In this episode of The Defender’s Log, host David Redekop interviews Sami Khoury, the Senior Official for Cybersecurity for the Government of Canada. With a career spanning 33 years at the Communication Security Establishment (CSE), Khoury shares how a coincidental job application blossomed into a lifelong passion for national security.
Khoury emphasizes that modern cyber defense is a team sport. He discusses the evolution of the CSE, particularly the 2018 creation of the Canadian Centre for Cyber Security, which enabled crucial collaboration with the private sector. This partnership is vital for sharing threat intelligence and protecting Canada’s digital infrastructure, intellectual property, and economic security.
Addressing today’s top threat, Khoury identifies ransomware as a persistent and evolving challenge for Canadian organizations. He explains that attackers have shifted from just locking systems to data theft and extortion. While there’s no law against paying a ransom, he cautions that it fuels the criminal ecosystem and offers no guarantee of data recovery.
Ultimately, Khoury’s message is one of proactive defense and collaboration. He encourages organizations to build resilience and highlights CSE’s role in creating a safer digital space for all Canadians, underscoring that cybersecurity is a shared responsibility.
Full episode of The Defender’s Log here:
Cyber Warriors: Insights from Canada’s Cybersecurity Leader | Sami Khoury | The Defender’s Log
View it on YouTube: https://www.youtube.com/watch?v=i8W-FljMVDE
Listen to the episode on your favourite podcast platform:
Spotify
https://open.spotify.com/episode/0re8S6g4fTjcgZLIvFEHJ3
Amazon Music
https://music.amazon.ca/podcasts/d7aa9a19-d092-42a6-9fe9-9e8d81f68d30/the-defender’s-log-podcast
ADAMnetworks
https://adamnet.works
Intro Announcer: What was the original spark? I’m not afraid to fail. I do what I do because I enjoy it. You could not download a Linux distribution from the US. There is a lot of money to be made in the ransomware ecosystem. That is so simple. Why doesn’t everybody do it? We have a budget, but so do attackers. Our digital infrastructure is so vital. We had no ability to interact with the private sector. When did you do your best learning? CSE called and said, “Can you come to Ottawa for an interview?” That’s how it all started. Wow. That is really a source of encouragement for me for the next generation of defenders. Let’s try new ideas and try them fast. Oh, that’s where we need to go.
Deep in the digital shadows, where threats hide behind any random byte, a fearless crew of cyber security warriors guards the line between chaos and order. Their epic battles are rarely spoken of until today. Welcome to The Defender’s Log, where we crack open the secrets of top security chiefs, CISOs, and architects who faced the abyss and won. Here’s your host, David Redekop.
David Redekop: Welcome to another episode of The Defender’s Log. This is episode number 007 and my guest Sami Khoury is actually even more special than just that number. Sami has been in the Communication Security Establishment for at least as long as I have been and he now serves as the senior official for cyber security for our government, the Government of Canada. Welcome 007.
Sami Khoury: Good morning, David, and great to be with you on this special edition of the podcast.
David Redekop: It is really good to have you and I was just thinking about this number 007 and the number seven has such an important meaning in my life and I’m wondering if that number appears elsewhere in your life too.
Sami Khoury: Well, I mean there’s the connotation of 007 and the life at CSE. There’s also my parking spot happened to be 007 coincidentally. So, so yes, if you go into our parking lot, you’ll see that I’m in the building or I’m not in the building. So, another coincidence, but yeah, it’s the aura and the mystique of being in that intelligence security space.
David Redekop: Well, maybe the 007 parking spot is not so much a coincidence. Sami, have you thought about that? Maybe it’s meant to be a coincidence to you. Maybe greater powers at play. So we are all part of a greater ecosystem and we only have visibility so far, right? And that visibility component seems to be cropping up over and over again in our world. Well, I’m glad that you had the opportunity to set aside some time and it is cyber security awareness month in October which is really good and I’m glad that we get to spend some time together today. You’ve had a pretty rich life as far as cyber and defense is concerned, given that you’ve been in the business as long as I have been, I figure, I’m just roughly guessing. Yeah. What did I see? You’ve been a research engineer since 19... Well, you started in 1992 as a research engineer. Yeah. I’m always curious about someone who’s been in this space for as long as we have been. What was the original spark or the original passion that evolved to your long-term engagement in the cyber space?
