Kevin Quigley

Title
Professor (Prof.)
Organization / Affiliation
Public Administration – Dalhousie University

Kevin Quigley spoke 19 times across 1 day of testimony.

  1. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Sure thing. I want to start off by just saying thanks so much for having me at the panel discussion, and also thank you, Professor MacDonnell for your pronunciation of “MacEachen” which is spot on, so you have established your credentials, your Maritime credentials. So threats to critical infrastructure come in different shapes and sizes. The climate change and natural disasters are the ones that get a lot of attention these days. They include floods, wildfires, hurricanes, earthquakes, and ice storms. There can be terrorist plots like the Toronto 18; terrorist attacks like 9/11; labour unrest like the strike action; environmental protest at seaports; cyberattacks like the one we saw in Estonia in 2007 which disabled part of its banking infrastructure; industrial failures, which can be sometimes accidents that result in bridge collapses, train derailments; there are nuclear examples like Chernobyl, for example; water contamination like Walkerton; contamination of food supply, an example like a foot and mouth disease spread. So threat level can be understood in terms of risk, and I note there’s been quite a few references to risk in some of these panels’ discussions, so risk is perhaps a little bit worth unpacking at this point. Risk is generally understood as a function of probability and consequence. So on the consequence side, all of these events are consequential when they occur, judging by dollars lost, property or reputational damage, or body count in the case of death. By taking a step back, some can be more consequential than others, and these consequences are not necessarily viewed or shared equally. On the probability side, some of these events occur more often than others. So when we think of 9/11, it’s likely a once-in-a-lifetime event; we hope. When we think about wildfires and hurricanes, they occur from time to time, and in the same regions from time to time. So I’ll note Halifax, for instance, we’re on a hurricane path so every few years we have a pretty devastating hurricane that blows through the region. Another distinguishing feature is the presence of a malicious actor. When nature disasters occur, we can build up infrastructure to protect ourselves; dykes, for example, to protect against flooding in flood-prone areas. When you have a malicious actor, you have an adaptive agent so protecting airports might result in a malicious actor targeting trains. So when you’re trying to protect yourself against those who would do your harm, you have to take a holistic view, otherwise you’re building half a fence. And as they say, building half a fence is no fence at all. Finally, I’ll just underscore that the importance of access to predictive data is an important consideration when examining risk problems. The number of car accidents is actually very predictable every year; year-in and year-out it’s pretty stable. The number of terrorist attacks or bridge collapses is not. This necessitates a different approach, which I think we’ll explore in more detail during the discussion. I’ll stop there.

    33-094-19

  2. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Sure. I’ll just add a couple of terms I think that are useful in terms of thinking about risk problems that can maybe complicate or simplify things for us a little bit. I think one is we often talk about resilience in this field. The term gets used a lot. I feel like it’s probably losing a little bit of traction just because it gets used all the time to describe a whole bunch of different things, and I think it has many, many definitions. But usually, when we talk about resilience, we’re talking about some sort of adaptive capacity or flexibility or some capacity to bounce back after a failure. That’s really important, the capacity to bounce back, either through some sort of technical means or organic means. But I’m not really sure that fully satisfies the discussion today, so there are a couple other terms that I think are worth thinking about. One is the concept of redundancy, so when we’re thinking about managing risk, the question is, do we have redundant systems in place. So we might think about multiple bridges rather than one bridge, so if we’re thinking that -- when we think about redundant systems, it’s the concept of having another system in place that can help us to achieve the same goal if the first system fails. Now, that’s an expensive way to manage risk, but nevertheless, that can be important if you have a critical system in place, so do we have some redundancy in place that can manage to step in, let’s say, if the first system fails. And the second concept is the concept of robustness in our infrastructure. And so when we’re thinking about robustness, and I’m referring particularly to the International Risk Governance Council framework, when they talk about robustness, they’re talking about systems for which there isn’t necessarily redundancy, for which there isn’t necessarily resilience. And therefore, we have to make a special effort to protest that infrastructure or to make that infrastructure strong because if it fails, there will be massive consequences, cascading effects to the failure. So I think this concept of redundancy and robustness can be helpful for us today.

