Today’s news cycle is headlining information and cognitive warfare, propaganda, disinformation, foreign influence and interference - all of which are accelerated by cyberspace and enabled by the industrial ecosystem of our adversaries.
OPERATIONAL TEMPO
Most professionals would agree that information technology is advancing quickly while procurement of new capability is dreadfully slow. Operational tempo in the information domain is astonishingly faster than the speed of procurement. Many of our allies and adversaries have found ways and means to close this gap.
Consider that computational power, bandwidth, processing speed and storage double roughly every ten (10) months, punctuated by sudden leaps in capability brought on by a convergence of disruptive technologies like AI, big data, cloud and quantum computing.
Adversary offensive infrastructure, offensive payloads and tactics, techniques and procedures (TTPs) can evolve and pivot in days, while sixth-generation polymorphic malware, launch sites and attack networks are in fast flux, changing in less than a second. Yet cyber and intelligence procurement with government may take a decade.
More dramatically, persistent engagement in the information domain requires enhanced operational tempo, and rapid capability and talent acquisition measured in days. One may have only minutes to re-engineer intelligence and counter tradecraft. History has shown that DIY solutions typically take far longer to engineer, and are more expensive and less effective than COTS – they may not have full access to the deep tech ecosystem, nor can they capitalize on economies of scale. This is why agile procurement of solutions that blend commercial products, sources and services into national mission sets is important.
These days, active cyber defence, intelligence, and countering influence, disinformation and interference must be all-of-nation coordinated initiatives.
In this fast-paced game, Canada’s adversaries have some strategic advantages, above all their willingness to field a full team by leveraging their sovereign industrial base and acquiring services at operational tempo.
DEFENCE PROCUREMENT
To recap, CADSI’s research concluded that government and industry agree on the core challenges impacting military cyber procurement, which apply equally well to intelligence:
1. The cyber procurement process is too slow and rigid to keep pace with cyber innovation and obsolescence cycles;
2. Most cyber procurement projects are too large and complex, introducing unnecessary risks for business and government;
3. Procurement professionals need new skills and training to keep pace with cyber innovations and to operationalize new procurement practices better aligned to cyber.
CADSI’s research also concluded that government and industry are not aligned on how to solve these challenges. In part, this discord is attributable to a gap in Canada’s cyber [and intelligence] ecosystem – currently, there is no government-industry forum to discuss these issues and challenges or to collaborate on possible reforms, so little progress has been made.
Canada needs an institutionalized government-industry forum to discuss and obtain consensus around viable procurement reforms, and to support the implementation of solutions.
CADSI believes that industry-government dialogue and collaboration are essential to resolving many of Canada’s cyber [and intelligence] challenges, including procurement, which further reinforces the key findings of its 2020 report.
The collaboration imperative rests on several tenets:
· In intelligence and cyber defence, the role of the private sector is different and enhanced;
· Industry drives a speed of innovation and attack that is faster than traditional defence;
· Industry is responsible for more of the innovation, and plays a greater role in delivery of operations; and
· Industry owns and operates most of cyberspace, including the underlying networks and enabling technologies [and has a lead role in intelligence operations, information and cognitive warfare].
Cyber [and intelligence] technologies present a unique risk profile and calculus that challenges current procurement approaches, and may result in a persistent technological mismatch between Canada’s military and its adversaries. Given that adversaries can bring new capabilities online from scratch in weeks, the perceived benefits of taking the time to thoroughly de-risk and compete procurements may be outweighed by the damage caused by an undefended attack.
Developing solutions is best done through rapid iteration, and by breaking larger problems down into smaller, more discrete parts. This new paradigm does not mesh well with the current acquisition approach.
Established government processes cannot meet or exceed cyber innovation cycles. Government needs to bring different expertise and knowledge together in new ways to develop and acquire cyber [and intelligence] solutions effectively and on time. The pace of innovation places a premium on continuous reskilling, training, and knowledge exchange between government, industry, and academia.
