Welcome everybody to the SECTRE Capital Markets Day with focus on cybersecurity. Before we go into the presentation of today's participants, I would like to inform you all of your integrity that there will be photo sessions. If you do not want to participate in that, give us notice and we will attend to that request immediately. There will be one session later on in Swedish. If you do not command that language, there will be demos outside for you to delve into those issues.
And if you are not among the 10,000,000 people out of said 1000000000 who doesn't command Swedish. The secret side. Today's presentations will be initially goes without presentation is the CEO of the sector group, Torbjornander and then please, Simon, who is the Vice President of the Group and Head of the Sector Secure Communications, Fredrik Sundstrom, wherever you are, always taking a corner position. Robert Lied Twist happens also take a Kona position and being a neighbor of mine almost. And Lars Larsen, where have you also there, I can see a pattern here.
And Jonatan in the adjacent part of the room. And from Sector AB, as I said before, Torbjorn Kranender, myself, the Chief Financial Officer of the company and Helena Petron, Eier, outside scope. And from Most Pia Gruve. So without further due, I would like to leave the
table to Torbjorn. All right. Thank you very much and welcome here. As we said before, we are doing this a little different. Before we had Capital Markets Day for the entire company.
But cybersecurity and medical, although more and more synergies in it is quite different. So we decided this year to have 1 Capital Market Day for medical side and another one for cybersecurity and that is the one this is a Part B of that 2 days. So our main businesses as we you might know is IT for medical imaging, which is about 85%, 90% of the company. And then cybersecurity, which is the rest. And today we will only speak about that part.
And then in the our growth areas or our special efforts that we do outside the main business, we have one area in secure communications and Lasse Larsen will speak about that is protecting our critical infrastructure. We have built an incredibly sensitive society and small disturbances can be disastrous. So and that we work with as well. A little about markets. How do we choose our markets?
How come we work in cybersecurity and medical IT far apart? And seemingly, why on earth are you doing that in the same company? And it's a good question. And to be very honest, it's because my predecessor is cybersecurity and I did the medical side and we liked each other. So that's not very rational, but that's how it came to be, to be honest.
Now we see increasing synergies and both are definitely growth markets. And the easiest way when we choose markets to be in and we have also the start ups is the market should be big enough for us to grow. If we don't think we could reach SEK 1,000,000,000 in turnover within some reasonable time frame, we shouldn't do it. We are that size now. We cannot run around with markets that will end up with SEK 100,000,000.
It's too small. Profitable growth is also much easier in a growing market. You can be on a steady state market and then you end up fighting on price in the end of it. While in a growth market, you can be as good as the other one or a little better, but you will grow with the market. Both cybersecurity and health care is rapidly growing and it's and I'll come back to what the drivers for the growth are.
And idle growth markets also have external pressure that makes them grow. It's not only I took an e scooter here, that's a growth market, but you can have alternatives and January is not a good idea. It will be a steady market and there is no external pressure on it. While cybersecurity and medical both have external pressures, they have to grow. Society must invest in these areas and that will make them grow disregarding the financial temperature of the markets, etcetera.
They have to grow. We have to take care of the demographic situation that cannot be 100% of GDP going to health care. And so health care must be more effective and society must protect itself against cybersecurity or cybercriminals. Healthcare and cybersecurity worlds are on rapid change as well. And as one of our very early Board members, Gunther Rentsch, once minted, where there's change, there is margin.
You just need to be fast enough. A little about our philosophy about customers. In Merkel, we have won the most happy customers on the in the United States for large hospitals 6 years in a row. And that has made us in a position would have been almost literally impossible to reach without that award because that amount of marketing you cannot pay for. And that means we are growing rapidly in the U.
S. Market right now as for medical. It's been a little more difficult in cybersecurity. Some of the customers we are not even allowed to know who they are. And then it's very difficult to find in quality stuff.
But we have some measures as well on to increase quality. What happens with encryption, if it's not good quality, it will not be used. I know an admiral from my days in the Navy and he simply said, if it's not easy to use, I will not use it. And that goes, it's very true. So we have to make it simple to use and it has to be high quality.
You have to trust it. Not only that it's safe encryption that we had for a long time, but it has to be easy to use and must work when I need it. And we are going there with encryption as well. So we are gradually getting more and more happy customers, even though there is no class that measures it. One of the smartest things we did was actually we are forcing everyone in communications to use our own secure, secure phones.
And when developers use things themselves, all of a sudden miracles happen with quality of these systems. So that's each your own dog food principle. We have to use it ourselves and then it will be better, if not someone else. And quality is profitable. So for us, a very important thing also in cybersecurity is to listen to people using it even though sometimes we're not allowed to talk to them.
But in that case, the representatives or the people we know who uses it and we want to hear, yes, this works better than our normal phones or normal laptops. Otherwise we've failed because it will not be used. Then the users of these devices, they will go into what sell in Swedish called Skokskripto. And that means, you know, the thing we discussed yesterday, the thing that begins with a P and ends with an R. And that's how they do.
So going into something that is so easy to use, you don't see it. That's where we're going in cybersecurity as well. That's a big change though, and we but we're doing it. We'll take the questions afterwards, if that's okay, because we have a mic. And so just remember it and raise your hand when we have questions at the very end.
