Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR
Issue link: http://vanguardcanada.uberflip.com/i/1283033
26 AUGUST/SEPTEMBER 2020 www.vanguardcanada.com CYBER an unknown vulnerability in existing hard- ware and software. Thus, the weapon developer must find the vulnerability, de- velop an exploit to take advantage of it, and identify an enemy to use the weapon against. Each of these three stages present unique weapon-management challenges that we consider next. 1. Identifying these vulnerabilities is a timely process and often involves a fair amount of luck, so they are more likely to be discovered with multiple people working on them. Once discovered, they must be kept secret or patches can be developed to disable the vulnerabil- ity (and as a result, the weapon itself) reasonably quickly. The ethics of not warning others about these vulnerabil- ities is beyond this document's scope, but at the very least it can lead to sig- nificant unintended consequences. 2. The challenge of developing an exploit to take advantage of an identified vul- nerability may be fairly straightforward in some cases but it could also involve a significant amount of expertise and innovation to accomplish. This is clearly not something that can be read- ily "outsourced" to other states, and even if it was to be done by verified cyberweapon suppliers, the challenges of managing this process should not be underestimated. If the approach is building capacity within military (or quasi-military) national centres, it will likely require a substantial investment in public dollars that would be difficult to justify given the clandestine nature of the activities and the possibility (ide- ally) that these cyberweapons would never be meaningfully deployed. 3. The final challenge of identifying an enemy to use the weapon against and to determine precisely when and how it should be used, given the two points above, is unclear. The hesitance to use cyberweapons at times of military con- flict in preference to kinetic weapons suggests that they are unlikely to be the preferred choice once a military conflict has started. Using them be- forehand is fraught with risk because their use, if they could be traced back to the originator, could lead to a war that might otherwise have been pre- vented. In the case of a large, power- ful state using these weapons, this will likely be avoided because the weaker state is unable to respond in a mean- ingful way. Overriding each of these potential risks is the need to have oversight on the devel- opment, use, and deployment of cyber- weapons. Military activities can only be undertaken with the direct oversight of the prime minister, but they would likely involve a wider discussion for political rea- sons. Given the nature of these weapons and how they would need to be devel- oped, this oversight would likely have to be done in a more secretive way. The ulti- mate deployment of cyberweapons might occur with the oversight of Parliament, but would those considering this have suf- ficient understanding of the implications and risks associated with cyberweapons, which could have many unintended con- sequences? Unintended Consequences The unintended consequences arising from a cyberattack can be grouped into two categories: unintended consequences impacting on those being attacked; and ones impacting those undertaking the at- tack (or their allies). Unintended consequences potentially impacting an enemy: Once weapons are deployed, the scope of their effect is dif- ficult to anticipate. Ideally an attack would be highly targeted and very specific to a particular computer system or to the re- al-world resource it controls. There are unique identifiers in most hardware that would allow a cyberweapon to only impact a particular machine. However, the attack- er would have to identify that machine in advance of developing and deploying the weapon, and the cyberweapon would be- come useless if the victim simply changed or upgraded their hardware. Thus, there are very few incentives for a cyberattacker to produce a weapon with such a narrow target and it is unlikely that such a nar- rowly focused cyberweapon would be ef- fectively deployed except in very limited circumstances. Most cyberweapons have a virus-like na- ture to them where they seek to infect as many systems as possible to maximize their impact. This alone would make it difficult to control the unintended consequences that might occur on an enemy. However, even if the cyberweapon does not contain a virus-like nature where it seeks all com- puter systems that have the vulnerability that allows it to perform its cyberattack, it is still extremely difficult to limit its ef- fect to only the intended target. The unin- tended consequences on the enemy might The unintended consequences arising from a cyberattack can be grouped into two categories: unintended consequences impacting on those being attacked; and ones impacting those undertaking the attack (or their allies).