Mr. Padraig O'Reilly:

Not wishing to be too US-centric, I take as my model some elements of the approach here in the US. While it has taken some time to shake out, CISA effectively liaises between the public and private elements. It does a lot of the associated co-ordination. It aggregates the threats, takes the intelligence and does the information-sharing. It posts a lot of pretty helpful information. It is free and available to anyone anywhere. The Shields Up initiative, which CISA came out with recently, pretty much details the mitigation strategy in light of the current threat landscape.

The FBI investigates cybercrime. Also involved is United States Cyber Command, with which I have worked on occasion. It is a branch of the military whose concerns are more offensive. There are also multi-agency involvements. The United States Department of Energy has oversight of the grid. Many of the regulations concerning the grid are updated continually in light of the current threat landscape. Sometimes they lag a bit, which is one of the major concerns. When we talk about the NIS directive, we should note there is a lag time.

To me, the major problem is risk management. The issue is not one that can be tackled without risk management. There is a list of a hundred things any organisation can do to harden systems in light of the threat landscape, and risk management involves determining which are the most effective. That is an area in which the NIS directive can come into play because it can give an idea of the posture of individual companies at present. I agree that a multi-agency, multifunctional approach is required. That is the way to tackle it.