24

 

Joint Committee on the National Security Strategy

Oral evidence: Ransomware

Monday 28 November 2022

4.30 pm

 

Watch the meeting

Members present: Margaret Beckett (The Chair); Lord Butler of Brockwell; Baroness Crawley; Lord Dannatt; Richard Graham; Baroness Hodgson of Abinger; Darren Jones; Baroness Neville-Jones; Lord Reid; Lord Snape; Viscount Stansgate; Bob Stewart; Lord Strasburger.

Evidence Session No. 1              Heard in Public              Questions 1 - 14

 

Witnesses

I: Professor Sadie Creese, University of Oxford; Ollie Whitehouse, Chief Technical Officer, NCC Group; Jayan Perera, Principal, Cyber Incident Response, Cyber and Digital, Control Risks.

 

Examination of witnesses

Professor Sadie Creese, Ollie Whitehouse and Jayan Perera.

Q1                The Chair: Welcome and thank you to our three witnesses for coming to give evidence to us today. It is much appreciated. As you may know, this is the first of our evidence sessions on our new inquiry into ransomware, which we launched in October. The idea of today is to focus on the scale and nature of the threat, although obviously we are always interested in your views on what area there is for reform, particularly with regard to the Government’s approach to what is a very thorny issue. Could I invite you perhaps each to give a very brief set of opening remarks?

Ollie Whitehouse: I am the group chief technical officer for NCC Group. I have working in cyber security for 25 years. When we look at ransomware specifically, there has never been such a threat that has touched all facets of society, from the very small to the very large. We have, arguably, been challenged to address it with any furore because of the nature of where it stems from. I welcome that this inquiry is happening and look forward to contributing to it over the next 90 minutes or so.

Jayan Perera: I am the head of our cyber incident response team at Control Risks. I help our clients to respond to incidents and can see a lot of examples from the victims. I hope I can provide some of the examples and insights we see from that part of the world as well.

Professor Sadie Creese: I am a professor of cyber security at the University of Oxford. I am based in the department of computer science and we have lots of research that brings us insights into the kinds of attacks that we will be discussing today. I also teach for the business school, where we concern ourselves with the role of leaders, and direct the global cyber security capacity centre, where we concern ourselves with the capacity of nations to be resilient in the face of such threats. I welcome this particular inquiry.

The Chair: There seems to be a general consensus that this threat has got worse in recent years, but it is generally acknowledged that there may not be reliable figures on the scale of the problem. As I said, we want to focus today on the scale and nature. Is there any observation you would make about recent ransomware trends and what has been driving those trends?

Ollie Whitehouse: I will offer some opening remarks and comments based on data. The Bank Secrecy Act in the United States has given us a sense of the scale. We saw suspected payments of $1.2 billion made last year, based on a report that came out earlier this month. More broadly, that was a three times increase year over year. In the trending data that we observe from looking at the leak sites—sites where victims’ data is posted and held to ransom, in effect—we have seen a decline year over year of 7% to 10% between 2021 and 2022, but that is not to say that the threat is in any way small; it is still substantial. I hope that gives you a sense, at least based on the data that we have access to, of its scale today.

Jayan Perera: We have been tracking, particularly around recent geopolitical events, notably Ukraine, fluctuations in how ransomware has been conducted. This shows a clear link between some of the geopolitical challenges that we have, including conflicts in the kinetic sense, and the impacts on ransomware groups more broadly, particularly in eastern Ukraine and of course within Russia.

Professor Sadie Creese: I should remind everybody—I assume we all know—that ransomware has been around for some time. I remember dealing with it at the turn of the century, back when I was in industry.

You asked what the driving force might have been behind the changes we have been witnessing in recent years. Certainly, the change in geopolitical situation is part of it, but we need to remember that this is actually about two things generally. First, it is about extorting money and funds. In the last 10 years, we have witnessed the organised criminal fraternity becoming more tech-able. These are people who are interested in conducting crime to raise funds and they are now more able to conduct cybercrime, and ransomware is a really big feature of that.

At the same time, in recent years we have seen a rise in more politically sympathetic-driven capabilities. Unfortunately, they cannot be easily pulled apart. There will be certain parts of the world where it is easier to conduct these kinds of operations from. As we have seen in the Ukrainian conflict, some of those organisations have come out in sympathy with one side or another.

It is not like the old days, where we could say there was this kind of threat and this kind of organisation, and they are all separate. We have seen a very gradual maturing of the threat ecosystem in cyber over the early part of this century. We are arriving now at a point where we see the kinds of organisations that get involved in ransomware getting involved in lots of other kinds of aggression around the world. In some sense, that is quite worrying. The sharing of skills and tools has been maturing rapidly in the last couple of years.

Ollie Whitehouse: To build on that, we also have to recognise the unintended consequences. As Sadie has said, it had its genesis in the criminal fraternity, but states have learned. States that at times have been subject to very harsh financial sanctions have learned that one way to get liquidity is to conduct ransomware operations and be paid via digital currency mechanisms. It is the true 4D game of chess, as it were, that we are now playing.

Q2                Lord Butler of Brockwell: I will ask questions that I am very conscious are naive. We talk about ransomware groups and organisations. What is the characteristic? Is it possible for me to buy some software for ransomware and undertake my own project, or does it have to be done in groups, and what is the nature of the groups?

Professor Sadie Creese: Actually, it is possible, but you would be much more likely to obtain it as a service nowadays. Ransomware as a service is a growing trend. My colleagues can tell you more about that.

Jayan Perera: The ransomwareasaservice model is probably the way you would go if you were planning on doing it yourself. It speaks to the environment in which this is being produced. It is not just whoever is creating the code behind that particular form of ransomware; there are a number of other affiliates that provide the ecosystem. There may be people who just purchase that and hand it off to other groups. There may be some who create the access, so they find the actual vulnerability into the target company and sell that on to someone who has access to one of those tools to then go and extort.

It is quite a broad community of people as part of that, which is what makes attribution to these groups quite difficult, because it is not that we are looking at one person in one location; these groups are often split across nations transnationally, but also have connections to multiple other groups at the same time.

Lord Butler of Brockwell: What do you mean by a ransomware code? Is it like an app that I can buy and then set out on my own to undertake a ransomware attack?

