It's a great question, and the answer is, yes, it can be prevented.
We have technologies out there in the market today that are prevention-first technologies. Essentially, they leverage AI and machine learning to predict and prevent attacks before they are executed. We have moved beyond traditional technology, which basically adopted what is called a signature-based approach, similar to how we dealt with a COVID-19 vaccine. You need a patient zero, and then you model it and trace it, but now we've moved ahead of that. We have technology that, if put in place, can prevent that.
Second, mandatory cyber incident reporting for critical infrastructure will automatically create an incentive—or a stick, if you will—for entities to put in place better defences. They don't want to have to report their cyber incidents, but if they do, and if it's time-bound, at least we can move quickly to contain it.
Another key vulnerability that can be addressed, and it's being done in the U.S., is actually to get developers of software that's embedded in critical infrastructure and government systems to produce what we call a software bill of materials or an ingredients list that will list all of the components that are in that software so that they can quickly determine the provenance or origin of that software, where it comes from, identify whether vulnerabilities exist and be able to remedy them.
The reality right now is that people who buy software have no idea what's in it. There's no way to verify whether or not that software was built using cybersecurity practices.
