Canada’s long awaited defence policy update has finally been released and has made a bigger splash in cyber than I had expected. For years, from my first Canadian Global Affairs Institute paper to my testimony before the House of Commons Standing Committee on National Defence, I have stressed there is a dire need for the Canadian Armed Forces (CAF) and Communications Security Establishment (CSE) to develop force structures to better organize cyber operations. The reasons for this is because a formal structure that includes CAF and CSE in a single organization significantly helps with coordination and cooperation on cyber operations, which allows greater ability to operate and conduct operations. A CAF Cyber Command is something needed for a long time.

This is finally happening.

In the Defence Policy Update titled “Our North, Strong and Free: A Renewed Vision for Canada’s Defence,” Canada says that it will establish a Canadian Armed Forces Cyber Command and develop a “joint Canadian cyber operations capability.” This approach is increasingly the standard amongst Western allies for how to organize and structure cyber operations capabilities, which is that there needs to be a force structure comprised of the military and signals intelligence organizations to cooperate and execute operations.

DND/CAF is getting a very sizeable amount of money to stand up this organization as well, but there are some initial concerns. Approximately $917 million over five years will be spent to “enhance Canada’s intelligence and Cyber Operations,” which is a sizeable amount of funding, but my concerns grow when we recognize that this funding is for more than just standing up the CAF Cyber Command. Nevertheless, this is a sizeable portion of funding to be injected into DND/CAF cyber capabilities which will have a great impact overall. When asked about some of these changes, officials alluded to the large amount of money for cyber going towards this reorganization and standing up CAF Cyber Command. Officials also said that Global Affairs Canada would have a small contingent based in CAF Cyber Command as well, this is due to GAC having a large role in how Canada decides to conduct offensive operations.

How this may look is through an increase in civilian employees. Standing up an entirely new command for a domain that has unique characteristics compared to other domains is one of the best places for civilian expansion, especially considering ongoing recruitment problems for the CAF. I have also increasingly been hearing about staffing and training issues with DND/CAF and CSE for cyber operators as well. Joining the CAF and CSE in a CAF Cyber Command may help to mitigate these issues by potentially allowing CSE and CAF to support each other. However, I am hesitate to fully belief this is the case due to the differences in how CSE and CAF draw justification for its cyber operations.

Half of DND/CAF’s authorities to conduct cyber operations derives from Crown prerogative, which basically means, “We can do this because the King says so.” It’s more complicated than that, obviously, but it is more or less that the military derives its authority to defend the country from the Crown.

For CSE it is much more clear and rigid as it derives its authorities from the CSE Act, which was most recently updated in 2019 to specifically update the CSE Act and provide CSE the authority and ability to conduct cyber operations, amongst a host of other changes. The CSE Act allows CSE to work alongside DND/CAF on cyber operations, and specifically take on DND/CAF mandate and authorities to do so. This is what has enabled the CAF and CSE to already work together on cyber operations for years now, with even recent admissions that the CAF and CSE have conducted operations together. As far as I know this means that there shouldn’t be any major legal barriers to standing up a CAF Cyber Command with CSE, but I am not a lawyer.

Some other Thoughts:

Delivery Afterthought

In its section on how it intends to deliver on the Defence Policy Update, “Digital Transformation” is tagged on at the end. While I am happy for its inclusion, with how much digital transformation is at the center of most DND/CAF modernization efforts at the moment, it does draw some concerns about how much digital transformation is at the center of achieving results outlined in the update. I get the impression that it was added as an afterthought, but could also be a reminder of, “Hey, we’re still doing digital transformation too!”

Although Digital Transformation feels like an afterthought here, it is not being treated as such by DND/CAF in practice. A lot was potentially missed in centering a lot of these modernization efforts around the already underway digital modernization effort. However, at this point it may be nitpicky when DND/CAF are placing cyber as one of the central pillars of the Defence Policy Update.

Forget Pan-Domain, To the Cloud!

The update has multiple mentions of cloud-computing/cloud-based environments, which is great. Secret cloud will be a cornerstone to pan-domain operations and pan-domain command and control and become vital to DND/CAF operations. However, there are policy barriers to achieving secret cloud at treasury board. With multiple mentions of cloud-based environments, it did surprise me that there was not anything about pan-domain. Although concepts are still being developed, pan-domain is at the center of everything the CAF does, so it was a little odd there was no mention of it.