There are two areas that I would focus on, given my understanding, which is not as deep as yours.
The first is the cross-border emergency management capacity. If there is a cyber-attack in Detroit, say, in the auto industry, in the OEMs, what capacity, what communications and what structures are in place that are going to essentially treat it as a borderless response? Because it has to be. It's going to impact both countries. It's going to impact, as we've seen with some of the protests recently, border crossings and our capacity to move across the border. Primarily, that would be one.
There's the other thing in terms of what the mandate should be for the emergency manager, because I agree with you. I think the distinction between public safety and emergency management can be hard at times. I said one requirement, but there are two requirements. What is the minister requiring in terms of what we call, in my space, “all hazards” response? In other words, you can't focus just on what the cyber-response is going to be. It's going to have all sorts of impacts. The same is true of climate and the same is true of a terror attack. The consequences are going to be generally the same.
I sometimes think—and I know you certainly do—that in the way the government is structured, and in the way the ministries are structured, we put information security off to the side in protecting our networks. I would just get much more forceful in terms of what reviews are being conducted, what capacity there is, what the consequences would be physically of a cyber-attack on major industry and then what we are doing to close that gap between information security and physical security.
I will tell you that I now advise a lot of companies to not have chief information security officers, chief security officers, and to just have chief preparedness officers, because it's too hard to figure out what the risk might be.