The Cyber Insider
The role of governments and shared risk in cybersecurity, with Ciaran Martin
This month’s special guest is Ciaran Martin, CB, the former CEO of the UK’s National Cyber Security Centre, a Professor of Practice at the Blavatnik School of Government at the University of Oxford, as well as managing director at Paladin Capital and the holder of several other advisory roles in private sector cyber security.
In our conversation with Ciaran, we touched on the role of the government in cyber security: intervention in the market, managing incidents, and setting a good framework. We also discussed the risks associated with offensive responses to nation-state threats, cybercriminals, and ransomware operators.
Our guest shares his insights and opinions on subject matters such as regulation in cybersecurity, ransom payments and cyber insurance:
“We see that some companies are having their insurance companies say that you have to have this set of cyber defenses, you have to have EDR, you have to have this or that, so they can pressure industry to take on cyber defenses. But at the same time, some people really feel that cyber insurance has contributed to the ransomware problem”.
All this and much more is discussed in this episode of The Cyber Insider podcast by Emsisoft, the award-winning cybersecurity company delivering top-notch security solutions for over 20 years.
Be sure to tune in and subscribe to The Cyber Insider to get your monthly inside scoop on cybersecurity.
Hosts:
Luke Connolly – partner manager at Emsisoft
Brett Callow – threat analyst at Emsisoft
Intro/outro music: “Intro funk” by Lowtone.
[0:00:15] Luke Connolly: Welcome to the Cyber Insider, the Emsisoft podcast all about cybersecurity. Your hosts today are Brett Callow, threat analyst at Emsisoft, and me, Luke Connolly, partner manager. And we're excited to have Professor Ciaran Martin with us as our guest today. Ciaran is the former CEO of the United Kingdom's National Cyber Security Centre. In fact, he was instrumental in its creation. Since leaving that position in 2010, he's kept himself busy. He's a Professor of Practice in the management of public organizations at Oxford University's School of Government. He chairs the Australian government's Global Advisory Panel on Cybersecurity Strategy, and more. He was appointed CB by Her Majesty the Queen in 2020 in recognition of his cybersecurity work, has been a phone-a-friend on Who Wants to Be a Millionaire, and is a world-renowned authority on the subject of crisps, or potato chips to me and many of our audience. Welcome, Ciaran, and we're honored to have you with us today.
[0:01:16] Ciaran Martin: Nice to see you both. Thank you for having me.
[0:01:23] Luke Connolly: At the risk of skipping some really interesting stuff from that intro, I'm going to dive right in, Ciaran. Many people think of cybersecurity as a tax on their business. They have to buy software and services to protect their assets. They have to sign up for training to build awareness among their employees. They have to get cyber insurance to help in the event of an attack. So let me start by asking about the role that government can and should play in helping to defend not only government assets, but also private enterprise, local school boards or healthcare facilities.
[0:01:56] Ciaran Martin: It's a really interesting question. I think, firstly, if you overanalyze the subject of where risk lies between public and private sectors and so forth, you end up just giving up. There is a shared risk, even obviously in areas like critical infrastructure. But even beyond that, when food retail gets messed up or whatever gets messed up, it ends up being something that the government cares about, but also something the private company cares about. But at the same time, when we were setting up the National Cyber Security Centre, various government ministers were saying, we don't want to nationalize cyber risk, we don't want to absolve people from their responsibility. So I thought quite carefully about it. So there's a bunch of things, firstly, where the market doesn't step in, and you take away a lot of harm. There's a bunch of maliciously hosted websites in your own jurisdiction which cause harm, but nobody's got a commercial incentive to take them down. So we ended up paying a few million. It wasn't that much money in the grand scheme of taxpayers in the UK. We ended up paying a company called Netcraft. We got the time for taking websites down from 26 hours to 45 minutes for a while. That's the sort of thing the government can step in on when there's a sort of market failure, if you like, but you don't step in in the threat intelligence business because there's loads of really good companies providing that sort of thing. So step in where you should and stay out where you don't. There is something about national prioritization and national coordination, so there are things. One of the reasons the NCSC was set up was when TalkTalk Business in the UK got hit and actually there was no public authority to say either this is really bad or it's not that bad, and there was quite a lot of public panic. 
