National Defence Committee on March 29th, 2018

Mr. Chair, let me begin by thanking you for inviting me to take part in this committee meeting. Although I am not in the room with you and am participating by video conference, I am very honoured to have the opportunity to address you.

Before I begin my preliminary remarks, I want to express special thanks the High Commission of Canada in the United Kingdom for facilitating this communication today. I am not at NATO headquarters in Brussels, but in London, at the High Commission of Canada in the United Kingdom.

I am speaking French simply to show you that I am fully prepared to respond in English or French to any questions addressed to me during the question period. However, since I can speak English twice as fast as I speak French, I hope you will not mind if I deliver my opening remarks in English.

First of all, if I've understood this correctly, Mr. Chair, your focus today is on cyber issues, cyber defence, and cybersecurity. That's where I'll begin, but I'd just like to say before I start that as somebody who's been around NATO for a very long time, my division, emerging security challenges, deals with a broad portfolio of issues, including cyber issues, but also counter-terrorism, nuclear policy, and strategic forecasting.

If afterwards the members of the committee want to enlarge the discussion to other aspects of NATO's current postural policies, please, I'd be more than happy to stray off the reservoir—or the reservation, if you like—and intervene on that too.

On cyber, you could of course spend many a happy hour talking about this, because it's such a complicated, fast-moving topic. Let me at least briefly try to give you a sense of where NATO stands. For us, cyber represents three very key strategic challenges. The first one, to paraphrase an American sociologist, Clay Shirky, is “here comes everybody”.

Cyber for the first time allows virtually anybody in the world to become a strategic actor—and for a very small investment compared with what states used to have to invest to develop significant capabilities. Cyber allows anybody to attack anything from anywhere at any time. It totally obliterates the traditional security refuge of geography, of being behind borders and declarations of neutrality.

For states or for organizations like NATO, for the first time we have to defend everything all the time, whereas security policy, as you know, for most centuries allowed you to define a particular adversary and particular strategic access and to focus most of your resources on certain nevralgic points. Now you have to make difficult decisions over priorities, whether that's critical infrastructure, the civilian sector, the banking sector, or telecommunications and, as the threats from cyber keep shifting, from one sector to the other. You need an enormous agility to be able to keep up with the changing threat landscape, particularly when a company like Symantec identifies upwards of two million pieces of new malware on the market every year.

The second issue, of course, is that cyber obliterates the old distinction between being at peace and being at war. It condemns us to live in a kind of permanent grey zone, neither peace nor war, where everything is contested and where we are subject to attacks, major or minor, every day of the week. Most of these attacks are below the traditional NATO article 5 threshold, which used to be clearly identified in terms of tanks crossing a defined frontier.

Cyber is in that sort of grey zone where we sometimes find it difficult to determine what is an armed attack or its equivalent, or what is a hostile attack and what is simply a nuisance. Therefore, there's a difficulty in knowing how to respond, because on the one hand you want your response to have an impact, and on the other hand you want to avoid an escalation into a crisis that probably goes beyond where you would like to be.

There are issues of how to classify attacks, how to attribute attacks and how quickly to do so, how much evidence you need before you can make attributions, and what the appropriate response is. Is it diplomatic? Is it economic? Could it even be military? NATO certainly has said, back at our summit in Wales in 2014, that at a certain threshold a cyber-attack indeed could be considered the equivalent of an armed aggression and therefore provoke the activation of article 5 and a NATO response. However, what that threshold would be is something that we have kept ambiguous, because we believe that ambiguity serves the purpose of deterrence.

The third and final opening strategic point about cyber is that it clearly cannot be dealt with by using the tools that you traditionally have within your own organization. When it comes to traditional collective defence—and Canada is participating in that, of course, in leading the multinational division in Latvia at the moment—we have within our own organization the tanks, the aircraft, and the artillery we need, even if sometimes we would like it to be more modern or more ready.

When it comes to cyber, we find that in order to be effective we have to depend on others, the private sector, for instance, which is responsible for 90% of the networks where most of the innovation and much of the cyber-intelligence come from. In the cyber-field, you're only as good as your ability to form those partnerships, to persuade other people to help you out, and to build a true ecosystem for handling the challenge.

Those are three introductory messages.

Very briefly, what is NATO doing? There are four areas. I'm more than happy, of course, to go into these with all of the members of the committee in as much detail as would be helpful to you.

