It is an honour to be here and I would like to thank both KPMG and Queen’s for inviting me.
Ladies and gentlemen: I’m here tonight with one objective.
To be boring.
Let me explain.
It may be the case that you’ve never met a cyber attacker. So here he – always a he – is.
In the course of this job I’ve got to know this guy rather well. He is very young – late teens or early twenties. He hacked into his first nuclear missile facility at the age of just five. At the age of twelve he started on bank heists. He bought his first hoodie with the proceeds and his face has not been seen since. He works alternately for the Russian, Chinese, Iranian and North Korean Governments, and spends his free time in his bedroom in darkness with green letters and numbers for wallpaper. He is very clever with computers. In fact, he is so clever he cannot be defeated.
This is of course, a pastiche. It’s the myth. In reality, a cyber attacker, whether working for a state or some criminal group, is actually more likely to be sitting at a desk in an open plan cubicle staring at a management information dashboard like this.
This is more like the reality. Through intelligence work, we have actually seen examples of organised crime syndicates using traffic light indicators on management information dashboards. Some of them are so good I suspect our hosts here at KPMG would approve – they are exemplars of modern business management (apart from the rampant criminality bit).
And what they tell us is that cyber attacks are fundamentally about return on investment. If an indicator is green, it means this is a profitable line of attack. If it is red, it means it’s too hard – go somewhere else.
This is a crucial insight for anyone charged with defending in cyber security. The goal is not absolute defence – that is neither possible nor necessary. It is to turn the greens to orange and the oranges to red.
Now I may have left these shores 24 years ago but I remember enough about life here to know that talking about turning greens into oranges and how oranges turn into greens is not always the best way to win over a Belfast audience. But the economic concept of a return on investment is at the heart of what I want to talk about tonight.
So, what I’m doing tonight is taking a fundamentally glamorous subject that Hollywood is making blockbusters about and is attracting some of the most brilliant people in the world, and I am going to talk about economic theory and corporate risk management techniques instead.
Hold on to your seats.
For the busy listener, my message to you, as head of the National Cyber Security Centre, is:
- Cyber security is shrouded in mystique and fear. That’s not helpful and we should stop it.
- Put simply, cyber attack is about return on investment.
- So cyber defence is about risk management and harm reduction.
- When you put it like that, it doesn’t seem so completely daunting. There’s plenty we can do to manage the risk.
- So simplify, simplify, simplify. Understand the risks and take action that you understand to manage them.
That’s the short version. If you’d like to stay tuned, I’m going to try to describe how we reached these conclusions. I’ll describe the journey we’ve been on at a UK-wide level to reach these insights and what it means for public policy. So, what I aim to do tonight is talk in straightforward terms about five things:
- First, talk about why Governments in liberal democracies should care about cyber security;
- Second, explain what that means the Government should actually focus on when it intervenes in cyber security;
- Third, describe what we’ve learned about what has – and more importantly hasn’t – worked in the past;
- Fourth, focus on what we’re doing differently as a result of that learning and what we hope to achieve; and
- Finally, what it means for somewhere like Northern Ireland and what the NCSC wants to try to help achieve here.
1. Why liberal democracies should care about cyber security
First, why should Governments even be involved in this issue?
The Governments of liberal democracies should care about cyber security for two reasons.
The first is the security of the state. That’s an easy concept. Some of cyber attack is about old statecraft by new means. The Internet grew up in the West out of Western values of liberty and free expression and open commerce. And hostile states will still want to undermine those values and will want to spy on, steal from and threaten the West for their own advantage.
From the experience of a decade or more of tackling this problem we now know already that hard infrastructure – electricity grids, power supplies, financial systems – all need protection from this threat. And whether they’re in public or private ownership it’s the duty of the state, at least in part, to help protect them from hostile state action. No company, however large, can be expected to defend a highly capable hostile state attack on its own. And it falls to us to help.
Then there’s softer infrastructure. Our democratic and electoral systems. Media companies like Sony. Indeed, earlier this week the New York Times and the BBC reported that Mammoth Productions here in Northern Ireland was attacked as it was in the process of making a programme about North Korea.
National security cyber threats manifest themselves in other ways too. One of the most important attacks in the United States, which the previous Administration blamed on China – was the theft of the personal details of more than 20 million Americans who had applied for a federal Government security clearance in the first fourteen years of this century.
