Sure. Thank you very much for the questions.
With respect to your first question, yes, I think we have to recognize the fact that one of the costs of openness is the fact that the environment itself will always provide a degree of insecurity. That's absolutely right. The problem, however, is that the nature of the kinds of threats that exist in malware code can be aggregated and seen when you look at them at scale. In other words, that which affects your computer that's difficult to detect is actually much better viewed by someone who's providing you your services and can see multiples of the same thing happening at the same time.
This is where I would come back to the comment that I made in my testimony, that we have not really leveraged where that sort of concentration point actually exists, the point of seeing the risk and threat that affects individuals. In Canada, 95% of what we call cyberspace is actually operated by a single operator, Bell Canada. It's through a variety of different mechanisms, but the reality is that there's a high concentration of it. There are telecom regulations acts, as they exist currently, to compel those operators to work in certain ways—interchange, etc. Security is not one of those things. In other words, we have not used the most valuable mechanism that we have already on the books as a way of being able to address what you might call the “95% problem” of a dirty ecosystem that is currently polluted by opportunistic cybercrime, for which we pay $150 to hopefully be able to defeat on our individual computers.
By way of background, we, SecDev, participated in a study with Bell Canada that tried to look at the scale of what you might call malfeasant behaviour existing online. This study was done a couple of years ago now. We found that at any given time between 5% and 12% of all devices connected to the Internet belonged to a botnet. In other words, they were under the control of some form of malfeasance software, which was not intended by the operator of the system itself. This is a fairly significant problem. The fact that we haven't regulated or incentivized the telecommunications industry to provide that first line of defence, I think, is one of the critical failures that we've had in addressing cybersecurity.
With the question of—if I understand the question correctly—who should be leading on the cybersecurity portfolio, I think if I look across our colleagues in the Five Eyes, one thing has happened there that has not happened in Canada. In Canada, the issue of cybersecurity has not been elevated to a national security priority—in other words, something that works across the interagency or the intergovernment, as they call it in the U.S. In the U.S. there is an executive-level entity that looks after coordination of cybersecurity across the whole of government. Similarly, in the U.K. the mechanisms that bind together their version of public safety, their version of CSE, and industry are far stronger and far better developed than they are here at the moment.
I think, in answer to your question directly, we do need Public Safety Canada to be taking a lead in terms of the coordination of cybersecurity as it applies to aspects of public safety and security, meaning the interface between the public and the private sector. We equivalently do need to have an institution that provides those capabilities on the military side, which I don't think we currently have.