    33-106-21

  3. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Sure. So I would like to maybe unpack a little bit of the complexity that Professor Boyle has articulated about on the sort of owner/operator relationship of critical infrastructure. So as noted, there's lots of private sector ownership, and the number of 70, 80, 90 percent gets kicked around, as Professor Boyle suggested. I'm not really sure how you would measure that, but the number gets used. It's certainly said frequently that the Federal Government does not much own much of the critical infrastructure. Most of it in government hands is with the province or municipalities, but not actually a lot with the Federal Government. What we can say, however, is that telecoms, power supply, and banking, which are often referred to as the iron triangle of critical infrastructure, for those inside the club, these are largely privately owned. Sometimes infrastructure is publicly owned but privately managed, like airports. In short, the private sector plays a significant role in most of the critical assets on which we rely every day. I think this is actually a very important theme when we return to Professor Boyle's or we recall Professor Boyle's definition of what critical infrastructure is, these are assets we rely on entirely on as a country every day. They are largely in private hands. Public Safety Canada often plays a coordination role between these owners and operators, and absolutely it has taken on -- it took on new interest in the sort of post 9/11 world and the post Y2K phenomenon, as Professor Boyle has mentioned. Public Safety Canada encourages relationship- building and information-sharing, but it is a fairly light touch regulation. There are a number of reasons why private companies, and public too, it's fair to say, but private companies don't wish to disclose information about vulnerabilities in their infrastructure. At a minimum, their share value would be at risk if they disclosed the vulnerabilities that they were carrying. On another point, if you consider the list of 10 critical sectors that Professor Boyle articulated at the outset, they are very different in terms of governance. There's a number of factors that work against a standardised approach. Some are regulated by the Federal Government, where some are regulated by the provincial and municipal government. Some are monopolies, some are oligopolies. Those two in particular have particular concerns from a risk of point of view, we have to make sure they don't fail because they're monopoly service providing a critical service, so there's usually great concern for government to work with and protect those monopolies and oligopolies. Other sectors, though, are highly competitive markets for which individual failures would not be that consequential at a macro level. So I'll just maybe underscore this point about trucking, and may Professor Chandra has a follow-on comment to make about this. But it seems to me when we think about trucking, there are so many service providers. I mean, the bridge itself is a single point of failure, looking at the Ambassador Bridge, about which we have to be concerned, and I know there has been concern about, you know, dropping the number of truckers, et cetera. But nevertheless, there are a number of trucks and some number of trucks could fail and it wouldn't really be that consequential at a macro level, unlike say a bank failing, which would be very, very consequential. So the way we manage the risks in the sector can be quite different because the characteristics of the sector are very, very different. I think I'll also just mention that some failures can impact individual communities. So again, going back to something like Walkerton water contamination, obviously a huge impact on Walkerton. The failure of a particular hospital can have a consequence for a rural community. But again, these are not issues that will necessarily raise questions about national stability, whereas a bank or an airline failing could actually have a much greater impact nationally in terms of national stability. So those are some of the characteristics I would say that make the space very complicated in terms of having some standardised approach. I think we've defaulted into, as I've mentioned, and I think Professor Boyle has noted, a kind of coordination role that Public Safety Canada plays, but perhaps an absence of strong standards. I'll pause there.

