Mr. Pat Larkin:

I thank the Chair. In terms of the FDI risk, we need to be aware that as organisations look to locate in a country, they assess the good business environment, the access to talent and resource pools and then the security of their investment. That is the kind of criteria that they use.

We brief boards regularly. On the foot this event, I have had a number of requests for briefing, including from one large natural resources company. The nature of the briefing is such that they are looking to assess whether this was, in our opinion, a nation state attack and what is the state of national cyber defence, etc. I think that there is a heightened awareness. I do not know that there is any imminent,per se, or immediate risk. We have to look at it as a long game. The long game is that we have to build strong, mature, optimised cybersecurity capability, to protect all the resources in the State. If we do that, then we will continue to attract FDI and retain it. That is why Cyber Ireland is so intrinsically important to this whole strategy.

In terms of the location of the NCSC, in some respects, it is as appropriate where it resides as anything else, provided that the national security governance and commitment is joined up. That needs to come from centre of Government, somebody who can drive that strategy into all parts of Government organisation.

In terms of sanctions, blaming the victim is perhaps unhelpful here. We do not blame homeowners when their houses are burgled. We point to them where they could improve their security, etc. Blaming the victim, in some respects, creates a perverse incentive for the ransomware attackers because, if we blame the victim, then there is an increased incentive not to disclose and pay. I think we have got to move to a mindset of supporting and getting the victim to improve their security. There will not be a healthcare professional working in the health system who will not be traumatised by what has happened, between Covid-19 and ransomware. I think we will get goodwill. A compelling event like what has happened - disastrous as it is – is quite often, if used positively, a good spur to drive improvement and to gain buy-in to improvement. If it is a stick-only approach, one will achieve very little progress.