Oireachtas Joint and Select Committees
Wednesday, 30 March 2022
Joint Oireachtas Committee on Transport, Tourism and Sport
Cybersecurity and Hybrid Threats Following the Russian Invasion of Ukraine: Discussion
Mr. Padraic O'Reilly:
This topic is timely and of significant consequence. As we all saw last year, certain nation states and criminal gangs that operate within those states pose a significant threat to the public and private sectors throughout the West. Much of my work is in advancing the maturity of risk management practices inside large and small entities. I work with critical infrastructure, or essential services, across large enterprise corporations, governments in the US and elsewhere, and smaller concerns such as state and local government and small to medium-sized companies. Consequently, I have a fairly broad understanding of the challenges in critical infrastructure and shifting threat actor profiles. I also work closely with many of the firms that model cyber-risk and suggest an efficient path to mitigation and the hardening of systems. This gives me a good, high-level sense of where weaknesses persist and what efficient and cost-effective paths to the prevention of cyberincidents look like.
As we all saw in 2021, there was, effectively, a plague of ransomware. Several of these attacks became very high profile and did serious harm to citizens. Any attack on a health service should be off limits, yet criminal gangs have crossed that line several times. Attacks on critical infrastructure also become political very quickly, as we saw with the Colonial Pipeline attack last year in the US. To get an idea of frequencies and impacts, almost one third of all healthcare organisations have reported an attempt at ransomware. The rate is almost double in manufacturing. Slightly over 40% are able to restore their system from back-up and only about one third will pay the ransom. The average loss in healthcare from a ransomware event is $1.27 million, but the secondary losses drive that figure much higher. There are then the human costs, which are, obviously, even more significant.
The heightened threat in the wake of geopolitical events should concern all essential services or critical infrastructure firms, and all should be on heightened alert and take measures to harden systems. More than 80% of critical infrastructure is in private ownership in the US, which produces a difficult circumstance in that public goods and services and their protection often fall outside the purview of regulation. This means the government has to be a helpful partner, stay apprised of a multitude of potential threats and get that information to the private sector in an efficient manner. Government has an important role to play in combating these threats and in helping essential services to understand current best practice. Many sectors are underfunded and the authority for security is decentralised. Water treatment is a prime example of this.
Attackers use many different tactics, techniques and procedures. The practice of risk management combines an analysis of the threat actors, their methods and the existing vulnerabilities in systems, and then looks at the essential functions of the business. After a probabilistic analysis has been carried out, the potential impacts can be understood, including the human cost, financial impacts, downtime, reputational damage and lawsuits - all are factored. It is complex, but the results are often simple. Reporters often ask me what can be done, as though the challenge were insurmountable, but it is not. There are many simple and cost-effective strategies both to prevent attacks and to mitigate the potential losses if an attack gains a foothold, but they require proper risk management and full engagement from governance structures.
In cyber, when we hear intelligence that criminal gangs with nation-state cover are preparing for attacks, we think of essential services. We think of the grid, healthcare and the supply chain for food and water, but many resources are available and not all of them are expensive. Many attacks begin because of a trivial oversight or a failure to have trained employees properly. The message of proper risk management in cyber is a largely positive one. That is not to say it does not entail significant complexity; it does. It also requires resources, but resources that are deployed wisely. The recent cyber Bill in the US details how risk management in cyber should operate and is a big step in countering the advanced persistent threat. It also puts more requirements around cyberincident reporting, which will get better information into the hands of practitioners faster. The practice of cyber is changing, as it must to meet the current challenges. I look forward to our discourse today.