How do you build competitive advantage long term? And then you who have been to marketing schools, you have the 4 Ps. You remember them? I will not check you out. Product, product solves what it's supposed to solve.
Promotion, need marketing. Customers need to know about you in order to buy it. Bright place, are you in the place where people need to buy it, sell it? Price, that's a 4 piece you learn in business school. So I would ask 2 to that and we do that also medical.
Process, if you don't have a process and everyone does handle in a process, you cannot collectively learn. So you have to follow process. You have to develop processes. If you do one product, you need to do in the same way in the next product. Otherwise and you improve and then everyone improves as well.
Process is super important. And most important, people. If you have the wrong people, you will not succeed. And so we spend a lot of efforts in finding the best people we can find. Actually, I spent a substantial amount of that myself.
We have at least 3 interviews with new candidates. And we still despite this difficult to find people, we say no to a very large amount of people. For everyone we recruit, we say no to about 10. And I personally interview every single one as the last interview, which is kind of nuts. You have people say, you do that, you're almost 1,000 people.
And I say, what more important thing can I do? What is more important getting the right people on the ship? Nothing. So it's very strange that other CEOs doesn't do it. Because if you get the right people on the ship, you cannot say I can be a lousy manager.
And guess what, sometimes I am. And it will go it will work anyways. If you have the wrong people, I can be the best match on the planet, it will not work. So we spend a lot of time to get the right people on the ship. A little about shareholders and then we run with culture a lot, but I will not go through that.
As for shareholders, we have the view that if you have happy customers, if you have happy employees, risk and cost control, Now we don't stay in the Hilton's. We don't go business class. It's too expensive. A rational long term strategy in the growing markets and that growing market is important, then shareholders will be happy. It will almost impossible to avoid it.
And I think over the last 6 years, we've done okay in the stock market with this philosophy. But shareholders must understand you're lowest on the list because if the other things doesn't work, you will be losing in the end anyways. It's only short term if you take shareholders on the top. A little about cybersecurity. What drives the market in cybersecurity.
Well, these guys do. We have an increasing tension that is disturbing, especially for all of Europe because after the iron curtain fell down, we thought, oh, it will be nice and everyone will be kind forever. Well, it didn't work out like that really. Well, we don't know yet, but definitely we have a buildup on the eastern side that is heavy and intentions increase overall all over the world. And now it's not only the people next door who are kind of aggressive, it's people sitting on the other side of the planet because on Internet here there is no borders.
So that's one part that drives the market. Tensions going up, nervousness is going up and people want to protect their secrets. This is news from last week. Example of synergies, 32,000,000 patient records breached in the first half of twenty nineteen. 32,000,000 medical records, and some of them are sensitive.
And the fines in the U. S, a fine for leaking, this because Americans run everything by money, right? So they actually fine you if you leak as a provider hospital. And the top fine for a hospital losing one medical record for 1 patient is 25 $1,000 Now 25,000 times 32,000,000 is a heck of a lot of money. Now that creates a lot of interest in the healthcare industry to kind of protect against leakage.
And despite that, 32,000,000 patient record leaked. We have increasing synergies, especially beneficial for the medical side that we have cybersecurity in house. And there was also news last week and there was also a new technique and computer screen that there was like 350,000,000 X-ray images. They are not as sensitive as the medical records as a whole, but still you might have some disease you don't want to be out there in your x rays available in the network. This is FRA, which is a kind of security side in Sweden as well.
IT spies are preparing for attacks on the grid, the electrical supply. If you want to attack a country today, you don't need tanks. Shut off the electricity in Stockholm 2 weeks in February and wait. We have built a very, very sensitive society. And if you can sit remote on the other side of the planet and shut down electricity in the country, we're in trouble.
So that's what we do in critical infrastructure. And yet another one, WannaCry 2017, there was a massive attack. And you see this in banks. I'm just taking examples for medical now. In the U.
K, there was a terrorist in the U. K. Who drove a car over London Bridge. She killed 7 people. And it was big news all over the world.
This virus or it's not a virus, it was Trojan, entered the NHS, went inside the firewalls, covered up as a PDF, look exactly as a normal PDFs sent out by the NHS, but it had active content. People clicked on it, let loose a Trojan inside a worm actually, to be really frank, a worm inside the firewalls and that began to spread in between the computer in a known, known hole. This was published by Microsoft 3 months earlier. And from SMB, which is a file sharing protocols of Microsoft, went from operating system to operating system, so we were not responsible for the operating system. But it more or less shut down the entire U.
K. As for elective surgery and health care. Only the acute things could work. Now that worm killed thousands of people. We just don't know how many.
But the entire U. K. Health care was shut down for a week, except very urgent things. These are serious stuff. And the cost couldn't even be measured, almost not measured.
The problem areas we address in cybersecurity is, of course, wiretapping, which is one concern. We are all wiretapped today, Either when we do things on Facebook, because it's all recorded, I once wrote a message to a friend, you want to play squash? You think this messenger is not monitored. Well, it is. Same on Gmail.
If you use Gmail and write, do you want to play squash tonight? It's recorded somewhere and I get squash advertisements for the next 4 weeks. Buy this new racket because of recorders. And also if you have things at home and the phones, you cannot really trust you're not wiretapped, both from nation levels, but also from privacy levels. So individual companies, nations and society and companies are all wiretapped.
