Vanguard Magazine

Vanguard AugSept 2020

Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR

Issue link: http://vanguardcanada.uberflip.com/i/1283033

Page 29 of 47

30 AUGUST/SEPTEMBER 2020 www.vanguardcanada.com CYBER

of a newly poisoned relationship! In short, once deployed, it would be difficult if not impossible to remove.

• Most of these weapons have an ability to migrate either explicitly as a virus and/or physically by copying them across multiple devices (e.g., using an infected USB). Thus, even if we know where they were initially deployed, the question of how to ensure that the cyberweapon has not migrated to other machines without the attacker's knowledge is critical. Although it might be possible to leave a digital trail within the cyberweapon itself so a forensic expert could attempt to follow its path, this would open the possibility that the trail would be discovered by the potential victim, which would lead to the weapon's discovery and it being disabled while still in its active or operational phase.

• Given that this software can travel through an enemy's system in difficult-to-track ways, the next concern is: What if this vulnerability shows up on an ally's systems? Several interesting questions will likely be asked at this point, but the first one will be: Was it inadvertently migrated from within the attacker's system through normal operations, or is this an attack by the enemy on the ally's systems? If the cyberweapon was discovered by the enemy and the vulnerability was known to exist in one of the attacker's ally's systems, there is nothing to stop the victim from patching its own systems and using the weapon itself. Furthermore, if this is discovered by the ally and reported to the attacker, how can this be disabled without revealing the danger to which the attacker has exposed the ally? It is likely, especially if this is a cyberweapon used for espionage, that the ally will become suspicious about whether this was placed on its systems accidentally by the attacker, intentionally by the attacker, or intentionally by the victim using it itself. Clearly different kinds of responses would be called for depending on each case.

Next Steps

To conclude, we turn to identifying what Canada's next steps should be to fully explore and consider the many questions developed above and how to mitigate the risks and consequences of Canada's cyber policy. Although there are likely many different directions open, the following seem to be the most key and self-evident initial steps.

1. Canada must define the goals of a cyberattack strategy. Who are potential opponents that could be subject to an attack? What are acceptable reasons to use cyberweapons? How do we define successful attacks and distinguish them from failed attempts?

2. Rules of engagement must be clearly defined. When should cyberweapons be allowed to be used? When should they be used: before, after or in conjunction with direct kinetic military actions? Should their use be reported upon openly and honestly to the Canadian public?

3. Who has the authority to use cyberweapons either in peace or wartime? Who should be allowed to authorize their use? Once authorized, who should be allowed to deploy them and under what circumstances? Who has oversight after their use in terms of assessing their effectiveness, their appropriateness, and evaluating any unintended consequences or collateral damage?

4. Rules of war need to be defined for cyberweapons. Canada must work with other nation states to formally codify the rules under which states can engage in cyberattack and cyberespionage. These might mirror existing kinetic-warfare rules, but they will require articulation through a technological lens. If we do not have clear rules about the use of these cyberweapons as a nation state, then we run the risk of stumbling into a kinetic war! Thus, a critical next step is undertaking the difficult task of coming to international agreements about the use of these weapons, their production, and their implications.

5. Partnership with cybersecurity stakeholders. The issues of cybersecurity are much broader than their application to cyber-military either for offensive or defensive purposes. The question of whether a partnership could be forged between the military and public/private cybersecurity organizations is a valid one to consider. If this kind of partnership is not viable, then how can the military meaningfully engage with non-military stakeholders to ensure the utility of any weaponry produced and the safety to Canada and its allies?

This article is an abridged version of a joint Policy Paper from The School of Public Policy and the Canadian Global Affairs Institute that was published as Cyberattack: What Goes Around, Comes Around on cgai.ca. It is reprinted here by permission.

Ken Barker is a professor of computer science at the University of Calgary. He holds a PhD in computing science from the University of Alberta (1990) and has many years of experience working with industrial computer systems. He has interest in system integration, distributed systems and the privacy and security of data repositories. He has served as the dean of the faculty of science and as head of computer science at the University of Calgary. He is the director of the University of Calgary's Institute for Security, Privacy and Information Assurance and the president of the Alberta body of the Canadian Information Processing Society (CIPS Alberta). He is a past president of the Canadian Association of Computer Science (CACS/AIC) and has served on the Computer Science Accreditation Council. As the director of research laboratories at the University of Calgary and University of Manitoba he has supervised over 70 graduate students, in addition to several post-doctorates and research assistants. Dr. Barker has published over 250 peer-reviewed publications.

The cyberweapons are exploiting vulnerabilities that also exist in "everyone's" systems. All public and private organizations and their infrastructures have an important stake in the use of any cyberweapons.
