Government could be handcuffed during cyber attack affecting private sector
Editor’s Note: The redacted documents discussing the Cyber Incident Management Framework (CIMF) and Saskatchewan Tabletop Exercise are attached here.
From: Canada.com
Jordan Press
OTTAWA — A targeted cyber attack on a private company or organization controlling a piece of Canada’s critical infrastructure could leave the federal government on the sidelines, able to offer help but with no guarantee that it would be accepted.
Nor would there be any way for the federal government to force companies to accept its involvement should a targeted hack take down critical infrastructure such as electrical plants, water systems or rail, an issue identified during two cyber exercises last year.
“Not clear what the federal government could actually do. The federal government does not ‘solve’ the problem for the affected entity, only coordination and providing advice. Ultimately, it’s up to the entity to fix the problem,” reads a summary of issues and questions arising from the summer exercise.
“The effected (sic) entity must ask for assistance. Even then, they are not required to accept federal government help and the federal government cannot impose or force the entity to do anything.”
A presentation summarizing the results for the winter exercise, dubbed “Operation Frozen Pond,” noted that everyone involved, which included government and private-sector officials, determined that the Canadian Cyber Incident Response Centre (CCIRC) should be the lead in dealing with any hacked company, but that there remained larger questions about the role the federal government could play. Among those questions was whether the federal government should provide “mitigation or defensive assistance” to private companies.
“Unlike in (emergency management), government is not a force of last resort in cyber (mitigation or defensive role),” reads a bullet point from the presentation.
Postmedia News obtained copies of the documents under access-to-information law.
The exercises were designed to gain support for a planning framework to manage cyber incidents outside the federal government, while also pointing out flaws before its release. Those guidelines are supposed to be completed this year, according to the plans and priorities report from Public Safety Canada, and internal emails summarizing the Nov. 29, 2012, exercise note that the Cyber Incident Management Framework is in version 0.9, with 1.0 being the final working draft.
The department wouldn’t say Tuesday when the final draft will be completed.
“The framework will put forward, on a voluntary basis, the roles and responsibilities of all levels of government, critical infrastructure owners and operators, and other public and private sector partners in responding to a significant cyber attack,” spokesman Jean Paul Duval wrote in an email.
“The framework will clarify the respective roles of CCIRC and its non-federal partners. Cyber incident management in Canada is a collaborative and voluntary activity. CCIRC cannot compel any organization to take action on its network, and organizations can choose not to report incidents or seek assistance.”
Protecting critical infrastructure has become a focus for governments as concerns about cyber attacks continue to mount. Last year, the federal auditor general warned that there were gaps in how the federal government went about protecting critical infrastructure, about 80 per cent of which is in the control of the private sector.
There are divergent opinions about whether a targeted attack against the electric grid could turn out the lights in every home in the country, but countries such as the United States worry that even a small, successful attack would cause fear of future strikes.
Last summer, then again in late November, the federal government gathered a group of representatives from all levels of government in Canada, along with the owners of critical infrastructure, to see how each responded to two cyber incidents: one “pure cyber” incident in which a provincial government network was hacked, and a second “real world consequences” incident where a hack took down power generators and water distribution facilities.
What the exercises showed was that there were inconsistencies with how departments briefed their management and there were issues with how quickly information could be shared between federal agencies, according to presentation slides summarizing observations from the exercises. The exercise also showed how leery companies and organizations are about sharing information with the federal government, but many companies acknowledged it was time they shared information rather than just taking alerts and information from the Canadian Cyber Incident Response Centre.
“As the scenario unfolded, a general awareness grew amongst the scenario players and observers that more proactive sharing of incident information is required,” senior Public Safety analyst Roger Hatch wrote in an email that was sent to the director general’s office on Dec. 10.
“In side conversations, several (critical infrastructure) operators . . . acknowledged that it was time they began contributing to the community knowledge base and become a provider of information as well as a consumer.”
Those concerns about sensitive information and identities of entities becoming public, either through leaks or access-to-information laws, have been longstanding for private organizations dealing with the federal government. The government can withhold certain pieces of information from being publicly released through the access-to-information law if there are national security concerns or the information originally came from a third party.
Provincially, the situation appears to be different. The federal government has partnered with several provinces, including Alberta, Manitoba, Saskatchewan and Ontario, which have shown a willingness to share data with CCIRC, according to a summary of a pilot project last year.