It's an ugly game. Everyone looks like you try to listen to everyone else. Our most critical infrastructure, again, is controlled by IT. It needs protection. If you get into a power plant, the Americans have shown, if you get into a power plant, the large generators, there might be some engineers here, they are all the rotor and the stator in a big generator are controlled by computers.
And they are synchronized with the entire country. The 50 Hertz grid is synchronous in Sweden. All of these generators are on that 50 Hertz synchronous mode. And if you just move the face of the rotor or stator, one of them, just like a tenth of a degree, that big generator is fighting all the other generators of the country and it will explode. You can get inside with our tea and make a generator in Porteus, for instance, in Sweden explode, fiscuit explode.
Is as effective as throwing in like 50 kilos of dynamite. And those things take like weeks, weeks weeks to order and years to install a new one. You can physically kill a power plant by getting through IT. Serious stuff. So we do our part there and trying to or do our best to secure those networks.
They have very thick steel doors, but they are not as good as IT as they are in very advanced locks and steel. Everything goes mobile. We see that. We want to do everything mobile today. That includes authorities.
It definitely includes politicians. And you know the old days when you could have a protected network of 3 or 4 things on a network and you saw the cable, that red cable was visible for everyone because as a rule, if sensitive, you cannot have the cable not visible anywhere. And everything was locked in. That those days are gone. Everyone want to be mobile.
Everyone want to have a secure mobile workplace doing everything they can do in the office, in the laptop. Now if you want a secure environment working that you have to secure those mobile workplaces and we used to be doing only phones. We are moving into doing entire mobile workplaces because that is where the future is. And we want to raise these to very high secrecy levels now. So you guys, for instance, can write about things you know that the other guys here shouldn't know.
And you're absolutely certain, not absolutely certain, but very certain with a high probability no one can listen. And security must be super simple, as I said before. If it's complex to use, if it's a lot of key management and stuff, people won't use it. And then you fool yourself in a very dangerous way. Because if you provide very secure things but people are not using it because it's too difficult to use, It's that's fake security and that's worse than no security at all almost.
So these are the 4 areas we are solving. Software solutions can be cracked. That's another thing I'd like to point out. A terrorist in California 2 years ago had an iPhone. FBI, CIA, everyone to crack it, they were not able to.
After 3 trials of that 6 pin number, the phone erased itself. The ones who solved it was the Israelis. The Israelis actually cracked it by taking the entire software, running a supercomputer cluster and installing the software on that cluster. And then they had simply they sort of emulated an iPhone, but in software. So how do you crack it?
Will you try? Brute force, 0 didn't work. 1, 2, boom, telephone erased. But guess what? You have everything in software, you download a new one and then crack the phone.
This means this change the entire mentality because anything on software can be cracked now. Anything. All secrets. And in all secrecy encryption, there is some parts you don't want to be exposed. No software solution is safe.
So we do the high level we do or in hardware and we are good at that. So we do also in these smartphones, we have a little chip and that only will take 3 attempts and then it will go like a mission impossible, boom. So that's one of our key strengths. We do things in hardware when it's really, really important. I'll do end up with some financials.
I mean, that's what's all about really. In SEK, I saw some excerpts from our Q1. In communication, we actually acquired a company, a Swiss company called Columitec, who has a VPN on level 4. I will not go through exactly what that is. Robert will mention it.
But it's a very good VPN. It's actually the VPN used in the nuclear submarines in the U. S. Not with encryption we have, they have Motorola licensed it, but it's the one that is used because they have a lot of interrupted communications with these guys. Order bookings for the group were fine last quarter, but this is mainly medical that rose there.
Financial targets for the groups were we have 3: stability, profitability and growth in that order. And unfortunately, for the first time in a long time, we were below on the growth target, but we hope to get that up. We are in heavy investments right now in the medical side because of the large orders. We had to take cost up. That will last for about 2 quarters.
And the last 2 quarters of this year, we'll be better off getting some reap some financial benefits of that. So that's something we are not fulfilling all three targets right now, but we're getting there. What about communications then? Communications grew not enough. That's not the growth area.
So we have to work with that. And a little more important, it was combined with actually less growth in profits. And that's our communications area. That's not good enough. That's we have to get this grown.
So that's why we have these new areas, so critical infrastructure, secure mobile workplaces. And that is the efforts to get that to get communications into growth trajectory where they should be in this market. Communications does not contribute to our financial goals, but it's good opportunity for growth and margin improvement in the future. We are investment in critical infrastructure and authorized or authorities enterprise segments and the growth initiatives, critical infrastructure, mobile secure ecosystems and new geographic areas. And with the acquisition of ColomboTek, we actually opened up communications and security in the U.
S. Still small, but one of the largest operators use our VPN, Sprint has our VPN as a VPN when they sell to customers. This is how communications develop. Of course, we want that to go up here. Summary.
All critical functions in modern society is controlled by IT. Modern terrorists, cyber mafia, aggressive nations will target it. Society must protect itself. Legislation increases, investment will go up. So we are growing in the growth market As Exacto want is growing by external pressure, it has to grow.
