A 21st Century NORAD? How Canada and the United States can confront our shared cyber threat
As the threat of conventional attacks on the United States continues to diminish, the U.S. and its allies must prepare to defend against the weapons of a 21st century. Cyber-attacks, rare until the last decade, are now frequently used by countries looking to strike anonymously or by non-state actors looking to inflict heavy damage with minimal resources. Preventing such an attack must become a U.S. defense priority. Whatever action is taken, it is critical to include Canada in any cyber defense planning. A cyber-attack could potentially harm our shared power grids, border crossings, air traffic control systems, and waterways. With $1 billion in trade passing between the U.S and Canada every day, it is critical that we protect our shared infrastructure in order to maintain economic stability and national security.
Assuring the easy flow of information between American and Canadian agencies is critical for a bi-national cyber defense system to be effective. Paul Rosenzweig, a Visiting Fellow at the Heritage Foundation and an expert on cyber-security, discussed his concerns at the Wilson Center on December 5. He stressed the need for improved government-to-private and government-to-government information sharing. U.S. intelligence agencies have historically been reluctant to share information between themselves, let alone with a foreign counterpart. While the U.S. has its own shortcomings when sharing information, Mark Fabro, President and Chief Security Scientist of Lofty Perch, pointed out that Canada needs to invest more resources and attention to cyber-security if it wishes to cooperate with the U.S as an equal. Canada currently lacks a 24/7 office where cyber-attacks can be detected and acted upon. Officials on both sides of the border agree that a successful cyber defense system is impossible without a balanced and efficient information sharing structure.
The risk of failing to confront the cyber threat would leave communication systems, transportation infrastructure, and other targets vulnerable. A few keystrokes could create irreversible damage. DHS staged a cyber-attack in 2007 to demonstrate how much damage a simple hack could do to the power grid. In the video, a power generator destroys itself after an off camera engineer hacks the generator’s safeguards and pushes the gears well passed redline. If such an attack were to target one of the 37 electric grid crossings between the U.S and Canada, many people on both sides of the border could find themselves without power for weeks. Even more devastating could be the online theft of classified intelligence documents or financial assets. Countries such as China and Iran have the resources to coordinate a cyber-attack so it is important that the U.S and Canada prepare for all possibilities.
Despite the necessity of a joint U.S-Canada cyber defense system, significant barriers remain to full implementation. A successful system would require intensive oversight of critical companies and infrastructure, many of which are under private ownership. These private asset owners will not voluntarily share information, especially with foreign governments or other private firms, lest they lose their competitive edge. Asset owners would also be required to identify and share their potential vulnerabilities. This would allow others to fix and avoid potential threats but also force firms to divulge potential weaknesses. The solution to this issue is to include incentives for firms who participate in the cyber defense program. An incentive system may be difficult to accomplish politically, but it is necessary if the U.S and Canada are serious about assuring their cyber security. The House and Senate both have proposed information sharing bills but neither has reached the President’s desk. Mark Fabro predicted that because there is nothing in either bill related to granting security clearance to Canadian firms and only the Senate bill has a regulatory provision, Obama will reject both bills in favor of signing an executive order. The order would delay legislation for at least a year but could allow time for legislators to agree upon a more comprehensive bill.
Fortunately, some pieces for a binational cyber security system are already in place. Law enforcement officials on both sides of the border communicate regularly, electricity grids reach across borders, and government officials have called for such an initiative. The Beyond the Border Action Plan did little to create momentum for implementation of a joint cyber-security system, but increased awareness of the issue by both governments will hopefully inspire increased dialogue and a commitment to keep our shared infrastructure safe from foreign threats. To ensure our enhanced security both countries must contribute equally, encourage a cooperative private sector, and agree on the rules of engagement should an attack occur. If the U.S and Canada can come to an agreement on these issues, it is very possible that we could see a “21st Century NORAD” to protect us from cyber threats.