OTTAWA - An anti-hacker exercise that simulated the leak of social insurance numbers, an aviation control meltdown and tampering with government websites wound up exposing serious weaknesses in how Canada responds to emergencies.
The simulation, called Cyber Storm, took place over five days last February and involved four other countries, including the United States. The drill was designed to see how countries would react, individually and together, to attacks on their critical computer infrastructure by hackers, disgruntled employees, or even anti-globalization activists.
One of the main findings by senior officials, spelled out in newly released documents, was that the Canadian government's National Emergency Response System (NERS) is still just a "concept'' three years after it was first initiated.
"Conceptual model is widely accepted; the actual system is still nascent,'' an official with the Public Safety and Emergency Preparedness Department told colleagues in a "lessons learned'' presentation dated April 2006.
"Conceptual models must be translated into reality.''
The NERS was conceived in 2003, when the Public Safety department was first formed under the Liberals in the aftermath of the 9/11 attacks. The idea was to come up with a co-ordinated government approach to dealing with emergencies of national importance.
Two years ago, the federal auditor general made note of the slow pace getting the system off the ground, saying the government had not committed to a completion date for the NERS.
"We found that departmental plans are vague on how they would link together to form a co-ordinated federal response,'' Sheila Fraser wrote.
The post mortem on Cyber Storm suggested not much had changed.
Another Public Safety report obtained by The Canadian Press through Access to Information, entitled "First Impressions,'' indicated the whole exercise fell short of proving the system could work.
"Cyber Storm did not fully realize the goal of demonstration of the protocols, authorities, notification procedures and co-ordination mechanisms . . .'' reads the report dated May 2006.
The documents also point to specific shortcomings in how the government deals with emergencies. Among them:
- National and international secure communications channels are "insufficient.''
- Co-ordination with international counterparts has still not been formalized.
- Some officials have trouble getting access to secure documents in times of crisis.
"We need to work hard to ensure adequate and appropriate distribution of information before and during an exercise or real emergency,'' one official reported.
An internal briefing note said one of Cyber Storm's main objectives was to improve the visibility and presence of the Public Safety and Emergency Preparedness Department with Washington's Department of Homeland Security. None of the objectives referred to strengthening Canada's own emergency system.
A spokeswoman for Public Safety Minister Stockwell Day wouldn't comment on the status of the National Emergency Response System, but said Cyber Storm was an important tool for the department.
"The exercise highlighted areas where we face challenges and require improvement,'' said Melisa Leclerc. "That is exactly why we conduct exercises to learn and improve.''
Threats to computer software and hardware continue to be a major concern to governments as attackers become more sophisticated and more specific in their approach.
Symantec Security Response briefed Canadian officials last month on its Internet Security Threat Report, noting that governments are the biggest targets of data breaches resulting in identity theft. The number of threats to enterprises and consumers has risen nearly 300 per cent since 2005, the company reported.
Al Huger, vice president of Symantec's security response and security services, said it's a certainty that federal government systems will eventually become a target of a large-scale infiltration simply because it's possible.
He said it's a good sign the government went through the Cyber Storm exercise, but Canada "is slightly behind the curve'' when compared to the level of preparedness of the United States.
"They haven't been victimized to the same degree,'' Huger said of the federal government.
"Generally you see governments kick into high gear once bad things happen, unfortunately.''