Number one, we of course need to defend our own networks. It sounds simple. It's the starting point, but in a complex organization like NATO, it isn't so simple. We have 55 different sites to protect. We have 35 different IT systems. Some are new and some are legacy systems. Of course, when you combine the old and the new in the cyber-world, you have many more interfaces and therefore many more vulnerabilities and attack surfaces. We have built up, over the last few years, a comprehensive NATO cyber-incident response capability—we call it NCIRC—situated within SHAPE in Mons, that provides our civilian and military networks 24-7 coverage.

A second part of this is bringing the intelligence community, which has forward strategic warning of cyber-attacks, together with the technical community. In the cyber domain, particularly for incident management, it's very important to make sure that what you are seeing corresponds to what you are hearing. In other words, the intelligence piece corresponds to what you are actually seeing in the networks, because the one could, of course, alert the other. We therefore have a cyber-threat analysis cell that brings these communities together.

Mr. Chair, as you know from the time that you and the members of the committee visited NATO headquarters in Brussels, we have established a joint intelligence and security division precisely to bring more of the national intelligence feature into NATO so that we can have better situational awareness and better correlation of the data we are receiving.

Of course, also in this field, as you know—and this is true of all of us—part of the protective task is identifying your critical dependencies. You are often amazed to discover that just when you thought that you had mapped out your cyber-ecosystem, identified all of your critical networks, and brought them up to the same level of protection, there is some new supply chain risk from some other system that you realize is connected to yours, and you don't know exactly what the level of security is there. That constant mapping is important, too.

The second level of our efforts is assistance to allies. We really want to be the heart of a number of cyber-defence services that could help our allies become more resilient at the national level and learn from each other's technologies, people, processes, education methods, and experiences so that we can increasingly benchmark standards in an objective way by allowing allies to assess themselves voluntarily and then compare the results with others.

This is in the form of a cyber-defence pledge that is now in its second year. Indeed, I am hoping that, in the next couple of days, Canada's submission, its self-assessment for the second cycle, will arrive at NATO headquarters. Of course, we'll compare that with what Canada told us just a year ago. I know, from your own national activities over the past few months, there's been a surge of effort in this area. Therefore, I'm sure you can add many good new things to report to us.

The pledge, as I said, allows for comprehensive benchmarking: it allows NATO to have a comprehensive overview of the strengths or weaknesses in the cyber realm of our allies, and therefore to help with feedback and advice; and it encourages nations to both devote more resources to cyber by identifying key NATO priorities and to also join themselves up more at the national level over the various ministries and different departments. Many allies have told us that the pledge was the first comprehensive stock-taking that they were asked to carry out.

Very briefly, before I stop, there are two final elements. The third is where perhaps we might get some questions and discussion, because it's the most ambitious and the most demanding. At our summit in Warsaw in 2016, we declared cyber as an operational domain. In other words, we have to fit the virtual world and cyber together with the four traditional areas of crisis management and conflict: air, sea, land, and space. We have to fit cyber as the fifth domain and therefore understand the implications of conflict in the cyber space and which instruments and doctrine we need to be able to deal with that on the assumption that all future conflicts will probably, or inevitably, have a cyber dimension. Therefore, how does cyber fit with nuclear deterrence, conventional defence, and missile defence, into NATO's posture? What can it do, what can it not do, and what kinds of new capabilities do we need?

You've probably seen, Mr. President and members of the committee, that we've agreed now to establish a cyber operations centre and to incorporate into NATO's posture voluntary national cyber contributions that individual allies who have these capabilities would be willing to make available to us. That work is ongoing.

My last point is that we in NATO of course want to be political in the cyber domain, and not simply technical military, because as with every other area of NATO engagement, we see our security as depending upon political initiatives, arms control initiatives, confidence-building measures, and agreed restraints, and not just in the development of new weaponry. Therefore, we are very engaged—even if we're not negotiating—in the whole domain of international law as it applies to cyberspace, and how we can work with the EU, the United Nations, the OECD, and other institutions.

If your committee is interested in this, I would refer you to the two Tallinn manuals that our centre of excellence has produced on the international law governing cyberspace, which are helping to drive this intellectual debate forward.

I will stop there, but again, I hope we can have good, productive discussion with the committee in the direction you wish to follow afterwards.

