existing normative order. Criminality in cyberspace, whether directed at individuals or at states, leverages the globally contiguous nature of the cyber environment in order to create a jurisdictional nightmare for law enforcement agencies forced to pursue these cases. Put bluntly, cybercriminals can use the absence of a global convention on cybercrime and agreement among law enforcement agencies to effectively put their activities beyond the reach of national law enforcement. The situation is perhaps viewed best by way of analogy.

During the prohibition era in the U.S., most policing was organized on a local basis. Bootleggers and rum-runners used the absence of a unified legislation or convention across state or national borders to circumvent the reach of local law enforcement authorities. The result was the emergence of national policing in the U.S., and unfortunately doing the same for cybercrime would require a global agreement for which there is very little opportunity at present.

The cyber environment has significant impact for Canadian national security for other reasons. If Canada is a country that was forged by the iron rail, today Canada's economy is held together by the glass fibres of the digital web. Put simply, Canada is the first country of cyberspace because of our geography. Commerce, governance, as well as everyday life, are dependent on telecommunications and the Internet. In this respect cyberspace is a national strategic asset whose disruption or vulnerability to disruption represents a significant risk to national security far greater than that of other physical threats to economic and territorial integrity.

Here I would add that the risks and threats are not just to cyberspace, but what cyberspace enables, including critical infrastructure and important access to knowledge including genetic, biological, and other areas of science, which in themselves represent unique and important risks to our increasingly complex and technologically dependent societies.

Defending cyberspace is not an easy task. First and foremost this is a synthetic environment that was built for resilience and not for security. Unlike land, air, sea, or space, cyberspace requires constant and continuous attention at the technical, code, and regulatory levels to simply exist. Changes within any of these three levels can cause significant changes to the synthetic environment with cascading impacts for commerce, governance, and everyday life.

While it is sometimes said that cyberspace has no centre, I would argue this is not the case. Cyberspace has its physical manifestation in the switches, routers, and cables operated by the telecommunications industry. Ironically, telecommunications remains among the most regulated industries in Canada and among the G-7 countries, yet very little has been done to leverage the provisions of the existing Telecommunications Act to compel or incentivize operators of this infrastructure to take steps to limit the vulnerabilities that exist within this domain.

Quite simply, many of the critical vulnerabilities implicit to Canadian cyberspace could and should be addressed at the level of operators of the infrastructure where the patterns of malfeasance, the things that make malfeasance work, are best seen and addressed at scale. Thereafter better coordination and cooperation between and within agencies of government and the private sector would go a long way to building a greater resilience into Canadian cyberspace, increasing confidence, and minimizing the potential for catastrophic or black swan events.

I'll turn briefly to the military aspects of cyberspace and its importance for cybersecurity. The critical dependence that advanced industrial societies have on cyber infrastructure, including the way we've chosen to structure and gain efficiencies out of our national defence institutions means that cyberspace has become an active zone of experimentation and development of capabilities, both offensive and defensive. Whether we wish cyberspace to become the domain of military activity or not, the reality is that it will as it offers threat actors—be they states, transnational criminal organizations, terrorist organizations, or superpowered individuals—the ability to create and generate sustained effects. Put simply it offers them an opportunity to leapfrog generations of industrial warfare and to compete on a global scale in the ability to muster the use of force to further political effects.

Our modern military is leveraged on technology. A few years ago I had the privilege of running a senior workshop at the Center for Strategic Leadership at the U.S. Army War College. One of the questions that was asked to a highly selected group of individuals from across the defence and intelligence communities was whether we could rerun the invasion of Normandy today given our current force structure. The answer to the question was no, because we have done away with whole levels of staff positions and functions that are now made possible through technologically mediated processes. Quite simply, we don't have enough trained people to do all the tasks manually.

If this is the case today, in the future operating environment with increased reliance on automated technologies, the risks and vulnerabilities implicit through the technical environment will only increase.