Canada’s current procurement system cannot account for cyber’s aggressive obsolescence cycles, cross-platform integration challenges, or the unpredictable impacts of converging technologies. Shared Services Canada effectively summarized the digital-era procurement challenge noting that “we have shifted from discrete problems with fixed answers to holistic messes that require innovative approaches and collaborative solutions.”
A related report[2], published by Federal News Week, found that over 20% of SMBs leave the defence industry every year because doing business with DND is too difficult.
Three things that are reportedly driving business away from the military are:
1. An extremely long sales cycle measured in years rather than days, while the adversary drives the innovation cycle;
2. Heavy bureaucracy, processes, policy and administration; and
3. Obsolete and bespoke requirements that field yesterday’s technology tomorrow with few opportunities to sell into other markets.
Furthermore, foreign military purchases of cyber and intelligence products and services are undermining Canadian industry and introducing bias and risk, while expanding attack surfaces and exposing the military supply chain to risk of compromise.
THREAT FROM MILITARY-CIVIL FUSION INDUSTRIAL PROXIES
Our adversaries are driving the innovation cycle for offensive cyber and influence activities and matching NATO’s overmatch capability through close industrial collaboration and collusion. Russia, China and Iran, in particular, operationalize in days capabilities that take Canada decades. For one, they are far less risk-averse and freely employ private actors as proxies.
Canada’s industrial base is highly targeted by sophisticated threat actors and their proxies aiming to profit from, or disrupt, its industrial capability. Rapid digital transformation and the introduction of disruptive technology have vastly expanded the attack surface of the sector overnight. Adversaries use their industry to launch aggressive campaigns of espionage, influence and disruption.
Canadian Centre for Cyber Security (CCCS) says the number of cyber threat actors is rising, and they are becoming more sophisticated. The commercial sale of cyber tools coupled with a global pool of talent has resulted in more threat actors and more sophisticated threat activity. Illegal online markets for cyber tools and services have also allowed cybercriminals to conduct more complex and sophisticated campaigns.[3]
The Canadian Security Intelligence Service reported that foreign interference and espionage continue to persist and pose long-term, strategic challenges for Canada. Activities by hostile states are detrimental to Canada’s economic, industrial, military and technological advantage, and have a corrosive effect on our democratic systems and institutions.[4] Public statements on Chinese interference by the media and intelligence agencies date back to before 1995.
The threats to Canadian prosperity are tangible: in 2019 alone, 28 million Canadians had their data compromised. At any given time, 12% of computers, mobile phones and accounts are compromised. The economic impact of cyber crime and espionage in Canada has been measured at greater than $100 billion per year. Espionage is business, and foreign industry has a vested interest and strategic investment in it.
While cybercrime is the most likely threat, the Canadian Centre for Cyber Security has warned that the state sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada. State-sponsored actors will almost certainly continue to conduct commercial espionage against Canadian businesses, academia, and governments to steal Canadian intellectual property and proprietary information. The threat of cyber espionage is almost certainly higher for Canadian organizations that operate abroad or work directly with foreign state-owned enterprises.[5] Yet, state programs operate through proxies in the information domain and have a fluid means of procuring these services.
David Vigneault, the director of the Canadian Security Intelligence Service (CSIS), describes foreign interference and espionage, mainly through cyberspace, as having done “significant harm” to Canada’s prosperity.
CRITICALITY OF INDUSTRY FOR CANADA, ALLIES AND ADVERSARIES
The deep technology sector enables applied research and innovation essential to the economic prosperity of our country. Yet both adversaries and competitors exploit our private sector and our supply chain. Our adversaries have weaponized industry.
Our adversaries benefit from technological and industrial espionage, including the theft of intellectual property, and from the threat of coercion through foreign direct investment. Specifically, the industry has been subject to persistent targeted cyber attacks, remote and close-access operations, illicit venture capital investment, covert procurement, industrial espionage, breaches of research facilities, illegitimate partnerships and joint ventures, supply chain infiltration through compromised suppliers, and a shell game of exporting Canadian technologies to dangerous states.
Canada is seen as a permissive target.