This duty to defend the security of the state and its people from these sorts of risk is a permanent function of the state. It is hard to do and we put some of the best people in the world on the job at the National Cyber Security Centre.
But at least it’s easy to understand – it’s national security in digital form.
The second reason why Governments should care about cyber security is a bit more complicated and it arises because the economic prosperity of the country depends on it
Cyber attacks happen all the time. Successful – from the attacker’s point of view – cyber attacks happen all the time. But very few are of the audacious and strategically significant variety I’ve just mentioned in the national security space, thankfully. Why? Because these very sophisticated attacks are very hard to do and so they don’t scale. Basic cyber attacks do scale though. It’s very easy to launch prolific, large scale cyber attacks. So, lots of people do it.
And this is a big problem. When one of these attacks get through, and a small dataset is stolen, or a small amount of money goes missing, or a small business gets a ransomware demand, it is difficult and traumatic for the victim but of little or no strategic national significance.
Except cumulatively, it is of strategic national significance. The UK is one of the most digitally advanced economies in the world; on some measures the most digitally dependent country in the G20. If people in the UK lose confidence in the digital economy because they’ve had one too many letters telling them their data has been stolen, another sum of money has gone missing from a bank account or from a utility payment, or their employer is struggling because of a cyber attack, people will lose confidence in that digital economy on which our economic future is so dependent. There are various surveys showing that most organisations of any size experience some type of breach at least once a year. That is a first order strategic risk. The Internet is a truly marvellous creation but without security its potential will not be realised.
2. What Governments can and should do
What does this then mean for the role of Government? Well as I’ve already said, we have to invest in new capabilities to defend the security of the key infrastructure of the state. We’ve done reasonably well on that front and I want to pay tribute to my team and our partners for the excellent work they’ve done. We depend hugely on other security and intelligence agencies in the UK, on private sector threat analysts, and on international partners. We’re not complacent and we can expect a significant national level attack in the future as we’ve long said. It is a core part of our job at the National Cyber Security Centre to prepare for that.
But it is in the space of securing prosperity in the digital age that we’ve had to do the really creative thinking. That’s because we had to accept that our attempts to drive up general standards of cyber security in order to promote economic prosperity had not been as successful as we might have liked.
After the election in 2015 the returning Government made this clear and set about the task of rethinking our approach. So, 2015 was a watershed year for the UK Government’s approach to cyber security. When I say that, most people understandably assume I’m talking about the decision to establish the National Cyber Security Centre. And of course, I am. But we also had a profound strategic rethink. Without that strategic rethink, the NCSC would just a building and a new organisation. With a new strategy, it is, I hope, the home of some of the most innovative and exciting thinking about cyber security anywhere in the world.
3. Why a change of approach was needed
The new strategy came about because we asked ourselves some tough questions about why we’d been less successful in mainstreaming good cyber security across the economy than we had hoped. And while cyber security is in many ways an inherently technical subject, and we employ world class techies in our organisation, a surprising amount of the answers we found were rooted in the disciplines of economics and behavioural science.
To explain. We started with the premise – gained from years of painstaking analysis of the motivation and methods of attackers – that, as I’ve already said, cyber security is about a return on investment.
A second conclusion was that one thing the most sophisticated and the low sophistication but more prolific basic attacks had in common was they tended to exploit basic weaknesses in defence. Stuff that shouldn’t happen. Easy example – people often talk about something called zero-day vulnerabilities. These are weaknesses that aren’t publicly known so defenders don’t know how to defend against them. But there are very few zero days. The vast majority of cyber attacks exploit known vulnerabilities for which a fix is available. The classic example here is TalkTalk where the vulnerability had been known since 1998, before the alleged attacker was actually born.
Taking these two insights together, the thinking behind the strategy concluded that the most pressing and strategically important question was how to find ways of raising the basic defences of organisations throughout the whole country.
This led to another and this time a very puzzling question – if it’s about a return on investment, why had market forces not provided the answer by incentivising companies and individuals to put in place those better basic defences? You are here as chief executives worried about cyber security. You will have money to invest. Why hasn’t this dynamic been enough, on its own, to sort out the problem?
Or, to return to the jargon of economics, had there been a market failure, and if so, why?
Economics and behavioural science suggest three broad answers to this question.