What is also perhaps notable about the use of cyberspace and its military dimension is that the threshold for generating effects does not require the resources available to a state. Groups as disparate as the drug gangs of Latin America and the so-called Islamic State can generate significant effects in and through cyberspace in pursuit of their political agendas. I'll simply put one example here. Last year not the Islamic State but a group aligned with the Syrian government successfully hacked into the AP Twitter stream and put out a false message that the White House was under attack and President Obama had been injured, which caused a 150-point, $1.36-billion drop in the stock markets for a period of three minutes. This was a short-term effect, but this was still a strategic information effect, and I think what we see here is a road map for the future.

What is important perhaps to take away from this larger more complex discussion is that cyberspace operations as understood by many of our peer state and non-state actors are not limited to operations through the network domain but incorporate an understanding of leveraging the information domain as a means of generating effects. This concept is important given that for the most part our tendency in the west—and by this I mean also the Canadian Forces—has been to see information operations and computer network operations as two separate silos. Doing this, I would argue, is a mistake.

Finally, in closing, I'd like to make the observation that despite the vulnerabilities and insecurity that may emanate from an infrastructure that has so deeply and pervasively colonized our everyday lives, governance, and commerce, cyberspace benefits open societies. Therefore, it benefits our national security to maintain it as an open commons. Greater security is not served by building digital borders, fences, or enclaves; rather it is served by taking a more intelligent and intelligence-led approach to understanding the nature of the risks, threats, and opportunities that emanate in and through cyberspace and by developing capabilities and mechanisms within and outside the public sector to ensure resilience and the ability to act decisively in and through this domain in defence of our national interests.

I thank you for your attention and welcome your questions.

3:45 p.m.

Conservative

The Chair Conservative Peter Kent

Thank you very much, Mr. Rohozinski.

We'll now commence the first round of questioning with seven-minute slots.

Mr. Norlock, go ahead, please.

November 20th, 2014 / 3:45 p.m.

Conservative

Rick Norlock Conservative Northumberland—Quinte West, ON

Thank you very much, Mr. Chair.

Thank you to the witness for attending today.

My first point is a little comment regarding my experience with those beautiful things called computers and malware and all those other things you buy. You pay $150 for some sort of antivirus software and you put it on and if you don't keep it up every week somebody finds a way of circumventing it. I take it from your testimony that no matter what we come up with today, maybe 10 days from now somebody will come out with some way of overriding or getting around the kind of net you put up to protect yourself. I'd like you to make a comment on that and work it into the following questions.

In Canada of course, we have Public Safety, which is the lead agency for our cybersecurity. I'd like you to comment on the extent to which you think it's appropriate to compare our cybersecurity with that, let's say, of the United States, which recently developed Cyber Command or USCYBERCOM as a centralized command for their cyber operations. If you could comment on those themes, I'd appreciate it.

3:45 p.m.

Principal, SecDev Group

Rafal Rohozinski

Sure. Thank you very much for the questions.

With respect to your first question, yes, I think we have to recognize the fact that one of the costs of openness is the fact that the environment itself will always provide a degree of insecurity. That's absolutely right. The problem, however, is that the nature of the kinds of threats that exist in malware code can be aggregated and seen when you look at them at scale. In other words, that which affects your computer that's difficult to detect is actually much better viewed by someone who's providing you your services and can see multiples of the same thing happening at the same time.

This is where I would come back to the comment that I made in my testimony, that we have not really leveraged where that sort of concentration point actually exists, the point of seeing the risk and threat that affects individuals. In Canada, 95% of what we call cyberspace is actually operated by a single operator, Bell Canada. It's through a variety of different mechanisms, but the reality is that there's a high concentration of it. There are telecom regulations acts, as they exist currently, to compel those operators to work in certain ways—interchange, etc. Security is not one of those things. In other words, we have not used the most valuable mechanism that we have already on the books as a way of being able to address what you might call the “95% problem” of a dirty ecosystem that is currently polluted by opportunistic cybercrime, for which we pay $150 to hopefully be able to defeat on our individual computers.

