I think, as we said, we've been quite slow at it. Certainly, the agencies and even to some extent National Defence.... Our siloed approach means we look after ourselves. The agencies look after the government. The CAF looks after the CAF, and industry looks after itself. What we're learning is that the approach we use is not working.
If we want to secure supply chains from the lowest common denominator—which is where a lot of the incursions occur, because the most vulnerable is the small business or the small business provider who may or may not have the equipment or skills to be able to do the cyber-hygiene at the level necessary—then we have to create those institutions or agencies or that outreach to get them to be more cyber-aware and to have the appropriate protections. We have to make those protections available to them. We have to help protect those companies and incentivize them. Incentivizing can involve that stick and carrot, meaning that if they want to do business with the Canadian government, if they want to do business in the supply chains, they need to get their CMMC certification, for example.
We have to impose regulations on companies in order to up our game, with a quid pro quo of “Once you're inside the tent, you're inside the tent.”