Thank you again for the privilege to be able to speak to you this morning.

Thank you.

I can't say that I'm going to be as erudite, as flowing, as Mr. Shea was, particularly in French. I can give you a bit of Welsh, but my French is fairly limited.

Thank you again for inviting me to appear before the Standing Committee on National Defence. I want to start briefly by recognizing the critical role that Canada has played in setting the NATO alliance and the Parliamentary Assembly.

It could be argued that in fact the alliance started when Canada agreed to send more than one million people to serve in the Second World War, including over 14,000 who joined the allies in Normandy on June 24, 1944.

Across the NATO alliance, we do remember the work of Escott Reid, Lester B. Pearson, and Louis St. Laurent, who floated the idea of a temporary military alliance in the north Atlantic region to ensure the stability of democracy and freedom in western Europe, in the face of the communist threat. The North Atlantic Treaty was signed on April, 4, 1949, and included article 2, which became known as the “Canadian article”. The enthusiasm and commitment of Canadian Senator Wishart McLea Robertson and British MP Sir Geoffrey de Freitas initiated the first gathering of parliamentarians in July 1955 to create the NATO conference of parliamentarians, the forerunner of today's NATO Parliamentary Assembly. Senator Robertson was elected as the first president of the new assembly in 1955, and was the first of many important Canadian presidents, vice presidents, chairs, vice-chairs, and rapporteurs who served the alliance and the assembly.

I want to look at today's pressures. I plan to focus on the role NATO plays in the maritime and space domains, and in advancing a women, peace, and security agenda. I've prepared, on behalf of the defence security committee, reports on the maritime and space domains. I will be speaking to those.

Maritime is first, because NATO in many ways was primarily a maritime alliance. The transatlantic link is vital to all member states, but has long been neglected. I think it's been said that you cannot win a war in the Atlantic, but you can certainly lose one there. Control of the sea is vital for communication and freedom of movement, both of which are crucial aspects of NATO's operational efficiency. Alliance naval forces guarantee NATO's strategic defence and are central to the promotion and protection of political, economic, and diplomatic interests.

However, member states' navies, on the whole, have been shrinking in size, largely due, as in most fields, to the increasing cost and sophistication of vessels. This has had two major effects: allied navies have shrunk and the capability gaps have increased. A ship, no matter how sophisticated, can only be in one place at one time. The effect of this trend is that the U.S. is now the only member state with truly full spectrum capability.

Why is the maritime environment so crucial at both a local and global level? Currently 95% of trade is conducted on sea routes, 80% of hydrocarbons are transported by sea, and 95% of Internet traffic goes through undersea cables. A closer look shows that 80% of the maritime trade passes through eight choke points, three of which are crucial to NATO in the Mediterranean, the Black Sea, and the Red Sea.

The figures show that freedom of the seas is a driver of global economic interests. However, it is worth much more than this. Free seas are also a global norm and can be a tool to use in reinforcing international order.

With 80% of the world's population living within 60 miles of the coast, and 75% of the world's major cities being littoral, plus the use of sea lanes growing at 4.7% a year, the maritime domain is only becoming more critical to the alliance.

Threats at sea are increasing. I'll cite just one example. As the Arctic Ocean becomes navigable, the bastion concept is being reinforced with increased numbers of Russian submarines present. The threat to the GIUK gap and our undersea cables is growing. All aspects of naval capability serve as an essential enabler of deterrence and as demonstrators of political will and power.

Naval assets also provide the capacity to manage crises by providing expeditionary capabilities, sea control and denial, and logistical support to amphibious operations, including the enforcement of embargoes and no-fly zones, and the provision of humanitarian assistance. Naval forces also often offer the easiest and quickest route to providing co-operative security by working in partnership on capability building, training, joint exercises and, less directly, through naval diplomacy.

Here I will just put in a quick mention of port security, which we must raise our game on.

I want to move on to the new frontier of space. It's complicated but increasingly important area. Over the last few years, space has become a key pillar of NATO defence. Space is increasingly at the forefront of the security policy and planning debate, and a key area of global geopolitics.

The cost of operating in space is high, and as such the agenda lends itself to collaboration, rather than competition, among the alliance. This is perhaps reflected as a push for some kind of space code of conduct. As far as NATO is concerned, the alliance has no official space policy, but has released an allied joint doctrine for air and space operations. This is an area that NATO should now be looking to consolidate.