By way of background we, SecDev, participated in a study with Bell Canada that tried to look at the scale of what you might call malfeasant behaviour existing online. This study was done a couple of years ago now. We found that at any given time between 5% and 12% of all devices connected to the Internet belonged to a botnet. In other words, they were under the control of some form of malfeasance software, which was not intended by the operator of the system itself. This is a fairly significant problem. The fact that we haven't regulated or incentivized the telecommunications industry to provide that first line of defence, I think, is one of the critical failures that we've had in addressing cybersecurity.

With the question of—if I understand the question correctly—who should be leading on the cybersecurity portfolio, I think if I look across our colleagues in the Five Eyes, one thing has happened there that has not happened in Canada. In Canada, the issue of cybersecurity has not been elevated to a national security priority—in other words, something that works across the interagency or the intergovernment, as they call it in the U.S. In the U.S. there is an executive-level entity that looks after coordination of cybersecurity across the whole of government. Similarly, in the U.K. the mechanisms that bind together their version of public safety, their version of CSE, and industry are far stronger and far better developed than they are here at the moment.

I think, in answer to your question directly, we do need Public Safety Canada to be taking a lead in terms of the coordination of cybersecurity as it applies to aspects of public safety and security, meaning the interface between the public and the private sector. We equivalently do need to have an institution that provides those capabilities on the military side, which I don't think we currently have.

3:50 p.m.

Conservative

Rick Norlock Conservative Northumberland—Quinte West, ON

Carrying through with that, the Department of National Defence's network is adequate, but to what extent are the capabilities used by the Communications Security Establishment or CSEC adequate to ensure the protection of the Government of Canada's electronic information and information structures? You did separate them into two entities, public-private and military, which you now say we need. By that, I gather that there should be two entities within government, one to take care of the military and one to take care of public-private, or can they be housed under just one roof?

3:50 p.m.

Principal, SecDev Group

Rafal Rohozinski

I can't comment on the capabilities of CSEC, seeing as I'm not really speaking on its behalf nor am I an employee nor do I have privilege to be able to access it at that level. However, if I talk about it from an institutional point of view, I think CSEC has definitely taken a leading role in cybersecurity in Canada because, quite frankly, that's the institution where government has been able to bring together the expertise and know-how to do so. Whether that should continue to be the centre, going forward, I think is a very good question.

Again, I think, the past is prologue here. Air traffic control, at one point in time, was the responsibility of the Department of Defense in the U.S. Currently a civilian agency is responsible. I think there are capabilities that currently exist within CSEC that have to be migrated out into law enforcement and other government departments that have a responsibility for ensuring those components of cybersecurity that apply to very specific sectoral areas. I think overall, though, from an institutional point of view, there has to be an understanding and I think a recognition of the fact that cyberspace requires an emphasis equal to what we put to territorial security, economic security, and energy security. We should treat it in the same kind of way in terms of the kind of intergovernmental and interagency coordination that would allow us to have a coordinated policy.

3:50 p.m.

Conservative

The Chair Conservative Peter Kent

That's your time. Thank you very much, Mr. Rohozinski.

Mr. Chisholm, please.

3:55 p.m.

NDP

Robert Chisholm NDP Dartmouth—Cole Harbour, NS

Thank you very much, Mr. Chairman, and if I can stop talking, I will share some of my time with Mr. Brahmi.

I found your presentation and your brief interesting. I want to follow up on the whole level of the issue of coordination and cooperation that Mr. Norlock was talking about, but I want to do it this way. In July, the National Research Council suffered a major cyber-attack that included the infiltration of systems containing personal information. The response from the government was that they blamed China.

I want to ask you two questions. Could you give us some indication of how safe Canada's critical infrastructures are from cyber-attacks by state-sponsored actors? Also, could we be doing a much better job on the issue of coordination and cooperation?

3:55 p.m.

