What You Need to Know About Bill C-26: Eric Jensen

howdy uh yes I'm Eric Jensen uh if you attended the oasp session uh in August the Y sex session in August this is the same presentation so if you want to pop upstairs uh all good uh Michelle great to see you I'm looking forward to your tough question later all right uh bill c26 it's very exciting do we all know what it is already no okay cool let's go for it uh today I'm going to cover off why there is a need for greater government regulation in cyber security uh what other countries are doing a little bit then we're going to get into the act itself um this is straight up copy pasta from the bill um so you can

see what it's like it's always good to review the source material uh and then to keep things interesting maybe uh we'll get into security operations maturity and how uh those kinds of capabilities can assist in meeting compliance with the Bill's objectives um and of course this is all just my opinion I'm not a lawyer I'm not a policy analyst this is not legal advice so um please take these words as you will but not as anything they're not okay getting into it uh so some background I think this is pretty natural to understand ever expanding threat landscape this is more than just vulnerabilities this is misconfigurations this is credentials for sale on the dark web uh this is low

hanging fruit brand identity all these kinds of things um play into cyber risk these days uh and cyber crime is a huge huge business um trillions of dollars this is all pretty natural I'm going to skip through it a bit uh but it's expected to surpass the GDP of China by the end of the decade probably come pretty close to us US GDP um and it's not going away like cyber crime is how people put bread on the table for their families these days there is a big business around this um with developers and quality assurance and help desk and all the resources that you expect a business to have so it's just going to

get worse uh and let's keep going Canadian Center for cyber security security um they put out their biannual report about current risks um and they've highlighted OT risk for quite a while um in 2018 they identified that OT environments operational technology environments things like pumps and windmills and factories and all that stuff the things that impact our physical environment will become increasingly vulnerable to less sophisticated actors this is born out you can go on GitHub you can get tools to hack stuff we all know this in 201 20 the report said that the most pressing threat to the physical safety of Canadians uh is cyber threats to OT networks um so we've gone from less

sophisticated actors can hit these things to this is the most pressing threat to Canadians to in the latest report uh specifically calling out that state sponsored actors are targeting OT networks attacking OT networks developing tools and payloads and resources specifically for damaging and degrading these networks and these assets um so it's a big deal it's pretty high stakes um and there's a lot of capabilities that are going into this as well that are identified by the Canadian Center for cyber security cryptocurrency of course makes it easier for cyber criminals to wash money to use that money uh we have state sponsorship there's at least four countries that are using cyber crime to fund State the

state itself like this is how military is funded in some countries how Healthcare is funded in some countries uh just due to the current sanctions environment and then we have the targeting Trends again um this is also highlighted in Alberta's own cyber security strategy report uh just saying how the the tensions of states are playing out in cyers space this is about deterrence you got to show that you have the big stick so that other countries hopefully don't come after you in cyberspace uh an example of that there was the Vulcan leaks earlier this year uh within those leaks there was this azmat C catalog I'm probably saying that wrong um but each of those circles

represents purportedly uh a critical system that Russian state sponsored actors have persistent access to the big circle is 10 million devices that's a lot of devices going on there's probably a map that looks very similar to this for Canada as well uh so this is real uh and there is a need to intervene so in the EU they have the network Information Systems directive uh it is recently updated it's becoming uh more broader in its scope has a couple core requirements that I will not read off the slide um but suffice to say the EU is taking this seriously the United States similarly is taking things seriously after the whole Colonial pipeline debacle uh they put out another

requirement for reporting immediacy of reporting any kind of Ransom paid or any kind of cyber incident um covering a lot of critical sectors and so Canada is doing this as well via Bill c26 there are two parts to the bill um that we'll get into but it was introduced into Parliament last year last summer um it is currently in its committee reading so kind of on pause it needs to go through one more reading in Parliament and then through the Senate and then get Royal Ascent before it becomes law so it is not in effect right now um but it is coming in some form there's two parts for it the first part is just an amendment to the T

