I'll go back a bit to what I said earlier. If you're going to deal with private sector research and development areas, passing legislation or regulations is not going to make a huge difference. You have to convince these people there's a real risk.
The only way we're going to do that is if we share information with them and we bring them, to some degree, within the tent.
I know CSE makes a significant effort to try to explain to corporations and whatnot the dangers of cyber, but when we compare what we do to the United States, the United Kingdom and Australia, we're still very reticent about what we share with the private sector.
Sure, change the rules if you have to—require reporting on cyber-attacks; require basic measures to be taken—but no large corporation is going to significantly shift its investment pattern, for example, if it's not convinced itself that there's a real risk that its R and D or its IP will be stolen.
We have to find a way of bringing them along more than we have now.
I'm repeating myself, and I apologize, but we as a country simply don't share enough information with the private sector.
One of my political masters once told me, when we were talking about sharing information, that national security is to be dealt with, not talked about.