Sami Khoury: You’re right. I’ve been at CSE now 33 years. I joined in 1992 having finished my master’s in Montreal at Concordia University. I will say that how I landed at CSE is probably a coincidence because back then I was finishing my graduate studies. You were looking for employment. You look through what used to be the blue pages of the phone book for those who remember when we had phone books and at the end of the phone book there used to be the blue pages which were all the government agencies and I was specifically looking for the communication research center having done my studies in communication acoustics and those kind of things so CRC and just under CRC I saw CSE with the name communication in it. So I said I might as well apply there too. So I sent my resume to both CRC and CSE and lo and behold CSE calls and said can you come to Ottawa for an interview and that’s how it all started. So again it’s coincidence that I landed where I am. I think the intrigue of the organization, you know, I went to the library, tried to find stuff on CSE. Back then very little was known about the organization. There was barely an article or two. So that added to the mystique of the intrigue of saying that organization. The going through the clearance process and being offered a job that you didn’t know much about also added to the intrigue. So I guess I can say I came for the intrigue but I stayed for the passion. The mission kind of bites you and you know since 1992 I’ve had like you said a very rewarding career at CSE. I spent 25 years on the intelligence side of the house then the CIO of the organization at a fairly interesting time during the pandemic. So transforming the organization IT-wise during the pandemic and more recently as the head of the cyber center last year transitioning into that role of government of Canada senior official for cyber security. So that’s the trajectory of my career over the last 33 years or so.
David Redekop: Wow. That is really a source of encouragement for me for the next generation of defenders that we’re looking to raise and bring into the space to show that there are lots of different paths that can lead to a rewarding career. And really a rewarding career is where you feel that you’ve had a positive impact. Uh would be one of the I would guess would be your way of measuring that as well. So, you now provide expert advice to senior officials, to deputy ministers. Can you tell us a little bit about what your day-to-day looks like today?
Sami Khoury: The day-to-day varies. So, there are no two days alike, just like there are no two cyber incidents alike. Today, for example, we’re recording that podcast, but I’m also preparing for an overseas trip next week. So for getting my notes ready if I’m not traveling which I do a fair bit of travel sometimes inside Canada sometimes outside Canada. So outside of those travel windows where I end up speaking at events. So earlier this week I was in Toronto speaking at a supply chain risk management event. Last week at an insider threat event. Next week I’m in London. So outside of that window I participate in some committee on cyber security. It could be, you know, associate deputy minister level. It could be deputy minister level committees where hopefully I provide some of my perspective on sort of the evolution of our cyber security landscape or some current thinking around our digital landscape in government and beyond. I am participating in other meetings at CSE. So while I am at CSE, I also am part of the executive committee of CSE. So I do take part in some of these meetings when I’m not traveling. So that’s a bit of the day-to-day that keeps me busy getting ready for travel, you know, recapping outcomes from trips that I might have taken or conferences I might have attended and seeing how we can connect more dots and otherwise read and catch up on email. So that’s what a day-to-day would look like in my life.
David Redekop: It occurred to me that we used to always look at the difference between technology innovation as it happens versus public policy catching up. And that gap is what very often gets used and abused. And a lot of that had to do with just the pace of innovation, the pace of changes that occurred over the last number of decades. Well, especially since the internet, right? Is that gap getting narrower? Are we finding a way to catch up from your perspective by just more generalizing or how do we fare today compared to say 30 years ago when you started?
Sami Khoury: Policy sometimes does play a catch-up role and we work very closely with our colleagues at Public Safety when it’s sort of external policy and we work very closely with our colleagues at Treasury Board when it’s government of Canada sort of IT policies. We have to be agile in the way that we respond to the technology environment. With Treasury Board, you know, I would say it’s fairly agile in the sense that we could work with them and they would then issue to policy implementation notices where you know 90 days, 180 days, 270 days where you know there is a goal to move the yardstick forward for example on certain things like MFA. Outside of government we work with Public Safety. There is a consultation process and then there is a government agenda that has to be factored in. So we learned for example from the first national cyber security strategy which was released in 2018 that having a cyber security strategy that is outlined in 5 years might not be realistic in today’s fast moving technology environment. So the most recent cyber security strategy that was released earlier this year in 2025 has hooks in it for additional plans to be tabled. So, we’re not going to prescribe the entire cyber security strategy in a big document over five years, but we’re going to identify the pillars that that strategy is built on and then work in a more agile way to develop for example a talent plan or maybe a technology innovation plan and those kind of things. So, we do learn to adapt over the years to sort of that fast-paced move in the technology space.
