A simulation exercise to assess the federal government's ability to adequately respond to national emergencies has revealed several shortcomings.
An anti-hacker exercise dubbed Cyber Storm tests a country's communications, policies and procedures in the face of cyber attacks. The mock crisis also evaluates how a government responds to emergencies, both on its own and in tandem with other countries.
Canada - along with the United States, Australia, New Zealand and the United Kingdom - participated in the five-day simulation, conducted by the U.S. Department of Homeland Security.
While the exercise itself took place last February, detailed reports analyzing this country's response were published recently by Canada's Public Safety and Emergency Preparedness Department (PSEPC).
The exercise mimicked a sophisticated cyber attack, which included scenarios such as a leak of social insurance numbers, an aviation control meltdown and tampering with government Web sites.
The PSEPC reports highlighted several weak spots in the federal government's response. In particular:
- National and international secure communications channels are insufficient;
- Coordination with international counterparts has not been established; and,
- Some officials have trouble accessing secure documents in times of crisis.
In addition, it was noted that the mandate of the National Emergency Response System (NERS) had not yet evolved from concept to reality, despite its creation in 2003.
An all hazards response unit, NERS was established to coordinate federal responses to emergencies of national significance. Developed by PSEPC, NERS is staffed by PSEPC and other federal departments.
Highlighting NERS' lack of progress in these reports is a good thing, says Michelle Warren, senior research analyst with Info-Tech Research Group Inc. in London, Ont. "It will really help light the fire under NERS to get them moving. I wish this had come out a little sooner, actually."
She says although most people like to think NERS had made more progress, the reality is that government agencies typically move at a slow pace. "Getting an association of that sort mobilized and moving forward can be very time consuming, given the multiple layers and various influencers trying to steer the organization," says Warren.
As a government agency, NERS is not alone in the category of slow movers, agrees Joe Greene, vice-president of IT security research with analyst firm IDC Canada Ltd. in Toronto.
The same reasons underlie the recent reports of a lack of coordination with international counterparts, he says. "Coordinating any government, let alone several governments, is usually quite difficult, given the procedures and red tape."
He says not only must a government ensure its actions align with the best interests of its country, it needs to reconcile differences between governments.
Despite this, Greene expects that some progress, at least, should have been made in this area. "Obviously, they've got a lot of work to do to get this in the order they want."
Warren doesn't believe the public has been made aware of the entire review of the Cyber Storm initiative. "When it comes to security, so much happens behind the scenes," she says. "I suspect it's a way for the public to know that [the government] is working on it without giving away too much."
The reported lack of coordination with international counterparts, for instance, is a "fairly general finding," according to Warren. She said this is an example of the government not wanting to reveal too much.
But overall, Warren says the post-mortem reports are useful in raising awareness of security vulnerabilities, and building an ecosystem of governments and organizations to address such issues.
Canada's mediocre response to Cyber Storm has exposed its security vulnerabilities on an international level to everyone including hackers, says Warren. "That makes me think that the real purpose of Cyber Storm is to help build an ecosystem for all to get involved and work together."
The government will have to take a critical look at its entire IT infrastructure and security systems, says Greene, given the encouraging message this post mortem has sent to would-be cyber attackers. "It's an open invitation. Come on along, we really aren't quite ready. See what you can do, folks."
Canadians should be concerned that the government scored a mediocre grade in crisis response, says Warren. "We're all at risk, although the government is obviously at a bigger risk than the average human being."