Communications act which we'll get into very briefly um and the second bigger part is this new critical cyber systems protection act um which is really targeted towards critical systems operators we'll get into that a bit um but there's going to be a lot of KnockOn effects for other organizations as well whether or not they directly interface with critical systems if they're providing any kind of service to a critical systems operator there will be increased friction uh in that transaction why does the Telecommunications Act need to be amended it's mostly because of wuwei this is a response to uh huawei's involvement in Canadian Network infrastructure uh so in 2020 2021 there was a bunch of reports around purported

backdoor access into Huawei equipment um this was largely borne out as true um and by mid 2020 is Canada was the only five eyes nation that had not limited or banned the use of Huawei equipment in core networks it wasn't until 2022 that Canada actually banned the use of Huawei equipment so it took a long time to do that bad look um being involved in that intelligent sharing partnership uh to be the only organization sorry the only country that was allowing uh an adversarial foreign State access into critical networks basically so we have this amendment to the Telecommunications Act that is allowing the federal government to to mandate telecommunications service operators to use or not use certain

pieces of equipment to provide or not provide certain Serv services to specific entities those kind of capabilities um as well as the requirement to report on cyber security incidents to implement any future specific standards specified by the federal cabinet and of course there's monetary penalties as well that's the very quick of it but moving on to the critical cyber systems protection act it's a bit more involved so the federal cabinet has an oversight relationship with the communication security establishment as well as The Regulators um who in turn have a uh relationship with the critical systems operators and then they of course have that reporting Duty with their Executives and whatnot as well the relationship here is critical systems

operators are going to be required to immediately um report any kind of cyber incident of a critical system to the CSE the CSE maintains the ability now to intervene in the followup to the investigation of that cyber incident they can report that information onto the regulator uh cabinet whoever else do their thing with it C identifies uh these as critical infrastructure sectors um so 10 critical infrastructure sectors but the bill in its current state only applies to four um so that's pretty broad categories um and it is very likely if we look at what EU and us are doing that future coverage will expand to all these critical sectors as well as probably Beyond critical sectors as well but this

is a first step for each of these sectors there's an appropriate regulator um and there will be more clarity down the line towards who specific designated operators are within these um areas as well so it's not all like hashed out who exactly is in scope at the moment but this is kind of the broad Strokes for uh where the scope is no oh pardon sorry sorry okay um okay so the obligations they're broken down into really eight obligations for these designated operators the chief obligation is really around um establishing a cyber security program uh within 90 days of the passage of the bill this program will need to be amended um periodically each year those

amendments will have to be provided to the regulator um any kind of change in how U mitigations are applied to risks identified in the program will have to be um submitted to the regulator as well uh and the particular focus of this program is really around mitigating supply chain risk and third party risks um that comes up again and again in the document as we'll see so the uh cyber security program itself which must be created in 90 days uh it needs to address risk broadly um any kind of vulnerability to the critical system or uh means of impacting the critical system in some way uh especially with respect to third parties uh and suppliers the program needs to identify

how the organization is going to mitigate the identified risks and reduce the potential for impact um from those risks as well pretty sensible stuff um but very Broad in what needs to be covered protecting the critical systems is Paramount of course and being able to detect incidents in some way also very important um having an expanded detective scope is a hard thing to do uh so I think a lot of organizations may be surprised at what goes into this um if they're not already addressing it in terms of supply chain and third party risks I think this is where the bill really starts to impact more than critical systems operators uh and that's just because if you're providing any

kind of service to an organization that is included within the scope of this bill you're going to have an easier time doing business with them if you can provide them with assurances that you are up to Snuff in terms of cyber security yourself uh so whether you are a sole proprietor providing some kind of service or you work for a body shop uh and you're providing Services through a Contracting vehicle um or if you're Azure or whoever there's going to be a lot more string stringency string can't say the word but there's got to be a lot more um I guess like oversight from from these operators into who they are doing business with uh because there's so much

on the line for them in doing this business there's so much requirement that they have to report risks um and what the what the issues might be with their supply chains if if uh you as a third party are breached that can be a very easy Avenue into one of these organizations because it's a simple trust boundary that can be bypassed you have a question yeah I was just going to you look in the US they have cmmc and they're very rigorous with the contractors that are dealing with any government instit institution and I just find there's no teeth on these type of things like even when this finally gets passed let's just say you're a

contractor in your third party and you inadvertently something happens to you basically you report you don't report there could be impact M the or you're with the government has no teeth or there's no recourse for us to raise our game much like what cmn is yeah that that may stay the same it's hard to say I think there's like attempts to add teeth and this bill is part of that um but we'll see how they're circumvented in the future these attempts sure Michelle please I I I think Bill c26 is in the right direction for Canada but if we go and we go across the sea to the n directives in in in European Union I think they're doing it

the right way which is the n directive started in 2016 uh and they've started to add more teeth into it uh with Nest Nest 2 and they're covering off all critical infrastructures inclusive inclusive of private public and private sector the Canadian government here from from this bill is taking a very relaxed approach and that they're really only taking an approach relative to the organizations that they control which is the public sector compan not the private sector companies right so so what I suspect that we'll see within with after this bill is passed we'll see an evolution of this bill probably very very quickly afterwards because of the fact that the bill does not have enough teeth uh it

