The Urgency of Quantum Readiness with Steven O'Sullivan

Show Notes

In this episode of the Entropy podcast, host Francis Gorman speaks with Stephen O'Sullivan, a cybersecurity expert, about the implications of quantum computing and AI on cybersecurity. They discuss the urgency for organizations to prepare for quantum threats, the challenges of communicating these risks to stakeholders, and the importance of understanding cryptographic assets. The conversation also touches on the ethical implications of AI in organizations and the potential benefits of integrating quantum computing with AI.

Takeaways

• Quantum computing is a game changer for industries.
• Organizations need to prepare for quantum threats now.
• The timelines for quantum readiness are closer than expected.
• Data theft and loss are major concerns with quantum threats.
• Effective communication is key to gaining stakeholder buy-in.
• Understanding cryptographic inventory is crucial for preparedness.
• Organizations must assess their cryptographic assets.
• AI can both enhance and complicate cybersecurity efforts.
• Ethical considerations in AI deployment are critical.
• Quantum and AI integration promises immense future benefits.

Transcript

Francis Gorman (00:01.272)
Hi everyone, welcome to the Entropy podcast. I'm your host, Francis Gorman. If you're enjoying our content, please take a moment to like and follow the show wherever you get your podcast from. Today I'm joined by Stephen O'Sullivan, a veteran in the cybersecurity game and the founder and CEO of Smart Cyber Group. Stephen has a deep expertise in cybersecurity, AI, quantum technologies, and today we're getting into the trenches to bring these perspectives to life. Stephen, great to have you here with me.

Steven (00:27.385)
Thank you, Francis. Thanks for having me. I'm really excited to have a good natter about the fields of quantum and PQC and AI and where we are and where we're going to be in the future.

Francis Gorman (00:37.678)
I think Stephen, it's super topical at the moment and I don't know how many papers I have seen come out in the last two to three months around quantum, quantum roadmaps, quantum readiness. We had the EU just land out their timelines and high exposures closed off by 2030 with medium and lower exposures by 2035. That won't be long coming around in the current scheme of things. What's your perspective on it? Time goes fast.
what's your sense of that in terms of urgency for the world as a whole like that is going to impact every industry at every level.

Steven (01:25.751)
Indeed. Quantum's a complete industry and cultural and societal game changer. And when I see the timelines 2035, 2030, I see these timelines coming down. And for me, I worry about the ability of organizations to be ready. There's a lot of hype without any doubt. There's much hype, but there's a lot of truth about getting yourself sorted and an organization needs to those steps. So personally, from the experience I've got,

I think those dates that we see, you mentioned the Etsy paper and the EU papers that came out recently, we're going to see these timelines coming forward. So I'm on the side of the fence that thinks probably two to three years closer than what we're seeing currently published, Francis.

Francis Gorman (02:14.381)
two to three years, that really creates pressure on companies to act now. And I know from my involvement in this field, the message in is key. Companies are looking for a lot of money to enact change that hasn't been touched for 20 to 30 years. Crypto has been a it's not broken, don't fix it field for cybersecurity and technologists in many industries. How can...

organisations set themselves up for success here because they need to get buy in, they need to know the problem. What would your advice be in that space Stephen?

Steven (02:48.792)
So I think we have to, we can answer this in a very general sense and say follow best practice by the NCSC, which publish various articles related back to NIST. We know from the United States, the White House and the executive orders, we know there's a lot of recommendations. There's a lot of standards that starting to come about. There's a lot of guidelines, but there's not any real regulatory pressure as such. We know the UK.

has invested 10 million pounds in the National Quantum Strategy, which is tiny in actual fact. We know that some sectors are on the front foot. So if you imagine the space sector, the M.O.D. and these organizations, they're kind of on the front foot. Then we come down to the tier one banks and financial services where they're already again starting to plan for this. Because they realize they remember back to Y2K.

25 years ago what happened there and this is quite different because of Y2K we all kind of knew when it was going to be but with Q-Day which is the the often mentioned the Equivalent of Y2K. It's kind of a bit fluid. It's not going to be a day It's going to be a number of days or number of years and in truth, we won't probably know when there's a quantum, you know, cryptographic relevant quantum computer it will

probably be something in the basement of a government organization to start out with and it may already be there with Qubits. So these organizations, be they tier one banks or top level MOD space agencies are probably already preparing. The areas that concern me are the middle level, the tier two and tier three sectors whereby they haven't got the money, they haven't got the budget, they're grappling with AI, which is not them for six.

