
A
Welcome to Cybersecurity Today on the weekend. I'm really excited to share with you a conversation I had with a colleague and friend, John Ferguson, who's a vice president at CIRA. You've probably never heard of CIRA, the Canadian Internet Registry Authority, and they're far more than just the folks responsible for the country code .ca for Canada. We're going to cover in this episode the evolution of this Canadian not-for-profit that started as a pad of paper registering names to websites at a university to become a global player responsible for 500 of the delegated top-level domains around the world, and building a host of cybersecurity tools with the mission first, not just the money. So I hope you enjoy this conversation as much as I did chatting with John today, and learn a few things along the way. I'm really excited to welcome you, John, to the show and to chat with you about the fascinating world of CIRA and cybersecurity. Thanks for joining today.
B
Thanks for having me, David. It's always a good chat when we get together. Just looking forward to it.
A
Awesome. One of the things I love to do is introduce people to the people I know. So we've known each other for a few years. We've worked together through the work that Beauceron and CIRA do. But first, let's do a little bit about you. You've been around the cyber space for a while prior to joining CIRA. How did you get started in this space? And tell us a little bit about your career journey and what you do today at CIRA.
B
Yeah, I think my cyber journey is the one I kind of try to stress to the youth, as they call them, that I talk to sometimes. They want to know how you get into cybersecurity. And I say cybersecurity is not a degree you get at school or a particular thing. I came to cybersecurity after years of building SaaS products and platforms. I came at it from an angle of data analytics and building big mapping systems and reporting tools. And eventually that led down the sort of rabbit hole of: there are devices and systems and things that create this data that we're working with. Let's learn a bit about those. And then you learn a bit more about those and you learn about how they're not always the most secure thing, or the networks they're running on need to be made better. That takes you down another rabbit hole and you find yourself doing things like encryption and device security. And after that journey kind of happened, it came back into play again of how do you integrate all of these different types of security pieces of data into a security platform to protect an organization. So for me, it's been a real organic growth of looking really close at the outputs and the data, and then looking at the things, and then from the things to the bigger networks and systems that are used by modern business.
A
So tell me, what is your job? What's your job title? What do you do at CIRA and why do you love what you do?
B
Sure, sure. I probably should have covered that. Basically, from my perspective, I sit as part of our management team and I'm responsible for our DNS, the Domain Name System, team. So we run a global network that helps resolve Internet addresses, making sure that when you type in cbc.ca, it shows up at the news site that's supposed to be there, or beauceronsecurity.ca if you prefer. And then there's the other half of my title, which is "and cybersecurity." And that's always comical, that "and cybersecurity" is tacked on as the secondary piece. But at CIRA, we have this core responsibility. We run .ca as a top-level domain. So if you've ever been to a .ca website, anywhere, it touches our infrastructure; our infrastructure is what makes it show up on the Internet. But in order to do all that, we built a big global infrastructure and began, basically about 10 years ago, providing that infrastructure to other countries and other organizations that do the same type of work. And we broadened our scope to say there are other things to do than just get people on a website and get them email. We want a trusted Internet for Canadians. That means doing cybersecurity. So we work with you on a cyber awareness and training platform. We do malware and phishing and botnet blocking, I guess you could call it, through services that keep those bad sites from being something you resolve. And now we do endpoint security and security operations center software. So collecting all the data off all the systems and finding the needles in the haystack, I guess, is really the best analogy you can do. So it's a broad spectrum of things, but it goes from network security to endpoint security to human security.
A
So now, for those who are listening, you know, we've got a large audience in the United States and around the world. It's funny, I was telling Jim earlier that in April we hit within the top ten in a half dozen different countries now, and so many people may not know of the Canadian Internet Registration Authority, CIRA, and that it's a not-for-profit. Can you tell me a little bit about this? It's not a government agency, it's its own thing, and it's not a for-profit company.
B
CIRA, like, yeah, very true. It's a bit different. Yeah, we're 142 people strong, but to your point, a not-for-profit, private organization. So we don't take any public funds and we aren't part of the government. What we do have is a directive from Industry Canada, who is the government agency that technically owns the .ca delegation. So every recognized country under NATO gets a two-letter designation. Ours is .ca. Fun fact for your US folks: how many times have you been to a .us? .com is not the US; it's actually .us, but you don't see as many of those in the wild. And so there's an organization everywhere, in every country, that's designated to run that top-level domain and may have to adhere to policies from ICANN. All those two-letter acronyms have to be managed by someone. Typically, in countries it's going to be a not-for-profit or quite often an education institution. And then in some other countries it'll be a commercial entity, or the government has contracted a commercial entity to run it. And in order to do that, as I said, you have to be able to take registrations in from the hosting companies. Because if you were to think about it, even though you have a .ca, you don't actually ever receive a bill from CIRA or from most top-level domain operators. It's GoDaddy, Web Hosting Canada, Webnames, if you're in the Canadian market; there are other global players, Tucows. They're the ones who sell the domain and the hosting and the email services and all the things you use with your domain. And so in that way CIRA can often be looked at as a wholesaler. We run back-end infrastructure and we make sure it works for the Internet community that builds services and products on top of a domain.