    33-114-07

  4. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Sure, so I think there are a couple of ways I would think about this. One is the category of infrastructure itself and then I'd like to talk separately about how these risks are socially constructed, which is a little maybe closer to my research area. I think that on the question of the category of risk itself, it's worth remembering that government is a category on that list of 10. And so if we were to identify government as a place that had to be protected and couldn't be a target of protest, then that would mean, say, for example, no more protests in front of the Ontario legislature. And I can tell you my whole life I've seen protests in front of the Ontario legislature for a number of different reasons, and I can't imagine us saying that you can't protest there anymore. So there would be one element of almost the absurd. I will say though that there might -- where I think it might get a little trickier, and I've mentioned this to Professor Boyle, if you think about something like nuclear technology that's been a kind of a flashpoint for protests for decades, there may be some genuine concerns about safety and security in protesting around that environment, so there's tension there, I think. Obviously, it's an area where there have been a lot of concerns though about the use of technology, nuclear technology and protests. You also have some disasters and crises. So I think there's -- that tension has to be managed there I think with some of these areas where there could be some serious concerns about safety. But I want to just shift a little and talk about social construction of risk and how threats and events happen in a particular context, that the concerns are amplified and shaped in the moment and will influence the tools that are invoked. So natural disasters are frequently referred to as acts of God. Traditionally, they're seen as nobody's fault, although I think that's changing a bit more with a lot of the climate discussion. But traditionally, they're seen as nobody's fault, and that makes it harder to hold people to account. So, for example, decisions to build infrastructure in flood-prone areas, you know, who made those decisions, when did they make them, why did they make them, and can we hold those people to account afterwards when there's some flooding. That's harder if we think of acts of God as nobody's fault. So where we build infrastructure can put people in harm's way in natural disasters and we need to think about that. In contrast with industrial failures like bridge collapses and train derailments, accountability can be actually rather narrow and ruthless, and I'm talking about the sort of popular media context. It can often neglect the broader context in which risks are managed in industrial settings. So, for example, not just the owner of the infrastructure, but also the inspections that occurred, the training culture that exists, the safety culture that exists, and I would point to Lac-Mégantic as providing some examples on this front that the accountability was rather narrow, and in fact, there were a number of different organizations that shared some responsibility for the rail derailment -- for the train derailment, pardon me, on Lac- Mégantic. So in the particular context of the protests in February, popular media plays an important role in amplifying and also in attenuating risks. So here I'm referring to mainstream media, not the discussion we had earlier today that focussed largely on social media, although mainstream media have social media outlets, of course. So between January and March 2022, according to our research, there have been nearly 600 articles published across the Toronto Star, the National Post and the CBC News on the Freedom Convoy. In contrast, cyber threats normally get very little coverage, partly due to the complexity of the issue, partly because companies don't want to disclose their cyber failures when they occur, and partly due to the absence of a central figure in the narrative. We often don't know who is responsible for cyber attacks. There is no "bad guy" to frame the story. So while these events can be highly consequential, they don't get nearly as much attention and certainly not as much media attention. I'll just put the little caveat, that if you can get a bad guy or some sort of famous celebrity associated with the technology, you get a lot more media coverage. But if it's a hack for which no one knows who's responsible, it gets a lot less attention, but it may be very, very consequential. And then you contrast that with a protest where you had 600 articles in 3 main media outlets in Canada over 1 month. That's a lot of media attention. I'll also point out there's ambiguity in the polling data and public sentiment that occurred in February. A February poll by Angus Reed indicated that 70 percent of Canadians opposed the protesters approach and behaviour. A separate poll reported by the Economist noted that 46 percent of Canadians believed the protesters frustration was legitimate and worthy of some sympathy. So you have this sort of highly fluid popular context where you're not -- people seem to be opposed to the method but sympathetic to the cause, so it's maybe a little bit difficult to interpret where popular opinion landed. This, of course, matters to politicians and policy makers where public opinion stands at a particular moment in time in the middle of these crises. And finally, there’s the capacity -- and I want to go back to this notion of private ownership and highly concentrated power. There’s the capacity of powerful actors in society to shape views. Larger, better funded companies have stronger lobbying capacity, and typically have better access to decision-makers. They are better able to shape and influence the manner in which governments understand the problem. So comparing major banks’ or airlines’ ability to influence decision-makers, to the individual truckers that Professor Chandra referred to, for example, would suggest that there -- that some have better access and influence than others. I note that the last week, that Minister Freeland referred it -- to the Commission, she referred to discussions she had with the CEOs of banks during the protests. This is not unusual in these kinds of events. I’ve studied many of these events before, and it’s not unusual for CEOs to engage with Ministers in different countries, during these crises. I’m not suggesting it’s wrong, but it seems to be the case that powerful interests have ready access to governments during these events. Less organized, less well- funded organizations have less access. I’ll pause there.