Western governments have long been reluctant to involve themselves in defending the private sector from cyber attacks and espionage, even when assaults originate from nation-states. Although this is slowly changing, industry is a proxy target in a renewed power struggle between nation states – rogue and criminal. Most vulnerable are Canadian deep tech start-ups, which are directly targeted by hostile intelligence services, malevolent competitors and proxy criminal organizations. Intelligence gathering and espionage remained the primary motivation for state-sponsored cyber intrusions in 2019[6] and will be through 2023.
PACING THREAT AGENTS
Through the theft of intellectual property, misinformation, and deception, Russia looks to re-establish itself as a major world player in a multipolar world, while China seeks to gain increasing economic and political advantage.[7] As the gap with the West closes, the use of the cyber domain would serve as an effective coercive tactic in a time of conflict to target critical infrastructure.[8] The Russian intelligence services have long been active in Canada and against Canadian interests. Canadian-based private sector organizations have been subject to cyber exploitation, intimidation, dis/mis/mal-information, influence, close-access operations and violence.[9]
According to the Canadian Centre for Cyber Security, foreign state-sponsored cyber programs are probing Canadian critical infrastructure for vulnerabilities.[10]
CrowdStrike Intelligence observed an 82% increase in ransomware-related data leaks. Targeted intrusion adversaries continued to adapt to the changing operational opportunities and strategic requirements of technology and world events. Russian, Chinese, Iranian and North Korean adversaries were all observed employing new tradecraft or target-scopes meant to respond to global trends. This included: Russia’s targeting of service providers to exploit trusted relationships; China’s weaponization of vulnerabilities at scale to facilitate initial access efforts; Iran’s use of ransomware to blend disruptive operations with authentic eCrime activity; and Democratic People's Republic of Korea’s (DPRK) shift to cryptocurrency-related entities in an effort to maintain illicit revenue generation during economic disruptions caused by the pandemic.[11]
ADVERSARY PROGRAMS
Let’s look at how Russia, China and Iran use their industry to procure capability at the speed of cyber.
The Russian information warfare ecosystem is both vast and complex. Like a Matryoshka doll, it consists of nested layers of corporate entities, vicarious state-owned research institutes, military units, universities and Soviet-era research facilities associated with the state security apparatus, developing signals intelligence and cryptographic capabilities. Complicating matters, the Russian state actively encourages and employs criminal hackers. Similarly, troll farms for disinformation/influence operations work independently from decentralized actors and crowdsourced campaigns. The Russian intelligence services, like the Federal Security Service (FSB), the Foreign Intelligence Service (SVR) and the Main Intelligence Directorate (GRU), are all active players in this space. These organizations frequently both cooperate and compete with each other and with industry. There is no central authority.
Capability development is managed through the network of former Soviet research institutes that have generally morphed into Federal State Unitary Enterprises (FSUE), and organizations such as the State Corporation for Assistance to Development, Production and Export of Advanced Technology (ROSTEC). In the past decade, the Russian state has attempted to kick-start the deep technology sector, and close the perceived 20-year gap with Western technology, by investing heavily in ‘innovation initiatives’ such as the Skolkovo[12] Innovation Center, the Innopolis[13] Special Economic Zone and ERA[14] Technopolis. These efforts to spark the development of the high-tech sector are in fact focused on the development and production of ‘dual-use’ technologies, that being deep tech that can be easily adapted for use by the military and security intelligence services.
This complex environment exists within a system that has long practised political warfare referred to as ‘hybrid-warfare’. Digital interconnectedness allows Russia to conduct activities with global reach, speed and scale. The modern inheritors of the tradecraft of the Soviet security services continue to apply the concepts of deniability, covert action and the use of proxy organizations, which has been carried over to the Russian approach to the conduct of information and paramilitary operations:
· State-associated and connected corporate entities, such as Federal State Unitary Enterprises (FSUE), are similar to a Crown Corporation in Canada. These entities are directly connected to the Russian state apparatus;
· Private corporations/corporate entities. There are two types of Russian joint-stock companies, public (open) and private (closed). There may be examples of JSCs that are State-owned, where the Russian state acts as a normal shareholder; and
· International corporations/corporate entities with ties to Russia. Typically, these are large multinational corporations, which were founded in Russia or by Russians.