A
But you once told me a story about how this all started. Literally, this is like one of those Internet legends now, where somebody is running a computer at a university underneath their desk, and that's the start of managing .ca. Do I get that right? It's a
B
living legend, because John Demco is very much a person and he is still very much alive and kicking, and hopefully for a very long time. John was part of the Comp Sci department at the University of British Columbia, and back in the early days of the Internet, when it went from being a series of military networks to education networks to more of a public-domain use, they started handing out these two-letter codes, right, and who would operate them. And quite early on it was a lot of community-led grassroots techies who raised their hands and said, we'll do it. And that probably helps explain some of the ccTLDs in the higher education community around the world, because, yeah, Comp Sci department, yeah, this seems like it's right in line with the type of thing they're doing. But John's our origin story, and he started doing all of the registrations for .ca on paper in a ledger, him and a team of volunteers. So it wasn't a computer under his desk when it started, it was paper and pen. And fun fact, the University of P.E.I., Prince Edward Island, was the first .ca domain minted. And in 1998 John did something which is still astounding to me, but is again very indicative of people of John's sort of generation of the Internet. He did something very self-sacrificing and turned the delegation for .ca over to a newly incorporated not-for-profit, CIRA. And we now have been managing .ca since 1998. And really it was John's recognition that in order for this to become a public good and scale up, it needed dedicated resources, dedicated time. It needed to have a national focus. And through a tri-party agreement between UBC, CIRA and John, the delegation shifted to us. And we've been managing it ever since. And John has been so good as to be on our board as an advisor, and has actually gone on to found Webnames Canada, who's a registrar. Wow. In BC, and still very active in the community, and just a great guy to hear some war stories from, from the early days of the Internet.
A
And I think it's important to remember that history and remember there was a time where people put the notion of a public good first. We live in the era of oligarchs and the big tech company and everything else. And it's a good reminder that, hey, a large part of this is built on the goodwill of a lot of people who just wanted to see the best. And there's this other part of the story that I really enjoyed in our past conversations, around there's a bit of an Amazon kind of story to CIRA with respect to getting into cybersecurity. So you have to build this infrastructure to run this domain. It becomes really popular and then you have to get really good at keeping it online. And so the first foray is into that core plumbing of the Internet. Right. So I think you told me it was the anycast DNS that was the start of all this adventure.
B
Yeah, so it's authoritative DNS, is the type of DNS, if you will, for all of our wonderful techie folks who want to dig into it, and we anycast that authoritative DNS. You could do it different ways. But yeah, I think there's two elements to it. There's the technical part; I'm going to walk down that analogy in a minute. But before we move on from the public good element, I think it's a very poignant thing to unpack, because John's decision to make it a for-Canada thing really shapes the way .ca is administered today. Like, we are a registry that is known as a closed registry, as in we have registration requirements more than just put down your money. And so if you think about .com or some of the big TLDs like .de, which is actually the German equivalent of .ca, if you have the cash and you can give a piece of identification for your business or for yourself, then you can register a domain and nothing else matters. For .ca, you have to prove that you're a Canadian resident or a Canadian incorporated company, or else you can't get a .ca. And by virtue of doing that, it makes it inherently Canadian. You have to have ties to Canada and the economy here to get a .ca. And partly because of that as well, we have one of the lowest abuse rates of any domain out there. If you think about it, when you get phishing scams or you get to bad sites, it is very rare, if ever, that you will see a .ca show up in that space. And that's because if I need to go and try to pretend to be something I'm not, I'm probably not going to go to CIRA and say, here's my passport, in order to register my website. And so that decision for John makes it inherently Canadian. It makes .ca really what we say: .ca means local, really, and it makes it Canadian. It allows us also to really focus in on making it safe and secure and trusted. And so it's really at the heart of that decision that John made a really long time ago. And we continue to try to live up to that.
So moving from the history to the technical history. Yeah, the .ca piece: every registry, really, around the world makes the choice of do I build my own software or do I buy it from somewhere else? And in the early days, everyone just built it. Right? You just did that. And we're now on version four of building that infrastructure, and it's got to be the system that's always up. Because if you're not available, then first and foremost, when a major commerce website wants to sell a new domain and a new hosting package, they can't get that domain. And if you've ever registered a domain: I want it now. I searched for that name, I found it. I want it before someone else gets it. So time is very important. And then in order for the Internet to work, you actually have to be able to, all the ISPs in the world need to be able to know where to find that domain name. And that's where the authoritative DNS comes in. So if we go and register, I don't even know if it exists, davidshipley.ca, maybe you already have, does
A
and it is registered as a .ca.