The current picture in space is complex. Satellite constellations are now vital for the efficient functioning of modern infrastructure, both military and civilian. Indeed, one challenge is the indistinguishability of military and civil spacecraft. It's estimated that 40% of all satellites are military, but that's not to say that civilian craft can't also be used for military functions.

Over the last two decades, both the breadth and depth of possibilities have expanded. A flood of new actors, both national and commercial, is making the three principal geocentric orbits congested and dirty. In part this is due to almost every country now having a satellite, or a stake in space. We've now got approximately 1,100 satellites in orbit; some are saying there are as many as 1,500. On top of this, in recent years new and dynamic commercial actors have ignited a second space race. Costs, although still high, are falling, and this is opening the space arena to many more participants and many more potential threats and problems.

Finally, as the North Atlantic Treaty was being signed, women were leaving the many vital roles they had played in the armed forces during the Second World War. The important role of women in peace and security did not return to the main political agenda for some time. In 2000, the United Nations Security Council Resolution 1325 encouraged member states to involve women and integrate a gender perspective in multilateral security initiatives such as peace settlements, peace missions, disarmament, demobilisation, and reintegration programs.

Additional resolutions now include a focus on sexual violence in the context of armed conflict, and recognizing sexual violence as a serious violation of human rights and international law. Recognition of women's roles in post-conflict recovery and actively integrating them in peace-building, peacekeeping, and aid management, is growing.

More recently, the agenda has expanded from a focus on women and girls to include the impact of conflict on gender relations, recognizing that sexual violence in conflict affects men and boys and those secondarily traumatized as forced witnesses of sexual violence against family members. It also emphasizes the positive role that men and boys play in promoting gender equality during reconstruction efforts. We now recognize that efforts to build peace must benefit both men and women equally.

NATO has taken on all these objectives and subsequent resolutions at different levels of the alliance's structures and activities. The 2013 Parliamentary Assembly report recorded nine strategies deployed by Parliaments of NATO member countries that contribute to the promotion, implementation, and monitoring of the women, peace and security agenda. In four areas there was a commitment to change—the areas of gender-balanced Parliamentary leadership; legislative initiatives; influence and oversight through debates, questions, and reports; and civil society engagement.

This update was published in 2015. The Committee on the Civil Dimension of Security will be sending out another survey this year. The results will be presented in Halifax by Clare Hutchinson, the NATO representative for women, peace, and security, who will be with us to talk about the results.

I'll end on that positive note. Canada has been a key member of the alliance since its inception, and I have many Canadian colleagues.

I look forward to answering your questions.

Thank you very much. It's an honour and a privilege to be in front of the committee in person this morning.

I'd like to predicate my brief comments with a few remarks on position I take on these issues—in other words, where I'm coming from—and the importance of addressing this as a core issue both for Canada's relationship with NATO and Canada's national security.

My remarks this morning will be informed by essentially four activities that I've been involved in over the last 10 years.

First of all, for the last 10 years I've been one of the co-convenors of a Track 1.5 process with the Russian Internet Security Council that has dealt with the issue of cyber-norms and cybersecurity. Initially started as a NATO process 10 years ago, it has continued since then as an engagement activity, year on year, that has created a focal point for at least being able to understand the normative aspects of the use of cyberspace in security.

Second, I'm also a co-convenor, along with American and U.K. colleagues, of a Track 1.5 dialogue around the military use of cyberspace between the U.S., the Russian Federation, and the People's Republic of China.

Third, I'm citizen adviser to the United Nations counterterrorism executive directorate on combatting violent extremism and terrorist use of cyberspace, which brings together industry partners and nation-states around these issues.

Finally, I'm an expert to the World Bank digital economy working group, which is attempting to quantify the economic impact of information and communication technologies worldwide.

Why all this is important is simply the following. As Mr. Shea pointed out, NATO has declared cyber to be an operational domain for NATO countries, and yet this is the domain in which we have the least experience in understanding the levers of escalation and de-escalation. It is also a domain that has come into being at a time of the greatest tensions and degradation of channels of communication between NATO countries and its potential peer partners.