Ollie Whitehouse: It would be analogous to that. If you are, say, a single hacker, for want of a better description, and you want to undertake some ransomware activity, you can go to a supplier who will provide you with the payloads that will do the encryption, but then also run for you potentially all the negotiations, extortion and payment settlement, and get a cut for doing the deployment. There is this rich supply ecosystem for the individuals who want to do it, all the way up through to scaled organisations that you would recognise as proper organisations.

Lord Butler of Brockwell: Is there a limited number of groups that offer this service?

Ollie Whitehouse: It grows every week. The criminal supply chain has diversified over time. People recognise that there is money to be had, so there are new entrants. There is law enforcement activity. The vacuum that is left naturally by some of those is then filled by those who have learned their trade watching.

Lord Butler of Brockwell: You say that it is growing all the time. What sorts of numbers of active ransomware groups are we talking about?

Ollie Whitehouse: I do not think I have reliable data on the number of discrete groups at this time, I am afraid.

Lord Butler of Brockwell: Is it thousands or hundreds?

Ollie Whitehouse: No, we would be talking about hundreds rather than thousands.

Lord Butler of Brockwell: How do they advertise their services?

Ollie Whitehouse: Again, it is through a variety of different mechanisms. There are a number of online marketplaces where criminals congregate and offer their services in much the same way that you would expect in normal internet society. That is primarily how they connect and find each other.

Lord Butler of Brockwell: That would be part of the dark web.

Ollie Whitehouse: Correct. Exactly.

Q3                Lord Dannatt: Going on from that, we have heard that they are more able and sophisticated. Can you offer some comment on the leadership structure of this industry? Are there defined leaders, or is it more of a cell type nature, akin to what we got used to understanding about al-Qaeda—that it was more amorphous than identifiable?

Ollie Whitehouse: I would say that it is a more cell-like architecture. There is not one global head of ransomware by any stretch. There are loose affiliations of people and those affiliations change over time.

Professor Sadie Creese: I would describe it more as a marketplace. It has matured to a point where there are lots of different roles. The supply chain is international. One reason why we see groups ebb and flow is that we have had effective law enforcement operations, but sometimes people get concerned that they will get found out and so they change identities or groups. There is quite a lot of churn, much as you would find in any other kind of marketplace. I think what we are trying to describe for you is that this is now a mature system with its own supply chains.

Lord Dannatt: Within that, how do they communicate? How do they message amongst themselves?

Jayan Perera: There is a variety of ways in which they can communicate. We may not see some communication, and it is very hard to get a picture of what these groups are doing, because a lot of what they do is anonymised; it is behind closed internet forums or dark web forums. We know that they have their own closed chatrooms, chat relays, where they communicate with each other. We know that, because they work across border, those rooms are extremely important. Being confidential within those rooms and making sure that nothing leaves them is of paramount importance.

There have been cases in the past where some of those chats have been leaked and we can learn something about those structures. To your previous question, there may be something of a structure, where someone might be in charge of an operation, but who leads the overall group and the overall direction of the group is quite fluid.

Lord Dannatt: If you are talking about leaks, that suggests to me that there is probably a lack of loyalty within the overall industry. I guess some try to steal a march on others, which is helpful and exploitable, I guess.

Jayan Perera: Colleagues will fill in some other gaps here, but we have observed, again taking the Ukraine example, that a number of groups, once Russia had made its kinetic move into Ukraine, started coming out and saying that they were on one side or the other, and that was quite surprising within the cyberspace. We knew that there were affiliations; we knew that perhaps a lot of these criminal groups were not nationally affiliated per se, but quite a few of those elements have come out. Going back to the geopolitical narrative, there are links to what is going on in the real world that have an impact and can cause disruption within some of these groups.

Ollie Whitehouse: To provide a bit of clarity on that, some groups were Russian-Ukrainian in nature. When the conflict started, the Ukrainians obviously took issue with that and provided these insights into how these ransomware groups were operating.

Professor Sadie Creese: If I can build out on that, I think we are talking about the Conti messaging leaks. That particular leak earlier this year gave us a lot of insight for one particular organisation based on the data sample, which was around 60,000 messages, I believe. People have mined that data and made assertions about patterns of work, organisational structures and those kinds of things.

I believe that, in that particular dataset, one organisation said that there are a few people talking a lot and many people talking a small amount. What does that tell us? Maybe they are different people; maybe they are sharing identities. That is not a scientifically large enough dataset from which we could make any kind of robust hypotheses about what this might tell us, but it tells us something very interesting about one particular group, and it really underlines the value of that kind of threat intelligence.

Ollie Whitehouse: Correct. It was a very rich tactical intelligence view of a particular threat group.

Professor Sadie Creese: Yes, which, interestingly enough, has moved on now. Many believe that, because of the leak, people had to change their operational structures.

Q4                Lord Butler of Brockwell: Are all these groups out of the reach of our national law enforcement authorities?

Ollie Whitehouse: The majority of them are—the ones that cause us most pain. Over 50% are attributed to coming out of Russia.

Lord Butler of Brockwell: Are any within the reach of our national law enforcement authorities?

Ollie Whitehouse: Yes, and there are arrests. A gentleman was recently convicted in Canada. They like to go on holiday sometimes. Our law enforcement is very good at playing the long game, waiting for them to arrive in an extradition-friendly country and, at that point, picking them up.

Lord Butler of Brockwell: I noticed that there was a television news report last week, not on ransomware but on a group that was picked up here that organised telephone scams. You get people who are providing their skills to support this sort of criminal activity, but will most of them will be outside the UK in the case of ransomware?

Ollie Whitehouse: At the moment that appears to be the case, yes.

Q5                Baroness Neville-Jones: Thieves are traditionally thought to fall out, greed getting the better of them in the end. Are there spectacular fallings-out among these groups, or have we not seen that kind of behaviour?

Jayan Perera: We are limited by what we can see. From some of the casework, yes, we have seen disputes between the groups. It goes back to one of the points I mentioned earlier: you may not have the same person conducting the encryption operation as the person who got access to the victim company, for example. In some cases, we have seen those two threat actors having a bit of a spat on the dark web about that particular operation, but that is few and far between. There is only one case I can think of where that happened.

There is friction. They probably have their own way of dealing with that within their communities, but it is very hard, again to Sadie’s point, for us to form any larger trends or opinions about that.

Professor Sadie Creese: If I were to make an observation, it is that what we are seeing is not a unique human behaviour. We can expect all the behaviours that we would have witnessed in other forms of organised crime over hundreds of years to be present in these kinds of environments too.