B
There you go. It has to get distributed out around the world. And the more places around the world that can respond authoritatively to say that this is where you find that site, the quicker that user experience is. And so in order to make .ca performant and really high quality, no matter where you are in the world, CIRA has data centers around the world where we have DNS servers that can respond to this is where you find your .ca, this is the server to connect to. And that does two different things. It makes .ca really performant. So if I'm a Canadian business and I'm selling overseas, then people should get a good user experience. If I'm a Canadian traveling overseas and need to connect to my government website or whatever, I should get a good experience. But when you think about the cybersecurity aspects, a lot of websites, a lot of web services get these distributed denial-of-service attacks that we hear about in the news. A ransomware or a botnet happens, and what it's doing is a distributed denial of service. It's flooding a site so that legitimate traffic can't get there. One of the beautiful things about DNS is it's architected to be really resilient and really scalable. And when you anycast it, it actually means that the response will come from the fastest location. Typically that's going to be the one that's geographically closer. So if someone's trying to hammer away at me from a nefarious far-off place, if I have a server close to that location, then that traffic stays in that region. If I'm a legitimate Canadian trying to find davidshipley.ca and I'm in Canada, a lot of that flooding traffic never even hits a Canadian network. It never gets here, it never interrupts my user experience. So that scale that CIRA has been able to build over the years makes .ca more performant. It helps us mitigate some attacks that Canadian businesses using a .ca might otherwise have.
And as we built up, we actually ended up becoming authoritative for just over 500 TLDs around the world. So we started with one, we're at 550 plus and counting, and that's about 1/3 of all delegated TLDs on the Internet today.
A
Wow. And that includes some countries that have partnered with CIRA to say, okay, we want to use your software and infrastructure. And so this is some really cool made-in-Canada tech that's become global infrastructure. But you guys didn't just stop at anycast DNS. You then got into the DNS firewall business. And I think it was between the anycast DNS and the DNS firewall that I first met CIRA, when I was running the security program at the University of New Brunswick. And so that became a big part of your activity. And you started with the organizational DNS, but then you're doing something cool for everyday Canadians. And this is something that I think ties back to this public good theme that we'll probably keep revisiting. So tell folks a little bit about, okay, what is this not-for-profit doing for regular citizens who don't pay you a dime?
B
Sure. As a not-for-profit, we don't have shareholders, we have members. So we're a member-based not-for-profit. If you're a .ca domain holder, you can register with that domain as a CIRA member. And once you do that, you can vote on bylaws, you can help shape what we do next. But what we do with surpluses of revenue, when they exist, is we reinvest into programs. And so some of those are cyber. I'm going to do a quick audible and do a call-out for the grant program that we run, which is also funded through the same way. That grant program is for digital programs, connectivity programs, digital literacy and security programs. We do about a million to a million and a half dollars a year in grants for Canadian organizations that want to tackle problems in their community. Great program. But the other thing we do is operate the cybersecurity tool called Canadian Shield. And Canadian Shield is a different type of DNS. So everyone's computer, when you type in the address that you want to go to, it uses a recursive DNS which tries to find where to go on the Internet to connect to that website that you were looking for. And when you do that lookup, the recursive DNS server returns back and says this is what site your computer needs to connect to, and it goes and makes that connection. And so pretty much any modern device that exists on the Internet doesn't know the other server immediately. It has to look up the address because it's dynamic, it moves around. Especially in modern cloud-based infrastructures, things are shifting and moving and load balancing. For all that wonderful resilience that we want, when they're not going down, they're shifting all around. And it's one of those things where recursive DNS, because it's in every network, it's intrinsic to almost how every device gets onto the Internet. You can actually say, we know that server is actually serving something bad and I'm not going to connect your computer to it.
And essentially that's what Canadian Shield does. It gets threat intelligence from commercial partners, government partners, groups like the Canadian Cyber Threat Exchange. So for our business customers in Canada, if you don't know who they are, look them up, they've got a great mission. Another not-for-profit doing great work. And that point right there: let's just say that we have this list of known bad stuff. There's no reason to connect you to it, because maybe you clicked on a phishing link that came over a text message or came through your email. We can block that and tell you that site is actually associated with phishing, so we didn't make that connection. And it's very easy to set up on your phone or on a router at home. And that just protects those devices from things that we know are bad. And over time, those lists are continually updating. Something can come off a bad list. But at the bare minimum, we ensure that those lists are updated and maintained. And if you look at the stats, there are updates to those threat lists in the feed every day. We do about 20 million blocks a month. Wow. For the half a million users that are using that filtering. But the other element that Canadian Shield provides, even if you don't want the blocking, a lot of people say, no, you know what, I know what's bad, I know what's good. We might have a debate, those folks and I; even the best of us get fooled sometimes. But the other part of Canadian Shield is it provides an encrypted DNS, because I think one of the things that users have become really keen on is they look for the HTTPS, they look for the little lock symbol in their browser. Am I on a secure site? And more and more, when I talk to users, they say, well, what do I need? I'm already secure in the browser. Under the hood, all the requests for where to find that website are going out unencrypted.
