Evidence of meeting #49 for National Defence in the 44th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
Liberal
The Chair Liberal John McKay
Thank you, Professor Keenan. We don't generally get poetry about our own committee
Conservative
Liberal
The Chair Liberal John McKay
It's not nearly as good as that. I don't think we should be putting to votes the intelligence of either of the political persons mentioned, including the present company.
I noticed that you have a very interesting map behind you: submarine cables of the world.
Professor, School of Architecture, Planning and Landscape, University of Calgary, As an Individual
Yes, sir.
Liberal
The Chair Liberal John McKay
That in and of itself is a pretty interesting discussion. However, we're on to our next witness.
Mr. Rudolph, you have five minutes, please.
Alexander Rudolph Ph.D. Candidate, Department of Political Science, Carleton University, As an Individual
Mr. Chair and members, thank you for inviting me to speak here today.
I am Alexander Rudolph, a doctoral candidate at Carleton University and a Canadian Global Affairs Institute fellow. I am researching how and why countries develop the institutional means to conduct cyber-operations. As part of this research, I look extensively at Canada.
I'll divide my comments between two themes today: the cyber-threat domain and current trends in cyber-conflict; and Canadian cyber-defence.
The cyber-threat domain can best be described as existing in a perpetual state of conflict and tension. This is a result of its long-standing architecture, which, although improved over the years, is still very much present and can produce vulnerabilities and exploits. These vulnerabilities and exploits ultimately form the basis of malware in cyber-operations that we view as cyber-conflicts or cyberwarfare.
Right now, there are a few major trends to keep in mind.
The first is that no norms or international laws currently exist to address cyber-conflict and cyberwarfare. To be clear, this is not the stance of Canada and many NATO allies. Presently, there's no international regime or consensus on how to address international law in cyber-conflict.
The second is that ransomware has completely revolutionized how adversarial states and non-state actors view cyberspace. As an example, North Korea has been very prolific in using cyber-operations, particularly ransomware, to find ways to evade international sanctions, but this also overlooks how Russia and many other actors use ransomware in cyber-operations as well.
There's also the commodification of “zero days”. Zero days are unknown vulnerabilities in a system, computer or piece of software. The commodification of zero days and exploits has significantly contributed to the proliferation of cyber-capabilities and the ability to conduct cyber-operations. In particular, China mandates that all new vulnerabilities or zero days be reported to the government within two days. This is the first type of law of its kind, tending to go against existing norms in an industry that has generally favoured maximum protection of users.
I would be remiss if I did not mention Russia's unprovoked invasion of Ukraine and utilization of cyber-operations with near-simultaneous joint kinetic military operations. I want to echo the comments made at the previous meeting, but I also want to highlight the type of operations that have been most numerous. While the Viasat attack is quite noteworthy, there have also been at least 16 wiper malwares deployed into Ukraine to specifically target Ukraine to date. These are viruses that destroy data completely to prevent recovery. This is novel because it's not what most criminals do. The way they gain money is by holding data for ransom and extorting individuals. Wiper malware has the sole intention of destroying data in systems. It's noteworthy that 16 have been deployed, which is more than there have been in the past 20 years.
I'll now move on to Canadian cyber-defence and what all these trends mean for Canada.
In particular, Canada needs both a whole-of-government cybersecurity response and a very targeted cyber-defence response. Cyber-defence, in particular, includes the CSE and Canadian Armed Forces. Today, I'm going to focus on the Canadian Armed Forces.
The CAF is, in no way, prepared to face cyberwarfare in the event of a conflict. I further question to what degree they are able to even co-operate and work interchangeably with allies, including the United States.
The reasons for such are numerous, but I'll go over a few today.
At best, Canadian cyber-defence policy can be described as incomplete, ad hoc and inconsistent in strategy and definition with Canada's allies, particularly the United States. I will use CSE's definition of a defensive cyber-operation as an example. The way that CSE in Canada uses it, it generally refers to a purpose—to attack back or to respond to an active threat to Canada. This isn't traditionally how defensive cyber-operations are discussed or explained. They're generally not about an active response back.
While this is maybe just legal language, it creates difficulty in speaking with allies on the exact same topic when you're talking about defensive cyber-operations, which are traditionally just on one's own networks, similar to cybersecurity in many ways. If you're talking about offensive actions, it is a big disconnect between thinkers in Canada and allies on how cyber-operations are conducted and understood.
Liberal
The Chair Liberal John McKay
Mr. Rudolph, I think I'm going to have to ask you to get the balance of your presentation in during the questions. You're past the five-minute mark. I apologize for that, but it is what it is.
With that, Madam Gallant, you have six minutes, please.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
Thank you.
My first question would be for Dr. Keenan.
Should there be an open discussion and agreement in Parliament outlining the limits of use of AI for the military?
Professor, School of Architecture, Planning and Landscape, University of Calgary, As an Individual
Yes. I believe there should be. There is a policy on the responsible use of AI on the Canada.ca website. I read it and it's fine, except that it's dated 2021.
The first point I want to make is that you have to do this continuously. It's not one and done. There definitely should be a policy. I've consulted with my friends in industry, particularly Microsoft, because they've put many millions of dollars into ChatGPT. There are moves to ethical AI.
My suggestion would be that, yes, that should be done. It should be done in consultation with industry and academia.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
How should Parliament balance the safeguards from the dark side while encouraging the positive discoveries? How do you seek that balance?
Professor, School of Architecture, Planning and Landscape, University of Calgary, As an Individual
That's a million-dollar question. We'd all have the Nobel Prize if we knew that.
The answer is to keep track. I'll give you one little example.