So there is something about the government, just like it does in floods or terrorism, just having an authority of voice to say, look, here's our official assessment of harm, and then finally sort of setting the public policy framework. So here government can do things that are harmful. We gave two decades of bad password advice where we promoted a bunch of things which made it impossible for human beings to do cybersecurity well. We promoted bad advice such as don't click on a dodgy link. So government can do actual harm, but then it can promote things. So for example, it can promote cyber education to the workforce, it can at least hold discussions with the insurance industry, with corporate governance rule setters, to say, based on our overall assessment of risks to the UK, Canada, US, wherever, these are the sorts of things that we need to do. So those are sort of three areas: intervening in the market, managing incidents and setting a good framework. But there is a final bit, which is that, and this is the nirvana for me, where you get the first three right. So you have the private sector taking care of quite a lot. And then you employ a small number of really brilliant people. You pass some specialized laws with appropriate safeguards to give a state agency like the NCSC as part of GCHQ, or the NSA, some intrusive and quite substantial powers, and you go after managing the threat from the most potent nation state threats. That's what the government should be doing.
[0:05:34] Brett Callow: Indeed. To move on, governments are increasingly talking about counter-offensive cyber action against criminal organizations. That's not without risk. To what extent do you think that should be part of the solution?
[0:05:53] Ciaran Martin: First of all, I've always voiced some skepticism, not principled but practical, pragmatic skepticism, about offensive capabilities, because I think in terms of nation state threats, nation state bodies are well protected and we're not going to go after civilian infrastructure for obvious reasons. And it's interesting that most of the publicly avowed operations by Western powers in the offensive space have been against [incomprehensible] actors, so-called Islamic State in 2016 and, as you've said, ransomware operators and cybercriminals, and I think there is a space for them there. I think it's tactical and not strategic. You can knock these guys out for a while if you've got good enough intelligence, but they do come back, and you will know with your expertise, you will know plenty of examples of an announcement that REvil or the Emotet botnet and so on has been taken down, and then a very suspicious and similar group popped up months later. So it is tactical and, as you say, it's not without risk, not so much in terms of escalation, but in terms of collateral and all the rest of it. So I mean, my own view is that our agencies are actually reasonably good at managing those risks. And please contest this, because your expertise is considerable in these areas. We haven't had many examples of near misses, of things going spectacularly wrong. My point about it is that these operations do, quite rightly, make you feel good for a while. When you really get after some of the big fish, they can give you a substantial breathing space from the harm for a while. But they're not a strategic solution. They're just not. They do reappear somewhere else. The big problem is in ransomware. 
For example, if the reports are right that 75% or whatever it is of ransomware payments are going to the Russian Federation, the big problem is you've got a country which is well known for having skilled computer hackers, lots of organized crime, and state services that don't do anything to counter that. For as long as that's true, you can't strategically hack your way out of that problem. You have to do other things, and we can talk about what those things may be. So I think my thing about the limits of counter-offense is more that it's just a tactical thing rather than a strategic solution.
[0:08:12] Brett Callow: Just to tag on one more question there, on things we can do. I've flip-flopped on the issue of prohibiting ransoms. What's your take on this?
[0:08:24] Ciaran Martin: The starting point is the conversation and the underlying analysis. So at the moment, right, I think we've got a failure of public policy. It's not a technical failure, it's a failure of public policy. We've got a bunch of people sitting in another country. I mean, your list, Brett, I'm just looking at your last few posts on Mastodon. You say the University of Melbourne has been listed, the government of Goa has been listed, Minneapolis Public Schools, the UK Pension Protection Fund, Shoreline Community College, Munich. I mean, from massive organizations to big governments to small organizations, all these people are getting hit with impunity. And lots of them, I'm not saying any of these people are paying, but lots of them are paying, which is why this keeps happening. That's not a technical failure. There are technical aspects to that failure, but it is a public policy failure. Now, most of the time, when I spent 23 years in British government, when there's a big public policy challenge, we do some policy work on it and we look at what options might make a difference. And here, quite clearly, the ease with which ransoms are demanded and paid is part of the problem. So you have a look at that. Right at the moment, what we have is people saying, let's have a look at ransoms, and a whole bunch of people saying, oh, it'll be much too difficult and be terribly counterproductive, and it will make things worse. Hang on a minute. And I'm serious. And this is where I get bureaucratically geeky. Where's the policy evaluation that says this? Where's the consultation exercise? Where's the expert analysis? Where's the white paper that says we've done some serious work on this? The White House did something really good. They set up the 13 nation passport, which is doing some really interesting things, but they just got up and said, well, we think banning ransom payments would be too complicated. Contrast that with the issue of ransoms and counterterrorism. 
