Major federal cybersecurity exercise found big problems with teamwork, communication, preparedness

OTTAWA — Participants in a huge national cybersecurity exercise last fall rarely communicated, had trouble working with authorities and paid too little attention to the damage from breaches, according to an after-action report prepared by Public Safety Canada.

Simulation with 650 participants focused on critical infrastructure like telecom, transport, banking

By David Reevely
An abstract illustration showing workers with digital devices at the brink of a large, keyhole-shaped opening in the floor that has hellfire coming out of it. The floor has a circuit pattern resembling that of a computer chip.
Photo: Illustration by Paul Kim for The Logic
Sep 16, 2024

The weaknesses uncovered by the “Cy-Phy 23” exercise will inform new national cybersecurity plans, the department’s top official told Public Safety Minister Dominic LeBlanc in a memo.

Talking Points

  • A federal cyberattack simulation last fall exposed siloed thinking, misaligned priorities and a focus on digital defences at the expense of the real-world operational consequences of failure, according to a final report from Public Safety Canada
  • Expert Jennifer Quaid told The Logic that exercises like “Cy-Phy 23” are supposed to find weaknesses, or else there’s no point

The Logic obtained deputy minister Shawn Tupper’s briefing note through an access to information request. The after-action report was published online in July, after multiple delays.

The exercise last October was focused on companies and agencies that run critical infrastructure—sectors such as banking, telecom, food, health services and transportation. Capping two years of planning and preparation, it took three days and involved more than 650 participants from about 150 organizations, including targets, response agencies and observers.

Public Safety would not say which organizations took part. Spokesperson Noémie Allard told The Logic that participation was confidential, because part of the point was to “identify vulnerabilities and gaps in their overall security posture.”

None of the big banks The Logic asked about their possible involvement—CIBC, RBC, BMO, TD and Scotiabank—said whether they took part; nor did telecom giants Rogers and Telus.

Bell spokesperson Tianna Goguen wrote in an email that Bell was not in Cy-Phy 23 but was part of a different exercise this year involving the financial sector and telcos. Electricity utility Ontario Power Generation said it did not take part, either.

Thirty-two “player/victim organizations” in critical infrastructure sectors did, though. Using a virtual platform, they played through a scenario in which cyberattackers from a made-up country called Westinia responded to Canadian sanctions against their government by going after Canadian targets with ransomware and malicious software to steal data and interfere with “operational systems.”

The exercise was complete with simulated news reports, social media, technical blogs, a version of the dark web, emails and phone calls.

“If the purpose of this was to understand what we need to be working on, if the purpose was for the private sector to get a sense of what they need to be working on, then it was hugely successful,” said Jennifer Quaid, executive director of the Canadian Cyber Threat Exchange (CCTX), a clearing house for targets of cyberattacks to share experiences and best practices for response.

Quaid played a bit part in the simulation herself, leading a call among targets of the attacks—as she would for members of the CCTX if they were under attack in real life—to talk about “what they’re seeing, what they’re doing, how they’re reacting.”

Participants got a taste of what it would be like to defend their organizations and the country in a “cataclysmic environment,” Quaid said. It’s one thing to have a plan for a breach in your own company, she said, but what do you do if you lose control of your systems and the telecom services you need to get things working again are down? That’s hard to practise internally, Quaid said.

“If it were to go smoothly and everything happened the way it was supposed to, I’d tell you it was rigged, because life doesn’t work that way,” Quaid said.

The exercise was evidently not rigged, based on the official after-action report.

Players had “minimal interaction” with each other during the game, despite having organized working groups to foster collaboration, the report said.

“This lack of engagement hindered the effectiveness of cross-sector and cross-jurisdictional coordination efforts, highlighting the need for enhanced communication channels and engagement strategies,” it went on.

A portrait of Jennifer Quaid wearing a blue blazer.
Jennifer Quaid, executive director of the Canadian Cyber Threat Exchange. Photo: CCTX/Handout

Corporate teams had trouble working with emergency-management authorities, encountering difficulties in “aligning priorities, exchanging information and coordinating actions.”

This kind of problem isn’t a big surprise to Quaid. “One of the lines that we frequently use here at the CCTX is, ‘A disaster is a terrible time to be meeting your support team,’” she said. “Instant response needs to be a muscle, and you need to be able to use muscle memory in a crisis.”

Even within teams in the exercise—let alone between them—players were bad at sharing key information, because they lacked the means to do it or couldn’t understand important data from each other’s technical systems.

They also didn’t always know how to reach each other when their main communication methods went down. They needed backup copies of contact information for backup communication channels.

“You can’t have it all in your laptop,” said Quaid. “But you don’t think about those things until you go, ‘Damn, it’s all in my laptop.’”

The key lesson, according to the report: “Participants emphasized the requirement to test alternate communication modes before events and the necessity of overcoming organizational silos.”

Besides that, the organizers found that many participants focused too much on cybersecurity itself, “overlooking the importance of addressing physical impacts and understanding interdependencies within the critical infrastructure community,” according to the report.

In other words, they fixated on their digital armour at the expense of tending to the wounds they took when the bad guys got through it.

And broadly, “a noticeable gap was identified across organizations in terms of preparedness, training and adherence to protocols.”

One caveat, according to the after-action report, is that the game itself might’ve been a bit much. “Many participants had competing priorities and some faced some level of exercise fatigue,” the report said, noting that a narrower scope could have focused participants better.

The lessons will be worked into revisions to the national cybersecurity strategy (which hasn’t been overhauled since the first version was published in 2018) and the national critical infrastructure strategy (which dates to 2009). Both are due this year, Public Safety’s Tupper wrote in his memo to LeBlanc.

The department is also readying an exercise kit for critical infrastructure providers to run smaller simulations themselves. Allard told The Logic that Public Safety aims to have a trial version ready by the end of the year.