They're grappling with compliance. They're grappling with technology refresh. How do they suddenly stand up a team to put in place a program of work, which effectively is going to take years and years to do when there is no real threat at this moment in time. So we have a conundrum here that each sector will have to handle and the sort of governments of the world and the UK government in this case, will have to start.

Steven (05:13.44)
actually issuing mandates almost to sort of get things moving. So it's a very difficult piece of work. And aside from the financial side, which costs hundreds of millions of pounds, there's resources, there's the time, there's the impact on your services. So this is a tremendous piece of work to do. The benefits are fantastic in terms of the quantum computing and AI and bits and pieces. We can talk about that, but

Getting yourself secure now is no easy task.

Francis Gorman (05:46.798)
I think it is two-phase. It's the future applications that quantum can be used against, but the threat it therefore brings against today's cryptography. And I suppose just to frame for any listeners that may not be overly familiar with quantum and what we're talking about, because we did jump straight into the middle of it. I suppose we're talking about QDate as a point in time where quantum computing becomes commercially viable to distribute at a scale that becomes a threat to industries at large. And therefore,

Delivering with it the ability to break asymmetric cryptography as we know it today RSA, Diffie-Hellman, those types of things at scale and incredibly quickly and due to the way that it processes information that is quite different to the ones and zeros that we're familiar with today in classical computing as we call it or today's computing. even explaining

the hypothesis of the problem is difficult. And we all know things that are difficult to explain that sound futuristic, it leads to levels of procrastination. And when you look at the timelines for implementing cryptography and the amount of complexity, dependency mapping, application refactoring, et cetera, that will need to be done in this space, you're rocking up to your chief financial officer or your board and you're going, hey guys, I need X amount of million.

every year for the next number of years to do this thing that might happen but I can't tell you when it's going to happen it's a very hard sell

Steven (07:23.284)
It is. And the way that I've worked with this really, and you mentioned the asymmetric encryption and bits and pieces, far too complex for most boards and chief financial officers because that's not the field, right? So we have to revert back and we have to say, how does this truly impact an organization and its clients? So we're really in most simple terms talking about data.

theft and data loss. there's a term called store now decrypt later harvest now decrypt later, where your information or your bank's information or your logistic firm's information can be stolen. And then there will be harvested, sold on the dark web, etc. file of six gig, 20 gig, whatever else. And effectively, that data which may have a long shelf life or may have a short shelf life can then be decrypted in the background. Now that is huge, because you can imagine

the brand damage that will do to any organization. Financial services is one side, any organization, critical network infrastructure, supply chains, healthcare, pharmaceuticals, no one wants their personal information or their clients' personal information breached. There'd be massive implications for GDPR, privacy aspects. So in simple terms, the organization needs to prepare now.

It's almost like a super fast data loss prevention program. You're trying to ensure that if someone does steal your information, they can't decrypt it.

Francis Gorman (08:55.789)
I'm gonna use that line. I want funding for the super fast data leakage prevention program.

Steven (09:00.344)
Well, indeed, it's a good one. effectively, this is initially, know, in the future, Francis, the we cannot even imagine the power of quantum computing merged with AI. But in simple terms now, you know, being able to protect your data, your IP and that of your clients is the key program of work.

We have to kind of look at it in a way, not so much around the word quantum. You have to go right back to the encryption, the cryptography side, the fact that you need to secure your information. And organizations have information in many, many places throughout their ecosystem. And it's about put the program of work in place that protects that. So when I speak to board members and organizations, I try to bring it back to the data loss side initially and the financial implications of that.

Francis Gorman (09:55.566)
One way, Stephen, that we could articulate this problem to those leaders is to look at lines of service within your business and equate that to long-lived product life. So you talk financials there. So, you know, people have mortgages that last for 30 years. They have loans that can last for 15 or 20 years. This is information that is still going to be relevant potentially within the time frames that we get to Q-Day, as we are calling it. So therefore, the relevance of that information is really important in terms of the risk that

harvest now, the crypto later poses. And I think it's when we start to reverse the messaging from deep crypto graphics speak back into business language and essentially align it with real world impacts that it starts to get a little bit of flavor. But for somebody who is starting today to look at their quantum program.