does have some significant fines Associated to it for non-compliance but but the problem that this bill brings in is is that in Europe they bring this concept of the regulatory Authority but they also have this concept of a competent Authority relative to security they don't have a competent Authority uh and so when when this Bill gets passed they're going to be told to comply within 90 days the reality of it is is that their Regulators will have to tell them how to comply and The Regulators themselves won't be competent to comp to comply and so therefore then it will become go back and forth with the government and the Regulators for a period of time so unfortunately for me

this is I think Bill c26 is way too LAX uh from the perspective of of what we're doing uh for the rest of the world and you take a look at United States unfortunately United States is broken too because they're doing it um you know uh nerk came out with FK so FK came out in 1938 nerk came out in 2005 uh for the electrical industry and they're breaking they they're basically doing compliance on a on an industry by industry basis rather than where Europe is doing it on all critical infrastructures and and then expanding it even further and Eric I'm sorry if I took point of your thunder honestly that was a good summary

thank you for that uh this is yes it's absolutely just a first step um in Canada over I think it's like 60% of critical infrastructure is managed by private sector um so this is going to be a bit of a road to travel in terms of giving everyone time to start adapting cyber practices giving the government time to become a competent body to assess these cyber programs that's why CSE is involved at this point um and just getting everything up to speed in terms of the government's capabilities and this goes back to Michelle's Point honestly is the bill gives the federal cabinet a lot of leeway to further Define how this bill is interpreted and implemented as it um

plays out so the bill is pretty short it's like 15 minutes to read it is not exhaustive in any means um so a lot of this is just there's power provided via this bill to the state to start defining what is a good cyber secur program look like how are audits um like performed how are things classified terms of violations all that it's going to be very ad hoc as the bill is implemented and like enforced in the future there's penalties as well with this bill um this is where the teeth come in or the attempt for teeth I think the important things to call out is that individuals within the organization will be personally liable um this is

directors and officers for any violations and violations are counted on an ongoing basis so any day that the violation is not remediated rectified um there's an addition fine up to $1 million per individual uh and $15 million for the company so it really is attempting to add a cost to uh carrying risk or not mediating risk remediating risk mitigating risk um but as we've seen in the states where they've tried similar things uh the outcome was really just removing certain officers from the organization so um in the states there's like a criminal component to to some privacy bre Brees that is borne by the ceso of the organization Financial penalties as well um and so

organizations down there are just removing the ceso and instead of having an office of the ciso to to bypass that so it'll be interesting to see how this actually plays out um but I think the intent is at least there and that's a good thing for now so to summarize uh the bill is allowing Federal cabinet to uh have cyber security sorry critical systems operators do or not do a thing they must make these cyber programs they must have this ability to audit their systems report on incidents proactively detect threats all those things that we hope organizations are doing anyways uh and then there is this $15 million violation component as well the core pillars there

using reputable vendors don't use Huawei I guess is like the the point don't use organizations similar to Huawei you got to pick stuff that's not produced in China probably to be compliant with this bill um cyber security planning will really help you meet your objectives around protection monitoring detection response reporting auditing and assessment um and even mitigating those third party risks uh so having these capabilities is the focus of the bill uh if you want to have compliance with it in my view and I would like to focus on cyber security planning for the remainder of this presentation um when we get into security operations I think it's worth considering the fundamentals um these are big numbers up top for

meantime to detect meantime respond I'm sure we've all familiar with these kinds of reports it might be bigger or smaller numbers um but it's always measured in days and that's the problem uh because within 15 minutes of critical cve being published there's automated scanning for actors are using all kinds of tools to find vulnerable endpoints um and they don't even need vulnerabilities to get access anyways really um and within 5 hours of initial access there's usually crown jewels achieved so like domain admin and dwell time is is now around 5 days from the latest reports I've been seeing so there's a completely different time scale in this uh system the system of security operations and it really

boils back to a finding from locked Martin Corporation in like 2008 is when they had their white paper on intelligence-driven defense uh they said there's a two bad assumptions right response should happen after the point of detection so um once we've gotten the alert in the Sim or once we feel the impact of a breach uh and then the other assumption is that a breach is always a result of a fixable flaw so we have to address our way of thinking around security operations in some way and to do that we have to follow the wise words of Donald Rumsfeld and know about knowing so we have known knowns uh and these are things that we are we can

