National Defence Committee on Feb. 10th, 2023

Yes, sir.

Mr. Chair and members, thank you for inviting me to speak here today.

I am Alexander Rudolph, a doctoral candidate at Carleton University and a Canadian Global Affairs Institute fellow. I am researching how and why countries develop the institutional means to conduct cyber-operations. As part of this research, I look extensively at Canada.

I'll divide my comments between two themes today: the cyber-threat domain and current trends in cyber-conflict; and Canadian cyber-defence.

The cyber-threat domain can best be described as existing in a perpetual state of conflict and tension. This is a result of its long-standing architecture, which, although improved over the years, is still very much present and can produce vulnerabilities and exploits. These vulnerabilities and exploits ultimately form the basis of malware in cyber-operations that we view as cyber-conflicts or cyberwarfare.

Right now, there are a few major trends to keep in mind.

The first is that no norms or international laws currently exist to address cyber-conflict and cyberwarfare. To be clear, this is not the stance of Canada and many NATO allies. Presently, there's no international regime or consensus on how to address international law in cyber-conflict.

The second is that ransomware has completely revolutionized how adversarial states and non-state actors view cyberspace. As an example, North Korea has been very prolific in using cyber-operations, particularly ransomware, to find ways to evade international sanctions, but this also overlooks how Russia and many other actors use ransomware in cyber-operations as well.

There's also the commodification of “zero days”. Zero days are unknown vulnerabilities in a system, computer or piece of software. The commodification of zero days and exploits has significantly contributed to the proliferation of cyber-capabilities and the ability to conduct cyber-operations. In particular, China mandates that all new vulnerabilities or zero days be reported to the government within two days. This is the first type of law of its kind, tending to go against existing norms in an industry that has generally favoured maximum protection of users.

I would be remiss if I did not mention Russia's unprovoked invasion of Ukraine and utilization of cyber-operations with near-simultaneous joint kinetic military operations. I want to echo the comments made at the previous meeting, but I also want to highlight the type of operations that have been most numerous. While the Viasat attack is quite noteworthy, there have also been at least 16 wiper malwares deployed into Ukraine to specifically target Ukraine to date. These are viruses that destroy data completely to prevent recovery. This is novel because it's not what most criminals do. The way they gain money is by holding data for ransom and extorting individuals. Wiper malware has the sole intention of destroying data in systems. It's noteworthy that 16 have been deployed, which is more than there have been in the past 20 years.

I'll now move on to Canadian cyber-defence and what all these trends mean for Canada.

In particular, Canada needs both a whole-of-government cybersecurity response and a very targeted cyber-defence response. Cyber-defence, in particular, includes the CSE and Canadian Armed Forces. Today, I'm going to focus on the Canadian Armed Forces.

The CAF is, in no way, prepared to face cyberwarfare in the event of a conflict. I further question to what degree they are able to even co-operate and work interchangeably with allies, including the United States.

The reasons for such are numerous, but I'll go over a few today.

At best, Canadian cyber-defence policy can be described as incomplete, ad hoc and inconsistent in strategy and definition with Canada's allies, particularly the United States. I will use CSE's definition of a defensive cyber-operation as an example. The way that CSE in Canada uses it, it generally refers to a purpose—to attack back or to respond to an active threat to Canada. This isn't traditionally how defensive cyber-operations are discussed or explained. They're generally not about an active response back.

While this is maybe just legal language, it creates difficulty in speaking with allies on the exact same topic when you're talking about defensive cyber-operations, which are traditionally just on one's own networks, similar to cybersecurity in many ways. If you're talking about offensive actions, it is a big disconnect between thinkers in Canada and allies on how cyber-operations are conducted and understood.

Yes. I believe there should be. There is a policy on the responsible use of AI on the Canada.ca website. I read it and it's fine, except that it's dated 2021.

The first point I want to make is that you have to do this continuously. It's not one and done. There definitely should be a policy. I've consulted with my friends in industry, particularly Microsoft, because they've put many millions of dollars into ChatGPT. There are moves to ethical AI.

My suggestion would be that, yes, that should be done. It should be done in consultation with industry and academia.

That's a million-dollar question. We'd all have the Nobel Prize if we knew that.

The answer is to keep track. I'll give you one little example.

Google has a search engine. We all know about it. By using Google, someone was able to find out the name of a young offender whose name was protected by a publication ban in an Ontario case. The way it worked was that so many people said, “Johnny Smith is a bad boy,” that when you Googled “Johnny Smith” and the heinous crime that happened, Google formed the association. When they were asked about that, Google said, “Oh, we didn't do it. None of us did this. We didn't break the publication ban”—but their algorithm did.

The point of that story is that you have to keep watching. You have to keep looking for examples like that. That was several years ago. I don't know that Google has actually done anything to cover themselves—you might ask them—when they potentially break a publication ban that's ordered by a judge.

It's continued vigilance.

I'll use one example from a recent invasion. They deployed what looked to be ransomware that was encrypting the system and saying, “Your system is now locked down and your data's encrypted. You now need to pay us x dollars.” Behind it, they were actually deploying wiper malware to destroy all the data.

It's always on a case-by-case basis. Russia in particular uses it to target specific systems and organizations during their invasions, while traditionally it's been used with the intelligence services in various ways to extort money.

It's always quite difficult to determine if it will lead to a kinetic response, as cyber-operations can be escalatory. It's oftentimes how it is combined with other efforts. A cyber-operation itself is not necessarily going to cause kinetic damage, but how states respond or use that operation in unison with kinetic operations is the great concern, which is what Russia has attempted to do in Ukraine.

I can't comment if it has happened in Canada or not. You would need to ask the military if there have been any attacks on military infrastructure. It's often difficult to determine. With critical infrastructure, much of it is dual use. If it targets explicitly military infrastructure, I would consider that an attack on the military, but I would say that there needs to be another bill to address cyber-defence in the armed forces and CSE. There particularly needs to be a formal force and command structure that organizes CSE and the military, as it currently doesn't exist. It's very ad hoc.

It's quite a big question. I will first state that there needs to be a lot more funding to the Canadian centre for cybersecurity and ways for the centre to interface with the rest of government and for the government to look to what the provinces need and what the federal government needs, as there are very different, diverse needs for both to provide services, as you mentioned, but also protect the government from threats.

The holistic cybersecurity response that I mentioned before would cover aspects of critical infrastructure that are needed, but the Canadian Armed Forces are still very much reliant upon many public systems, in part because their internal systems are very insufficient. There is flatly a need for greater funding and a need to address how to respond to bigger incidents like that and what role the Canadian centre for cybersecurity has in these, similar to how the Cybersecurity and Infrastructure Security Agency in the United States does.

The use of ransomware, I'd say, affects phones just as much as our regular computers—and particularly with the proliferation of surveillance software, which many of you have probably heard of, such as Pegasus or NSO Group. The greater proliferation of these zero days and malware has made any piece of technology a target for potential profits or for targeting by adversarial states.

This is part of the constant tension that I referred to, and part of the responsibility of the government is to face these threats and to address criminals by working with allies to arrest and target some of the ransomware actors who were named yesterday, I believe it was, or the day before.

Canada, I would say, is currently a low-level player in this. They are helping.... CSE is well regarded around the world, but.... The Canadian Armed Forces could do more but simply can't. There are many other initiatives across the government that could look to what they are really contributing to their own department's cybersecurity and the constituents they're helping.

Were you inviting me?