Yes, absolutely. Thank you for the question, Mr. Chair.
The good news and bad news is that because cyber-policy is still so nascent, and your allies are still grasping at something that will actually work, Canada has a de facto opportunity to be a leader in this field by finding a solution that works. I think that's absolutely achievable.
I'll start by reorienting the question just a little bit. Within the NATO alliance there's a general attitude that governments will learn secret things and they will take some action to defend mostly their own networks, and then maybe companies and individuals as well. Maybe occasionally they will declassify that and share that with companies. That process is typically very slow and very long term. In the private sector, if we don't turn around actionable threat intelligence in 48 hours, we really have let our clients down. I think governments typically operate on timelines of several months. In some cases this is for good reason. I'm not going to pretend like there aren't good reasons for doing that. There often are.
I would encourage you to think that everything I just said about cyber-intelligence sharing was once true of counterterrorism, for example, until...threats to aviation and with 9/11. There was a much greater emphasis on pushing that information out to local governments, to individual actors and to companies in the U.S., and much greater information sharing and declassification.
I think we need the same thing in cyber-threat intelligence, where the allies are willing to tolerate more risk and push that defensive information out to the private sector more rapidly. It's unrealistic to think that a small business, for example—large enterprises, maybe—would be able to keep up with changes in major threats in a competent way. Between the large private sector cybersecurity companies and better information sharing from the government to those key partners, I think that would go a long way. You would have to tolerate some risk, of course.
The current situation where governments tend to view themselves as the central repository for information and will collect everything and then tell you what to do about it is just not how things work in cyberspace. Governments are still the largest actors, but they're not the only ones.