Skip to content

Canada's Business and Tech Newsroom

  • Professional Subscription
  • Partnerships & Advertising
  • Licensing & Syndication
Log In Subscribe
Welcome,
  • My Account
  • Log Out
  • Business
  • Tech
  • National
  • The Big Read
  • Briefings
  • Commentary
Search
Log In Subscribe
Welcome,
  • My Account
  • Log Out
News

Major federal cybersecurity exercise found big problems with teamwork, communication, preparedness

OTTAWA — Participants in a huge national cybersecurity exercise last fall rarely communicated, had trouble working with authorities and paid too little attention to the damage from breaches, according to an after-action report prepared by Public Safety Canada.

News

Major federal cybersecurity exercise found big problems with teamwork, communication, preparedness

Simulation with 650 participants focused on critical infrastructure like telecom, transport, banking

By David Reevely
An abstract illustration showing workers with digital devices at the brink of a large, keyhole-shaped opening in the floor that has hellfire coming out of it. The floor has a circuit pattern resembling that of a computer chip.
Photo: Illustration by Paul Kim for The Logic
Sep 16, 2024
A A
A Small A Medium A Large
Share

Gift

Share

OTTAWA — Participants in a huge national cybersecurity exercise last fall rarely communicated, had trouble working with authorities and paid too little attention to the damage from breaches, according to an after-action report prepared by Public Safety Canada.

The weaknesses uncovered by the “Cy-Phy 23” exercise will inform new national cybersecurity plans, the department’s top official told Public Safety Minister Dominic LeBlanc in a memo.

Talking Points

  • A federal cyberattack simulation last fall exposed siloed thinking, misaligned priorities and a focus on digital defences at the expense of the real-world operational consequences of failure, according to a final report from Public Safety Canada
  • Expert Jennifer Quaid told The Logic that exercises like “Cy-Phy 23” are supposed to find weaknesses, or else there’s no point

The Logic obtained deputy minister Shawn Tupper’s briefing note through an access to information request. The after-action report was published online in July, after multiple delays.

The exercise last October was focused on companies and agencies that run critical infrastructure—sectors such as banking, telecom, food, health services and transportation. Capping two years of planning and preparation, it took three days and involved more than 650 participants from about 150 organizations, including targets, response agencies and observers.

Public Safety would not say which organizations took part. Spokesperson Noémie Allard told The Logic that participation was confidential, because part of the point was to “identify vulnerabilities and gaps in their overall security posture.”

None of the big banks The Logic asked about their possible involvement—CIBC, RBC, BMO, TD and Scotiabank—said whether they took part; nor did telecom giants Rogers and Telus.

Bell spokesperson Tianna Goguen wrote in an email that Bell was not in Cy-Phy 23 but was part of a different exercise this year involving the financial sector and telcos. Electricity utility Ontario Power Generation said it did not take part, either.

Related Articles

Shortage of cybersecurity workers a ‘crisis’ at apex of federal government

By David Reevely

Preparing for the ‘boom’ at Ottawa’s new cyber range

By David Reevely

Thirty-two “player/victim organizations” in critical infrastructure sectors did, though. Using a virtual platform, they played through a scenario in which cyberattackers from a made-up country called Westinia responded to Canadian sanctions against their government by going after Canadian targets with ransomware and malicious software to steal data and interfere with “operational systems.”

The exercise was complete with simulated news reports, social media, technical blogs, a version of the dark web, emails and phone calls.

“If the purpose of this was to understand what we need to be working on, if the purpose was for the private sector to get a sense of what they need to be working on, then it was hugely successful,” said Jennifer Quaid, executive director of the Canadian Cyber Threat Exchange (CCTX), a clearing house for targets of cyberattacks to share experiences and best practices for response.

Quaid played a bit part in the simulation herself, leading a call among targets of the attacks—as she would for members of the CCTX if they were under attack in real life—to talk about “what they’re seeing, what they’re doing, how they’re reacting.”

“One line we frequently use is, ‘A disaster is a terrible time to be meeting your support team.’”


