Thank you very much for inviting me. It's my pleasure to join you today.
I'm going to probably say some things here that are maybe a little bit different from what you might be expecting from a security expert. Specifically, I'm going to talk about how the cyber-attack vulnerabilities really have not changed since the start of the Russia-Ukraine war. What I'm talking about is that the vulnerabilities haven't changed, not necessarily the threat posture.
Basically, exactly the same threats exist now that were available before. The Russians are unlikely to have gotten any better at their attacks in the last two months or with the onset of the Russia-Ukraine war. Nothing's really changed, so what's going on with Canada's vulnerability?
As an energy producer, Canada is more likely to be targeted by an attack from Russia. Obviously, the pressures from sanctions, etc., are causing them to look for potential opportunities to attack alternative sources that might support the west. Attacks on these sectors have occurred since the start of the war, but it appears the sector—as a vulnerable resource and as part of Canada's critical infrastructure—was well prepared and has actually successfully defended the attacks that we have seen over the last two months.
Attacks are actually quite different from successes. There are actually a staggering number of attacks from all actors, state and stateless, on a daily basis and they've been going on for years. If these were not appropriately defended, this would have been a serious problem long before the war itself. In fact, it has been a serious problem and we've done a lot of things to try to protect ourselves.
However, we don't know what we don't know, so there is something called zero-day attacks that could occur. These are unknown attacks from before. These can be launched at different times on us unsuspectingly because we're just not prepared for them. We don't know that they're out there or what these vulnerabilities are. However, we haven't seen an increase of those over the last two months. Likely if attacks were being launched at this point of unknown origin then we would probably have had some kinds of cracks in the systems, but we haven't really seen that in the way that many people expected.
Canada's making an investment through the CSIN program and I think this is a key step in the right direction. It's a critical investment in Canada's current and future cybersecurity. This was initiated in 2019, long before this occurred, so the reality is that Canada has actually made some pretty good steps in the last little while in order to set itself on a very solid footing.
What we really want to do is build some sort of a cyber-safe ecosystem. Canada's critical infrastructure in general is vulnerable because it's built on legacy systems that are known to be particularly vulnerable. What I mean by legacy systems is that they're systems that were in existence before the Internet of things started to occur. With the advent of the IoT and the need to replace old components with Internet-connected ones, we are actually opening up a potential threat and attack on some of our critical infrastructure. This is part of what's being investigated both in terms of research and at the corporate level within the private sector.
Large corporations are actually likely to be reasonably well protected right now. The reality is that lots of money has been invested by the private sector because they recognize their vulnerability. As a result, they've managed to move things forward quite a bit over the last 20 years. Small and medium-sized enterprises, however, are simply vulnerable to various attacks and additional investment needs to be made to protect them in some sort of way. However, they are unlikely to be a specific target from Russia unless they exist in certain cybersecurity sectors and/or are suppliers to the critical infrastructure.
The key issue is that we have a critical shortage of experts in this area. Post-secondaries are trying to address that. We need to upskill and re-skill existing workers. We have a lack of education and knowledge in the workforce and in the general public, and hiring international expertise might help but it's unlikely to be sufficient simply because they're so much in demand.
With that, I'm done.