Transcript: Is Canada's Critical Infrastructure Vulnerable? | May 26, 2021

Steve sits in a room with white walls, a low slanted ceiling and several framed pictures on the walls including one of George Drew. He's slim, clean-shaven, in his fifties, with short curly brown hair. He's wearing a pale blue shirt and a striped blue tie.

A caption on screen reads "Is Canada's critical infrastructure vulnerable? @spaikin, @theagenda."

Steve says EARLIER THIS MONTH, HACKERS EFFECTIVELY TOOK A PIPELINE IN THE U.S. HOSTAGE, RETURNING CONTROL ONLY AFTER A HEFTY RANSOM WAS PAID. JOINING US NOW ON THE POTENTIAL FOR SUCH AN ATTACK ON CRITICAL INFRASTRUCTURE HERE IN CANADA, AND AS IS OUR CUSTOM, WE'LL INTRODUCE THEM FROM FURTHEST AWAY TO CLOSEST TO OUR STUDIO, STARTING IN THE NATION'S CAPITAL WITH: ROBERT GORDON, HE'S EXECUTIVE DIRECTOR OF THE CANADIAN CYBER THREAT EXCHANGE...

Robert is in his sixties, clean-shaven, with short gray hair. He's wearing glasses, a gray suit and a pale blue shirt.

Steve continues IN KINGSTON, ONTARIO: CHRISTIAN LEUPRECHT, PROFESSOR IN LEADERSHIP AT THE ROYAL MILITARY COLLEGE, DIRECTOR OF QUEEN'S UNIVERSITY'S INSTITUTE OF INTERGOVERNMENTAL RELATIONS, AND CO-AUTHOR OF THE FORTHCOMING BOOK, "INTELLIGENCE AS DEMOCRATIC STATECRAFT."

Christian is in his late forties, with short brown hair and a trimmed goatee. He's wearing a white shirt.

Steve continues AND IN OSHAWA, ONTARIO: STEPHANIE CARVIN, ASSOCIATE PROFESSOR OF INTERNATIONAL RELATIONS AT CARLETON UNIVERSITY'S NORMAN PATERSON SCHOOL OF INTERNATIONAL AFFAIRS, AND SHE IS AUTHOR OF "STAND ON GUARD: REASSESSING THREATS TO CANADA'S NATIONAL SECURITY."

Stephanie is in her forties, with chin-length wavy brown hair. She's wearing a dotted black blouse.
A picture of her book appears briefly on screen. The cover is dark red, with a picture of a dark waterfront city skyline.

Steve continues IT'S GREAT TO HAVE YOU THREE WITH US HERE ON TVO TONIGHT. I JUST WANT TO READ A COUPLE OF BRIEF PARAGRAPHS HERE TO GET SOME BACKGROUND ON THE RECORD TO BRING OUR LISTENERS AND VIEWERS UP TO SPEED ON THIS.

A slate appears on screen, with the title "Pipeline hacked."

Steve reads data from the slate and says
EARLIER THIS MONTH, THE COLONIAL PIPELINE, A NEARLY 8900-KILOMETRE PIPELINE BETWEEN TEXAS AND NEW JERSEY, WHICH TRANSPORTS NEARLY HALF OF THE U.S. EAST COAST'S FUEL SUPPLIES, IT WAS HACKED. TO AVOID LOSING CONTROL OF THE PIPELINE, THE COMPANY SHUT DOWN OPERATIONS. COLONIAL PAID 4.4 MILLION DOLLARS TO THE RANSOMWARE GANG DARK SIDE TO GET THE PIPELINE BACK UP AND RUNNING AND THE BBC IN ITS REPORTING DESCRIBED THIS AS ONE OF THE MOST SIGNIFICANT ATTACKS ON CRITICAL NATIONAL INFRASTRUCTURE IN HISTORY. STEPHANIE, THAT'S THE WAY THE BBC DESCRIBES IT. HOW WOULD YOU DESCRIBE IT?

Stephanie says A VERY SERIOUS INCIDENT THAT I THINK HAS SERVED AS A WAKE-UP CALL TO PRETTY MUCH ANY CRITICAL INFRASTRUCTURE OPERATOR, WHETHER THEY BE THE GOVERNMENTS, THE PRIVATE SECTOR, AND, YOU KNOW, HOPEFULLY MOST INDUSTRIES, WHICH NOW ACTUALLY CONTAIN A LOT OF OUR PRIVATE DATA. SO, YOU KNOW, THIS REALLY SHOWS THAT THESE KINDS OF ATTACKS CAN HAPPEN TO ANYONE PRETTY MUCH ANYWHERE, INCLUDING HERE IN CANADA TODAY. AND I THINK, YOU KNOW, WE'VE SEEN SO MANY DIFFERENT KINDS OF SERIOUS CYBER INCIDENTS IN THE LAST SIX MONTHS. THIS IS REALLY JUST ANOTHER INDICATION. BUT IT'S ALSO FURTHER EVIDENCE THAT THERE IS, YOU KNOW, SOMETHING OF A SECOND PANDEMIC HAPPENING DURING THE CoVID-19 PANDEMIC, AND THAT IS REALLY A CYBER SECURITY CRISIS.

Steve says HUH. I'VE NEVER HEARD THAT METAPHOR USED BEFORE, A SECOND PANDEMIC IN CYBER SECURITY. CHRISTIAN, I'M VERY INTERESTED TO KNOW WHAT YOUR INITIAL REACTION WAS WHEN YOU HEARD ABOUT THIS STORY.

The caption changes to "Christian Leuprecht. Royal Military College."

Christian says NOT PARTICULARLY SURPRISED. RANSOMWARE IS AN 18 BILLION DOLLARS A YEAR INDUSTRY AND YOU HIT CRITICAL INFRASTRUCTURE, THEY'RE EVEN MORE LIKELY TO PAY UP BECAUSE THEY KNOW THEY NEED TO GET THE OIL FLOWING AGAIN. IT REMINDS US OF THE VULNERABILITY OF OUR SYSTEM OVERALL. I THINK IT'S THE SORT OF THING THAT PEOPLE IN NORTH AMERICA THOUGHT HAPPENED ELSEWHERE IN THE WORLD. IT DOESN'T HAPPEN. HERE IT ALSO REMINDS US TO WHAT EXTENT WE'RE VULNERABLE NOT ONLY TO STATE-BASED AS WE SAW WITH SOLAR WINDS OR THE MICROSOFT, BUT TO NON-STATE ACTORS THAT ARE SUBSEQUENTLY HOSTED BY STATE ACTORS AND TO SOME EXTENT ARE WORKING IN COLLUSION TO UNDERMINE OUR SECURITY, OUR DEMOCRACY ON A DAILY BASIS. THIS IS A TIP OF THE ICEBERG OF WHAT HAPPENS ON A DAILY BASIS, THE THREAT THAT WE'RE UNDER.