The UK has enforced a really tough policy for years on banning payments. And it starts from the presumption that it is not normally lawful to give large amounts of money to criminals, even when there's serious risk of harm, which there is in these cases, and we've lost people through not paying ransoms. Very tragically. And I think the starting point should be that it should be illegal to transfer large amounts of money to criminal organizations abroad unless there's a very good reason for that public policy not to be implemented. And for that public policy not to be implemented, there needs to be a detailed bit of analysis that shows beyond reasonable doubt that it would be too complicated and impractical. We just haven't done the work. So I'm not saying it would be easy. I'm not saying that if we brought in a ban, so I too have flip-flopped. But I would actually love a government, a bunch of like-minded governments, to have a big, serious policy analysis, engage the industry, engage the insurance industry, the corporate victims, you and me, people like that, and then work out whether this would actually work or not. Instead we've just said that would be too difficult. I don't know of any other area of public policy, whether it's leaving the European Union or forgiveness of student loans by the Biden administration, where we just announce it's a bit difficult, let's not do it. We do some work.
[0:11:33] Luke Connolly: That's an awesome answer. So many times it's so easy to say, well, we should just do this, pass a law, there ought to be a law, where in reality there's a lot of subtlety and complexity involved in doing that. So thank you very much for that answer. And I have a question, which is we've seen some instances of companies actually hacking back, like if they get their files exfiltrated and there's a threat of it being released on the dark web. And we talked about this with Jon DiMaggio, who's the author of The Art of Cyberwarfare. There's a company that I don't think I have to mention, but they had their data stolen and they were threatened that the data was going to be released, and then the threat actor suffered a denial of service attack and had their servers taken down. So do you think it's really something that corporations should consider doing on their own? I mean, ultimately you might see a cyber mercenary force as well as cyber defense options available.
[0:12:21] Ciaran Martin: So here I'm going to be completely conventionally orthodox. And again, I wouldn't object to serious analysis being done on this, but I think certainly some has been, even if it hasn't been published. I do think, let's just take the word cyber out of this conversation and apply it to a mainstream, ordinary activity that predates the digital world, and we'd all go, you can't possibly run a society like that. That's the road to hell. That would be complete madness. And I think, what is it about sticking the word cyber or digital or data in front of any of those things that would make it different? I don't object, in fact, although it's only tactical, I applaud the FBI's recovery operations and I applaud them when they do get the counter-defense operations correct. But I do think we would have a serious problem if we go down the road of private actors having their own, I mean, I think you answered the question for me when you said we might have a cyber mercenary army as well as this. Yeah, I don't want that.
[0:13:25] Brett Callow: We're not going to be able to eliminate financially motivated cybercrime anytime soon, but is there anything we can do to bring the numbers down quickly to protect our hospitals whilst we work on the longer-term solution to protect others?
[0:13:44] Ciaran Martin: So again, firstly, you're starting from something right. We're not able to eliminate it anytime soon, nor is there a single magic solution to even bring it down. I think there are a number of things and again, it helps to sort of slightly technocratically disaggregate it. So one thing, particularly in ransomware, is helping potential victims understand the nuances of the awful predicament they fall into when they're a victim of this crime. So the example I'm slightly obsessed about at the minute is the second or double extortion ransomware. And if you look at, for example, the Medibank crisis in Australia at the end of last year, or the Irish Health Service Executive crisis. The same thing happened in [incomprehensible], where you have population-level healthcare data of great detail. This is more than just registration, this is medical files. And you have then a scared public, and non-technical leadership of organizations and non-technical media immediately sort of jump into that, oh my God, the entire population's health care records are going to be available online. Now, we all know that that's not the way it works. That even in the worst case scenario they're on something that most people don't understand anything about, the so-called dark web, et cetera, et cetera. And there's loads of agency at our society level. The defenders get a vote. So I thought the Australian [incomprehensible] was really quite good. They said to the media, it's obviously a legitimate public interest that we've lost 9.7 million medical files and we're not going to censor you, but don't go looking, we are imploring you. It is not responsible to go looking for this. It is not responsible to report details of individuals, et cetera, et cetera. And really people shouldn't examine this data and should not promote or aggregate its dissemination. They said the same to social media platforms. 