Participants got a taste of what it would be like to defend their organizations and the country in a “cataclysmic environment,” Quaid said. It’s one thing to have a plan for a breach in your own company, she said, but what do you do if you lose control of your systems and the telecom services you need to get things working again are down? That’s hard to practise internally, Quaid said.

“If it were to go smoothly and everything happened the way it was supposed to, I’d tell you it was rigged, because life doesn’t work that way,” Quaid said.

The exercise was evidently not rigged, based on the official after-action report.

Players had “minimal interaction” with each other during the game, despite having organized working groups to foster collaboration, the report said.

“This lack of engagement hindered the effectiveness of cross-sector and cross-jurisdictional coordination efforts, highlighting the need for enhanced communication channels and engagement strategies,” it went on.

A portrait of Jennifer Quaid wearing a blue blazer.
Jennifer Quaid, executive director of the Canadian Cyber Threat Exchange. Photo: CCTX/Handout

Corporate teams had trouble working with emergency-management authorities, encountering difficulties in “aligning priorities, exchanging information and coordinating actions.”

This kind of problem isn’t a big surprise to Quaid. “One of the lines that we frequently use here at the CCTX is, ‘A disaster is a terrible time to be meeting your support team,’” she said. “Instant response needs to be a muscle, and you need to be able to use muscle memory in a crisis.”

Even within teams in the exercise—let alone between them—players were bad at sharing key information, because they lacked the means to do it or couldn’t understand important data from each other’s technical systems.

They also didn’t always know how to reach each other when their main communication methods went down. They needed backup copies of contact information for backup communication channels.

“You can’t have it all in your laptop,” said Quaid. “But you don’t think about those things until you go, ‘Damn, it’s all in my laptop.’”

The key lesson, according to the report: “Participants emphasized the requirement to test alternate communication modes before events and the necessity of overcoming organizational silos.”

“If everything happened the way it was supposed to, I’d tell you it was rigged, because life doesn’t work that way.” 


Besides that, the organizers found that many participants focused too much on cybersecurity itself, “overlooking the importance of addressing physical impacts and understanding interdependencies within the critical infrastructure community,” according to the report.

In other words, they fixated on their digital armour at the expense of tending to the wounds they took when the bad guys got through it.

And broadly, “a noticeable gap was identified across organizations in terms of preparedness, training and adherence to protocols.”

One caveat, according to the after-action report, is that the game itself might’ve been a bit much. “Many participants had competing priorities and some faced some level of exercise fatigue,” the report said, noting that a narrower scope could have focused participants better.

Gift the full article

The lessons will be worked into revisions to the national cybersecurity strategy (which hasn’t been overhauled since the first version was published in 2018) and the national critical infrastructure strategy (which dates to 2009). Both are due this year, Public Safety’s Tupper wrote in his memo to LeBlanc.

The department is also readying an exercise kit for critical infrastructure providers to run smaller simulations themselves. Allard told The Logic that Public Safety aims to have a trial version ready by the end of the year.

#critical infrastructure #cybersecurity #economy #infrastructure #Public Safety Canada #Tech

Loading...

Thanks for sharing!

You have shared 5 articles this month and reached the maximum amount of shares available.

Close
This account has reached its share limit.

If you would like to purchase a sharing license please contact The Logic support at [email protected].

Close
Want to share this article?

Upgrade to all-access now

Close
Gift the full article!

You have gifted 0 article(s) this month and have 5 remaining.

Copy link and gift
Copy Link
Email to a friend
Send Email
Gift on Social Media

Recipients will be able to read the full text of the article after submitting their email address. They will not have access to other articles or subscriber benefits.

An abstract illustration showing workers with digital devices at the brink of a large, keyhole-shaped opening in the floor that has hellfire coming out of it. The floor has a circuit pattern resembling that of a computer chip.

Photo: Illustration by Paul Kim for The Logic

A portrait of Jennifer Quaid wearing a blue blazer.

Jennifer Quaid, executive director of the Canadian Cyber Threat Exchange.

