Thank you for your question. There are quite a few elements to that question.
Number one, historically—or when I began my career in government—when we looked at these threats, we certainly looked to nation-states, to the Russian threat and so on. It was handled in government, but it was not as pervasive in the private sector. Today, that threat against Canadians is not only a national security concern for governments themselves, but also a national security concern for critical infrastructure. We know that most critical infrastructure is not owned by government and, in a lot of cases, not necessarily regulated by government.
The weakest link is sitting back and thinking you're okay by not having a program, by not measuring risk, whether you're a small, medium or large enterprise.
I enjoyed Jennifer's comments on small and medium-sized enterprises, but I'd also like to highlight that larger enterprises are potentially a more lucrative target for our attackers. Therefore, an advanced persistent threat, such as Russia's, or other state-sponsored threats, is really tough. We have to be 100% vigilant, not only internally to the organization but across our suppliers when we're thinking of third party threats as we're moving to different platforms and so on. It's very important.
Now, the million-dollar or potentially billion-dollar question is, really, what do we do about this? I'd like to highlight some work the National Security and Intelligence Committee of Parliamentarians put together and was tabled not very long ago. They had a framework and activities to defend systems and networks of government. It was tabled in February. It's an extensive report. It's worth reading. By the way, all of the recommendations were accepted.
It raises a couple of issues, one being—and this is a direct quote from the report—“Who is protected depends upon who you ask”. We need to fix that, quite frankly. We need to fix that from both a responsibility and an accountability perspective, but we also need to fix “who do you ask?” That's really important to us.
Another quote is, “The threat posed by...gaps is clear.” We know we have gaps. This is not an effort to blame people or organizations for gaps, but we know we have them and we must be diligent in closing them. We must be doing so in a programmatic way, where we're hitting the high-threat items.
Cybersecurity, in my opinion, is not about dollars spent, because you can spend immeasurable amounts of money on this; there's no question. Cybersecurity is, once again, about team sport and spending your dollars in the right areas that are going to have the best effect on government systems, on critical infrastructure systems or on shared systems.
Sir, does that help?