OTTAWA — Participants in a huge national cybersecurity exercise last fall rarely communicated, had trouble working with authorities and paid too little attention to the damage from breaches, according to an after-action report prepared by Public Safety Canada.
The weaknesses uncovered by the “Cy-Phy 23” exercise will inform new national cybersecurity plans, the department’s top official told Public Safety Minister Dominic LeBlanc in a memo.
Talking Points
- A federal cyberattack simulation last fall exposed siloed thinking, misaligned priorities and a focus on digital defences at the expense of the real-world operational consequences of failure, according to a final report from Public Safety Canada
- Expert Jennifer Quaid told The Logic that exercises like “Cy-Phy 23” are supposed to find weaknesses, or else there’s no point
The Logic obtained deputy minister Shawn Tupper’s briefing note through an access to information request. The after-action report was published online in July, after multiple delays.
The exercise last October was focused on companies and agencies that run critical infrastructure—sectors such as banking, telecom, food, health services and transportation. Capping two years of planning and preparation, it took three days and involved more than 650 participants from about 150 organizations, including targets, response agencies and observers.
Public Safety would not say which organizations took part. Spokesperson Noémie Allard told The Logic that participation was confidential, because part of the point was to “identify vulnerabilities and gaps in their overall security posture.”
None of the big banks The Logic asked about their possible involvement—CIBC, RBC, BMO, TD and Scotiabank—said whether they took part; nor did telecom giants Rogers and Telus.
Bell spokesperson Tianna Goguen wrote in an email that Bell was not in Cy-Phy 23 but was part of a different exercise this year involving the financial sector and telcos. Electricity utility Ontario Power Generation said it did not take part, either.
Thirty-two “player/victim organizations” in critical infrastructure sectors did, though. Using a virtual platform, they played through a scenario in which cyberattackers from a made-up country called Westinia responded to Canadian sanctions against their government by going after Canadian targets with ransomware and malicious software to steal data and interfere with “operational systems.”
The exercise was complete with simulated news reports, social media, technical blogs, a version of the dark web, emails and phone calls.
“If the purpose of this was to understand what we need to be working on, if the purpose was for the private sector to get a sense of what they need to be working on, then it was hugely successful,” said Jennifer Quaid, executive director of the Canadian Cyber Threat Exchange (CCTX), a clearing house for targets of cyberattacks to share experiences and best practices for response.
Quaid played a bit part in the simulation herself, leading a call among targets of the attacks—as she would for members of the CCTX if they were under attack in real life—to talk about “what they’re seeing, what they’re doing, how they’re reacting.”
Participants got a taste of what it would be like to defend their organizations and the country in a “cataclysmic environment,” Quaid said. It’s one thing to have a plan for a breach in your own company, she said, but what do you do if you lose control of your systems and the telecom services you need to get things working again are down? That’s hard to practise internally, Quaid said.
“If it were to go smoothly and everything happened the way it was supposed to, I’d tell you it was rigged, because life doesn’t work that way,” Quaid said.
The exercise was evidently not rigged, based on the official after-action report.
Players had “minimal interaction” with each other during the game, despite having organized working groups to foster collaboration, the report said.
“This lack of engagement hindered the effectiveness of cross-sector and cross-jurisdictional coordination efforts, highlighting the need for enhanced communication channels and engagement strategies,” it went on.
Corporate teams had trouble working with emergency-management authorities, encountering difficulties in “aligning priorities, exchanging information and coordinating actions.”
This kind of problem isn’t a big surprise to Quaid. “One of the lines that we frequently use here at the CCTX is, ‘A disaster is a terrible time to be meeting your support team,’” she said. “Instant response needs to be a muscle, and you need to be able to use muscle memory in a crisis.”
Even within teams in the exercise—let alone between them—players were bad at sharing key information, because they lacked the means to do it or couldn’t understand important data from each other’s technical systems.
They also didn’t always know how to reach each other when their main communication methods went down. They needed backup copies of contact information for backup communication channels.
“You can’t have it all in your laptop,” said Quaid. “But you don’t think about those things until you go, ‘Damn, it’s all in my laptop.’”
The key lesson, according to the report: “Participants emphasized the requirement to test alternate communication modes before events and the necessity of overcoming organizational silos.”
Besides that, the organizers found that many participants focused too much on cybersecurity itself, “overlooking the importance of addressing physical impacts and understanding interdependencies within the critical infrastructure community,” according to the report.
In other words, they fixated on their digital armour at the expense of tending to the wounds they took when the bad guys got through it.
And broadly, “a noticeable gap was identified across organizations in terms of preparedness, training and adherence to protocols.”
One caveat, according to the after-action report, is that the game itself might’ve been a bit much. “Many participants had competing priorities and some faced some level of exercise fatigue,” the report said, noting that a narrower scope could have focused participants better.
The lessons will be worked into revisions to the national cybersecurity strategy (which hasn’t been overhauled since the first version was published in 2018) and the national critical infrastructure strategy (which dates to 2009). Both are due this year, Public Safety’s Tupper wrote in his memo to LeBlanc.
The department is also readying an exercise kit for critical infrastructure providers to run smaller simulations themselves. Allard told The Logic that Public Safety aims to have a trial version ready by the end of the year.