David Redekop: Very good. And I’ve certainly noticed that there’s been over the last while there’s been an increased amount of transparency in terms of what the real threats are. Uh obviously as incidents occur, there’s still no wisdom in immediately sharing too much information because keeping certain information quiet and secret gives the defender an advantage. But over time that does need to come to light in order for other defenders to learn from what happened behind the scenes. I’m recalling how the NSA had these very advanced tools that were being developed within their own red team that eventually came to light and then the moment it came to light then of course attackers started to use the same strategies. Are we still in a place where we feel that at the highest levels we have a strategic advantage against adversaries without you going into details you can’t reveal? Do we still have programs that give us at the highest level that strategic advantage?
Sami Khoury: The short answer is yes. Cyber defense is a team sport and you touched on many things in your preamble to the question. So the cyber center was stood up in 2018. So prior to 2018, we had no ability to interact with the private sector. So part of the 2018 national cyber security strategy was a recognition by the government that there are some capabilities at CSE that needed to be made available to the rest of Canada and the cyber center at that point was stood up and given a mandate to sort of spread its wings across the Canadian landscape not just across the Canadian government. And that’s where we reach out to talk about alerts. We publish lots of advice and guidance and we hope that in doing so people will recognize the value of interacting with the cyber center and share with us or reach out to the cyber center when there’s an incident to share information about the incident so that the cyber center can then connect a few dots and recognize whether this is a new tactic, a new technique or a campaign going across Canada maybe against hospitals or against manufacturing. So that ability to connect the dots is something that the cyber center can do but also understanding the nitty-gritty details of what’s behind an incident is something that the cyber center could do. So it’s a two-way street there. The important role also where the cyber center is positioned is super important to touch on because it lives within CSE which has a foreign intelligence mandate and from that perspective we do have capabilities to get into I would say the cyberspace of our adversaries and understand a little bit their intentions, understand their capabilities and get a bit of a head start into predicting or anticipating hopefully where they will go or how they will do whatever it is that they will do.
So there is a very connected relationship between the cyber center and the intelligence side of the house, kind of two sides of one coin, that gives us that advantage of working together not just to understand what’s coming at us but also potentially decomposing a threat and being able to reverse engineer it as to where it did come from. So, that symbiotic relationship between the cyber center and the intelligence side of the house gives us an advantage that I would think puts us in a good position to not only defend the government of Canada network but also be up to date with the state of the threat that Canada faces out there.
David Redekop: That’s really fascinating and I’m so encouraged to hear that that is progressing forward and I’m wondering if there’s also integration with organizations like Citizen Lab out of the University of Toronto. Is there collaboration as well?
Sami Khoury: I’d describe collaboration as rings of collaboration. So at the innermost ring of collaboration of course it’s the cyber center and the intelligence side within CSE. That’s I would think the innermost ring and as you step outside then we have the tripartite with Treasury Board and Shared Services to look at, you know, government of Canada system and as we step maybe one ring outward then we work with Public Safety and other government departments to look at maybe more outward-facing public policy on cyber security. Then we get into critical infrastructure, all sectors of the Canadian economy, be it finance, be it telecommunication, be it healthcare. We will reach out to all of these in order to work with them including academia in some cases. So without naming names and saying we collaborate with one organization versus another I would say that you know wherever we identify an opportunity to work with partners out there we will leverage that opportunity. It could be one-on-one and it could be sometimes one-to-many. You bring a few folks in the room who agree to in a way park their competitiveness at the door, work in a collaborative way for the good of their cyber defenses or for the good of the country. So we will use whatever model works best and there’s no cookie cutter approach. So in some cases in particular sectors we might bring them together. Other industries might prefer to work one-on-one with us. Of course there’s always a capacity issue. But having said that the teams at the cyber center will know how to prioritize the best value for outcomes in that case.
