Thank you for the question.
The threat vector vulnerabilities that we monitor change every day. Every day there are new vulnerabilities that are brought to bear, whether through industry or other governments, and those vulnerabilities are assessed.
A vulnerability is not a threat until it becomes exploited, so we are constantly reacting to what I would call “vulnerabilities”. With that, the same would exist for industry, for Canadians, and for NATO when those vulnerabilities come to our awareness. We work usually as a government, as a collection of government agencies, to bring the right get-well-plan and to shore up those vulnerabilities through patching and the evolution of technology to avoid the moment in time when a vulnerability becomes an exploit.
The way it works is that the good guys are out there trying to learn about vulnerabilities and protect themselves from the exploits. The bad guys are out there trying to figure out how to use a vulnerability to exploit, so it's a race. Our ability to stay in front of that comes back to our security posture and our compliancy with our own standards, whether within government or within National Defence. I would offer that NATO's agency responsible for their cyber would have the same perspective, as they're constantly reacting to the potential vulnerabilities that have come to our attention that we need to react to.
I hope it explains the environment a little bit to know that it's not a single event that happens. It's typically a series of vulnerabilities that have been exploited that you hear about in the news. Our ability to stay in front of those vulnerabilities and stay protected comes back to our ability to interoperate with our allies, to work closely with industry, even academia, as well as with our colleagues in the government. We're constantly reacting to new vulnerabilities.