Cyber Support to CJOC / CAF Operations Brief to AFCEA 3 March 2015 LCol Nick Torrington-Smith Team Lead Joint Cyber Operations Team

CAF Cyber Operations Cyber Operations: The application of coordinated cyber capabilities to achieve an objective A clear objective: Defending our networks! This slide is intended to distinguish between what some may know as Cyber Support Operations – or Network operations, and that which I will refer to throughout the presentation as Cyber Operations. Cyber Operations is not network provisioning. It is also not, security and protection. Cyber operations is a deliberate action taken against an adversary. I will elaborate a little on this distinction on the next slide.

Security vs Defence Security is primarily concerned with protection from attacks that may occur proactive and sets conditions for Defence practices, policies, and guidelines that describe ideal operating conditions for a network may additionally prescribe technical controls to enforce these conditions Defence is the deliberate response to an attack that has occurred or is ongoing exists to address a Security condition that has been overcome aim is to return to the operating condition prescribed by Security Defence takes over where Security has been overcome! Across the cyber domain, our actions involve aspects of both security and defence. DND/CAF is responsible under the Financial Administration Act (FAA) to secure its own networks. In close collaboration with other Government Agencies and Departments such as Public Safety and Shared Services Canada, DND/CAF works to ensure its networks are both protected and defended. Cyber Security includes practices, policies, procedural controls, and guidelines that describe the necessary operating conditions for the cyber domain. It also includes the organizing, delivering, and maintaining of secure network architectures; monitoring the health of our networks; and investigating and addressing security infractions. The overall aim of the security effort is to safeguard system availability, integrity, authentication, confidentiality, and mission assurance of DND/CAF networks. Security is primarily concerned with protection from incidents that may occur. Security sets the conditions for operational command and control using Information Technology Systems (ITS). Where security establishes the necessary conditions for mission success, defence is a deliberate activity undertaken to counter a threat or attack by an adversary(ies). The aim of cyber defence is therefore to stop an adversary’s action and return our ITS to a secure operating condition. Our defensive activity can also occur as a precursor to an attack on our command and control systems. In other words, defence is the action of our Forces leading to, during and after an attack to prevent or restore the reliability and availability of the system. This implies that cyber operational effects require a capability for proactive actions if we are to support effectively CAF operational objectives. Security and defense complement one another in the Cyber domain. However, each are different in function, time sensitivity, and response, and each require degrees of specialization. Despite different orientations, both share a common objective, and must synchronize their actions in execution to assure DND/CAF operational and enterprise requirements.

Where does the JCOT fit in?

JCOT C2 Relationships CJOC COS Ops CFIOG D Cyber FD BGen Brennan Col Moritsugu D Cyber FD Col Sabourin Operationally responsive To Comd CJOC OPCON Administrative support JCOT work informs FD efforts Works across all functional areas (CJOC Cyber Champion) Champion for CFIOG mission set within CJOC Positions belong to DG Cyber JCOT Team Lead LCol Torrington-Smith As an evolving organization, the JCOT reporting relationships are still convoluted. The JCOT is OPCON to CFIOG and receives their administrative support and over-arching task lists from the Comd CFIOG. As CFIOG currently owns all the cyber capabilities within the CAF, this relationship is logical. The JCOT also has a dotted line relationship back to DG Cyber and the Force Development activities being conducted within D Cyber FD. This “learn by doing” approach will enable the JCOT to inform the force development of CAF cyber capabilities by providing concrete examples of what does and does not work within the CAF operational context. However, the main focus of the JCOT will be to support the Commander CJOC by supporting CAF operations. By integrating with CJOC staff across all functional areas, the JCOT will be able to provide cyber input into the planning and support of CAF operations worldwide. Because of the cross domain nature of cyber, the JCOT reports through the Chief of Staff Operations in the current CJOC HQ structure. We have very strong connections with the J2, J3, J5 and J6 staff. JCOT Deputy Team Lead Maj Caron JCOT Plans Maj Deschenes JCOT Operations Capt Amberley CSD CJOC SIGINT Analysts Team JCOT Int PO1 Spenst

Cyber Planning In coordination with key functional staffs, participate in various planning groups to provide cyber inputs into the Operational Planning Process within the CJOC Ensure CAF cyber capabilities are represented in the mission planning process Assist in identifying current and future cyber capability gaps in support of CAF operations Provide situational awareness on EW, SIGINT and CNO developments and impacts on CAF operations and CJOC priorities Within the planning cycle, the JCOT Plans officer can help bring cyber knowledge to CJOC planning staffs (J2, J3, J5, J6, J7, J9…). With this input, the planning staffs can gain a better understanding of the CAF cyber capabilities that are available to support a CAF mission, and know the right questions to ask. Additionally, during the planning cycle, specific capabilities may be requested that are not yet available. This will assist the force development teams to help steer capital projects and capability development areas to address shortfalls and provide the cyber capabilities requested by the force employer for future operations. The JCOT will also maintain situational awareness on the developments within the cyber realm both within the CAF and by our Allies and partners. This will allow the JCOT to advise on any impacts (beneficial and detrimental) to CAF operations as a result of these developments.