David Redekop: Now, that’s really good to know. And if we get down to one specific incident that is now so far past that I think the world already knows all the details that are knowable about Nortel. Nortel when the incident happened, it didn’t happen overnight. It happened over a period of time and we got into this crazy place where the total market cap of Nortel represented the highest ratio of our total GDP. Like it had never arrived at that level of value in history before or since. Like that is how outsized importance we allocated to this company called Nortel. And it was a pride and joy of Canada, right? It required … It showed evidence of tremendous amount of collaborative engineering that brought necessary products to the world at the right time just when communications was really surging. Was there any involvement at that time yet from a senior government level as it became very clear what was happening with Nortel at the side?
Sami Khoury: That’s a tough question. But you know from a cyber security perspective we, collectively, we don’t like to single out specific incidents because we’re trying to build trust with the sector and we don’t know who might be the next Nortel or who might be the next victim. So my preference is not to tackle a specific incident and talk about how we help organizations protect their intellectual property so that we don’t run into similar situations. How do we help them raise their cyber resilience by sharing as much as possible, as much as we can on the threat landscape and what we are seeing and work with them to raise their cyber resilience. So myself and my colleagues at the cyber center are out there and either talking one-on-one in case there is sort of an imminent cyber danger or talking in a collective way about the latest threats. We publish twice, sorry every two years they publish the national cyber threat assessment. So that gives organizations the what’s and Canadian at large what is happening in the threat landscape and also organized briefings for particular sectors. They come to the cyber center. Sometimes those briefings are classified briefings where we share with them a sort of insight about the context of the threats or why we are warning about a specific thing. So, the idea is that you know the threat landscape continues to grow. The actors continue to get more and more sophisticated and we want to make sure that our intellectual property is always at risk. The key is to make sure that malicious actors don’t take advantage of sort of weaknesses in IT and then take advantage of those weaknesses to steal all of the hard work that Canadians have put behind innovation and then take that intellectual property and turn it around and in a way beat us to market with maybe cheaper products or faster delivery of some of those products.
David Redekop: You did tell me that you could not talk about any specific incidents, but I had to ask that one because many Canadians are interested in knowing as much as possible about that. So, forgive me for asking you anyway. Um, but our digital infrastructure is so vital to our economy and entrepreneurs globally. We are a country that still wants to invite the right kind of brain power from anywhere in the world where it exists. And the way we’re going to do that is to provide such entrepreneurs with the confidence to say in this place in this economy, you’re going to be safe and you’re going to have an ecosystem that is rich with ideas and freedom of thought and innovation, right? And so that there’s all kinds of reasons why protecting our economy, especially in digital infrastructure, is so important. Not and that’s not to dismiss our own national security, right? Everyone is more concerned today than we were a year or five or even 10 years ago.
Sami Khoury: Absolutely right, David. I mean, cyber security is national security and economic security. So we have to do everything we can from the cyber center, from CSE’s perspective, to convey the gravity or the severity of what the threat of the day is with not just you know scary messages but also with constructive capabilities to defend yourself. So the idea being that this is the threat and this is how you mitigate it. Not just this is the threat and then deal with it. So how do you mitigate the threat? And in the national cyber threat assessment with every threat there is a mitigation advice that has been conveyed but also you know paying particular focus to the research community and working with academia and how to craft secure research contracts or how do you make sure that the investments or the grants that you get from a research perspective have a commensurate investment in cyber security so that as you innovate and put Canada on the map this is not for nothing at the end that somebody manages to because I mean to be the research community is a collaborative community but also an open community. So, how do we encourage them to continue to do that, but in a safe and secure way that it’s not just a one-way street where everything I do is sort of automatically shared and maybe even abused by others.
David Redekop: Yeah, I do appreciate the fact that we really did lead the world. As far as I understand it, I am not a public policy expert, but when we implemented a privacy commissioner and made a very specific requirement that a privacy officer of any corporation in Canada must report incidents to the privacy commissioner in a very very fast turnaround time. What that did is it created the right kind of purposeful attention within the suite of organizations to say well if I’m going to be the one that’s going to be required to report the breach you know what I am going to put my absolute best defensive foot forward to prevent that from happening and then we saw a number of other countries follow that as well. So that was definitely a good example where we led by doing the right policy at the right time.
