Bill C-59 – the National Security Act 2017 – outlines a new vision for Canadian national security. Reading between the lines of this “anti-terror” bill, there is a clear attempt here to comprehensively rework decision-making mechanisms to enhance oversight and ministerial control over counter terrorism, surveillance and cyberspace operations.
While it’s new measures demonstrate a clarity of vision as to where the Trudeau administration would like its counter-terror efforts to go, the document reveals something else that is much more interesting.
For cyber-wonks, the decision by the Trudeau government to clarify and revise its policy outlook when it comes to cyber operations is substantial. This decision is likely to have far-reaching and enduring significance for both Canada and NATO’s cyberspace operations strategies and force development. The specifics of the proposed legislation may still be revised, but the broader policy shift toward more overt planning and deliberation on cyber defense falls in line with similar developments in other Five Eyes (UK, US, Australia and New Zealand) capitals.
Because of this important similarity, many of the same issues and factors that have emerged as cyber operations controversies for these partners may also affect Canada’s new policy approach. More than anything else, C-59 encapsulates the most relevant cyber debates and issues of our time. As such, the Bill should not be considered more than just this – a beginning to coherent Canadian policy on cyber.
What does C-59 really say about cyber?
The focus of cyber operations defined within the proposed Bill (C-59) covers computer network exploitation (CNE), computer network attack (CNA) and defensive cyberspace operations (DCO). In plain English, these different categories can be thought of as spying, sabotaging, or defending one’s respective cyberspace. Of note in C-59 isn’t the inclusion of these capabilities but more importantly the absence of another capability area – the Defensive Cyberspace Operations – Response Actions (DCO-RA).
Heavily present in the US cyber-operations doctrine, DCO-RA can amount to offensive actions taken on sovereign networks or mission infrastructure to counter an adversary’s persistent access, activities, or disruptive behavior. While sounding quite simple on paper, DCO-RA in practice is quite controversial because of its potential impact on civilian third parties.
In national or allied cyber operations, DCO-RA could also necessitate actions on foreign soil in support of non-cyber activities. Such activities are likely to pose complex oversight challenges to existing or new government plans and oversight instruments. Where in the past clear lines have been defined between involvement vs. non-involvement in coalition operations, future cyber operations could implicate Canada in actions overseas that it might wish to avoid (e.g., avoiding commitment of troops or materiel).
While norms and Rules of Engagement (ROEs) set the limits of permissible actions in cyber operations, collateral effects can make it difficult to constrain unanticipated impacts. Defensive cyberspace operations carry the risk of inadvertent escalation if an adversary misunderstands their impact, or any other host of unintended consequences and impacts.
Offense, Dominance and Cyber Defense
It is often asserted by specialists that cyberspace is a setting where attack (offense) is easier than defense. The new powers that C-59 allocates for cyber-attack and exploitation must be closely coordinated with defenses of civilian data, networks and public utilities that provide vital services.
Cyber risk management and vulnerability mitigation priorities must be reconciled with defense and intelligence planning. Critical infrastructure cybersecurity is currently the responsibility of Public Safety Canada, provincial authorities and private sector business owners. Linking these two roles together may stress existing Canadian government mechanisms for managing cyber risks and collateral effects. The mechanism for achieving this is not well described in Bill C-59.
Perhaps the bill’s proposed new review agency, NSIRA, can provide a channel for public discussions on the efficacy of current planning and coordination approaches, but with the bill’s vague language, it is difficult to tell where NSIRA’s mandate truly begins and ends.
Established entities -– respectively CSIS, the RCMP, DND and CSE – likely participate in interagency discussions and planning processes where missions are developed. NSIRA and the nascent Parliamentary oversight committee will have the opportunity to review these mechanisms and police compliance with legislative and policy guidance.
Playing it safe
C-59 allocates responsibilities in ways that are – while not always clear – not particularly controversial. National defense responsibilities fall to the Department of National Defense, with CSE (the Communications Security Establishment) conducting signals intelligence operations in support of allied and Canadian mission priorities.
Bill C-59 clarifies and extends these mission areas, with the addition of two new roles: Active Defense – Foreign defensive cyber operations (on foreign infrastructure in response to digital attack) and Foreign Active Cyber Operations (on foreign infrastructure – with the objective of proactively disrupting a potential threat to Canada or its allies). This addition, however, raises the issue of defensive actions that can be interpreted as offensive in nature.
Uncertainties, Risk and Oversight
Even well planned cyber operations present risks to third parties. These can be managed but never eliminated entirely. Cyber is an asymmetric domain, offering opportunities for less capable entities to challenge apparently stronger adversaries. What does this mean for the early detection of threats?
While participation in cyber alliances like the Five Eye nations group provides intelligence about common threats, the interdiction of these threats at the national level must still be executed in the context of national laws. Concerns with privacy and civil liberties overlap with the risk management requirements of cyber operations – both at home and abroad.
This apparent overlap can lead to perceived overreach when responding to cyber threats. Enhanced surveillance of networks for detection necessarily means greater risk to personal privacy from surveillance.
C-59’s proposed joint DND – Foreign Affairs ministerial concurrence on cyber operations is an important threshold governing future developments in cyber operations. It is here that Parliamentary oversight of strategic policies and plans developed by CSE and DND can have its most significant impact. Providing clearances to parliamentarians so that they can achieve deeper understanding of an issue not typically shared with them in their roles as Members of Parliament is essential.
The mechanism devised in Canada tracks well with the oversight committee models adopted in other Five Eyes capitals. Liaison among these legislative oversight agencies might offer an additional means to deepen collaborative frameworks beyond executive to executive and military to military channels.
Canada’s adoption of a more transparent policy on its cyber capabilities and mission requirements is a notable achievement for the Trudeau government in this bill. Also significant are the experiences of other Western countries that have traveled the same path toward institutionalized cyberspace capabilities – in the form of national strategies, purpose-designed agencies and executive level oversight mechanisms. The interaction of national and allied cyber plans will require novel mechanisms to ensure interoperability and deconfliction of activities.
Further, oversight at the national level will be challenged by the historically closely-held relationships among Five Eyes’ nations defense and intelligence establishments, which are not frequently the subject of granular parliamentary review. It is likely that the Bill C-59 vision is just the opening gambit in a more-lengthy formulation and revision process for enhanced government oversight of cyber operations – and associated intelligence activities.
This article originally appeared on Tripwire's State of Security Blog