Canada’s Sami Khoury says cyber defense must expand beyond government networks
Sami Khoury, a longtime Canadian cyber leader and the Government of Canada’s senior official for cybersecurity, says the threat environment now extends far beyond the systems and institutions that first defined the field.
Speaking with Frank Cilluffo on the Cyber Focus podcast, Khoury pointed to critical infrastructure, operational technology and cross-border coordination as central to that shift. “These days it’s not just an IT issue and we have to pay attention to OT,” Khoury said.
Over the course of his 34 years in public service, Khoury said, Canada’s cyber posture has expanded from defending government networks to supporting a wider ecosystem that includes critical infrastructure, public-sector organizations and private operators. The point is both strategic and practical: if the systems that keep a country running are increasingly interconnected, governments cannot afford to treat cyber as a narrow technical problem inside their own walls.
Khoury argues that when much of the infrastructure at issue is owned outside government, partnership with industry is not secondary to the mission; it is part of the mission itself. The same is true internationally. As he put it, “We know that cyber, and it might be cliche, cyber knows no border.”
Khoury also describes a threat picture that has grown harder to cleanly categorize. Traditional distinctions between state activity, criminal behavior and looser proxy or hacktivist operations have become less reliable, complicating both attribution and response. “It’s no longer government on government, it’s government on private sector, it’s mercenaries on private sector, it’s mercenaries on government or hacktivist on government,” he said. “So it’s completely asymmetric and it takes a whole team to basically make a difference.”
That asymmetry, Khoury suggests, creates two related challenges. One is workforce: governments need people who can interpret patterns, think like adversaries and make sound judgments in an increasingly blurred environment. The other is preparedness for emerging technologies that will reshape both offense and defense. Khoury argues for a broader talent pipeline built around analytical ability rather than narrow technical pedigree.
“It’s not necessarily that you’re the best coder or that you are the best hardware architect,” he said. “We want people with the critical thinking skills.”
That same mindset shapes Khoury’s view of emerging technology. AI may offer real gains, but deploying it without adequate security review can create new vulnerabilities just as quickly. Quantum poses a different kind of challenge: not hype, but timing. Khoury’s warning is that organizations cannot assume they will get a clear signal before the post-quantum era becomes operationally urgent. Institutions that wait for certainty may wait too long because, as he puts it, that post-quantum future “will not come with a press release.”
Khoury’s broader warning is that the cyber landscape has already changed, and institutions that fail to adapt to its wider, more interconnected realities will struggle to keep up.