Steve says ROBERT, DID THE ATTACK CATCH YOU OFFGUARD AT ALL?

The caption changes to "Robert Gordon. Canadian Cyber Threat Exchange."

Robert says NO, NOT SPECIFICALLY, NOT THAT PARTICULAR ATTACK. WE'VE SEEN ALL THE INDICATORS POINT IN THE DIRECTION OF SOMETHING BIG IS GOING TO HAPPEN, BUT WE DIDN'T KNOW WERE SOME OF THE SPECIFICS OF IT. WE DIDN'T KNOW SORT OF WHICH INDUSTRY WAS GOING TO BE ATTACKED, WHICH CRITICAL INFRASTRUCTURE WAS GOING TO BE DONE. WE DIDN'T KNOW THE EXACT TIMING OF IT. AND WE DIDN'T KNOW THE CONSEQUENCES OF IT. WHAT ARE THE SECONDARY ISSUES OR THINGS THAT HAPPEN WHEN AN ATTACK OCCURS. AND THAT'S EXACTLY WHAT PLAYED OUT IN SOLAR WINDS. AN ATTACK IN ONE PART OF THE COMPANY HAD AN IMPACT ON ANOTHER PART OF THE COMPANY, OPERATIONAL PART OF THE COMPANY, AND THAT'S WHAT ACTUALLY HAD AN IMPACT ON THE GENERAL PUBLIC.

Steve says STEPHANIE, I'M INTERESTED IN YOUR REACTION TO THE GROUP THAT IS CLAIMING RESPONSIBILITY FOR THIS. IT'S CALLED DARK SIDE. THEY'RE THOUGHT TO RESIDE IN RUSSIA. THEY DENY HAVING ANY POLITICAL MOTIVES OR LINKS TO THE RUSSIAN GOVERNMENT. THEY SAY OUR GOAL IS TO MAKE MONEY AND NOT CREATE PROBLEMS FOR SOCIETY. SHOULD WE TAKE THAT AT FACE VALUE?

The caption changes to "Stephanie Carvin. Carleton University. Author, 'Stand on guard.'"

Stephanie says I THINK THE MAIN ISSUE HERE IS THAT, YOU KNOW, THERE HAVE BEEN ALLEGATIONS SAY BY THE FBI THAT THEY WERE LOOKING FOR LINKS BETWEEN THIS GROUP AS WELL AS THE RUSSIAN GOVERNMENT AND, YOU KNOW, WE DO KNOW CERTAIN THINGS ABOUT THIS GROUP. FOR EXAMPLE, THEY ACTUALLY HAVE ARTICLES OF PRINCIPLES. THEY ARE A RANSOMWARE AS SERVICE PROVIDER. IN OTHER WORDS, THEY HAVE A SOFTWARE PLATFORM. AND THEN THEY BASICALLY INTERVIEW POTENTIAL CRIMINAL GANGS THAT WANT TO USE IT, AND IF THEY PASS, THEY BECOME AFFILIATES. THEY CAN THEN USE IT AND PASS IT ON. AS PART OF THOSE TERMS AND CONDITIONS, FOR LACK OF A BETTER TERM, THEY ARE NOT ALLOWED TO ATTACK THINGS WITHIN THE COMMONWEALTH OF INDEPENDENT STATES, OR BASICALLY RUSSIA, AS WELL AS, YOU KNOW, THEY'RE NOT SUPPOSED TO ATTACK CERTAIN THINGS THAT I THINK WOULD DRIVE A LOT OF ATTENTION TO THEM. SO ARE THERE LINKS BETWEEN THEM AND THE RUSSIAN GOVERNMENT? IT'S HARD TO SAY. THERE'S BEEN A LOT OF SPECULATION. IN MY VIEW, I THINK THE BIGGER ISSUE IS THAT THERE ARE THESE GANGS THAT ARE OPERATING IN RUSSIA AND RUSSIAN TERRITORY, AND OTHER COUNTRIES AS WELL, WITH IMPUNITY, RIGHT? THE RUSSIAN GOVERNMENT IS ALLOWING THIS TO HAPPEN, PROBABLY BECAUSE, EVEN IF IT ISN'T DIRECTING THE BEHAVIOUR, IT BENEFITS FROM IT. IT BENEFITS FROM A LOT OF THE CHAOS THAT RESULTS FROM HAVING A MAJOR PIPELINE IN THE UNITED STATES SHUT DOWN FOR A WEEK. SO, YOU KNOW, I THINK THAT'S THE GENERAL ISSUE. EVEN IF WE CAN'T POINT FINGERS AT THE RUSSIAN STATE, WE SHOULD BE RAISING VERY SERIOUS QUESTIONS AS TO WHY RUSSIA IS ALLOWING THESE GANGS IN THE FIRST PLACE AND WHY THEY ARE ACTUALLY NOT DOING ANYTHING ABOUT IT.

Steve says CHRISTIAN, WHO SHOULD WE RAISE THOSE QUESTIONS WITH?

Christian says THIS IS BASICALLY CYBER PIRACY AND THE RUSSIAN ARE EFFECTIVELY HOSTING AND ENDORSING CYBER PIRACY, IF YOU WANT TO FIND AN ANALOGY. THE PROBLEM HERE IS DETERRENCE. THERE NEEDS TO BE CONSEQUENCES FOR COUNTRIES THAT TOLERATE NON-STATE ACTORS THAT ENGAGE IN THIS SORT OF BEHAVIOUR, AND THOSE CONSEQUENCES MIGHT BE IN THE CYBER REALM BUT THEY ALSO CAN BE IN THE KINETIC REALM IN TERMS OF SANCTIONS AND OTHERWISE. IT'S VERY DANGEROUS AND RECKLESS BEHAVIOUR BY ENTITIES THAT POSE A SERIOUS RISK TO OUR WAY OF LIFE AND THE WAY WE RUN OUR DEMOCRACIES AND OUR ECONOMY. AND SO THAT'S WHY IT'S ULTIMATELY SIGNIFICANT THAT WE DETER THIS TYPE OF BEHAVIOUR FROM ANY TYPE OF ACTOR, EVEN IF THEY CAN CLAIM SOME DISTANCE FROM THE STATE IN AND OF ITSELF.

Steve says WELL, ROBERT, LET'S FIGURE OUT WHAT THAT EXACTLY MEANS. IF WE ARE LOOKING TO IMPOSE SOME CONSEQUENCES ON RUSSIA, EVEN THOUGH THIS GROUP, DARK SIDE, CLAIMS IT'S NOT OPERATING ON BEHALF OF THE RUSSIAN GOVERNMENT. WHAT ARE OUR OPTIONS? WHAT CAN WE DO?

