OTTAWA — At the front of a crowded room at the University of Ottawa, IBM’s Brenden Glynn is saying you’d better think through what to do if hackers break into your organization, before they do it.
“It’s three in the morning. As the president, as the CEO, as the dean, [do] you want to be woken up, just to be notified, so that you could potentially make a decision at that point?” he asks.
The room is on the fifth floor of the university’s STEM building. Outside, one whole wall of the building has a multi-storey mural of a pair of stylized eyes gazing out on the Rideau Canal; the windows at the back of the simulation room look out through them. The place is set up Mission Control-style, with wide banks of workstations—screens and keyboards and telephones—facing the front of the room, where Glynn stands before a wall of digital screens.
Today, the stations are occupied by corporate types from the Ottawa tech firm Bane & Ox, getting a taste of cybersecurity training. Hundreds of Canadian companies report breaches affecting private data each year, according to data from the cybersecurity group at law firm Blakes. The Communications Security Establishment (CSE), the federal agency responsible for cyberdefences, says those come from a mix of cybercriminals, state actors and mercenary hackers who blur the lines.
Some insidious attacks target internet infrastructure, snaring numerous organizations’ data in an attack on one company that serves many others. Even arrests don’t necessarily stop decentralized threats.
Glynn continues, talking about what happens once word of a breach spreads: “Once it’s publicly known—it’s in the organization [for now]—once it gets out into the general public …”
A phone rings in a low electronic tone at one of the workstations. The crowd ripples with laughter. A wrong number—now of all times. Glynn smiles.
“You’re part of the Bane & Ox crisis-management centre,” he tells the guy sitting by the ringing phone, indicating he should go ahead and answer it.
The man and the people sitting on each side of him figure out which button to press.
“This is Matt Jones with Canadian public broadcasting,” another man’s cheerful voice—with an American southern twang, oddly—comes over the speaker. “I’ve been trying to get a hold of someone over there for quite a few hours here and I’m just trying to get a comment on the breach at Bane & Ox.”
Ah, we’ll get back to you with a statement within the hour, says the guy who’s answered the phone. How can we reach you?
The southerner gives him a number and slides right into his next thought: “Are you aware that there are millions of records out on CopyDrop of Bane & Ox’s information?”
By now, everyone’s onto it: this is an object lesson, the first to be taught at the University of Ottawa’s new cyber range. Bane & Ox is a fiction, a pretend company that the range will see hacked into dust again and again. The message is that a cyber breach will not happen when you’re calm, rested and ready for it.
Glynn is a major in a U.S. army reserve cyberwarfare unit in addition to his full-time work in cybersecurity at IBM; he’s presenting with Jake Paulson, another IBM cybersecurity expert and a veteran of the U.S. air force. They’ve been talking about the military metaphor of the “boom,” the moment when your world changes.
“Left of boom,” before the thing happens, you have some control. You can prepare, game out, reinforce, drill. Left of boom, you might be able to avert or at least limit the thing, if you get wind of it in time.
In cybersecurity, the boom could be a phone call. It could be a social media post from an anonymous account, a network administrator noticing something odd in the logs, an email, or every screen in the company suddenly displaying a ransomware demand. One really good hack can set off hundreds and hundreds of booms.
“Right of boom,” your time is not your own. You don’t have time to think, only react, ideally by applying the things you’ve practised. Who gets called first, second, third? Whose job is it to scope out what happened? Whose job is it to close the breach? Who tells customers, suppliers, partners, the public, and how do they do it?
Pretty good job dealing with that reporter on the phone, Paulson says to the fellow who answered Bane & Ox’s phone. But do you think you’ll be the only person he calls? Will they handle him as smoothly? Also, how do you know that was a reporter?
Like the “boom,” the idea of a cyber range as a place to prepare for cyberattacks is borrowed from the military.