Cybersecurity markets are set up for large growth. SECTOR is active in the key areas of critical infrastructure. High speed network encryption, more or less we only do with the Swedish authorities and high quality, high security mobile workplaces. That will be the norm of the future. People will not use phones.
They voice is just one kind of data. So that's an introduction where we are. Any questions?
Fredrik Kalin from IFRS. So you talked about secure communications not really contributing to earnings. And of course, now you are investing growth in critical infrastructure and other growth opportunities. I guess we'll hear more from Simeon about that. But looking at your sort of legacy business, where the lion part of your sales is within this division.
You more or less made no money between 2012 2016. And as I understand it also, these customers sort of limits or puts boundaries on where you can grow in what verticals and in what geographies. So that balance, is it worth having those customers still around? Or how do you see the yes, you need to increase your margins or grab the opportunities in a better way?
You're right. We have to increase our profitability or we have to do something else. I mean, the way we've done it doesn't work. But we believe in this area. And we'll try a little more before we take some actions because as it is today, I assure you, I mean, you are one of our biggest shareholders, right?
We can't sustain it. We need to get profitability up and growth up, otherwise we have to do something else. We have very smart people and they can do a lot of things. But let's try it a little more before we change. Any other questions?
Hello, Jan.
Could you just briefly explain the major differences between your phones and regular iPhones or just what's the main, yes, differences?
Well, there is 2 kind of phones and you will hear that later. The secret level phones, we build them entirely ourselves. They cannot be a smartphone because you don't control the operating system. It cannot be really safe. So we build that phones and they are quite different, I guarantee you.
And then we have our restricted level phones, which is a lower level. Then we have a ship that is secret and it cannot be tempered. It can never be cracked in the way they crack the iPhone. And iPhones do not cannot have a chip in it. There is no place to put it.
So it's very, very difficult, close to impossible to make an iPhone or a software based system at the security levels we do even our restricted levels. All right. Thank you very much.
The Vice President and the man in charge of this very area we're now discussing, Mr. Simo Pikkaliste.
Nice to see you so many here. And there's a big interest for the cybersecurity. And I will start and I will talk a little bit about what is our role and what is our focus and what we are really trying to do in the large field of cyber security. I mean, we can't do everything. So I'm trying to put some context what we actually do.
Picture myself, no need to mention other things, but I've been here since more than 16 years with sector, so in different roles. So I think it's I promised to be 3 years and now it's on the 17th year. So let's see how many years to come. But really good company to work with. Who we are at Communications?
Torbjorn didn't talk too much about the history, but company is more than 40 years old. So if you think of the field of cybersecurity, we've been actually doing something in cybersecurity more than 40 years. I think we can be really proud of that. And if you mentioned also regarding the knowledge and the brand, I mean we are quite known in certain places, not widely known in the cybersecurity, but we are quite known in the field that we are doing. So from the defense, actually starting from the banking sector, which I guess many of you represent here.
So we're doing the bank automatic teller security in 80s, that's where we started. And then crypto defense and then going into the smartphone and to critical infrastructure. And I come back to that a little bit what more we are doing and what is to aim with that. But moving a little bit into different segments now. So what we do, basically we could divide first a little bit on the 3 different areas.
We have the traditional communication systems for national security. And with that we mean the defense and the military and those that are mostly like Frederic was asking, regulating a little bit also what we are doing, good and bad. But you know, regulating a little bit what they're doing. But really high security and that's where our actually foundation is. So the people, the smartest people that we have, whatever we do in the other areas, that's where the foundation is actually the smart people come from.
So we should always keep that in mind. Then in the security solutions and the critical infrastructure, that is the newest part. And that's where we are trying to secure. We concentrate mostly on the OT, not so much on the IT. They are connected and we need to handle that.
But the operational technology and the SCADA systems, so there are actually the ICS and the PLCs and controlling the factories. That's what we want to secure, because that's where the bad things happen if something gets in there. Secure mobile solutions with authorities and enterprise. I mean, we're also doing it here, but now also we have a focus and concentration on actually doing that for the enterprise, including medical. To be mentioned there are more and more synergies.
Yes, they are. We already have medical customers, which I think is really exciting and also what we're now going to U. S. A little bit of products. I'm not going to go through all the products what we're doing.
We have Lasse and Frederic and Robert talking a little bit later. So they will talk more what exactly and how do we solve the problems with these products on the different areas. But one what we could say or I want to say is really important here, the services and recurring revenue. I mean, you see that the sector as a whole, I mean, has quite big jumps back and forth between the quarters. And of course, the platform and the recurring revenue, even the communications, it's really important that we get higher and higher every year, so that we have a balance in that rather than doing stop start and stop projects and development only.
That's not what we want to live for. We will do that, but we want to complement the traditional business with also the services and recurring revenue. And that's important to get and the balance over the time. A little bit of the customer, like I was mentioning, I mean, we have been working with the EU, NATO, different governments throughout already took more than 20 years in Europe, in Sweden more than 40 years. But even in the throughout the Europe and the NATO.
NATO, we actually got the first and we had a press release a year ago, a little bit, I think about a year ago. So we are actually now delivering our secret products through the Dutch secret phone actually to NATO. And that is really exciting. And of course, as European countries, there's as many NATO countries in the world that actually we can be targeting. But actually what we could say in here also is that they are all very demanding customers.