Robert says I THINK THERE'S A FEW THINGS. ONE, ON THE DEFENSIVE SIDE OF IT, WE CAN GET BETTER AT PROTECTING OURSELVES. WE CAN START TO DO SOME OF THAT PLANNING, SOME OF THAT PREPARATION, AND A LOT OF THE CRITICAL INFRASTRUCTURE IS ACTUALLY DOING THAT. WE CAN GET BETTER ON COLLABORATING. SO THE FEDERAL GOVERNMENT HAS GOT A NUMBER OF INITIATIVES LED BY THE CANADIAN CENTRE FOR CYBER SECURITY IN TRYING TO ASSIST THE PRIVATE SECTOR AT GETTING HARDER ON THE OTHER SIDE. ON THE THIRD END OF IT WE HAVE TO BE MORE PROACTIVE GOING AFTER THE CYBER CRIMINALS. WHAT CAN WE DO TO MAKE IT LESS ATTRACTIVE FOR THEM TO DO THESE ATTACKS? THE BOTTOM LINE IS CRIMINALS ARE INTERESTED IN GETTING ACCESS TO MONEY. HOW DO WE MAKE IT HARDER FOR THEM TO DO IT? IF THEY'RE BUYING BITCOINS, WE CAN BE BETTER AT TRACKING THAT MONEY AND MAKE IT LESS FINANCIALLY ATTRACTIVE FOR THEM.

The caption changes to "For more information: Tvo.org/cybersecurity."

Steve says STEPHANIE, LET ME JUST ASK THE DIRECT QUESTION: SHOULD WE BE DOING CYBER ATTACKS AGAINST RUSSIA OR HELPING THOSE WHO WANT TO PERPETUATE THOSE KINDS OF ATTACKS ON RUSSIA?

The caption changes to "Stephanie Carvin, @StephanieCarvin."

Stephanie says WELL, IT IS INTERESTING IN THAT THE GROUP DARK SIDE HAS POSTED ON THE SO-CALLED DARK WEB THAT IT HAS IN FACT LOST CONTROL OF ITS DIGITAL WALLET. SO I BELIEVE THE RANSOM THAT WAS PAID THAT YOU HAD UP THERE AROUND 4.4 MILLION DOLLARS IN THE UNITED STATES, THAT THAT MONEY HAS NOW DISAPPEARED, THAT THEY'VE ACTUALLY LOST CONTROL OF SOME OF THEIR PLATFORMS, AND WE DON'T REALLY KNOW IF THIS IS TRUE. WE DON'T KNOW IF THIS WAS, YOU KNOW, THE UNITED STATES GOING BACK AFTER THESE CRIMINALS, AND WE DON'T KNOW IF THEY'RE JUST TRYING TO PRETEND THAT THIS WAS THE CASE IN ORDER THAT THEY CAN... PEOPLE WHO DID THIS CAN LAY LOW FOR A BIT. BECAUSE THEY NOW REALIZE HOW MUCH ATTENTION IS ON THEM. WITH REGARD TO CYBER ATTACKS, LOOK, I THINK CANADA DOES HAVE AN INTEREST IN TRYING TO PROMOTE GOOD CYBER NORMS AND TRYING TO STOP THIS BEHAVIOUR. IF ON THE ONE HAND WE'RE TELLING RUSSIA, LOOK, KNOCK THIS OFF, AND ON THE OTHER HAND WE'RE GOING AFTER THESE PEOPLE, WE HAVE TO BE CAREFUL IN HOW WE BALANCE THAT EQUATION GOING FORWARD. ONE OF THE CHIEF ISSUES HERE, PARTICULARLY IN THE UNITED STATES, THERE'S BEEN A LOT OF EMPHASIS ON CYBER OFFENCE OR WHAT WE CALL HERE IN CANADA ACTIVE CYBER. WHEREAS IN CANADA, WE'VE ALWAYS KIND OF FELT THE BEST DEFENCE IS A GOOD DEFENCE. AND I THINK HAVING PUT TOGETHER MORE OF AN EMPHASIS ON DEFENCE IN TRYING TO ENSURE THAT OUR CRITICAL INFRASTRUCTURE SECTORS HAVE A POINT OF CONTACT AND THESE KINDS OF THINGS HAS BENEFITTED US MORE IN THE LONG RUN. SO SHOULD WE BE GOING AFTER THESE GUYS? ABSOLUTELY. THE UNITED STATES IS MUCH BETTER AT DOING THINGS LIKE ATTRIBUTION AND ACTUALLY BRINGING CRIMINAL CHARGES AGAINST INDIVIDUALS, EVEN IF THERE'S NOT MUCH OF A CHANCE THAT THESE INDIVIDUALS WILL EVENTUALLY END UP IN THE UNITED STATES, I THINK IT'S A REALLY IMPORTANT STEP FOR THEM TO TAKE AND I THINK WE SHOULD BE DOING THAT AS WELL. WITH REGARD TO ACTUAL CYBER OFFENSIVE ACTIONS, I THINK IT'S JUST NOT... YOU KNOW, DETERRENCE ISN'T JUST YOU PUNCH ME AND I PUNCH YOU BACK HARDER IN CYBERSPACE. IT HAS TO BE MORE OF A DELICATE BALANCE OF ACTIVITIES THAT I THINK WE NEED TO BE UNDERTAKING.

Steve says WELL, LET ME FOLLOW UP WITH ROBERT ON THAT BECAUSE MORE THAN A DECADE, A LITTLE OVER A DECADE AGO, YOU WERE THE ARCHITECT OF CANADA'S FIRST CYBER SECURITY STRATEGY. CAN YOU DESCRIBE HOW THE CYBER THREAT HAS CHANGED FROM A DECADE AGO TO TODAY?

The caption changes to "Robert Gordon, @CCTXCanada."

