We absolutely do not want the private sector shooting back, because, first of of all, attribution is really hard. I ran cybersecurity for a university. We got hacked all the time and were used as a platform to attack government entities, private sector entities, etc. If someone started shooting back at my university because from their perspective we were the originating source, they would be hitting the end target. It's a fun little shell game.
Attribution is really hard. The private sector absolutely should not be shooting back. That should be a sole responsibility of the federal government, and it should be exercised. I think the challenge from a policy standpoint is, what's policing and what's military? We need better clarity on that, and we do need to flex. It's important that government actually speak forcefully about this.
We saw this with the Biden administration after critical infrastructure attacks in the United States. It was straight from the top: Don't mess with us. Who is the minister that actually is going to respond here in Canada?