Ottawa creates virtual news agency
CVNN reported on cyber attacks from fictional country of Westinia
The federal government established a short-lived news agency last fall, generating dozens of fake-news items before the exercise wound down.
CVNN, or the Canadian Virtual News Network, “mimicked legitimate news coverage,” with ersatz journalists making telephone calls or email inquiries to produce a series of bogus reports.
The network disseminated some 24 national and 16 regional reports, and produced eight news broadcasts during its brief existence.
CVNN was an integral part of Public Safety Canada’s simulation of a cyber attack by foreign players on Canada’s critical infrastructure, with some 150 private- and public-sector organizations taking part.
The October 24-26 exercise was premised on sanctions Canada had imposed against the fictional country of Westinia, with patriotic Westinians exacting revenge through cyber attacks. The attacks involved ransomware, malicious viruses, data theft and compromised operational systems.
The scenario is suggestive of Russia as the adversary, though project planning began months before the 2022 invasion of Ukraine and Canada’s subsequent sanctions imposed on Moscow.
Dubbed Cy-Phy Capstone, the simulation involved more than 650 people, including observers from Australia’s Cyber Security Centre. The scale and scope was described as “immense,” with some participants reporting “exercise fatigue” over its three intense days.
The elaborate scenario was conducted using a software platform created by Ottawa’s Calian Group Ltd. Calian also operated a phony social-media site called “Chatter,” a facsimile of X (formerly Twitter), which was filled with almost 3,000 fake public posts about the imaginary crisis. The platform also hosted a fictional “dark web” portal, where participants could dig for more information about the bad guys.
I obtained a heavily censored “after-action” report about the so-called Cy-Phy (Cyber-Physical) exercise under the Access to Information Act. Large sections were blacked out, with the department citing exemptions for security, defence and advice, including three annexes removed entirely. The identities of the participants were also censored. (A sanitized version of the report was recently posted on the web by Public Safety.)
Media-relations training for ministers or corporate executives has often involved people - typically former journalists - posing as pesky reporters. But the Canadian Virtual News Network was far more elaborate, with the government attempting to mimic how a real newsroom would cover a major cyber-attack over three days.
Capstone was primarily an effort to expose weak spots in Canada’s preparedness for a genuine attack that could corrupt data systems and potentially damage physical infrastructure, such as power stations. The intention was to test the ability of private and public players to work closely together.
By that measure, Canada failed the test. Many of the key players retreated into silos, and concentrated on their cyber security rather than also managing the attendant threats to their physical infrastructure.
“Despite the establishment of working groups aimed at fostering collaboration, there was minimal interaction between players during the Capstone,” the report concludes. “Many participants predominantly focused on exploring their organizations’ cyber security posture, overlooking the importance of addressing physical impacts and understanding interdependencies within the critical infrastructure community.”
There’s no assessment in the released report about the effectiveness of the government’s Canadian Virtual News Network, perhaps Canada’s most short-lived digital startup.
We have always been at war with Westinia.