Cyber-attack: What Goes Around, Comes Around!

  • Ken Barker, University of Calgary


The Canadian Government recently introduced a new document entitled “Strong, Secure, and Engaged” (SSE) outlining Canada’s Defense Policy across a wide range of its activities. One very new element of SSE is the decision to develop active cyber-attack capabilities that could be employed against potential adversaries. This raises some key issues, including: (i) the potential implications of using cyber-attacks, (ii) the potential for unintended consequences arising from their use, and (iii) the risk that they are subsequently used against the attacker, either intentionally or accidentally. Overarching questions include under what circumstances cyber-attacks should be permitted and what should be done to ensure they cannot subsequently be used against us or harm one of our allies. Canada’s allies have already developed and deployed such weapons with some demonstrable success but with some unintended consequences. What can we learn from the available information about the safe use of cyber-attacks, and when is it reasonable to use such a weapon? The nature of this technology is different from other forms of military aggression used in either peacetime or wartime. What checks and balances need to be put in place to ensure that it is used only under appropriate government-authorized military oversight? What protections can be put in place to ensure that the inadvertent release of a cyber-attack cannot occur? Finally, the decision to endorse the development of a cyber-attack capability introduces a difficult dichotomy. Cyber-attack technology exploits discovered weaknesses in digital systems. In a regime that permits only cyber-defence activities, discovering a weakness and deploying a repair for it is the obvious choice. However, if Canada is to incorporate a cyber-attack strategy, the decision to repair the weakness must now be traded off against exploiting the weakness against an enemy.
Attacks that exploit these undiscovered weaknesses are known as zero-day attacks because a previously unknown vulnerability in a computer system (hardware or software) is exploited “on the same day” the vulnerability becomes known to the wider world.
Briefing Papers