Mr. Padraic O'Reilly:

We have a strong deterrent capability in the USA. In the UK, this was always on the radar of the military. President Biden's announcement, red lines and so on are a strong deterrent. There is tacit acknowledgement by criminal gangs that certain types of critical infrastructure attacks are off limits. It looks like we are maybe in a holding pattern. The ability to take criminal gangs offline, which the FBI, CISA and the military demonstrated last year, is a powerful deterrent. The problem is that it quickly gets geopolitical. It can probably escalate. I cannot speak for my Government, but there is probably much caution with this because it can escalate. This is brand new territory. There is no real theory of cyberwarfare yet. There is the beginnings of one. Cyber moving to kinetic is also a threat and we need a deterrent capability for that. While it is a good exercise to think about whether a stronger, more robust programme can be developed, from my experience of risk management for critical infrastructure, even when there are strong recommendations for defensive capability, there is still resistance.

There is still much work to be done on risk management and getting the private sector that is involved in critical infrastructure to do the right thing. This has largely been a governance problem. I have seen many clients in the USA that had to report a breach. The governance structure was then addressed. Regulators put them on a programme to put in place a cybersecurity programme, report on it, and tie executive compensation to it, which tended to produce some results. It is about a carrot and a stick, whether it is offensive or defensive capability. While risk management has advanced significantly, we still have a problem with governance structures that are asleep at the wheel, though I do not mean to be unkind. That has to be addressed.