Public Safety committee  That is correct. As we've said repeatedly, we have a tendency to re-victimize the victims of cybercrime. We publish, and we punish them. We're looking for them to take ownership and respond. Our goal is to help them recover, to help them defend, and then to share the information widely.

Public Safety committee  No. However, one of the trends I have certainly seen with larger companies and boards of directors is that cyber-risk is becoming the number one topic. I think we're starting to see that trend now. It is becoming a huge reputational risk, but also a huge business continuity risk to organizations, so they're taking it seriously.

Public Safety committee  In our discussions, and the discussions I've had with numerous companies' C-suites or boards of directors, it's very much about the reputational damage. It's hard for them to calculate the cost of that. We certainly saw reputational damage in some of the larger U.S. breaches. I think the key thing for us is that—you're right—the equipment we're buying does not come secure by default.

Public Safety committee  When you look at this, you're absolutely right. The human factor is part of cybersecurity. We tend not to put security on top of our products sometimes if it makes it harder for a user. It's all about usability. I think part of it is also education, but you can't rely on that. For example, some of the cybercrime tools and some of the cybercrime spear-phishing types of things that we've seen are incredibly sophisticated.

Public Safety committee  I think there are a few. Typically, we would call that the “insider threat” side of things, where somebody who's going.... There are a few ways to do this. Number one is actually the credentials that we talked about earlier—making sure that people can do only the things that are absolutely necessary as part of their jobs, from the IT perspective.

Public Safety committee  I think the key thing we were referring to there in terms of nation-states is that they have specific objectives. Absent a major international conflict, etc., we said the threat of disruption was very low, in terms of the threat to Canadian infrastructure, but there is some nation-state interest in private information and in some of the other information that's out there.

Public Safety committee  I think the goal is to leverage the Team Canada approach and bring in the proper authorities. Obviously, it's Parliament's role to debate those authorities and assign them to organizations, so I won't comment on that. For us, the key thing here is that we want to bring in the right authority.

Public Safety committee  If it's coming from within Canada, that doesn't change. The provision still says that CSE cannot direct its activities against Canadians.

Public Safety committee  We're using whatever tool is the appropriate one at the time. If Bill C-59 is passed by the Senate, gains royal assent and comes into force, then we would re-evaluate how we approach these problems, given those new—

Public Safety committee  I'm not sure I quite understand the question. I think the key thing is that, when you're travelling, it depends on whether you can get to the services: for example, connect to your bank. Or is it that—

Public Safety committee  I think that really goes to it. It is a little bit outside of our mandate, but, fundamentally, we've chosen to have a very open Internet in Canada, where we block very little. Other than specific content providers stopping you from watching, for example, NBC, because Canadian stations have rights, we tend to have a very open Internet.

Public Safety committee  From our perspective, one of the things we highlight in the national cyber-threat assessment is that we have to be vigilant against every nation-state, and certainly cyber-techniques are within the realm of every nation-state. Some are more aggressive. Certainly in the past, CSE has been asked to attribute malicious cyber-activity to certain countries, and that's one of those things that we'll continue to do as per government's broader policy.

Public Safety committee  I think we should be vigilant against anybody who doesn't hold our values.

Public Safety committee  I think there are a few things. Maybe I'll turn to Eric to talk about some of the specifics. First of all, in terms of our collaboration with the RCMP, we want to ensure that we are never in the way of the police doing their function of investigations and pursuing cybercriminals.

Public Safety committee  I think the key thing is looking at the supply chain risks. That's one of the things we highlighted in the national cyber-threat assessment. Businesses need to be particularly conscious of the supply chain they're engaging in and the companies they're engaging with, and they need to put proper security provisions into their contracts, so that they can hold them accountable and make sure they get proper breach notification, etc.