Mr. Pat Larkin:

There are models emerging. I regard the UK as a model. It has had a number of goes at it, the most recent of which has been pretty good in respect of the role of the UK National Cyber Security Centre and the level of leadership it has provided. That is not a bad model. Again, it is a matter of continuous improvement and evolution because circumstances change. What does perfect look like? What does the desired state look like? The desired state looks like one in which everybody takes cybersecurity seriously and responsibly. Most commercial institutions, regardless of whether they are quasi-semi-State, take cybersecurity seriously. Why? It is because it is about protecting shareholder investment and revenue. If Ireland Inc. treated it the same way, it would be about protecting our tax flows, health service, foreign direct investment and national output, meaning everybody would take it appropriately seriously.

We have seen the escalating threat. I use the term "lucky" advisedly, but we have been lucky that the HSE was able to recover as quickly as it could. I am sure there has been worse patient mortality as a result of it, as well as significant costs, and it is not finished yet. The model should be that everyone is educated and takes cybersecurity seriously, with co-ordination and leadership at the top. It will be impossible if it is left to a single body to drive, execute and implement all of this. Leadership is needed, with a clear statement that it is a national and economic security priority. It should be addressed with all involved agencies. We have a problem, which is that this is very much an infinite defence mindset, which we are not resourced for. Regarding Dr. Scott's earlier point, infinite defence is fine if one is confident about the ability to tire the enemy exhaustively or is in a position to launch a counterattack. There need to be consequences for cartels or nation states that launch or facilitate cyberattacks, otherwise we will be in an infinite defence model and a cyber arms race.