And that data set is very heavily sold and resold for consumer profiling, for advertising, all those types of online things that maybe are getting a little bit frustrating for users these days. And so CIRA provides an encrypted DNS as part of Canadian Shield, so you can secure that the same way you secure your browser. And CIRA's commitment is we don't resell data, we don't provide any personally identifying information to anybody. We delete all that data after 24 hours. It's really only kept around long enough to know that the service is working properly. And then one other thing we do is we take the list of all of the domains that we blocked on behalf of those users, and we take that list and we submit it to public feeds that are used by the government and other Canadian businesses to say, we've been blocking this, you should block
A
it too, so that concept of cooperative, collaborative defense becomes part of it and everyday people can benefit. It's funny, I was doing the math in my head. So 500,000 people, 20 million blocks a month, average four blocks per person per month. That's a lot of saves for a goaltender. I know my Maple Leafs could probably use that kind of goaltender, but hope springs eternal. And so that's awesome. And then you and I, we work together, and just transparently, for folks listening, Beauceron has been partnered with CIRA for a number of years. And what I really enjoy about our partnership is they're not exclusive to the following areas, but you certainly have made it a core mission to make sure that you're serving them, which is municipalities, universities, schools and hospitals. They're kind of bread and butter for CIRA. So talk to me a little bit about serving that community's needs.
B
Yeah, I think, to steal a little bit from the Beauceron branding, there's a bit of a pack mentality. When you can get people together in a community, that collective group can protect each other better. You get communities together, they typically have similar constraints, whether it's funding, whether it's technical aptitude, the type of folks that are attacking them, and that allows you to align on tactics and, in many cases, procurement. How do we bring down the cost of access to top-notch security tools? How do we service customers in a way that makes sense in their segment? Because a municipal operator is not the same as a higher ed operator. Higher ed or K to 12, they've got students, and students are very different than an employee who's got an employment contract. The expectations and the types of risks that are on those systems are different, but a lot of the same core technologies can be used. We build a program for cybersecurity training which looks different for a student than it does for a municipal worker. The platform itself is the same, but you change the content, you change the approach to whether or not you send phishing emails or you do competitions. And so a lot of CIRA's focus is making enterprise-grade and enterprise-quality security tools available to sectors that are often left behind in the funding, who often have a challenge with maybe the long tail. You might have very large organizations and members. A city like the City of Ottawa will likely have a different cyber budget than the City of Fredericton, where you are, just because of populations and tax bases. Right. But we want to try to bring those groups together, procure standard tools and approaches, so that, one, everybody gets better protection. But also you can baseline across the country. Right. If we're all using similar tools, we have a way of determining how we're doing. We can share intel because our tools are compatible.
And so a lot of what we're doing is trying to make everything accessible, but also bring a Canadian context. You can get things like our DNS firewall or our anycast DNS from global vendors, and many of them are really top notch, but we're focused on keeping data in Canada, keeping jobs in Canada. And in many cases, when you're talking about threat intelligence and attack vectors and things like that, there is a unique Canadian context to that. Canadian organizations may be getting hit by different types of attacks at different times than the global sort of players. And so a lot of what we're doing is operating in that Canadian context, especially as you consider what's going on. I know you spend a lot of time looking at the regulations and what the heck's going on in the regulatory frameworks, as do we. There is a real unique Canadian context to how that's developing. And so we try to build products that can help people meet those compliance requirements in Canada, and take some of the time that we have to also advocate for more transparent regulation. And in some cases maybe regulation's not the right path; best practices are. And sometimes regulation is needed, but there's the balance there. Right? And having an advocate out there who can provide tools but also can help speak to what's going on, more or less, can help.
A
So the core business was selling .cas. You got into the security side, you had the infrastructure, you had the technical know-how. It started with the core stuff that you guys knew in your DNA: DNS and other things. You went and found partners for other things, like us on the awareness side, which we brought our skills into. But in the last few months, you guys have headed into an area that's really interesting and really hard. I think you've been doing endpoint for a time, like a year or two, and you can probably correct me on how long you've been at that. But then you announced something in the last couple of months that really caught my attention, in terms of managed detection and response. And I don't know of another not-for-profit that's offering this kind of service anywhere, let alone in Canada. And so I'm curious about this. This is a whole new level. Why did you guys decide to get into this if there's a lot of players in the space? And then how and why have you chosen to evolve with it, and who are you partnering with to bring that to life?
