Canada's Military Gets More Cyber, and the Headaches That Come With It
Alex Grigsby is the assistant director of the Digital and Cyberspace Policy program at the Council on Foreign Relations.
Earlier this month, Canada released a white paper that set outs the country's defense policy for the next twenty years. The headlines have focused on the massive spending increase, mostly to placate President Trump, who has criticized NATO countries for not pulling their own weight. The government intends on increasing the Canadian Forces' budget by 70 percent--mostly to buy big ticket items like eighty-eight fighter aircraft to replace its aging CF-18 (a variant of the U.S. F/A-18 Hornet) and six arctic patrol ships, and to grow the regular force by 3,500 to a total of 71,500, and to add 1,500 to the reserves.
Beyond the new toys and quintessentially Canadian hand wringing about the role the military should play in peacekeeping missions, the white paper signals a shift in Canada's approach to cyberspace. For the first time, the government has acknowledged that the Canadian Forces will build an offensive cyber capability deployable in support of government-authorized military missions.
Canada has had the ability to engage in offensive cyber operations for a while now, depending on how you define them. The country's signals intelligence agency, Communications Security Establishment (CSE), breaks into foreign networks to extract foreign intelligence all the time, much like its other Five Eyes partners. It also supports the Canadian Forces with intelligence support when on deployment, as it did when Canadian troops were deployed to Afghanistan and in contributions to combating the self-declared Islamic State.
Traditionally, the Canadian Forces have been limited in cyberspace to protecting their own networks and personnel online, akin to what the U.S. military does to protect the .mil domain. That limitation was partly the result of a policy impasse but was also dictated by capacity. On the policy front, the creation of U.S. Cyber Command in 2009 sparked a debate whether something similar should be created north of the border. No decision was made. On the capacity front, the majority of the offensive cyber expertise in Canada rests with CSE, and to a lesser extent the Canadian Security and Intelligence Service. Building an offensive capability within the Canadian Forces would be like robbing Gord to pay Paul.
Although the government has jumped over the policy hurdle by signalling the Forces' offensive role, it's still unclear how they're going to fill the capabilities gap. There's nothing in the white paper that mentions how much of the new 3,500 regular troops and 1,500 reservists will be dedicated for cyber operations. There also is no mention of how much of the 70 percent budget increase will be allocated to cyber operations. For the time being, it's safe to assume the Forces will continue to rely on CSE, especially considering that Canada's SIGINT agency's powers are expanding to conduct disruption and influence activities in cyberspace. It will take a few years for the Canadian Forces to build up their offensive capabilities and credibility.
But even when it does eventually gets up to speed, Canada is likely to confront the same problems the United States and others have faced when launching military cyber operations. It has been over a year since the United States started dropping "cyber bombs" on the self-declared Islamic State, and news reports indicate that the results are mixed at best. The nature of cyberspace means that many of the tools at a warfighter's disposal are only as good as the enemy's patch cycle and the cost of cyber weapons can't be amortized over time. Nor are cyber operations the easiest to deploy. The distributed nature of the internet means that efforts to take down ISIS propaganda, disrupting their communications, or altering their payroll data could mean accessing servers in Poland, the United Arab Emirates, or the Philippines--all of whom would want a heads up if the Pentagon or Canadian Forces were about to mess around in their respective jurisdictions.
By being the latest nation to signal an offensive cyber capability within its military, Canada is joining the ranks of the United States, United Kingdom, Russia, and China. It's also inheriting a set of logistical and diplomatic headaches that its close allies have yet to figure out. I hope the country's generals and senior defense officials have Advil by their side.