Canada to join NATO’s cyber defence research centre
It may be a late start, but joining allies at NATO’s cyber defence centre will help Canada better defend its interests in cyberspace. Josh Gold explains why the move is welcome.
Research assistant, Citizen Lab
On November 28 in Tallinn, Estonia, Canadian Governor General Julie Payette visited the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), which Canada is in the process of joining. Canada is among the last NATO countries to become a member of the 11-year-old defence hub, after years of delays both bureaucratic and logistical.
Better late than never; this is a welcome and beneficial move for Canada, and one that should be finalized in the coming months. But Canadian defence and foreign policy must further advance alongside our allies to keep pace with global cyber threats.
That cyberspace is vulnerable to malicious activity — including by states — is generally understood today. Estonia learned this earlier, and more painfully, than most nations. It has the unenviable distinction of suffering from the world’s first-ever politically motivated cyberattacks against an entire state. This occurred for three weeks in spring 2007 when, during a time of heightened political tension with Russia, coordinated cyberattacks targeted Estonian government, banking and media sites, as well as specific routers and servers. In their aftermath, the Tallinn-based CCDCOE was born, and it remains one of the most promising dividends from Estonia’s 2007 experience with cyber conflict.
The CCDCOE is a military think-tank that leads the world in crafting cyber defence solutions through multinational and interdisciplinary analyses of cyber conflict issues. It is not directly within NATO’s military command structure and neither launches, nor defends against, cyberattacks. The centre and its international team include parties from 25 states (22 NATO nations and three NATO-allied contributing participants). Eight more are lined up to join in addition to Canada, including NATO partner states Australia, Japan and South Korea. CCDCOE staff conduct research, training and exercises within four areas of cybersecurity: technology, strategy, operations and law.
Further to regular research, training programs and exercises, the CCDCOE is the custodian of several world-class flagship projects. Perhaps most well-known is the Tallinn Manual process, a non-binding and academic study on how international law applies to cyber conflicts. Continuously developed by the CCDCOE with input from nearly 50 states, including Canada, it represents one of the most authoritative and comprehensive international instruments of its kind. Another flagship project, Locked Shields, is organized annually by the CCDCOE and constitutes the world’s largest and most complex cyber defence exercise. In 2014, Canada donated $1 million to help develop Locked Shields and, upon joining the CCDCOE, will be able to officially participate in it, too.
Moreover, with CCDCOE membership Canada will be able to play a more active role in developing NATO cyber doctrine, rather than just receiving it. Membership gives Canada access to a unique multilateral forum wherein joint challenges can be worked out collaboratively. Researchers, lawyers and computer engineers from different countries team up to better understand and defend against various threats in cyberspace. This can include writing joint reports, analyzing new legal challenges, building training programs and assessing new technologies and potential vulnerabilities therein. Such a forum fosters trust and brings us closer to our allies.
Membership will also grant Canadians access to research, exercises and training programs. These can help build Canadian cyber capacity, for example, through programs designed to familiarize decision-makers within defence, strategy, law and policymaking with the challenges and nuances of digital technology and cyber conflict.
Formal membership comes with some short-term costs. In addition to funding, the government will have to send an expert or two at a time to the CCDCOE, during a period when the government’s cybersecurity talent is in great demand but scarce supply. But after a few years’ tenure at the CCDCOE, this talent will return to Canada with deepened knowledge and unique international experience: this is an opportunity to simultaneously train up staff while building lasting multinational bonds.
Canadian involvement in other NATO cybersecurity efforts has yet to be made clear. Informed by CCDCOE research, NATO is developing its cyber operational doctrine and has opened its Cyberspace Operations Centre in Belgium — though this centre is only slated to be fully operational by 2023. Nine NATO allies — including the United States, the United Kingdom and even Estonia, but not yet Canada — have officially offered NATO their cyber capabilities in the event a military cyber operation is needed in response to an attack.
Updated Canadian approaches to cyber activities suggest we could offer our capabilities too. In 2017, Canada’s military announced in its defence strategy that it would “assume a more assertive posture in the cyber domain by conducting active cyber operations against potential adversaries in the context of government-authorized military missions.” This June saw the passing of Bill C-59, which empowers Canada’s signals intelligence agency, the Communications Security Establishment, to also conduct “active cyber operations.” (“Active” is a common, but unnecessary, euphemism for the word “offensive.”)
New powers bring new questions. Robust rules and joint strategies are required to face challenges in an increasingly militarized cyberspace. Rather than showing up late to the party, as with the CCDCOE, Canada should be at the centre of joint efforts to uphold a free and open internet, and a stable and secure cyberspace in which international law is respected and human rights are protected. Canadian democracy and prosperity rely on such freedom and stability; unreliable US commitment to multilateralism makes Canadian leadership more meaningful now than ever.
Joining the CCDCOE will be one step in the right direction — but Canada must keep moving. Canada could outline its position on how international law applies vis-à-vis cyber conflict, as many of its allies — including Estonia yet again — have done. Both this and an international strategy for cyberspace, which Canada also lacks, would provide important signalling for allies and adversaries alike. Following its allies in this regard could also support the priorities of the new Trudeau cabinet, such as to “advance international efforts to ban the development and use of fully autonomous weapons systems,” as outlined in the recently-unveiled foreign minister’s mandate letter.
Cybersecurity challenges and threats will not abate anytime soon, and these challenges require multilateral and global solutions. Close collaboration with our friends is the surest way forward.