By Brian Lee Crowley, April 1, 2024
This article is based on Dr. Crowley’s CCOLA talk delivered in April 2024.
Part 1: Introduction and Urgency
When the organizers of this event and I were discussing what I might talk about, I mentioned that one of the things that most preoccupies me these days as the head of a think tank entirely focused on Canadian public policy issues at the national and international level, is cybersecurity.
Canadians have traditionally regarded themselves as safe from many of the dangers the world faces because they were far away. Yet information technology, in annihilating distance, has brought all of the world’s troubles to our doorstep, including terrorism and organized crime. Cybersecurity is no longer just about keeping data safe. It is about the dark side of information technology, and the challenge of how to enjoy IT’s benefits while keeping its dangers within manageable limits.
Now I understand completely that, as Michael Nesbitt of the University of Calgary says, everything feels like national security today: terrorism, war, conflict and cyber warfare, foreign interference in our institutions such as elections; pandemics; espionage, and treason are all the traditional preoccupations of those who care about national security, but to this list we must now add supply chains, migration, and the environment, to pick only a few that are now in the news every day.
So what, then, is national security? Surely it can’t just be “everything” – or at least that can’t be the primary lens through which we see everything? Traditionally, we might say national security is the study of low-probability threats with very high risk/impact outcomes.
But that can’t be true anymore, because cyber intrusions around election and foreign interference aren’t low-probability; they’re virtually guaranteed – and no that is not a pun. The same virtual guarantee applies to the intervention of malign foreign actors in domestic political debates around things like pipelines and energy production.
So, as Professor Craig Forcese says, what we are looking at is anything that poses “serious, plausible threats of substantial harm.”
The purpose of national security, then, is to “preserve the country’s ability to identify and to counter future threats with equal or greater effect,” while ensuring that the activities taken in pursuit of this objective are: “1) lawful; 2) necessary; 3) effective; 4) efficient; and 5) proportionate to the threat.” Put another way, we need to protect Canada’s values and interests in ways that uphold both Canada’s values and interests.
If I plant only one idea in your mind this evening, let it be the existence of a relentless onslaught of cyber threats orchestrated by malign actors both foreign and domestic – actors who are sometimes criminals, sometimes representatives of adversarial states, and sometimes both. The digital world has become a breeding ground for malicious intent, with our adversaries exploiting every vulnerability: manipulating information and undermining our national security with unprecedented frequency and precision, and probing and then exploiting our weaknesses. And, as I will show, Canada, along with other middle powers, is more vulnerable than most – and our capacity to respond is declining, not improving.
History has taught us that we are capable of creating remarkable tools, yet these same tools can be wielded as weapons in the hands of those who seek to sow chaos and discord. The internet, hailed as a beacon of knowledge and connectivity, has been twisted by nefarious players to spread misinformation, infiltrate our critical infrastructure, and erode the trust upon which our democratic institutions are built.
Let me be clear: the threats we face are not merely hypothetical scenarios or distant possibilities. They are real, they are imminent, and they demand our immediate attention. The recent events unfolding in Ukraine serve as a chilling reminder of the ruthlessness of our adversaries and the grave consequences of underestimating their capabilities.
But what exactly are we talking about? What is at stake? What is Canada’s exposure or vulnerability? In short, why should we care?
Let’s begin with a non-cyber example. All of you will doubtless have seen the news about the collision between a freighter and the Francis Scott Keys Bridge in Baltimore, which caused the bridge to collapse. That collision was caused by the freighter’s loss of power while navigating through the Port of Baltimore, a crucial piece of infrastructure. The cost merely to replace the bridge, and the associated costs of disruption, are pegged at roughly US$4 billion, only 10 per cent of which is for the replacement of the bridge per se. It is potentially the largest marine insurance claim in history.
This collision was not caused by a cyber attack, but as IT becomes ever more deeply embedded in everything that we do, it could easily have been a cyber attack – and be quite certain that our adversaries are studying this, as well as other accidents that could serve as models or inspiration for future cyber attacks.
The point is, a single accident like this (or the blocking of the Suez Canal by a different freighter a few years ago, obstructing one of the world’s great commercial arteries) can have huge ramifications, not just on military security but on our economic security and our standard of living.