Baroness Crawley: You said that we can expect traditional forms of criminal behaviour but in a new environment, yet earlier Ollie, I think, said that there is no Mr Big in this. There is no leadership, no pyramid. How can it be a traditional set-up and yet working in a celllike form?

Professor Sadie Creese: I do not think we are at odds with each other. Ollie was talking about the global community not having a single Mr Big, and that has been the case for organised crime too. We have lots and lots of organisations, sometimes in competition with each other and sometimes in collaboration with each other. That is the kind of behaviour we have seen over the years. Then you see shifts and some of these organisations fall by the wayside. It is a bit more akin to a normal market and the behaviour of organised crime over the years, yes.

Q6                Lord Snape: You mentioned Russia earlier as an originator of many of these attacks. What other state actors are there that play a major role in attacking the UK? I am thinking of North Korea, for example, which was blamed for the attack on the NHS some years ago. Is it largely Russia, or are there lots of other states that we could point a finger at?

Ollie Whitehouse: It is largely Russia. There are other emerging states, as you have mentioned, such as North Korea. Iran would be another. I do not think anyone is in the same league, as it were, in housing the volume, but there are, naturally, countries that are adverse to us and they can operate from there with impunity, it would appear.

Jayan Perera: The platform itself is quite versatile for threat actors. You have the element of being able to extort

Sitting suspended for a Division in the House of Lords.

On resuming—

The Chair: Lord Snape had asked you a question, but I do not think anybody had really begun to reply. Peter, could you say it again please?

Lord Snape: We had got as far as Russia and North Korea, and then we were distracted by the ringing of the bell. Is it just Russia and North Korea that we should be most concerned about, or are there other countries from which this threat is growing?

Ollie Whitehouse: Russia is by far the largest, with over 50%, that we are aware of, stemming from there. Iran would be another one. They are the sanctions states, in effect. There is ancillary activity from other hostile states, but those would be the major ones. Russia would be a focus.

Q7                Viscount Stansgate: I want to ask first about the type of organisations in the UK that are most at risk from ransomware attacks, or most likely to be targeted. In the light of your answers, I want to explore to what extent we can ever know who they are. One problem that I think we will have in this inquiry is knowing the scale of the problem, because some people simply might not want it to be known that they were attacked. What type of organisations in the UK, in your view, are most likely to be targeted?

Ollie Whitehouse: You have to treat any organisation as at risk of being targeted. As for where the threat actors naturally gravitate, we have very mixed models. We see those that gravitate to larger firms because they want larger payouts, but, at the other end of the spectrum, we see those that want very small pay-outs and work on a volume-based business. There is a diversity there.

You would naturally expect the ones at greatest risk to be those that are less able to protect themselves and invest in cyber resilience. That ends up being, more generally, organisations in distress financially, because they cannot maintain adequate investment, or small organisations that do not have the volume of capital necessary to do what is right.

Jayan Perera: I agree. We have to look at this across the entire spectrum of industry. When they target large firms, we see that they are looking for that large pay-out, as Ollie mentioned. We often find that SMEs or smaller firms are not as well prepared. When it comes to response, they find it much harder to get hold of people to support them. They may not be able to afford cyber insurance; they may not have their own internal information security team. They are often left to their own devices to deal with this type of issue, which is a concern in and of itself; they are not necessarily getting the advice that would otherwise help.

From a larger organisation’s perspective—let us take manufacturing, which is a particular industry that we have seen being targeted—there is a perception that, if there is low-hanging fruit, generally, they will go after that. They are, to some extent, opportunists. There are hackers who are literally looking for these gaps and selling that information on to other groups to conduct the attacks later.

Viscount Stansgate: Was WannaCry low-hanging fruit?

Jayan Perera: I have not had access to the detail behind that, so I would not be in a good position to answer it. There is generally lowhanging fruit in almost every organisation. The key thing we see is that small organisations are less able to pick up the basics of security hygiene, such as having multifactor authentication, a good password policy, and good detection and monitoring capability, or they do not have them at all.

Viscount Stansgate: What is your view about who is most at risk?

Professor Sadie Creese: I would unpack it slightly differently. There are organisations most likely to be targeted—that is one way of viewing this—irrespective of how equipped we believe they are to respond. They will typically be the ones that one can extort the most money from, so very wealthy organisations are likely to be targeted. If you look at recent trends, certain sectors appear to be more targeted than others, including industrial technology, healthcare, legal and those kinds of things, but, as you observed, this is based only on the data that we have.

A large organisation that is going to want to maintain access to the assets that are being held to ransom, for which the group doing the attacking believes it can cost effectively, viably reach its target and does not run too much risk of being held to account afterwards, faces a particular threat. In general, these organisations want to continue to exist and to do business. There are very few examples of organisations that do it once and then go away. They are not single shots. They want to stay afloat. So that tells you something about the kinds of organisations they go after.

In the last couple of years we have seen a relatively new phenomenon where the attacks are coming in through the supply chains. Instead of going after one potential victim with a particular attack campaign, we are observing that it is possible for the attackers to get some kind of economy of scale by going through a supply chain and obtaining multiple victims through one investment. Any one of these attacks requires certain investment in weaponry and resource.

That is shifting the characteristics and that would shift our analysis of victimology, so who is likely to be at risk. Imagine this: the ransomware threat actor groups start using the cloud as a platform, and then they attack one cloud supplier and potentially get multiple victims through it. If we were in a room doing a risk analysis, we would ask, “Who is associated with clouds? Where are there lots of people going into one area that becomes high value as a target for the attack groups?”

Apologies, but there is no simple answer to this. As Ollie said, we are talking about a certain kind of large company victim with large pay-outs, but around 2010 we would have said that the biggest growth of victims was in the SME sector. Back then, there was deskilling of the technical weapons, they were being made available for free on the dark web, and lots of people around the world suddenly did not have to become technical specialists in order to use this weaponry. We have seen a shift in the last couple of years towards much more sophisticated investment in weaponry and the same kinds of larger-scale paybacks resulting from those investments. There is no simple answer.

Viscount Stansgate: That is very helpful. Ollie, you used a phrase at the beginning: “data that we have access to”. In other words, your answers and your knowledge are inevitably shaped and restricted by what you can know about. One problem we will have is how to find out what it is that we do not know. Can you help us on how we can try to find out the scale of this, which may be much greater? People’s gut reaction is that it is much greater, but there must be companies, whether large or small, that do not want it to be known that they have been subject to an attack. Is this a problem in trying to identify the scale of what we are facing?