    33-125-13

  5. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Sure, I think I can offer a couple comments here. I think I'll preface my comments with just a general observation I feel I -- I feel about this field generally and I've felt for a long time. And one is this bias - - I know there's a question about, you know, should we have a list of critical infrastructure, and I think that the -- I always -- I'm always a little sort of suspicious of that sort of approach that somehow critical infrastructure can be put on a list on a spreadsheet and we can say those are the critical assets and we have to protect them. And I think it's because of this earlier point that I made that there's this sort of contextual piece that goes along with these crises and disasters. They happen in particular ways, in particular moments, they're amplified certain ways, there's a certain amount of hysteria that obviously goes along with -- often goes along with it. And so whoever is responsible has to deal with all of those circumstances in that particular moment in time, and then often has to respond in a way that seems reasonable, which is quite challenging. And so critical infrastructure, you know, we talk about the Ambassador Bridge, clearly, this is a piece of very significant infrastructure for the country. There are other times though when you see, like, these sort of small bridges to a village in Newfoundland, or some, you know, single road going to a territory that is there for delivering food supply to those communities and for those communities that is critical infrastructure, and they depend on it. So it may seem small in sort of mezzo macro level terms, but it's important for those particular communities. And I think it's worth noting as well that a bit along the lines of Professor Boyle's comment around Indigenous communities, you know, rural communities often can be quite vulnerable because they have very little infrastructure, but what they have they're depending on as a sort of lifeline for the community. It's also the case in small ---

    33-141-27

  6. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Sure, by all means. It's because my comments aren't scripted in that case, so I just get all kind of worked up when I start to -- I shouldn’t have prefaced it, you see. I shouldn't have prefaced my comments. So I think, anyway, small communities I think have little infrastructure and what they have they depend on. And, you know, even more so the case with telecoms failures and whatnot where you've got small communities that when telecoms fail, they can't call ambulances and things like that during crises. So my point simply is that to establish a list and say this is the list of critical infrastructure I think would be challenging, bureaucratically appealing, administratively appealing, but hard to actually put into action, plus, you'd have to determine how you're going to do it. What's on the list? What's off the list? Who's responsible for it? Who's responsible for the list because you have to actually keep it up to date? Who's managing that asset? What does it mean to be on the list? What are the standards that you have to actually achieve if you're on the list, if you're considered part of critical infrastructure? Those are interesting questions, I have to say, and they're, as we've said before complicated. So could we actually establish those standards. The second point I'll make as a preface is just, again to reiterate, that the assets are largely in private sector hands. So we talk about stakeholders, which really, to me, masks the concept of private interest and interest groups, which we use a lot less frequently, but political scientists still like to use this term about interest groups, their interests. And insofar as those private interests can align with public good, then it can provide good infrastructure and managed efficiently with some stability. I think a lot of the assets are in private hands because there's an optimism that they are more creative, innovative and efficient, and that can very well be the case. But there are risks that go along with such a large private interest in our national assets and upon which we rely every day. And as Professor Chandra mentioned earlier, that in some cases were publicly funded in the first instance and then maybe privatized later. So, on that note, I'll also just mention that as Professor Boyle has said, that Public Safety Canada is engaged in a process of reviewing the national strategy. I encourage them to continue along that path. And I think that one of the issues that continues to challenge us in the way we address the risks associated with critical infrastructure is the fact that you have so many different interests, complex governance settings, but particularly private interests, and the coordination function or the regulation function seems to be rather light touch on that in the whose managing the infrastructure, what standards should they be achieving, what degree of transparency should we expect if you are managing critical infrastructure, and who is accountable and to whom are you accountable. I think those are all important questions that have really existed for quite some time that I think we need to continue to pursue in the management of critical infrastructure. I'll pause on that point.