By contrast, I wonder how many of you are even aware of the largely invisible cybersecurity crisis facing the US healthcare sector? Change Healthcare, a subsidiary of UnitedHealth Group, is a critical piece of the American system handling billings for most of the healthcare insurers in that country. A ransomware attack has paralyzed payment systems across the United States to the tune of US$1 billion a day, while also threatening the integrity of health records for millions of patients. The ripple effects of this cyberattack extend far beyond financial losses, posing significant risks to patient care and safety. We cannot afford to overlook the critical importance of cybersecurity in safeguarding our healthcare infrastructure and protecting the health and well-being of our citizens.
Note, by the way, that such a ransomware attack may be the work of a foreign state, such as North Korea, which uses such ransomware to fill its state coffers. But it may equally be the work of foreign (or domestic) criminal elements, who simply see cyber vulnerability as an opportunity for criminal enrichment. Cyber is not the sole province of states, and the obscurity of the cyberworld makes the uncertainty of attribution of attacks particularly troubling.
US national security leaders have warned about a significant shift in Chinese cyber activities, particularly through a group known as Volt Typhoon. This group has been targeting critical US infrastructure, posing threats to water, power, and rail services. This evolution underscores the sophisticated nature of state-sponsored cyber threats and highlights the urgent need for strategic reassessment and infrastructure resilience. It is imperative that we prioritize intelligence gathering, offensive countermeasures, and strategic collaboration to effectively confront these evolving cyber challenges.
Cyber weapons are analogous to kinetic weapons – they are components of cyber operations, cyberattacks and ultimately cyberwarfare. Cyber weapons are developing rapidly, and their impact and potential are poorly understood, both at the technical and military level, especially by governments. At present, therefore, the main consequence of the existence of cyber weapons, and cyber operations, is uncertainty. Policy is embryonic; so, rules of engagement range from ad hoc to inconsistent. This is dangerous, as the late 1950s were dangerous for the Soviet Union and the United States: It would be easy for a cyber-incident to spiral out of control because of unintended consequences, with deleterious implications for collective security. However, nuclear attacks are a last strike weapon while cyber attacks might be considered a first strike weapon. Military systems are under constant attack from sources ranging from the trivial, so-called “script kiddies,” up to other states and sophisticated non-state actors, and it is inherently difficult to separate the wheat from the chaff.
In case this feels abstract and unreal, let me follow the example of Michael Nesbitt and offer you a series of ways in which we can illustrate the personal vulnerability cyber-attacks represent to every person in this room. This list is highly selective and is only suggestive of the scale of the problem we face.
- From 2013 to 2016, Yahoo was hacked (by Russia), affecting 3 billion user accounts.
- In July 2021, 60,000 companies had their data breached in a hack of Microsoft Exchange blamed on China.
- First American Corp had 885 million file records leaked in 2019.
- Facebook has been attacked, for example in April 2021, exposing over 530 million users worldwide.
- LInkedIn, too: 700 million user records affected in 2021.
- Going back to 2014, Home Depot was hacked, revealing 56 million payment card numbers and 53 million email addresses.
- Marriott hotels 2018: 500 million guests, names, home addresses, email addresses, DOB, gender, credit card info.
- Ebay, Equifax, Target, CapitalOne, 23AndMe – the latter, based on a saliva sample, creates personalized genetic reports on everything from ancestry composition to traits to genetic health risks. Hackers got the data of 7 million users. As an aside: you know who is building the biggest DNA base in the world? China.
- Alibaba – 1.1 billion users; British Airways too.
All of these examples can tell a shocking story of the scale and complexity of attacks, and of the personal information that can be gathered and used to commit fraud, or put together methods of influence and interference associated with individuals. Certainly this matters for your own personal awareness: if you haven’t, go home and change your passwords and consider a VPN.
This audience, of course, is tied to the public sector in Canada, and so in addition to the personal and economic security angles I have covered, you might be interested in some of the Canadian public sector instances that can be adduced to show that sector’s vulnerability:
- In January, Foreign Affairs Canada was hit by a cyberattack, the second in two years. Best guess is Russia or China was behind one or both. (The US announced last year that China had been fishing around in its computers for some time.)
- In 2023, PMO and Senate websites were disabled.
- FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) was also hit by an attack not long ago.
- But it’s not just the big fish: the small town of Huntsville, Ontario, was hit by an attack earlier this month; universities have likewise suffered attacks; as of course have Canadian businesses big and small, and individuals.
