Canada, NATO attempt to define boundaries of response to cyberattacks

Military planners in both Ottawa and Brussels are wrestling with the notion that keystrokes are as much of a threat as Kalashnikovs in this summer's deployment of the Canadian-led NATO battle group to Latvia.

They are weighing how to respond to a significant cyberattack on the Baltic nation, one that would target civilian, rather than military infrastructure in a manner similar to the one that took down government agencies and banks in Estonia in 2007.

A few weeks ago Canada's chief of defence staff pledged a sizable contingent of so-called cyber warriors would be part of the deployment.

But how far they will be able to go in countering cyber and information warfare threats coming from Russia is still a matter of debate.

"To the best of my knowledge, our [rules of engagement]are still under development, certainly from a cyber perspective," said Brig.-Gen. Paul Rutherford, commander of the military's Joint Forces Cyber Component. "I must leave it there."

But he underlined there is no intention on the part of NATO or Canada to conduct offensive online operations against hackers, state-sponsored or otherwise.

• Canadian military works to iron out challenges ahead of Latvia deployment
• Canadians prepare to face cyberwarriors and fake news in Latvia mission
• Liberals commit $350 million for Latvia mission to deter Russian aggression

And there will be clear rules before the 450 Canadian troops depart, Rutherford said.

"It will be a strong, defensive cyber posture," he told CBC News in a recent interview. "We will work closely with ourallies, with our battle group partners, and to include the Latvians."

Getting the rules just right is crucial from both a military and political perspective, say defence experts.

Two years ago, NATO placed massive cyberattacks on member nations on the same level as those conductedwith bullets and ballistic missiles. The notion was reinforced at last summer's summit among the alliance's 28 leaders in Warsaw, Poland.

"NATO is ready for the Allies to invoke collective defence in response to a significant cyberattack, the equivalent of an armed attack through cyberspace," officials said at the time.

But defining specifically what the threshold is for a "significant cyberattack," when it triggers the alliance's self-defence clause known as Article 5 and when response moves from the online to the real world is a matter of debate.

The deliberation is made more important by the fact that the West is already engaged in an undeclared cyberwar with Russian hackers on a daily basis and the most likely form of attack Canadians will face in Latvia will come from the internet, said Anthony Seaboyer, the director of the Centre for Security, Armed Forces and Society at the Royal Military College in Kingston, Ont.

Having a precisely calibrated response is also important because one of the main reasons for the NATO deployment to Latvia and the other Baltic States is to act asdeterrence.

Failure to respond to a massive online assault on civilian infrastructure such the banking system or the power grid could undermine the alliance's credibility.

Plausibledeniability

But Seaboyer saidthere's good reason for the hesitation on the part of Canadian and NATO officials.

Hackers can launch cyberattacks off laptops anywhere in the world, cover their tracks and create a haze of deniability something the Russians did masterfully during the annexation of Crimea.

"You can find the IP address, but how do you prove who was operating the computer at the time?" Seaboyer said. "How do you prove who paid the person who was behind the attack? They don't leave their CVs,or a card,for you to know who has hacked."

That makes the decisions by troops on the ground at NATO headquarters more complicated.

"There are huge problems," he said. "You can't just retaliate by sending a Hellfire missile,or drone strike. You just can't retaliate that way. We don't have a cyber army to send anywhere. And I don't know what a cyber army would look like other than hackers. It's a completely different space."

The rules and the systems NATO has set up over the decades "in many cases don't fit to the cyber domain" because nations can't strengthen their border or buy and aircraft carrier, Seaboyer added.

"The hammer we've had in hand doesn't fit here," he said.

NATO's cyber strategy places a lot of emphasis on member countries taking responsibility for defence of their own national computer networks, but NATO defence officials say the alliance is still struggling with how to engage each country.

Canadian cyber technicians deployed with the battle group will naturally guard against intrusions into the military networks, but what they can do for the people they are to protect remains foggy at best.

"If the rules of engagement allow us to be good coalition partners in cyber defence, then we will be so," said Rutherford.