conceive within our threat models we are measuring them we're doing something about them so that could be uh how many vulnerable systems do we have according to our vulnerability scanner could be what kind of alerts do we see on our Sim or our EDR platforms what kind of plans do we have for incident response those kinds of things very clear very understood we spent some time considering them then there's things that we maybe have not considered they're looming on the horizon we have some sense that they could be there waiting for us but they are not measured at all um so this could be things that we could check like how many domain admins do we have in our organization do

they all need to be domain admins how many shared accounts do we have with administrator credentials or privileges rather uh those kinds of things or uh just what misconfigurations exist in our environment these are things we could find out what we probably are not measuring and these are things that should be addressed these are where we can do that proactive threat hunting assume the breach and really dig in and find some interesting gaps things we can do something about and then all the way at the other end we have unknown unknowns which are inconceivable we we are not considering them at all in our threat models we're not measuring them we're not doing anything about them uh

and these are all the unaccounted for risks risks that is not in the register in any way so we got to do something about those and I think it all comes down to some concentric circles here so if we consider the miter attack framework there's lots of ways to use each Technique we have to have a depth of coverage and a breadth of coverage um and that can be like a nice reference point uh and then we go out from there with our concentric circles so in the center we have control group these are our known knowns these are applicable risks to our organization that we have technical controls for mitigations and we have observability data for as well

some other source of data that allows us to verify the efficacy of our technical control or policy control then we have these low priority areas where there is no applicable risk the organization we have some technical controls we have some observability but we're not really sweating it where it gets interesting is when you get into things where you do have a technical control for um a perceived risk an applicable risk but you have no other data source to evaluate the efficacy of the control for that risk um examples you have an endpoint detection response tool on your endpoints it goes off we all understand it makes alerts um but how do you know when it's not

working how do you know when something's getting through what data source do you have to evaluate the efficacy of that tool um that's where we get into log data command line logging getting like cismon and stuff that you can start to interpret data from the system to understand if there has been some kind of uh realized risk on that system instead of just being notified by a tool that is telling you a thing and then finally the highest priority to mitigate or add capability around is when we can see impacts of risk risk is being realized and we have no mitigation for it so if we're able to consider this kind of model into our organization then

we can improve the efficacy of our security operations we can identify a candidate capability bring that into the organization and evaluate how effective it has been at improving our security posture uh an example here we can take the idea of again EDR it makes a bunch of detections there's malare on our devices but how do we stop the maler from getting to our devices in the first place maybe we identify um that we're doing deep inspection on our wire traffic we can uncover threats there um but stuff is still getting through so we want to add sandboxes inline sandboxing as a capability we can add that in monitor what kind of detections it's making start incorporating that data

into our other security tools so that we can have a bit of a proactive use of locally curated threat intelligence and then we can measure what that success outcome is did the number of EDR detections go down around malware did the number of sandbox detections increase are we stopping delivery of of threats to the end point that's pretty easy to tell at that point um and then that might UNC cover additional gaps within our operational environment as well maybe those hashes that we're collecting out of sandbox start appearing on systems that don't have EDR we've identified that in some other way so then we see like oh hey I thought these systems weren't even accessible to

the internet how are they getting these files we can follow that down to some other path as an example this allows us to become more predictive in our security operations and really move left on that killchain model because delivery is kind of a point of control that impacts everything else this allows us to go faster to very uncomfortably Embrace this uh Sonic cage or whatever I don't know I'm sorry for subjecting you to this view um but again from that locked Martin white paper uh they identified that Defenders must be able to go fast that's the real goal if we can iterate faster than attackers within our environment we increase the friction we increase the cost for them

to do the attack cyber criminals have quotas yeah they've got they've got like bills to pay they got to make the money they got to do the thing so if there's a higher barrier to entry they're incentivized to move on when they can just attack another Target so if we can go faster than them then we reduce the risk and that is where uh security operations really shines and having good practices in that area so some examples uh of how we get there if we consider again the killchain uh delivery is really our choke point that's where we can impact uh what threats get to an end point we can use data from the reconnaissance phase like

understanding what does our environment look like from the point of view of a threat actor um to to uh I guess predict what systems will come under attack as like an entry way we can understand those trust boundaries uh and then we can use data from after the point of delivery to start anticipating what does an attack look like in our environment what artifacts would we expect to see and then we can incorporate data from both sides onto that delivery point of control to improve our security posture I'll get into a few examples very loose examples um to just chug through and close this out because I don't have much time left so perimeter is pretty well