What about the national microbiology lab in Winnipeg fiasco? The two scientists implicated were sharing IP and accessing electronic information about research and accused of using it to aid China – and China’s military in particular. This, too, is a failure of cyber-security.
The risk of targeting extends to people like you and me and people that we know. Ask yourself a few pertinent questions: do you know or talk to people making important business, justice, or political decisions? Do you make important economic or policy decisions yourself, or have the ear of that person by virtue of friendship or your job? Are you an advocate for a community or idea, one that speaks out to the next generation, to newspapers, and/or to Parliament? Do you have access at work to propriety research and information? Students in labs and university professors and think tank heads, in other words, are equally targets, and often accessed with greater ease yet of a similarly high value. Just consider that nine of my institute’s senior fellows, as well as the institute as a whole, have all been sanctioned by the Kremlin. MLI has been denounced by Beijing. We would be foolish not to think that cyber threats come in the wake of such overt actions.
America’s Cybersecurity and Infrastructure Security Agency, along with other of our democratic allies, has issued warnings of heightened cyber activity emanating from Russia, with Canada squarely in the crosshairs. The scope and sophistication of these attacks far exceed what has been publicly reported, posing a clear and present danger to our critical infrastructure, our economy, and our way of life.
The cyber-threat landscape is evolving at an alarming pace, with state-sponsored actors honing their capabilities to disrupt, dismantle, and destroy. Our adversaries are not bound by geographical boundaries or ethical constraints. They operate with impunity, exploiting every vulnerability to achieve their strategic objectives.
But perhaps the most concerning aspect of this threat is the insidious nature of disinformation campaigns designed to sow division and undermine public trust. Our adversaries have weaponized information – infiltrating social media platforms, spreading falsehoods, and amplifying extremist voices to manipulate public opinion and erode the very foundation of our democracy.
In the face of this serious threat, we must act decisively and resolutely. We must strengthen our cybersecurity defences, enhance our intelligence capabilities, and forge robust partnerships with our international allies to confront this menace head-on.
But let me be clear: government action alone is not the solution. We must embrace a whole-of-society approach that harnesses the collective expertise of government, industry, academia, and civil society to safeguard our digital and other infrastructure, and the integrity of our institutions and economy, all while protecting our shared values.
It is urgent that we act now. The stakes could not be higher, and the consequences of inaction are dire.
Part 2: The Dangers and Vulnerabilities for Canada
The expanding use of cyber operations amid broadening geopolitical instability has particular implications for traditional middle powers, notably Canada, Australia, Norway, and the Netherlands, among others.
They occupy privileged positions at the core of the global political economy but have limited ability to shape the geopolitical environment and few resources to protect and project their national interests. Many of the world’s most influential middle powers are also long-standing US allies, have high levels of digital connectivity, strong knowledge-based economies, leading research institutions, and membership in coveted multilateral groupings and security alliances.
Compounded by their relatively limited hard-power capacities, middle powers like us represent low-risk, high-reward targets for exploitation by adversaries in cyberspace. Middle powers thus have strong incentives but limited capacity to prevent the cyber-enabled degradation of their sovereignty, stability, and economic competitiveness.
As in so many other fields, this means that Canada can and must work with other like-minded countries to achieve our objectives in cyber-security. But alas, the message we have been sending to our friends and allies is that we do not take national security as a whole seriously and are unable or unwilling to invest the resources necessary to play a role proportionate either to the risks we run or to the resources others are devoting to the problem.
Many people do not realize the extent to which, say, Canada’s failure to honour its NATO commitments is related to these issues. We are now barely middle-of-the-pack among NATO nations in terms of our honouring our promise to spend two per cent of GDP on defence. The intelligence community in the West is painfully aware of the extent to which foreign adversaries see Canada as a soft target that Canadians are doing little to protect. Yet precisely because middle powers lack the resources to go it alone (unlike superpowers like the US, China, and Russia, and older great powers like Britain, France, and Germany) having the full confidence and trust of our allies is the condition of being able to participate in their collective cyber-defences.