In my remarks, I want to cover two separate areas. The first area is simply understanding the impact of the cyber-environment on national security writ large. Absent understanding of this impact, it's difficult to be able to separate where we have issues that are purely domestic from those that can be influenced or otherwise made more serious by external partners. I also want to talk about the dangerous entanglement between cyber and security at a technical level and a social one—in other words, its social and political impact. I then want to briefly turn to the impact that this now has on NATO's position vis-à-vis cyber in terms of an alliance from our own preparedness point of view and also our relations with potential peer competitors in this field.

The first thing to recognize is that the foundation upon which we have built the global economy and the Canadian economy is largely made of sand. Currently, by projections of the World Bank, 26% of the global GDP will be dependent upon the digital economy by 2025. Of the $107 trillion GDP globally, $1 trillion is being spent on cybersecurity. Why is this the case? From statistics released by the Council of Economic Advisers at the White House in the last week, an amount between $57 billion and $106 billion is attributed to cybercrime losses each year in the U.S. This is occurring because the infrastructure of the Internet at a basic level was built for resilience rather than for security. At its basic, there is less security built into either the technology or the regulatory environment than there would be if I were building a car. To build a car, I have to put in a seat belt. If I'm building the equivalent in cyberspace, I'm effectively putting in an ejection seat.

Let me give you three statistics that indicate just what kind of magnitude we are facing in terms of ill-preparedness in dealing with fundamental issues of security on the Internet to begin with. These are three 90% statistics that you can keep in mind. The statistics are a bit dated, at about 12 months old, but still useful.

First, 90% of malware, code that is meant to do malicious harm on the Internet, uses a single channel to communicate, known as the DNS, and yet more than two-thirds of the Fortune 100 have no perspective on this channel in their security posture. Ask yourself, if 90% of the threat can be seen through one channel, why is it that only one third of the most valuable companies in North America have perspective on that channel?

Second, 90% of all industries are planning to implement the Internet of things as part of their infrastructure, and yet more than 80% of them have absolutely no confidence that the security measures they have in place will give them a perspective on the security coming out of the Internet of things. The reason for this is that our ability to understand what is considered to be bad traffic, malfeasant traffic, on the Internet of things has simply not been developed. It does not yet exist. This is an industry gap problem where the technology is moving faster than the regulation that exists.

The third 90%, which is the most important one, is that 90% of all cybersecurity breaches use the human vector. In other words, they are not dependent on a fault in the technology, but they use human behaviour and human weakness as a way to get in. If you ask any engineer, you cannot engineer a security solution against a human problem. This is a regulatory problem where we have not developed the rules commensurate with the importance of the infrastructure that we currently have and on which our economy depends.

Also, there has been a dangerous entanglement between cyber-capabilities and their social impacts. Quite frankly, in the last five or six years, two-thirds of humanity has gone online to the Internet, globally. Of those, almost all of them are also users of social media. In fact, for many countries, such as Burma/Myanmar, Bangladesh, and others, the first contact that individuals have had with the Internet has been through Facebook. Moreover, more than 50% of this online population is under the age of 25. These are first-time voters.

Last year, we were asked to do a study for the UN in Bangladesh looking at terrorist use of the Internet, and what we found was quite predictable. There are terrorist communities that use the Internet, that speak violent, terrible things, that spread propaganda, but ultimately these groups are quite small.

What we did find, however, on a much larger scale, is that mainstream political parties are now using the Internet and social media as a focus group. They're effectively putting out messages and seeing whether these accrete some form of popular support. What that has meant is that there has been a gradual mainstreaming of extremism across the political spectrum. If that sounds familiar, it should, because the very same kinds of patterns have impacted Canadian politics and also the politics of countries such as our neighbours south of the border.

Why this is important is that, if we focus on the impact of the Internet simply from the point of view of the meddling of international states, we miss a very, very important aspect of how the Internet is changing politics within our own countries, absent any kind of foreign interference.

I'll just leave you with a couple facts.

From testimony given to the U.S. Senate intelligence committee, we know that combined campaigns of Hilary Clinton and Donald Trump spent $81 million on Facebook advertising during their campaigns. That is money that was spent on Facebook ads, absent political action committees. The same testimony indicated that the Russian Internet research bureau, out of St. Petersburg, spent approximately $46,000 on Facebook ads. Even if we inflate that figure up to $1.5 million, say, we're talking about a very, very different percentage of money. Unless we're prepared to attribute the fact that the Russians are much cleverer about political messaging than U.S.-based political operatives are, who are trying to get their constituents elected, we have to be very careful in the way we look at foreign interferences or meddling being a decisive factor in international relations. That's not to say this didn't happen.