There's a number of steps. One is the communication piece. Can you explain this problem in an easy to understand way that your stakeholders can start to buy into the concept? Two is, do you know what your cryptographic inventory is? And we might just talk a little bit about cryptographic inventory now, because it's a core foundation to the next step, which is, what do I need to fix and what are my exposures so that I can lay out the order?

of fix to reduce exposure in a way that is pointed and I'm not spending money senselessly and I can put structure on it and I could be architecturally led in this space. So from a tooling perspective or for somebody looking to collate a C-bomb, a cryptographic bill of materials, know, people may be familiar with software bill of materials. This is the next level of extrapolation to look at the cryptographic elements. When I know you're very familiar with this space, when you look across the market at the moment,

what approaches are two of them are standing out to you, if any.

Steven (11:53.721)
So there's two or three approaches. The first one is for an organization to make the most of his existing tool set. So they may have tools in place for vulnerability management, for digital certificate management, and they may have not used those to the full extent. So some organizations will try to extract as much information to derive their crypto assets. And let's explain what crypto assets are.

Cryptoassets are really all of your forms of encryption, symmetric, asymmetric, all in different types, be it in databases, in applications, in your code, in your appliances, firmware, your external TLS or what we used to call SSL certificates, et cetera. all of those cryptoassets can be in some way, or form discovered. They can be inventoried.

and they can be risk assessed against if they're quantum resistant or not. Secondly, they can then be mapped, which is a little bit more difficult, but it can be done. It can be mapped to the applications that they're protecting or encrypting the information on, which therefore can be mapped to the business use and the end client use. there's a whole number of vendors out at this moment in time that are offering solutions, offering tools that we'll discover.

all of your cryptographic assets and produce, as you said, a cryptographic bit of materials, which is a super large file, which contains all of the metadata of your cryptographic assets within the scope of the assessment. And organizations really need this first of all, because you can't manage what you can't see effectively. And you have to consider an organization, not in terms of the perimeters of the organization, upstream and downstream as well. So there are potentially

hundreds of thousands of cryptographic artifacts or assets within a large organization. Identifying them is no easy task. Fixing them and upgrading those that are vulnerable is an even bigger task. But you've got to start somewhere and you have to start with, you mentioned the executive committee and the awareness side. There comes a point where you actually need a tool to start to see where you are.

Francis Gorman (14:19.053)
And then once you know where you are, have to bring in your architectural teams and start to define exposure-based road maps to remediate from the outside in so that you start to reduce those high risks. And I think if we talk about what those risks are, I think earlier we were talking, there's your external network, your internal network applications, databases. Am I saying something?

Steven (14:47.486)
repositories. Yeah, I mean, there's like, I mean, you can see it in the five pillars. So there's a model which sees your external cryptographic assets, which is your TLS search, whether they've got vulnerable cipher suites in there or not. know, many organizations will start by looking externally at their primary domains and any other domains they've got and starting to discover whether or not they're running.

Francis Gorman (14:47.629)
Is it all quarter bus entries? That was the other one.

Steven (15:15.256)
a vulnerable TLS version. So 1.3 is a recommended PQC version. 1.2 is okay, but should be upgraded 1.1 or 1.0 or not. And any SSL is a no-no. So initially it's good to start to understand what you've got externally. It's quick and dirty. You can find out where you are. Then there's the second stage, which is your internal systems. So you'll have a lot of TLS is envelope. It will actually, you know, so the

presentation layout of the OSI model, will carry all of your protocols, your SSH, your SFTP, all the other ones inside it. in terms of our internal network, there'd be self-signed certificates, there'd be null certificates potentially, and there'd be lots of other TLS related traffic. Then on the pillar three, you'll come to your internal IT systems, your hardware, your appliances, your bits of kit, be they routers, be they jump boxes or whatever else that have got some certificate in place.

as such. And then you can come to your code repositories where you've got all your source code for your applications in there. And then you can come finally to your applications and databases and your key management systems and your cloud based system. So your cryptographic landscape across an organization such as the bank is immense. And it is, as we said before, hundreds of thousands of assets. And you've got to start identifying them ASAP.

Francis Gorman (16:41.709)
cryptographic assets because you've got libraries nested within software repos applications etc it's it's it's a quagmire and you do all of that but then you need to

Steven (16:46.442)
Indeed. Indeed.

Steven (16:52.576)
A good word, Frank, is a quagmire, that's a great word.

Francis Gorman (16:57.562)
It creates a vision of something else, but yeah.