Robert says YEAH, WELL, WE CREATED THE STRATEGY, AS YOU SAY, I HATE TO SAY IT'S OVER A DECADE AGO. ONE OF THE THINGS WAS YOU HAVE TO BUILD A STRATEGY WITHIN THE CONTEXT OF WHAT'S THE GENERAL UNDERSTANDING OF THE THREAT ENVIRONMENT, HOW DO YOU MOVE FORWARD? AT THE TIME WE WERE CONCERNED ABOUT ATTACKS COMING INTO THE FEDERAL GOVERNMENT, SO THAT WAS OUR FOCUS. SINCE THEN THE THREAT ENVIRONMENT HAS CHANGED DRAMATICALLY. WE'LL TALK ABOUT THE SOPHISTICATION, THE TECHNICAL ABILITY, AND THE SPEED AT WHICH CYBER ATTACKERS ARE CHANGING AND RAMPING UP THEIR GAME HAS REALLY INCREASED OVER THE LAST FEW YEARS. HOW THEY GO AFTER COMPANIES AND THE GOVERNMENT HAS CHANGED TREMENDOUSLY. WE'VE ALSO SEEN A CHANGE IN WHO THE ATTACKERS ARE GOING AFTER. THEY'RE NO LONGER JUST GOING AFTER COMPANIES THAT MAY HAVE SOME TRADE SECRETS OR THINGS THEY WANT TO HIDE TO PROTECT FROM THEIR OWN CORPORATE INTEREST PERSPECTIVE. THEY'RE NOW GOING AT LITERALLY ANY COMPANY BECAUSE THEY'RE GOING AFTER, PARTICULARLY ON THE CRIMINAL SIDE, THEY'RE GOING AFTER... THEY WANT TO COMMIT FRAUD. THEY WANT TO STEAL YOUR MONEY. THEY WANT TO DENY YOU ACCESS TO YOUR INFORMATION. THAT MEANS EVERY SINGLE COMPANY IS NOW SUSCEPTIBLE TO A CYBER ATTACK. THAT'S A HUGE CHANGE IN THE THREAT ENVIRONMENT. IT THEN CHANGES HOW WE HAVE TO BE RESPONDING WHEN WE START TO LOOK AT THAT. THE SECOND THING IS CYBER CRIME HAS NOW BECOME A BUSINESS. THEY RUN IT LIKE A BUSINESS. STEPHANIE WAS TALKING ABOUT RANSOMWARE AS A SERVICE. THEY'LL NOW PROVIDE YOU WITH THE TOOLS TO ACTUALLY UNDERTAKE A CYBER ATTACK IF YOU'RE NOT PARTICULARLY SOPHISTICATED FROM A TECHNOLOGICAL SENSE. IT WILL COME WITH A SERVICE GUARANTEE AND A HELP DESK TO CALL IN. SO THE CYBER THREAT INVOLVEMENT HAS CHANGED A LOT SINCE I WROTE... I DIRECTED THE FIRST STRATEGY, AS YOU SAY, OVER A DECADE AGO.

Steve says CHRISTIAN, MY HUNCH IS WHEN THIS STORY BROKE, THE COLONIAL PIPELINE STORY, A LOT OF CANADIANS, THEIR FIRST THOUGHT WAS, HMM, I WONDER IF THEY COULD DO THAT HERE, AND IF THEY COULD, HOW EASY OR DIFFICULT WOULD IT BE TO DO. LET ME ASK YOU THE QUESTION: HOW VULNERABLE ARE WE AND OUR INFRASTRUCTURE TO THIS KIND OF ATTACK?

Christian says TO FOLLOW UP FROM BOB'S POINT, LOOK, THERE'S BEEN A PROLIFERATION OF THREAT ACTORS, STATES AND NON-STATE ALIKE. THE TARGET SURFACE HAS WIDENED SUBSTANTIALLY FROM STATE TO PRIVATE SECTOR TO INDIVIDUALS, AND YOU'VE HAD A SIGNIFICANT DECREASE IN THE COST OF ENTRY FOR BAD ACTORS. AND SO AS A RESULT, WE LIVE IN A RELATIVELY VULNERABLE AND HOSTILE ENVIRONMENT, AND CANADA, OF COURSE, IS NO EXCEPTION TO THAT. IN ADDITION TO THAT, WE'RE A HIGHLY INTERLINKED AND NETWORKED WITH THE UNITED STATES. SO IF YOU'RE TRYING TO CAUSE SOME SORT OF DISRUPTION TO THE UNITED STATES, OFTEN CANADIAN CRITICAL INFRASTRUCTURE WILL BE JUST AS GOOD TO GO AFTER AS U.S. INFRASTRUCTURE BECAUSE OF THE CONSEQUENCE OF THE SECOND ORDER EFFECTS THAT FOLLOW FROM IT. AND SO WHILE [indiscernible] IN CANADA, THE STRATEGIES THAT BOB DEVISED HAS BEEN QUITE PROACTIVE, IT'S DIFFICULT TO PROTECT AGAINST SIMPLE MISTAKES LIKE COLONIAL PIPELINE NOT KEEPING PROPER DIGITAL HYGIENE PATCHING IN A TIMELY FASHION AND MAKING SURE THAT THEIR CONNECTIONS WITH THIRD PARTY SUPPLY CHAIN COMPANIES ARE OF THE LEVEL OF SECURITY THAT THEY NEED TO BE. SO OFTEN THESE ARE BASIC MISTAKES THAT CAN READILY BE REMEDIED.

Steve says STEPHANIE, I DON'T WANT TO BE IRRESPONSIBLE HERE, BUT I... YOU KNOW, I'M WALKING A BIT OF A TIGHTROPE HERE. ON THE ONE HAND, I WANT OUR VIEWERS AND LISTENERS TO UNDERSTAND WHAT'S AT STAKE HERE AND WHAT POTENTIAL CATASTROPHES COULD TAKE PLACE; ON THE OTHER HAND, I DON'T WANT TO THROW ANY IDEAS OUT THERE TO GIVE SOMEBODY SOME IDEAS. MY HUNCH IS THAT ANYBODY WHO WOULD DO THIS, THEY KNOW ALL THIS ALREADY. SO, CAN YOU GINGERLY SKETCH OUT A POTENTIAL ATTACK THAT SOMEONE MIGHT MAKE ON SOME CRITICAL PIECE OF INFRASTRUCTURE IN CANADA AND A POTENTIAL SCENARIO AROUND THAT?