How does all of this relate to NATO's position vis-à-vis cyber? First of all, it's important to recognize that the vulnerabilities I have just described are vulnerabilities that we all share, and have have very little to do with an external threat but a lot more to do with a threat that was ascribed in a Pogo cartoon in 1936, which simply stated, “We have met the enemy, and he is us.” Unless and until we're able to shore up our own domestic regulatory environment, being able to deal with the potential impact of a volatile external actor becomes more and more difficult.

Moreover, the problems of defending cyberspace, which I described in the three 90 per cents, essentially hit every single NATO country. The additional challenge we have is that NATO's interoperability and the development of appropriate doctrines on the military side to address how we deal with these vulnerabilities are simply underdeveloped, and yet they're occurring at a moment when we have a period of grand confrontation with a particular peer actor.

It's important to recognize that Russia is only among what IISS has identified as 140 countries currently developing cyber capabilities. This means that the spectrum of threat is much, much larger than a single country in itself. Moreover, it's also important to recognize that, since 1997, the Russian Federation has been one of few states that have used the UN mechanism to try to define a pathway for addressing stability in cyberspace through a treaty-based approach that addresses issues both above LOAC—law of armed conflict—and below LOAC.

Why is this important to deal with right now? Although I don't have recommendations for the committee on what we should do, there are certainly clear things that we should not be doing. These include, for one, not degrading the operation of confidence-building measures that give us an opportunity to discuss the impact of a cyber on interstate relations between NATO and among NATO countries writ large, and, two, not cutting off channels for engagement to be able to discuss these issues and find common ground.

This is important for a number of reasons, but perhaps one of them is most important for us to consider. The Russian Federation, which is the object of most of our concerns in the cyber domain, has very clearly linked the escalatory ladder between cyber and nuclear. For them, this is an area where they see the threat to national security spanning two critical domains.

We spent many years prior to and after 1989 creating confidence-building measures in the nuclear security chain. Nunn-Lugar is one manifestation of legislation in the U.S. They put in place multiple points of discussion, multiple breakwaters, if you like, for us to be able to deal with this issue. Those are now being rolled back, and they're not being replaced by anything.

Moreover, we have not had an active channel to discuss cyber issues with the Russians for a number of years, either bilaterally, or, more importantly, within a multilateral session. If there is one thing we should not be doing, it is engaging in an escalatory ladder without thinking through our end game. What is it that we are trying to achieve? What constitutes deterrence in cyberspace, and is there such a thing if we've been unable to define, from a strategic point of view, what cyber means for us?

The most important thing is that absent a policy, we should not be entering into a game of chicken with a nuclear power without a strategy and a map for what we want, as a country and as an alliance.

Thank you.

The question pertains to this entanglement between the nuclear and cyber domains, as it pertains to the development of new classes of both nuclear weapons, as well as the actors that are involved. This isn't a physics lesson, but one of the characteristics of nuclear weapons, particularly thermonuclear ones, is their ability to generate an electromagnetic pulse.

Electromagnetic pulse weapons are weapons that have been optimized for that, and have the characteristic of being able to affect any electrical system that is not adequately protected. What that means for countries and economies that are now increasingly dependent upon the digital economy and digital technologies is that deterrence is not just defined by the ability to deter an actor who can create mass damage in the physical domain. We can threaten hundreds of cities with nuclear weapons, but a single nuclear weapon generating an electromagnetic pulse can create mass effects that would bring chaos across a wide range of infrastructure.

That means that the threshold for countries to effectively join an elite club and be able to hold the world's digital economy to ransom has become much, much less. North Korea doesn't have to pursue the creation of thousands of nuclear weapons in order to threaten the world. It needs a few nuclear weapons that are able to create this kind of effect.

Second, and perhaps more importantly from the perspective of NATO-Russia relations, both the Russian Federation and the United States are now modernizing their nuclear capabilities. That includes replacing decades-old command and control systems that previously operated in a much more robust analogue way. There are concerns that this modernization means that we are going to be implementing technologies that are, first of all, much more susceptible to effects that can be generated through nuclear weapons designed to effect an electromagnetic pulse, and, secondly, that one of the ways of effecting deterrence may no longer be simply nuclear, but may be cyber itself. In other words, a cyber-attack against the command and control infrastructure may be a better way of being able to deal with it than necessarily doing a one-for-one missile cap.

