Public Safety committee  For the sake of brevity, I won't read it all because I believe you've all got a copy on your desk. Good afternoon, Mr. Chair, members of the committee and ladies and gentlemen. My name is David Masson, and I'm the country manager for Canada of Darktrace, a cybersecurity company.

Public Safety committee  Those are a lot of questions. On the social media bit, can I ask the professor to step in first? I think his take will be slightly more interesting than mine.

Public Safety committee  I will give you a quick example of GDPR working. When Facebook got hacked last year, they told the Irish data commissioner within 24 hours that they had been hacked, and the provision under the GDPR is 72 hours. They didn't hang about. They admitted it pretty damn quick. So there

Public Safety committee  I go to a lot of conferences and trade shows, and for the last couple of years everybody has been talking about the GDPR. As a new immigrant to Canada, I was a bit upset that nobody seemed to be concerned about the Digital Privacy Act and the upgrade to PIPEDA that we were going

Public Safety committee  I think one of the best steps in the right direction was absolutely setting up the Canadian Centre for Cyber Security as a one-stop shop, because prior to that, there was a bit of confusion about whom to talk to. I mean, if anybody gets hacked, whom do you call? Nobody is really

Public Safety committee  I'll go first, Professor, but I'll be very quick. A lot of effort in Canada goes into what we'll do after it happens. We'll wait until it happens and then we'll deal with it. A lot of effort goes into dealing with it afterwards. I really would like to see Canada put more effort

Public Safety committee  Yes; I will say yes. I mean, you need a carrot and a stick, but you probably do need a bigger stick. The DPA is saying that you have to report breaches as soon as possible. Really? Why not go for the 72 hours like everybody else? Yes, definitely you could beef up the stick part;

Public Safety committee  I used to be a British diplomat. I remember 12 or 14 years ago having it explained to me that a cyber-attack by a nation state or another state was an act of war. However, ever since then, it seems to have become a very, very grey issue. I was at a conference the other week where

Public Safety committee  It's already the case that some attacks that large actors carry out might be targeted against a particular target, but they don't consider collateral damage. There was an attack a few years called NotPetya. It targeted Ukraine, but it spread worldwide and caused havoc absolutely

Public Safety committee  Any offensive that a country like Canada is likely to have will have been thought through very carefully. It's not just a case of being able to judge the impact you're going to have; that's absolutely what they'll be doing before they launch this.

Public Safety committee  You will have to be absolutely accurate on what they're going to do.

Public Safety committee  Minutes.

Public Safety committee  When you talk of a patch, you should patch the minute they tell you.

Public Safety committee  A zero-day is an attack that nobody has seen before. It's completely new and novel.

Public Safety committee  I would highly recommend the efforts of the Province of New Brunswick, which has has been teaching cybersecurity in school for some years now, to the point where major companies are now snapping up kids when they graduate at 18.