understood classical perimeter but perimeter is wherever our data is it's wherever our devices are it's wherever our users are whether they're on or off the network that is the real perimeter these days um so if we consider an example example of we have good security controls within our perimeter on our network uh and then someone leaves with a corporate laptop goes off Network what do we enforce at that point maybe we have like an endpoint control still um but we don't have any kind of way of enforcing our traffic policies on that endpoint we can change that using modern tools like sassy that's a big marketing buzzword simple example we can extend that as well to do

more wire based analytics as well sandboxing again I'll come back to that that one um mail Gateway can submit attachments to a Sandbox evaluate them evaluate URLs evaluate QR codes that's becoming a increasing Avenue for an attack to bypass the controls environment by having a user use their own device to scan the QR code and kind of get out of that chain of inspection remove visibility from the defender's point of view so we can use these systems to evaluate those things in line before they reach um the end user's mailbox and then distribute threat intelligence throughout the environment that improves our security posture as well and gives us a lot of Rich data from an endpoint perspective we

understand simply endpoints must be protected but what are we doing with the outcomes of those detections a simple thing that we can do is when our endpoint control tool makes a detection it can notify our firewall or endpoint management solution in some way to let it know that the device is no longer trusted it's in a risky State we can feed that information back to the firewall to dynamically change our network access policies on eastwest traffic so that that compromise endpoint cannot um access sensitive data we reduce the risk of lateral movement or access to critical systems um through this kind of attack surface management using that endpoint data we get into the network side it can

be very expensive to collect Network traffic into a Sim or net flow data um so a lot of organizations just submit a subset which makes it very difficult to identify things like lateral Movement we can use tools like Network detection response wants um to identify those kinds of use cases or we can use deception tools as well um going Beyond honeypots which are usually pretty easy to tell if it's a Honeypot to something more High interaction um an attacker when they land on a device whether that's headless or workstation or whatever they begin doing internal reconnaissance if we can incentivize them to interact with decoy assets then we can understand what end end points are are uh affected compromised

potentially and then notify the firewall do do that quarantine or Knack solution or the endpoint control do that quarantine step to cut out the AIS of the attacker from the network at that point they have to Pivot again we're increasing the cost of the attack with those capabilities likewise with our Sim it's usually an expensive noisy box that does a lot of nothing um unless we spend time with it and take care of it and tune it and stuff uh that's my background I know the pain but our SIM can do useful things things that can dynamically feed into our environment M as well as it analyzes external data interactions with like VPN or um just

access to our web applications and starts uncovering those risky indicators or as it sees bad things happen on the endpoint we can use that data to identify risky assets and again submit that to say the firewall so that it can dynamically change how network access is is uh mediated we always want to incorporate our data flows into other systems instead of just dumping it as a detection we need to do something with data uh and Sor is kind of like the crown jewel of that security orchestration automation response tools um this is where we can really triage and analyze low hanging fruit things that are well understood and just have the action happen automatically because

we ain't got time for that it happens all the time we got to automate so a sore can get a notification say of like a type of squatting for a monitor domain it can query web services like who is to compare the two domains the monitor domain and the typos squat domain uh do that triage automatically it's very simple to do something an analyst could do quickly so we can do it programmatically as well through a sore then it can have that domain be blocked at the firewall level or proxy level or whatever um it can also query our Sim or other tools to proactively begin threat hunting and understand what assets what users have been interacting with that

type of squatting domain and maybe chase down some new areas of Investigation there so just simple examples of capabilities that maybe address known unknowns or unknown unknowns in our environment that we can begin working with to really work at this choke point thing there's a lot of tools that we can deploy at these different stages that can support and facilitate um the collection of data or the production of data that helps us to evaluate how we can close that Gap at the choke point and when we do that then we're able to validate what's going on in our Network and uncover the true threat Chad Kroger right there bottom center and uh stay safe safe out there

so that's my spiel about BLC 26 I can take some questions I think there's a bit of time um but thank you thank you keep the mic for a second any questions this morning howdy in what is the definition of an incident uh they are looking for things that impact the Integrity or availability of critical systems uh primarily confidentiality as well that kind of classical answer um so anything that is going to degrade uh the utilization the proper use of a critical asset one of those critical systems I know it's pretty broad but yeah howdy yeah I so we do a lot of the work with the government and like the local government in small towns and so so some of the

