Operation: Defend The North 2025 (Ottawa)

Join us for breakfast and start your day off right!

Kick off "Defend the North" with an exciting overview of our mission and prepare for a dynamic cyber defence simulation.

The crisis begins with Operation Safe Haven Compromised, as a devastating cyberattack causes state failure in Central America, triggering mass refugee migration north. Canada commits to accepting asylum seekers, but simultaneously, a ransomware attack cripples IRCC systems, disrupting refugee processing, biometric verification, & coordination with border, health, & social services. Adding to the chaos, an AI-powered misinformation campaign spreads false claims that refugees are part of a foreign influence plot, igniting public fears & divisions. The initial hours are a flurry of frantic reports & rudimentary checks. The challenge now is to move beyond simple detection of the widespread system failures & the rapid spread of misinformation, & begin the critical analysis: What is the root cause of the IRCC system compromise? How is the AI-generated misinformation being disseminated? Is this a coordinated attack aimed at destabilizing national unity & government functions?

Recharge with a tasty snack break!

As the scope of the disruption becomes apparent, the initial focus shifts to containment. For Operation Safe Haven Compromised, the priority is to prevent further spread of the ransomware within IRCC systems & isolate affected components to limit damage. Efforts focus on restoring refugee intake operations within 24-48 hours using alternative/manual protocols & authenticating identities despite system compromises using layered identity verification. Simultaneously, the discovery phase intensifies. Technical teams begin a deeper dive into IRCC system logs, network traffic, & any available diagnostic data to identify the ransomware's entry point & scope. In the broader context of Operation Iron Howl, with protests erupting & hybrid attacks targeting 911 services & hospitals via personal device infiltration (wormable zero-click RCE) & drone interference, containment also involves isolating extremist actors without criminalizing peaceful protesters. Discovery efforts expand to include analyzing drone patterns, identifying compromised personal devices, & tracking the origins of AI deepfakes & false flag operations. Understanding the adversary's methods & objectives, across all layers of these unfolding crises, is paramount.

Refuel and re-energize with a warm lunch!

Once the root cause is identified & the extent of the compromise is understood, the eradication phase begins. This involves removing the threat actors, malicious software, & underlying issues from affected systems & the wider environment. For Operation Safe Haven Compromised, eradication would involve removing the ransomware from IRCC systems, patching vulnerabilities, & re-securing compromised accounts. This also extends to rapidly countering the AI-driven anti-migrant disinformation with trusted voices, effectively "eradicating" the spread of false narratives. In Operation Iron Howl, eradication efforts focus on neutralizing cyber-physical attacks on critical infrastructure (911, hospitals, utilities) by applying hardened defenses & backup protocols. This includes removing any wormable zero-click RCE threats from personal devices & dismantling drone interference capabilities. For Operation Shadow Protocol, occurring concurrently with an international summit, eradication involves detecting & isolating SaaS vendor supply chain compromises early to prevent lateral movement, securing political leadership communications against deepfake social engineering, & protecting the summit venue from physical intrusions by operatives. The challenge is amplified by the interconnectedness of these attacks & the need for cross-sector coordination to ensure complete elimination of threats & persistent access.

Recharge with a tasty snack break!

With containment & eradication underway, the response efforts broaden across all scenarios. For Operation Safe Haven Compromised, communication becomes critical – coordinating municipal-federal services to absorb refugee arrivals without visible collapse (housing, healthcare, schooling), & engaging international partners early to show good-faith humanitarian leadership. For Operation Iron Howl, response involves maintaining clear, transparent, frequent communication to the public, owning the narrative early, & engaging academia, civil society, & credible influencers to amplify authentic narratives & de-escalate tensions. In Operation Shadow Protocol, response efforts include integrating cyber & physical incident response teams into a seamless, real-time operational model, & engaging allies & global media with transparent, accurate updates showing resilience & control. Post-incident activity begins even as recovery is ongoing. This involves documenting each incident in detail, preserving evidence for potential legal or investigative purposes, & starting to formulate lessons learned from the complex interplay of these crises. Initial assessments of the incident response process itself are conducted to identify areas for improvement, particularly regarding cross-sector coordination, ethical narrative management, & resilience through agility.

Take a moment to stretch and breathe deep!

As systems are restored & the immediate crisis subsides across Operation Safe Haven Compromised, Operation Iron Howl, & Operation Shadow Protocol, the final phase involves closing remarks & a comprehensive hotwash. Leadership provides an overview of the entire incident chain, the integrated response efforts, & the cumulative impact on trust erosion, infrastructure fragility, & information warfare. The hotwash is a critical debriefing session involving all key stakeholders who participated in the response to all three intertwined scenarios. The goal is to openly & honestly discuss what went well (e.g., successful restoration of refugee intake, effective debunking of deepfakes, early detection of supply chain compromises), what could have been done better (e.g., preventing system collapse, managing public perception more effectively, anticipating foreign adversary exploitation), & to identify concrete action items for improving future preparedness & response capabilities. This session ensures that the lessons learned are captured, documented, & translated into tangible improvements in national security posture, incident response plans for hybrid threats, & strategies for managing complex, cascading crises involving both cyber & physical domains.