Cyber-warfare could be entering a new and alarming phase, ex-CIA analyst tells MPs
Future attacks, says Christopher Porter, could target the global financial system and government debt
Online attacks on Canada's financial system could become far more destructive as more militaries around the globe get involved in cyber operations, a security expert and former CIA analyst told a House of Commons committee Wednesday.
Christopher Porter, the chief intelligence strategist for the cyber security company Fireeye, Inc., testified that as NATO countries share their expertise on how to defend against and defeat online threats, "major cyber powers outside the alliance" will likely do the same.
The consequences, he said, could be dire.
The West's imposition of sanctions on "some countries" has in the past been met with denial-of-service attacks on financial services websites, he said — attacks that have only been disruptive.
"In the future, they may respond with destructive attacks aimed at permanently disabling financial services or altering data in ways that undermine trust in the global financial system, such as by delaying or impairing the trustworthy settlement of collateralized government debt," Porter said.
"For countries sufficiently sanctioned and therefore increasingly outside that financial system anyway, there is little incentive not to do so during a confrontation."
Where the threat comes from
He did not name the countries he believes pose an imminent threat, but North Korea, Russia and Iran are widely known to possess sophisticated cyber capabilities and — in some cases — loose associations with groups of private hackers.
The Commons public safety committee is studying security in the financial sector. Wednesday's hearing focused on online threats.
"I am gravely concerned about the militarization of cyber operations," said Porter, who spent nearly nine years at the CIA and served as the cyber threat intelligence briefer to White House National Security Council staff.
"(The) proliferation of cutting-edge offensive cyber power, combined with an increased willingness to use it with minimal blowback and spiraling distrust, has set the stage for more disruptive and destabilizing cyber events, possibly in the near future."
The cyber espionage threat Canada faces is still "moderate," said Porter, but his organization has noted at least 10 groups from China, Russia and Iran that have targeted Canada in the last few years.
His grim assessment was echoed by another private sector expert who appeared before the committee. Jonathan Reiber, head of cybersecurity at Illumio, an American business data center, said most of Washington's efforts to get everyone to step back from the cyber-warfare brink have gone nowhere.
He also suggested that online militarization was inevitable. "Adversaries have escalated in cyberspace, despite U.S. efforts at deterrence," he said.
The United States, Canada and other western nations must take a more aggressive stance to deter cyber aggression by "defending forward" and conducting offensive cyber operations to disrupt hacking, Reiber said.
The Liberal government's defence policy, released in June 2017, gave the Canadian military permission to conduct those kinds of operations.
"Nation states have the right to defend themselves in cyberspace just as they do in other domains," Reiber said.
Determining the point at which a online attack provokes a real world military response is something that NATO and many western countries have been grappling with over the last five years.
The alliance has a mutual assistance clause, known as Article 5, which requires NATO nations to aid an ally under attack.
Liberal MP John McKay, head of the public safety committee, asked whether NATO's decision-making mechanisms are nimble enough to keep pace with cyber attacks.
Porter said he believes the system is sound. The challenge, he said, is to get all allies on the same page.
"I think a bigger issue is who is going to call for such a response and under what circumstances," he said. "In the States, I think, you're always waiting for a cyber Pearl Harbour destructive event."
Such a massive attack is still less likely than a series of smaller events, he said, "a death by a thousand cuts" that might not rise to the level of provoking allies.