This entanglement is something that is now starting to come to the fore. It certainly came to the fore in the case of North Korea, but I would also caution that with the modernization of nuclear arsenals on both sides, this entanglement will only grow.

Thank you very much for that question.

The threat of hybrid warfare, as I said, is that it erases the traditional distinction between war and peace, and leads us into a world where everything is constantly contested, where domestic security is becoming as strategically important as the traditional defence of our borders. I am referring to the security of populations and critical infrastructures, the ability of our societies to function well, and the ability of people to lead their lives normally without being subject to threats.

In hybrid warfare, the focal point of defence shifts in a sense from our territory or borders to our populations. It even affect what is on the minds of our citizens. How do they perceive reality? What messages seem most credible to them? What confidence do they have in their leaders' abilities? In the past, NATO's role was fairly simple: it was simply to physically defend our borders. It now has a dual role. It must first defend our borders, which is still important, in particular with the growth of Russian forces in Eastern Europe. That is why you currently have nearly 500 Canadian soldiers deployed in Latvia. At the same time, we must become increasingly competent in analyzing threats to the smooth functioning of our societies.

What do we have to do? We are currently pursuing six avenues.

The first thing is intelligence. How can we better anticipate and detect this kind of hybrid threat and make a distinction between a spontaneous attack and a deliberately orchestrated attack? How can we more quickly and more accurately identify and define threats in order to respond? If we spend months talking just to conclude that something that walks like a duck and talks like a duck is in fact a duck, we will be overtaken by the speed of events. So the first thing is to improve our anticipatory intelligence capabilities.

The second is crisis management. Can we make decisions quickly, in real time? Intelligence is very important, but do we have a series of special intervention measures planned in the event of crisis? How can we expand the tool box of measures we can take? As I said, there are diplomatic measures. For example, you learned this week of the expulsion of more than 100 Russian diplomats by various countries to protest the use of chemical weapons in Salisbury, England. So economic measures are needed, as well as a whole series of other measures that allow for a flexible response. At NATO, if we stick to the wording of article 5 of the treaty, we do of course have to wait for an actual war to be declared before we respond. So we need to increase the flexibility of our response options.

Third is strategic communication. Can we more effectively identify fake news and information operations and respond to them?

Next is the resilience of our infrastructures. How can we make our nuclear plants, electrical systems, and communications systems more resistant? That is also very important.

Finally, how can we be more effective in cyberspace and how can we learn from our partners? Take a country like Ukraine, which is an important partner to NATO. A lot hybrid tactics are used against that country. We have to help Ukraine, but at the same time learn from its experiences in order to prevent the same thing from happening to us.

It's a broad question, but I'll give you a small slice of it, which I think pertains specifically to the cyber-environment itself.

One of the interesting paradoxes is that some of the more successful employments of code-based attacks—if you want to call them that—against critical infrastructure over the last three years have effectively been the repackaging of NSA attack code that was stolen during the Shadow Brokers incident. For example, there was the takedown of the systems at Maersk's major maritime operations. It was repackaged code that was effectively employed.

I think one of the things we've seen from a perspective of looking at how Russia and other countries employ information operations is this. Let's focus on how Russia has done so. One of the things we've seen is that their ability to develop techniques, tradecraft, and process around employment of a cyber-operation has been quite significant. In other words, there's been an intentionality in what they've tried to do.

From a technical point of view, their sophistication really hasn't been anything different—larger or smaller—than what we've had. I think there's a reason why the Russians have done this. I think it's partially due to the fact that they feel there's a certain existential threat that has occurred as a result of NATO's growing resolve around Russia's claims along its borders. I think it's a hardening of Russian positions in general. Does it necessarily reflect a capability that is more sophisticated than what we have from a technological point of view? My answer would be no.

No, I don't think so. On the technical level, I'd say that the United States especially still is the paramount cyber-power in the world. I think that's quite undisputed.

In terms of the level of scope or openness to be able to experiment in the operational domain, I think the Russians have been much more promiscuous, so to speak. As a result, their ability to generate effects has been more evident, perhaps, than ours. That's not to say that NATO member countries haven't individually been able to mount very successful cyber-operations, both publicly known and less publicly known, but they've been different in political intent from those that have been run by the Russian Federation, hence why I think we spend a lot more attention focused on that.