By and large, everybody concurred, as I understand it, based in Australia. In a conversation about the responsible reporting of suicides, which was a big problem in Australia some years back, a lot of the experts said that the way it was covered in the media was potentially encouraging copycat suicide. So just as there's a responsible way of reporting suicide, there's a responsible way of reporting data breaches. When you take away that fear and you realize that actually, yes, you get a letter saying you're a customer but we've lost your personal data, but then it gets explained to you that actually even if it is published, it's going to be in some secure [incomprehensible]. Yes, there's a financial risk, you need to be really careful about financial transactions, but know your next-door neighbor or your ex-partner isn't going to easily be able to look up what you've got and put it all over the place. I think that's really important. That's one example. There are other examples. If we do the work on the rules around insurance policies and paying ransoms, that might affect things. If any of these things around cryptocurrencies that the Biden administration task force has been looking at work, that might affect things. Yes, hardening defenses, and a lot of people then shout at me saying you can't defend your way out of this problem, but you can make it a bit harder. So if you take those four things together and all four of them, or even three of them, work, you take it down a bit. So I do think there are a bunch of things. What's interesting is many of them are sort of policy, governance and risk management rather than technical. So I don't know, I'd be interested to know what you think at some point.
[0:17:14] Brett Callow: Yeah, the exfiltration issue is certainly problematic, as is the way in which the data has been used on occasion, where there's at least one case where a national media outlet used the information contained in a hospital's data dump to create stories.
[0:17:31] Ciaran Martin: I think that's right. So, I mean, if you take it for a minute, let's move from personal data to political interference. That's really interesting. So what happened in the US in 2016? And I'm not going to wade into the argument about whether it swung it for Donald Trump or whatever, but I think the fact that people in the United States are still fighting over this and arguing over it seven years later shows that the operation, from the aggressor's point of view, worked. It destabilized the political discourse. Now look at what's happening. So the NCSC, my old organization, issued this advisory about Seaborgium, the Russian attack group, and Iranian groups that are both doing sort of potentially hacking operations against British and other public figures. And in terms of Seaborgium, it seems that the two rumored known victims so far have been a former head of [incomprehensible], who is very much on the right of politics, very pro-Brexit and so on, and an MP from the Scottish National Party, the complete opposite end of the political spectrum. So to me that says these people don't have an agenda. They just want to destabilize. They don't have a specific agenda. They want to destabilize British politics and then to destabilize British society. But we have a choice in that. If you look at what the Washington Post did ahead of the 2020 US presidential election, their editorial published this article saying, if there's a repeat of 2016, we might not take the same approach to publishing it because we have to bear in mind the provenance of the information. I think we have to have the same conversation if actors from Russia, Iran, wherever, are going to hack into everything, whether it's medical data, whether it's political discourse, whatever it is, and just put all this information out there with the explicit intent of destabilizing our societies. 
It would only work if we believed in that enterprise, and we have to find a way of reconciling free speech and free media with that threat.
[0:19:27] Luke Connolly: I've done a fair bit of research in preparing for talking to you today, and I've seen that you're consistent in your approach, which is, let's start by being sensible. Let's not sensationalize, let's not catastrophize. The reality is there's a threat there and we can manage it. I'd like to ask you about something you said a couple of years ago when you compared cybersecurity to Brexit, and you wrote this about the generic threat of imposing costs to deter adversaries. You said imposing costs has become the "Brexit means Brexit" of the cybersecurity domain: a catchy, useful political slogan, devoid of meaning, substance and, consequently, impact. So my question is, what tools do governments have at their disposal to respond? How effective are they and what risks does it bring to use certain tools?