OP LADON Mission CDS Intent. DND/CAF will develop a comprehensive operational framework for the conduct of DCO to maintain DND/CAF freedom of manoeuvre in the cyber domain. CDS Intent. My intent is to maintain freedom of manoeuvre across all domains including the cyber domain. This will be achieved by operationalizing the conduct of DCO to defend , on a continuous basis, DND/CAF CIS, data, and associated infrastructure critical to the deployment, conduct and sustainment of DND/CAF missions, and to the command and control of military forces at home and abroad. Words are taken from the CDS Initiating Directive – signed 2 Feb 2015. This is a deliberate planning effort to attempt to fix the convoluted way DND/CAF performs network defence now. Authorities, Responsibilities and Accountabilities are spread among a number of different organizations with no clear focus, and a perceived lack of operational priority. CJOC will lead the deliberate planning effort to operationalize cyber defensive operations through a framework of a standing named operation – OP LADON.

OP LADON MA brief to Comd CJOC: 9 Mar 2015 COA development: Feb – Apr 2015.  Decision brief to Comd CJOC early May 2015 BB to CDS NLT end May 2015 (implies prior socialization with other L1 stakeholders by this date) Plan development Jun – Jul 2015. Approval of plan by Comd CJOC NLT Sept 2015 Execution order signed by CDS NLT Nov 2015. Although the CDS Initiating Directive was only recently signed, work has been ongoing since September 2014. In the CAF Operational Planning Process, the first two stages (Initiation and Orientation) are complete and will conclude with a mission analysis briefing to the Comd CJOC in the coming weeks. The development of courses of action has now commenced with an anticipated decision brief for the Comd to decide on the course of action he would like to pursue in early May 2015. This will be followed up in depth plan development, with a proposed date for the CDS to sign an execution order by the end of the calendar year. Coupled with this effort is the Cyber Force Development work ongoing to formalize a cyber command and control structure for the DND/CAF. These two efforts are independent, but complimentary. Where OP LADON will likely use a cyber component commander construct for assigning cyber defensive tasks, who that component commander is, or which organization they belong to is the work Cyber FD will complete with their C2 analysis. In Greek mythology, LADON was the serpent-like dragon that twined and twisted around the tree in the Garden of the Hesperides and guarded the golden apples.

Cyber Operations Maintain awareness of developments in current CAF operations that have a cyber nexus or which could be better supported by existing cyber capabilities, and inform and advise appropriate CJOC staff and external agencies as appropriate Provide cyber situational awareness to Comd CJOC and key staff Evaluate lessons learned from CAF operations which have a cyber relevance to ensure capability development efforts are initiated as appropriate Cyber capabilities are constantly changing. By maintaining a knowledge base about what is in the realm of the possible, the JCOT operations officer can advise key CJOC staff on how Cyber capabilities can assist in CAF operations. Conversely, any changes in CAF operations can then be fed back to supporting agencies to ensure they are better aligned to assist in providing cyber capabilities should the need arise. Providing the Comd CJOC with Cyber situational awareness is becoming more important as reliance on Cyber capabilities across CAF operations continues to grow. As the DND representative on the Assistant Deputy Minister Emergency Management Committee (ADM EMC) – typically represented by the D Comd Continental – any Cyber incident affecting the Government of Canada will need visibility at the highest levels of command within the CJOC. The primary responsibility to provide this SA rests with the JCOT. Presently the JCOT briefs the Command team of CJOC on items of interest as they arise during the Commander’s Update Brief each morning. Additionally, periodic written updates are provided at higher classification levels to provide a snapshot of global cyber activity that is of interest to CJOC. Capturing lessons learned from CAF operations will be important to ensure that cyber capabilities are responding to the needs of the operators.

Cyber Intelligence Link into CFINTCOM intelligence capability supporting cyber operations from strategic to tactical Provide SA on adversarial cyber activities Coordinate cyber related CCIRs Propose cyber intelligence collection tasks to satisfy CJOC operational requirements (cyber IPB) Advise on potential cyber threat / risks for CAF operations With an intelligence analyst in the team, the JCOT can maintain a close linkage with J2 staffs and CFINTCOM to provide the all source intelligence needed to develop a robust cyber situational awareness products. Providing information on potential adversarial capabilities will also inform CJOC staff on potential risks and threats for CAF operations.

Intelligence Assessments The JCOT provides cyber specific threat assessments to assist with current operational planning. This map is a snapshot in time illustrating areas where the JCOT intelligence assessments have been focused. It is not surprising that the coloured countries have a direct correlation to areas where CAF operations are currently being conducted. Complete In progress Contribution to other products

Summary - Current Activities Operations CJOC CUB – Situational Awareness Products OP CHAMPION (Improved defensive posture) Support to Allies / Collaborative efforts Intelligence Threat Assessments Support to planning Planning OP LADON – Deliberate planning effort for DCO Cyber inputs to CONPLANS / OPLANS / SOODOs Other support Cyber play in exercises and joint training events Other CJOC committees and boards

Questions / Discussion