Individual companies have often evolved over a number of years and through multiple iterations, with companies being registered and dissolved, spun off and re-registered under different names. State-owned entities (FSUE) have been used to contract services through corporate entities in order to deliver capability to the security services. Other relationships exist directly between corporate entities and government agencies, and some exist between corporations with no overt indication of government involvement.
RUSSIAN OFFENSIVE TECH FIRMS
For example, six companies have been sanctioned by the U.S. Treasury Department for providing expertise, developing tools and infrastructure, and facilitating malicious cyberattacks on behalf of the Russian Federal Security Service (FSB), Main Intelligence Directorate (GRU) and Foreign Intelligence Service (SVR). The sanctioned companies are: Positive Technologies; AST; Neobit; Pasit; SVA; and ERA Technopolis.
Positive Technologies was accused of hosting large-scale conventions that are used as recruiting events for the FSB and GRU and providing network security solutions to foreign governments, Russian businesses and Russian government clients, including the FSB.
AST allegedly provided technical support to cyber operations conducted by the FSB, GRU and SVR, and counts the Russian Ministry of Defense, SVR and FSB among its client base, the Treasury Department said. Meanwhile, Neobit conducted research and development in support of the cyber operations conducted by the FSB, GRU, and SVR, and has the Russian Ministry of Defense as a client.
Pasit is accused of conducting research and development in support of the SVR’s malicious cyber operations, and SVA of conducting research and development in support of the SVR’s malicious cyber operations. According to the U.S. Treasury Department, SVA is a Russian state-owned research institute specializing in advanced systems for information security.
ERA Technopolis is operated by the Russian Ministry of Defense and houses and supports GRU units responsible for offensive cyber and information operations. The research centre and technology park leverages the personnel and expertise of the Russian technology sector to develop military and dual-use technologies, according to the U.S. Treasury Department.
APT29, or Cozy Bear, operated by the SVR, perpetrated the SolarWinds hacking campaign, which put the global technology supply chain at risk. US officials concluded that the $1 billion Russian cyber company Positive is a major provider of offensive hacking tools, knowledge, and even operations to Russian spies. Positive is believed to be part of a constellation of private sector firms and cybercriminal groups that support Russia’s geopolitical goals, and which the US increasingly views as a direct threat. American intelligence agencies have long concluded that Positive also runs actual hacking operations itself, with a large team allowed to run its own cyber campaigns as long as they are in Russia’s national interest.
The biggest Russian cybersecurity company, Kaspersky, has been under fire for years over its relationships with the Russian government—eventually being banned from US government networks. Kaspersky has always denied a special relationship with the Russian government.
Russia similarly outsources paramilitary, extralegal and intelligence operations to outfits such as the Wagner Group, a private mercenary army and transnational criminal organization, and disinformation to the Internet Research Agency, both owned by oligarch Yevgeny Prigozhin. The Wagner Group opened its first official headquarters and innovation centre in the Russian city of Saint Petersburg.
“The PMC Wagner Centre is a group of buildings with venues for inventors, project developers, IT specialists, experimental manufacturers and various start-ups, all free of charge. The mission of the PMC Wagner Center is to provide a comfortable environment for generating new ideas to improve Russia’s defence capability” – said Prigozhin.
The Wagner Center sponsored a hackathon earlier this year. Participants were asked to develop a program for UAV navigation in the absence of GPS. The winning teams included members of ARTYSTRAZH LLC, a Moscow-based company involved in artificial intelligence; SR SPACE JSC, a private Russian space company; and LLC SMYSLOLYOT, a Russian drone development company.
CHINA’S INDUSTRIAL STRATEGY
Chinese industry, central government, intelligence services and the military form a cohesive partnership around joint national initiatives: the Belt and Road Initiative, the Thousand Talents Plan, United Front Work, Military-Civil Fusion and the Three Warfares Strategy. There is no analog in the West for this degree of integrated public-private partnership on a unified national strategy.