[0:20:17] Ciaran Martin: Yeah, so obviously I was being deliberately provocative and we were still mired in the Brexit crisis when I wrote that. I mean, I do largely stand by it. I think it's very easy. As I said in a previous lecture, when I first came into cyber security, I asked a senior aide to a senior government person, I said, look, what do these senior leaders think about cyber? And the answer came back, where's my red button? And it was this sort of slightly infantilized approach to cyber and this sort of easy rhetoric where you sort of posture and go, wow, we're going to impose costs and so on, which essentially meant partly hack back. And I think it's pretty limited, the circumstances in which the state can actually effectively impose costs in that way. So I think firstly, there is this tendency to look at cyber as an enclosed boxing ring where you've got two actors, and you've got offense, if you like, punching people, and defense, putting your gloves in front of your face, and that sort of thing. But it's not like that. And actually, I think again, I think I may have written this in the piece, taking things to absurd extremes is often useful. So when the Russian state did that horrific attack in Salisbury in the UK in 2018 using Novichok, the UK came up with all sorts of responses, but the thing we didn't consider was using Novichok in Russia. That's just not the way it works. But somehow we have this idea that we have to strike back with cyber. Now, that's not to say that there is no way of using things to make it less attractive for attackers and harder for them. So there is something around tightening defenses. And part of my worry with all this imposing cost stuff is you just lose track of the fact that people need to harden their defenses incrementally. But then you look at some of the things and again, they're not perfect, but counter-offense in criminal stuff can work. 
I actually think the Obama administration had some reasonable successes with some of its tools of statecraft. So if you look at their long-standing concerns about Chinese intellectual property espionage, so between 2015 and the back end of 2017, beginning of 2018, when the Trump administration's relations with Beijing started [incomprehensible], we actually had a relatively quiet few years from Chinese intellectual property theft. Why? Because Obama in 2015 said, right, we're drawing a line here, threatening economic sanctions, we're going to do more and more indictments so more and more of your people can't go to the West and so on. And that had a destabilizing effect. So there are things, there's nothing magic. I mean, we do have to contend with the, we have to be realistic. There's a serious problem. For the first time in human history, you can inflict large-scale harm on another jurisdiction without ever setting foot in it, and in a way that you can't do with other forms of harm, but there are things that you can incrementally do and most have very little to do with technical cyber.
[0:23:16] Brett Callow: Companies often claim that they have been victimized by a highly sophisticated adversary. We don't have a sophisticated adversary problem. We have a companies-not-using-MFA problem, they're not getting their 101s right. And that's been the case for years. How do we finally fix that?
[0:23:40] Ciaran Martin: First of all, I mostly agree, but there are exceptions and it's worth, and I think one of the challenges of things like insurance and the role of government is making sure we know when those exceptions hit. So you take something like SolarWinds. It's an espionage case. First of all, a lot of the actual victims of SolarWinds, because it's a supply chain update of some sophistication, are reasonably blameless. They did the SolarWinds update as they're supposed to. And as it turned out, they were injecting a Russian intelligence exploit into their system. But for the most part, I think you are right that it's sort of an MFA problem. So how do you fix that? I think this is where, frankly, some regulation of corporate governance comes in beyond critical infrastructure. I think if you look at IoT regulation, so let's take the Mirai botnet attack of 2016. How does that work? Well, as far as I know, and correct me if I get this wrong, because I often do get things wrong, but as far as I know it hacked a massive amount of IoT gadgets, mostly in this case CCTV cameras, and pointed them all at [incomprehensible] so it falls over. How can you do that? Well, it turns out the CCTV cameras, as I understand it, have a default password of "password". And even if you notice that, you can't change it. That's not unlawful to sell that product in the UK, the European Union, Singapore and other jurisdictions. Okay, well, I'm not saying you have to reach for primary legislation for everything, but what are the insurance implications of getting hit if you don't have MFA? I remember in 2017, on our advice, the independent authorities who regulate, or sorry, who provide IT services in the British Parliament took remote access off for a few days so they could install MFA, because there was a very noisy nation state espionage attack, brute-force password logins on the British Parliament. 