First, cyber security had become shrouded in mystique and fear, and the market ran on that fear for too long. Threat awareness raising too often tilted dangerously close to scare-mongering. There were – and are – things to be afraid of. But warning of a major new threat – whilst essential – wasn’t often enough accompanied by simple guidance towards solutions. Instead, cyber security was portrayed in the Hollywood way. Business leaders – highly able people with awesome responsibilities and outstanding personal qualities were encouraged to think of it as a problem they couldn’t possibly understand but luckily help was on hand for a handsome fee.
In case you think I’m exaggerating, consider this.
About ten years ago, a former colleague of ours set up a website for a cyber security service called airgap™. It made a series of utterly preposterous claims about what it could do. It claimed to be “the single answer to all Internet security problems – known and unknown”. It offered “100 per cent protection” against all viruses and spam. It was accompanied by a picture, which is actually a metal box with a blue light inside it.
He received several thousand sales enquiries, including from well known companies. (I stress this was a stunt to prove a point, and no money changed hands). It was ten years ago, and things have moved on a fair bit, but you get the point about selling fear.
That is what happens when fear rules the market. For too long we ignored the basic reality that cyber security is about risk management and it is well within the capabilities of boards of directors to manage that risk. Executives manage all sorts of risk that they are not technically expert in – pension liabilities, commercial litigation risk, health and safety. Cyber security should be added to the mix, not put in its own box, whether with a flashing blue light or not.
A second problem was that this climate of mystique and fear translated into bad advice and rules for citizens. Here is one example:
Official Government advice: “Have a different, complex password for each service and change them often”.
We all know this guidance. This was classic risk aversion with no rooting in real life. It had been global orthodoxy since the early years of this century and no one questioned it. But anecdotally, not least in our own lives, some of us thought it might just be a little bit mad. So we tested it. We have set up a series of academic centres of excellence – and I’m pleased to say in passing that Queen’s is one of them – and some research institutes. We got Professor Angela Sasse of University College London to look at the behavioural science of passwords using this advice.
Her conclusions? What we were asking the average citizen to do in his or her daily life was the mathematical equivalent of remembering a new, 600-digit number, every month.
Impossible and unworkable, and therefore no basis for defence.
The third problem was by far the most important: an apparent mismatch between the problems and the economic incentives to fix them.
We’ve done a lot of work trying to understand how the cyber attack market works. Earlier this year we published a paper called Cybercrime: Understanding the online business model. As part of that we published a graphic showing how we think some aspects of this global system work.
What this shows is that there is an online cybercrime marketplace. Like any marketplace it responds to incentives and to success and failure. Let’s look at one bit – the market for stolen credentials.
The way this works is that someone will steal a dataset from somewhere. That dataset could be anything from names and addresses all the way through to more sensitive information. The more information there is, the more valuable it is because it enables identity impersonation more easily. A common basic dataset is what we call credentials – the login address (normally an email) and the password.
Although a fairly basic dataset, a list of stolen credentials can be valuable to an attacker because they enable what is called a brute force attack. This means the attacker takes the logins and passwords and tries to log them all in at the same time into a service and see how or she gets on. So, and this observation is based on real examples, if they’ve got a bunch of UK looking email addresses, a smart thing for the attacker to do would be to try to attack well known UK brands on the assumption that some of these addresses and passwords will work. And in the global cybercrime market, these credentials can be sold on the dark web to anyone – an organised crime group looking for money, a state sponsored group looking to get into a network, or whatever.
So how should defenders respond to this? One way is to tell people to use different passwords for everything. But we’ve already seen from behavioural science that that doesn’t really work. What instead the Internet operators should do is turn on something called two factor authentication onto their service. This means when someone logs on to a service from a new device they get a message – often a text – sending them a code telling to verify that it’s them. In most cases this renders the brute force attack completely useless. And it therefore makes the dataset of stolen credentials relatively worthless. That is why we have been promoting two factor authentication for web based service providers.
That’s the sort of thinking we’ve been trying to lead.
There are other examples of where the market hasn’t always got the incentives right. One of the most pervasive and important features of the cyber attack ecosystem is spoofing. Spoofing is what it says it is – an attacker is abusing trust by pretending to be someone he or she is not. The vast majority of cyber attacks involve some element of spoofing. So, doing something about spoofing would be a good thing for a country serious about cyber security.
Again, we researched how to do this. It appeared that the most spoofed brand in the UK was, predictably enough, HM Revenue and Customs with attackers offering tax refunds and so on. I imagine many in the audience have received a spoof email from HMRC. If you haven’t, maybe you got one of the better ones so you didn’t notice.
