[ISN] Cyber Storm blew through holes in Canadian security

From: InfoSec News (alerts@private)
Date: Mon Apr 09 2007 - 01:08:10 PDT


http://www.theglobeandmail.com/servlet/story/RTGAM.20070408.wcyberstorm0408/BNStory/Technology/home

By JENNIFER DITCHBURN
Canadian Press
April 8, 2007

OTTAWA -- An anti-hacker exercise that simulated the leak of social 
insurance numbers, an aviation control meltdown and tampering with 
government websites wound up exposing serious weaknesses in how Canada 
responds to emergencies.

The simulation, called Cyber Storm, took place over five days last 
February and involved four other countries, including the United States. 
The drill was designed to see how countries would react, individually 
and together, to attacks on their critical computer infrastructure by 
hackers, disgruntled employees, or even anti-globalization activists.

One of the main findings by senior officials, spelled out in newly 
released documents, was that the Canadian government's National 
Emergency Response System (NERS) is still just a concept three years 
after it was first initiated.

Conceptual model is widely accepted; the actual system is still nascent, 
an official with the Public Safety and Emergency Preparedness Department 
told colleagues in a lessons learned presentation dated April 2006.

"Conceptual models must be translated into reality."

The NERS was conceived in 2003, when the Public Safety department was 
first formed under the Liberals in the aftermath of the 9/11 attacks. 
The idea was to come up with a co-ordinated government approach to 
dealing with emergencies of national importance.

Two years ago, the federal Auditor-General made note of the slow pace 
getting the system off the ground, saying the government had not 
committed to a completion date for the NERS.

We found that departmental plans are vague on how they would link 
together to form a co-ordinated federal response, Sheila Fraser wrote.

The post mortem on Cyber Storm suggested not much had changed.

Another Public Safety report obtained by The Canadian Press through 
Access to Information, entitled First Impressions, indicated the whole 
exercise fell short of proving the system could work.

Cyber Storm did not fully realize the goal of demonstration of the 
protocols, authorities, notification procedures and co-ordination 
mechanisms . . . reads the report dated May 2006.

The documents also point to specific shortcomings in how the government 
deals with emergencies. Among them:

* National and international secure communications channels are 
  insufficient.

* Co-ordination with international counterparts has still not been 
  formalized.

* Some officials have trouble getting access to secure documents in 
  times of crisis.

We need to work hard to ensure adequate and appropriate distribution of 
information before and during an exercise or real emergency, one 
official reported.

An internal briefing note said one of Cyber Storm's main objectives was 
to improve the visibility and presence of the Public Safety and 
Emergency Preparedness Department with Washington's Department of 
Homeland Security. None of the objectives referred to strengthening 
Canada's own emergency system.

A spokeswoman for Public Safety Minister Stockwell Day wouldn't comment 
on the status of the National Emergency Response System, but said Cyber 
Storm was an important tool for the department.

The exercise highlighted areas where we face challenges and require 
improvement, said Melisa Leclerc. That is exactly why we conduct 
exercises to learn and improve.

Threats to computer software and hardware continue to be a major concern 
to governments as attackers become more sophisticated and more specific 
in their approach.

Symantec Security Response briefed Canadian officials last month on its 
Internet Security Threat Report, noting that governments are the biggest 
targets of data breaches resulting in identity theft. The number of 
threats to enterprises and consumers has risen nearly 300 per cent since 
2005, the company reported.

Al Huger, vice-president of Symantec's security response and security 
services, said it's a certainty that federal government systems will 
eventually become a target of a large-scale infiltration simply because 
it's possible.

He said it's a good sign the government went through the Cyber Storm 
exercise, but Canada is slightly behind the curve when compared to the 
level of preparedness of the United States.

They haven't been victimized to the same degree, Mr. Huger said of the 
federal government.

Generally you see governments kick into high gear once bad things 
happen, unfortunately.


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Mon Apr 09 2007 - 01:17:50 PDT