So they removed remote access, which was not easy to do given that lots of MPs from remote constituencies would have depended on remote access. So you do that, and then how do you disincentivize and, frankly, on occasion if necessary, punish organizations who go down because they don't have MFA or they don't have adequate firewalls and so on? There's a bit in me that says let's perhaps not reach for the law in this, but what about corporate governance? Corporate governance rules, which by and large are set under the supervision of the government, certainly in the UK, but are set by business and independent bodies, independent of both mainstream business and the government. They say, look, here's how you manage financial risk, here's how you manage health and safety, et cetera, et cetera. And they don't say anything about cyber risk, and why not, and why can't we? Again, there is a frustration, I can't quite put my finger on why it is, with the dialogue with the insurance industry. The insurance industry appears obsessed with exemptions for nation state attacks. But what about having a serious dialogue about how to incentivize policyholders to have MFA, firewalls, anomaly detection systems and so on, which I think is happening, but let's get that a bit more up. So I think that's where we have the internal discussion in our societies, and that's where the whole "the defender has a vote" thing really comes into play. And one final slightly mad thought. I think, say, the British government as a whole at the moment, people are asking themselves what I would call the vaccine question. So for everything the UK state got wrong in the last 10, 20 years, whatever, the way in which the country built and rolled out vaccine capabilities during the pandemic was really, really impressive. And they did it by setting aside lots of rules and procedures. Now you can't do that all the time outside of a crisis. You can't control public finances that way. 
But there are things about the waiving of general rules where they'd say, well actually, in peacetime that might work. Similarly, in cyberspace, look at the defense of Ukraine during the war, the cyber defense of Ukraine. They stopped worrying about legal liability for sharing information. They stopped worrying about whether the file was really safe, because you've got a massive nation state invading army and so on. What do we take from the massive rapid acceleration and improvement in the quality of Ukraine's cyber defenses in the context of the war? What can we say, okay, that would work outside of these horribly exceptional circumstances? I have a conversation [incomprehensible].
[0:28:34] Brett Callow: To go back to something you said before, that we don't necessarily need to look to the law for solutions. Industries like aviation and transport are highly regulated. Why shouldn't cyber be too?
[0:28:50] Ciaran Martin: Well, there's a case for that. So one way of looking at it is in heavily regulated industries. So is cyber an industry like aviation? Well, yes, in terms of companies like yours, but no, in terms of it's a function for most people. The three of us wake up every day and think primarily about cyber. But most organizations who are key to cyber defense don't. They think they might be an aviation company, they might be a healthcare organization, whatever it is. So, in terms of critical assets, I've always thought that sectoral regulation made some sense. And in the UK, I mean, part of the whole genesis of the NCSC was a partnership between the predecessor organisations and the Bank of England. So in 2012, the UK Parliament passed a new Bank of England Act post-crash. And it was like, here's all your new responsibilities for financial stability post-crash, toughening up the regulations and so on. And so in law, the words were "financial stability" as its mandate. And there were some definitions of financial stability, and one of them was operational resilience. So the Governor, Mark Carney, said, by operational resilience, that includes cybersecurity and cyber resilience, I'd better write that into the regulations. Who do I talk to? He went to the government and said, because of course, the central bank doesn't have people who know how to do this. And the government sent him a long memo about all the different organizations he'd need to talk to, and he said, this is ridiculous, you should have one. That was one of the reasons the NCSC was set up. What it meant was that the NCSC could then talk to the Bank of England and say, right, well, we think you need to do this, this, this and this, write these into your regulations. Some people at the Bank of England would go back and say, okay, well, that makes sense. That makes sense. If you do that, you'll bring down most banks because they wouldn't be able to operate. 
And we say, okay, well, thank you for telling us, because we don't know anything about banking. You don't know anything about cyber. So that's do it a different way. In banking it worked quite well after seeing the same hasn’t happened in energy, and it started to happen in telecoms. So the British parliament just at the end of last year passed the Telecom Security Act, which more or less does to telecoms what happened in banking. So I think you can take care of a lot of critical infrastructure that way. Then the question arises, and like you were saying about ransom payments, Brett, I sort of [incomprehensible] for over this. Do you bring in law, a general duty of cyber hygiene for all organizations? And part of me just thinks, well, we legislate a bit too much, maybe we shouldn't. Another part of me thinks, well, we've got one for data and actually that can be a bit weird and distorting. To go back to the Irish healthcare, it's just one of the things I find really strange about it was that people were wondering how the government has broken its own laws in terms of this catastrophe that was leading to widespread disruption of the health service and turned out, as in most Western jurisdictions, that if personal data was lost, then there were legal consequences. But if it was just denial of if it was just sort of classic ransomware that meant you couldn't operate the health care system, despite the fact that there are some of these massive consequences, there is no breach of any legal duties, that sounds a bit strange. There's a bit of me that sort of thinks if you're trained as a civil servant, where you have the power to [incomprehensible] legislation, so you're always sort of trained to think, well, you do have to justify this, let's think about it. So I would take care of the critical things. You have to make that work for the business model, the rest of the economy I think you can make a case for it. I'm just not sure it's made yet.