Stephanie says WELL, I THINK, YOU KNOW, EARLIER I SAID THAT, YOU KNOW, WE'RE DEALING WITH A SECOND PANDEMIC, AND THAT IS REALLY A LOT OF THE CYBER THREATS, AND THE INCREASE OF CYBER THREATS. ALREADY, BOB AND CHRISTIAN HAVE SAID, YOU KNOW, THE THREAT SURFACE HAS JUST INCREASED SO MUCH, AND SINCE SO MANY OF US ARE WORKING FROM HOME, INCLUDING ME RIGHT NOW IN MY PARENTS' BASEMENT, THEY ARE... YOU KNOW, THE FACT IS IT'S JUST EASIER FOR THESE GROUPS TO PENETRATE ALL DIFFERENT KINDS OF SYSTEMS BECAUSE PEOPLE ARE WORKING FROM THEIR HOME, WI-FI NETWORKS, WHICH ARE NOT SECURED IN THE SAME WAY, AND THEY'RE ALSO, YOU KNOW, ARE NOT BEHIND PERHAPS THE KIND OF SAFEGUARDS THAT THEY WOULD NORMALLY HAVE. SO LET'S WALK THROUGH THAT. IF YOU ARE WORKING IN A COMPANY, DOING SOME KIND OF RESEARCH OR LAB WORK RIGHT NOW, THERE'S ALL DIFFERENT KINDS OF WAYS AND ACTORS THAT ARE TRYING TO PENETRATE YOUR SYSTEMS TO NOT ONLY ENCRYPT YOUR DEVICES IN ORDER TO HOLD IT HOSTAGE BUT ALSO TO GET THAT INFORMATION AND EXPLOIT IT, RIGHT? THIS IS A NEW PHENOMENON AS WELL. SO IF YOU'RE WORKING ON SENSITIVE INFORMATION ON A SENSITIVE SYSTEM, JUST BECAUSE YOU'RE WORKING FROM HOME, YOUR DATA IS... YOU KNOW, IF THEY GET ACCESS TO YOUR NETWORK, THEY'RE ABLE TO ENCRYPT YOUR SYSTEM, AND THEY MAY BE ABLE TO HAVE DATA AND HOLD IT HOSTAGE AND SAY WE'RE GOING TO PUT ALL THIS SENSITIVE DATA ON THE INTERNET. IT'S NOT JUST RANSOMWARE, WE'RE ALSO DEALING WITH EXPLOITATION-WARE AS WELL. THIS IS A HUGE PROBLEM. THAT'S JUST PEOPLE WORKING FROM HOME. IF YOU THINK ABOUT IT, WE HEAR ON AN ALMOST DAILY BASIS NOW OF DIFFERENT HEALTH CARE PROVIDERS BEING ATTACKED DURING CoVID, MAKING IT VERY HARD FOR THESE SYSTEMS THAT ARE ALREADY UNDER STRESS. WE HAVE SEEN IN THE PAST A NUMBER OF HOSPITALS BEING TARGETED. YOU KNOW, THE URGENCY OF THE CoVID-19 PANDEMIC, PARTICULARLY IN THE EARLY MONTHS WHEN PEOPLE WERE SEEKING INFORMATION, IT'S VERY EASY TO SEND AN e-mail THAT PANICS YOU AND YOU CLICK ON IT AND YOU CLICK ON THE ATTACHMENT. AND THAT'S ALL IT TAKES FOR THESE INDIVIDUALS TO GET ACCESS TO YOUR SYSTEM. AND WE'RE TALKING HERE ABOUT ALL DIFFERENT KINDS OF SYSTEMS. SO, YOU KNOW, IF YOU SEE HERE, HEY, THERE'S BEEN AN OUTBREAK IN THE COMPANY AND YOU NEED TO CLICK ON THIS e-mail OR CLICK ON THIS LINK OR CLICK ON THIS ATTACHMENT TO FIND OUT MORE INFORMATION, THAT INSTILS A SENSE OF PANIC IN YOU. AND YOU CLICK ON IT PERHAPS WITHOUT THINKING. YOU KNOW, IS THIS ACTUALLY FROM MY COMPANY? IS THIS ACTUALLY FROM SOMEONE I KNOW, SOMEONE THAT I TRUST? YOU'RE JUST WORRIED ABOUT YOUR OWN HEALTH. ONCE THEY HAVE ACCESS TO YOUR SYSTEM, THEY'RE EITHER STEALING THE DATA OR ENCRYPTING IT OR DOING SOMETHING MALICIOUS WITH IT THAT YOU DON'T NECESSARILY APPRECIATE. AND WE'VE SEEN THIS IN PRETTY MUCH EVERY SECTOR FROM EDUCATION THROUGH TO HEALTH CARE, NOW THE ENERGY SECTOR AS WELL. AND AS MORE AND MORE EMPLOYEES ARE WORKING FROM HOME, THIS IS WHY WE HAVE SEEN THIS LEVEL OF THREAT INCREASE.

Steve says WELL, THAT'S A GREAT POINT BECAUSE I GUESS WE SHOULD NOT DRAW THE INFERENCE FROM THIS COLONIAL SITUATION THAT THESE FORCES ARE GOING TO BE TARGETING THE CN TOWER OR SOME PIPELINE OUT WEST. I MEAN, THE REALITY IS, THEY COULD ATTACK ANYTHING. I GUESS THE SECOND THING I SHOULD SAY IS WE'RE GRATEFUL TO YOUR PARENTS THAT THEY'RE LETTING YOU USE THEIR BASEMENT SO WE CAN HAVE YOU ON OUR PROGRAM TONIGHT. SO THANKS, MOM AND DAD. THE THIRD THING IS... CHRISTIAN, PICK UP THE STORY. STEPHANIE REFERRED TO THEY. WHO'S THE THEY? WHO IS TARGETING US?

Christian says THE ARRAY OF ACTORS IS SO BROAD BECAUSE THE COSTS OF ENTERING ARE RELATIVELY LOW. IT'S ALSO IMPORTANT TO UNDERSTAND THAT 98 percent OF THESE ATTACKS ARE RELATIVELY LOW-LEVEL AND LOW-SKILL TYPES OF ATTACKS. THE CHALLENGE FOR ENTITIES SUCH AS COLONIAL PIPELINE THAT ARE UP AGAINST DARK SIDE OR STATE-BASED ACTORS THAT WENT AFTER SOLAR WINDS OR THE MICROSOFT EXCHANGE VULNERABILITY IS THAT THEY'RE EXTREMELY SOPHISTICATED. AND SO WE CAN BLAME THE PRIVATE SECTOR FOR PERHAPS NOT DOING ENOUGH AND NOT COORDINATING BETTER AND NOT ENGAGING IN BETTER HYGIENE, BUT THIS IS A LITTLE LIKE BRINGING A KNIFE TO A GUN FIGHT. THIS IS WHY THE RELATIONSHIP BETWEEN THE PRIVATE SECTOR AND GOVERNMENT HERE IS CRITICALLY IMPORTANT BECAUSE GOVERNMENT CAN PLAY A KEY ROLE IN PROVIDING ASSISTANCE WITH DETECTION OF POSSIBLE VULNERABILITIES AND ATTACKS. IT CAN PROVIDE ASSISTANCE IN DEFENDING AGAINST THESE TYPES OF ATTACKS. AND ON THE INTELLIGENCE SIDE, IT PROVIDES AN OFFENSIVE CAPABILITY, NOT NECESSARILY IN TERMS OF ATTACK, BUT SIMPLY THE ABILITY TO LURK IN THE SYSTEMS OF ADVERSARIES TO UNDERSTAND WHAT THEIR CAPABILITIES ARE, WHAT THEIR INTENT MIGHT BE, AND WHAT THEY MIGHT GO AFTER. BECAUSE IN THIS SPACE, REALLY ADVANCED INTELLIGENCE IS YOUR BEST DEFENCE, UNDERSTANDING WHAT YOUR ADVERSARY IS UP TO AND BEING PREPARED FOR THEM. ULTIMATELY IN TERMS OF DETERRENCE, YOU WANT TO ENGAGE IN DETERRENCE BY DENIAL SO THE THREAT ACTOR CAN'T SUCCEED AS OPPOSED TO THEN HAVING TO ENGAGE IN DETERRENCE BY PUNISHMENT WHICH MEANS THERE'S GOING TO BE CONSEQUENCES.

Steve says ROBERT, I SHOULD GET YOU TO COMMENT ON THAT METAPHOR. DO YOU THINK WE IN CANADA ARE KIND OF SO FAR BEHIND THE TIMES ON THIS THAT WE'RE BRINGING A KNIFE TO A GUNFIGHT?

