Mr. Pat Larkin:

-----so I must be circumspect because we are in the middle of an investigation. Taking up the general point made by the previous speaker, however, healthcare is attractive because the data is valuable. In addition, both private and public systems are incredibly complex. They have what are called a large attack surface area because of the complexity of the environment, the spread of the network and the range of different users of the system, including doctors, nurses, students and vendors as well.

Therefore, it is an incredibly complex environment, which means that it is relatively easy to target from an attack perspective. Even robust health systems, because of that complexity, are also vulnerable. Equally, there is the ability to monetise the situation. I agree with the previous speaker in this regard as well, in that I think that it is the principled and correct decision to not pay a ransom. The reality, however, is that more than 56% of organisations pay a ransom. It is usually because they have no choice, but it could also be because organisations may not have the same resources that enable a state to go through a complex, lengthy and costly rebuild of its systems. Most organisations, and especially those which are private, are therefore faced with a simple balance-sheet choice.

Do we spend tens of millions of euro rebuilding or do we spend €1 million getting the keys to unlock the system and get back to core business? It does not help to speculate, but I do not know that Ireland or Ireland's health system has been consciously targeted. It is another health system that is vulnerable. They have carried out a targeted attack that has been successful from their perspective. It is very difficult for us, as a State. The challenge is that today the health system could be attacked, tomorrow it could be the power grid, the day after that it could be the transportation grid.

In respect of a national security mindset, we should be cognisant of the fact that traditionally, when we think about national security, we think about state actors carrying out targeted attacks from a foreign policy perspective to influence a government. In this case we are also seeing criminals attacking from a financial crime perspective, with a similar attack profile and causing similar national damage as state actors, potentially. The mindset must be that criminal cartels can in some respects cause as much consequential damage to a state as nation state actors carrying out deliberate foreign policy based attacks. From a mindset perspective, it is necessary to take the position that, defensively, we must secure ourselves against the attacks of criminals almost as much as we need to be secure against nation state attacks, because either is of similar consequence and catastrophe to the State.