Sami Khoury: There’s a lot to be proud of in Canada, not just on the policy side, but also on the innovation side. And often I hear in my engagement that Canada punches above its weight. We are recognized, you know, in things like AI and things like quantum as having quite the rich and vibrant and innovative ecosystem that we need to protect. So how do we work with those you know academia with the startups with the companies to make sure that they appreciate the threat but also protect their investments so that it doesn’t go out the back door. Your point about privacy is super important and you know our identity is our crown jewel at the end of the day and you know it’s in the news every day there is a breach that results in identities being stolen and then bartered on the dark web. So protecting the privacy of Canadians is important and falls to the privacy commissioner. We are very much interested in understanding how the breach happened and how we prevent other breaches like that from happening. There is a clear separation between the privacy commissioner and the role of CSE and the cyber center. So corporations need to understand their obligations from a privacy perspective toward the privacy commissioner but also you know I would say their role as good corporate citizen because there is no obligation to report incidents to the cyber center but I would hope that their role as good corporate citizens to recognize that there is value in reporting that incident that we hold that incident in the highest respect and privacy as you pointed out and as I mentioned. We don’t talk about the incidents publicly and I will never go out publicly and shame a company or talk about an incident that they suffered and because we want to build that trust and we want to continue to interact with them and learn about how it happened. So one is an obligation in law for the privacy commissioner and the other one is being a good corporate citizen.
David Redekop: Yes, exactly. I have a quick story. I want to relate it to you at a generalized level. I almost had to reschedule this call because a couple of days ago we assisted an organization to segment their domain controllers that were part of a fairly flat network. And the important thing was to put the domain controllers in a separate network segment altogether. And this was not unplanned like this was planned in a very detailed way to do it in a method that would cause no disruption. And no matter how much planning you do and no matter how much buy-in you have from all those teams that you just described because the net decision was made that there is some risk. However, the value is that in our target state, we have a very strong security posture that will prevent X, Y, and Z type of attacks. X, Y, and Z, X, Y, and Z. You can tell I am speaking a lot to our American friends. So, I’ve almost adopted the American pronunciation. What ended up happening is the entire project went about six times longer than we wanted to. But once you go down a path, you get to a certain level where a rollback is no longer practical, right? And so it’s very interesting. But the other story that I remember from back in the 80s is remember the United States had a strong encryption export prevention in their public policy. And so as a result, you had simple SHA, I think it was SHA-256 that could not be exported as part of any code. And since that was... Yes. And since that was part of every basic Linux distribution, it meant that you could not download a Linux distribution from the US if you were not in the US. Do you remember that?
Sami Khoury: I remember something along those lines. But I know Canada also had its export control legislation and we are part of the Wassenaar agreement which limits you know for example the export of cryptography to certain countries and it started with DES 64-bit then it went to triple DES and so yeah absolutely it’s an evolution of how do we live in a global system but still manage it in a thoughtful way.
David Redekop: Let’s switch for a moment to evolving cyber threats where I don’t know if public policy plays as much of a role in it or maybe it does. When you started your research, it was a completely different landscape than it is today. And what are your thoughts on the fact that ransomware continues to gain momentum as we see it today? Is there any bright white light at the end of this tunnel as we fight this?
Sami Khoury: You’re right in the sense that ransomware continues to be the number one threat that Canadian organizations will face and not just Canadian but around the world but because we are Canadians I would say Canadian organization there’s a very high likelihood that they will be a victim of ransomware as the number one threat that we are seeing. Why is it flourishing? There is a lot of money to be made in the ransomware ecosystem you know and the malicious actors have adapted their tactics and techniques over the years. As you know it used to be that they would lock your system and ask for a ransom. As we got better at having backups and told them we’re not going to pay the ransom like go away I have a backup, they moved to well I will steal information now and I’ll lock your system. So we’ve seen some cases of that double jeopardy where they would lock your system and steal, well steal the data first then lock your system and ask for a ransom and if you didn’t pay the ransom then they will threaten to leak the data and force you to pay it that way. And now we’re seeing less of locking systems up and more of stealing data out of networks because that data has value and they found a way those malicious actors have found a way to monetize that data in the dark web. So any organization that sits on a pile of data becomes eventually at risk of having that data stolen and then bartered on the dark web and consequently a ransom asked to be paid so that the data is not sold. So are we seeing a bright light at the end of the tunnel? I would hope that the more we talk about the threat, the more we talk about what organizations can do to defend themselves, we’ll have less and less incidents of ransomware. We’re not there yet. So it’s important that we don’t take our foot off the pedal as we say and continue to talk about the plight of ransomware to get organizations to continue to invest in raising their cyber resilience in encrypting the data.