    33-143-08

  7. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Sure, I'll offer some observations. I think on the question of do we need a FEMA, it has been commented before that the Canadian -- so with FEMA, of course, you have an agency that is responsible for coordinating federal government actions during an emergency, and Canada doesn't have the equivalent. In some respects, Public Safety Canada emerged in the post-9/11 environment as a response to Homeland Security. Homeland Security needed a department to work with, so a number of organizations were merged. In the same way that a number of organizations were merged in the U.S. to create Homeland Security, a number were merged here to create Public Safety Canada. But there isn't the equivalent of a FEMA here, and it has been commented before that in the case of certain crises, there's so much -- there's so many organizations involved. And if we're only talking about large-scale devastation, like, we're talking about a west coast earthquake sort of thing, you would be bringing in so many supplies from so many different regions, and so it does beg the question does it require some coordination, because in an emergency, you need certain -- like, you know, if you think about Walmart, for instance, Walmart's considered to be quite excellent at supply chain management and responding during crises, but they'd probably need some direction in terms of what supplies can they bring. And so there's a coordination function in an emergency. And so I think it does raise an interesting question, and that could be -- I think that can be investigated. I think on the question of emergency and response versus, you know, ongoing maintenance of infrastructure, for me in some respects, like, they are separate but they're also the same; right? I think when I listened to Professor Chandra talk about just the huge significant dependence that we have on the Ambassador Bridge, I think he makes the compelling case that this is significant vulnerability for our country, and if that infrastructure fails, you know, what would the consequences be. So, you know, part of it is about emergency response maybe in a crisis, but I think a more thoughtful response is to say, you know, to what extent does this represent a significant risk, and, you know, in some -- when I think about sort of the normal accidents literature, Charles Perrault, I mean, he would say you have to say to yourself the system is going to fail, and then ask yourself what does that look like, and can you live with it. And now I would say that the way we've talked about the failure of the Ambassador Bridge the answer is no. So what are we going to do about that? And we can focus on the threat side, but I think that only gets you so far, to a certain extent. And I think one of the themes that has come up repeatedly in our discussions today is the governance side. To what extent have we got to modify the way we're managing these assets, so that we don't have these single points of failure that can have these massive cascading effects. And I think this is kind of a -- this event in itself has brought this into focus, although I'm sure, you know, many scholars, Professor Chandra among them, is aware of that. And so now we need to do something about it and there's an opportunity here to start addressing some of these risks.

    33-146-19

  8. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    I'll pause there, yeah.

    33-148-19

  9. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    It’s never a meeting until somebody’s muted. Anyway, I almost made it two hours without that mistake. It’s a comment, probably an extension of Professor Boyle’s comments about lists, if that’s useful. Or have we passed that?

    33-154-03

  10. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Okay. Well, in that case I’m going to make two separate points, but one is about the issue of -- the issue of the list. I think that one thing that -- so Professor Boyle made reference to Y2K, which is a case study near and dear to my heart, I have to say. And one of the things they did in the UK, that I thought was very interesting, in the run-up to Y2K was they grouped a lot of the critical -- they identified 26 critical sectors, and they were all subject to a sort of standard audit. And each of those sectors, the audit for the sector was published, and they were given a red mark, which meant you weren’t ready for Y2K; a yellow, which meant you were getting there but not quite ready; or blue -- not green, blue; nobody got green when it came to Y2K because nobody was ever 100 percent sure that it wasn’t going to go off without a hitch, but you got blue if it meant you did the best you could and we think you’re ready. So the idea was that no -- there was no disclosure on any particular company; it was the sector as a whole that got the evaluation, so they were kind of all in it together. Now, there’s a whole bunch of reasons why that doesn’t necessarily work out. A lot of the stuff in critical infrastructure is voluntary by nature, by the way. So these private companies participate if they want to. If it gets a little bit too tough, they might actually defect. So that’s always a risk, that they won’t actually participate in these strict audit functions, so the audit function might be a little bit too easy or a little bit too light. But, nevertheless, it does introduce some level of accountability at the sector level. It creates an opportunity to establish, you know, what are the standards we should be looking for in this sector, and then some outward reporting of how those sectors are doing. So -- and then there’s a collective responsibility that the sector has to be ready for some improvement. So I just put that in as one example of an exercise that happened when a crisis was occurring at a deadline, and it was meaningful, and I think those critical infrastructure owners and operators wanted to tell the world they were ready, so they were interested to buy into some process. There were some, as I say, weaknesses and flaws, but I felt it was a more ambitious approach than I’ve probably seen since then of actually trying to pull the owners-operators together and say, “There are going to be some standards, and we want to hold you to them.” I will say, also, that some of these pre-event evaluations aren’t always super strong, and I know there was some evaluation of which country was best ready for a pandemic, and the US and the UK finished number one and number two. And I think after the pandemic occurred, people questioned whether or not those pre-event evaluations were really all that rigorous. So sometimes before the crisis, it’s not quite the same as during the crisis. But it’s something, and I thought it was an interesting mechanism. Let me just make one separate point that I didn’t make earlier, which I think is important for the discussion, it’s the notion of a precautionary principle, because we haven’t actually mentioned that, so I just want to introduce this to the lexicon. In the risk community, I think generally speaking, people are -- it’s a concept that largely emerged through environmental studies and a feeling of trying to protect the environment. The precautionary principle has since been criticized quite a bit for its absence of a standard definition, absence of standards, absence of accountability. However, there is some sympathy when you’re dealing with a risk that is highly catastrophic, potentially catastrophic, and irreversible, that you would adopt a precautionary approach. The term “Precaution” was used a lot during the pandemic, and I think there was some precautionary rationales that underpinned some of the actions in this particular exercise we’re talking about. So I just wanted to put that term, “Precaution” in play as well as something that is criticized in the risk community, I think rightly so for its vagueness, and who pays for precautionary approaches; not always clear who pays. But that there's some sympathy when you’re dealing with a potentially catastrophic, irreversible risk. So I’ll just pause on those points, but I would just offer them.