So that also means that we need to be really smart in whatever we are doing. They don't accept failure. To be mentioned also quality, you know, there is no quality. Quality failures is, you know, it's not accept you are kicked out right away if it doesn't work. Also I need more than half of the EU member states are our customers.
We have EU frame agreement and that's what we want to continue with. I mean, the long term relationships and agreements, same thing with NATO. And whatever the customers are, I think like in the medical also we have more 10 year contracts or even more. If they come and to become a customer, they most likely stay. Otherwise, we have I think failed.
We need to keep the customer, they most likely will stay. They don't change the systems every year or even in 5 years. It's more that 7 to 10 year terms and the development what we do. But now it's not only, I mean, when we go into different segments, it's not only, defense and military. There's also civil defense in Sweden MSP contingency agencies and the similar agencies in other countries.
So basically we see and Pia will talk more about the security law. But in Sweden, it's the same thing and trend happening in other European countries that the market is actually is maybe 10 times bigger or becoming 10 times bigger than it was before. Because before the systems were actually only direct to military and defense, but now it's actually the whole civil authorities, which are considered to be critical security in the governments. So it's more and also the industry and critical infrastructure. They are regulated not as much as 1,000,000 DFs, but they are regulated and also by law.
So more important, it will start being more that we are part of the business development in these companies and when we do work. So business continuity and operational efficiency are becoming more important rather than just selling products. So where are we going? A few words. Torben also mentioned a little bit of trends and drivers.
The digitalization, mobility and automation, of course, that's everybody knows. If you're not digitalizing, I mean even in the banking sector, I mean everybody needs to be digitalized. Who is the most digital and most efficient, you know, then they are winning the game. And that's where we see the security also becoming more and more an issue. How do we secure the things when people are doing everything remotely and from their home rather than going into the stores or banks or wherever.
New geopolitical threats, need for cooperation. I think this we see more and more the threats landscape in Europe. The most of the countries have basically the same threat landscape. You had the Russian tank in the on the red screw or wherever that was. I mean, that's basically the threat landscape.
There are other ones too. But you know, Europe, I mean that's a common, we see the most countries the same. And you need the cooperation. I mean there's not one country I think in Europe that can do everything on their own. You need cooperation and you need trusted partners.
So that includes the cooperation need. Post quantum, if that will happen, how it will happen or when it will happen, Jonathan will talk a little bit more about it, but I'm going a little bit more in detail. But there definitely will be something. And if somebody would already have done something, we probably wouldn't know if the Chinese would have done that already. So I think it's a we need to do something.
We need to solve the issue. So I think that's why it's really important that we concentrate our focus on research, even within communications. So we are in the forefront of whatever will happen. Increased degree of interconnectivity and complexity. Just an example with the power plants.
Lasse will talk more about that. But I mean they are being built 50 years back and they have been adding systems since 50 years. Every system they add, they're not necessarily taking away another one, they're just adding something. So I mean, of course, you think there are probably 100 service people running into the plants and doing things, you know, that of course the security is quite huge. And you know, they charge their phones in their on their normal computers or at work.
So there are a lot of issues with that. And connectivity and complexity. So we will need to solve the issue that how do we in the mobility actually solve that. So what are we doing focusing? Focus on core competence.
I mean, we can't do everything. That's absolutely so. I mean, this sector has always been very good focusing things that we are very good at, and we will continue focusing. So we have said and we put the growth areas where exactly what we think that we can be best at, not that we are the 3rd or 4th or something. We want to be best at whatever we're doing.
3rd party integration that goes through the whole communications. I mean before we have done development projects quite a lot and we have done the specialized crypto, but that and on our own. But on the new areas and even on that on the traditional area, we need to be better in the partnerships and also using third party products. It's more solutions to the customer rather than saying, okay, we will solve everything, because then you really I mean, then you're too focused on one thing and it's impossible to grow. Organize for customer influence, that also ties a little bit the same thing.
Now more what is the customer needs and what is the solution that they need together with the partnerships rather than, you know, this is the product, you need to have this. It might be in some cases that, but it can't be only that. So what is actually the customer listen to the customers. And growth segments were outer influence lower. Not that we will take that away, absolutely not.
But it's that they will complement each other. And also as I say, getting more recurring revenue and also recurring profits that how we can grow and complement this together. So basically, one goes a little bit more even and the other one of course will go in the growth and stable over time, but it's a bigger cycle. So the segments what we are focusing on, national security already mentioned, it's a lot of legal requirements of course, and that is the base. Then we go more into civil authorities enterprise including healthcare.
It's more the security awareness, they need to be secure and they have a lot of legal regulations also, but especially the efficiency. I mean, when we talk about the roaming or the policemen you see here, you know, it needs to work and it cannot stop. Or if it stops, it needs to pick up again really soon. Otherwise, the bad guys will run away. So you need to be able to do that efficient way.
And operational continued in critical infrastructure. That's a special, I mean, Turbine was showing also the examples of and you will hear more from Lasso too. How much does it cost per minute, per hour, per week if something breaks down? It's 1,000,000 and 1,000,000 and 1,000,000. So we need to be part of the business continuation there.
