In 1994, we had a well-defined information warfare strategy, which included solid defensive and offensive doctrine. It was prophetic in that it considered an Internet-of-machines, semantic warfare (influence and interference), social media and global dimensions of cyber power. Foresighting initiatives accurately predicted the impact of information science and technology decades in advance. An integrated risk management framework and the national proactive cyber defence strategy were published, but soon forgotten. The language was softened and diluted. A once forward-leaning strategy, took on a reactionary and conventional approach. Post 9/11, resources and attention was redirected from national security to counter-terrorism.
It would be a decade before there was a renaissance in cyber security and defence in Canada.
By 2010, we had the clean pipes initiative, upstream security and intelligence programs that defined, designed engineered, tested, deployed and demonstrated a nation cyber defence infrastructure. One that was capable of detecting and mitigating ninety-nine per cent of malicious traffic; with demonstrable savings of ten-billion dollars a year. We had enumerated national critical infrastructures and measured critical interdependencies to extraordinary degrees of precision. Systems were able to monitor and mitigate malicious traffic at scale (nationally) and counter the most advanced persistent threats. Canadian teams had investigated and taken down the largest botnets and cyber criminal organizations on the planet and exposed major cyber espionage networks. Cyber threat intelligence sharing was solved. There was hope for Trusted Internet Connectivity. This engineering achievement was documented in a Reference Security Architecture for Cyber Defence. Books were published on based upon this operational experience and findings.
Data was slowly left unanalysed or was sent to ground. Systems were turned off. Taken off-line. Designs were shelved and forgotten. The defence of Canada was no longer seen as a priority by a critical mass of stakeholders who moved onto other things. Many organizations turned their focus inward to defence their own networks. Providers were pressured to sell what people wanted to buy – functionality, speed, availability.
Within a few years, we were back to a pre-1993 state-of-affairs, with only a few silos of excellence in industry and government.
Such is it that a national cyber defence apparatus fell to pressures of: Net-Neutrality, civil liberties objections, economics, market demand, politics and Edward Snowden. Partner organizations did not make the investment to ingest upstream cyber intelligence and were self-limited by internal regulations and policies. Large organizations bought bandwidth solely based on price, transferring security risks to other departments. Canadian consumers were not willing to pay for security, even if it was free.
The Canadian ICT supply chain suffered significant setbacks owing to mismanagement, indifference and espionage. The telecoms industry transformed from being a thought-leader and innovator to fast-follower and re-focused on the consumer market. Billions of dollars in cyber security research and innovation were halted overnight.
Now in 2019, we have another opportunity. There appears to be renewed interest in defending the nation and networks of importance to Canada. There is general willingness for a critical mass of key influencers in government, industry and academia to partner and collaborate on a national cyber defence agenda. There is more money flowing into cyber security research and innovation. Industry associations are aligned in one mission. Legislation has been changed to permit greater collaboration, public and private partnerships.
The good news is that we can apply today’s technology to a challenge that we have already solved few times in the past.
This time, when we approach challenge, we need to revisit past knowledge, designs and research. Pull the teams back together, and collaborate intentionally to orchestrate an effective national cyber defence solution. We need to preserve a sense of urgency on this endeavour, and a commitment to sustain the effort, lest we slip into a period of indifference.