Robert says I DON'T THINK IT'S QUITE THAT BAD. I THINK IT'S CERTAINLY A CHALLENGE FOR ALL OF US. BUT I THINK THERE ARE A LOT OF STEPS THAT ARE BEING TAKEN, BOTH BY GOVERNMENT AND BY INDUSTRY, IS STARTING TO HARDEN THINGS UP. YOU WERE TALKING ABOUT THE FLOW BETWEEN CANADA AND THE UNITED STATES. WE'VE HAD TWO COMPLETELY INTERCONNECTED ECONOMIES. THAT ALSO APPLIES TO CYBERSPACE. OUR CYBER REGIMES ARE INTERCONNECTED. MOST ENERGY IN NORTH AMERICA FLOWS NORTH AND SOUTH, IT DOESN'T FLOW EAST AND WEST. THERE'S A LOT OF WORK GOING ON IN THE ELECTRICITY SECTOR, FOR EXAMPLE, ENSURING THAT THE CYBER HYGIENE ON BOTH SIDES OF THE BORDER IS SUFFICIENT THAT NEITHER ONE OF US BECOME VULNERABLE. SO THAT'S PART OF IT. DO WE HAVE SOME STEPS TO GO? ABSOLUTELY, YES. THERE'S MORE WE CAN BE DOING. BUT WE'RE MOVING IN THE RIGHT DIRECTION. I LIKE TO LOOK ON THE OPTIMISTIC SIDE. YES, WE CAN GET THINGS BETTER. I THINK ONE OF THE THINGS WE'VE GOT TO BE THINKING ABOUT IS SOME OF THE UNINTENDED CONSEQUENCES OF CYBER ATTACKS OCCURRING. IN THE PAST WE'VE JUST LOOKED AT WHAT HAPPENS WITHIN ONE PART OF THE COMPANY WHEN A CYBER ATTACK OCCURS. AND I THINK WHEN YOU LOOK BACK ON THE COLONIAL PIPELINE ATTACK, IT'S A GOOD EXAMPLE. WHAT APPEARS TO HAVE BEEN INSIDE THE I.T. SIDE OF IT OR WHAT RUNS THE BUSINESS HAD THE RISK OF ACTUALLY GOING OVER AND THEY HAD TO SHUT DOWN THE OPERATIONAL SIDE OF THE BUILDING. WE DON'T KNOW WHETHER THE ATTACKERS ACTUALLY WANTED TO DO THAT, WHETHER THEY WANTED TO TAKE DOWN THE PIPELINE. WHAT THE ATTACKERS WANTED TO DO WAS GET A RANSOM OUT OF IT. DID THEY REALIZE THE COMPANY WAS ACTUALLY GOING TO SHUT DOWN THE PIPELINE AS A RESULT OF THAT? I THINK WE HAVE TO START BUILDING THAT INTO OUR PLANNING. THAT COMES BACK TO THE GOVERNMENT AND HELPING US DOING THAT. CHRISTIAN TALKED ABOUT THE COLLABORATION WE'RE SEEING WITH THE FEDERAL GOVERNMENT, HUGE STEPS THEY'VE TAKEN OVER THE PAST COUPLE OF YEARS AND STARTING TO DO THAT. WE'RE STARTING THE DIALOGUE. WE HAVE TO CONTINUE. WE HAVE TO MOVE IT ALONG.

Steve says STEPHANIE, TELL ME THIS. I PRESUME WE HEAR MORE ABOUT THIS WHEN THINGS GO WRONG. YOU DON'T HEAR ABOUT THINGS OBVIOUSLY WHEN AN ATTACK IS ATTEMPTED AND WE HAVE SUCCESSFULLY FENDED IT OFF. SO IS IT FAIR TO SAY RIGHT NOW THAT OUR FORCES ARE AT THE MOMENT PREVAILING BECAUSE THANKFULLY WE DON'T HEAR A LOT ABOUT THIS IN CANADA?

Stephanie says I THINK IT'S ACTUALLY HARD TO SAY IN THE SENSE THAT THE FACT THAT, YOU KNOW, WE ACTUALLY HAVE PRETTY GOOD OVERSIGHT OF THE NUMBER OF ATTACKS THAT HAPPEN AGAINST GOVERNMENT SYSTEMS BECAUSE, YOU KNOW, THAT IS KIND OF MANAGED THROUGH A PROCESS THROUGH THE COMMUNICATION SECURITY ESTABLISHMENT AND IT'S KIND OF OPEN-FACING INSTITUTION, THE CANADIAN CENTRE FOR CYBER SECURITY THAT BOB MENTIONED EARLIER, AS WELL AS SHARED SERVICES CANADA THAT IS RESPONSIBLE FOR COORDINATING A LOT OF THE CYBER INFRASTRUCTURE WE HAVE PROTECTING THE CANADIAN GOVERNMENT. AND WE KNOW THAT THEY FEND OFF, LIKE, BILLIONS OF ATTACKS A DAY, MANY OF WHICH ARE AUTOMATED, AS CHRISTIAN SAID, SOME OF THE LOWER LEVEL ONES. WHEN THEY'RE MORE SUCCESSFUL, WE KNOW THAT THE GOVERNMENT CAN COME IN, MONITOR THAT, AND WE'RE OKAY. THE PROBLEM IS THE PRIVATE SECTOR. WE STILL DON'T HAVE GOOD, YOU KNOW, INFORMATION FROM THEM. I MEAN, SOME OF THE INSTITUTIONS, PARTICULARLY THE CANADIAN CYBER THREAT EXCHANGE, WHICH BOB LEADS, IS REALLY IMPORTANT IN TRYING TO, YOU KNOW, SHARE INFORMATION AND PRACTICES AND TRYING TO BE A CONDUIT OF INFORMATION BETWEEN THE PRIVATE SECTOR AND GOVERNMENT. THAT SAID, THE PRIVATE SECTOR STILL DOESN'T HAVE TO REPORT IF IT'S BEEN HIT IN THIS WAY. YOU KNOW, IF IT HAS CYBER INSURANCE, INSURANCE COMPANIES DON'T NECESSARILY WANT TO GO PUBLIC. THEY MAY JUST WANT TO KEEP THINGS QUIET, TRY TO NEGOTIATE SOME KIND OF SETTLEMENT, AND GET THE INFORMATION BACK. AND SO AS LONG AS PRIVACY HASN'T REALLY BEEN AFFECTED BY THIS RANSOMWARE ATTACK, THEY DON'T HAVE TO GO PUBLIC WITH IT. SO I WOULD SAY THAT THERE'S STILL NOT A LOT THAT WE KNOW, AND I KNOW THAT THIS IS SOMETHING THAT, YOU KNOW, THE COMMUNICATIONS SECURITY ESTABLISHMENT AND THE CANADIAN CENTRE FOR CYBER SECURITY WOULD LIKE TO KNOW MORE ABOUT SO WE HAVE A BETTER UNDERSTANDING OF JUST HOW CANADA IS IMPACTED. THE FINAL THING I'LL SAY HERE, THOUGH, IS I DO SHARE BOB'S OPTIMISM. IT'S A BLEAK OPTIMISM MAYBE. BUT CANADA IS ACTUALLY FAIRLY WELL-PLACED RELATIVE TO SOME OF ITS FIVE EYES PARTNERS AND THE FIVE EYES OF COURSE ARE OUR MAJOR INTELLIGENCE SHARING PARTNERS, THE UNITED STATES, THE U.K., AUSTRALIA, NEW ZEALAND, AND CANADA. IF YOU TAKE A LOOK AT THE WAY OUR CYBER DEFENCE INFRASTRUCTURE, FOR LACK OF A BETTER WORD IS ARRANGED, IT'S ACTUALLY A LITTLE BIT BETTER THAN MOST OF OUR COUNTERPARTS. IN THE UNITED STATES, IT'S DISTRIBUTED ACROSS SO MANY DIFFERENT AGENCIES THAT HAVE SOME KIND OF RESPONSIBILITY. AND IN THE U.K., IT STARTED OFF BEING FAIRLY CENTRALIZED BUT HAS DECENTRALIZED OVER TIME. IN CANADA, WE REALLY HAVE... YOU KNOW, WE'VE KIND OF TAKEN THE OPPOSITE STEP, BACK IN, YOU KNOW, 2016-2017, WE SAW THE CREATION OF THE CYBER CENTRE AND THE REMOVING OF CERTAIN CYBER RESPONSIBILITIES FROM DIFFERENT GOVERNMENT AGENCIES, AND PUT INTO THE CANADIAN CENTRE FOR CYBER SECURITY. SO WE'VE CENTRALIZED IT. WE'VE CREATED A POINT OF CONTACT. WHICH MAKES ADDRESSING THESE ISSUES A LOT EASIER BECAUSE THEN YOU'RE NOT TRYING TO COORDINATE A LARGE NUMBER OF ACTORS ACROSS, YOU KNOW, THE GOVERNMENT SPECTRUM WHEN TRYING TO RESPOND TO THESE TYPES OF INCIDENTS. WE'VE KIND OF CENTRALIZED THAT WHICH MAKES US MORE NIMBLE AND I THINK IT MAKES IT EASIER FOR DIFFERENT COMPANIES THAT HAVE BEEN AFFECTED AND ARE TRYING TO GET ADVICE. THEY KNOW WHERE TO GO.