Ollie Whitehouse: I am not sure that it is. An evolution that we have seen, as Sadie alluded to, is that, as organisations have become more resilient and so can recover from ransomware, the criminals have had to adapt their own strategies. They not only encrypt data now, but they also extort by threatening to leak. That threat of leaking that data works only by having what we now refer to as leak sites, where they advertise their victims and put a clock that counts down: “Pay us the ransom or we’re going to release the data”.

It is those sites that give us at least a window into the world. I refer back to one of the earlier figures: $1.2 billion in 2021. That feels material. If it was an order of magnitude larger, would we care more or less? From the data, accesses and insight that we do have, you can still see that it is a pervasive problem and threat. It would have to be quantums bigger, rather than less, to potentially change your analysis at the end, I suspect.

Viscount Stansgate: Have you turned your mind to what might be the effect of attacks on what you might call our critical national infrastructure, however you choose to define it? What are the types of worst-case scenarios that you sometimes play around with, talk about and could share with us, if it is not too damaging?

Ollie Whitehouse: An initial response would be that we just have to look at what has happened in other countries. If you look at what happened with Colonial Pipeline in the US and then, more recently, down in Australia with both telecommunications and healthcare, you can see what might happen.

When we start getting into forecasting what might be, there are so many variables, but we know that, broadly speaking, we have the same technology bases as those countries. We have organisations that do not look dissimilar. However, we are one of the most mature countries with regard to cyber resilience. We have been at this for a number of decades, so discuss whether we are better placed than most by virtue of that. In terms of the potential implications, outcomes and impact on CNI, one has to assume that anything is possible, and we have to counter that.

Professor Sadie Creese: Reverting to your previous question about whether we have enough data and insight, the threat leak sites give us a sample for the organisations that use that kind of methodology. That is their tacticthe double extortion. They place the pressure and say, “If you don’t pay, well publish here and people will know whatever it is that weve managed to capture from your valuable data”. That gives us an insight into organisations that use that as a method.

There is no reason to believe that other organisations will not use the tactic of saying, “We’re going to share this with your biggest competitor. It’s not going to go on a leak site at all. I’m going to share this with your regulator. I’m going to share it with your biggest shareholders. I’m going to embarrass you in a completely different way”. Unfortunately, as outside of cyber, we do the best with the threat intelligence we have, but we have to recognise that what we have is great insight into a certain kind of operation. We all know that we would be fools to assume there were not other kinds of operations going on.

That moves me straight on to your second question about scenarios of concern. One scenario that concerns the community is this. We are just coming around to recognising this double extortion and the concern about that. It is no longer just that we have our assets denied to us, whether that is our data, web server or whatever it may be. Now they are possibly being shared, so we would have no privacy or confidentiality.

The obvious next step of a triple extortion would be a threat of sabotage. That has to be very concerning, because, in certain systems, sabotage could lead to a threat to physical security or safety of human life. There is no reason to believe that that will not naturally follow as another way of putting pressure on. That has to be a concerning situation, because decisionmakers, when faced with that kind of pressure, will have to factor in those kinds of concerns when they work out what to do next.

It applies a lot of stress into the environment. As we all know, if organisations have not properly prepared for, rehearsed, exercised how it might feel to be a victim put under this kind of pressure, they will not always make the best decisions. We are facing a potential evolution that will become very much more tricky to deal with for any single victim.

One other aspect that we have to be concerned with is a hidden systemic cyber risk. In single sectors and across multiple sectors, there are circles of dependency. The systemic risk could be because we use common technologies that suffer the same vulnerabilities, so somebody can attack us all at once with a single weapon. The simulations we have been running show that that is a pretty acute maximising worst-case outcome for a system, ecosystem or country, for example.

There are very particular dependencies: codependence on energy source, co-dependence on communications provided by ICT infrastructure sources, dependence of transport or finance on energy et cetera. Pick any of your CNI sectors and you would be hard pressed to convince yourselves that there is not some kind of linkage between them.

If we were to witness an attack on a number of organisations, and it would not need to be all of them, in close succession, orchestrated under a single campaign, we might feel some pressure as a nation. We are very lucky to have brilliant people working within the government organisations and the security industry, but that is a fixed resource. I would hypothesise that it is conceivable that, if enough organisations in these critical environments were attacked in close succession, we would find ourselves having to make some difficult decisions, for which we may need policy on how we prioritise resource.

Ollie Whitehouse: I will build on Sadie’s point, because it is well made. Our digital borders do not stop at our physical borders. A lot of our CNI is serviced by overseas IT services companies. That systemic risk potentially does not emanate from within the country. If an event occurs, it is not us deploying people into the north of England to resolve it necessarily. There may be co-dependence on overseas Governments and their services industry in order to support us in bringing parts of our CNI back online, conceptually.

Viscount Stansgate: If you are the subject of extortion, they say, “We want your data. Pay for it”, and you pay up, what guarantee do you have that they have not just kept your data anyway and could use it later to damage you?

Ollie Whitehouse: There is no guarantee, but, as you will recognise, if they show a pattern of that behaviour, people will stop paying. It is in their interests to at least hold up their end of the bargain, one would suggest.

Q8                Baroness Neville-Jones: Could I pursue the issue that Sadie was talking about in her last intervention? That is the question of the extent to which servicing takes place, not necessarily from inside your own national borders but from somewhere else, and therefore how the thing can spread. How well do you reckon that other jurisdictions that are of real value and economic interest to us are protected when it comes to their potential effect on the UK? How much do we need to be worrying about that? Do you know how much we are active in trying to ensure that external access to our systems is minimised?

This is a question of how you co-operate with your allies and how far you seek to go in common homeland security activity. I do not know what problems that poses, but I imagine that there are a number of considerations. I would be interested to know. It seems to me that there is plenty of evidence of sideways effect. You are not the main target, but, by God, you suffer. Would you like to comment on that set of issues?

Ollie Whitehouse: As the UK, we are very proactive. We are celebrated around the globe for some of the firsts that we have done in cyber security. People want to come and learn from us as a country. By virtue of that, those foreign partner nations, which we are, arguably, dependent on in part for certain services, are supported, collaborate with us and all those things. That is very positive.