B
Yeah, there's a lot of questions to unpack there, David, but I think, in general, there's a high level of how did we get to the fact that that's what we do next? To a certain degree, if you look at the traditional CIRA world, it was very network focused: DNS, network security. We started to work with the human layer when we started working with training and yourselves. And really, as Covid accelerated so many things, it also accelerated a lot of security being shifted out to the edge and the endpoint. Much more of us are working mobile, maybe completely remote. And that necessitates the fact that you can't put a big moat around the network and the office and just keep all the bad folks out that way. VPNs don't have enough bandwidth to VPN everyone back to the office to get them inside the moat when they're traveling. So you've got to bring security further down the chain, onto the mobile, onto the desktop. And that's really what we saw happening in the sector. And things like our DNS firewall were becoming part of these endpoint stacks. And in fact, we work with some endpoint detection and response partners that embed our firewall in that. But what we saw was a challenge for, again, that public sector clientele to be able to deploy at scale. Everything was geared towards enterprise deployment models, enterprise pricing models, and what is good for big tech. And what is good for big tech is getting you into the ecosystem and getting you consuming compute and storage and a whole bunch of other things. And quite often those larger packages are forcing you to buy a large suite of things to get at that sort of nugget that you wanted. And so for us, we saw that the need was there in the market; at that point folks needed endpoint security to be able to detect these different types of threats. We are, at our heart, an operator of infrastructure. So we look at it from a standpoint of we're good at building product.
So let's take a stack, let's start to build it, and let's operate it in a Canadian context, hosted in Canada, again, Canadian compliance standards, Canadian threat feeds, and put a sustaining program together around some really top-notch open-source software that does this type of stuff. And in pockets across the country you'll see organizations using it. But what they needed to really scale it out is a commercial entity that will support it, that will patch it, that will security scan it. It's not that the technology and the tool doesn't do the job. It's that I need someone I can contract with that's going to fix a bug when it's found, who's going to support me when I don't know how to configure it. And so putting that support model around it is really, I think, one of the things we're doing, and pushing that integration of the Canadian context compliance framework into the tool. So side by side, doing things like French translations, getting Canadian compliance metrics in there, that's all things we're doing software-wise, and building the tool so it's cheaper to deploy. Take an open-source tool; it doesn't mean it's easy to put it into an enterprise tool like Microsoft Intune, right? So if I want to roll it out to 50,000 people, I don't want to have to do that manually one at a time. So that's really what we're doing to add to this really top-notch tech stack. And the next phase of that is once you get over that hump of being able to collect the security data. And a lot of organizations don't get over that hump. They burn out the staff or they burn out the dollars before they collect all the important information. And you don't actually get to what everyone's trying to do, which is remediation and response. They talk about security orchestration, automated response. Often people get stuck on getting the data in and never get to the response
portion. And so, bring costs down by bringing this group together, by lowering the barrier to entry, getting more people in there, and then getting them focused on what they want to do when something goes wrong. Because as security professionals we'll tell everyone now: it's not if you get hit, it's when you get hit. And so you should be planning on the remediation stage. And so one of the things we do is we include an automated workflow response tool in the base package. There's no buy the data collection and then go and get the automated response. No, it's part of it. And we then launched a managed detection and response partner program. So security operations centers, eyeballs on glass, tools looking at real-time data feeds to make the recommendation of: all of these 50 alerts that are sitting on your dashboard in red right now actually mean you've got one firewall to patch, and this is how you go about patching it, or I'll patch it for you. And so we said CIRA is not a security response organization. So we're going to partner with a number of folks to do that. So we started a partnership program. Calian, who's a great Canadian company, a very large security and IT shop, is the first partner to provide their security operations center here in Ottawa and in Toronto. We'll have eyeballs on glass and be able to push a button and shut down a device if it's doing bad things, or help someone reconfigure a network. And that basically gives a large or small Canadian organization that wants to work with us the ability to say I've got every endpoint collecting critical security data and I have security professionals sitting 24 by 7 ready to respond if something's gone wrong. I don't have to wait till the next morning when people come in with their Tim Hortons cup in hand and say, oh crap, there's been 10,000 alerts overnight. What the heck happened?
Not saying that's everyone's case, but I've heard enough stories of we had all the data, we just didn't push the button in time, or we weren't able to correlate those alarms with those alarms fast enough. That's the problem we're hoping to solve. Get people the data, get it in front of people who know how to respond to it. Limit the blast radius by having as quick a response as possible. And we hopefully, through this partnership program, will bring on some more partners in the security orchestration and security response space to better serve different markets, whether it's geographic or vertical markets.
A
Right, it's funny. When I was the security lead for the University of New Brunswick, you really nailed the Monday morning. I walked in with the... because we have a Tim Hortons on campus, and I put my coffee down and I opened QRadar up, and we had been used to attack a secure US government hosting cloud provider a hundred million times over a weekend. And you want to believe that I had some furious email writing and some apologies to write, and, really sorry, that our high compute network, which was recommissioned on a Friday afternoon and the students rushed and they left it wide open on a public class B IP address with default Linux credentials, was used by the following actors from Russia and Romania and China to go after you. Here, we've got all the receipts. Please do not think that this came from us or anyone associated with it. So yeah, would have been nice to not have to do the cleanup on that two days later and go from there. So completely get the response. And I think this brings us back to, before we get to some more of the more fun questions before I let you off the hook, back to this concept of public good. And I say this as a for profit company, but there are lots of times where I wake up and drive to work and I drive by the fire station and that's not a for profit company. And a lot of people don't know that. A lot of fire stations started off as for profit entities. But eventually we started to realize that there was a balance here, that there's a need for some public good. And we now have that because we still do have police departments and we have private security companies providing augmentation to that police capability. But sometimes, John, I think we're still not there yet in cybersecurity, and I think there's room for more organizations that are public good, be they not for profit or government, which gets a little problematic because of privacy and other things. But I think that Cira plays an important role.