What were HMRC doing about the problem? For a while, absolutely nothing. And I make absolutely no criticism of them in saying that. Why should they? They have a massive job to do on a limited budget, and – and here is the economic problem – it made absolutely no difference to them that they were being spoofed on an industrial scale. Attackers were sending millions of fake emails from HMRC. But nobody stopped paying tax because of it. So why should HMRC use up their own limited resources fixing a wider problem? And the same was true of the private sector – if an attacker was impersonating a favourite retailer and the attack was successful, the damage was to the customer, not the retailer, which suffered no damage.
Thankfully, HMRC’s digital leadership recognised the problem and worked with the Government Digital Service and with us to fix the problem. This is what the answer looks like:
It’s a bit of code getting HMRC to use something called the DMARC protocol. DMARC stands for Domain-based Message Authentication, Reporting and Conformance. So the ‘a’ – authentication – is the important word. What DMARC allows an organisation to do is tell the Internet’s distribution mechanisms what a genuine email from this domain – in this case HMRC – should look like. If it doesn’t look like it should, it doesn’t get delivered. Instead, in our pilot with HMRC, we got it delivered to us instead.
The result? In the 2016 pilot we got 300 million emails sent to us from people pretending to be HMRC.
And the real value of this?
HM Government advice: "Don’t open attachments or click links unless you trust them."
People don’t have to make impossible judgments about what attachments to open or links to click, because they don’t get the emails in the first place. The guidance only to open things you trust is on a par with the old guidance on passwords in terms of being impossible to follow. Yes of course people should be careful and if you see an email that is the electronic equivalent of the famous Bank of Nigeria letters from decades ago, you probably shouldn’t open it. But the very nature of cyber attack involves, as we have seen, abuse of trust so it is fundamentally unreasonable to expect the average user to be able to spot each and every one. Instead we need to take away the problem from them insofar as we can.
And here’s another problem of the mismatch between incentives and response. In September 2016 a company called Dyn suffered an unprecedentedly large DDoS attack. It had a very big impact because Dyn is an important part of the American Internet backbone – it is a major DNS provider, DNS being the phone book of the Internet. So when it fell over, household names like Amazon and Twitter were affected for several hours.
A DDoS attack is a denial of service attack where the attacker overwhelms the target by simply pointing more traffic at it than it can cope with. It was unprecedented in scale because it was able to use something called the Mirai botnet to repoint vast numbers of Internet of Things devices (in this case Internet connected CCTV cameras) at its target.
This model of attack works by pointing otherwise innocuous Internet of Things devices and turning them into weapons against a higher profile target. The economic problem? Throughout this attack, the cameras worked just fine. So if you made the cameras, owned and operated them, or were a customer of them, why should you pay for the fix? Is it down to you to do the research and capability development to thwart the Mirai botnet?
Instead, the answer to the Mirai botnet problem appears to lie in improving the way in which the protocols governing the flow of Internet traffic work. Fixing this is largely down to standards bodies and groups of telecoms companies. Some of these protocols date back to the 1960s and 70s. So in the UK, what we’ve done is got the telecoms companies together and are in the process of agreeing revised protocols. If successfully implemented, and we are close to finding out, this won’t prevent the UK from suffering this sort of attack, because it could come from anywhere in the world. What it would do is stop UK infrastructure from being used in Mirai botnet type attacks. And that makes the commercial value of UK infrastructure lower. And that makes UK infrastructure less valuable to an attacker. And that makes the UK a less attractive target. And that’s a win.
4. What we are doing differently as a result
This is radical stuff. Up until this point, Western cyber security strategies had been largely passive in terms of what one might call the commodity threat from large scale, unsophisticated cyber attack. The approach was centred around fairly vaguely defined notions of public and private sector partnership, and the establishment of information sharing mechanisms. Whilst they contributed some useful outcomes, they did not get us strategically ahead of the threat. Some partnership initiatives struggled to deliver real, measurable outcomes beyond raising awareness of the threat. And far more weight of expectation was put on information sharing initiatives – the pooling of data between commercial rivals for the common good – than they could bear. After a decade or more of this approach, the evidence is beginning to emerge of its limits.