Steven (17:01.816)
Well, some would say that it's similar.

Francis Gorman (17:06.381)
Similar, similar. As opposed to even from that, you're great. I've done all this work. I've all this information. I need to make a start, you know, when you start working outside in or wherever your highest exposures are and you can target, you know, certain lines of business that are of a high impact to your organization, et cetera. But then you look at your vendor stack and your supplier stack and the trek just is encapsulated and spread.

outside your organization again. you know, what are your vendors doing? What are your third parties doing? Have you got technology agreements for technology refresh programs that are the accountability of one of your suppliers? Is that hardware going to be quantum ready? You need to get into those processes, et cetera. It's a massive, massive piece of work when you start breaking it down.

Steven (17:53.985)
Indeed it is. you know, Flantz is one of the, one of the ways I'm sure you've heard about is this, this enveloping approach whereby you, don't fix the underlying quantum PQC protocols and algorithms. You kind of wrap them up in a new envelope and you make them PQC safe. And this is a quick win. You'll see there's organizations that specialize in this, but

Really, you've got to think about the extra latency involved. You've got to think about the fact that you're, you know, you've got an old car, you're just putting new wheels on it and some nice windscreen washes on it, but it's still an old car with an old engine, right? organisations are trying to work around the quickest, biggest bang for their buck, which is normal, right? People do not want to invest huge amounts of time and money at this moment in time.

until there's a firm mandate and regulation that says you must do it. And you know, this has been the same for many, many standards, PCI over the years, et cetera. So as you said, you know, the vast ecosystem of your supply chain and your vendors alone means you need immense resources in a large organization. You need a GRC program. You need ownership. You need executive committee. You need all of that wrapping around.

before you can even start the work. Because once you start to discover your assets and you start to see which of those are at risk, it's almost an incumbent upon you to fix those. And this is where the work really starts because this requires program and project management. It requires a liaison with all your cloud supplies or your external supplies. So a lot of organizations, and I have to say over the last 18 months,

have adopted an ostrich approach, which is to put the head in the sand and kind of wait for things to come about. And I've had conversations where, you know, CSOs have said to me, well, I'm not even going to open that Pandora's box. It's best I don't open it. I've got enough on with the compliance with AI. I don't need to have quantum. And this is really dangerous because it means that you are exposing your organization for the sake of your own role and the fear of what's going to happen.

Steven (20:16.962)
to threats that could result in huge financial penalties down the line.

Francis Gorman (20:23.885)
I think that brings us full circle back. Toby said at the start, there's a real risk of decision paralysis in this space and

Steven (20:31.352)
Quantum inertia. Quantum inertia is a wonderful term. means that all organizations want to do it, but they just can't move out of first gear.

Francis Gorman (20:42.113)
like that idea I don't like to I don't like what it means but I like to like the idea so I suppose I suppose touch on quite a bit there but there is there is positives to quantum once you know you get your get your house in house in order so

Steven (20:46.84)
Quantum paralysis, quantum inertia.

Francis Gorman (21:01.037)
Everyone's talking about AI at the moment. Let's say we're all swimming in red seas of AI. Everyone has a fear of missing out and we want to do the same thing as everyone else is doing but no one can really derive much value. Does quantum help solve some of these problems or does it exacerbate it even more?

Steven (21:18.306)
So the answer is both. I mean, you know, it both breaks and bolsters. So if we think, Francis, you know, two years ago, maybe three, none of us had ever really used a chat GBT perplexity or Claude, any large language model in any way, or form suddenly appeared from nowhere. And it's not organizations for six. There's shadow AI and there's the people leaking information into LLMs. There's all sorts of things. So this

This is really, you know, at a big, big impact on organizations along with their compliance side. In terms of the interrelationship and the intersection of quantum and AI, let's just step back. If we move away from the cryptography side of quantum computing, quantum computing itself promises immense benefits for society in healthcare, in drugs, the power of quantum computing.

integrated and fused with the learning capabilities of AI are immense in terms of diagnosis, early diagnosis of medical conditions, in terms of your supply, in literally every part of organizations and society. At some stage, it may be 20 years away, know, at children's time, it'll be a different world, there'll be a different internet. It's a game change in every way, shape and form. Organizations like Google have already set up foundations, you

sort of quantum AI QAI foundations whereby they're looking at how they can harness the power of quantum and AI for these purposes. you know, AI on its own is a offensive tool or a detective tool. you know, AI is used in many organizations to detect threats and what's happening and picked up in the sock. But it's also in the wrong hands can be used we know

things like deep fakes and bits and pieces, it can be used as an attack vector. So you suddenly wrap that into quantum and you multiply the power of AI. mean, we cannot even sit in our talking, we cannot even envisage the power of quantum and AI in the future. And in terms of AI, know, with AI, you might even find that it will actually switch your algorithms and your protocols for you in real time.

