Unprepared: Canada lacks plan to protect critical infrastructure

Cyber Security Strategy.” A short-lived task force secretariate appears to have been disbanded, but a senior official from the top-secret Communications Security Establishment is to begin work Monday at Public Safety on cyber security and, apparently, to revitalize the idea of a task force.

The consequences of disruption to the Canadian critical cyber infrastructure, on which most other critical infrastructure depends, were spelled out in 2005 speech by Margaret Bloodworth, now Prime Minister Stephen Harper’s national security adviser. “Consider the implications for public safety of an extended disruption — and I’m talking about something as little as a few hours — in the systems that control electricity distribution, water treatment and purification, or the communication networks that dispatch police and fire networks,” she told a Communications Security Establishment cyber-protection forum. “And consider too that a situation, whether physical or cyber, that puts our critical information infrastructure in jeopardy occurs at the very time when we are most reliant on this infrastructure to co-ordinate a response, assure public confidence and bring about an efficient recovery. It is not just the damage it does initially; our ability to be able to respond and recover from any disaster is very reliant on the information infrastructure.”

Creating a national CIP strategy is complex. It could involve more than a dozen federal departments, federal agencies, the RCMP, CSIS, ITAC, ten provinces, three territories, provincial agencies, and countless owner-operators of critical infrastructure, all suffused with various regulations, constitutional considerations, customs and politics. This, writes McLeod, is precisely the point. Consider: The morning of 9/11, with United Airlines flight 93 feared headed for Washington — the World Trade towers and Pentagon were already in flames — President George Bush authorized an F-16 combat air patrol over Washington to shoot down commercial passenger airliners that failed to divert. The “weapons-free” order from the commander-in-chief was relayed by Vice-President Dick Cheney, not once, not twice, but three times. Confusion, however, prevented the command from reaching the Air Force pilots (United 93 crashed in near Shanksville, Pennsylvania). Another example: Senior public and private officials involved with national security and public safety were asked by the Conference Board of Canada last year to identify the greatest threat to the country’s national security and public safety. People such as Chief of Defence Gen. Rick Hillier and Health Canada’s Dr. Arlene King dismissed natural disasters, terrorism, cyber attacks, and pandemics. The greatest threat, they said, is a “lack of clarity around governance.” The report concluded: “They are concerned about effectively establishing direction and control when the response to a disaster involves a wide range of organizations.”

This does not surprise Dave Redman, the recently retired director of Emergency Management Alberta and a chief author of the province’s counter-terrorism crisis management plan. In dealings with federal officials, he witnessed a “process to try and ensure that bureaucrats took a lot of action to show that they took a lot of action, but with absolutely no effective result.” Senior administrative levels were mired in “procrastination (and) fear of responsibility,” he says. Some “tremendous work” has been done by mid-level management at Public Safety (and its previous incarnations), Transport Canada, Industry Canada, and Public Health Canada, “they had no overhead cover, but they had no senior leadership at the director-general and assistant deputy minister level. They are doing the best they can, but without any national program, they’re working in a vacuum … there is no single operational process. They were never given a) guidance and b) the resources to get on with it. There are guys who are just tired of being told to shut up and go back to their room. Nobody’s in charge. My intent is not to be negative. My intent is to protect Canada and I think we need to do more.”

Almost seven years after 9/11, he says the Canadian federal government does not even possess a comprehensive list of essential national critical infrastructure. “One of the biggest fears that (Public Safety Canada and its predecessors) have always had is they do not want to be the owner of a list because if it ever gets leaked, there’ll be hell to pay”… but “if you don’t know what is the most essential components of your infrastructure, how the hell do you tell them when something’s coming at them?”

Tomorrow: How Canada plans to respond to threats to critical infrastructure