First of all, yes, of course there is a diffusion of technology for a number of reasons. The first reason is that 30 years ago most of the advances came from the military industrial complex, as President Eisenhower would have called it. You remember the invention of the Internet, or Teflon from the space program.

Today, much of military know-how is coming from the civilian sector. Cyber is an example of that, as are artificial intelligence and social media. Also, of course, civilian technology is far more widespread around the world. More and more countries invest in it, naturally, for their economies. In terms of the military technology, I think we just have to recognize that fact.

The second fact is that many countries around the world have spent a lot of money on developing their own domestic R and D and military capabilities. Brazil now produces submarines and first-class aircraft. I saw a couple of days ago that even Saudi Arabia is intending now to start up its own autonomous defence industry. There are more and more countries below the level of the great powers, if you like, who are now selling advanced military equipment and know-how to each other. Brazil sells to South Korea. South Korea sells to Israel. There is going to be a diffusion in the world.

The other thing, of course, is that countries such as China—let's be frank—are investing in certain areas far more than we are. For example, in artificial intelligence, it's investing about four times what the United States is investing at the moment. China now has the world's biggest and fastest supercomputer, and to date China graduates about eight times more engineering Ph.D.'s from its universities than the United States.

That's not to say that they're all 10 feet tall, of course not: they have their weaknesses as well. That is something that we learned from the Cold War, where we systematically overestimated the Soviet Union for many years. But it does mean that we need to take our own science and technology much more seriously.

You've seen R and D levels decline in many NATO countries. You've even seen people openly criticizing the value of science, scientific evidence, and scientific knowledge. There's the idea that came out in the U.K. Brexit campaign, which was that we don't want to hear from experts any longer—we're tired of that. I think we also need to pay more attention to our own science and technology base.

In NATO, of course, we also need to look more intensively at the impact that artificial intelligence, bioengineering, and new drones and so on are having on our defence posture, and not just to raise our awareness—the ambassadors, for example, had an away day on artificial intelligence last week—but also to look at how these are going to affect the future.

By the way, if I may continue for just one second, don't forget also that the new technologies not only influence the conventional battlefield, such as artificial intelligence, but it may also mean more hybrid warfare as well. They play both in the external aspect, which I was talking about, and in an internal aspect. You can do a lot of things with it that you can't do with a tank, and that's why we need to look at these very seriously.

My own sense is that the free societies, provided they pay attention to this, will generally have the superior technology in the long run.

If you're looking for a world free of nuclear weapons, the U.K. is a good place to start. We have been working toward it, along with other allies within NATO, for some considerable time. However, it takes more than two to tango. You need people to agree that it's a good idea.

Part of the problem we have is that some countries, like North Korea, are emerging and developing their skills. We have tried to contain others, such as Iran, that have been working on developing their skills. We're very unsure about where Russia is going with its talk of creating new capability.

There is an increased tension about whether or not we are moving toward a different nuclear risk in the world today. We also have indications from Russia that commitment to non-use of first strike is not as strong as it used to be. As such, I think we have to be aware that we have to protect ourselves and that nuclear weapons are part of our arsenal. We're very clear that NATO is a defensive alliance and that there will be no first strike. But we also have to look at emerging economies and emerging threats where nuclear capability is being developed and try our best to make sure that this technology is limited and does not spread into areas where tension and conflict would be more likely to create a problem with the actual use of such weapons without agreements about non-use of first strike.

NATO's position remains NATO's position. As many of the American senators have said to you and to me, President Trump says what President Trump says, but the louder voice is what the alliance says.

You always need champions in any field. You need somebody who is going to drive the agenda.

Importantly, women, peace and security has almost morphed into gender, peace and security. There is a recognition now that gender is an issue not only in military activity and war but also within our politics, and how our politics are driven, as well as in who is in our military and who is going to be serving us and representing the values of our nations. It's happening on lots of different levels.

I hope that having someone who is going to focus on that agenda will mean that agenda will drive faster. You have to remember that in any alliance you are only able to go as fast as your slowest member. In some countries the issue of equality is not as advanced as it is in others. How we see women in the world, the military, and politics, and how we protect civilians—because the majority of civilians in any war zone are women, children, and the elderly—are critical questions we have to address.