Steven (23:43.287)
So if you've got a super, super system in place and it's all integrated with your organization's cryptography, your AI may be able to fix and decide which are the best protocols at any point in time and self-heal the weaknesses that you have. So there are so much power in this. That intersection is not really, I mean, there's a lot of papers out there. There's a lot of organizations looking at things, but...

how it influences the AI side, how AI influences the quantum side is gonna be immense. But alongside that, as we know, there'll be negative impacts as well. we're not just talking about the quantum cryptography weaknesses, but we're now moving and shifting right into threats and risks that are gonna be immense. And we can't even think about in maybe 15, 20 years time.

Francis Gorman (24:43.799)
Yeah, there's a lot to unpack there. I'm not overly familiar with the quantum use cases outside of kind of high frequency trading, et cetera. know, it's still a topic to explore. I've spent so much of my mental capacity looking at the quantum readiness problem. I haven't looked past to the quantum benefit side of the house just yet, but it's on my to-do list. So it is a fascinating area.

of artificial intelligence, Steven, as you I feel like everywhere you look, every product now claims to be at the rivient of some kind of AI or some extrapolation of a large language model that is doing something and agentic is the new term. But we're seeing new and interesting attack vectors coming as well with the nesting of plain text and a white background to...

to conceal instructions that are either there to mislead the user into clicking on a phishing link or into carrying out destructive actions off the back of an agentic task list, et cetera. Where do you think artificial intelligence is going? To me, it seems like it's become the wild west. Everybody feels the need to be some way involved, but nobody's really thinking of the downside to all of this. And I think...

I was encapsulated for me a couple of weeks ago when MIT released a 200 page report talking about cognitive impacts in stage two thinking for users that started a task. I think the study group was students, you know, one cohort did their assignments without the aid of technology. The other cohort fully used chat GPT in this case. And the neural connections were almost, you know,

didn't exist in the cohort that used Chatchabee from the start. So I have a real worry about human resilience and the ability for critical thinking to be diminished within organizations if we just throw these tools out. And I kind of want to get your view on the kind of threat side and the human impact that we're seeing off the back of it if you have a perspective there.

Steven (26:56.118)
Yeah, yeah. mean, I saw your paper that you posted on LinkedIn about the hidden words in documents. You know, this chat GPT brain won't know that term is real. You know, I speak to many people who mark assignments. I used to work at university. The mark assignments from students are 85, 90 percent, know, LLM generated. And as you know, there's tools in place to detect that.

But the gene is out of the bottle, okay? So, you can imagine a young person these days just starting secondary school, they've got their mobile phone. In our days, we would have to go to the library, we would look at books and papers, we would take photocopies, we would go back and we would then write out and we would apply critical thinking. If you then move this forward to the speed that the market wants and the way people are.

there's the ethics side, there's the transparency, there's the trust. You know of the EU AI Act as an example, and there's many, many standards and many, many people shaping up the AI side. And it's really, it worries me a lot. I've got a little granddaughter who's three years old, and you can imagine when she's at school, will she even use a pencil? Will she even write anything? And how will this affect the...

neural and cognitive functioning of how our people work. And then you can move that forward into organizations and organizations that really want to reduce their cost and to make things super, super fast. And they will take the easiest route and the fastest route. we know you're Gentile AI chat bots and agents, and we know they're going to get more more clever. And, you know, apart from the societal impact, which is huge in terms of potential jobs, you know,

Is AI, I I did a conference in London two weeks ago on AI and the supply chain, you know, and the impact of that. if you think when the Amazon guy comes to your house, that, you know, that the supply chain back or the digital touch points, AI is both a friend and a foe. But we know from history that we kind of very rarely learn from history. It's just the way it is as human beings. We repeat the same mistakes.