    33-154-12

  11. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Maybe just to note that if I think about Halifax, for example, I mean, as a port city, I think there are obligations for social licence on behalf of those who move their goods through cities like Halifax, and some of the ports, particularly in the US, have been points for protest and -- because of the, you know, differing environmental standards, environmental concerns about the way some of the infrastructure affects the water and the community. So I think there’s an obligation on our operators to be mindful of that, and I think that some of them are because if they lose their social licence they won’t be able to move their goods through those ports.

    33-158-22

  12. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    That’s right. And I think there’s some other infrastructure; I’m thinking about nuclear power in Deep River, I think, for example. It’s -- you know, I think it’s the highest concentration of PhDs in the country because they’re good at doing nuclear. So those things have to exist somewhere, and you want to make sure qualified people are -- manage them. And there’re benefits for the community in doing so, but risks.

    33-159-12

  13. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Just a quick observation to say that I think the question of jurisdictional responsibility would apply equally to questions around the port, the seaports, and you've got the same kind of mess there in terms of the seaport itself is federally regulated, but when you get those trucks off or when you get the goods off the boat there are municipal issues, provincial issues, and do they cross provincial borders, there are additional federal issues. So you have a complex space with seaports also, so it wouldn't just be about road transport bridges to the U.S.

    33-165-21

  14. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    So -- I mean, I'm reluctant to say because I'm not aware of any, but what I am aware of is this fact that we normally talk about the complexity of jurisdictions when it comes to seaports. That there are ---

    33-166-09

  15. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    They're all involved, and there are a lot of private sector operators, and as we've talked about with trucking, there are many private truckers on that one space. So it's a very, very complicated space. I'm not aware of any overriding kind of authority that could sort of seize control. I suspect there is none.

    33-166-14

  16. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    I will -- maybe one other point I would say is that I can recall an issue of speculation that a boat was bringing in a number of people -- there was sort of people smuggling going out of port, and the various government agencies had to prepare because they had -- they were led to believe that a boat was coming in and they didn't know what boat it was and they were bringing people in. And I remember there were at least 14 different government departments from various jurisdictions that were responsible for standing at the ready in case this boat arrived, they didn't know which boat, and in case they had people on and they didn't know. And they had to do it all quietly because they were worried that if the boat found out that they were caught for smuggling that they might do something bad with the people who were on the boat. But anyway, there were at least 14 different departments involved in that exercise. I remember it was something that happened quite a few years ago in Halifax. But it's a complicated space, even within the Federal Government, a lot of different government departments have responsibilities, but it's spread out over quite a few. Yeah.