And I think the easy question here is obviously, yes, but you've been in the private sector, you've now you're in the not for profit sector. How do you feel about that? What's it like doing this from that perspective?
B
I think quite honestly, in the right organization, all we're doing right now is having a conversation about tax status, right? If you are running an organization like we do at Cira, which is focused on doing a job well, then it doesn't really matter to a large extent if the dollars that end up at the end of it are going into granting programs or to give portions of the software away for free or they're going to shareholders. I think it may change to a certain degree some of the investment strategy because for us, we don't have to turn profits year over year. We don't have to necessarily return it as quickly maybe. But at the end of the day, we can't sit here and burn cash either because we have to fund what we're doing. We can't go and raise money like a private company can. You can't just go out and issue some shares or some stock or even take some things like tax credits in Canada that are often used for private sector development. So it does change the way you have to go about funding some of the initiatives. I think for me that's a big part of it. The other side of it is from a staff perspective, we're all clearly aligned to what the organization is trying to do. It's not just here because it's the place I could make the most amount of money. Maybe it is for a lot. It's a great company that everyone's aligned on: there is good we can do for Canada. This is also good for me because I'm in a technical company. A lot of people associate not for profits with being not technical, or maybe more they associate not for profit with charity, and not to cast aspersions on charities. They do amazing work. But that's a very different mindset than just being a not for profit. And so I think that's a big part of where it is. There's a very strong alignment to the mission in the organization. That is our North Star. Our North Star is not money, it is the impact. And we need to bring in a certain amount of money to make that impact.
So you do get to financial goals, but not as the first measure. We have this... the first management meeting I had, I remember having this conversation around a mission money matrix. I'm like, what is that? And there's this intersection and this balance between the mission and enough money to keep the mission moving forward that we always need to do. But if we're doing something and there's no mission value, then there's no point in doing it. And that's an ethos and a mindset from a management perspective where if we can't demonstrate how this connects to the mission, then let someone else do it because that's not core for us. So it can be a real, I think, galvanizing thing. But at the same time it also helps inform our potential customers of what our motivations are like. Our motivation is to get more people protected under these programs. And so I think that maybe sometimes helps with the conversation because we're coming from a place of we have something to offer that we think is valuable to you. If you'd like it, great. If you don't, if you have something else, great. But at least you need to have something. And I think in an ideal world, long term, way down the road, when John's old and gray, maybe Cira doesn't need to be doing some of these things because there are Canadian organizations that are doing this at the scale that's needed and we're a trusted entity for holding the data, which I think is part of why it works. Well, we run dot CA. We've done that for almost 40 years now. Next year will be the 40th anniversary of dot CA because it was delegated originally in 1987. And so yes, we only took over in 1998 from John.
But we've got a long track record of doing things, and doing things, I think, that are in the interest of Canada, is well respected, and we try to carry that baton into cyberspace in a way that, you know, if you're getting something from Cira, we're going to stand behind it, we're going to do our best to operate it the best possible way we can, with a Canadian mindset. And for this sort of front of mind.
A
It's funny, I'm still processing. I had no idea there was a dot us. Yeah, seriously, I just, huh. It'd be a great fishing debate. No, I'm kidding. But in all seriousness, we, you know, pivot away from sort of the Cira story, and you sit in an interesting place because of the kind of data, the kind of threats you get to see, the kind of work that you get to do. And so if we put on the John as a cyber expert hat for a bit, and if I had to ask, and I'm going to, what keeps you awake at night in 2026? What's the thing you're like, oh, I just, I don't like this.
B
There's so much to unpack in that question, David. I'm a father of two young children. There's a lot of things that worry me about what happens down the road, what's happening today. Frankly, we're at a strange inflection point. I think maybe more than ever people would say, or you might be able to make an argument, that the Internet's bringing a lot more harm to certain portions of the population than good. And Cira definitely is in a position where we believe that the Internet can be and is a net good, but there are portions of the population that disproportionately get hit by the not so good. And certainly the youth are part of that. We see a lot of regulation going on in different parts of the world, like in Australia and the UK, where they're moving to change access to social media, where things like online harm protection are being much more codified in law. And that's a recognition. And I always say if we get to regulation it means that it's probably been a problem for a very long time, because regulation never gets there first. And so I worry that can we keep up with the protections, with the rate at which the creativity of the bad folks keeps leaping forward. So the AI push that is accelerating a lot of this stuff means that we have to look at, unfortunately, a lot more automation as well in the response and in the security mitigation. And that creates a situation where it's hard to keep quote unquote trusted hands on things because the attack speed is now coming at machine speed. If you're not defending with machine speed, you're falling behind. And so figuring out how to build trusted automated machine speed security is the thing that kind of rattles around in my head. A bad day in cybersecurity, as you described at the university, is really bad. And it doesn't take much to absolutely obliterate someone's life, their life savings, their online, you know, their whole identity can be erased or co-opted.