Our response now has been to move to something we call active cyber defence. I have to make clear that active cyber defence isn’t intended to mean aggressive hacking back – though the Government has been clear we are developing a lawful offensive cyber capability. Instead, active cyber defence is the opposite of passive cyber defence – instead of sitting back, promoting partnership and information sharing initiatives we are actively stepping in to fix problems that for whatever reason no one else has. And as well as our technical expertise we are putting behavioural science and particularly economics at the heart of this approach. And we are committed to publishing the data to show where we’ve been successful and where we’ve failed.
We’re trying out most of the new measures on Government networks first. That’s because we can, it’s because it shows we believe in what we’re doing, and because it makes it easier for us to get the data we need to illustrate whether or not it’s working. So among the measures that are now mandatory across Government are:
- The adoption of the DMARC authentication system – that’s the one that helped HMRC with its spoofing problem – across all Government services;
- The implementation of a new system for all public servants who use Government networks called a DNS filter which stops them from going to sites we know to be bad;
- A new service called WebCheck. This allows smaller organisations like local authorities and NHS bodies, for free, to scan their web facing services for common vulnerabilities. It’s the embodiment of our new approach to try to make things easier for people and organisations. In the past, when we allowed cyber security to be shrouded in mystique and fear, we told people in small organisations with limited budgets that they were doing things wrong and were at great risk. But they had neither the money or the capabilities to do anything about that and we weren’t helping them. What WebCheck does is give them the ability to find out where their most basic weaknesses are and it then gives them some basic advice on how to fix them.
And beyond Government we are making it easier for people to use the Internet safely in ways that the user can see, and also in ways they cannot. To go back to passwords, password guidance from the Government is now far more practical.
We tell systems administrators how to help users generate appropriate passwords. We tell them they don’t need to be changed if there is evidence of compromise.
In terms of unseen help, we are using fairly simple techniques to take away some of the problem. Over the years we’ve found out that if the government has evidence that a particular site is malicious and being used to infect users, if you point that out to the host, they will tend to take it down on request. The challenge then is to be able to do this at large scale. We have partnered with a small company in the west of England who have developed a very clever system of automating take down requests. Some of the early results are impressive.
For example, phishing sites – the sites that lure the user onto a site and then infect the user – hosted in the UK used to be up for an average of 27 hours. Now, on average, they are up for around one. This is real impact with a hard, measurable effect.
What lessons can we draw from what we’ve learned and what we’ve been doing? I think the following points are key:
- Given cyber attack is about return on investment for the attacker and risk management for the defender, our job as the national authority for cyber security is to do what we can to help take away as much of the harm from as many of the people as often as we can;
- Doing that isn’t as glamorous as Hollywood makes out. Instead, it’s about a relentless focus on getting these basic defences right.
- Good enough should do for most things. Defences have to be useable by people.
- By focussing not just on technology but also on behaviours and economic incentives the Government can help create the right framework where that improvement in basic cyber security can take place.
- Success is possible. We are not claiming that we’ve cracked the problem. And I’ve already said that we expect serious attacks with significant public impact. But that doesn’t mean we can’t make progress. In the twelve months to September of this year we saw a 47 per cent increase globally in detected phishing attacks. But the UK’s share of those attacks fell from 5.1 per cent, to 3.3.
5. The wider strategy, and what’s next
I have focussed this evening on the general threat from large scale, unsophisticated cyber attack, often criminal in origin. That’s because it is the big systemic threat that most people and businesses face every day. The average citizen or business is much more likely to encounter this threat than a sophisticated and targeted attack from a highly capable attacker like the Russian state.
But those risks are real too. Cyber attacks are fairly new but they happen for ancient reasons – the pursuit of money, power and influence. So states will use them for traditional statecraft reasons: to spy, to get commercially valuable information like intellectual property, or to ‘preposition’ on critical national infrastructure so that they can act with menace against us in times of tension. As we have seen, hostile states will also seek to use cyber to influence developments in Western countries, in effect trying to mess with the very freedoms the Internet has done so much to enhance.
This does give us a range of other challenges beyond the main one of improving basic defences at national level that I’ve focussed on tonight. And it draws on a range of cross-Government capabilities. So part of the Government’s response in the national strategy has been to unify responsibility for the challenge in a single organisation, the NCSC, which I’m proud to lead. As part of GCHQ it has access to a range of world class data, capabilities and partnerships. And as part of the wider security community we have access to a range of world class partners, including the National Crime Agency whom we support to bring as many attackers as possible to justice.