China’s Belt and Road Initiative is intended to shift the balance of economic, technological and military global power. The Thousand Talents Plan recruits leading international experts in scientific research, innovation, and entrepreneurship. United Front Work gathers intelligence on, manages relations with, and attempts to influence or intimidate individuals and organizations inside and outside China using industry, government, military, intelligence services and organized crime. China’s Military-Civil Fusion Strategy makes companies direct beneficiaries of intelligence. China’s Three Warfares Strategy is the political and information pre-kinetic warfare calculus of the People’s Liberation Army (PLA), encompassing media or public opinion warfare, psychological warfare and legal warfare. Huawei has been named by the Chinese government as an industrial lead in the Belt and Road Initiative, Military-Civil Fusion, United Front and Three Warfares Strategy for Information Communications Technology (ICT).
According to widespread media reporting, China is engaged in a broad effort to acquire the trade secrets of Canadian companies using espionage, exploitation of commercial entities and a network of scientific, academic and business contacts.
The Cybersecurity and Infrastructure Security Agency has reported that the People’s Republic of China (PRC) engages in malicious cyber activities to pursue its national interests. Malicious cyber activities attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT (including managed service providers), international trade, education, video gaming, faith-based organizations, and law firms.[15]
Chinese telecoms providers have reportedly rerouted the Internet traffic of thousands of Canadian companies through China multiple times by altering/poisoning global Internet routing to facilitate systematic exploitation and IP theft.[17]
TARGETED DEEP TECHNOLOGIES IN THE CHINESE FIVE-YEAR PLAN
The People’s Republic of China (PRC) 14th Five-Year Plan (FYP), for 2021 to 2025, sets the overall direction and objectives for economic espionage.
The Strider Global Intelligence Team discovered rapid adaptations in PRC overseas talent recruitment and IP acquisition TTPs during the COVID-19 pandemic. Traditional in-person recruitment and travel to China have been replaced by new online recruitment tactics.[18]
Canadian deep tech companies working in the following areas can expect to be targeted by PRC government talent recruitment and technology acquisition initiatives carried out by hostile intelligence services, foreign militaries and organized crime:
Seven Digital Economy Key Sectors
1) Cloud Computing
2) Big Data
3) Internet of Things
4) Industrial Internet
5) Blockchain
6) Artificial Intelligence
7) Virtual Reality and Augmented Reality
Eight Manufacturing Sectors to Increase Core Competitiveness
1) High-End New Materials
2) Major Technology Equipment
3) Smart Manufacturing and Robotics Technology
4) Aero Engines and Gas Turbines
5) Beidou Industrialization Applications
6) New Energy Vehicles and Smart (Network) Vehicles
7) High-End Medical Equipment and Innovative Pharmaceuticals
8) Agricultural Machinery and Equipment
Seven Frontier Technology Areas to Attack
1) Next Generation AI
2) Quantum Information
3) Integrated Circuit
4) Brain Science and Brain-Like Intelligence Research
5) Gene and Biotechnology
6) Clinical Medical and Health
7) Deep Space, Deep Earth, Deep Sea, and Polar Exploration
Chinese espionage was in part responsible for the fall of Nortel and the erosion of Canada’s sovereign ICT supply chain and industrial funding for innovation.
RESEARCH EXPOSURES
Foreign states aggressively exploit academic openness to steal Canadian commercial technology, using “campus proxies” and industrial partnerships. For example, Chinese scientists are exploiting western government funding and research institutes to leapfrog in dual-use quantum technologies.[19] Under Chinese law and strategy called “military-civil fusion,” Chinese companies and researchers must share technology with the Chinese military. Meanwhile, under the Thousand Talents Plan China steals industry IP through academic partnerships.[20]
The Director of CSIS (Vigneault) said China represents “the most significant and clear” challenge when it comes to espionage targeting Canadian campuses. China and Russia were engaged in the “monitoring and/or coercion” of students, faculty and university officials in an effort to further their influence.
Canadian academics have collaborated on dozens of projects with Chinese military researchers – many of whom have deliberately obscured their defence ties – raising concerns that Canada is inadvertently helping China modernize its armed forces.[21] It has been reported that academic exchanges, jointly advancing technologies such as secure communications, satellite-image processing and drones, include the enrolment of Chinese defence scientists as graduate students and visiting scholars at Canadian universities. The PLA refers to a strategy of “picking flowers in foreign lands to make honey in China.”
