Oireachtas Joint and Select Committees

Tuesday, 25 May 2021

Joint Oireachtas Committee on Transport, Tourism and Sport

National Cybersecurity: Discussion

Mr. Padraic O'Reilly:

It is a pleasure to be here today and I thank the Chairman for the invite. The Colonial Pipeline attack, which may have been in the news in Ireland, shook up a large portion of American society. It really hits individuals where they live and is escalating prices for gas. It has had a direct impact on the citizenry. Over here we also have health services getting attacked. We do not have a national health service but we have prescription and hospital concerns. A hospital in San Diego is currently struggling with ransomware. We had more than 200 attacks on hospital chains last year also.

I will talk a little about my background and my perspective. I started the company five years ago with the chief information security officer of Schneider Electric. His expertise was primarily in cyber and operational technology. My expertise was in financial modelling. I bulked out a software product that operationalises regulation standards, like the NIS directive. From what I have seen on the inside, my concern across many sectors is in accordance with what I have just heard, which is that there is some variance with regard to maturity and work in depth with the energy industry, the finance industry and across almost every sector. We see the increase in frequency of ransomware and the increase in ransoms, which is quite alarming. Maturity levels vary greatly. With the pipeline Colonial tech we are dealing with the learnings here in the US. The Administration here came out immediately with an executive order that sought to address some of the gaps that remain.

We have a sprawling regulatory regime here so when I work with the energy industry it is under something we call NERC CIP, which is a legacy set of standards that relate to the grid. The pipeline industry is under a voluntary set of standards, so there is real variance between practitioners and companies within the energy industry. One can see the results quite clearly. We do not see that the organisations under strictly voluntary standards do a great deal of adoption. That is not the case for all of them, of course, but we have learned over here, with the threat of going from cyber to physical in the pipeline industry hack, that the government and the Department of Energy are now re-evaluating whether to actively police or regulate the pipelines. It is always a question. The question comes down to the fact that 85% of our public infrastructure is in private hands. Private infrastructure companies tend to live quarter to quarter. They do not always put into practice some of the standards that are quite clear.

When I was speaking on television last week, there was quite a gap in understanding about what one does with respect to cyber. People tend to think it is extremely expensive because these are complicated systems. Many things done in cyber that are practice and policy oriented and employment oriented are not overwhelmingly expensive. Best practices are not always terribly expensive. The pipeline attack looked like a remote desktop protocol, RDP, attack. In an RDP attack, one can do two-factor authentication and do some other things with RDP that make it much harder for brute force attacks. There is no way to know, however, if one does not have metrics. We can talk about standards and best practices, but there must also be metrics. When the network and information systems, NIS, directive came into play, there was a colloquium in Washington DC on metrics. It was essentially taking the cybersecurity framework we operationalise in our software and driving metrics over it. It was very controversial. Many industries do not want metrics. They do not want to be measured. If one cannot measure it, one cannot improve it.

I will end by saying that-----