Steve says ROBERT, I SHOULD GET YOU TO FOLLOW UP ON ONE OF THE THINGS THAT STEPHANIE JUST SAID, THAT BEING WHETHER OR NOT THE PRIVATE SECTOR, IN YOUR VIEW, HAS A DUTY TO REPORT TO SOME KIND OF PUBLIC SECTOR ORGANIZATION... GOVERNMENT, WHATEVER... ON WHETHER THEY'VE BEEN ATTACKED? WHAT'S YOUR VIEW?

Robert says I THINK THERE ARE TWO ANSWERS TO THAT QUESTION. ONE IS I'D LIKE TO GET OUT IN FRONT OF IT. THE PROBLEM WITH REPORTING AFTER THE ATTACK IS USEFUL FROM ONE PERSPECTIVE. BUT WHAT I'D LIKE TO SEE THE PRIVATE SECTOR DOING IS ACTUALLY DOING MORE EXCHANGING OF INFORMATION SO THAT COMPANIES CAN PREVENT ATTACKS FROM OCCURRING. SO REPORTING AFTER THE ATTACK IS, YES, THAT'S NICE, BUT I'VE ALREADY BEEN ATTACKED AND I'VE SUFFERED. WHAT CAN WE DO IN A COLLABORATIVE SENSE IN FRONT TO MAKE IT EASIER FOR ME TO STOP THAT ATTACK FROM OCCURRING? AND I THINK THERE ARE SOME THINGS THE GOVERNMENT COULD PROBABLY BE DOING TO ENABLE THAT COLLABORATION, THAT SHARING OF THREAT INFORMATION AT THE FRONT END. THEY COULD PUT SOME LEGISLATION INTO EFFECT THAT WOULD PROTECT COMPANIES WHEN THEY VOLUNTARILY SHARE INFORMATION ABOUT, YOU KNOW, INDICATORS OF COMPROMISE THAT THEY'RE SEEING, ABOUT THREAT ACTORS AND HOW THEY'RE PERFORMING. IDEAS ON HOW TO PROTECT THEMSELVES. THAT'S THE KIND OF THING YOU WANT TO BE DOING UP FRONT. YOU WANT TO STOP THE RISK OF OCCURRING. YOU WANT TO STOP HAVING TO ACTUALLY REPORT THAT I'VE BEEN ATTACKED. AND THEN ONCE THE ATTACK OCCURS THEN, YES, THERE SHOULD BE SOME WAY OF GOING FORWARD AND REPORTING THAT BACK IN. AND I THINK IT'S GOT TO BE REPORTING MORE THAN JUST HAS PERSONAL INFORMATION BEEN COMPROMISED BECAUSE IN SOME INSTANCES CYBER ATTACKS WILL BE OCCURRING WHETHER PERSONAL INFORMATION HASN'T BEEN COMPROMISED, SO YOU MAY NOT ACTUALLY HAVE TO REPORT IT INTO THE PRIVACY COMMISSIONER, FOR EXAMPLE, BUT IT MAY AFFECT YOUR OPERATIONAL CAPABILITY. SO HOW DO YOU START SHARING THAT INFORMATION GOING THROUGH? AND WE HAVE TO MAKE IT REALLY SIMPLE. WHEN YOU LOOK AT THE NUMBER OF COMPANIES IN CANADA, I CAN'T GIVE YOU THE EXACT NUMBER, BUT LIKE I SAID 98 percent OF ALL COMPANIES IN CANADA ARE SMALL. A LOT OF THEM ACTUALLY DON'T HAVE THE ABILITY TO DO SOME OF THAT REPORTING. WHAT ARE THE MECHANISMS AND THINGS WE CAN PUT IN PLACE TO MAKE IT EASIER FOR SMALL AND MEDIUM SIZED COMPANIES TO PARTICIPATE IN THIS COLLABORATION AND SHARING, AND I SAY SHARING OF KNOWLEDGE ABOUT WHAT'S GOING TO HAPPEN, NOT JUST TELLING ME AFTER THE FACT THAT SOMETHING OCCURRED. BECAUSE QUITE OFTEN, AS I SAY, I WANT TO PREVENT THE ATTACKS FROM OCCURRING. I DON'T WANT TO HAVE COMPANIES HAVING TO PUT A REPORT IN TO THE PRIVACY COMMISSIONER THAT THEY'VE BEEN ATTACKED OR ANOTHER REGULATORY BODY. LET'S BE PROACTIVE ABOUT THIS.

