Cyber Security Information Sharing: A Case Study of Olympic Proportions
Lynne Genik, Scientist, DRDC CSS
Luc Beaudoin, Chief of Cyber Operations, CCIRC
Presentation for CRHNet Symposium, October 24, 2012

DRDC CSS Major Events Coordinated Security Solutions (MECSS) Project
[Organization chart. Labels: V2010; MECSS Partners (Federal, Regional); Privy Council Office; Public Safety Canada; RCMP Major Events; RCMP Integrated Security Unit; British Columbia Integrated Public Safety; Joint Task Force Games (CF); G8/G20 ISU; S&T Clusters; S&T Resources; National Science and Technology Community (Federal Labs, Centres of Excellence, Academia, Industry, International S&T). SA markers appear beside partner boxes.]
SA: Scientific Advisor; S&T: Science and Technology

Vancouver 2010 (V2010) Winter Olympics
- Focused the world spotlight on Canada
  - 10,000 accredited, 4000 unaccredited media
- Coordination and cooperation of many organizations
  - All levels of government and private sector
  - V2010 Exercise Gold: 140 agencies, 45 coordination centres, 2000 participants
- Budgets in the billions
  - Security: V2010 $1B, G8/G20 $1B
  - Broadcasting rights: NBC US$2.2B for 2010/2012 Olympics
  - Infrastructure costs: V2010 Canada Line $2B, Sea-to-Sky Highway expansion $1B

Why is Cyber Security Important?
- Relied on by all sectors for operations
- Significant cyber security incident would reflect badly on Canada
- Major events information space:
  - Cyber Security
  - Schedule of Events
  - Results + Key Messages
  - Media broadcasting

Major Events Cyber Threats
- Direct and indirect (e.g. power outages) denial of service on critical IT services
- Hacktivism (criminal, copyright infringement, intellectual property, brand, etc.)
- Malware distribution scheme leveraging the event
  - Phishing emails to organizers and participants
  - Broad distribution (e.g. social media, video, search engine optimization (SEO) poisoning, etc.)
- Cyber incident affecting a guest/diplomat/VIP involving Canadian IT assets

V2010 Cyber Security Preparations
- V2010 Cyber Security Working Group
- V2010 Integrated Exercises Series
- Integrated Threat Assessment Centre (ITAC)
- Joint Intelligence Group
- ISU Critical Infrastructure Unit (physical security)
- Individual organizations

V2010 Cyber Issues
Issues identified in lead up to Games:
- Gaps in cyber threat situational awareness
- Planning occurring in silos
- Lack of coordinated response capability across agencies

V2010 MECSS Cyber Security Project
Getting started
- Generally, those familiar with cyber operations saw value
- Resistance from some key offices/people
- Support of several influential people was critical
- Not a lot of time
Goals
- Identify/close gaps ("low hanging fruit")
- Establish cyber response capability across key stakeholders

V2010 MECSS Cyber Security Project
Approach
- Gathered small team of experts from different departments
- Identified key cyber stakeholders
- Performed cyber security review
  - Short list of questions
  - Face-to-face meetings
Outputs
- Summary and recommendations provided to:
  - Integrated Security Unit
  - Canadian Cyber Incident Response Centre
- Chart of key cyber stakeholders distributed amongst stakeholders

Observations
- Organisations' priorities varied by mandate and structure
- Lack of actionable cyber intelligence information
- No one organisation aware of all IT assets
- Density of assets very high
- Shared critical assets, sometimes without awareness
- Some assets holistically critical
- No system, authority, or forum for de-conflicting potential issues

Key Cyber Stakeholders
Event Office of Prime Interest
- Main web portal
- Shared services (schedule, media, connectivity, etc.)
Support Organisations
- Cellular and fibre service providers
- Weather systems
- Air traffic systems and other transport services
- Hotel/venue data services
First Responders
- VHF/UHF radios
- Dispatch system
- Emergency phone (911)
Physical Security
- Police and military information networks
- Area monitoring (camera network)
- Access control systems
- Satellite, unmanned aerial vehicles

Lessons Learned during V2010 Review
- Establishing trust and credibility critical
- Access to right subject matter experts (SMEs) key
- Not all levels of government have computer emergency response team capability
- Stakeholder buy-in varied
- Value of cyber information sharing not recognized from onset
- Threat and risk assessments not formally completed by many key organisations
- Cyber security knowledge in tacit form with SMEs
- Audit checklist too formal and overwhelming

Operational Challenges
Distributed Ownership
- No clear national owner of the cyber security puzzle; everyone has a piece
Liability
- Damages can be embarrassing and affect others (data exfiltration, infrastructure leveraged for sending spam and attacks, web defacement, etc.)
Expertise
- Terminology and complexity require direct interactions between cyber professionals for diagnosing incident root cause and mitigation strategy

Canadian Cyber Incident Response Centre
coordinating the national response

CCIRC's Mandate during V2010*
- Assist government departments, critical infrastructure owners and international partners with cyber security issues
- Coordination point for Government of Canada (GC) cyber response
- Receive significant incident reports from federal departments
- Engage Cyber Triage Unit
- Provide cyber inputs into the Government Operations Centre (GOC) for situational awareness and risk assessment
- International point of contact for Canada for cyber security events

* Federal cyber security issues are now coordinated by the Communications Security Establishment (CSEC), while CCIRC focuses outside the federal government, coordinating the national response to cyber events affecting provinces, territories, municipalities, and CI owners/operators.

Lessons Learned Regarding Operations
- Establishing trust and credibility critical
  - Face-to-face
  - Dedicated support staff
- Enable reporting
  - Regular teleconferences
  - Simple incident exchange mechanism
  - Incident report template
- Provide secure communication channels (e.g. PKI, PGP)

Games Cyber Security Events
- Vaucouver2010.com
  - Copy of Vancouver2010.com
  - Hosted in Ukraine
  - Video codec
- Search engine optimization (SEO) poisoning of Google index
  - Olympic hats and mittens 2014 Winter Olympics David Atkins artist Luge Accident video Olympics Apollo Ono Speed Skater Closing Ceremony Olympics 2010 Closing Ceremony Olympics Tickets Olympian Tweeting Nodar Kumaritashvili Death US short track speed skating K.D. Lang Olympics Olympic Parade of Nations

Vancouver2010.com

Vaucouver2010.com

CCIRC Awareness Bulletin
http://www.publicsafety.gc.ca/prg/em/ccirc/2010/in10-001-eng.aspx

Final Thoughts
- Cyber security does not fit well in existing emergency management frameworks
  - Distributed ownership
  - No geographical boundaries
  - Time scale
- DRDC was well-positioned to undertake this work
  - Expertise
  - Trust (e.g. security clearances)
  - Impartial
- Identifying key stakeholders, building trust amongst them, and providing an information sharing forum was an efficient and effective way to mitigate cyber risks

Paper
"Review and Coordination of Cyber Security for Vancouver 2010", Luc Beaudoin and Lynne Genik
Available from http://www.aiai.ed.ac.uk/project/coalition/ksco/ksco-2010/papers/10-04-Genik-Beaudoin-Cyber.pdf

Questions?