First, I want to thank the panel for requesting my presence here in Ottawa to brief these distinguished parliamentary members.
My name is Stuart Wright. I'm attending today as an individual.
I have worked in regulation; energy including oil and gas transmission, distribution, and generation; and audit and information systems in different leadership capacities for many years. I have a degree of expertise and a unique perspective on cybersecurity here in North America.
I'm here today to provide a layman's briefing on the events in the Ukraine and eastern Europe as they relate to cybersecurity. My hope is that this will inform the panel as they assess the appropriate measures and next steps to support our NATO allies and enhance Canada's military capability to respond to a new type of warfare.
This week's cyber-attacks using malware called Bad Rabbit hit Russia and other nations on Tuesday, affecting the Interfax news agency and causing flight delays at Ukraine's Odessa airport. The Bad Rabbit ransomware is a type of virus that locks up infected computers and asks victims to pay a ransom to restore access. While no major outages were reported, several governments have issued warnings on the attack, which followed campaigns in May and June that used similar malware and resulted in what some economists have estimated are billions of dollars in losses. These new rounds of attacks are disturbing because attackers quickly infected critical infrastructure, including transportation operators, indicating it was a well-coordinated attack.
Some cybersecurity firms have indicated that Bad Rabbit appeared to spread through a mechanism similar to June's disruptive NotPetya virus, which took down many Ukrainian government agencies and businesses. It then spread across corporate networks of multinationals with operations or suppliers in eastern Europe. According to early reports on Bad Rabbit, more than half the victims were in Russia, followed by Ukraine, Bulgaria, Turkey, and Japan.
I'd now like to speak to the Ukraine cyber-attack of 2015, as you requested. On December 23, 2015, unknown cyber-forces disrupted energy grid operations for the first time, causing large blackouts for over 225,000 customers in Ukraine. It affected several regions in the country, which went without power for several hours. This was facilitated by malware called BlackEnergy.
In December 2016, almost exactly one year later, there was another blackout, smaller in scale and lasting only one hour. It hit only one region but was conducted with a more advanced malware, Industroyer, which is suspected to be the cause in this case.
These cyber-incidents impacted operators in the electricity sector, but the tactics used in these attacks could have easily played out against any operators in any sector and in any jurisdiction in any country. The bottom line here is that cyber-threats are no longer the concern of IT network administrators and engineers but must be a central concern in running a safe, efficient, and resilient critical-infrastructure operation.
I'd now like to talk about the global landscape. Global cyber-attacks are now concerted. They're orchestrated efforts to exploit vulnerabilities in people, systems, and processes. They're impactful, long-lasting, and often professional efforts to use an organization's network infrastructure against it in a highly targeted way.
In the traditional understanding of war, critical infrastructure was a sound target of opportunity: hamper the ability of the opponent to utilize it, thus rendering it useless. Public Safety Canada defines critical infrastructure as “processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.” The disruption of any critical-infrastructure provider could potentially result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence. In other words, critical infrastructure is an ideal and easy target.
Historically, critical infrastructure was easy to defend, as it was available via air-, land-, or sea-based assets of an opponent. The deployment of such capabilities can result in the potential transmitting of movement, and even if the exact target is unknown, can be limited by conventional defensive capabilities. This was particularly relevant in the era of state-versus-state war such as the bombing campaigns we witnessed during the Second World War and the later political-military conflicts of the latter 20th century.
In the modern geopolitical era, however, there is another dimension of assets now operating within the cyber-realm with near global reach and little to no movement of efforts. Effectively, the nature of war and conflict has evolved. These cyber-assets are now deployable quickly and are never physically exposed to the opponent. They are able to target critical infrastructure from within the borders of their state or through third-party proxies, utilizing techniques, tactics, and procedures, TTPs, to carry out effective assaults on their targets.
The Department of National Defence, its partners in NATO, and strategic allies in Europe, Asia, and south of the border need to revisit the military doctrines required to effectively guide cyberwarfare strategies. These include our capabilities and core elements of training, intelligence, and support to ensure security and stability of our allies and regional partners.
The same TTPs separate the average cybercriminal from more sophisticated threat actors, and these advanced persistent threats, APTs, are effectively a set of stealthy and continuously computing hacking processes orchestrated by a person or persons targeting a specific entity.
An APT usually targets either private organizations, states, or both. The targeting of critical infrastructure or state-based assets by APTs may include financial institutions; energy systems; transport automation; water and waste-water management; as we witnessed in the last week, communication and first responder systems; and of course our defence capabilities, networks, and core elements.
The fact is that no industry vertical or sector is immune and we are now witnessing the evolution of a hybrid warfare. To provide the context of the narrative, hybrid warfare might be used informally to describe the ever-changing complexity and dynamics of the battlefield, which include the use of cyberwarfare as a precursor to a larger military action.
I will now discuss the attacks that occurred over the last several years on the power grid of Ukraine in 2015 and 2016, as well as in the Baltics back in 2015.
From a timeline perspective, first we will look at the malware used to provide an understanding of the tools utilized in these attacks. Secondly, the timeline will be explored, outlining how the attacks were carried out. Finally, this discussion will look forward, offering a viewpoint of the future of cyber-defence of critical infrastructure as it relates to irregular or, as recently coined, “hybrid warfare”, and the opportunities for both the Department of National Defence, NATO, and NORAD to enhance our response to this new type of threat.