Principal, SecDev Group

Rafal Rohozinski

On the issue of vulnerability, I think the reality is that our systems are very vulnerable. The reality is that they're vulnerable for two reasons: first, because security was never at the heart of how these systems were engineered to begin with, and second, we haven't put in those kinds of regulatory demands to ensure that operators of critical infrastructure take security not just as a responsibility to their shareholders, as businesses, but also as part of their responsibility to Canada, quite frankly, or to national security. That, I think, is the principal failure we have.

3:55 p.m.

NDP

Robert Chisholm NDP Dartmouth—Cole Harbour, NS

On the issue of better coordination in the public sector of agencies that are investigating our vulnerability, are we doing enough?

3:55 p.m.

Principal, SecDev Group

Rafal Rohozinski

Again, I think part of the problem is that currently the heart of the capabilities that the government has for doing attribution-type work lies in an institution that was never designed to do so—the CSE—hence my comment earlier on that I think there are capabilities that currently are, for all the right reasons, centralized within CSE, but that actually have to be migrated out. Either they have to be migrated out to other government departments or we should be looking at creating a civilianized, non-military, non-intelligence institution that would coordinate cybersecurity across the board.

Again, I would emphasize that we have much to lose here. We are not Estonia, where you can drive across the country in six hours, or Israel. We are Canada, where it takes six or seven hours to fly across the country. What we lose by losing critical infrastructure can be far more catastrophic, and therefore, this really does require a strong policy emphasis.

3:55 p.m.

NDP

Robert Chisholm NDP Dartmouth—Cole Harbour, NS

A civilianized agency is not what I understand the other countries in the Five Eyes are doing. It's generally an intelligence-led activity.

3:55 p.m.

Principal, SecDev Group

Rafal Rohozinski

Yes and no. I would separate two things.

Yes, there has been, not just amongst the Five Eyes, but across, if I'm not mistaken.... We did a study for the strategic balance for the IISS, and about 90 countries are starting to develop the equivalent of what would be a cyber command, which means a military organization that effectively looks at cyberspace as a domain for operations and that trains, equips, and develops a doctrine for being able to conduct operations therein. Clearly that's happening in other Five Eyes countries.

However, within the U.K. and the U.S., you've also seen coordination amongst the civilian agencies, such as Homeland Security, for example, and the critical infrastructure protection office in the U.K., which have taken capabilities from GCHQ and NSA and moved them into civilian agencies that have responsibility for critical infrastructure, the financial sector, the energy sector, etc.

3:55 p.m.

NDP

Robert Chisholm NDP Dartmouth—Cole Harbour, NS

Okay.

Thanks very much.

3:55 p.m.

Conservative

The Chair Conservative Peter Kent

You have three minutes remaining, Mr. Brahmi.

3:55 p.m.

NDP

Tarik Brahmi NDP Saint-Jean, QC

I would like to ask a question that is of great concern to the citizens of Saint-Jean-sur-Richelieu, where an attack was carried out by what is called a lone wolf.

Could you tell us about cybercrime and cyberterrorism in terms of the lone wolf? If we are not able to link a particular incident to a terrorist organization, how can we intervene?

Are there criteria for defining acts as analogous to terrorism because they took their inspiration from information on the Internet? If there are no such criteria, how can cyberspace be protected to prevent people with mental health issues from committing a terrorist act after getting information from terrorist organizations? People like that may have no link to, or knowledge of, terrorist organizations, but they may interpret certain messages in cyberspace as a call to commit terrorist acts.

4 p.m.

Principal, SecDev Group

Rafal Rohozinski

Excellent question, and I'll predicate my answer by saying that I'm testifying in front of a Senate committee on the issue of cyberterrorism on Monday. We have been involved in working with Public Safety Canada under the Kanishka program, specifically looking at social media, the Internet and radicalization, and what measures can be taken, both within the public sector as well as at the community level, in order to be able to detect and provide early intervention to individuals at risk of radicalization.

The longer answer, I would say, is that I think your observations are quite right, that as the Internet, or the population of the Internet, more and more reflects that of society at large, it will include the good, the bad, and the ugly—individuals who are predicated towards mobilization and others. That has certainly been exploited by groups like Daesh Islamic State.