small towns have like a couple people that work there they manage the infrastructure they're also the fire chief they drive the snow plow seeing this requirement come out here maybe this is where cyber Alberta can come into play what kind of support is there for like the towns and municipalities that don't have any money to do anything let alone hire one it person versus Mar quite did you want to take that I noticed it's part of the Cyber strategy for Alberta I can take that yes this is actually exactly what cyber Alberta is about we're trying to actually uh Leverage The efforts of an entire Community to make things happen in municipalities and postsecondary in

institutions in in schools school boards and so on and so forth across the province so this is definitely a place where we could uh we could look at leveraging our resources um it's not always a question of injecting money it might be indeed resources doing some research ahead of time working with municipalities we're very much connected with Misa prairies for instance I would imagine your organization is connected with them um so as a matter of fact Misa representative is also part of our National Committee on information protection so these things would pop up we would discuss how we can actually help facilitate that across the province and we can help with that definitely thanks hey Michelle I've been looking

forward to this I I caned another question I know what you do for Martin but uh I can you can ask it so I I'll go I'll go both from the Alberta perspective as well as from the the the forn net perspective um from an Alberta perspective uh I see an opportunity for us to be able to replicate what we did in I forget now how long ago because I was a part of it but building of the supernet allowed us to be able to get rid of those those concerns of the smaller municipalities because then at that point they could be all connected do we have the opportunity within cyber Alberta to be able to

create Services being delivered in this nature to those communities in need right I I work in a I work live in Nanton Alberta which has only got 2,000 people we've got a water treatment plant that doesn't really work very well but I guarantee you as as one of my one of my um uh you know I know for a fact that there isn't cyber awareness there so I love the idea of trying to be able to get this type of of solution set right of what Eric is presenting as a solution set as a service to the to the communities of Alberta again something we can definitely look into I think um okay let me

start there are so many things that we can do for this province and once again some of them might need an injection of money some of them might be an injection of resource and we're looking at using the committee leveraging the the the community of interest to make that happen you mentioned awareness for instance Minister gubish mentioned this morning some programs cyber safety to K to 12 Focus also on uh 9 to 12 in terms of developing new talent and things like that we might need to inject a bit of in there but I'm also going to be looking at leveraging the community we can't we're a very small team in cyber Alberta so I can't see us being able to uh move

all across the province go and help people there so we're going to Leverage The committee's expertise to do that now to come back with assistance you mentioned superet absolutely critical something that we've done a long time ago that we keep on keep on supporting keep on hammering our head against sometimes we also have a Broadband program right now that's looking at getting us into some of the uh furthest communities not only with fiber and things like that that's usually a Preferred Choice we have a very short construction season so it's hard to actually get to all the communities quickly we also get money from the federal government we're looking at making some deals right now with uh uh

elon's company and bringing more services with L bit satellites and things like that those are all the things we're looking at facilitating again it's not NE necessarily showing up as an injection of money or doing the work but it might have to do with trying to Leverage The Buy power of Alberta coming in as a common entity and getting better deals as a result so that's one thing that we're looking at sky is the limit with things like that if you have any ideas about things we can do to help the communities to help the municipalities organizations or anything like that please reach out to me um because we're looking for more ideas we're looking at ways to actually make

things better for the province of Alberta and um uh I lost bit my throat oh yeah an idea you mentioned supernet one of of the things I talked about to a few organizations in Alberta is as we're reaching out into those communities and extending the internet wouldn't it make sense to maybe also look at providing a monitoring service from a cyber security perspective so that not only do you bring the internet to those Community but it's a safe internet that is monitored and maybe we can do something about it the organizations like Bell Tellis and such are coming forward now and saying how can we make that happen find a way to well of course they're in

there to make money if they don't won't be able to support the service so make money out of it but do it in a way that makes sense that supports albertans and puts them on the map also for the community service they would be providing to the province so please bring up those ideas sky is the limit and I I will say I'm I'm not joking this morning I'm not sucking up anybody who knows me knows I'm not a good suck up person as a matter of fact I'm usually having issues with management but anyway um Minister gubish has done some things and made things possible like never before and I can only see that getting

bigger that's awesome and my second question Eric and pointing towards you is is that the lock heed Martin white paper that you referred to also talks about unified data lakes and unification of of not just simply data sources from the perspective of a security need but from all of the different application application needs and knowing knowing that you're a Sim and a sore expert I'm going to throw this at you is is that do you believe in the unified data Lake methodology and and from that perspective I see it as an opportunity for us to be able to understand indicators of exposure through Sim and store Technologies to be able to effectively secure ourselves is that do

you see it in the same way yes perfect