By JENNIFER DITCHBURN
April 8, 2007
OTTAWA -- An anti-hacker exercise that simulated the leak of social
insurance numbers, an aviation control meltdown and tampering with
government websites wound up exposing serious weaknesses in how Canada
responds to emergencies.
The simulation, called Cyber Storm, took place over five days last
February and involved four other countries, including the United States.
The drill was designed to see how countries would react, individually
and together, to attacks on their critical computer infrastructure by
hackers, disgruntled employees, or even anti-globalization activists.
One of the main findings by senior officials, spelled out in newly
released documents, was that the Canadian government's National
Emergency Response System (NERS) is still just a concept three years
after it was first initiated.
Conceptual model is widely accepted; the actual system is still nascent,
an official with the Public Safety and Emergency Preparedness Department
told colleagues in a lessons learned presentation dated April 2006.
"Conceptual models must be translated into reality."
The NERS was conceived in 2003, when the Public Safety department was
first formed under the Liberals in the aftermath of the 9/11 attacks.
The idea was to come up with a co-ordinated government approach to
dealing with emergencies of national importance.
Two years ago, the federal Auditor-General made note of the slow pace
getting the system off the ground, saying the government had not
committed to a completion date for the NERS.
We found that departmental plans are vague on how they would link
together to form a co-ordinated federal response, Sheila Fraser wrote.
The post mortem on Cyber Storm suggested not much had changed.
Another Public Safety report obtained by The Canadian Press through
Access to Information, entitled First Impressions, indicated the whole
exercise fell short of proving the system could work.
Cyber Storm did not fully realize the goal of demonstration of the
protocols, authorities, notification procedures and co-ordination
mechanisms . . . reads the report dated May 2006.
The documents also point to specific shortcomings in how the government
deals with emergencies. Among them:
* National and international secure communications channels are
* Co-ordination with international counterparts has still not been
* Some officials have trouble getting access to secure documents in
times of crisis.
We need to work hard to ensure adequate and appropriate distribution of
information before and during an exercise or real emergency, one
An internal briefing note said one of Cyber Storm's main objectives was
to improve the visibility and presence of the Public Safety and
Emergency Preparedness Department with Washington's Department of
Homeland Security. None of the objectives referred to strengthening
Canada's own emergency system.
A spokeswoman for Public Safety Minister Stockwell Day wouldn't comment
on the status of the National Emergency Response System, but said Cyber
Storm was an important tool for the department.
The exercise highlighted areas where we face challenges and require
improvement, said Melisa Leclerc. That is exactly why we conduct
exercises to learn and improve.
Threats to computer software and hardware continue to be a major concern
to governments as attackers become more sophisticated and more specific
in their approach.
Symantec Security Response briefed Canadian officials last month on its
Internet Security Threat Report, noting that governments are the biggest
targets of data breaches resulting in identity theft. The number of
threats to enterprises and consumers has risen nearly 300 per cent since
2005, the company reported.
Al Huger, vice-president of Symantec's security response and security
services, said it's a certainty that federal government systems will
eventually become a target of a large-scale infiltration simply because
He said it's a good sign the government went through the Cyber Storm
exercise, but Canada is slightly behind the curve when compared to the
level of preparedness of the United States.
They haven't been victimized to the same degree, Mr. Huger said of the
Generally you see governments kick into high gear once bad things
Subscribe to InfoSec News