And that's a big responsibility you take on when you become a cyber person for your organization or your home or anywhere else. And that stress factor I think weighs on everyone who's meaningfully in cybersecurity. But figuring out how we keep up with some of what's going on, that's probably the thing that worries me the most, because I think we're getting to a time where it's hard to know what to trust when you look at it online. And I know when we're sufficiently gray and losing hair that we can say, hey, I'm losing it too. It just hasn't gotten there yet. Rocking the gray, that we're in this mode where we look at something, we're like, yeah, I don't think that's... I might go and look at two or three or four different places before I'm gonna say, okay, maybe I trust that. I really fear that we're losing that critical thought on where is this coming from? Why is this showing up in my feed? Like now, everything is a feed. People don't even ask, why am I seeing this? Am I going out and finding a dissenting opinion? It feels like we're losing that craving for understanding the other side of a conversation. And that makes me worried that we're just going to continue getting pulled into these extreme versions of things, which makes it really hard to come together and defend together if we're too busy arguing about these strange extreme points of view on everything.
A
Is it a white and blue dress or is it a gold and blue dress? Remember that? That was a thing we got into. Everything on the Internet becomes a fight. No. And it's interesting because I think back to your example, John. This is not the future people poured their hearts into to try and build a more connected society and to create opportunities for knowledge and sharing. And I think in past Cira events I've heard the slogan connected Canadians. And I still believe that on the whole we can accomplish good. But I think you're bang on that there are absolutely particular segments of society, women, visible minorities and others, who bear disproportionately the costs of the Internet, the harms of the Internet. I remember one of the hardest cases I ever worked was supporting another university where it was non consensual intimate image abuse at a whole new level, where an individual was... she was targeted by another former student and they just kept blasting it across the school emails, listservs, it was. And the sociocultural dynamics behind some of this meant this person was never gonna be able to go home ever again. It was beyond the typical horror of this stuff. So those kind of things, they can be haunting. And certainly you and I have seen more than our fair share over the years of the horror stories. But let's change the dial for a second and look at either what gives you hope or what do you think could change that would be hopeful.
B
I've kind of had this conversation with a lot of folks. I think I would say with any new technology evolution, the bad often comes before the good. It's easier for the folks that are looking to do bad things to try things sooner because the risk of failure for them is low or never observed. Someone who's trying to breach a network using AI, if they don't breach that network, no one ever really knows about it. They haven't lost anything per se. But the security defense that uses AI that makes a mistake and screws that up is all over the newspaper. They're maybe losing their job over it. And so being an early adopter of new technology is often not for the quote, unquote, good folks. The folks that are trying to do... we got to get through the bad stuff. We got to figure out how to harness it responsibly. So I do think the better days are ahead as we learn exactly what this can be and we can entrench what the new norm needs to be. Like when the Internet wasn't the Internet, or when VoIP first came out, how long did it take before people got rid of their home phone? But it was one of the great things I love about the neighborhood I live in. Every Easter we have an Easter egg hunt with the kids in the neighborhood. And it's awesome. But it's also a moment where every single adult on the block, even if you're not a parent, they're out walking around as the kids are ripping around the neighborhood looking for chocolate and whatever else, and you're chatting. And we were having this conversation this weekend about, do you got a home phone? Should I have a home phone at home now? Because we don't really need kids on Snapchat or other social media type tools to communicate with one another. Why not pick up the phone and talk to someone rather than a 15 second... and change the dynamic of some of the social interaction. But it was interesting for me that the moment now it shifted back to simpler technologies.
I want a flip phone because I don't need the distraction of all of this other stuff. And so we went through this cycle of smartphones being great and we did all these amazing things for productivity, and now we're maybe getting to a point where maybe they're not as great or they're not as useful for every use case. Maybe I don't need to be connected 24 by 7. And maybe I have some hope that, rather than being anxious and worried about it, maybe people will put a newfound onus and preference and desire to connect in person and do things real. Because I think as much as you and I are benefiting from the Internet right now and doing this podcast online, it's hard to ever substitute the time you spend sitting around the boardroom table or around a meal and having that connection. And I think as a lot more of our world is becoming AI influenced or inflow influenced, it's less substantive. And so I'm hopeful for my children and for myself and for everyone else that these moments of connection with people become more valued as we are starting to feel some of the flip side maybe of the virtual extreme that I think we've gotten to. Covid really pushed us down that acceleration path. But I'm hopeful that people will have a renewed appreciation for time spent together and what that means and what that quality time can help us learn and build those communities that have been there to support us for so many years.
