Mr. Pat Larkin:

At an operational level in an Irish context, we have a security operations centre. Three years ago, ransomware for our clients, either the clients we have or inbound clients, would typically have been a once a week or once a fortnight event. It is now a daily event, so we are dealing with ransomware incidents and outbreaks daily.

Coming back to the previous speaker's point, it matches exactly with the profile of increase. Why? Because it is so easy to execute and it is so lucrative. It is industrialised now from a cybercriminal's perspective. There is a whole cybercriminal ecosystem. When we talk about one group perpetrating this attack, actually it is not one group. It is a whole layer of contractors and subcontractors who provide different ranges of services in perpetrating the attack and then liberating and washing the finances associated with it.

It is absolutely the case that, at an individual organisational level and at a national level, we all have to improve our cyberhygiene and beat the odds. It is like the physical security in your home. If you put a burglar alarm in, if you put gates and locks in, then typically the criminal passes by because it is more difficult to break into your house than your neighbour's. Unfortunately, you are trying to secure yourself so that you are at the smaller end of the probability scale.

I agree with the previous speaker's point: it is all about risk and mitigating risk. You can spend an infinite amount of money, resources and time delivering security and security technology, but the majority of it is inefficient if you are not deploying it against identified risk and mitigating that risk.

It comes back then to the broader agenda, where we need to lead as well, which is we have to change the game here. Internationally, you have to make the organisations perpetrating this type of activity pariahs. You have to make any nation states that are facilitating it or are ambivalent towards it pariahs and there have to be sanctions. You have to enforce it. At the moment at the UN there are still debates on whether cyber law is adequate and how we are going to deploy it and enforce it. Because this is a global problem, however, while we can secure our critical services, our organisations etc., infinite defence in its own right is not a strategy. The principle of defence, from my military days, is you defend and protect yourself long enough that you can launch a counter-attack. That is the argument for defence. If you are not in a position to launch a counterstrike against the people perpetrating this, then at some point they are going to get in. You can defend repeatedly but at some point they are going to get in, so we need a global consensus to say this activity is a higher order of crime, particularly when it attacks critical national infrastructure or health systems. It is not a financial crime; this is a higher order of crime.

Without being dramatic about it, there are adverse patient outcomes to what has happened in the health system leading to increased mortality. This is not a financial crime. This is a crime against society and a crime against people. You have to look at it as that higher order of crime and we have to mobilise the United Nations and people like that to say this is unacceptable, the people perpetrating this are pariahs, and we have to go after them, their assets and their infrastructure like they were narcoterrorists or international criminals. We also have to go after states that are ambivalent or are facilitating or perpetrating this as international pariahs.