A simulated exercise to assess the federal government’s ability to adequately respond to national emergencies has revealed several shortcomings.
An “anti-hacker” exercise dubbed Cyber Storm tests a country’s communications, policy and procedures in the face of cyber attacks. The mock crisis also evaluates how a government responds to emergencies, on its own, as well as in tandem with other countries. Canada, along with the United States, Australia, New Zealand and the United Kingdom, participated in the five-day simulation. It was conducted by the U.S. Department of Homeland Security. While the exercise itself was conducted last February, detailed reports analyzing this country’s response were published by Canada’s Public Safety and Emergency Preparedness Department (PSEPC).
The exercise mimicked a sophisticated cyber attack, which included scenarios, such as a leak of social insurance numbers, an aviation control meltdown and tampering with government Web sites. The PSEPC reports highlighted several weak spots in the federal government’s response. In particular:
• National and international secure communications channels are insufficient;
• Coordination with international counterparts has not been established; and,
• Some officials have trouble accessing secure documents in times of crisis.
In addition, it was noted that the mandate of the National Emergency Response System (NERS) had not yet evolved from concept to reality, despite its creation in 2003. An “all-hazards” response unit, NERS was established to coordinate federal responses to emergencies of national significance. Developed by PSEPC, it is staffed by PSEPC and other federal departments. Highlighting NERS’ lack of progress in these reports is a good thing, sa
id Michelle Warren, senior research analyst with Info-Tech Research Group in London, Ont. “It will really help light the fire under NERS to get them moving. I wish this had come out a little sooner, actually.” Warren said although most people like to think NERS had made more progress, the reality is that government agencies typically move at a slow pace. “Getting an association of that sort mobilized and moving forward can be very time-consuming, given multiple layers and various influencers trying to steer the organization.” A
s a government agency, NERS is not alone in the category of slow-movers, agreed Joe Greene, vice-president of IT security research with analyst firm IDC Canada Ltd. in Toronto.
The same reasons underlie the recent reports of a lack of coordination with international counterparts, he said. “Coordinating any government, let alone several governments, is usually quite difficult, given procedures and red tape.”
He said not only must a government ensure that its actions align with the best interests of its country, it needs to reconcile differences between governments.
Despite this, Greene expects that some progress, at least, should have been made in this area. “Obviously, they’ve got a lot of work to do to get this in the order they want.” Warren doesn’t believe the public has been made aware of the entire review of the Cyber Storm initiative. “When it comes to security, so much happens behind the scenes that the average person is not made privy to,” she said. “I suspect it’s a way for the public to know that [the government] is working on it without giving away too much.”
The reported lack of coordination with international counterparts, for instance, is a “fairly general finding,” according to Warren. She said this is an example of the government not wanting to reveal too much.
But overall, Warren said the post-mortem reports are useful in raising awareness of security vulnerabilities, and building an “ecosystem” of governments and organizations to address such issues. Canada’s mediocre response to Cyber Storm has exposed its security vulnerabilities on an international level, to everyone including hackers, said Warren. “That makes me think that the real purpose of Cyber Storm is to help build an ecosystem for all to get involved and work together.”
The government will have to take a critical look at its entire IT infrastructure and security systems, said Greene, given the encouraging message this post-mortem has sent out to would-be cyber attackers.
“It’s an open invitation. Come on along, we really aren’t quite ready. See what you can do, folks.”
Canadians should be concerned that the government scored a mediocre grade in crisis response, said Warren. “We’re all at risk, although the government is obviously at a bigger risk than the average human being.” 073584