This article originally appeared in the Ottawa Citizen.
By Alex Wilner, May 18, 2022
In an era when malware can be more devastating than bombs in terms of disabling a nation’s operational stability, Canada’s cybersecurity strategy is evolving — finally.
In their 2021 mandate letters, the federal ministers of Global Affairs, Public Safety, National Defence, and Innovation, Science and Industry were tasked to find ways to “deter cyber threat actors.” The 2022 federal budget, meanwhile, earmarked $875 million over five years to help the Communications Security Establishment (CSE) “prevent and defend against cyber attacks.” As well, major initiatives to internationalize Canadian cybersecurity, modernize critical infrastructure protection and renew the national cyber strategy have begun in earnest.
This new urgency is welcome. However, deciding to apply deterrence is one thing; making it work is quite another.
Deterrence entails using a combination of threats and incentives to persuade adversaries not to attack. It hinges on intent, capability and communication. To be effective, Canadian cyber deterrence requires a combination of all three.
First, we need to develop the resolve to punish adversaries for their aggression. This requires Canada to create its own national deterrence posture, something we’ve never had to do. In past conflicts Canadian deterrence flowed from our allied relationships; we leveraged the awesome power of the United States, United Kingdom, NORAD and NATO.
We could continue this path to deter egregious forms of cyber aggression, such as wanton attacks on civilian infrastructure, but Canada also faces a range of other challenges that rest below the threshold upon which multilateral cyber deterrence can function. We cannot rely on others to deter these types of malicious activity. Our cyber deterrence should be tailored to the specific threats that Canadians face, and incorporate a unique blend of homegrown resources, experience and expectation.
Second, we must expand our capability to actually respond to cyber aggression. Adversaries need to believe that Canada has the ability to retaliate whenever it is required.
Unlike Cold War deterrence, cyber deterrence isn’t solely or even chiefly about military power. Nor must our response rest within cyberspace alone. Instead, Canadian cyber deterrence should rely on a range of capabilities that can harm challengers in both cyber and physical space.
At times the Department of National Defence may be called upon to retaliate, so we must ensure it can do so inside and beyond cyberspace. But, as cyber deterrence is the sum of numerous parts and processes, other Canadian departments and agencies can also significantly help our deterrent capability.
The RCMP and Department of Justice, for instance, can leverage cybercrime investigations and the threat or prosecution towards deterrence. With Global Affairs, they might explore how best to use economic sanctions or publicly attribute malicious cyber activities to deter some adversaries. These tools should be adapted to contend with both domestic and international challenges.
Public Safety, CSE and Shared Services Canada can better protect digital infrastructure, deterring aggression by denying easy access to Canadian targets.
Global Affairs should continue promoting Canada’s position on multilateral cyber norms, thereby establishing red lines against which aggressors can be judged and punished. And, alongside National Defence, it should help enshrine cyber deterrence within Canada’s major alliance partnerships.
Third, we need to communicate our cyber deterrence posture. Adversaries must appreciate the risks they run when contemplating an attack on Canadian interests. A coercive threat left unsaid is a threat unheeded.
Here, Canada should consider pulling a page from the U.S. playbook. American declaratory deterrence policy is often reserved to The White House. President Joe Biden’s recent Executive Order on Improving the Nation’s Cybersecurity provides a loud, clear and detailed list of emerging considerations adversaries need to weigh when targeting the U.S.
Canada doesn’t have an equivalent blow-horn and we need to build one, perhaps carving something out at the Privy Council Office or at Public Safety. But somebody, somewhere, will need to be provided the means to tie all of Canada’s disparate cyber deterrence activities into a unified and collective voice.
Cyber deterrence is a worthy objective. It’s also much harder than it sounds. Canada needs to plan for it accordingly.
Alex Wilner is an associate professor of International Affairs at Carleton University, and a Munk Senior Fellow at the Macdonald-Laurier Institute. His research on cyber deterrence is funded by SSHRC, National Defence, and Ontario’s Early Researcher Award program.