In the cyber field information and intelligence are king, but here, too, Canada is losing authority and credibility. We depend centrally, for example, on the Five Eyes intelligence gathering and sharing alliance, where we are more intelligence takers than intelligence makers. But leaks from sources such as the Pentagon paint a disturbing image of allies not just losing faith in Canada but seeing our country as an active source of risk, in that intelligence shared with us may not be secure. There are murmurings of an attempt to reduce the Five Eyes to the Three Eyes of the US, UK, and Australia, the latter proving that the problem is not one common to all middle powers.
Nor are our friends wrong to see us as a weak link that is a free rider on the cyber intelligence and security efforts of others. Look, for example, at Harvard’s Belfer Center’s 2022 National Cyber Power Index. In it we can see that Canada, which in 2020 was in the Top Ten Cyber Powers, in two short years had fallen 5 ranks to 13th while adversaries like Russia and Iran moved up the rankings and North Korea was just behind us.
Speaking of North Korea, they were ranked by Telfer the Number One Financial Cyber Power in the world, as befits a criminal regime that pays its way in the world through sanctions-busting and looting financial institutions.
Other adversaries, such as China and Russia, achieve top rankings in areas such as surveillance and use of cyber to promote national commerce and prosperity. Our friends and allies do well, particularly the US, UK, Australia, and France – but that only underlines the vital importance of our maintaining the trust of these allies, on whom we will become increasingly dependent for the means to protect ourselves from cyber thieves, thugs and bullies.
According to the Belfer Report, it is clear that states seek to not only destroy and disable an adversary’s infrastructure and capabilities, but also to strengthen and enhance national cyber defences, gather intelligence in other states, grow national cyber and commercial technology competence, control and manipulate the information environment, and extend their influence through defining international cyber norms and technical standards. On virtually all these measures, Canada is falling behind. One measure particularly leapt out at me, namely the one that measures a country’s participation in defining and adopting the rules to try to tame the dangers represented by cyber. On this measure Canada ranks an appalling 23rd out of 30 nations ranked, a measure of the lack of seriousness that we bring to the whole discussion.
Part 3: Scale and Determination of Attackers
Foreign state actors, particularly Russia, China, Iran and North Korea have demonstrated a relentless commitment to exploiting our vulnerabilities and undermining our national security for their own strategic objectives.
The recent invasion of Ukraine by Russia serves as a stark reminder of the lengths to which these adversaries are willing to go in pursuit of their geopolitical ambitions. Beyond the conventional battlefield, cyberspace has emerged as a critical domain for waging hybrid warfare, where the lines between state-sponsored espionage, cyber sabotage, criminal activity and disinformation blur with alarming ease.
The Canadian Centre for Cybersecurity’s warning of extensive cyber operations linked to the Russian invasion of Ukraine underscores the gravity of the situation. These sophisticated and widespread cyber campaigns, targeting not only Ukraine but also other NATO countries as well as Canada, pose an imminent threat to our critical infrastructure, economic stability, and democratic institutions.
The recent bulletin from the Canadian Centre for Cybersecurity highlights the heightened cyber espionage targeting NATO countries, indicating a concerted effort by Russia to gather intelligence and disrupt allied operations. This aggressive posture, coupled with Russia’s growing collaboration with other authoritarian regimes like China, poses a serious threat to our national security and collective defence.
Furthermore, the interconnected nature of our globalized world means that the consequences of these cyber attacks extend far beyond our borders. A successful breach of our critical infrastructure could have cascading effects, disrupting supply chains, undermining economic stability, and compromising our ability to respond effectively to emerging threats.
Leaks revealing China’s cyberespionage efforts shed light on the expansive arsenal aimed at international targets, while the Biden administration’s response shows that at least some in the West grasp the strategic imperative to safeguard our critical infrastructure.
We must strengthen our alliances and partnerships with like-minded nations to coordinate our response and share intelligence on emerging threats. By standing united against our common adversaries, we can send a clear message: that attempts to undermine our democracy, compromise our security, and violate our sovereignty will not go unpunished.
The scale and determination of foreign state attackers demand a robust and active response from Canada and its allies. It will only be through a strategy of innovation, collaboration, and resilience that we will have any hope of safeguarding our digital future and preserving the values and institutions that define us as a nation. On the current showing, however, Canada is far from meeting this challenge and we are being left behind by our allies and our adversaries.
Part 4: Potential Solutions
Building upon the insights provided by experts at MLI like Christian Leuprecht, Peter Menzies, and Cristian Worthington, as well as Michael Nesbitt, whom I have acknowledged several times in this talk, I have a few suggestions about how to rise to the challenge posed by the threats I have described and strengthen our cyber defences.