Steven (29:17.98)
And it worries me that, you know, I see people I work with that send me papers. I've just written this paper and they've just run it through one of the LLMs, no names mentioned. And it's just so obvious. And if you then move that forward into our organizations, you're going to use that in HR, in finance, in procurement, in supply chain, in cyber. You've suddenly got people that are relying on AI and they rely on AI to

such an extent that it's taken over their life. You suddenly add in the power of quantum computing and it's a massive game change in ways that we can't even imagine.

Francis Gorman (29:57.139)
I wrote about this a while back on LinkedIn and I used the phrase, we're creating a new form of digital asbestos. the whole point I was trying to make with that argument is a lot of these tools accredit the outcome to the license holder and don't create a variation that shows that they were actually generated by the artificial.

Steven (30:06.548)
Indeed.

Francis Gorman (30:26.047)
intelligence itself to the generative AI tools. In ChatGPT, you look in the properties section, you'll see a Python, a Python marker as the order, and then you can know pretty quickly that it's generative AI. But if people are copying and pasting content from within the tool and then putting it into a document or creating a document and saving out a different variation of it, et cetera, those markers get diluted over time.

We're ended up with all of this almost synthetic data that has a certain amount of theater around it that is pertaining to be something, but it could be full of garbage data or infactual statements, et cetera. And Stephen creates that document. go, that's a great source. And I point my agent at it or my generative AI tool at it and I suck it in and I create a derivative of that. then, let's look at Francis's, it's a super thing. And then someone else does it.

you lose all providence and lineage of the source of truth that it was that data. And if you move that idea out of the internet back into an organization, you're gonna have so much garbage data. Will organizations be able to say, we roll out this massive AI program, we gave all of our users AI, 80 months time, what's artificial intelligence generated, what's human generated, what's garbage? I think there's a real problem there.

Steven (31:28.664)
Absolutely.

Steven (31:49.465)
I think the answer is, France, is the good ethical organizations that adopt good AI practices will have some control over that provenance side. But there'll be many, many, that will not. And as you just said, that is a massive dilution. Everything changes in every way, shape or it changes the whole culture and the ecosystem.

every trust element of an organization is now eroded and I can't see an answer because we know that you know organizations some are much more ethical than others and some just want to make a quick buck. It's a loose cannon, it absolutely is.

Francis Gorman (32:36.693)
It is the loose cannon and I think the next problem that we're going to see is your ability to interact with the prompt engine and the outcome you get. So I've seen a number of studies and Louise McCormack that was on the show a couple of months back, we spoke about this after it. It's that you get different outcomes based on your ability to speak the natural language of the model. So if I am a native English speaker and you are not, my outcome

It's far better than yours because my structure and my context and my understanding of English as my first language allows me the ability to create prompts that are more accurate, more pointed and more concise. And what that potentially means is you have somebody that is using artificial intelligence beside you in the workforce that is getting better outcomes and maybe getting graded in terms of bonuses or performance ratings, et cetera, at a higher standard, but you are far more capable.

And it creates this this ethical question around bias within an organization. And I think all of these conversations are not being had and we need to start getting them out there so public discussion can.

Steven (33:48.056)
And know, you know, possibly quantum AI and the way that that is being shaped up, it's not just theoretical that, know, maybe that is the answer. Maybe that is a solution. Maybe, you know, I know it's a subject that not many people looked into yet, but there's a lot of good information out there now. A lot of organizations are trying to do is maybe fingers crossed that the evolution of quantum and AI will actually make the weaknesses in AI better.

We shall see.

Francis Gorman (34:19.821)
We shall hope. We shall hope, Stephen. Look, Stephen, I think we were nearly up on time and it's been a really, really insightful conversation. Hopefully not extremely technical for the listeners at home, but I'd really like to get people's views and opinions and start conversations off the back of this episode, especially if we can get more people thinking about quantum readiness and the preparation that they need to enact in that space. It would be fantastic. And I have more series coming up.

with different speakers in the coming weeks in the quantum space. it's a topic I'm gonna follow through for a little bit for anyone who is interested. Stephen, it's been lovely to have you on and I really appreciate you taking the time out to speak with me today.

Steven (35:02.22)
Thanks, Francis. It's been a great, open, free-flowing discussion. I think we've covered quite a lot. And it's an area that we both know is not going to go away. So the more people talk about it and the more discourse and debate and the more sharing, the better for everyone.

Francis Gorman (35:20.959)
Excellent. Thanks Stephen.

Steven (35:23.203)
Thanks, Francis.