This week’s federal budget included millions of dollars to beef up Canada’s detection and advisory capacity against nation-state and criminal attacks on critical infrastructure and democratic processes.
On Wednesday government officials, academics and private sector experts got a view into the future of cyber warfare at the 5th Security and Defence Symposium between Canada and the European Union in Ottawa.
That future, one panelist said in an interview, can be seen in the attacks — usually attributed to Russia or Russian-supported groups — on Ukraine in the past three years. They’re a toxic mixture of military and cyber incidents dubbed hybrid attacks.
Josef Schroefl, deputy director of the Helsinki-based European Centre of Excellence for Countering Hybrid Threats (also known as the the Hybrid CoE), called Ukraine “the whole symphony, hybrid orchestration: Disinformation campaigns, cyber attacks and kinetic [military] attacks.”
A brief roundup of the incidents includes successive power failures in back-to-back Decembers and the recent seizure by Russia of three Ukrainian navy ships in the strait between Russia and the Ukrainian region of Crimea, which Russia annexed in 2014.
“What you see in Ukraine frightens me,” Schroef said. “Ukraine is something like a test lab for maybe something bigger. We don’t know.”
The half-day symposium is one of a number of ways Western countries are working together to exchange best practices for facing defence challenges, including nation-state backed cyber attacks. For example, Canada and the centre held a three-day table-top exercise in January to test their response skills, Schroefl said.
Last fall Canada joined the Hybrid CoE. Other members include Austria, the Czech Republic, Estonia, Denmark, Finland, France, Germany, Italy, Latvia, Lithuania, the Netherlands, Norway, Poland, Spain, Sweden, the U.K. and the U.S.
The organization defines hybrid threats as
- Co-ordinated and synchronized action, that deliberately targets democratic states’ and institutions systemic vulnerabilities, through a wide range of means (political, economic, military, civil, and information);
- Activities exploit the thresholds of detection and attribution as well as the border between war and peace;
- The aim is to influence different forms of decision making at the local (regional), state, or institutional level to favour and/or gain the agent’s strategic goals while undermining and/or hurting the target.
Joining the group followed commitments made by Canada and other G7 countries at their annual meeting last year in Charlevoix, Que., to defend democracy from online foreign threats. Among the promises each country made was to set up a cyber Rapid Response Mechanism. This network will strengthen co-operation. between countries to identify and respond to diverse and evolving threats. Canada is the network co-ordinator, so the budget proposes giving the Global Affairs department $2.1 million over three years to help its work.
It parallels the Cyber Readiness Response Teams and Mutual Assistance in Cyber Security agreement that some European countries set up in 2016 under the EU’s Permanent Structure Co-operation (PESCO) on security and defence. Eight nations have or are setting up teams under the pact, which essentially established a collective cyber defence. To facilitate the teams one PESCO project is the creation of a cyber incident response information sharing platform.
Twenty five of the EU’s 28 countries have joined PESCO, but most have not yet joined the cyber mutual assistance pact.
One panel at Wednesday’s symposium discussed how PESCO — designed to increase EU co-operation — can work with the North Atlantic Treaty Organization (NATO), a military institution. Not all members of the EU are members of NATO.
The other panel dealt with how to confront hybrid attacks, and included Air Commodore John Maas, senior military advisor to the European External Action Service; Colleen Merchant, director general of Public Safety Canada’s national cyber security directorate, Schroefl, and Satyamoorthy Kabilan, vice-president of policy for the Ottawa-based Public Policy Forum.
In a pre-conference interview, Kabilan said one of the biggest problems in dealing with cyber attacks is attribution.
“It’s very difficult to say definitively who’s behind a specific attack,” he pointed out. “In many cases there’s a little speculation involved. If you look at the number of attacks where people speculate nation-states are involved, and you look at the number where there have been indictments or statements from nations saying ‘X was responsible for attack Y,’ there’s a huge difference.”
And while it’s clear under NATO’s agreement when countries can come to the aid of another under physical attack, the rules are less clear when it comes to a cyber attack. That’s even more true for the world as a whole.
“We have nothing equivalent to the Geneva Convention when it comes to hybrid and cyber warfare,” Kabilan said. “So the line in the sand when you cross and it means, ‘This is an act of war’ — there isn’t one when it comes to cyber. No one knows what it is, what it should be. This creates some really difficult problems — how do we defend ourselves?”
European countries have been worrying about this since 2007 when Estonia faced a series of cyber attacks against parliament, government departments, banks and the media amid a conflict over a grave marker with Russia. According to Wikipedia, that led to NATO creating a cyber defence centre of excellence in Estonia.
Following Russia’s annexation of Crimea, NATO beefed up its forces in Baltic countries, with Canada leading the battle group in Latvia. According to the National Post, they have been the target of repeated disinformation as part of a campaign to discredit NATO forces.
The disinformation ranges from stories about Canadian troops being accommodated in luxury apartments at local taxpayers’ expense, to images that purport to show them littering indiscriminately or fixated on buying beer, Latvia’s defence minister told the National Post.
Around the same time, according to the Globe and Mail, Russian media targeted German NATO soldiers in Lithuania, when it fabricated a story accusing the officers of sexually assaulting a teenage girl.
On the other hand cyber attacks might get out of hand. That’s what some experts think happened in 2017 with the global spread of the NotPetya wiper malware. They believe it started as a Russia-backed attack on Ukraine by planting malware in a Ukranian accounting software package. But the malware spread around the world. Among the victims was the Maersk shipping company, which had to replace 4,000 new servers, 45,000 PCs, and 2,500 applications.
Disinformation — better known as fake news — can be an effective weapon, but it isn’t in the same league as compromising critical infrastructure and ‘jiggling the handles’ just to make people nervous. It does have the advantage, though, of being less messy than an invasion or a few warning shots across a border.
A prime example of how big a disinformation campaign can go is the huge alleged Russia-directed effort during the 2016 U.S. elections — which included hacking email of staff from the Hilary Clinton campaign, and creating phony social media accounts to spread disinformation. There were also hacking incidents leading up to the recent German and French national elections.
Disinformation is being confronted by governments encouraging social media platforms to crack down on suspicious content. In the run-up to Canada’s October federal election the government recently passed a law obliging platforms to create a registry showing who is paying for election-related ads. It also created a task force to prevent covert, clandestine, or criminal activities from influencing or interfering with the electoral process.
The thing is, as Schroefl points out, online war is relatively cheap (compared to a missile or a jet bomber). That’s why he believes large nations are unlikely to dominate cyber warfare: There’s lots of room for small countries.
It also makes it harder to get unanimity on norms of behaviour in cyberspace.
So how can hybrid threats be met? “The lessons from the last years are public-private partnerships, don’t forget critical infrastructure and civilian-military relations,” said Schroefl.
The Senior Leader’s Guidebook to Emergency Management and Business Continuity