Former CSIS head says Canada should have its own cyber-warriors

Canada's former top spymaster says the country's military should have the legal authority and capability to not only defend itself, but also to go on the attack in cyberspace as well.

Documents show Forces are struggling to develop even a defensive cyber capability

Richard Fadden, former national security adviser to the prime minister, and former head of CSIS, says the military should be able to launch offensive cyberattacks to pre-empt action against Canada. (Sean Kilpatrick/Canadian Press)

Canada's former top spymaster says the country's military should have the legal authority and capability to not only defend itself, but also to go on the attack in cyberspace as well.

Richard Fadden, the former director of the Canadian Security Intelligence Service and the ex-national security adviser to prime ministers Stephen Harper and Justin Trudeau, says he's argued in the past that the threat in the online world is as serious as terrorism in the physical world.

At the moment, the Canadian military's nascent cyber capability is restricted from going on the offensive to protect itself. Documents obtained by CBC News show that National Defence appears to be struggling to develop even a defensive stance.

"If we are going to allow that we're going to have Canadian Forces abroad and they are facing cyberattacks, either communications or other, I think it's totally reasonable to think seriously about whether or not we should give them the capacity to reach out and suppress before they are used against them," Fadden told CBC Radio's The Current on Wednesday.

The issue is partially framed in the Liberals' defence policy review statement, which asks the public what sort of role the military should play in the online battle space.

The new Communications Security Establishment Canada complex is in Ottawa. University of Ottawa Prof. Wesley Wark says the agency has the ability to launch offensive actions in cyberspace. (Sean Kilpatrick/Canadian Press)

Debate over whether Western militaries should adopt an offensive, or defensive, posture in cyberspace has been raging for months, particularly in the halls of NATO. The military alliance struggled to come up with a clear, coherent policy in the aftermath of Russia's annexation of Crimea.

Russia's cyber army

The Kremlin, according to defence analysts and cyber experts, conducted an overwhelmingly savvy cyber campaign, which complemented special operations troops when they took over the disputed region in the spring of 2014.

You don't send people in harm's way without doing everything you possibly can to avoid that harm being done to them.- Richard Fadden, ex-director of CSIS

Last winter, published reports in Britain said Moscow was prepared to invest the equivalent of $250 million US to improve an already formidable stable of hackers and software engineers so they can go on the offensive. The Russians argue their build-up is a deterrent, much like a nuclear arsenal, and meant as a response to U.S. plans to improve the National Security Administration and the Pentagon's cyber command.

Fadden said Canadian troops currently deployed face the threat of cyberattack, not only from big players, such as Russia and potentially China, but also extremist groups, such as ISIS.

"You don't send people in harm's way without doing everything you possibly can to avoid that harm being done to them, and I think most militaries that we are facing, for example in Iraq, some of the forces they are opposing have cyber capacity," said Fadden, who also served as deputy minister of National Defence.

Defence is enough: expert

Wesley Wark, a University of Ottawa professor and one of the country's leading experts on intelligence and cyberwarfare, says Canada's electronic spy service, the Communications Security Establishment, which operates independently from National Defence, has the ability to conduct offensive operations.

He conceded that CSE's time and attention are devoted to protecting civilian infrastructure and working with utilities and major corporations to help them protect their networks.

Wark said he believes the military should not put time and resources into developing an offensive posture when other allies, such as the U.S. and Britain, are already way out in front in that manner.

Fadden disagrees.

"The military would be irresponsible to not take into account these types of threats," he said. "You begin by developing as good of defensive capability as possible, and I think the Canadian Forces have a pretty good defensive capability, but at some point you have to ask yourself, and ministers will have to consider, whether they should be given the capacity to push back as opposed to just defending."

A long road to cyber capability

But a trail of documents obtained by CBC News under access to information shows the military has struggled to establish even a defensive cyber capability.

A briefing, dated Nov. 17, 2014, candidly acknowledged that Defence "needs to improve its posture to better anticipate, plan and conduct cyber operations."

The report said establishing an effective military command structure for cyberspace "may require some resource investment [and] realignment" of the existing system, and maybe even a new organization within the Forces.

Another heavily redacted document, dated Dec. 11, 2012, shows that there was, at the time, no mechanism for the military's operations command to reach out to CSE for timely help when commanders in the field needed it.

The briefing also suggests defence department policy advisers were only just beginning to wrap their heads around the emerging implications and that the military considered cyber to be more of a "technical issue" not directly related to the core business of bullets and battleships.