To the core of your question, are we all at parity? The answer is no, for a variety of reasons: people starting late, where they are in their maturity more generally, et cetera. This will always be a game of how we ensure that, as the tide of resilience rises, it rises at sufficiently even levels across the core dependent markets that we have for service supply and technology supply. Cyber, broadly speaking, is still in the foothills as a science, so we do not necessarily fully know how we will achieve that in reality.

Baroness Neville-Jones: Is there prioritisation of areas that we feel we need to focus on because of the potential effect of cyberattack?

Ollie Whitehouse: Sadie touched on it first. Supply chain security, especially where it breaches national borders, and how we gain assurance over the integrity and their ability to respond as we become dependent would be a good area of focus.

Jayan Perera: That supply chain point is really well made. It cannot just be sent down from a government level. That is something that private organisations need to take into account more and more. Ultimately, the complexity of any supply chain is now growing every day. The number of technical connections between businesses, consumers, et cetera, is growing. There has to be some focus on what the private sector does to secure its supply chain.

To Sadie’s point, we do not know where these vulnerabilities will show themselves. It may not necessarily be directly related to a piece of critical national infrastructure up front within the UK. It may relate to a number of businesses that are part of that supply chain that have that same weakness. That kind of due diligence and supply chain analysis needs to be conducted across public and private partnership.

Q9                Baroness Neville-Jones: You hear some complaint in some quarters that the UK is not as active in regarding ransomware as a national security threat compared with, say, the Americans. That comparison is made, rather to our disadvantage. Do you share that view that there needs to be more activity from government departments that have a strong interest in cyber security? Our CNI, after all, is run by the private sector, by and large, but it could come crashing down and public services disappear, and there is a cost to remodel. Do you think that the state interests itself enough in this international supply chain issue?

Ollie Whitehouse: I think the state has mobilised quite extensively on the topic of ransomware at all levels. If you look at the various lead government departments and the national technical authorities that support them, you can see that there has been increasing focus on gaining assurance over resilience.

The big difference between the US and maybe the UK, if we were to observe one, is that the US has a propensity to indict the actors legally and the UK does not. I would like to think, at least based on what we see, that we are at least on par in achieving real-world resilience, compared to our American cousins.

Baroness Neville-Jones: The comment is also made, however, in rather the reverse direction—that the Americans tend to support their businesses, whereas the UK tends to find fault when somebody gets into trouble. Do you think that is a fair comment?

Ollie Whitehouse: No. There is a dimension of British culture here. More generally, when organisations are hit, as we have seen in local government and the private sector, and they matter, things get mobilised and support is provided. No one goes wanting here. Naturally, there is always a challenge that every country faces, which is how one provides that for the very small. We do not have the equivalent of universal healthcare for cyber today. How do we help the three-person organisation, especially if 100 of them get hit simultaneously? Today, we are seeing emergent models where cyber insurance will fill that vacuum, but discuss.

Baroness Neville-Jones: That is very interesting.

Professor Sadie Creese: Some may not be dealing with ransomware any more.

The word that was in my head was one of scale. It is not so much that I feel we are not engaged as facets of state, but rather that this problem is growing far more quickly and at a scale that we are unlikely to keep pace with. There is something that we need to be doing together, a public-private partnership that needs to address scaling up, whether it is practical help or how we make these systems inherently more resilient from the get-go. If too many of the big ones were attacked in one go, we would find it very hard to deploy the levels of support necessary to avoid very large amounts of harm.

There are specific areas of action that we ought to be considering, such as requiring some transparency. Gaining some insight into the data would probably be helpful on a number of levels. In all likelihood, it would encourage some change of behaviour in the victim organisations to try to be a little more resilient to these kinds of attacks in the first place, because they are having to declare what is happening to them.

I have worked in this industry since the turn of the century. We have always had an issue with not having great data. You see the clients and sectors that you have opportunity to work with. A good example of a particular kind of threat that we know we do not know much about is the insider threat. It has become okay to admit that people are hacking you from the outside. It happens to everyone—nothing embarrassing about that. It is still not perceived to be okay that people working for you would attack you. That looks like you are not in proper control.

When I think about the scenarios that we should be concerned with about ransomware moving forward, we all know that ransomware will involve some kind of malicious software in the victim’s systems at some point. It is that that denies access to the assets. If you cannot get that by hacking in from the outside, you will put it there using an insider. These threats come together and can be very challenging to cope with.

Without good data, it is hard—not to understand the threat, because, as Ollie says, we kind of do. We know that it is big. We do not need an increase in data to tell us that, but we need it to tell us how effective risk control practices are inside organisations of the types that we might be very concerned about as a nation, so the CNI. Some evolution of the benchmarking that we ask organisations to undertake would be good. At the moment, we look for basic levels of hygiene, which are incredibly important, but they are not going to produce organisations that can resist very sophisticated attacks of this kind. We need to look more in the round about how we build the next generation of benchmarks to help the more advanced organisations that have capacity to protect themselves, but where we still need to do more.

The other area I would be looking to is leadership. We still face a world where the boardroom is not populated by people who understand and can debate these kinds of threats very easily. That is natural, but we know that it is leaders who set the tone. They set the agenda. This is as much about the culture of organisations, behaviours and trying to become more resilient, and that comes from the top and the front. We have some way to go, and I wonder whether there is an opportunity to bring these things together.

Ollie Whitehouse: On that leadership point, sometimes when we think about boards we think of the FTSE 250. We have to recognise that that is a small fraction of the total number of businesses and organisations in the United Kingdom. That leadership point speaks to organisations of all sizes. To Sadie’s point, how do we make it truly scalable? How do we get that company that is 10 people, arguably living hand to mouth, to be able to factor in cyber resilience as they would health and safety?

Baroness Neville-Jones: We had a national project about 10 years ago now on both those areas. It sounds to me as if, from what you are saying, we need to return to some of that again.

Jayan Perera: The threat is changing, so it is prudent for us to look at those types of mechanisms and structures to see whether they are still fit for purpose and adjust them where necessary. To Sadie’s point, ransomware presents itself as very different to other forms of cyber attacks that we are used to dealing with.

You can look at cyber-enabled fraud, where someone might get into an email account, change bank account details and send that on. Unfortunately, coming up to Christmas time, we will probably all see examples of that, or attempted phishing emails, coming into our inbox. In those scenarios, a board would typically throw that down to the IT team and say, “Remediate this. Give me a clean new laptop and let’s forget about it”.

The issue with ransomware, regardless of the size of the organisation, is that the impact on the organisation is so substantial. It is no longer just the need to get systems back up online. That is a priority, absolutely, but we have the demand on the table; we have the legal priorities“Do we need to disclose, based upon which jurisdiction?”; we have the communications issues both internally to employees and externally to law enforcement and others. You can see how this plethora of issues starts to bubble up.

When we look at educating and bringing industry along with this conversation, we realise it is a different segment of that employee population that needs to be educated. To Sadie’s point about the board, it is about getting them comfortable and having the muscle memory of dealing with those issues, even if they are not the technical experts. They do not need to be, necessarily. They just need to know where to go for that help and how to bring it in.

The Chair: Can I just ask you something, bearing in mind everything you have said about transparency? You might say, “We wouldn’t know”, but do you get the impression that a lot of these organisations and states respond only when they have actually experienced an attack and, before that, are not sufficiently aware?

Ollie Whitehouse: You would recognise that, in certain organisations, cyber is but one risk on the risk register. It will be treated as would all the others, but it is probably fair to say that it will often be given higher priority and more capital investment post an event.

Professor Sadie Creese: It has always been so.

Ollie Whitehouse: Never waste a crisis.

Q10            Lord Dannatt: I was going to ask you, but I think you have largely answered, how much support we give victims, both the Government and agencies. You may want to say a bit more about that.

On the other side of the coin, and again you have alluded to this, would it be helpful, at least in gathering more data, if there was a requirement—perhaps a legal requirement, although I am not quite sure how we would shape it—on victim companies and organisations to report to the National Cyber Security Centre or the NCA that they have been the victim of an attack? That would certainly amplify the data and we would probably have a better feel for the size of the problem. It might also help the leadership issue on boards; if we know we have to report it, we will report it, because it is our duty.

Jayan Perera: There is a need to demystify law enforcement’s engagement and support of victims. In some cases I have dealt with, there is reluctance to get law enforcement involved, because they do not see the direct benefit of that. That broadly comes down to their awareness. Our role as advisers is to bring them up to speed and get them aware of that, but as it stands it is ultimately their choice as to whether they report to law enforcement. If they felt that it was relatively anonymous and it was not handing themselves in to say, “We’ve made a mistake”, perhaps there would be more sharing there.

I am sure Ollie and Sadie will have more to say on that, but that relationship needs to be explored in more detail, because I am confident that there is more we can get from those conversations. The question is how much is enough to get some meaningful results and start changing the tide on this, versus how we protect the victims of this so they are not the ones penalised for these incidents.

Remember, we still live in a very regulated world, with GDPR in Europe and other data protection regulations all over the world that companies are trying to balance with this risk. The fear may not be that law enforcement will come and slap the handcuffs on them, but more that if they disclose to some form of public sector organisation that will then lead to other broader fallout in terms of the regulatory environment.

Lord Dannatt: I can see, going back to the earlier point you made, that it is easier to report an external attack. We are much more hesitant to report an insider attack in comparison.

Ollie Whitehouse: To build on Jayan’s point, you recognise that the world is complex here. We have a regulatory landscape; we often have victims who do not want to lose control and who sometimes perceive, incorrectly, that engaging law enforcement is losing control. The world is unclear at the moment about legal liability and contract liability. If you are a data processor on behalf of your customers and, through the course of a case, you are found wanting in cyber resilience, what commercial exposure does that create for you? Again, it is a patchwork of potential outcomes and enforcement mechanisms here, which complicates it for very sophisticated organisations. The small organisations struggle to know where to go sometimes and do not realise the value that the police can provide.

Professor Sadie Creese: Switching to a slightly different topic of reporting, it would probably be very helpful to introduce some form of reporting on the positive initiatives, the use of risk controls by organisations. I talked about benchmarking. It would encourage thought to be given to how to invest. It would be very useful for senior leaders to reflect upon how they compare to their peers and ask whether enough has been done: “Have we exercised enough? Have we prepared enough?” Trying to encourage that kind of behaviour in organisations will begin to stimulate investment that should build cyber resilience. Ahead of the bad thing happening and whether you report an actual incident, it would be very useful to try to bolster the defences of the CNI by encouraging that kind of reporting.

I would encourage us to do it in the round. This is not just the use of technology. This is as much about people, leadership, communications and planning as it is about technology. It is orchestration across all of them, and any kind of reporting would really seek to look at all these aspects.

Ollie Whitehouse: Sadie has balanced the conversation well. We have been talking about incident response, but there is also the proactivity piece about how we make organisations resilient. There is a question here of what reporting there should be on near miss incidents and what we can learn from that. Why were they a near miss and why did they not manifest? Importantly, we will only get organisations to engage with any of these reporting requirements in the spirit in which they are intended if they get some protection and some credit for doing so. Otherwise, it will be done through the most expensive lawyers to the crispest, most exact language necessary as stipulated in legislation. What we want is a culture that is open and engaged on this, where we share this and we have a culture of cyber resilience, much like aviation has a culture of safety.

Q11            Richard Graham: Can I just come back to one or two of the useful insights you were sharing earlier? Ollie Whitehouse, I was interested when you said that everyone should have confidence in being helped if they suffer one of these ransomware attacks. I am just interested in your time definition of everyone being helped. To give you some perspective, my own local council was cyberattacked. It is now over a year and their systems are still not up and running. It is great that they are being helped, but it would also be great if it was a lot faster.

What, in your experience, is the timing of help given for a ransomware attack?

Ollie Whitehouse: That varies. It is a piece of string. We see organisations that are able to recover in a matter of days and weeks with a good team. We have seen customers that have tried to recover from ransomware, have not successfully got the threat actor out and have been hit again before they have even recovered in the first instance, so have had to restart all over. This is a multidimensional problem, because there is the security and law enforcement response, and then there are IT engineers understanding business processes and the recovery of all of those. I cannot speak for your local council specifically, but there must be some complexity there. It would feel anomalous to be that long.

Richard Graham: They are only dealing with the systems. They do not have the additional ransom overlay, so I am just interested in the timing aspect.

Professor Sadie Creese: All our research shows that the longer you allow attackers to persist inside your system, the longer this goes on, the more harm and loss there is. Intuitively, if someone is inside your system, they can benefit from serendipity. They may have been there and selected that asset to hold to ransom, but when we investigate how the cost builds in the face of ransomware insurance claims, for example, we find that quite a lot of it is in the forensic investigations that follow. Somebody has to call time on what else they did. Have they left a back door? Is there something else they have done to our system? Of course, you cannot prove a negative, so somebody has the difficult decision of saying, “We’ve looked enough”. It does not mean to say that around the next corner there was not another fact to be found. Your observation is incredibly important. We are really dealing with scale and pace issues.

Ollie Whitehouse: I will just come back to your local council. We recognise the acute challenges that local councils face in balancing budgets. That is not distinct from the distressed debt companies that we see. We see companies in distressed debt situations, they are taken over by a new owner, and they often feel the impact of ransomware the most because they have had a period of underinvestment and do not have the people on staff to allow them to recover in a timely fashion.

Richard Graham: Sadie Creese made a point about transparency of data and more being available, perhaps particularly to the corporate sector. Is there a great deal of training offered to the corporate sector, perhaps particularly by the NCSC, that would be a good place to share some of that data, in terms of bolstering awareness and the leadership challenge that Sadie Creese mentioned?

Ollie Whitehouse: The NCSC produces a variety of tools, from the board toolkit through to tabletop exercises and everything else. We have all the materials there. Indeed, police and certain local law enforcement use that in their outreach programmes. Again, the question is how we touch every part of society with what we have today.

Richard Graham: Is that increasingly a part of the corporate requirement? Just as large corporates in particular have to go through diversity and equality training, is there now a requirement on them to go through the equivalent of ransomware training, for example?

Ollie Whitehouse: There is no requirement today. You recognise that there is a greater expectation in more regulated markets, but on the whole there is no set of key requirements that you must have a non-executive director sufficiently skilled in cyber to challenge the operational board and that your exco has practised crisis response for ransomware in the last six months.

Richard Graham: It might not be a bad thing.

Ollie Whitehouse: We do not have the level of stipulation that we have on other risks.

Jayan Perera: When we look at how businesses exercise in that space, there is obviously a lot of value in doing that at the board level for that specific organisation.

Coming back to the broader point about the supply chain, there would be a lot of value in government and law enforcement leadership having more focus on industry-wide exercising, which may not be as granular. It may look not at a company’s specific systems but at the interconnections between systemically important industries, for instance. That happens in the UK, but we can do a lot more there, particularly in taking smaller organisations though that process. When we look at the supply chain, often we have large business, large business, large business, small business, large business again. That smaller business gets forgotten, but it can be the weaker link.

Q12            Richard Graham: Can I follow up with one other aspect? Earlier, while I was in the meeting virtually rather than physically, I heard you all say that the majority of these threats geographically have been analysed to have come from Russia, North Korea and Iran. Is there any other evidence of such ransomware attacks coming from any other part of Asia? If not, is there a curious opportunity, almost, to work with other nations in Asia that might have capabilities and a similar defensive requirement to make sure that their defences are as strong as ours against these ransomware attacks, or is there a greater threat in having these discussions more widely because then there is more awareness of each other’s skills and potential weaknesses?

Ollie Whitehouse: To be kind to our future selves, we should engage anyone who can help us. There is enough information out there that, if anyone wants to do this or defend against this, they probably could do today. Co-opting any partners to help is probably the prudent thing. We are not going to be disclosing any national security secrets by engaging on this topic.

Richard Graham: Does that happen? Are we doing that quite well?

Ollie Whitehouse: We do today. We see enough organisations coming to London and we visit other countries. We sign joint statements and those types of things, but we can always do more.

Richard Graham: Has that happened for you as well in the commercial sector, Sadie Creese?

Professor Sadie Creese: Do you mean among companies?

Richard Graham: Yes. Are you looking quite far and wide to see where you can benefit from each other’s experiences in tightening your defences against the latest attack techniques?

Professor Sadie Creese: I do not work for a commercial organisation and I cannot speak for the whole sector, but from where we sit in the business school we certainly see lots of sectors collaborating. Indeed, in the UK, when I was working in a commercial company we benefited from the Government bringing sectors together so that we could share insight into threat and vulnerability. The research shows us that sectors that have trusted communities of sharing fare better, because if they can share the threat intelligence ahead of when they fall victim, they stand more chance of hardening their defences, so it does work.

In fact, where it does not work and they do not listen to each other, we have seen some very high-profile not ransomware but insider threat activity float across one of the CNI sectors. They were not listening to each other and, indeed, the same attack popped up at another two very large organisations in that sector. Now, they listen to each other.

Wherever there is sharing, provided it gets ahead of the pace at which the attacks are coming at you, there is huge value. From everything I know from working among the wider UK community, we have lots of strong relationships internationally, which is incredibly important. Given the nature of the global supply chain of threat actors and the global threat community, it is hard to imagine that we could ever have as good a defence as a single nation as we would sharing with others.

Richard Graham: I hope, Chair, that we will be able to bring that point out in the report.

Lord Butler of Brockwell: Which department leads on the international cooperation within the British Government?

Ollie Whitehouse: I would guess that it is the FCDO, supported by the likes of the National Cyber Security Centre, but I do not know for sure.

The Chair: We are talking about how people cooperate. What responsibility lies with IT and cloud providers to close vulnerabilities and block malware?

Ollie Whitehouse: There is a lot. We recognise that cloud providers are a net positive. When you take away from small businesses the burden of trying to manage IT, for which they are ill equipped, they generally provide a net security benefit.

Q13            Baroness Crawley: It was heartening to hear you say a few moments ago that we were up there with the US in our response to this threat, but you must know that there have been critics certainly of the Government’s approach—I am not talking about the private sector at the moment—being too slow. I read recently that a cyber news outlet called The Record, talking about the sprint that the Home Office undertook earlier this year on this issue, said that the focus was more on the Government’s starting point than where it finished in talking about the complexity and scale of this issue.

Do you think the Government have been slow? What advice would you give them? How could you see government coming together on, say, reporting, which sounds like a very important issue to me?

Professor Sadie Creese: We can always say that we could be quicker at things. I do not think we have been particularly slow. I would view it differently. I cannot see how we should be pulling out ransomware as a particular threat. I would be looking at it more broadly as cyber threat and cyber resilience. Ransomware will continue to evolve. I predict that it will converge with many other classical kinds of attacks, including malware inside hardware and insider threats in the form of humans. All these threats will come together.

I appreciate that there must be situations where people feel that we are not as well prepared for a particular threat. That has always been the case. In hindsight, we could always have started earlier and done more, I am sure. I would encourage us to use the concern about ransomware to move forwards on cyber resilience more generally, because ransomware will incorporate lots of other kinds of cyberthreat. A positive move on benchmarking and changing behaviours on reporting will be really helpful to us.

Jayan Perera: There is a fine balance there too. When we are working with clients, we always say, “You want to go well, not go early, with your communications and your strategy”. The same is true perhaps of the national strategy on this. Yes, we do not want to take too long to come up with the approach, because it leaves victims in the lurch who need support as we go forward, but we have to make the right decisions and not become overbearing about victims reporting, for example. If we get the balance wrong, we will end up with fewer people wanting to report because they feel that it is a punitive measure.

Of course we would love to go much more quickly. We would love to have a strategy that has real impact real now. To one of Ollie’s points earlier, we are still in the early days of cyber. We are still learning a lot as we go. We need to find the right balance between protecting the victims and getting that intelligence across without stifling the other cooperation that is required.

Ollie Whitehouse: It is unfair to say that government has been slow. There are government departments that have been working on this problem for five to 10 years in various guises. Those who would look to lay criticism may be clamouring for the silver bullet. The punchline here is that there is not one. There is hard graft, and there is a considered plan that has to work for every type of organisation in this country with various level of maturity and capability. One does not rush to that answer.

They may look to certain government departments and ask, “Where is it?” It is not there, because it is really hard. It will come in time as we learn more, as we make cyber a scienceto Sadie’s pointand as we understand what is evidence-based and what works in the real world, versus jumping to a strategy that on the face of it sounds great but in fact does not realise the benefits we seek.

Professor Sadie Creese: I do think we are underinvested in being able to meet scale and pace, but we are not unique. We are still a leading nation, but that is where we should be focusing. I think we will be outpaced and face a significant upsurge in very tricky attacks that are hard to deal with at scale, which is going to cause us some pain.

Ollie Whitehouse: Just to echo the point we made earlier, even if we were impervious, our foreign suppliers would not be, so we would just displace the problem. When we think of a national response, we have to be very cognisant of how we help everyone we are dependent on, maybe not to be at the same level but to not be several generations behind. Otherwise, we will not achieve much.

Baroness Crawley: This may seem quite naive, but do you see the silver bullet route being, for instance, a prohibition on ransom payments? Is that unrealistic or something that could happen 10 years from now?

Ollie Whitehouse: I personally do not see it. Criminalising victims will not stop it, because, going back to my last point, all we will do is force them down into our supply chain where it is not prohibited to pay it. We will still feel the aftermath but lose all the control.

Jayan Perera: I agree. Again, we do not want to penalise victims, and the threat actors manifest in various ways. They may not target us in the same way, but, to Ollie’s point, they will go down the supply chain. They will go to our allies or to the cloud providers, as you mentioned, and we may not have an approach for dealing with that, because we perhaps feel that we have somehow blocked this off but actually we have become woefully unprepared. There is generally a need for us to feel at all times a prudent sense of vulnerability. It is about saying, “Yes, we want to get better and to invest in those systems”, but I do not think that at any point we want to say, “We know we’re 100% ready to go now”. That is the same for any risk, but for cyber in particular it needs to be brought up to government as well as to executives of companies.

Professor Sadie Creese: The question we reflect upon when we talk about trying to prohibit ransom payments is that we are really trying to disrupt the threat actors and the value they seek to achieve. These points are really well made. It is very likely that we would push these things underground and have less visibility, but I would agree that making it harder to make money seems to be a very sensible way forward. Therefore, perhaps we ought to be trying to make it harder to move and to hide the money. Certainly, cryptocurrencies are a big enabling technology for this particular kind of threat. It might be worth looking at whether we can make it harder for threat actors to gain financially.

Ollie Whitehouse: I agree wholeheartedly here. Going after the supply chain, for financial settlement and otherwise, is where international sanctions can be useful. Where we find certain legal entities that are facilitating this, that could be a national response.

Baroness Neville-Jones: In relation to that last point about making it harder for them to actually get the money, does this get us into regulating the bitcoin world? It seems to me that part of the issue is the flows at the moment, which are wholly unregulated and not controlled.

Professor Sadie Creese: Yes, we should certainly be looking at the global financial system in terms of response. That, of course, brings us immediately back to the fact that you cannot do this as a single nation. This is a global system, and it rather feels to me that, as an international community, we should be looking to that.

Viscount Stansgate: Does that mean that the recent collapse of the exchange might be a helpful development?

Ollie Whitehouse: There are many others. That one collapse in Bermuda will potentially cause a little disruption, but there are many similar bitcoin and cryptocurrency exchanges around the globe. A number of them are based in Russia, which we cannot touch.

Jayan Perera: They tend to protect themselves from fluctuations by setting the ransom amounts in dollars, pounds or whatever it is. Yes, they run the risk that if they do not clear those funds within a certain time they suffer the wrath of the market, but they tend to make sure that they get that in a dollar amount before they actually ask for the amount itself. If they did it in the cryptocurrency and, say, negotiation took a week or two, that could have a significant impact.

Viscount Stansgate: You said that America tends to indict and we do not, but why not? Is it that it is just so difficult?

Ollie Whitehouse: I do not know.

Q14            Baroness Crawley: Could I just ask about a governance issue? You are all experts in this area. Looking at government at the moment, do you think there is enough joined-up thinking between departments? Does there need to be more leadership by departments? What advice could you give?

Ollie Whitehouse: I would say from the forums that I have been invited to as industry that all the government departments are there. There is clear leadership on the issue. It does not feel like I am having four versions of the same conversation with different audiences. I am having one conversation and they are generally all in the same room at the same time, obviously with slightly different lenses because of their focus, be it strategy, implementation or whateverat least from my perspective.

Jayan Perera: I may have a slightly different perspective on what all those conversations mean for those who have to go through a crisis themselves. We need to start getting more support for victims in some way, shape or form. When we work with clients who are going through this problem, they are often not clear about where they will get support from government and where they will not. There is no problem if it is clear that they do not meet a metric such that they get direct support from the NCSC or the NCA or somewhere along the line, but I think they feel left out of that.

It is quite interesting, because we are connected within the industry as providers in that space, but a lot of our victims are not; they are nothing to do with cyber security. That is an area of focus when it comes to pushing the good news stories that we already have, as well as the new developments, towards the broader public, as opposed to just having it among us as a security community.

The Chair: Thank you for coming to give evidence, all of you. It is much appreciated.