A simulated exercise to assess the federal government’s ability to adequately respond to national emergencies has revealed several shortcomings.
An “anti-hacker” exercise – dubbed Cyber Storm – tests a country’s communications, policy and procedures in the face of cyber attacks. The mock crisis also evaluates how a government responds to emergencies, on its own, as well as in tandem with other countries.
Canada – along with the United States, Australia, New Zealand, and the United Kingdom – participated in the five-day simulation – conducted by the U.S. Department of Homeland Security.
While the exercise itself was conducted last February, detailed reports analyzing this country’s response were published by Canada’s Public Safety and Emergency Preparedness Department (PSEPC).
The exercise mimicked a sophisticated cyber attack, which included scenarios, such as a leak of social insurance numbers, an aviation control meltdown, and tampering with government Web sites.
The PSEPC reports highlighted several weak spots in the federal government’s response. In particular:
• National and international secure communications channels are insufficient;
• Coordination with international counterparts has not been established; and,
• Some officials have trouble accessing secure documents in times of crisis.
In addition, it was noted that the mandate of the National Emergency Response System (NERS) had not yet evolved from concept to reality, despite its creation in 2003.
An “all hazards” response unit, NERS was established to co-ordinate federal responses to emergencies of national significance. Developed by PSEPC, it is staffed by PSEPC and other federal departments.
Highlighting NERS’ lack of progress in these reports is a good thing, says Michelle Warren, senior research analyst with Info-Tech Research Group in London, Ont. “It will really help light the fire under NERS to get them moving. I wish this had come out a little sooner, actually.”
She says although most people like to think NERS had made more progress, the reality is that government agencies typically move at a slow pace. “Getting an association of that sort mobilized and moving forward can be very time consuming, given multiple layers and various influencers trying to steer the organization,” says Warren.
As a government agency, NERS is not alone in the category of slow-movers, agrees Joe Greene, vice-president of IT security research with analyst firm IDC Canada Ltd. in Toronto.
The same reasons underlie the recent reports of a lack of coordination with international counterparts, he says. “Coordinating any government, let alone several governments, is usually quite difficult, given procedures and red tape.”
He says not only must a government ensure its actions align with the best interests of its country, it needs to reconcile differences between governments.
Despite this, Greene expects that some progress, at least, should have been made in this area. “Obviously, they’ve got a lot of work to do to get this in the order they want.”
Warren doesn’t believe the public has been made aware of the entire review of the Cyber Storm initiative. “When it comes to security, so much happens behind the scenes that the average person is not made privy to,” she says. “I suspect it’s a way for the public to know that [the government] is working on it without giving away too much.”
The reported lack of coordination with international counterparts, for instance, is a “fairly general finding,” according to Warren. She said this is an example of the government not wanting to reveal too much.
But overall, Warren says the post-mortem reports are useful in raising awareness of security vulnerabilities, and building an “ecosystem” of governments and organizations to address such issues.
Canada’s mediocre response to Cyber Storm has exposed its security vulnerabilities on an international level, to everyone including hackers, says Warren. “That makes me think that the real purpose of Cyber Storm is to help build an ecosystem for all to get involved and work together.”
The government will have to take a critical look at its entire IT infrastructure and security systems, says Greene, given the encouraging message this post-mortem has sent out to would-be cyber attackers.
“It’s an open invitation. Come on along, we really aren’t quite ready. See what you can do, folks.”
Canadians should be concerned that the government scored a mediocre grade in crisis response, says Warren. “We’re all at risk, although the government is obviously at a bigger risk than the average human being.”