So if what we are doing a little bit geographic focus, I mean, we have had the Scandinavia and the Northern Europe. And of course, Netherlands is our very important, let's say, like a second home country, and where we work very closely with, and then the whole Europe. Then of course with U. S. Office, I think that's also tied very much to the medical sector that together with Kolombidec and the resources in U.
S. We see a very good advantage and a possibility there. Partnerships, I mentioned 3rd party products and partnerships, really important that we can't do everything our own and we're actually working with that. You could also mention that Kolombidex actually has been our partner. I don't know the I don't remember the year, but I think 5, 6 years they've been our partners.
We've actually been using their VPN solution already partially and developed further in our products. And now they became, you know, the assets wholly owned by sector. So I think that's a good example how we want to work with. So it's complementing our organic growth. And Robert will also come back a little bit more in the details, but you know, we got the better VPN offering and also the software solutions rather than just only on the hardware even if that's important in the more secure segments.
And coming more with the services and recurring revenue. So that's all that is the aim that we will come more to this securing recurring revenue. So security market, you've seen a lot of pictures. I'm sure that there's a lot of research. So this is just one research.
And it will grow by, I mean this source it I think all the research that I read it says 10% to 15% annual average growth over next 5 to 6, 7 years. So that's nothing new. So of course, our aim is we need to grow at least that. Otherwise, we're not really doing our job really well. So we can't be worse than the average.
And if you look at the world actually they are growing where the growth is most energy, health care, public sector, airspace, defense, Those are exactly the sectors that we are very good at. So I see a good opportunity actually targeting and continuing with the sectors where we are. So how do we do it? I just wanted to show this. Just have you read the book and you probably seen the book in some of our earlier presentations, but Dan Brown had his sector, TigerXS named in the book, and we didn't pay a dime for that.
He actually found us because of our brand and he did research. Then there's actually another book, if you want to read, if you're interested in read, it's in Dutch. But Dutch is almost like Swedish. So it's, you know, it says something about security and spies and all that. So it's so but it came out last week.
And when he did research, he's quite famous journalist in Netherlands. He did research. He of course mentioned, you know, special Tiger telephone, and the ministries and IVD and all those different places. It's quite interesting actually, what I understand that some of the Dutch government officers actually did want that this book came out, because they still don't know really where you find all that out. So I think it's interesting book.
I don't know if it's in English yet, but you should read it. So anyway, what I want to say with this, I think the brand is where the base is. That's what we want to use. And you know, not just having in the books, but also in reality. National security, as I said, collaboration and the crisis preparedness.
When there's some crisis in some European country or there's a hostage situation or something, we see a lot of interest to the sector. And so we know actually that some of the incidents are handled or the communications handled with our products. Civil authorities, besides that it has to be secure, operational efficiency is absolutely the most important and then needs to work all the time, mobility wherever it is. If it's a doctor or a policeman or whatever it is, I mean you cannot stop the system and okay, then they go back to pen and paper rather than using the product. And then the energy, especially the business development, when they are digitizing their processes and their work, I mean, we are being there and those customers that we have doing the consultation first and helping them with the architecture and security awareness, then all the way that actually step by step becoming on the totally higher level on the security.
And I think that's really long term. It's quite people resource intensive in the beginning, which you know, it's good and bad. It's not that profitable. But that's needed to do to have the security operations center 20 fourseven and those customers in long term, where we have long term contracts. And not the least, the incident management.
So that makes the whole loop actually in what we are doing with the customers. So actually now we are working, Lasse will come back to that a little bit on the even the an example with the insurance companies that we actually paid to do the incident management. They can take all sector rather than somebody else. And that's an agreement with special agreements what we have, so that we actually handle the incident and send people there when something happens. Okay.
I think that was my last slide. Questions? Yes.
Just to understand, when you work, for instance, in energy project.
Yes.
So just so I learned basically, so what's the difference in your project versus high end security consultant project, for instance, the Tietos or anyone?
Yes, I mean and us.
Yes, so different levels and
I would say, I mean, of course, the IT and Altium is operational technology or that's the difference. I think we are concentrated on really the factory and the processes. Like you said, I mean let's say the same thing. We couldn't even sell in the medical if we didn't understand the doctor's process. So we really could understand the overall and the process.
So that's the difference. And a lot of times when they do a security, you know, if you look at the other competitors, when they do a security analysis or security consultation, They are much more on the higher level, or you know, computers and IT and okay, then they touch something maybe on the hotel. We come from the other side. So we talk about the SCADA networks and actually the PLCs and how do you control that, and then securing that part. Then we use, of course, in our work the solutions that, okay, how do you differentiate those 2 different levels?
So I think we come a little bit from the different angles a lot of times.
And what competitors are there on the OT level?
There are several competitors that do actually what we see mostly they do systems. You can find, I mean, OT security surveillance systems, if you Google that, for example. I mean, you will find probably 5, 6 different suppliers. The difference with that is that then you introduce the system and you monitor yourself your own system. So and we don't do that.
Lasse will talk more about that, but we actually are pulling information and securing and monitoring the system from outside with our crypto techniques and products and surveillance systems. So it's a totally different thing. So basically if you're doing it your own, you're basically introducing a security threat to your system yourself. So I think there is a totally different angle what we are doing. So in that place we are unique.
And all the other so all the other place are doing their own?