First, in terms of the malware used in the attacks, typically when a prominent cyber-attack is discussed, there's usually a cursory description of the malware accompanied by a picture. You've all seen it. It's like the Matrix, the green screen superimposed on a black background, or a sinister-looking individual with their face covered asking you to send bitcoins. Things have now evolved.
You see in the news media reports for the technical descriptions to present a catchy narrative or story to keep the readers interested. However, it does not necessarily provide a full understanding of how the attack occurred. Conversely, taking a technical approach to understanding these attacks, while providing a robust understanding of the attacks, often limits the audience. This in turn, however, restricts the ability of the work to explore the attacks in the larger picture or global landscape. As such, I hope to provide the committee with a balanced, middle-ground approach to explaining why and how the malware is functioning, without becoming overly technical. The last thing we all need to do is get bored with technical details.
The malware, dubbed BlackEnergy, which was reportedly used in the Ukraine attacks, is a Trojan, a program effectively hiding its malicious intent. It enters the system through a file distribution, through an email spear-phishing campaign. We've all received these types of emails, formerly referred to as a Nigerian email scam, asking us to wire money to specific African nations to secure the release of millions of dollars predicated on immediate action.
In the corporate and government realms, C-levels are constantly being targeted with requests to approve and authorize internal transfers of financials from their operation team, whether it's in general finance or procurement, to facilitate large money transfers to Asian banks, generally when they're about to go on vacation or head to the cottage. These types of campaigns are targeted. We call them whale-phishing campaigns. They appear as normal correspondence that the victims would experience in their day-to-day jobs, rather than a more generic one typical of a phishing campaign, which is treated almost like a numbers game.
Once that malware has been downloaded, it enables the attacker to launch a distributed-denial-of-service attack, as well as download custom spam and information theft plug-ins. In other words, once BlackEnergy had infected the systems in Ukraine, it was able to act as the gateway for the next stage of the attack, bringing in additional malware to allow for intelligence gathering and to facilitate those future attacks.
I wish to convey to this committee that there are multiple variants of these infections. These include BlackEnergy 2, which is a more precise tool used to go through specific systems, and BlackEnergy 3, which is focused on searching a network for specific or enticing systems, including those in government, military, and in overseas infrastructure. They seek to provide network reconnaissance and a mechanism to spread that infection.
The threat is present. This BlackEnergy malware then delivers a KillDisk into the system following the initial infection. This component of the attack made the systems within the infrastructure inoperable and gave the threat actor the potential to remove a central component of the infected systems, thus impeding restoration efforts. Once KillDisk is run, it wipes or overwrites all the key essential systems, including the master boot records, which brings down the systems and prevents a system reboot. This further hides the activity of the attacker within the system and disguises the effective nature and origin of the threat actor.
That's critical when you're determining who your threat actor is and basically, when you're doing your forensics, who you want to chase down if you're going to take a response and recovery measure.
Both BlackEnergy and KillDisk have been seen operating in conjunction with each other, and most notably in the Ukraine power grid attack in 2015. Current and future adversaries are likely to rely more on a blend of conventional and irregular approaches to conflicts, which has been referred to, as I mentioned, as hybrid warfare, and these may be a precursor to kinetic attacks.
In addition, another variant, the Industroyer, has been alleged as the malware behind the 2016 Ukrainian power grid attack. It's highly customizable with malware, and researchers believe it is targeting industrial control systems. If you look at the reports in recent weeks, effectively it's becoming more pervasive. It is a malicious tool in the hands of a dedicated, well-funded, and persistent attacker. This is not something that a script kiddie could take off the dark web and just implement.
The malware is able to persist in compromised networks and directly interferes with the critical working processes in those facilities. The malware is extremely dangerous. Its potential damage depends on the configuration of that particular facility, and can vary, for example, from one substation to another and can be anything from a simple local blackout through a cascading failure to potentially even greater damage to the hardware. The relatively low impacts of recent blackouts stand in great contrast to the technical detail, level, and sophistication of the suspected malware behind Industroyer. These threat-based actors are institutional at a government level.
A possible explanation for this, which is the opinion of many security researchers, is that this was a large-scale test. They're testing our perimeter defences, pushing the envelope, and observing our response and recovery methods. This is a calculated, strategic approach to hybrid warfare.
The security community in North America has compared Industroyer to the Stuxnet cyber-weapon, having formerly worked for Siemens, which was used to target the Iranian nuclear program.
I'm going to skip ahead of the time on the attack. I see the chair....
I will now provide a quick comment on how the power grid attacks unfolded, and the context of each attack.
Three attacks were examined: Ukraine, Baltics, and Ukraine. Before going into the individual attacks, it's important to note the attribution of these attacks.
First, the available information only attributes the Ukraine attack to the advanced persistent threat Sandworm, which was believed to be a hacker group with the Russian government. In the 2015 Baltic attack, researchers claimed they saw evidence of Sandworm, but were unwilling to provide such evidence for operational reasons. This is part of the challenge that we're faced with in the industry in the response and recovery methods. The trust factor is key to a successful response. However, in many cases it takes months or even years to determine all the facts.
Finally, in the Ukraine attack the use of Industroyer had not yet been officially attributed to any country actor. Therefore, for the purposes of this section, the attack has been accepted by experts in the private sector as being launched by the Russians. Again only time and further due diligence will confirm this assessment.
I'm going to skip ahead from the attacks, because I think we've touched on it critically, and I'd like to focus on the prevailing attitudes.