Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR
Issue link: http://vanguardcanada.uberflip.com/i/235053
CYBER SECURITY C Q You have argued that we are trying to put new ideas into old forms. Are the rules of engagement different in cyber space than they are in other domains? I firmly believe that the laws of armed conflict apply in the cyber domain as much as they do in physical space. The principles of proportionality, distinction, necessity – those are all the laws of war and they apply in the cyber domain, too. But cyber is still so new… In the other domains – land, sea, air, space – the government has a role and, more or less, a generally agreed role like police forces and fire departments and armies and the centres for disease control. We have worked out what it is we want the government to do and what it is we will allow the government to do in physical space. We have not done that in the cyber domain yet. We are still debating what it is we want the government to do for us there and what it is we will let the government do for us there. That's what I mean by old patterns and which of these apply or don't apply to this new cyber space. Q How clearly do we understand doctrine in the cyber domain? We are still working that issue. For example, what constitutes an attack in the cyber domain? We are very sloppy with our language. We throw the term "cyber attack" anytime anything unpleasant happens to us in the domain. Well, we shouldn't. The Chinese stealing intellectual property? That's cyber espionage. It's bad, but it is not quite an attack. If the Iranians attack American banks with distributed denial of service attacks and make it impossible for you or I to check our bank account, something that does more than just steal data, something that affects a network, that's more moving in the range of an attack. Finally, if someone used a weapon comprised of ones and zeros to create physical destruction to a supply system or a grid, that definitely is an attack. We are still working our way through, first, what is an attack in the cyber domain, and second, what is an act of war in the domain. Q Does the response need to be proportional to the attack in this domain? The American government has issued a declaratory policy which states we will calibrate our response based upon the effects of an act, not upon its means. I think that is actually pretty good. Q What of second and third order effects in the cyber domain: How well do we understand the ripple effects? That comes back to the principles of armed conflict and the principle of distinction, which means that, if you think you have a military necessity and you can distinguish between combatant and non combatant, can you be sure a) that you can make that distinction and b) when you commit whatever act you are planning, that the results are proportional to the military need. You are relying on your ability to precisely predict the outcome of your attack. We have mastered that pretty well in physical space, though bad things sometimes happen, but perhaps we haven't nearly mastered we are at a fundamental moment here in terms of the traditional ways that sovereign states have defended themselves in the past with their intelligence services. it quite as well in cyber space that we can absolutely predict with confidence that this will happen and nothing more. Q Given the integration of critical infrastructure across our borders, do we need to consider something like cyber NORAD to better defend that space? I really do. Our cyber space is more integrated than our air space. Therefore, it is absolutely clear to me that this requires close coordination between our two countries. That also means broad agreement on what constitutes a threat, what constitutes an appropriate response, what constitutes suitable privacy, and so on. We have two democracies that have figured out how to do that when you are controlling air space; now we are challenged with how do we do that in this entirely new domain. Q Do you know if that discussion is taking place? I truly don't know. We have historical cooperation between our two countries' militaries and intelligence services, so I am sure there is work being done here, but I just don't know the details. Q The Snowden revelations of recent months have probably left many of us pondering the scope of national surveillance of electronic data, without really understanding the roles of certain government agencies: What are intelligence agencies actually doing? When you are doing espionage, you divide the work up largely by method of collection: You have an imagery agency, a human intelligence agency, and a technical or signals intelligence agency. The collection for each of those is quite different and requires different technology, different skills and even a bit of a different culture. Most intelligence organizations around the world are organized along those lines. With regard to signals intelligence, your effort is to go after communications in a lawful way – communications that your law does not protect – that allow you to provide meaningful intelligence to your nation's policymakers. Q Privacy commissioners in Canada have begun to talk of a new paradigm in which we need to re-think the concepts of privacy and security, particularly in light of new technology, big data, analytics and so forth. Do you see that? www.vanguardcanada.com DECEMBER 2013/JANUARY 2014 17