Most Popular This Week

A shot of a sign bearing the Pfizer logo, with a lowrise office building in the background.
News

So far, foreign-owned firms have dominated Buy Canadian contracts

By Laura Osman
Exclusive

PCO clerk Sabia stayed on Mastercard Foundation board for a year with no conflict screen

By Joanna Smith
Nakisa CEO Babak Varjavandi in a screencapture from the floor of a tech show. He's wearing a suit jacket and open-collared shirt.
News

Canadian firms are ready to help with digital sovereignty. Their challenge is getting approved

By Laura Osman
A shot of a small rocket sitting on a launch pad attached to its launch equipment. The backdrop is open sea and a light blue sky.
News

Canada’s submarine decision just paid off for Nova Scotia’s spaceport

By David Reevely

In-depth, agenda-setting reporting

Great journalism delivered straight to your inbox.

A shot of Catherine Saine and Sam Ramadori seated at a table in front of screen with LawZero's logo on it.
The Big Read

The small team in Montreal trying to save the world from AI

By Martin Patriquin

Briefing

First Quantum said to consider selling stake in Argentina mine

By Anita Balakrishnan   |   Jul 15, 2026 | 3:43 PM ET

Sagard’s private credit fund raises US$1B

By Anita Balakrishnan   |   Jul 15, 2026 | 3:36 PM ET

Electrovaya shares surge after striking major deal with Amazon

By Catherine McIntyre   |   Jul 15, 2026 | 3:32 PM ET

Best business newsletter in Canada

Get up to speed in minutes with insights and analysis on the most important stories of the day, every weekday.

Exclusive events

See the bigger picture with reporters and industry experts in subscriber-exclusive events.

Membership in The Logic Council

Membership provides access to our popular Slack channel, participation in subscriber surveys and invitations to exclusive events with our journalists and special guests.

Recent Popular Stories

Commentary: Quebec Ink

Quebec’s era of endless, cheap electricity is coming to an end

By Martin Patriquin   |   Jul 6, 2026
A cityscape featuring two tall buildings; the right one has a large orange "Q" logo and a Quebec flag atop. The sky is clear and blue.
News

So far, foreign-owned firms have dominated Buy Canadian contracts

By Laura Osman   |   Jul 14, 2026
A shot of a sign bearing the Pfizer logo, with a lowrise office building in the background.
Exclusive

PCO clerk Sabia stayed on Mastercard Foundation board for a year with no conflict screen

By Joanna Smith   |   Jul 13, 2026
News

Canada’s submarine decision just paid off for Nova Scotia’s spaceport

By David Reevely   |   Jul 8, 2026
A shot of a small rocket sitting on a launch pad attached to its launch equipment. The backdrop is open sea and a light blue sky.
News

Meta to spend $13B on sprawling Alberta data-centre complex

By Meghan Potkins   |   Jul 8, 2026
An aerial-style rendering of a massive data centre on a prairie landscape of farm fields and trees.
News

Alberta wants to be a model for government AI and power Canada-wide adoption

By Murad Hemmadi   |   Jul 10, 2026
A shot of Nate Glubish at a lectern, against a backdrop of exposed brick partly covered by a white film screen.

Canada's most influential executives and policymakers are reading The Logic

  • CPP Investments
  • Sun Life Financial
  • C100
  • Amazon
  • Telus
  • Mastercard
  • bdc
  • Shopify
  • Rogers
  • RBC
  • General Motors
  • MaRS
  • Government of Canada
  • Uber
  • Loblaw Companies Limited
logic-logo

Canada's Business and Tech Newsroom

100% human-crafted journalism

Newsroom

  • News Tips
  • AI Policy
  • Editorial Disclosures
  • Story Pitches

Company

  • About Us
  • Terms of Service
  • Privacy Statement
  • Corporate Information

Contact

  • Contact Us
  • Advertise
  • FAQs
  • Work at The Logic

© 2026 The Logic Inc. All Rights Reserved.

Trusted by leaders

Error

Account creation failed.

Please email us at [email protected].

Create Account

[wppb-register form_name=”cozmo-registration-form-for-modal”]

I do have an account
Login
or

[wppb-login]

I don’t have an account