Thank you for having me. One of my former students is now an MP. Taleeb was in there... I can't see a thing, but it's a thrill to be here.
When I was asked to be here, I made it clear, because I wanted to declare, that the exact risk assessment for Canada is not something I'm an expert in. I'm an expert in what in our space and what I've worked on globally is called “right of boom”, which is essentially what the capacities are, especially in the cyber-field, assuming that a bad thing is going to happen.
Like Ken was saying, there are a lot of questions about increased vulnerability for a country like Canada, given the Russian conflict. There is a big issue in my space, in the sort of preparation space, around why we haven't seen more activity. The answers to that may be multiple. The best one we know so far is that maybe, much like military capacity, Russian cyber-capacity to destroy as compared to disrupt—disruptions we can handle—was overestimated. It could also be that the invocation of article 5 by NATO might have had a disciplining effect, the idea that any attack on critical infrastructure that impacted individuals would be viewed as an attack similar to a military attack. We don't know and we're not done yet, so what does that mean for preparation for that?
Overall—and I was just in Canada getting a briefing on this about two weeks ago, so it's a funny coincidence—much like the United States, Canada's focus and its private sector critical infrastructure focus have been on what we call “left of boom” capabilities—in other words, stopping some sort of infiltration, some sort of boom, so to speak. Those are important and those are essential, but what hasn't been done enough, especially in coordination with the United States and the northern states, is what would happen if there was a disruption.
We measure success on whether you can stop more harm from occurring. In other words, how quickly can you respond? How quickly can you get systems back up? My standard is this: Can you make something less bad? In the cyber critical infrastructure space, as Ken was describing, there's a tremendous amount of focus on stopping the hack, the ransomware or the nation-state, and less on what you would do if that were to happen. Do you have more than an on-off switch, which is generally what these have?
There have been lots of lessons learned so far because of this. We've learned this from Colonial Pipeline in the United States, which didn't have much capacity.
A lot of it has to do with response time. Do you know when your system has been infiltrated? How quickly can you protect yourself from what we call cascading losses? In other words, even if there is a disruption or a destruction, which is something even greater, can you stop the cascading losses and can you require the private sector to do that?
What does cascading losses mean? It's just essentially that there is the initial thing, and then there are all the things that happen after the fact that could have been stopped if you had been able to manage the harm.
The second is what sort of regional planning has occurred. We certainly know in this space that no company acts alone, no locality acts alone, but in terms of regional planning and communication, we know that there is a need for a greater understanding of what the consequences of the vulnerability are. It's not just what the risk is, not just what the vulnerability is, but what the consequences of the vulnerability are.
Then the third area where there is a lack is, I would say—and this is going to sound familiar, I think, across every country—more communication about whatever risk you are seeing in the government to the private sector so we could begin to prepare.