Most fundamentally, is it in Canada’s interest to further normalize the growing use of CNA (Computer Network Attack) activities by states? Should CNA be classified as just another tool of statecraft? Should such capabilities be restricted to a deterrent role? Is cyber deterrence, whether through CNA capabilities or more conventional responses, even a practical goal, given difficulties of attribution and the inevitable overlap between CNE (Computer Network Exploitation) and CNA? Would improved defence and resilience be a preferable, or at least sufficient, response or are all three required?