You can steal the data but if it’s encrypted it’s of no use to anybody. So encrypt the data and build strong defenses around your network. It’s not just a technology piece. So there’s a lot you could do in the technology but also there’s a human dimension about training about educating education and all of that to build you know a strong cyber security posture to make a dent on cyber, on the ransomware. In Canada there is no law against paying ransom. Often when I’m asked a question I say it’s a business decision. If a company wants to pay the ransom, it’s up to them to weigh the pros and cons of paying the ransom. But it’s important to recognize that in paying a ransom, you are in a way putting money back into that ecosystem. So you are fueling the development of new capability. You are dealing with a cyber criminal and there’s no telling whether or not they will hold their end of the bargain. Some cyber criminals claim that there’s honor among thieves. You know, that remains to be seen. Paying the ransom will not rewind the clock and will not get you back into the pre-incident state. And there’s no guarantee that if it’s known that David paid the ransom that another cyber criminal will come after you to say, well, if he paid Joe, then he might pay Jim or if he paid LockBit, then he might pay cop or whatever. So those are some of the pitfalls or some of the considerations for paying the ransom. Two other thoughts I would add to that ransomware conversation working with industry with things like secure by design, secure by default to make the products more secure from the get-go.
So you don’t want to buy a product and either security becomes an option that you have to pay for or buy a product that the security is not well thought of and you have to consider or you have to spend a lot of energy securing the product. Like ideally you want to get it out of the box, put it on your network and have it secure by default and that’s why the secure by design upstream, secure by default. The other thing I would mention is CSE in 2019 received some authorities to conduct cyber operations. And those authorities give the organization the ability to figuratively speaking slap people on the wrist for misbehavior. And in our annual report, we have acknowledged that we have carried out some of these activities. We quote the number in our annual report and that we have imposed the cost on cyber criminals. We don’t go into details against whom and how but it’s a capability that CSE has put to use since getting those authorities in 2019.
David Redekop: That is really good news. I did not even realize that. So speaking of secure by design, secure by default, you and I actually met at a cyber security event in Washington DC of all places. And I remember very distinctly Dr. Amit said, “You need to speak with Sami and there’s like 30 people around you trying to get your attention.” When we finally got through the queue, you were so gracious saying, “Okay, I’m sorry, but you only have two minutes.” I’m “Okay. Let me tell you about Don’t Talk to Strangers in 2 minutes.” And I remember so clearly you made very good eye contact with me and it was very clear that you understood and that you said “That is so elegant. That is so simple why doesn’t everybody do it?” And I’ve taken some time to think about that question but I thought now I’m going to pose it back to you. Why do you think everybody doesn’t do it?
Sami Khoury: We teach our kids not to talk to strangers, but from an IT perspective, don’t talk to a stranger. Don’t go to a website that you don’t know. It’s still not ingrained in the way we live digitally, right? And you get an email with a link, this element of curiosity, you click on the link. So, defenses are often pushed a bit upstream with DNS or other capabilities. So that maybe will substitute the due diligence by blocking you from going to a malicious website. So how do we train individuals? I think it is part of what that education process I talked about earlier and a podcast like yours where we convey the sense of there is maliciousness out there. So, and it’s getting better and better, or at least those malicious actors are getting better and better at blending into the goodness that’s out there. So how do we make sure that we stay on guard? We spot or we distinguish the stranger that is malicious from maybe the stranger that is good and don’t talk to the bad strangers as opposed to don’t talk to the good strangers. So when I spoke to you at the conference, you were a good stranger, but there might be some bad strangers out there that I don’t want to talk to.
