Canada's critical infrastructure (CI) is massive, geographically dispersed, owned by many different players mostly within the private sector, and vulnerable. However, the degree to which that vulnerability transfers into actual risk varies and is clearly in question. Our CI is dispersed yet interconnected, so applying any simple form of governance to protect it will not work. This is a unique policy and operational challenge not just for government, but also for all stakeholders. It cannot be said that we have a fully protected CI, but it also cannot be said that we have one under active threat. What is missing is a cohesive and sustainable approach led by the federal government with a healthy recognition that such leadership cannot carry the full responsibility for either identifying threats and risks, or doing something about it. That responsibility lies in many hands.