There are differences between kinetic and cyber attacks, and it’s crucial for us to recognize the unique characteristics of cyberspace as a distinct domain of operation. Unlike kinetic weapons, cyber weapons neither shoot things nor blow them up. They use information, technology, and networks to generate effects. Why would an adversary attack us militarily, using conventional weapons, when they can infiltrate our society, institutions, networks, etc. to call into question our security and public safety, corrode our social fabric, deprive us of our prosperity, and delegitimize our democratic and public institutions?
This qualitative difference between kinetic and cyber presents a range of policy challenges, from deterrence to attribution and response. Offensive cyber weapons, while capable of achieving similar effects to those of traditional weapons, work in different environments and are relatively cheap, making them a first-strike capability rather than a last resort.
Democracies, guided by deliberate rule-of-law processes, seek to develop doctrines and rules of engagement to govern their use, distinguishing themselves from other actors in the cyber domain. As states grapple with the complexities of cyber warfare, the need for a strategic framework to contain and deter their use becomes increasingly apparent, emphasizing the importance of understanding the collective-security and defence implications for policymakers. It is precisely in this area that the Belfer rankings showed Canada to be especially absent.
So here are the main elements of a possible strategy:
First and foremost, we must continue to impose severe costs on Russia for its aggression against Ukraine. By supporting Ukraine’s sovereignty, independence, and territorial integrity, and working with our allies to uphold the rules-based international order, we can deter further acts of aggression and demonstrate our unwavering commitment to defending our shared values.
Next, recognizing our vulnerability and the necessity of relying on like-minded allies, we must take all possible steps to reassure them that we are not a defence free-rider, that we can contribute significantly to collective cyber-security efforts and that intelligence shared with us is used intelligently and protected vigorously from the intelligence-gathering efforts of our adversaries. This means meeting the two per cent commitment to NATO, devoting more of our defence effort to cyber issues, and joining energetically with our allies in helping to define the legal, institutional, and other frameworks that will help to tame the dangers cyber represents without strangling the benefits information technology confers.
Beyond this, we must invest in accredited post-secondary cyber defence training programmes to cultivate a skilled workforce capable of defending against sophisticated cyber threats. By partnering with provincial and territorial governments, we can ensure that our cyber defence capabilities remain at the cutting edge of innovation and expertise. Then we must build our capacity actually to put these people to work. There is no point in training them if we don’t employ them strategically to complement the efforts of our friends and allies and obstruct the destructive and destabilising efforts of our adversaries.
In addition, we must enhance our National Cyber Security Strategy to ensure that operators and enterprises connected to critical infrastructure have the necessary resources and expertise to defend against and recover from malicious cyber activity. This includes establishing cyber-security standards, providing technical assistance, and reporting on compliance to ensure accountability and transparency.
To support small- and medium-sized enterprises in adopting cyber security standards, the Government of Canada should establish incentives such as accelerated capital cost allowances or other tax measures. By rewarding investment in cyber security, we can mitigate the risk of cyber attacks and protect the backbone of our economy from disruption.
Moreover, we must require critical infrastructure operators to prepare for, prevent, and report serious cyber incidents, with accompanying reporting timelines, technical assistance, and protections for sensitive information. By fostering a culture of cyber resilience and accountability, we can ensure that our critical infrastructure remains secure and resilient in the face of evolving threats.
Finally, we must maximize coherence, coordination, and timely action in relation to cybersecurity across the federal government. By streamlining cyber roles, responsibilities, and structures, and submitting annual reports to Parliament on these efforts, we can enhance our collective ability to detect, deter, and respond to cyber threats with agility and effectiveness.
The challenges posed by foreign state actors in cyberspace require a concerted and coordinated response from government, industry, and civil society. By implementing the recommendations outlined above, we can strengthen our cyber defences, protect our national security, and preserve the digital sovereignty of our nation while ensuring that Canadians continue to benefit from the freedoms and efficiencies that information technology makes possible. We can strike this balance, but to do so we must take cyber far more seriously. Others are busy defining the cyber world. Canada needs to be at the table but has a long way to go to earn its place there.
Merci de votre attention.
Brian Lee Crowley is the founder and managing director of the Macdonald-Laurier Institute.