I think the principal difference, I would say, between al Qaeda and Islamic State is that al Qaeda was a conspiracy. At some point in time the individual was always vetted by someone else who knew someone else. There was a physical contact. Daesh, or the so-called Islamic State, is much more like a brand. It provides an aspirational message and those who are interested in those aspirational messages will choose to act on their own. That's terribly difficult to be able to detect because, although technology allows us at one level to be able to identify individuals who access content that may cause radicalization, having that technology at the disposal of law enforcement without grounds effectively means that we are creating a system of surveillance that may actually be far worse or outweigh any benefits that we would have by identifying individuals who are at risk.

However—

4 p.m.

Conservative

The Chair Conservative Peter Kent

That's your time, Mr. Brahmi. We may pursue that with subsequent questioners.

Mr. Daniel, please.

4 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Thank you, Chair, and thank you, Mr. Rohozinski, for being here.

You talked about a variety of things. It's interesting to note that there are so many issues relating to cyber-attacks, etc. But going down to the most fundamental aspects of it, Internet protocols, can you just explain to this committee who writes them, how do they get implemented, etc? Those are the fundamental elements of communications across the cyber-network, which I don't think anybody really considered seriously when they were talking about the wider use of the Internet as we see it now. As you know, it came from a protocol between universities way back when, so can you just help us understand the fundamental aspect of that? Could you also address the hardware side, if you get a chance to do that?

4 p.m.

Principal, SecDev Group

Rafal Rohozinski

Sure. I'll give the short-form answer to it.

Effectively, the standards that currently define the interoperability between hardware using the Internet protocol came out of a governance structure that was initially put in place when the Internet globalized in 1995. That included both the creation of an entity, ICANN, that effectively regulated the address space, but it also included subcommittees that dealt with security, and for example, the engineering aspects of cyberspace itself.

Initially, in the first 15 years of the Internet, if you like, from 2000 until the mid-2000s, a lot of that was dominated by engineers, researchers, who may have worked for corporations but really were looking for writing protocols that would make it easier for devices to start working together. In the recent past, cyberspace has started to be seen as a strategic aspect by countries like China, Russia, and others. There's been a greater intervention both by corporations as well as government-sponsored engineering groups to define standards that worked in terms of their own favour.

Certainly, one aspect, as I said, since cyberspace is very much a synthetic domain, is understanding how the introduction of standards may change that domain in ways that are either consistent with our norms and values, or not consistent with our norms and values. That really should be part of the watch list of a cybersecurity institution that should exist at the government level.

4:05 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Is that something your organization is actually participating in, in terms of making sure that protocols are secure and that the Internet becomes more secure?

4:05 p.m.

Principal, SecDev Group

Rafal Rohozinski

Certainly, one of the things that we have developed as a criterion when we work with other states who are seeking to develop national cybersecurity strategies, is to understand the role of standards, and participation in standards-making bodies as a way of ensuring that the technical aspects of cyberspace don't start going against either national interests or a common interest.

4:05 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

You mentioned something like 15% of computers are actually being activated remotely by some of these applications, etc. Is there some collusion between the hardware manufacturers that allows this to happen working with the Internet folks? Is there a dark world out there that actually allows this to happen? Certainly, encryption has not survived. Even up to 256-bit encryption for communications has been broken into in a matter of hours.

4:05 p.m.

Principal, SecDev Group

Rafal Rohozinski

I think the issue is more the ecosystem itself.

If you take a look at it, consumer protection laws that exist for the building of a device—for example, a car—compel the manufacturers to look at safety and security as the basic design of what they're building, whether it's seatbelts, airbags, or whatever.

That is not the case when you buy a piece of software. It was built for interoperability and not for security. I think that's the consequence of the fact that we essentially had a massive gold rush in building a global domain over the last 15 years, and security really took a back seat. I think that's going to change, but certainly that's not the environment in which we live.