Thank you, Chair.
Chair and members of the committee, I'm grateful for this invitation to appear and give testimony.
The terms of reference of your study touch on many facets of the cyber-threat, but I will focus on just one here in the five minutes I have for this opening statement, and that's the Russian invasion of Ukraine, which has provided important real-world insights into the ways in which cyber-weapons can and will be used in wartime in conjunction with more conventional military attacks.
This alignment was first exemplified in the Viasat hack of satellite-based Ukrainian communications on the opening morning of the Russian invasion. You've heard previous speakers from CSE mention that attack.
What do we know of events since February 24, 2022? Let me take you to two open-source studies. I've provided links to these studies to the clerk of the committee.
In June 2022, CSE's Canadian centre for cybersecurity produced a threat bulletin that catalogued significant Russian cyber-activity in conjunction with military attacks on Ukraine for the period from February 2022 through to May 2022.
Among the key judgments in that CSE bulletin were that the scope and severity of Russian cyber-operations were more sophisticated and widespread than had been reported in open sources and that, beyond the Ukraine theatre itself, Russian cyber-threat actors were engaged in widespread cyber-espionage campaigns against NATO countries and looking to develop further cyber-capabilities against such targets, including Canada.
In January 2023, the Ukrainian cybersecurity agency released a report—translated, fortunately, into English—using a methodology very similar to that employed by CSE, which documented the scale of Russian cyber-attacks and their alignment with conventional bombardments from February through to November 2022.
A key finding in the Ukrainian report concerns the ways in which Russian cyber-attacks have targeted energy infrastructure in Ukraine as part of a ramped-up Russian effort to destroy Ukrainian sources of civil power supply and undermine morale. According to the Ukrainian security service—SBU—report, Russia carried out on average more than 10 cyber-attacks on Ukrainian critical energy infrastructure per day in November of 2022.
Ukraine's cybersecurity leadership wants the world to recognize the reality of cyberwarfare as they have experienced it. They urge a common approach to cyber-aggression, the use of sanctions to undermine the cyber-capabilities of an aggressor, the need for enhanced sharing of information about cyber-threats and a clear designation of cyber-attacks on civilian critical infrastructure as a war crime, along with a determination to pursue accountability for such crimes.
How should Canada respond to this set of appeals? I would suggest the following.
First, ensure that CSE is able to provide the maximum possible aid to Ukraine in terms of signals intelligence and cybersecurity support.
Second, the Government of Canada should continue to provide financial support to ensure the resilience of Ukraine's cyber-systems.
Thirdly, along with our allies, we should be using targeted sanctions to undermine Russian state and proxy cyber-capabilities. I think we should also continue to document and publicly call out Russian cyber-aggression against Ukraine and NATO. I would urge us to take a lead role in supporting Ukraine's call to designate cyber-attacks on critical infrastructure as a war crime in international law and assist Ukraine to pursue accountability.
Finally, we should ensure that we maintain a robust capacity to monitor and learn from the use of Russian cyber-weapons against Ukraine. This should include research support for Canadian academic and NGO studies and engagement with expertise in the private sector.
We have learned three things from the Russian cyberwar against Ukraine. First, civilians are prime targets. Second, cyber-weapons are not precision munitions. Third, cyber-aggression knows no rules or bounds.
Worse still is what might be waiting in the wings: the looming possibility of another—I'm going to refer to this operation in Russian—NotPetya malware attack, with global ramifications. NotPetya was a Russian GRU—that is the military intelligence agency—hacker operation launched in June 2017 against Ukraine. It morphed out of control, as many of these malware attacks will do, crippling global container shipping. It was described by one Homeland Security adviser to the President of the United States as “the equivalent of using a nuclear bomb to achieve a small tactical victory”.
The cyber-nuke outcome is one we must strive to avoid, just as we strive to avoid escalation to nuclear war over Ukraine.
Mr. Chair, I'll conclude by saying that I hope this doesn't sound too much like Dr. Strangelove.
Thank you.