    33-166-21

  17. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    I'll just offer some thoughts about emergency planning exercises that sometimes happen in anticipation of these kinds of events, because this is one of the sort of favourite exercises of agencies that work in this area. They sort of imagine a scenario and they think about how are we going to respond to this particular scenario. And so one of the things they do too often is they work with public agencies. They always say, you know, you don't want to meet somebody in a crisis, you know, meets them for the first time in a crisis, so they want to know who all the emergency responders are, and that sort of stuff. Sometimes these exercises are a little bit false because they only bring together agencies from the same order of government because they're -- they've been told to sort of work out an exercise, so they kind of develop these scenarios that are not really very realistic. Because the thing about disasters and crisis is they don't respect jurisdictions. Disasters and crisis come and hit you the way they do, and they will hit all three orders of government. The very fact that a province is responsible for emergency response in the first place means the province is going to be at the centre of anything that's -- any sort of seriously devastating issue is going to go well beyond one piece of infrastructure or the community at large. So one is we need to have approaches that where we actually bring a lot of the stakeholders together. It's hard traditionally to bring the private sector in on these emergency response exercises. Maybe they don't see the value, maybe they're too busy, I'm not sure, maybe they don't want disclose their vulnerabilities. Certainly noted, with some concern from public agencies, that private sector agencies don't necessarily come to emergency response exercises, and they should. And then I think the other thing that we need to do in these exercises is we need to actually get better at trying to establish clearly what are we trying to learn from emergency response exercises, and we have to declare them, and then we have to monitor over time if we're getting better at emergency responses. Too often these emergency exercises occur, there isn't really kind of serious report afterwards, there's no benchmarking, and we have no sense if anybody's ever getting better at these things. There's just a kind of occasional exercise that they kind of make up, and then they run a few things, and then there's a hotwash afterwards where they kind of report out, and then it -- but there's not necessarily sufficient and rigorous follow up to show if we're actually getting better at emergency response. So I think there's a fair bit of learning that could be done from public agencies, and the private sector, that's owning and operating a lot of these infrastructures.

    33-169-23

  18. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Yeah. I'll just point out that, you know, when I think about rail, first off I think about how you can't really move the track. I mean, this is one of the flexibilities that you have with trucking that makes trucking very appealing in terms of its adaptive capacity that you don't have with rail necessarily, notwithstanding Professor Boyle's comments about some additional rails where flexibility is built into the system. The other thing I would just note is there is quite a bit of work done around critical infrastructure and various pressures that are exerted on the railway lines through the Lac-Mégantic experience. So I think there's actually quite a bit of documented evidence about challenges with managing the railway line and protecting and the sort of push for efficiency and maybe safety over -- lapses I guess that occurred. So I think there's quite a bit of work that has been done there that could be looked at and fair questions about whether or not Transport Canada has made progress in that area and whether or not private industry has made progress in that area.

    33-173-25

  19. Kevin Quigley, Prof. (Public Administration – Dalhousie University)

    Don't worry, you didn't miss much. It was just to say that I actually agree with Professor Boyle, that I also don't know much about this. And in fact, I think it's interesting and telling that it's a sector that's -- the importance is significant, and experts are saying that we should be more aware of the vulnerabilities. I think the Society of Actuaries has talked about this particular domain is maybe one of our greatest vulnerabilities. But I'm not sure that it gets a lot of popular attention, and there's the sort an awareness of the vulnerability, but I'm not really sure we're ready for the consequences of a significant failure. So I also couldn't comment I think with any great intelligence to translate on it, other than to say that in my own research around popular attention to cyber it gets very, very little, dare I say, the least amount of coverage of all the key sectors, I think partly because, as I mentioned earlier, it's complex, it's hard to see who is responsible. And in many respects, people, I think, enjoy the technologies they have and they want to be continued -- to be a certain level of deregulation and freedom and flexibility in the way they use technologies, they don't necessarily want them regulated and limiting to what they can do with their technology. So there's a lot of resistance and ignorance around the space that I think that allows the vulnerabilities to flourish.

    33-175-26