Oireachtas Joint and Select Committees

Tuesday, 25 May 2021

Joint Oireachtas Committee on Transport, Tourism and Sport

National Cybersecurity: Discussion

Mr. Padraic O'Reilly:

The Deputy has asked very good questions and I understand his concerns. Over 2020, the incidence of ransomware attacks increased by 311% and upwards of 350 million was paid out in ransoms, and that is just the disclosed stuff. The gangs are going nowhere and ransomware continues to be developed.

In terms of semi-state actors, when I was on television I was repeatedly asked, in terms of the states they are acting out of, who is responsible for this. It is something that, as a private citizen, I am a little careful about, but I think we all know they may be semi-state operators and, in that case, that means there is more will behind it. When it gets to cyber-to-physical, you would want to be very careful about the political terms you speak in, obviously. Cyber-to-physical keeps cyber professionals up at night. There was a lot of great research around it done in 2010, and they were looking at attacks that propagate over the generator systems and the like. Then 2015 happened, when we actually saw a grid go down in Ukraine. Those types of attacks are truly scary because they hit the national infrastructure.

In the States, we have a unique situation in that 85% of our public infrastructure is in private hands. This is a very difficult situation to be in, largely because it is hard to impel some of those holders of that infrastructure to do the right things. We have some regulations in place to force that, but we are struggling and scrambling at the moment. The Government has said all the right things after the Colonial Pipeline attack. We are now evaluating whether pipeline security should be the responsibility of the Department of Transportation, and we have six individuals in oversight there, so there is an analogue to some of what Ireland might be dealing with at the NCSC.

My company makes software. We benchmark organisations on cyber. We work across a large set of organisations. My perspective is we need standards. Compliance is important but it is just one aspect of the overall approach to cyber. I love the term "risk assessment" because it is the way forward. You have to identify and prioritise, and risk assessments do that. They also take probabilities into account. That is why information sharing is so important here in the States because we have to have better ideas of what the probabilities are. C-suites and boards will not invest if they cannot financialise the actual risk, but to financialise risk you have to have good data. These are important things to understand in the practice of cyber. Risk has to be understood. Compliance and risk are related. Talking about it more is getting the private and public partnerships going that will help to solve this long term.