Not all, but most of them. I think there are there might be some but the crypto techniques that we are doing the information and not introducing anything the other way. I think we are unique in that one.
Into the rabbit hole. What happens if and when quantum computers become a reality? How is the world to handle this?
Okay, my slides are coming up soon. But thank you much for the introduction. And thank you Pia for the introduction over to post quantum cryptography, which will be the topic that I will be talking about. So just quickly about myself, I am an information security expert, computer hacker who went to the academic field and got a PhD in quantum cryptography before joining sector about 2 years ago, and I've been working with quantum cryptography and working with information security. I'm also an expert in Bitcoin and cryptocurrencies.
I run a consulting firm in this field. I've been working with law enforcement and I've been very active in Swedish courts as an expert witness and testimonies regarding cryptocurrencies and narcotics smuggling and related areas. Thank you. Now I have my slides back. So we don't do blockchains and cryptocurrencies that Secur, luckily, but we do a lot of work with the fields I'm working with today.
I also work as postdoctoral research at Linkoping University in parallel with my work at sector and I represent the research department at sector communications. As Pia talked about before, cryptography is paramount for security. There are 3 things we talk about, especially in security that are important to achieve. We have confidentiality in Swedish, we call it Securitas. We have integrity in Swedish, the best word to use is ricktyjet and availability.
You of course know about confidentiality, the need to keep things secret, especially about your customers. Now with GDPR, if you don't do confidentiality within your organization, you will find a very large fine. Also in integrity, if the data is not correctly sent or correctly authenticated, say that you make a transaction on your bank and some someone like a hacker adds an extra 0 to your transaction amount, that will be pretty bad. So integrity is also something we achieve with cryptography by making sure the data that you sent is the same data that is received on the other end. Also availability is the 3rd leg on which information security stands.
Things need to be available when you need them. If your banking system fails and you can't do trades for a minute or for an hour for a week, that would be terrible. But all these things we do achieve with cryptography. So good cryptography, we need high quality cryptography. If you don't if you can't trust your cryptography, you can trust your information security and your business will fail.
So how long do you need to keep your data safe? As we just heard in the long term security spectrum, we need to keep data safe up to 95 years. I mean, if we encrypt some very sensitive information, we Plan B, redundancy is important in security. Okay. Availability, as we said, it's important to have backups.
If something fails, you need to have a threat model that takes care of all possible scenarios. So long term security, even if we have something extremely sensitive, if we have a good crypto system, we can encrypt this information. And And then we take the encrypted information and can send it on a postcard to Vladimir Putin. And then it should still be secure for 70 or 95 years. That's how good our security and cryptography needs to be.
But I'm talking about a new threat that's coming up on the horizon. That is quantum computers. Quantum computers will have a profound effect on cryptography in the medium- to long term future. You might not need to keep your data safe for 70 years, but in the commercial sector, we usually talk about 30 years of security. Of course, if security fails, you might violate the GDPR, and it can be very expensive for many, many organizations, not only in Sweden but also in Europe.
But quantum computer can come soon. So how long do we have or how long does it take to migrate to new cryptosystem that is safe against the quantum computer? Could it be today in 0 years? In some of the very high assurance systems, we are already safe. But for most of us, we need to think about how long time do we have to migrate to new systems and it can take years.
We learned this in the 90s. It can take decades to develop and fully implement new safe crypto systems. And the question we need to ask ourselves is, if we have a security horizon of say 30 years, we need to keep the information secure for 30 years. And then we also have a long deployment time for our new crypto systems. How long time does this time take until a quantum computer arrives?
So if a quantum computer arrives in, say, 10 years, that's an optimistic example, but 20 years. If that is shorter than the time it takes for us to deploy a new system before we can use it and at the time we need to secure information, we will have a problem. And this is not just relevant for Defence or National Security. It's also relevant for critical systems like Energy Sectors or Finance. Even though Quantum Computers are still a bit away in time, we need to start thinking about it.
Konarkoviras are pretty strange. They work on information in a completely different way than we do today. They don't just do single bits of 0s and ones. They do superpositions of bits where it can be 0 and 1 at the same time. They can do some amazing operations on these Qubits or quantum bits.
But the question is how long do we have until they come? Well, we are roughly at Stage 3 or 4 in this 7 step process that has been discussed for the past few years in the quantum computing sector. Normal computer uses many bits. And if a quantum computer wants to do something important, it needs to do many quantum bits. This is not easy.
It takes time. We can do some very, very basic operations now. But for the future for Quantum Computing, they will have some really, really difficult steps to achieve before we're here. But a good estimate from Michel Moscow, who is leading the Institute for Quantum Computer at the University of Waterloo. In his opinion, it's about 1 in 6 chance that we will have a work in quantum computer within a decade.
And this prediction is 2 years old. He also says we have a 50% chance of a quantum computer existing within 15 years. Now I would say that Michel is quite optimistic here. I'm more pessimistic, and I will say, well, maybe 20 years away. But still, it's within our lifetime.
This could very much happen. We need to take the appropriate steps to secure our information. Now just the other day, Google, who is working a lot with Quantum Computers, apparently published or leaked some information that they are actually building a working quantum computer. And this Quantum computer is now proven to be better than a normal computer. This computer can do tasks that takes 3 minutes that would for a normal computer take 10000 years.