Richard Fisher, a senior fellow on Asian military affairs at the International Assessment and Strategy Center think tank, refers to the strategy as “the global Chinese intelligence vacuum cleaner” – an effort to scour the world for dual-use technology, which has both civilian and military value. The aims have been broad, from seeking materials for space weapons to technology for next-generation hypersonic missiles, and such work “has been immensely profitable for China’s military modernization.”
Chinese President Xi Jinping has called for “rejuvenating the military with science and technology,” and China’s military budget is now the second-largest on Earth.
IRANIAN MILITARY OUTSOURCES OFFENSIVE CYBER
Tehran continues to develop cyberwar capabilities, carrying out attacks through a network of intermediaries, allowing the regime to strike at Canada while denying direct involvement.[22]
Iran’s cyberwarfare capability lies primarily within Iran’s Islamic Revolutionary Guard Corps, a branch of the country’s military. However, rather than employing its own cyberforce against foreign targets, the Islamic Revolutionary Guard Corps appears to mainly outsource offensive cyber operations, as this is far more cost-effective and agile. The Islamic Revolutionary Guard Corps uses trusted intermediaries to manage contracts with independent groups. These intermediaries are loyal to the regime, but separate from it. They translate the Iranian military’s priorities into discrete tasks, which are then auctioned off to independent contractors. As many as 50 organizations compete for these contracts, and several contractors may be involved in a single operation. Iran’s use of intermediaries and contractors makes it harder to attribute cyber attacks to the regime.
Iran engages in both espionage and sabotage operations. It employs both off-the-shelf malware and custom-made software tools, according to a 2018 report by the Foundation to Defend Democracy. Iran’s cyber espionage campaigns gain access to networks in order to steal proprietary and sensitive data in areas of interest to the regime. APT33 is especially noteworthy. It has conducted numerous espionage operations against oil and aviation industries in the US, Saudi Arabia and elsewhere. APT35 has attempted to gain access to email accounts belonging to individuals involved in a 2020 US presidential campaign.
CONCLUSION
The renewal of capability development and procurement frameworks has three (3) principal considerations:
1. Cyberspace is owned and operated by the private sector, which has been leading active cyber defence, open source intelligence and counter-influence operations in this space for decades;
2. Canada’s allies and adversaries outsource a significant portion of cyber and influence operations to industry using very agile procurement mechanisms that field capabilities and deliver effect in days not decades. Procurement stands at the centre of win or defeat against an adversary whose outsourcing framework is light-speed ahead of our own; and
3. National security, intelligence and defence are team sports requiring robust public private partnerships.
[1] https://www.defenceandsecurity.ca/UserFiles/Uploads/publications/reports/files/document-37.pdf
[3] https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020
[4] https://www.canada.ca/en/security-intelligence-service/corporate/publications/2018-public-report.html
[5] https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020
[6] Derek B. Johnson, “Report: Hackers target defense contractors, telecoms”, on CrowdStrike, 04 March 2020.
[7] Clairvoyance Cyber Corp
[8] Ibid.
[9] Renée DiResta and Shelby Grossman, “Potemkin Pages & Personas: Assessing GRU Online Operations, 2014-2019”, Stanford Cyber Policy Center.
[10] https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020
[11] https://go.crowdstrike.com/global-threat-report-2022.html
[12] http://community.sk[.]ru/
[13] sezinnopolis[.]ru/
[14] era-tehnopolis[.]ru/
[15] https://www.cisa.gov/uscert/china
[16] The Globe and Mail, 30 March 2017
[17] https://www.theglobeandmail.com/politics/article-china-telecom-hijacked-internet-traffic-in-us-and-canada-report/
[18] https://www.striderintel.com/
[19] https://www.striderintel.com/
[20] https://www.state.gov/wp-content/uploads/2020/05/What-is-MCF-One-Pager.pdf
[21] The Globe and Mail, 2019
[22] https://theconversation.com/how-irans-military-outsources-its-cyberthreat-forces-129536