CAF cyber force hindered by lack of staff and training, assessment team warns
On 20 February 2024, the Ottawa Citizen reported that the Department of National Defence and Canadian Armed Forces’ (DND/CAF) cyber force is hindered by a lack of staff and training, and by security clearances that take too long. Positions allocated across the forces cannot be filled, which has reduced DND/CAF’s capacity to handle both defensive and offensive operations.
While this has been known for some time, the article does well to highlight many of the inconsistencies in DND/CAF cyber policies. The article notes that a request to DND about the cyber forces produced a response saying operational security dictates not revealing any details about the size, capacity, capabilities, or qualifications of the cyber forces. Despite this, DND/CAF has previously released many reports and other information that at least comment on each of those in some capacity. Canadian media has not often
It is important to note that the report and audit cited are a couple of years old and predate some policy changes, including additional pay or bonuses, among others, which saw an increase in cyber operators. The exact composition is unclear, but I at least know they improved their offensive cyber personnel. I am unsure to what degree this has helped, but based on Departmental Results and my sources, this has produced a noticeable improvement.
Operation Cronos Disrupts Lockbit Ransomware Group
On 20 February, the United Kingdom’s National Crime Agency announced that it had successfully infiltrated the Lockbit ransomware group and compromised its systems. The UK was joined by an international law enforcement task force called Operation Cronos, which included Canada.
Lockbit was first launched in 2019 and rose to be one of the most prolific ransomware groups in recent years. The takedown included Lockbit’s primary administration environment along with a host of intelligence, source code, and decryptors.
Lockbit has since launched a new website and released a verbose, likely lie-filled statement. I will not be linking to the letter, but suffice it to say that Lockbit is coping hard and trying to act like this is only a minor inconvenience.
National Cybersecurity Consortium 2024 Call for Proposals
The National Cybersecurity Consortium (NCC) is a Canadian network dedicated to advancing the cybersecurity ecosystem within Canada through research and development, commercialization, and training. This month, NCC announced their 2024 call for proposals has opened, calling for proposals that:
“Support research and development projects with Technology Readiness Levels (TRL) 1-6 via the design and implementation of innovative cybersecurity technologies, advancing the “state-of-the-art”, and supporting studies into emerging cybersecurity issues.
Support commercialization of new technology with TRL 7-9, developing products and services that address cybersecurity challenges in critical infrastructure protection, human-centric cybersecurity, network security, software security, and privacy protection.
Provide and build opportunities for training, upskilling, and reskilling of cybersecurity professionals across myriad disciplines.”
Government of Canada ends the Canadian Digital Adoption Program Early
The Canadian Digital Adoption Program (CDAP) ended with a fizzle and no plan on how the Government intends to use the money. The CDAP was meant to usher billions in loans and grants to Canadian businesses to upgrade their digital technology, but the Government distributed less than a quarter of the $4 billion allocated.
Businesses and associations alike criticized the program for its barriers to entry, including the requirements to qualify, and for being too complicated and time-consuming.
RCMP Networks Targeted by Cyberattack
On 23 February, CBC News reported that the RCMP is currently managing a “cyber event.” The RCMP said that the size of the attack is alarming, but that they were able to quickly mitigate the attack to prevent impacts on RCMP operations. Few details have been released; it is generally the norm for the Canadian government to provide very little to the public about the impact of attacks on the government.
M&M Vending Machines Are Watching You?
The University of Waterloo M&M vending machines have apparently been running facial recognition software, unbeknownst to even the University. The company responsible has stated that their machines comply with GDPR (despite it not being law in Canada) as an explanation that this information is used responsibly. However, the company does admit such data is used and stored locally, which raises the question of the local security of this vending machine.
United States Military Achieves ‘Minimum Viable’ Version of CJADC2
The United States announced that it has reached minimum viability with Combined Joint All Domain Command and Control (CJADC2). Operation OLYMPUS is the US military operation to use existing US exercises with allies to transition from a CJADC2 pilot into an initial forces-wide operating capability.
So why does this matter to Canada?
The CAF is undergoing a transition to adopt CJADC2 concepts, which they call Pan-Domain or Pan-Domain Command and Control. The CAF is working to ensure it can operate with the United States in CJADC2. If the CAF cannot do this, it will significantly harm the US-Canada defence relationship.
Government of Canada joins international partners in endorsing shared 6G principles
Huawei’s dominance in 5G became a significant political and security liability, and since then the United States and allies have agreed not to let China dominate the development of future standards and principles. This is at the core of the announcement that Canada, the United States, and other allied countries have endorsed the Joint Statement of Principles for 6G.