David Redekop: Right. Right. Absolutely. I guess in our vernacular what we’ve been using is that once a domain is trusted and it resolves to an IP address, then at that moment, when the source has been verified, the destination has been verified and it now resolves, now that IP address is not a stranger, right, for a short period of time, because our services are severely operating under ADHD, so they forget a second, 60, 120 seconds later, whenever the time to live expires; you know, they’re a stranger again. Anyway, so yeah, but I like this idea as well of good strangers versus bad strangers, because in real life that is how it is. And I’m having a fun experiment with people that are aware of the risks, that have that educational component already that you describe. And my encouragement to them is please click on every single link, because that way you’ll be forced to go through all of the layers of protection, and if there is something that, you know, still ends up being leaked through, then we want to know about it. We know it’s going to be less than 01%. But nothing is 100%, but our intent is to close that gap as much as possible, to make it so expensive for the attacker to ever be able to do anything malicious that they just leave and go elsewhere. That at this point, we feel, in 2025, in October, cyber security awareness month, is the single philosophy that I think will work: just making it too frustrating for the attacker.
Sami Khoury: You mentioned something absolutely right, David. We have a budget, but so do attackers have a budget, and if we keep raising the cost on them to conduct or to carry on a malicious act, at some point they will run, that budget will run out or they will figure it out. They’re too hard to go elsewhere, and like you I don’t care where they go as long as they don’t come to Canada. So we’ll push them, we’ll push them out of that Canadian landscape. The other thing is we’re proud to have been partnered with CIRA, the Canadian Internet Registry authority, with Canadian Shield, which is a way of stopping you from talking to what I would say bad strangers. It’s a capability out there that you could install on your web browser or on your home router that in a way warns you about going to websites that we know are, amongst other things, malicious. So we serve maybe as a broker to help you navigate the internet and don’t talk to those that we know are bad strangers.
David Redekop: Yes, absolutely. And you should also know, Sami, that this CIRA protective resolver is in our list of resolvers that’s built in to new DNSharmony accounts along with Quad9 and Cloudflare for families and so forth. These are services, just so everyone knows, that don’t cost the consumer or business anything at all, by just at least pointing your DNS to a place that will block known bad strangers, you know, from a DNS perspective. So it’s amazing that we have this resource, but it’s still not a default with internet service providers. If we can make it default for some web browsers, that, you know, they come configured for, let’s say, the Canadian, some Canadian resources, that would be amazing. I remember when Firefox first launched with DoH capability, they did a deal with Cloudflare for that to be a default, not the protective one, but the open DO one. A similar kind of an approach would be really valuable for those that might, you know, be in that space that would have that kind of influence.
Sami Khoury: I would agree that would be a better protection than no protection, right? Anything is better than nothing.
David Redekop: Real briefly here, if my research is correct, you received the Queen Elizabeth Diamond Jubilee Medal and the Apex Award of Excellence for Innovation. What do those rewards mean to you personally, Sami?
Sami Khoury: I don’t know. It’s, like, I do what I do because I enjoy it, because I have passion for the mission of CSE, and, you know, many of the things I’ve done over my career are unfortunately things that I can’t talk about, but they have made a difference, and to be able to be recognized or to get that recognition, you know, is a reward in a sense. You know, there’s not going to be a book, there’s not going to be a movie, there’s not going to be, you know, a public celebration of something I was involved in that made a difference, you know, from an intelligence perspective. So for the first one, for Queen Elizabeth, that was sort of a contribution over my career on the intelligence side of the house. For the innovation award, I’ve always been one to push the envelope on innovation. I’m not afraid to fail, but the idea is let’s try new ideas and try them fast. So ever since, you know, I joined in ’92, it was, you know, this is cool but let’s make it cooler, and I think we have made significant advances in how we tackle some of the challenges that we tackle because of that mindset of innovating and, you know, miss this how we did it yesterday but let’s try to find another way. So giving my teams, when I was a manager or director ODG, that latitude to try new things and to support them in that endeavor, and if they fail it’s not about a blame game, but it’s okay, what have we learned, and let’s move on. So those two things are a recognition from the leadership of CSE for the contribution I’ve made over the years to be a recipient of those awards.
David Redekop: And I want to say the Canadian cyber security landscape has benefited from your failures because the failures had resulted in the success. I had so much fun with one of my sons this week that was emotionally down about the failures and I said, “You know who’s a bigger failure than you? Your dad. I failed and I failed and I failed and I failed and then I got up again.” And it’s so key because we don’t get to the answer in an easy way. If we ever ask somebody, “When did you do your best learning?” they never share a white fluffy easygoing story. It is always about the failures that preceded the discovery, the absolute disappointing results that finally led to the one bright light bulb. Oh, that’s where we need to go.
