A new report questions how well prepared the Canadian military and the federal government are to fight a cyber war that, for all intents and purposes, has started already.
The Canadian Association of Defence and Security Industries (CADSI), which represents major weapons and high-tech manufacturers, warns in a new report that, despite recent investments and policy papers, the country is lagging far behind its allies in preparing to fight a new kind of war.
“The cyber threat to the Canadian Armed Forces (CAF) permeates domestically through vulnerabilities in critical infrastructure, combat systems and equipment, and extends to where the military is deployed abroad,” said the association’s report, released Thursday.
“Russia have proven their ability to launch attacks that cripple critical systems in seconds or quietly collect intelligence for years. The CAF has only recently received approval to engage in active and offensive operations at scale (though specialized activity has been present for years).”
‘A genuine sense of urgency’
To compile the report, researchers at CADSI conducted 70 interviews with government and military officials, as well as defence industry leaders.
Christyn Cianfarani, the association’s president, said the feedback was frank.
“There’s a genuine sense of urgency for Canada to advance in this space,” she said. Even if the public doesn’t feel the country is vulnerable, she added, “we could stand to be vulnerable by not moving forward very quickly.”
The report comes just weeks after a House of Commons committee heard that online attacks on Canada’s financial system and other key infrastructure could become far more destructive as more militaries around the globe get involved in cyber operations.
That testimony came from security expert and former CIA analyst Christopher Porter, an executive at the U.S. cyber security company Fireeye, Inc.
He said the west’s imposition of sanctions on “some countries” has in the past been met with denial-of-service attacks on financial services websites, but those attacks have only been disruptive.
“In the future, they may respond with destructive attacks,” he testified on Feb. 6.
Cianfarani echoed that warning.
“I think, if you look, other nations are attacking Canada,” she said. “Other nations aren’t just attacking Canada in a short-game play. They are attacking Canada and trying to influence things in our country in a long-game play.”
The defence association report also took aim at the federal government’s ponderous procurement system, noting that adversaries and allies have “demonstrated their ability to deploy new cyber capabilities in months or weeks, while the CAF remains burdened by a years-long and sometimes decades-long procurement cycle.”
Time to ‘blow up’ the procurement system?
Cianfarani said the procurement system has to “be blown up” and “torn apart” when it comes to acquiring cyber equipment and services.
It should take six months, not 10 years, to get those kinds of products into the hands of cyber operators, she added.
The study found “government and industry lack the mutual trust required to effectively collaborate in the cyber defence of Canada” and proposed a series of remedies.
“This distrust has been sown over time through a history of unproductive engagements, limited communications and inadequate mutual understanding of each other’s capabilities,” said the analysis.
The Council of Canadian Innovators has delivered a similar message to the federal government on many occasions over the last two years, but Cianfarani said she believes that the upcoming federal election and the possibility of interference in it — foreign or otherwise — will focus the attention of both the public and decision-makers.
“I think around an election is probably when we have the loudest voice, and it’s when we’re probably, as a country, the most vulnerable,” she said.
The report pointed to other countries, such as the United States, where cyber defence strategies are primarily driven by industry, supported by the academic community and funded by the government without bureaucratic limitations.
“A similar approach for Canada could mobilize a strong, sovereign line of defence against rapidly evolving cyber threats,” the report said.