Thank you for the question.
Salt Typhoon is a threat actor affiliated with a foreign jurisdiction that infiltrated and subverted American telecommunications infrastructure for several years. The risks of surveillance and the risks to privacy were quite substantial.
SolarWinds refers to an IT management system that is used throughout critical infrastructure. In 2020, we saw a supply chain attack where 18,000 of their customers had malicious updates installed that went undetected.
In terms of manipulation, we had a circumstance in 2016 where, for six months, Internet traffic between Canada and Korea was rerouted through China.
Volt Typhoon was an instance whereby multiple IT environments for critical infrastructure organizations, mainly in the U.S., were compromised. There is a high likelihood that this is a form of pre-positioning, so that should there be kinetic warfare, that would then be a vector to attack the United States in relation to that.
We also see a high degree of hybridization—that's the term used—in relation to the war in Ukraine. There have been cyber-attacks associated with that in relation to supporters of Ukraine.
The Colonial Pipeline ransomware attack in 2021 shut down this critical infrastructure in the northeast United States.
We also have had a ransomware attack that affected AT&T: the ShinyHunters attack.
That's the tip of the iceberg, but with the set of hostile foreign adversary countries that are routinely attacking critical infrastructure, with the growth of ransomware, which is more profitable due to the use of cryptocurrency, and with the rapid increase in damages due to extreme weather events such as forest fires or hurricanes, or issues around even just human error, which happens with the growing complexity of the system, such as what we saw with the Rogers outage in 2022, this is a set of issues that touch our work and Canadians every day, frankly.
The scope of the issues is what really keeps us up at night. Certainly, one can imagine extreme examples where there is an emergency, and that is very much a real thing as well, but it's dwarfed by all of the ongoing management that goes into telecommunications regulation and oversight. It's quite substantial and it's quite routine, and people don't notice it until there's an issue. Then they notice it and then they really care.
I'm a policy wonk who does the legislative part, and it's my colleagues in the engineering part who really have to operationalize this stuff. I see what they have to do every day, and it's really something. The range of threats—cyber, natural disaster and human error—is substantial and ever-present in terms of an ongoing management context.