We are lagging in getting instant reporting in place now. We have Canadian organizations that are going to be telling the United States what has potentially happened to them, and we're completely in the dark. The push to start with federally regulated industries, such as transportation, banking, energy, telecommunications, that's good, but the pain is often outside of those federally regulated industries.
What Europe has done is set certain size thresholds. What size of businesses has a meaningful impact on the economy? Then it set thresholds for participation and reporting on that. That's important, because a small and mid-sized business.... In the case of Sunwing, it was the IT provider for the ticketing system that got hit in the U.S. It wasn't Sunwing that got hit; it was the IT provider.
How do we get the lessons learned and how do we share them, so that we can find and fix vulnerabilities and learn lessons? We have to move beyond blame culture in cyber. This organization was a victim. Why was it a victim? How can we learn from that? For example, for our hospitals, how can 100 other hospitals not get hit after we have one hit so that we get better?