Sami Khoury: You know, as a manager, you have a role to support your teams. So, and I think since joining CSE and becoming a manager, this has been sort of my motto and my way of working is I’m there to support the team and make their life easier. So, clear the hurdles and make their life easier so that they can do what they do best, which is get the job done.
David Redekop: Sami, I feel like we’re both at a place where we’re in our prime in the sense that I feel like the positive impact we can now have is only bright. And to that end, what is the one bit of hope or one bright beacon that you see or one piece of information that you’d like to leave with anybody that’s reading this transcript or listening to it or watching this podcast?
Sami Khoury: The bright one piece of advice. I mean, listen, this is a very exciting space we are in and living exciting times, notwithstanding the cyber security challenges that we are seeing, but it truly is a team sport and we would need to encourage young folks, young people to join. You know, it used to be that, you know, maybe it’s rare these days to have somebody join an organization and stay 30 years in one place, but so more and more we’re seeing young folks join CSE and then after a few years get the itch to go to the private sector, and it’s no longer seen, teasingly I say, you know, you’re a traitor for leaving us, but it’s actually, it enriches the ecosystem, the Canadian ecosystem, to, when you come to CSE you get the perspective of what we do here and then you go and work for the private sector. Sometimes you come back, sometimes you don’t, but it truly, making that partnership work is, more and more we’re building that partnership, it feels more like a team sport now. It’s no longer, you know, just one or two people. And we need all the voices out there, your voice, my voice, and many other voices to continue to promote that need to make a difference while we continue to innovate. So, Canada has been known for innovation. We’re respected worldwide. We have an amazing story to tell on cyber defense. You know, we are recognized by many of our peers as leading the pack when it comes to cyber defense and defending the government, but how do we push that beyond just the government walls and encourage that partnership with the government? We are trying. I remember we had a chief of CSE many years ago. He said we need to think and act like the private sector, recognizing that we work in the government space, but we need to act and speak and move with greater agility, and that’s what we’re trying to do in those partnerships. So my hope is that we will make a big difference and we will take all the help we can get because we need help.
I don’t have the entire solution to Canada’s cyber security challenges. Neither does my colleague at the cyber center. But we all have to add our voices to yours and many others and continue to drive the message that you know that perseverance will pay off and we will be in a better space and a happier space.
David Redekop: Our mission at ADAMnetworks is very simple. We protect people. And so having gotten to know you and a better understanding of your role in the CSE and all of the other areas where you carry an influence has me in a place of gratitude. Thank you for what you do for making the world a better place and for allowing us to complete our, or keep on working on our mission. I’m not sure we’ll ever complete it, but we will keep on working. So thank you, Sami, for coming on today, for spending time with me, and I look forward to seeing you at future conference events.
Sami Khoury: Thank you David for that opportunity. It’s a great kickoff to cyber security awareness month and I very much enjoyed our time together and maybe have an encore at another magic number not 007 but we’ll find another one to live through together at some point.
David Redekop: That sounds good. And then maybe at that point it’ll be an order of magnitude or not. But I have so many sevens, as I was thinking about this, this morning on my drive in. Yes. So I look forward to sharing those with you as well. And yes, let’s do an encore. I agree. Bye for now.
Sami Khoury: Bye.
Outro Announcer: The Defender’s Log requires more than a conversation. It takes action, research, and collective wisdom. If today’s episode resonated with you, we’d love to hear your insights. Join the conversation and help us shape the future together. We’ll be back with more stories, strategies, and real-world solutions that are making a difference for everyone. In the meantime, be sure to subscribe, rate, write a review, and share it with someone you think would benefit from it, too. Thanks for listening, and we’ll see you on the next episode.
*** This is a Security Bloggers Network syndicated blog from The ADAM Blog - ADAMnetworks authored by Carly_Engelbrecht. Read the original post at: https://support.adamnet.works/t/tdl-007-cyber-warriors-digital-shadows-insights-from-canada-s-cybersecurity-leader/1485