At the National Cyber Security Centre we’ve been given three tasks.
The first is to manage national level incidents. This is in recognition of the fact that major attacks will get through. We should plan on that basis and seek to mitigate the harm those attacks do. In our first year we dealt with 590 significant cyber attacks that required some level of Government coordination. The details of some of these remain secret. Others, like WannaCry, are all too public. Part of our job in those public incidents is communicating advice to the public on the extent of the risk and what they can do to protect it. This is the first time the Government has had a single authoritative voice on cyber security. So, for example, during WannaCry – the attack that affected the English and Scottish NHS – we published detailed, specific and technical guidance on how to contain the attack within 24 hours, and more general guidance on how to protect against ransomware, and undertook a wave of media activity to make sure we maximised public awareness of that guidance.
The second core task is to help protect the core services and infrastructure on which we rely. So for example, as services move online – like SmartMeters for measuring energy consumption – our job is to do what we can to protect the system from attack. In doing so we don’t care who the attacker might be. Some of these systems will last for decades and geopolitics, as we know all too well, can change in that timeframe. What we care about is the resilience of the system. So for smart meters, we’ve published in detail how we’ve helped design the system so that the different bits of the system have to verify themselves when communicating with each other, and that there aren’t single points of failure in it. We’ve worked to a doctrine that while attacking one individual smart meter would be doable, it would take at least three, simultaneous sophisticated attacks to cause national level damage. Again, harm reduction.
We also protect the softer core infrastructure of a democratic state. Earlier this year we delivered an intensive programme of work to protect the 2017 General Election from outside interference. This involved publishing detailed guidance to electoral administrators, electoral software providers, and political parties themselves and hosting seminars for all of them. it involved intensive work to protect the Register to Vote website. Like our response to WannaCry, it showed the merit in the pioneering approach we have developed at the NCSC of fusing highly classified working with openness and accessibility: much of what we were telling those involved in electoral security work was derived ultimately from classified intelligence, but we were able to find ways of giving people useable advice that was based on it. And our building in central London, crucially, has both low and high classification facilities, in easy reach of each other.
So acting as the central authority for incident handling and critical infrastructure protection are two hugely important priorities. But it is in the third area of the general improvement of the UK’s cyber defences – which I’ve focussed on tonight – that has the most potential. So what’s next? As we plan for our second year we have to focus on implementing the good ideas and concepts we’ve had in the first year at national scale. But technology changes fast and we’ll need constantly to innovate.
And in my view we need to crowdsource the next set of ideas. We need a far better understanding not just of the technology but other subjects too. And we need the private sector and academia to help with that step up. We need to get more people to understand and study things like the economics and cyber security and come up with more insights like the ones that have done so much to bring about the change that I’ve talked about tonight.
Our commitment to Northern Ireland
And in all of this there is a clear commitment to Northern Ireland. Tomorrow I will be in Stormont talking to civil service leaders and later on law enforcement and business partners. We want to do more with leaders here in Northern Ireland across all sectors to make sure we’re as well prepared as we can be for whatever may hit us in terms of major incidents, and that we work to protect the critical infrastructure here as well.
But there is opportunity here too. I don’t just want the next generation of active cyber defence breakthroughs to be government-led: having made the interventions to correct things that aren’t working and create the right framework Government should try to get out of the way and let private innovation and research flourish. Why shouldn’t Northern Ireland, with Queen’s as one of our academic centres of excellence, with the cluster based around its research, and with a renowned education system take advantage of this opportunity? We will want to support you on that.
My concluding remarks reflect this relentless optimism about the future. It has been all too easy to indulge in counsels of despair about this subject, to say it has been too complicated, too technical to grapple with. We have, I hope, shown that by breaking the problem down into manageable chunks, and looking objectively at what is and isn’t working, we can bring about some improvements. Please don’t let anyone tell you that the problem is unfixable, or that the right skills can’t be developed. Skills are indeed a very significant challenge, but there is no reason at all we should see it as an insurmountable one and the work going on here in Belfast and at Queen’s in particular is, to me, proof of that.
On that optimistic note, I’ll finish. My final message to you as chief executives is the most important thing you can do is not to be afraid of the problem. Work out what you care about protecting the most, treat it as you would any major corporate, and engage with us and with other partners to work out what the best protections are for you. Cyber security is a team sport and we should be optimistic about our ability to make a real difference here in Northern Ireland.
Thank you for listening.