It has been almost a year since the Liberal government gave the Canadian military license to conduct offensive cyber operations, but it remains unclear how, when or if the public will learn about the cyber campaigns conducted. (Kacper Pempel/Reuters)
An extraordinary and significant little slice of history unfolded this spring in Britain that had nothing to do with royal nuptials.
The event, which passed almost unnoticed on this side of the Atlantic, was the remarkable disclosure by the head of the Government Communications Headquarters (GCHQ) that Britain had launched its first-ever military-style cyber campaign against the Islamic State.
Jeremy Fleming surprised a cyber conference in Manchester with the revelation in April, telling his audience “the outcomes of these operations are wide-ranging.”
He wouldn’t discuss the details, except to say the sustained campaign ended up “destroying equipment and networks” but was conducted in compliance with international law.
What the head of GCHQ did was pull back the curtain, ever so slightly, on Britain’s notoriously discrete signal intelligence branch and set a bar for public disclosure for other partners in the so-called “Five Eyes community,” including Canada.
It has been almost a year since the Liberal government’s defence policy gave explicit license to the Canadian military to conduct “offensive” cyber operations, the kind Britain feels free to discuss in somewhat opaque terms.
The Liberal government’s intelligence oversight legislation Bill C-59 — is still grinding its way through Parliament. It establishes a National Security and Intelligence Review Agency, among other things.
What remains unclear is how and when if ever the public will learn about Canadians conducting cyber campaigns against foreign adversaries and perhaps even governments.
Greater understanding needed
Alicia Wanless, an expert in information warfare at the Centre for Dynamic Research, said she believes the public should know when instruments of national power are being utilized in cyberspace.
“If you are engaged in warfare information — and I mean the entire gamut, up to and including effect on humans — there needs to be disclosure,” she said.
She qualified her assessment, however, by emphasizing more education is needed at all levels, particularly about the differences between cyber and information warfare.
Without that sound understanding, Wanless said she’s concerned public discourse and debate could turn corrosive.
“There fundamentally isn’t a sound understanding of what we’re dealing with,” Wanless said. “I think the understanding of what is happening — both at a government and a public level — is so weak that I think the debate might be detrimental.”
‘Canadian people need to be told’
The difference between the physical acts of hacking and destroying an adversary’s computer networks and spreading so-called fake news and false information is a critical distinction for University of British Columbia defence expert Michael Byers.
He also said, from a legal perspective, there should be public disclosure about what the military is doing in the cyber realm.
The taking down of infrastructure in another country, for example, could be an act of war “and the Canadian people need to be told” if our country is involved.
“There is no distinction between using a tool over the internet and using a gun or a missile if physical damage is caused in a foreign, sovereign country,” said Byers.
The accountability line, he said, is property damage and loss of life: “Anything that causes physical harm is governed by international law.”
- Russia, China targeting Canada’s secret info and technology, spy agency warns
EXCLUSIVE Liberals urged to let Canada’s military take cyber battle to foes
Byers said he’s not certain the federal government would be politically or legally obliged to disclose its counter-propaganda and disinformation activities.
“If a foreign entity was distributing fake news to disrupt a Canadian election campaign and if you’re going back and targeting the sources of that fake news; it wouldn’t be dealt with by the same international rules,” he said.
A spokesperson for Defence Minister Harjit Sajjan would only say Bill-59 addresses the issue of accountability through Parliament.
“Under the proposed legislation, all of [Communications Security Establishment] activities, including ACO (active cyber operations), which will require approval by both the Minister of National Defence and Minister of Foreign Affairs, will be subject to review by the National Security and Intelligence Review Agency (NSIRA) and by the National Security and Intelligence Committee of Parliamentarians,” said Byrne Furlong in an email.
Byers said that is not the same as public disclosure.
“This is DND saying they don’t need to tell Canadians when they’re conducting a cyber campaign,” he said.