Steve says CHRISTIAN, WE'RE DOWN TO OUR LAST FEW MINUTES AND I DO WANT TO FOLLOW UP ON THIS PRIVATE SECTOR ANGLE HERE. OBVIOUSLY COMPANIES HAVE PUT A LOT OF THEIR OPERATIONS ONLINE BECAUSE IT HAS BEEN A MORE EFFICIENT WAY TO DO BUSINESS. I'M WONDERING, GIVEN HOW THAT ALSO INCREASES THEIR VULNERABILITY TO THESE KINDS OF ATTACKS, WHETHER YOU BELIEVE MORE OF THEIR BUSINESS OUGHT TO BE TAKEN OFFLINE SO THAT THEY ARE NOT SO VULNERABLE TO THESE KIND OF ATTACKS?

Christian says I THINK IT'S A MATTER OF RETHINKING THIS PARTICULAR ENVIRONMENT SO THAT WE NEED TO LEARN TO LIVE IN COMPROMISED ENVIRONMENTS. WE NEED TO UNDERSTAND THAT OUR NETWORKS ARE LIKELY PERMANENTLY COMPROMISED, SO HOW DO WE PROTECT THE ELEMENTS OF THE NETWORK AND OF THE DATA THAT ARE ABSOLUTELY CRITICAL AGAINST THOSE THAT ARE NOT? THOSE ARE CONVERSATIONS, FOR INSTANCE, ABOUT HOW DO WE MAKE BOTH OUR NETWORKS AND DATA AS WELL AS CANADIAN SOCIETY MORE RESILIENT? HOW DO WE BUILD MORE AND BETTER REDUNDANCY INTO OUR NETWORKS? AND IN PARTICULAR, HOW DO WE CREATE SOME STANDARDS TO WHICH EVERYBODY HAS TO LIVE UP? NOW, WE SEE THIS IN THE PRIVATE SECTOR. STEPHANIE MENTIONED CYBER INSURANCE. THAT'S A REALLY INTERESTING DEVELOPMENT BECAUSE IT'S A MARKET BASED SOLUTION. THE INSURANCE COMPANY WILL REQUIRE CERTAIN STANDARDS OF YOU IN ORDER TO INSURE YOU AND THEN WILL ASSESS THE PREMIUM BASED ON THE RISK ENVIRONMENT THAT YOU'VE CREATED WITHIN THE COMPANY. BUT I THINK WE ALSO NEED, WE SEE THIS OUT OF THE U.K., PERHAPS A CYBER CERTIFICATION REGIME, PERHAPS VOLUNTARY FOR THE PRIVATE SECTOR WHERE COMPANIES LARGE AND SMALL CAN SIGN ON TO A CERTAIN LEVEL OF CERTIFICATION THAT PROVIDES SOME SORT OF ASSURANCE BOTH IN TERMS OF THE INDUSTRIAL CONTROL SYSTEMS BUT ALSO IN TERMS OF THEIR INTERACTIONS WITH CLIENTS, IN TERMS OF THE BEHAVIOURAL SIDE, THAT IT MEANS THIS COMPANY MEETS A PARTICULAR STANDARD. SECURITY IS FUNDAMENTALLY A COST IN TERMS OF THE BOTTOM LINE. SO THE INCENTIVE IS, WHAT ARE YOU GOING TO SPEND? IF YOU'RE COLONIAL PIPELINE, YES, IT'S A MAJOR NEWS STORY. BUT IT'S NOT LIKE YOU CAN SEND YOUR OIL TO ANOTHER PIPELINE. THIS IS SORT OF YOUR ONLY OPTION. WHEREAS IF YOU'RE A BANK AND YOU END UP GETTING COMPROMISED, CHANCES ARE THAT'S AN EXISTENTIAL RISK TO YOUR BUSINESS MODEL, THE REPUTATIONAL RISK ASSOCIATED WITH IT. SO YOU CAN'T AFFORD THAT TYPE OF RISK SO YOU'RE GOING TO BE MUCH MORE AGGRESSIVE IN TERMS OF HOW YOU INVEST IN YOUR INFRASTRUCTURE. AND SO I THINK WE NEED TO FIND A WAY TO RAISE ALL THE BOATS IN PORT. SO HOW DO WE BRING IN THE TIDE TO MAKE THAT HAPPEN?

Steve says STEPHANIE, LET ME GIVE YOU THE LAST MINUTE ON THIS. THE CASE OF COLONIAL WAS A BIG CASE. IT GOT A LOT OF ATTENTION. THEY TOOK A BIG HIT. FOR CANADA, IS IT NOT A QUESTION OF, IF THAT WILL HAPPEN TO US BUT WHEN?

Stephanie says YES. IF THERE'S A GOOD/BAD NEWS STORY IN THERE, IT'S NOT JUST CANADA. IT'S PRETTY MUCH ANYONE. THE STORY REALLY DOES SHOW THAT ANYONE ANYWHERE CAN BE HIT IN THIS WAY AND, YOU KNOW, AS CHRISTIAN JUST POINTED OUT, LIKE WHERE THERE IS NOT THESE KINDS OF REDUNDANCIES, THESE INDUSTRIES, THESE CRITICAL INFRASTRUCTURE SECTORS WILL SUFFER. SO IT IS SUPER-IMPORTANT FOR, YOU KNOW, FOR THESE, YOU KNOW, PEOPLE IN INDUSTRIES IN CRITICAL INFRASTRUCTURE TO LOOK, TO LEARN ABOUT THIS CASE, TO UNDERSTAND THE LESSONS OF IT. AND, AGAIN, I MEAN, IF THERE IS A VERY THIN SILVER LINING HERE, IT'S THAT WHEN THESE INCIDENTS HAPPEN, WE DO SEE A SPIKE IN INTEREST IN CYBER SECURITY ISSUES AND PEOPLE TRYING TO SEE IF THEY CAN DO BETTER AND HOW THEY CAN IMPROVE THEIR OWN CYBER SECURITY, BUT WE HAVE TO MAKE SURE THAT INTEREST IS SUSTAINED. THAT WHEN WE HAVE THESE INCIDENTS, IT ISN'T JUST A FLASH IN THE PAN BUT THAT WE CAN GENERATE A TRUE, YOU KNOW, CYBER SECURITY CULTURE THAT CHRISTIAN JUST SPOKE ABOUT, SO WE CAN, YOU KNOW, DO OUR BEST TO DETER BY DENIAL.

The caption changes to "Producer: Eric Bombicino, @ebombicino."

Steve says WELL, WE HOPE WE'VE MADE A MODEST CONTRIBUTION TO THAT GREATER UNDERSTANDING HERE TONIGHT ON TVO. I WANT TO THANK STEPHANIE CARVIN AND CHRISTIAN LEUPRECHT AND ROBERT GORDON FOR JOINING US TO THAT END. BE SAFE OUT THERE, EVERYBODY, AND THANKS FOR JOINING US.

Stephanie says THANK YOU.

Robert says THANK YOU.

Watch: Is Canada's Critical Infrastructure Vulnerable?