The U.S. Defense Advanced Research Projects Agency (DARPA) let it be known that it was assembling a cyber range in 2008. The U.K. opened one in 2010. Michigan opened one in 2012 in concert with universities and the private sector, which it boasts is the most extensive unclassified one in the United States. Since then, they’ve proliferated. The University of Ottawa’s is at least the third university-hosted one in Canada: Toronto Metropolitan University has one in a joint venture with Rogers, and the University of Calgary opened one just days before Ottawa did.
These facilities vary in function and complexity, from virtual sandboxes where cybersecurity trainees can practise simple hacking and responses, to DARPA’s, whose Phase 1 goals included “realistic testing of Internet/Global Information Grid (GIG) scale research” and simulating the Pentagon’s “complex, large-scale, heterogeneous networks and users.”
As a site for university research and tailored simulations for corporate clients, the University of Ottawa’s is in between. The third such site set up by IBM’s security division, which it calls X-Force, it follows projects in Cambridge, Mass., and Bangalore, India. The company pledged $21 million in equipment and labour; the university put in $7 million.
Some of the labour has been from Dustin Heywood. A Canadian—from Airdrie, Alta., just north of Calgary—his business card is black and gives his name only as “Evil Mog,” his hacker handle, and his title as “Chief Architect of X-Force.”
Heywood designs cybersecurity centres. Cybersecurity is having a moment, and it’s about time, he said in the hall outside the simulation room.
“People are realizing that cybersecurity is integral to making money, to being trustworthy,” he says. “If a company can’t be trusted to keep things secure, they’re not going to get clients, they’re not going to get customers. They’re going to get investigations, they’re going to eventually get dragged out in the court of public opinion, and they’re going to get shut down.”
Heywood said he got his start as a teenager, breaking into school networks. His education included network engineering and computer science, but cybersecurity just wasn’t on the curriculum. “I think this is transformational to Canada’s best interests.”
The simulation room is just part of the operation. Next door is a server room, running the cloud where Bane & Ox—the made-up company where range trainees will pretend to work—lives. On the other side, behind one-way glass, is a room for observers and researchers to watch how participants handle their simulations.
The range is in the university’s STEM building, but Jacques Beauvais, dean of the engineering faculty, said its work is to cross disciplines, into business, arts and social sciences.
“There’s also the psychology of people facing a cyberattack. How do you react? What is the best way and how do you not panic?” Beauvais said.
A couple of kilometres south along the Rideau Canal, Ottawa cybersecurity company Field Effect Software has a cyber range that began as a training environment in 2009.
“If you have a class of 20 people and each person requires 30 simulated computers, how do you spin that up 20 times?” said Field Effect CEO Matt Holland in an interview with The Logic. The solution Field Effect devised has expanded.
“Over the years, we found a ton of interest in governments for this type of technology,” he said. “Over time, we’ve built it out into a platform that allows us to do various types of wargaming simulations as part of cyber-operator training.”
Field Effect has a variety of cellphones—a frequent vector for cyberattacks—stored in a Faraday cage so they stay digitally sterile. It can add the phones to the network, but its cyber range remains mainly virtual. Holland said it allows instructors to watch what cybersecurity trainees do as they respond to threats and make sure they react by the book.
“Perhaps I’m looking for a bad file. Did somebody open Explorer and actually find the file?” Holland says. “It’s like when you’re in school—when you’re learning math, they say, ‘Show your work.’”
Holland was a security researcher at the CSE, before he left in 2007 to found a previous firm.
“Probably the biggest thing that people don’t talk about enough is the distance between what is offensively possible and what the world generally thinks is possible,” Holland said. You can defend against skilled hackers, but you have to understand what they’re capable of.
Does CSE have a cyber range? In an email, spokesperson Robyn Hawco acknowledged it has “a lab environment in which we test code for impacts.”
Although CSE didn’t help design any of the Canadian cyber ranges, Hawco wrote, “we absolutely believe these are valuable facilities.” The agency, which struggles to get and hold talent—a problem across the industry—is eager to recruit from among the students who train in them, she added.