A
No, I really appreciate that. It's funny, in the Zeitgeist at the moment, I was reading this morning that there's a trend of cafes and restaurants that are now asking people not to bring their smartphones, or to put their phones in a locker, and have those genuine moments of connection. And I think you spoke to something really powerful here about maybe we just gotta find the balance, and maybe we find that we can still have the best of the Internet. And it's not just about knowing when to put your smartphone down. It's balancing the worst impulses of for profit capitalism and tech concentration and all of those issues with maybe the right size players or different players providing alternatives for people that give them more options on those sides. So really appreciate the conversation. I know we've covered a lot of ground. I just thought it would be great for people, not just Canadians, but everyone listening, to think, okay, it's not just Google, Apple, Microsoft, Cisco, all of the names that people hear, but it's not just the regular names, that there are really interesting organizations that they probably have never heard of doing really impactful things to help protect people and small businesses and organizations. So really appreciate your time today and the chance to tell a little bit of the Cira story, and for me to share with folks listening or watching a bit of what I've had the chance to learn with your help and from Cira, and to celebrate this idea of the public good and the impact it's had. So really appreciate your time.
B
Thank you, David. It was always great to chat, including
A
the fact that you may not know this, but there is a country code for the United States and it's not dot com. Let's get started. I don't know if Jim's still there, but maybe I'll get a rating and review from him later on, how I did an intro. You get to watch me try and do that on the fly. John, thank you again so much. I'm sorry that we had to do the rerecord, but hopefully it's even better the second time around. I thought there were a couple of really great moments. The whole thing was great. But I really appreciate you bringing it back to thinking about what it's like, first as a father and then as the bigger picture. And not without some irony, those two tech guys talking nostalgically and optimistically about what if we all went offline again. And speaking of offline, I hope whenever I'm allowed out of the office again, now that I've been returned back to myself from my Asia trip, I will get a chance to see you. But hope things are well. And thanks for the time for sure.
B
Okay, sounds good. Thanks again.
A
Take care, sir. Cheers.
Date: May 16, 2026
Host: David Shipley (A)
Guest: John Ferguson (B), Vice President at CIRA
This episode explores the evolution of the Canadian Internet Registration Authority (CIRA), which began as a grassroots effort to manage Canadian websites and has grown into a major global force in DNS infrastructure and cybersecurity. Host David Shipley interviews John Ferguson, VP at CIRA, to discuss CIRA’s origins, its unique not-for-profit mission, its global reach, groundbreaking cybersecurity programs, and why public good remains at the core of its operations.
“It’s been a real organic growth—looking really close at the outputs and the data and then looking at the things, and then from the things to the bigger networks and systems that are used by modern business.” – John Ferguson
“Not for profit, private organization. So we don’t take any public funds and we are part of the government. What we do have is a directive from Industry Canada…” – John Ferguson
“It wasn’t a computer under his desk when it started, it was paper and pen... John [Demko] did something very self-sacrificing and turned the delegation for DOT CA over to a newly incorporated not-for-profit, CIRA.” – John Ferguson
“…For .ca, you have to prove that you’re a Canadian resident or Canadian incorporated company, or else you can’t get a .ca. And... we have one of the lowest abuse rates of any domain out there.” – John Ferguson
“…The more places around the world that can respond authoritatively, the quicker that user experience is… CIRA has data centers around the world where we have DNS servers.” – John Ferguson
Canadian Shield & Public Good: CIRA offers “Canadian Shield,” a free DNS-based cyber protection service for everyday Canadians, blocking phishing and malware sites and providing encrypted DNS—no personal data is resold.
“Canadian Shield is a different type of DNS... we know that server is actually serving something bad and I’m not going to connect your computer to it. And essentially, that’s what Canadian Shield does.” – John Ferguson
Data Privacy Commitment:
“CIRA’s commitment is—we don’t resell data, we don’t provide any personally identifying information to anybody, we delete all that data after 24 hours.” – John Ferguson
“When you can get people together in a community, that collective group can protect each other better... we try to bring those groups together, procure standard tools and approaches so that everybody gets better protection.” – John Ferguson
“What they needed to really scale it out is a commercial entity that will support it… So putting that support model around it is really, I think, one of the things we’re doing and pushing that integration, Canadian context, compliance framework into the tool.” – John Ferguson
“We’re going to partner with a number of folks to do that. So we started a partnership program. Callion... will have eyeballs on glass and be able to push a button and shut down a device if it’s doing bad things...” – John Ferguson
“Our North Star is not money, it is the impact. And we need to bring in a certain amount of money to make that impact... If we can’t demonstrate how this connects to the mission, then let someone else do it because that’s not core for us.” – John Ferguson
“With any new technology evolution, the bad often comes before the good... But I do think better days are ahead as we learn what this can be and we can entrench what the new norm needs to be.” – John Ferguson
The episode highlights CIRA’s transformation from a registry for Canadian websites to a global DNS powerhouse and a standard-bearer for mission-driven cybersecurity. John and David stress the ongoing need for public good in the digital realm, the practical importance of not-for-profit stewardship in the cybersecurity ecosystem, and the hope that technology, responsibility, and community can still create a safer, more trustworthy Internet—especially in an age of rapid change.
Listen for: