 Good morning. A very warm welcome to the IIE webinar on cybersecurity and EU strategic autonomy, coherence and capability challenges. This event is part of a transnational project with think tanks in the Netherlands, Denmark, Sweden, which is coordinated by the IIEA and supported by Google. My name is Joyce O'Connor, chair of the IIEA digital group and moderator of today's event. I'm absolutely delighted to welcome back to the IIEA our distinguished speaker, Professor Kieran Martin. You're very welcome, Kieran. I'm really pleased to see you again and thank you for taking the time out of your very busy schedule to be with us today. And we appreciate this very much indeed. And we look forward to your presentation. Kieran produced an excellent paper for the IIEA cybersecurity and European strategic autonomy, which is available on our website. He produced this in May this year. So in today's event, he'll present the key points from this paper, as well as talking about some recent developments since May in EU cybersecurity. He will conclude by talking about the choice facing Europe caught between two technospheres, the US and China, and Europe's own ambition to become a global digital power. Kieran will speak for approximately 20 to 25 minutes, and then I will go to your audience for Q&A. And as you know, the Q&A functions at the bottom of your screen. Please feel free to send in questions during Kieran's presentation as they occur to you and I'll come back to you once Kieran finishes his talk. As ever, today's presentation and Q&A is on the record. Please join our discussion if you want to on Twitter, the handle is at IIEA. Professor Kieran Martin is currently Professor of Practice Management of Public Organization at the Blavatnik School of Government and Oxford University. Prior to joining the School of Government and Oxford University, Kieran was founding chief executive of the use case National Cyber Security Centre, part of GCHQ. Professor Martin led a fundamental shift in the UK's approach to cyber security. He successfully advocates for a wholesale change of approach to cyber security towards a more interventionist posture. This approach was adopted by the UK government in the 2015 National Security Strategy, leading to the creation of the National Cyber Security Centre in 2016 under his leadership. In his 23 years career in the UK civil service, Professor Martin has held senior roles in the Cabinet Office, including Constitution Director and Director of Security and Intelligence in the Cabinet Office. His work has been recognised nationally and internationally, receiving awards and honours in the UK, the US and elsewhere. Kieran's knowledge of public finances, national and international security and central bureaucracy is a rare combination of expertise and experience. So Kieran, you have the floor now and we look forward to your presentation. Thank you so much Joyce, good morning everyone and thank you for joining me. Thanks to the IIEA for having me. I learned in my previous job in the UK government never to underestimate the IIEA. I recall a wonderful morning in Dublin in around 2018 where a small number of opinion formers had been gathered for a private round table on cyber security. And afterwards I'd agreed that there'll be a small event where I would do some public remarks on the record because and of course I was a serving senior member of the UK government at the time. So when the door opened to this small gathering which turned out to be 150 of some of the most influential people in Irish technology and other aspects of national life. So I was really somewhat shuddered and did a double take. I know there are many eminent people and a large number of people listening in, but this time hopefully I have learned my lesson about the IIEA's convening power on important subjects. So I was privileged to answer their request back in what became a publication in May for a contribution to a series of studies they were looking at on the EU and technology. And they asked me to write something on cyber security and European strategic autonomy. And I chose to focus on two issues one is the coherence of the EU's approach to cyber, and the other is the influence between that and capabilities. Through two quite different contestable to just my opinion, you may not share it and we that can come out in questions. But I hope reasonably significant conclusions. One is around the coherence of the EU's efforts on cyber security in the midst of a bunch of harms that can happen as a result of malevolent cyber activity from hostile powers criminals and a range of other people. The conclusion of coherence is that there is a technocratic question for the EU and its member states about at what level does it want to do cyber security. What does it want to leave to member states and what does it want to in effect federalize that is a fixable technocratic challenge but it needs answering because otherwise if you do it unconsciously. This is one of my view suboptimal outcomes and I'll say a little bit about how that choice manifests what sort of harms it's trying to counter, but additionally, where it has somewhat stumbled into so far into quite a messy alignment between allocation of responsibilities between member states and central EU wide authorities. So that's the coherence point how do you configure if you like the capabilities 27 member states and a unifying central set of institutions to do cyber security. And what does that tell you about the strategic autonomy. Then you get into the much more important question and much more difficult question in my view which is about capabilities and in essence the quite provocative question. What form of autonomy ultimately can Europe have when you're basically using other people's technology. There is some indigenous technology in Europe in the European Union in the UK in the continent of Europe, but we are as Joyce said now sandwiched increasingly between two technospheres a US led block and a Chinese block. As Friday evening, I was talking to a former digital minister of a smaller EU member state who was talking about the EU's ambition to be a global leader in the regulation of AI. My simple rhetorical challenges. How far can you be a leader in anything by being a leader in its regulation but not in its development and what are the implications of that for Europe. I'll take those two and turn with some reflections on each and trying to weave in where I can significant events since May whether they do or don't promote the general thesis I'm imply I'm advocating. So first, let's go to coherence and if as if you're in my position in the period sort of 2014 to 2020 when I set up and led UK's National Cyber Security Center. It was a somewhat odd position from which to watch developments in the EU cybersecurity given the UK's initially full participation then half membership in the departure lounge and eventual departure at the beginning of 2020. That in some respects give me quite a valuable perspective on the way that the EU was developing on it. And one thing I would say around cybersecurity influence globally is that national capabilities give you a ticket and not having those national capabilities don't. So, if you like, in operational cybersecurity between governments, Europe, the most important mechanisms in Europe are largely private, not talked about much. They're largely voluntary and they're largely voluntarily multilateral. There are all sorts of little groups of institutional cooperation between the UK and CSC the French the Irish authorities and so forth, little mini groups and so forth. And often I'll come to this in a little part they're not highly dependent on the treaties of the European Union, because their national security organizations and therefore exempt. And as you might expect, in terms of national cybersecurity capabilities, three of the most powerful in this continent are Germany France and the United Kingdom. I start by this rather glorious incident in 2017 at the Estonian Digital Summit in Tallinn. Estonia as you may remember had an extended presidency because the UK post referendum give give up the six months. And we've had a very interesting discussion between me and my French and German counterparts around trilateral security cooperation between the three big powers. And I knew for full well this would happen. You know, I was not allowed on stage with them because of the UK's position vis-à-vis the rest of the European Union at the time. So I happily embraced the role of bad smell at the conference, at least in public, and the French and German, my French and German counterparts went on stage together and what followed was extraordinary. I had been talking privately with my German counterpart, Arna Schoenbaum, the head of an organization called the BSI, who was scathing about the EU's latest national mandates for its member states on cybersecurity, because essentially in the words of a member of an academic from the University of Levain, Germany was being required by Alexander Samojenk is the name of the academic Germany was being required to replace a more advanced cybersecurity strategy with a less advanced one if it took the commission's regulations. And seriously, the commission's ambition was to level up to use a British politics phrase at national cyber capabilities. But in doing so was actually constraining what Germany which had been doing this to a high degree of capability for years was being was being asked to do. And I sort of said you're not going to say any of this on stage are you and he said all of it on stage and actually led a denunciation of if you like Europeanization of cybersecurity at the expense of some of the more capable member member states. And this I think is a really interesting illustration of the problem. You've dealt with cybersecurity as I have for many years and you look from a nation state perspective at the sort of threats, what you have ranges from profound matters of national security, often, if not covert, reasonably classified, requiring high end national security capabilities, some of which will be secret, often an intelligence or Department of Defense type of context, all the way through to criminals hacking bits of data of commercial companies in a very obvious and open and open way. And therein lies the challenge of doing cybersecurity at EU level. Because part of this, and nations like France feel extremely strongly about this as perhaps, surprisingly to some of you do Germany has shown by the talent anecdote. And they engage profound matters of national sovereignty, which they will be very reluctant to get away very reluctant to share. On the other hand, the other end data breaches etc etc. And of course Europe has been a world leader in data regulation for good or ill with the general data protection regulation of 2018, all the way through to matters of digital trade which lend themselves very obviously to leadership at EU level. So if you're worried about Russian state espionage and national parliaments, which is a has been a consistent problem across all areas of the European Union for many years. Most countries will default to doing that at nation state level. If you're worried about an apparent French, apparent attack all by Russia on a French TV station in 2015. The instinct will be to deal with that at member state level. And even that specific example France takes a very different approach to the issue of attribution the public accusing of a hostile power of malevolent cyber activity France doesn't do it as the Baltics do the Scandinavians do. So the significant, if you like tensions and differences of approach between them, but they'll want this, the national freedom the autonomy to do that themselves. On the other hand, in the digital single market, how can you regulate against data breaches, how can you put together different approaches, you'll want something unified. Now there have been some significant development at EU wide level something called the news directive and they're now two of them network information systems has some harmonized approaches for the regulation of critical national infrastructure across across the Union. Increasingly, and there's something called door of the digital operational resilience act has harmonized expectations for cyber resilience amongst big financial institutions. But again, to go back to the German criticism of this. What cannot be ignored is the variance national capabilities. Now one of the difficulties in cybersecurity is actually assessing how good people's capabilities are and there are various organizations that try to do league tables of international capability and cybersecurity and they're but the international telecommunications union is one of the more respected and authoritative lists. And what's interesting is that of the top 20 ranked countries in the world and the most recent index in 2027 are in the EU is Tony Spain, Lithuania, France, Luxembourg, Germany and Portugal. And nine are outside the top 40, and a further six are outside the top 50. And it tends to be the further north you go. The more capable it becomes, sadly I'm afraid to say the exception in the last ranking is Ireland, which, which placed them 54th of the government since the HSE hack has placed significant investment and reforms and we'll see how that goes. So what you have is if you like a central, the central European functions increasingly putting in place e wide regulations on this, but in very, very different national capabilities needed to make them a reality. So in other words, one of the risks is that they're not sophisticated enough for Germany which is frankly incentivized as its head said in 2018 to do its own thing. And perhaps the two challenging for some of those lower down the scale, and maybe they're aimed at those and bringing them up to a basic minimum standard. One of the two discussions that I think that one of the two discussions that you will need to have more strategically is which parts of this do you genuinely believe are best left to national authorities, because there is an element of this, just as there is in defense, where countries will be more and more and send will be incentivized to do at least some of their own thing. There are parts of this that are very obviously around the digital market where it'll end itself to regulations, but how do you then make sure that you're not penalizing those who've got a head built good digital defences good ecosystems for digital defences and so forth. And the second challenge is what you do at a wide level. There are bodies in the Athens based cybersecurity agency which sets sort of regulatory standards. And there is something called a search computer emergency response team which is increasingly under international practice, a required function for every nation state to have in the US has one. There's an intelligence center set up by the external action service, but relative for example, to a France to Germany to a UK, they're very small organizations in terms of personnel and and and expertise. So what is if you like the balance between eyes and stomach of the EU, in terms of its capabilities and how does that relate to member states. Now so far, I'm actually going to because that sort of brings me to the end of the first question on coherence, if you like, and if you like national capabilities. And so far, you know apologies if you find it rather boring. And the reason to say that is that everything I've said so far is I think makes for an interesting technocratic discussion about some fixable problems. I don't think there's anything than what I've said that is an extremely sort of cumbersome intellectually difficult long term policy challenge. There's a bunch of choices, and then investment and reforms and institutions and practices arising from those choices. But there's nothing that complicated about deciding on the right balance and the your and the EU institutions and culture to do this and all the topics for decades now about finding the right way of configuring a bunch of capabilities regulations and relationships about how to do this. And you can take your own view as to how that should be done. But alternative capabilities of a different sort and by this I mean in a sense the building and operating of technology. And this is where I think Europe has got a has got a much more fundamental problem. And by this I will probably lazily and unintentionally interchange the European continent, including for example the UK, and Switzerland and others, and the European Union because frankly, I think whilst the solutions may be different because of the usability to act at 27 and other countries, not having that ability, but the problem is actually the same. The fundamental problem is that the tech revolution has been driven by people and institutions and companies that aren't here that are not in this continent, whether in the EU or out of it. So the top 20 tech companies by market cap in 2020 10 were American five were Chinese and the remaining three were Japanese Korean or Taiwanese, that is should no surprise to anybody. Major part of the technological market by my reckoning, where your place is significant role is the highly faltering telecoms infrastructure market where the two Scandinavian giants of Nokia and Ericsson are globally strategically important companies that register in the Beijing, their fate for good oil matters. We saw that with the 5G controversy. The mismanagement globally of the telecoms infrastructure market over recent years has been really really striking. And these companies are there but they are the exception in the paper. For example, I've given a separate analysis of national security requirements in the UK and France and how they relate to data hosted in the US. So, essentially, for purposes, principally but not confined to counter terrorism, the ability to analyze data on suspicious activity is hugely constrained by US law, and ultimately because of the headquarter location of a lot of these companies, American law, the special protections for US citizens for communications, transiting in and out of the US, which basically all communications do have placed great constraints on the sovereignty and strategic autonomy of other countries. We have contrasted the contrasting fortunes of the UK and France in seeking an effect and negotiated arrangement for special access to data held by US companies, known as the Cloud Act. The UK has achieved one the French have not. That's not to say that there's something special about the UK's position, although as a five eyes partner, it does give the UK both access to greater security data and indeed some more leverage in discussions in Washington. But the fact is you have two other permanent members of the Security Council who are both nuclear powers, in effect having to go and beg the US Congress for access to data that they didn't vital for national security. That's not strategic autonomy for either country. But that's the way of the world. You will think back to the outrage in many parts of Europe, particularly in Germany after the Snowden leaks, and lots of talk then about in effect trying to make sure that the way Europe used the internet did not lend itself to such things in future. That talk lasted a few months before dissipated on the grounds that the technology is not there. There is no possible viable way of doing this. Now that doesn't leave Europe powerless. It is half a billion in the EU it is nearly half a billion by global standards wealthy internet users. So there is mileage in being a regulatory superpower. The EU has shown that in data. It has enacted one of the most forward leaning and indeed might be absolutely welcome in terms of global cybersecurity set of regulations on the Internet of Things in the world. And this is really important stuff. Essentially, one of the big problems in cybersecurity has been the exploitation of intrinsically weaker technology to give you an example. There's a major attack which affected Twitter and Amazon host of other household names on the East Coast of the US in 2016 and the way it was done was hijacked a bunch hundreds of thousands of CCTV cameras and just pointed them at what's called a DNS provider. Essentially think of the phone book of the internet took it down. So all this traffic on Twitter and Amazon didn't know where didn't know where to go. And so essentially the services collapsed. And the way those CCTV cameras were hacked was that they were the default password on them was password. And even if you notice that the technology that cameras were built so you couldn't change it under the EU regulations that is now illegal to sell such stuff that's really pioneering and really good stuff so there is agency for Europe in being a regulatory superpower but it only in my view takes you so far. And this is where you're going in effect, as per this so called cloud act where you're in effect, I'm a supplicant to, you know, to US led sphere. But more importantly, I think you're beginning to detect in the transatlantic tech dialogue. There's potential change in US attitudes and I'll just, I'll come to that in a minute. We can talk a bit more in the Q&A about, you know, the sorts of threats we're trying to encounter, we're trying to counter. And there are all sorts of criminal threats are, you know, as everyone in Ireland knows from the health health services executive outrage last year, there's a problem with Russian organized criminality. There's malevolent North Korean activity against financial institutions, there's lots of Iranian spying and so forth. But the two most common threat actors we talk about the Russian state and the Chinese and the Chinese state. But here I need to bring attention to an important difference between Russia and China. And I said this many times before the war showed up some of Russia's perhaps limitations as a as an aggressor, but it holds even more true now. When it comes to our technological ecosystem, it is now very fashionable but no less true for that to say that when it comes to our sort of digital security Russia is severe bad weather, but China is climate change. And this matters, because in a sense what Russia does is cheats on America's internet. Okay, so it's, it doesn't have anything of its own. It, it spies, it disrupts, it hacks into essentially technology built by the US and its allies. So your job there as a defender is to try to reduce the number of times are successful and reduce the impact when they are successful. So it's conceptually easy operation it's very, very difficult to the first part of the conversation. And it can be, it can be very difficult and it requires lots of careful organization and so forth but conceptually it's quite simple. China is now completely different it does all of that stuff that Russia does it spies, it steal stuff, etc, etc. And it also has now built an alternative set of technology that work differently they lend themselves much more to state control. They have gigantic companies that can do all the data processing they can do all the infrastructure, and so on. And there is now if you like a, some people use the phrase tech Cold War. It's not a phrase I particularly like but I can't think of an alternative other than these two technospheres. They're now in effect around the world, including as we saw over 5G and a con in Europe a contest between the US led block and the Chinese led block for supremacy. Now, in that scenario, my judgment is that Europe will default to the US led block, but rhetorically, and I stress rhetorically, there's a lot of talk in Europe about why are we in this position, and shouldn't we have our own strategic autonomy so we can take our own decisions. And I'm afraid the answer to that at the moment, by and large is no, other than in some aspects of regulatory policy and a few bits of telecoms infrastructure, because the capabilities aren't there. So in a sense, one of the things I noticed in the regulatory discussions is a sense on the US side that look, whatever you whether you like Facebook or not, some most people don't whether you like various other US tech giants. The beast, if you like, is, is not US tech. Based with the choice between a US led tech model and a Chinese led tech model, it is obviously more closely in line with the EU's values and Europe's values as a whole to go with the US model. And what choice do we have if we don't have anything of our own being being built in that. So I think that's something for Europe to watch in future the limitations of being a regulatory superpower, but also frankly the importance of thinking about what is built and run and operated from within the continent itself, and it gets very very hard. It also, and I think the US are finding this themselves. It is, and it is a hard set of policies and practices to get right in liberal market democracies. I mean the Biden administration and I just passed an extraordinary piece of legislation which includes all of the following three things one is $52 billion worth of subsidies for the US domestic industry. Secondly, a bunch of sanctions on Chinese companies in terms of using US IP and so forth. Many people have likened it to a race where the US are both trying to run faster and slow the competitor down. But most extraordinarily, a set of possible sanctions on US companies and companies trading in the US I lots of European companies, if they do any business in China or with these Chinese companies so there you can see this bifurcation, this bifurcation happening. And that that act has passed since I wrote the paper. So just to conclude because I know we're coming to the end of of time, I think there is a sort of technocratic problem or challenge, but it's fixable within Europe which is faced with a bunch of malevolent cyber threats which I think is the war in Ukraine as shown are more if you like chronic catastrophic we're not talking about, you know, digital Armageddon we're not talking about cyber power harbors we're talking about the persistent pernicious loss of data we're talking about more instance like the HSE in Ireland, where you have massive and sometimes physically dangerous social and economic disruption. How do you frame a set of capabilities amongst an advanced digital market of half a million people with 27 national governments and a bunch of central institutions. We've got that challenge that can be that can be solved, but the greater long term challenges there is a race on for mastery of the technologies of the future between the US and China. There's a third block of advanced mass market digital users who don't have the indigenous infrastructure to compete there are largely using laws and regulation to maintain a voice and changing that in terms of planning, organizing markets, cooperating across national barriers, balancing economics and security, balancing the short and the long term is finally difficult challenge, but any meaningful discussion of European strategic autonomy and cyberspace has to grasp that it's not something that can be solved by strategy documents it's something that requires profound discussions about national sovereignty about European integration, but also frankly, and how Europe interacts as a block with the rest of the world. So I'll stop there Joyce I hope that's given you some food for thought and very keen to move to the Q&A. Very much here on it definitely has given us food for thought, and maybe a warning shot across our bows and it certainly wasn't boring at all. I must say you've raised many issues and challenges, but very clearly set the scene, if you like, of what the challenges are. You know, I'm very pleased to see that you're optimistic that we can look at particularly the challenge of working together on the more chronic issues but the future issue really is the race on mastery of the future of technologies and how that's going to make sense. So, thank you very much for that and we might start with the first question, because you said that the EU must make a choice, either to seriously commit to a technological industry policy to achieve a strategic autonomy or else pursue closer cooperation with the US. So what happens if the EU fails to make a choice between these possibilities for the divergences between member states and what possibility is likely to occur by default. So I think, I mean just my view and it's a prediction, therefore caveat supply. I think not taking a choice defaults over time into closer dependence on the US. I think we've seen that over various issues in the past, and I can't see certainly with geopolitics the way they are. Too many people trying to do what we did maybe 10 years ago and balance the US and China against each other. And then I think the second order effect of that is over time, probably not through any specific incident landmark incident but over time they use regulatory power diminishes on the grounds that you know eventually the US strategically says well what are actually going to do instead. You know if we don't like the burdens that you're putting on essentially US technology and US companies then what are you going to do about it. So that would be my prediction on that from us. You know currently that you know you mentioned it about the US trade and technology council. How do you think and that it is more optimistic and there seems to be more kind of effort to get things going but it is still at that superficial level. Have those profound discussions taken place. Not my knowledge. So, I think there are. There are two sets of nascent dialogues going on in the world around. So if you take for example if you go back to the G seven declaration and 2021 and Cornwall. It's actually a really really interesting declaration signed by the leaders including EU leaders who were there around recognizing the fact that, as I said in the presentation for the first time there is a. There is a competent competitor to the US led tech model and there's no such thing as sort of borderless technology anymore essentially what it says. And that if you want to protect free and open classically liberal technology have to basically work harder and coordinate it better. So there are two sets of activities going on through that. One is if you like an informal G seven there was talk of something called a D 10 in other words the G seven plus India Singapore, Korea, South Korea, I think, you know talking about this the problem is they don't have the infrastructure to move markets and what happens after this, you go back to your national capital and you do what exactly, given that you're talking about the organization of technological markets. So they, so they get they are sort of more nimble than if you like a US EU structure, but they don't have the infrastructure to do anything. I forgot the exact opposite problem. You know they have the infrastructure and the ability to talk to each other they have close on a billion citizens between them of some of the richest and technologically advanced people in the world. But the mechanisms are incredibly cumbersome and the trade offs are massive. You know we all know I mean, these are sort of you know, turbo charge version of trade talks, we all know how difficult those can be the sexual interest that they engage, etc, etc. In the EU, I mean if you look at one of the, you know, both the EU and US the reason we're in such a mess on telecoms is the way that I think free markets find it hard to regulate for long term security and sort of strategic stability. So 20 years ago, the EU was the world leader and essentially in commercial telecommunications, all the big sort of you know telco providers so many of them were in Europe Europe was consolidating. The way regulation has been done through nobody's fault, it was well intended but the way regulation has been done in the past 20 years has contributed to breaking that model, because the whole point has been about within the EU, it's been about making sure that it's lowest possible consumer prices and no roaming charges between member states is essentially being the bedrock of European telco regulations the last 20 years. That's left no room to build up if you like strategic capability to look at these in the way that China does a strategic national assets that need to be nurtured. Again, how do you get that that sort of dialogue, changing that within the EU itself is hard enough, trying to do that between the EU and the US is going to be really really hard. But that's probably the only area of, if you like, Western life, where you have the institutional framework and you have the commercial power. And that is where I think the best hope lies of doing this but I think involves Europe first of all making that choice as to what extent it's seeking to pursue genuine strategic autonomy as opposed to regulatory autonomy which is not the same thing. And what sort of deal does it intend to strike with the US if it becomes available. Yeah, there's a lot on because in a sense if you look at the overall commission and the digital agenda, it is in fact, kind of there to promote small and medium size companies and larger companies to develop that technological competence, particularly in the selected areas you mentioned of Internet of Things, you know, AI, blockchain and other areas. But why is it in your opinion that Europe has failed to be a world leader despite its vision, its focus, its emphasis in producing digital technology in the same way as the US and China. China has it has has greater capabilities in terms of the state's intervention, but why is it because that is a very key ambition. And is it realistic. So the honest answer is I don't know. I think. So it's partly that scale really matters. It should weren't so, but you know you saw this if you take the big data giants on the west coast of the US and product giants in Apple and so forth. They're there they they scale up, they gobble up competitors, etc. And they're very hard now to, to, to break for whatever reason it has become much harder to build scale players in European Union and in the UK. There's a whole bunch of reasons in terms of you know the ecosystem of Silicon Valley and so forth that got a look, I suppose, at what gave the US its unique, unique advantage. China of course, a lot of not all of it is state is state planning the first phase of Chinese technological development was actually, I suppose if you like in the post done reforms entrepreneurial phase of it but since you know certainly in 2015 a lot of it is nice state planning and long term, long term execution of that plan in the way that you know the EU and indeed the US find extremely difficult given the profoundly different systems of government. And I do think that one potential reason I don't think it's the only reason or possibly even the primary reason, because I'm not trying to get all sorts of you know, free market idea log on you. But I do think that when it comes to regulation. And again it's contestable I'm not an EU expert, but it does seem that when it comes to tech, you know, the, the regulatory focus is understandably, but perhaps not always advisably just almost exclusively focused on the consumer. You know, the price, the safety aspects on all of which are absolutely have to be part of it. But what about the long term sustainability the scalability if you like. Yeah, of a particular product because if you're, you know, if, if you're coming out of the EU and that's your home market, and you have to pay attention to all of these things. You know, if you like feature of the regulatory system that allows you just to really really develop and scale up and then there's somebody else in the US you can just do it and then export to Europe on a much bigger scale. There is, there is, there is something in that I think. I think there's also something around. You know, whilst again, there are all sorts of aspects of the US ecosystem that are very much just originate entirely in the private sector. There's a massive amount of both spin off research from, you know, the humus that well also the US, the Pentagon and so forth, and all that. And also frankly, you know, very, very large scale research programs funded by the US government on a scale that, you know, Europe because it does a member state level will never will never match. And then, you know, at the level what sort of huge research programs might you think about and how and again what's the deal there between the central EU mechanisms as a whole and member states about where the fruits of that of that research go etc etc. I think there are there is a scale really really matters in this business. And it's proved harder to scale in Europe. It matters, not only in that development of it, but also in the support systems, as you say, like the universities, the investment research and all of that area, which, you know, that just hasn't had that quantum investment like in the US. But just staying on on this issue about investing seriously in techno industry policy, Seamus Allen from the IAEA asked the question if you're Europe did choose to invest. And in a way I'm wondering are you saying, you know, how can we but you can answer that in a techno industry policy to significantly develop this digital sovereignty. What steps should Europe take to ensure it is successful, or to compete with the US and China. And so I think I think there are a number of things one is the one is a serious sort of research strategy and capability around that. And the second and also, you know, picking those right technologies and so on to research and invest in a second part of that is then, you know, and this, this, this risk sounding a little bit protectionist although I think it is actually commuter with what's happening in the US and the UK is actually talking about the sort of rules and procedures flow from that in terms of what you're allowed to do with that research, you know, keeping it in, in, in, in Europe and so forth. A third is already mentioned is making sure that the regulation of the use of these technologies is mindful to the long term that you're not just squeezing costs down as low as possible to consumers. This means that, you know, they will be out invested by American competitors. And a fourth and very difficult challenge for, you know, a multinational super national if you like Union is, you know, having some honest discussions about location. I mean, you know, we talk about the virtual world, but actually this takes up a huge amount of physical resources and needs physical presence for large scale manufacturing of various things. Well, you know, where in the EU might that be. And that's obviously a very difficult decision. It's a difficult, even within a nation state never mind a multinational union. They're all there. There are a whole bunch of things I think that you're to be optimistic because you did say in your question Joyce, you know, is it even possible I think it is possible. It's not quick. It's not quick. I mean, look how long it's taken China with all the China there are many disadvantages to the Chinese system but it has some advantages such as scale deep pockets and not having to worry about the view of electors. But, and even then, you know, their development has taken has taken a long time. But I think if there is the sort of candid realization of what is of what is needed it is possible to do this over years. There's a bunch of technology you kind of forget about that you should forget about. I mean, you know, web based, you know, big data analytics, probably the ship is sealed. If you like, you know, the US and China already dominant in that next generation telcos I think Europe actually could get its act together because of some of the advantages and then you know there are all sorts of all the things. There are all sorts of other areas of emerging technology where Europe could, you know, if it gets back together in time and be competitive in the long run. Yeah, thanks very much for that. I think there's a question from Karen Fitzgerald security and defence research at the IEA. To what extent could we potentially see cyber attacks on member states national grid infrastructure this winter by Russia. And how can member states prepare, prepare for the risk of cyber attacks. And is there a role that you can play in helping member states respond and deter against the risk of cyber attacks. I think that's a question, Karen. I think it does give me an opportunity to say a little bit more than I did about, you know, what the war has meant for cyber security. So I think there are several things to say one is, Russia is one of a small number of states that does have the capability to strike things like power grids. And I think there's a question to see, you know, cyber risks as being sort of all consuming and that, you know, teenagers in their bedrooms kind of sophisticated code enough to bring down power stations actually it's much harder than that. And only a few countries can only a few actors, all of whom are nation states can probably do it Russia is is one of them. And indeed it did do it in Kiev in 2015 and 2016. But it's not magic. You don't have a big red button that says that press this and it runs a bunch of code and takes out the Dublin, you know, a power station outside Dublin or whatever. The two attacks on Kiev took 18 and 31 months respectively from conception to execution. The sophisticated attacks are comparatively rare. That said, as HSE showed him, and indeed a similar case in the US were just sort of low sophistication hack of a net of companies, corporate systems took out a pipeline in the US, not because they took out the pipeline but because the company couldn't organize itself to run the pipeline so the company closed it down so there is that potential for disruption. And I wanted to spread alarm, because when Russian invaded Ukraine, there was an awful lot of fear that things like this would happen in the West, to a great extent, none of them have. Why is that we will probably never know and it will be studied for years among cyber sort of scholars, but I think part of it is that it does seem that you know the cyber dimension of Russia's campaign. It's directed against Ukraine, rather than against the West. Some of it was well organized, some of it was just as badly organized as the rest of Russia's invasion campaign but what seems to be an explicitly absent is a direct provocation of the West. So, and I think this vindicates a long hell of you among some cybersecurity specialists that we tend to think of cyber as a sort of special enclosed domain where it has its own rules. It's true. Put it this way if you know, the power to this webinar went down and Oxford where I'm speaking to you from came under sort of cyber attack of an unprecedented sophisticated nature and the electricity supply to the city of Oxford was was wiped out. We probably know reasonably swiftly that it was the Russian state, and a response would be required as if it was an accidental pouring over the troops of into the Baltics or another Salisbury horror type attack. You can't do a cyber attack. But most of the time anyway in a completely sorted reliable way that doesn't have consequences. So, you know, I don't, I think we should be vigilant but I don't want people to sort of panic and think that just because the war is going very badly that these sorts of large scale attacks are inevitable. In terms of in terms of preparation. There are two things one is that actually what the history of the criminal cyber crisis which led to the events in Ireland last year led to hospital disruption in France led to food retail disruption in Sweden also the pipeline problem in the US. The entry points were reasonably basic, you know, it may have been a good team on the job but they didn't have to work very hard so that's one thing. There's a lot that organizations can do to just plug some basic gaps. But the second thing particularly something like energy is about resilience, you know, and the ability to survive the loss of a network. The example I always use is the next time you get on a plane. Just think about the air traffic control system which is computerized. If you think about it, if I told you that in the event of the wholesale failure of the air traffic control systems it system, whether by design in other words a hack or by accident because computer networks feel by accident all the time. If I told you that in the event of the complete failure of the computer system of an air traffic control system, there was no backup. Would you get on the plane course you wouldn't. So should you run an energy, you know, a grid like that, of course you don't, etc, etc. So it's all about resilience and thinking about the loss of key networks. In terms of what can the EU do about it, I think one it's already done, one it's not in a position to do yet. So what's already done is it's regulated minimum standards and you know that's now moved from, as I said in the presentation, NIS 1 Network Information Systems Director to NIS 2. So it's better and more sophisticated thing it's not in a position to do yet and maybe never will be that's part of that choice is are there a set of EU capabilities that could be deployed to help us a sort of member state in distress to a point but not, you know, it's it's, it's certainly not sort of equivalent to what say the US military might be able to deploy to the US. Now maybe that's not where Europe ever wants to be. So I'm not saying it's an obvious choice it's just one of the questions from the first part of my presentation, and it comes to a wider point, which is for minds better than mine with greater knowledge and expertise you know to what extent does the you want to get involved in mutual basically what it is. And that you did raise that question, you know, about the discrepancies. So, you know, in a sense, is it that bringing together in the whole EU framework or, you know, can we learn from greater cybersecurity, the greater cybersecurity capabilities in Estonia or Spain. Is it possible to learn from that, or do we have to get together and start looking very seriously at an overall EU framework. So I think I mean certainly there's more potential to do that informal voluntary cooperation and quite a lot of it happens. And there are very, you know, capable countries in the European Union in cybersecurity. And actually, I think one of the things is that, you know, if you get into, you know, complicated military capabilities, and you look at cooperation and, you know, everybody in the EU knows this. Then, you know, it does lead to if you take France as the leading military power in the EU. You know, and I say this with sympathy towards the French position when other countries ask it for help, you know, it does lead to some pretty tricky questions of, you know, capabilities and sovereignty and all that sort of thing that plenty of people in Paris care deeply about. In terms of cyber defense cyber offense is a different matter, you know, the ability to hack other people in your national security interest, but in terms of cyber defense. It's kind of mostly pretty easy actually, you know, it doesn't lead to that sort of thing so that there is scope. If you like to think about aggregating capabilities and again it's a choice for the Union as to what extent wants to get involved in that. And it comes back to a lot of the problems in cybersecurity. There's nobody's fault there's no major sort of malevolence or negligent decision in the past. It's just it's a tricky subject that not a lot of people understand. And so, you know, so again, it's no coincidence that data has been the great sort of flagship of the regulatory intervention because you know everybody sort of gets the data economy now it's trade it's modern commerce so of course the government regulates it a part of this part of the single market but then you take sort of national defenses against known threats, and people think well that's about article four is to me you know better stay out of that, etc etc. But actually, you know there's a $200 billion global cybersecurity industry that's actually really open where you know proprietary information is relatively rare I mean sure in terms of you know techniques and stuff you can do but in terms of actually understanding the information people are sharing it in abundance. And so, you know, I remember when the UK was still in the EU and I was still in government, you know, we did go to the old meeting of EU cybersecurity national authorities. It wasn't a particularly well developed network in my day maybe that's changed I haven't been tracking it, but there is definitely more that can be done without actually having to bother people with great institutional reforms new directives, new legislation in the European Parliament whatever it is. I think there is more. It's really dull, but it's quite worthy. It is but it may be dull but it does take a lot of attention when anything goes wrong. And just on that resilience and further cooperation and acts, what are your thoughts on the EU Cyber Resilience Act, which was prepared earlier this month. So, in so far as I've understand the detail, you know, it is a good thing. I like it in a number of ways. You can always pick holes and anything written by bureaucrats speak as a long time one. So, one of the things that's better in it than in some previous year regulation and cyber is a bit more about, you know, the regulation about comes very easy in cyberspace to regulate and in sort of corporate governance and cyber to regulate the inputs but it's kind of it's not a waste of time, particularly if nobody's doing anything, but it only takes you so far. You know, actually preventing things from happening. Sorry, not preventing things from happening, but one of that is actually saying this is the outcome that you need to stop from happening. You know how you get there needs to be more specific. There's more that in this in this in this piece of legislation. Again, I suppose, you know, to get a little bit philosophical, it's sort of interesting that, you know, the EU is more and more stepping into this with Cybersilience Act within his directives and so forth. Because a lot of that historically might have been seen to be, you know, member state competence. And so if that's the way the EU is going, then I suppose that's fine if the member states are happy. But then at some point and you know this is a discussion that needs to be had the sort of institutional capacity and operational capacity of the Union as a whole will need to advance commensurately because at the minute, you know all those organizations that I mentioned that I imagine very few people in the audience for good reason have heard of any society you since then and so forth, you know they're smaller than the comparative agencies in France Germany, probably Sweden and the Netherlands as well. You know, but if the if the way the EU is going regulatory terms is meaning that it's more sort of harmonized and unified, then presumably that has to change at some point. Yes. But in a sense, though, there, there's a movement you think towards a kind of a better approach to cybersecurity within the Union. I mean, I think that's what you're saying you see signs of that. I think that's right and I think also, you know, it's no coincidence that Dora has it's known the digital operation resilience cycle is basically about the financial sector it's no coincidence that you know a lot of this is happening at sector level that's good by the way that it's happening at sector level rather than just cyber in a box because at the end of the day, what matters is what happens in the in in sectors you know what works for cyber regulation and finance doesn't necessarily work in energy. It doesn't necessarily work in telecoms mean finances, payment systems, etc. energy, a lot of it's plant and securing those are completely different technology technical challenges, so regulation finally enough needs to be different as well. I think markets become more and more integrated within the Union, you know, common regulatory approach can can can be very useful. But then of course those are the places where the big systemic risks from nations from hostile nation state activity arise. And that's of course where particularly the bigger, more security conscious, more security capable EU member states will tend to have sovereign capabilities and they will rely on more than they rely on EU institutions. That's not an insurmountable challenge you can pick and mix a bit but I think it needs to be a more conscious part of the debate which is kind of why I thought that German intervention way back in 2017 was just so refreshing and so interesting. Yeah, I know it was very refreshing when I read paper because it literally opened the discussion and change the agenda completely really from there on. So I just got a question from donor or brother Khan, who's a member of the IAEA, and he's going back to the scaling up question, and he's asking, you know, is, is Airbus an example of the kind of scaling up possible in European technology based businesses. I mean, I'll be a bit wary because of one, you know, commenting on one company but sort of, I mean, to give the classic answer given I used to work in Whitehall and the UK government give the classics or Humphrey Apple the answer, yes, yes and no. So yes, in terms of, you know, the conscious effort to get capabilities from different countries, put it in an industry where scale matters and be competitive that way in a carefully managed strategic way so yes. Knowing that, I think, or, you know, I would qualify it a bit by saying, you know, the speed at which scaling up has to happen is probably a lot faster than it has been and say, you know, classic sort of aerospace and defense technologies, you know, the sort of innovation is, so it's probably a difference in pace, but you know, I would sort of look favorably on it as an example, particularly actually outside, you know, I'm not now talking about cybersecurity, I'm actually talking about, you know, just take some technologies, just take some key advanced technologies and look at it that way. You know, because the focus of this seminar has been the, the EU, this webinar has been the EU, you know, I'm not trying to adopt a sort of, you know, classic, you know, UK exceptionalist, you know, everything's right in the UK I mean the UK has got similarly actually, you know, relative to size the probably greater problem in terms of the quality of the research and innovation in the country, not then being measurably matched by, you know, economic, scalable economic activity in country afterwards. So, you know, it is a key issue. Absolutely key issue. You mentioned there and unfortunately this is the last question because time has beaten us, but you've mentioned a number of times, you know, new technologies. Do you have thoughts on the cybersecurity implications of emerging technologies, or is it that we have to really develop those become a world leader, at least in some of these are a combination of these new technologies. So, you know, computing AI, the metaverse, all of these things that are developing. Right, so this is a brilliant question to finish on and actually if I had my prepared presentation over again I'd work us in so thank you for that choice. So, first of all, I'm really optimistic in this front globally about the chance to fix insecure technology so I bang on these days about the digital environment that we all live and work in. And how it's full of pollutants and that's a legacy of when we built the first generation technology back in the 90s and 90s didn't think about it. So, at the moment we're just playing catch up and mitigation the whole time and there's no choice that's what we have to do, but as new technologies can come in, we can learn from that and fix them as they're coming in. You know, why aren't there driverless cars in the streets of Dublin because you don't know how to operate them safely enough yet the technologies there we've all seen on TV. So, there's the principle is that you, you know, you carefully look at the technology, partly through regulation but also through just the science and engineering of it you think that gives a safe enough etc etc. So that really really matters. And the big opportunity for us now with applied AI, and with quantum computing, you know quantum computing is terrifying unless you secure it. It's transformative if it's secure and it's terrifying and transformative if it's not secured. So quantum is actually a good example where, you know, possibly the limits of just being a regulatory superpower would matter, because you shouldn't, you know, the countries that are ahead in the quantum race are both ahead in quantum computing and quantum engineering but also quantum security because they know the stuff will just not work unless it's it's it's secure. So if then, you know, they use nowhere to be seen in something like quantum, or the UK is nowhere to be seen in quantum. Actually, how many people in the US and China are going to care about their regulatory approach. Because you either have it or you don't and you have this or you can have something else. So there's a really interesting aspect there where, you know, it's in the global and it's in the interest literally of our species to get security of this right. But the people who are actually building it, we'll have much greater, we'll have the first call on the way it's secured and so on. And we need to incentivize that and I'm actually quite hopeful that this is an area where we can really get it right. And that could be transformative for both for both, you know, our ability to harness new technology but to do it safely. Yeah, but Karen, our time is up and that's a very optimistic note to end on because I think you gave a tour de force in terms of raising the issues and looking and probably as you said, you know, food for thought around along all those issues they're going to remain, but there's optimism about resilience, you know, has been resilient, but also looking to the future with these emerging technologies. So thank you very much for that. I think we'd be thinking long after this of the issues you raise and appreciate it very much. And I'd like to thank our audience for their participation and for the your questions. And we look forward to seeing you at our next event. And to our team here at the IIEA, Roka Mulally and Eva Mulcahy on production and Andrew Gilmour's the Deputy Director of Research and Seamus Allen our digital policy researcher. But our big thanks is to you Karen for your time for the stimulation and for the passion that you have for the subject and the absolute overview of the key issues. So we look forward to see you again and perhaps we can bring you, we definitely have a big crowd, but come to the IIEA in Georgia Street now that we're getting back to near normal. And thank you very much again and goodbye. Thank you.