Google has a search engine. We all know about it. By using Google, someone was able to find out the name of a young offender whose name was protected by a publication ban in an Ontario case. The way it worked was that so many people said, “Johnny Smith is a bad boy,” that when you Googled “Johnny Smith” and the heinous crime that happened, Google formed the association. When they were asked about that, Google said, “Oh, we didn't do it. None of us did this. We didn't break the publication ban”—but their algorithm did.
The point of that story is that you have to keep watching. You have to keep looking for examples like that. That was several years ago. I don't know that Google has actually done anything to cover themselves—you might ask them—when they potentially break a publication ban that's ordered by a judge.
It's continued vigilance.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
Mr. Rudolph, how does Russia use malware or ransomware during kinetic operations versus just for blackmail and money?
Ph.D. Candidate, Department of Political Science, Carleton University, As an Individual
I'll use one example from a recent invasion. They deployed what looked to be ransomware that was encrypting the system and saying, “Your system is now locked down and your data's encrypted. You now need to pay us x dollars.” Behind it, they were actually deploying wiper malware to destroy all the data.
It's always on a case-by-case basis. Russia in particular uses it to target specific systems and organizations during their invasions, while traditionally it's been used with the intelligence services in various ways to extort money.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
At what point should a company, the private sector, get in touch with somebody from government? When should the military be alerted that they have to harden their cybersecurity even more because there is an attack under way, and then link it to the possibility that it's just the beginning of an escalation for a kinetic interaction?
Ph.D. Candidate, Department of Political Science, Carleton University, As an Individual
It's always quite difficult to determine if it will lead to a kinetic response, as cyber-operations can be escalatory. It's oftentimes how it is combined with other efforts. A cyber-operation itself is not necessarily going to cause kinetic damage, but how states respond or use that operation in unison with kinetic operations is the great concern, which is what Russia has attempted to do in Ukraine.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
We have a new cybersecurity bill that has been proposed, but it's geared more towards civilians. Should there be another cybersecurity bill specifically to address your concerns for the military? Should it dovetail with the civilian cybersecurity? At what point does a civilian attack interface with military infrastructure? How can that happen? Has it happened?
Ph.D. Candidate, Department of Political Science, Carleton University, As an Individual
I can't comment if it has happened in Canada or not. You would need to ask the military if there have been any attacks on military infrastructure. It's often difficult to determine. With critical infrastructure, much of it is dual use. If it targets explicitly military infrastructure, I would consider that an attack on the military, but I would say that there needs to be another bill to address cyber-defence in the armed forces and CSE. There particularly needs to be a formal force and command structure that organizes CSE and the military, as it currently doesn't exist. It's very ad hoc.
Conservative
Liberal
Liberal
Darren Fisher Liberal Dartmouth—Cole Harbour, NS
Thank you, Mr. Chair.
Thank you, gentlemen, for being here.
When the Rogers system went down, I was on the way to Cape Breton, Nova Scotia, for work meetings. It basically shut down all our critical infrastructure. You couldn't get gas. You couldn't go to an ATM machine. Nothing was working. Then I think about Atlantic Canada when Fiona hit. Gone are the days of having a newspaper on your doorstep. You couldn't get news. You couldn't pay a bill. You couldn't do anything when our critical infrastructure went down because of Fiona.
I highlight those two examples essentially to show the reliance on our critical infrastructure and how important it is to everybody in every neighbourhood across the country and around the world.
I guess I'll go to you, Mr. Rudolph, first.
How can the federal government along with provinces and territories better protect and defend this critical infrastructure that is so absolutely necessary in the lives of Canadians?
Ph.D. Candidate, Department of Political Science, Carleton University, As an Individual
It's quite a big question. I will first state that there needs to be a lot more funding to the Canadian centre for cybersecurity and ways for the centre to interface with the rest of government and for the government to look to what the provinces need and what the federal government needs, as there are very different, diverse needs for both to provide services, as you mentioned, but also protect the government from threats.
The holistic cybersecurity response that I mentioned before would cover aspects of critical infrastructure that are needed, but the Canadian Armed Forces are still very much reliant upon many public systems, in part because their internal systems are very insufficient. There is flatly a need for greater funding and a need to address how to respond to bigger incidents like that and what role the Canadian centre for cybersecurity has in these, similar to how the Cybersecurity and Infrastructure Security Agency in the United States does.
Liberal
Darren Fisher Liberal Dartmouth—Cole Harbour, NS
When we think about emerging technologies, things that Canadians adopt on a mass scale, like cellphones and things like that, which trends represent the greatest cybersecurity risks? What initiatives could the federal government undertake to mitigate these risks when you think about smart phones and things like that?
Ph.D. Candidate, Department of Political Science, Carleton University, As an Individual
The use of ransomware, I'd say, affects phones just as much as our regular computers—and particularly with the proliferation of surveillance software, which many of you have probably heard of, such as Pegasus or NSO Group. The greater proliferation of these zero days and malware has made any piece of technology a target for potential profits or for targeting by adversarial states.
This is part of the constant tension that I referred to, and part of the responsibility of the government is to face these threats and to address criminals by working with allies to arrest and target some of the ransomware actors who were named yesterday, I believe it was, or the day before.
Canada, I would say, is currently a low-level player in this. They are helping.... CSE is well regarded around the world, but.... The Canadian Armed Forces could do more but simply can't. There are many other initiatives across the government that could look to what they are really contributing to their own department's cybersecurity and the constituents they're helping.
Liberal
Professor, School of Architecture, Planning and Landscape, University of Calgary, As an Individual
Were you inviting me?
