Mr. Padraic O'Reilly:

My father is a Leitrim man. Regarding the aspect of social media warfare, that must be countered. This also connects with Ireland wanting to get some of its agencies more proactive in how they address the public.

One of the good things that CISA has done recently in the US is to talk regularly to the public. It talks regularly to the critical infrastructure sectors. The White House makes weekly announcements on cybersecurity. There has been a big public relations push. I regularly talk to reporters. It is in the news all the time and should become a part of the culture. The countering of cyberwarfare must become a part of the culture. Everyone, in some respect, is a soldier. That goes to the idea of training the requisite staff to address these issues. The cyber skills gap is profound. It is profound when I look for help in my company and across the entire country at the moment. It is a wonderful and fascinating field and it should be characterised as such to get young people interested. It is endlessly fascinating.

I work in risk management and build software that deals with risk management. It is necessary to have some idea of where one is at the moment. In the cyber world, we call it a baseline. One can consider an offensive capability but that is only a part of the picture. When we deal with companies that are trying to ward off these threats, we give them the tools of risk management. That is the ability to identify bad things, how likely they are to happen, how they might impact the company and how systems should be hardened in response. That concerns incident response.

When forensics are applied after an event, it is clear that cybercriminals are not using the most sophisticated techniques. There is a lot of spear phishing and brute force password attacks. Some of the highest profile breaches in the US were the result of not having two-factor authentication on a remote desktop protocol. It is not the most expensive thing in the world. Cyberhygiene and risk management are vital. It is also necessary to have some idea of where one's essential services sit at the moment with respect to those practices. That is going on over here in the US. Risk management came through the Strengthening American Cybersecurity Act, two sections of which deal with metrics around risk management. The problem will not be solved if it is just addressed by putting a finger in the dyke and deploying stopgap measures. It must be considered from the top down from the point of view of the governance structures. Resourcing is absolutely essential. The function of governance is to resource solutions to these problems.