Full Report
Sami Khoury, a longtime Canadian cyber leader and the Government of Canada’s senior official for cybersecurity, says the threat environment now extends far beyond the systems and institutions that first defined the field. Speaking with Frank Cilluffo on the Cyber Focus podcast, Khoury pointed to critical infrastructure, operational technology and cross-border coordination as central to that shift. “These days it’s…
Analysis Summary
# Industry News: Expanding the Perimeter: Canada’s Shift to Ecosystem-Wide Cyber Defense
## Summary
Sami Khoury, Canada’s senior cybersecurity official, is advocating for a strategic pivot from protecting government-only networks to defending the entire national ecosystem, including critical infrastructure and private sector Operational Technology (OT). This shift emphasizes that in an era of asymmetric threats and blurring lines between state and criminal actors, national security is inseparable from private sector resilience.
## Key Details
- **Date:** April 8, 2026
- **Companies/Entities Involved:** Government of Canada (Cyber Centre), McCrary Institute (Cyber Focus podcast)
- **Category:** Strategic Policy Shift / Market Analysis
## The Story
Sami Khoury, head of the Canadian Centre for Cyber Security, warns that the traditional "siloed" approach to digital defense is obsolete. During a discussion on the *Cyber Focus* podcast, Khoury detailed how the threat landscape has evolved into an asymmetric environment where mercenaries, state actors, and hacktivists target both government and private entities indiscriminately.
Khoury highlighted two specific technical and operational frontiers:
1. **Operational Technology (OT):** Cybersecurity is no longer just an "IT issue" but a fundamental requirement for the physical systems (power, water, manufacturing) owned largely by the private sector.
2. **Emerging Tech Readiness:** He signaled an urgent need for "Post-Quantum" preparation, noting that the shift to quantum-resistant encryption must happen before the threat becomes "operationally urgent," as the change won't be heralded by a clear warning or "press release."
## Business Impact
### For the Companies Involved
- **Government of Canada:** Transitioning from a service provider for federal agencies to a strategic partner for the private sector, requiring increased resources for cross-border coordination.
### For Competitors (Security Vendors)
- **Market Expansion:** There is a growing opportunity for vendors specializing in IT/OT convergence and quantum-resistant technologies as government mandates likely follow these strategic warnings.
- **Service Shift:** Security firms must move toward offering "critical thinking" and analytical services rather than just automated software tools.
### For Customers (Critical Infrastructure & Private Sector)
- **Increased Accountability:** Private operators of critical infrastructure should expect deeper integration with government intelligence and potentially stricter compliance requirements regarding OT security.
- **Partnership Opportunities:** Firms can leverage government expertise more readily as the "mission" expands to include their protection.
### For the Market
- **Talent War:** Khoury’s focus on "critical thinking" over "coding pedigree" suggests a shift in the cyber labor market, valuing analytical and adversarial mindsets over narrow technical skills.
- **Investment Focus:** Likely acceleration in the "Post-Quantum" and "AI Security Review" software categories.
## Technical Implications
The focus is shifting toward **OT Security** and **Post-Quantum Cryptography (PQC)**. Khoury notes that AI deployment must be coupled with rigorous security architecture reviews to prevent creating new vulnerabilities, suggesting a "security-by-design" approach for AI implementation.
## Strategic Analysis
- **Market Positioning:** Canada is positioning itself as a leader in "whole-of-society" cyber defense, mirroring the U.S. CISA model but emphasizing international coordination.
- **Competitive Advantage:** Nations that secure their private sector OT and prepare for Quantum early will maintain economic stability during future high-intensity cyber conflicts.
- **Challenges:** Managing the "blurred lines" of attribution makes it difficult for private companies to know if they are fighting a criminal or a nation-state, complicating insurance and legal responses.
## Industry Reactions
- **Analyst Opinions:** Analysts agree that the asymmetry described by Khoury (government-on-private sector attacks) is the "new normal."
- **Expert Commentary:** Frank Cilluffo and McCrary Institute experts underscore that the interconnectedness of cross-border infrastructure makes "cyber silos" a liability.
## Future Outlook
- **Predictions:** Expect a surge in public-private partnerships (PPPs) specifically aimed at OT protection in the energy and finance sectors.
- **What to watch for:** The rollout of government-led Post-Quantum migration frameworks and new standards for "AI Security Reviews" before deployment in critical systems.
## For Security Professionals
Practitioners should broaden their skill sets beyond traditional IT security to include **OT/ICS (Industrial Control Systems) knowledge**. There is a clear signal from leadership that "critical thinking"—the ability to think like an adversary and interpret complex patterns—is currently more valuable than rote technical execution. Resilience plans should now account for the "post-quantum future" immediately, rather than waiting for a specific trigger event.