There is something very quaintly Canadian about the notion of a vast array of cyberwarfare weapons that we possess but were forbidden by our own laws to use. It’s sweet, in a way. But it’s also stupid, and policy we’re best rid of.
The policy in question were the restrictions formerly placed on the Communications Security Establishment (CSE), Canada’s (much more modest) version of the American National Security Agency (NSA). Like the NSA, the CSE is tasked with monitoring communications of interest to our leaders, and collaborating closely with our allies, particularly the Five Eyes — us, the United States, Britain, Australia and New Zealand.
Intercepting and decoding foreign transmissions is nothing new; that kind of warfare is as old as the telegraph or even simple handwritten messages.
What is new is the federal government’s proposed Communications Security Establishment Act, announced on Tuesday along with a series of other changes and tweaks to Canada’s national security laws.
Under the proposed new CSE Act, the CSE would be authorized — with the direct approval of the ministers of National Defence and Foreign Affairs — to conduct offensive cyberwarfare operations against individuals, groups or nations, if they posed a threat to Canadian security. Currently, it is only able to defend Canadian servers against direct attack, and provide advice and guidance if it detects an attack against private sector assets.
WATCH: Federal government unveils revamped national security legislation
That’s important, but it’s a very small piece of a rapidly evolving global battlefield. In addition to the possibility of offensive operations, the ability of the CSE to respond defensively to attacks on Canadian assets as they developed would be dramatically expanded — but would still require ministerial approval, a potentially problematic delay should our cyber infrastructure be hit without warning. (Let’s hope, for instance, that a cyberattack doesn’t disrupt our communications, leaving the ministers unable to give their consent for defensive operations to begin. That would be, for lack of a better term, rather silly.)
These are significant changes, but they are important ones, bringing old legislation in line with modern realities. Twenty or so years ago, the internet was that weird thing I used from time to time (sometimes by borrowing a friend’s AOL password). Today, any significant disruption to the internet would not only be a disaster for the economy — ever tried to go shopping when the credit/debit machines are down? — but could also threaten lives.
In Britain, during a recent cyberattack, hospitals lost the ability to effectively treat patients due to computer disruptions. An attack on a country’s energy grids could leave people cold in the dark for days, or longer. Most of us never think about how reliant we are on electricity for almost everything. Imagine five days without it. Imagine a week or two. And recall that most of the world’s great cities rely on electrical pumps to pipe clean drinking water to your faucet.
None of this is to be alarmist. I’m not digging my survival bunker quite yet. But these threats are real. They exist. We know that our enemies and adversaries are advancing their capabilities in these areas. We’d be crazy not to do the same.
But Canadian governments are often crazy when it comes to security matters, which they routinely treat as less than an afterthought. For generations, our national security policies have, to a depressing extent, essentially been some combination of “The United States will protect us” and “Nothing bad will ever happen, everything’s fine, la la la la la.”
WATCH: NDP accuses Liberal national security legislation of being ‘draconian’
In today’s world, it’s getting harder to buy either of those propositions. Canada must continue to be a reliable ally, but we also have to ponder the grim reality that we’re actually going to have to look out for ourselves sometimes, and the world can be a scary place. Those little Maple Leafs on our backpacks may get you a smile in Amsterdam, but we are kidding ourselves if we believe there aren’t groups and nations who’d do us harm by any means they can, including cyberwarfare.
There is another reason beyond prudence to bulk up our capabilities, both technological and legislative. This is an area where Canada truly can punch above its weight, which we constantly flatter ourselves by pretending we often already do. We have a thriving high-tech sector in this country, with the knowledge base to match. There is no reason we can’t work to turn ourselves into a cyber power to be reckoned with, in close partnership with our Five Eyes allies.
WATCH: Defence minister prioritizes cyber warfare in new defence policy
In much the same way that Canada has worked hard to offset the small size of our military forces by making small but critical contributions of well-trained troops at key moments, we likewise can develop specialist cyber capabilities and put them at the disposal of our closest friends, while also keeping them available, of course, for our own use.
This would make a change from the norm. Some might even say developing that kind of offensive capability is un-Canadian. But these are necessary steps to protect our collective well-being. The law used to be an obstacle to Canada developing effective cyberwarfare capabilities, but those restrictions are being removed. The only remaining challenges are national commitment and money. Both can be found, if we decide to make this a priority. We should.