[0:32:33] Luke Connolly: I just wanted to give a shout out to thank you for mentioning Mark Carney, head of the Bank of Canada before he was head of the Bank of England.
[0:32:40] Ciaran Martin: It was a rare transfer. It's like a sports transfer.
[0:32:45] Luke Connolly: But talking about how to get companies to actually implement cyber solutions, which we've talked about regulation. We touched on insurance as well. And we see that some companies are having their insurance companies say that you have to have this set of cyber defenses, you have to have EDR, you have to have this or that, so they can pressure industry to take on cyber defenses. But at the same time, some people really feel that cyber insurance has contributed to the ransomware problem. So I'm wondering what your take is on that and how can we make sure that insurance becomes part of this?
[0:33:20] Ciaran Martin: So it's a hard problem and annoys various people in the insurance industry, so I try not to annoy them any further. I mean, analytically, I think we've gone from asking to work for a lot where cyber insurance went from being quite sort of lucrative for the small number of people who were in business because you were paying for things that often the customer didn't really understand and so forth. It went from that to being almost uninsurable, thanks to ransomware, without passing the happy medium that insurance is supposed to occupy as a public good. How do you make sure insurance is part of the problem? I do think there are probably two things. One is the discussion around ransoms. I think we have to have that serious public policy discussion. I have some sympathy with the insurance industry. You can't expect them, if it is lawful to insure people for ransoms, then it's not for the insurance industry to make a judgment as to whether it's moral, ethical or efficacious. That's what governments and parliaments are for. So for as long as you allow any payments of ransom, why would you not allow any insurance for it? For me, so have that discussion, bring the insurance industry in. Where it'd be more critical is that I think that if you take, for example, I think there has been a waste of exertion over the issue of nation state attribution and exemptions and so on. And I wish they talked about it more with cyber experts, government people and so on. If you look at the Lloyd's of London clauses from the end of 2021 when they talk about retaliatory cyberattacks. Well, I mean, if it's not a term that means anything to me in terms of exclusions for retaliatory cyber attacks, I'm struggling to think what actual type of operation are they talking about here? Just thinking of an example, I can't think of something, a system that would rely on governments publicly attributing, governments don’t attribute for the benefit of the insurance industry.
Governments attribute because they think there's a small public policy reason to do so and it's entirely defensible. You can have exactly the same two cyber operations against your country in two consecutive years and attribute one and not attribute the first time and not the second time, or vice versa, depending on the geopolitics of the time. So there's been this completely pointless sort of diversion of effort into working out whether nation state exclusions apply. When we're not looking at how do you incentivize MFA, how do you look at whether an organization has got [incomprehensible] practices, et cetera, et cetera. So I think there's another issue where I have, again, some sympathy about measuring the actual harm. So if you take a ransomware operation, I think you can measure harm how much money did you lose, et cetera, et cetera. Not just the ransom, but all the disruption and so on. When you talk about a data breach, what is the harm caused by losing 100 million hotel reservation details in Marriott or whatever it is? It's really hard. So how do you price that? So I think we need to have some more conversations around that. So basically, I think the answer on, my unsatisfactory answer, on how do you make insurance part of the solution, not part of the problem, is a sort of slightly technocratic processing one. Let's set up government cyber industry, insurance industry corporate working groups, on measuring harm, on measuring the impact of interventions, et cetera, et cetera, on assessing liabilities to whether so if a really sophisticated doesn't have to work very hard, who's liable, that sort of thing. And that's [incomprehensible] out all these problems and see how it's working, because it's just not working at the minute and we're just putting our effort in the wrong places.
[0:37:08] Brett Callow: Absolutely. With that, I think we're almost out of time. Do you have anything, Luke?
[0:37:13] Luke Connolly: I do not. So I'd like to thank you, Ciaran, very much for joining us today. You brought really good perspective and insights to the discussion. We'd like to thank our listeners for tuning in and to stay up to date in the latest in cybersecurity. Be sure to subscribe to our podcast. Ciaran, thank you very much. Again, great discussion.
[0:37:30] Ciaran Martin: Really nice to see you both. Thank you.
[0:37:32] Brett Callow: Thank you.