So we're now in the post quantum era where quantum computers are better than our normal computers. Now with that said, this new result is amazing, but still it's a very, very impractical computer. It can only do one specific problem that is just made to show that this computer is faster. It cannot do anything useful for us. Also, if you run this computer, you have just 1 in 1,000,000 chance that it will produce the correct answer.
So you run this difficult quantum computer. It gives you some kind of result. You can't really verify it because it will take you a normal computer 10000 years to check it. But I would say it's a good metaphor to think about the first airplane, the Wright flyers. They flew maybe 100 meters or something.
It wasn't very practical to use. If you try to sell that one to someone, they will say, I don't need this, which is true. But the right flyer, just as this quantum computer, is the first in many steps to a working quantum computer to a future where quantum computers can be a reality. So why is this important? Well, quantum attacks can happen today.
Let's say you're the Chinese. You can record our secret encrypted communication. I mean, we send a lot of data over the web today, but hard drives are cheap. Buying a new computer with big storage, it's very cheap. So a nation state attacker like the Americans or the Chinese can record everything we do encrypted.
It's just garbage right now, just random ones and zeroes, but they store it on a big supercomputer. And then they can wait, wait 10 years, 20 years, not a problem. And then if they get a quantum computer by then, they can break the communications and decrypt security horizon. Then you really need to make sure that every kind of technological development within these 95 years does not affect the security of your information. And we know that this is happening.
The Americans are doing it, and probably the Chinese and probably the Russians too. So what will happen when a quantum computer does exist? Well, for the defense, it will probably not happen too much because as we said, we are mostly secure in the secret domain already. But for the rest of us, for the finance sector, for the critical infrastructures of our society, Well, it's back to the dark ages of crypto. You see a locked briefcase with what's called Hunt Kilver.
That's how we did key management before we had good cryptographic algorithms. You basically sent couriers with new cryptographic key materials to your other end. And this is really, really expensive. It's just information security for the very rich people. We cannot do this on our phones anymore because the phone today negotiates the new cryptographic key with the other part.
If you go to your app to check on your bank account, it will do a cryptographic handshake that will no longer work. So it's back really to the dark ages of cryptography. Also these types of crypto systems that we need, they're quite easy to screw up. It's much more difficult for a computer programmer to sit down and write a secure software now if the systems are broken. It's hard to audit.
It's hard to tell that it's secure or not. Now of course, we at SECTA, we now have to do a crypto system, so we can do these things. But for the normal guy, normal developer, it's very easy to screw up. I want to show you some few slides. These are just big numbers.
But look here, this is a prime number. It's hard for you to check, but trust me, it's a prime number, And this is also a prime number. Now I can tell you to multiply these numbers. It's easier than I think. You learned this in elementary school.
You just write it down on pen and paper. You can do it in a few minutes. It's not difficult. And then you get the product, which is an even larger number. Okay.
Now let's say I just give you the large numbers and you don't know these smaller factors. Now I tell you, show me the prime numbers that I multiply together. And this is more or less impossible. It's very, very difficult for any computer except for a quantum computer to do this kind of thing. It's called a trapdoor function.
And this is what we base some of our modern crypto systems on. It was an amazing discovery back in the 70s that you could actually do this. It's very fast to do the encryption, very fast, very difficult to crack it, basically. This is the basis for the software called RSA. And the problem, of course, is that a quantum computer can do this operation very fast.
It can crack RSA. It can crack other similar methods like Diffie Hellman or Elliptic Curves. So we need to do something else. As I said, RSA is an amazing discovery. And to make new safer primitives for cryptosystems, it will require amazing discoveries again in mathematics.
For instance, you can do something called lattices. We do vectors in some big abstract vector space. Don't worry, I want to there's no test on this. Don't need to study. But we need new chapter functions.
Really deep level academic research is needed to make our new system secure. It's nothing that we can just spend a few years on an engineering level. We need to really delve into deep academic thinking. There's a big process now going on in the United States, but also in the whole world. It's led by the United States.
NIST is the National Institute For Standards and Technology. And they're now working on a big process to standardize to together come up with new cryptographic methods that will withstand quantum attacks. So right now they are using 26. They have 26 algorithms that are sort of advancing to the semifinals. You use cryptographic methods today that was selected by NIST about 20 years ago, things that we assume to work every day.
This will be needed. We really will need these methods to work in the future. So we really depend on academics coming together and inventing new cryptographic methods for use in the future. I also forgot to show you, this is an image of a quantum computer, how it looks today. We have these cubits, these physical cubits.
They're superconducting things, uses something called transmons. It's very, very high grade physical research. But this whole thing is then sunk into a bottle. As I said, superconducting means it needs to be very, very cold. So you have to chill this down to about 100 millikelvin.
You go down to the absolute zero temperature and just go a tenth of a Celsius above it. That's how cold you need to have your quantum computer so that it actually works. So there's some extreme technical difficulties in making a quantum computer work and I think quantum computers are still quite far away since we have such a difficult time making them. But still, we as the defenders, we need to make sure that when they come or if they come, we need to be secure and that development can come quickly. We won't have any time to prepare unless we start right now.
So we need good fundamental and good applied research. A quote here again from the Director of the Institute of Quantum Computing. Post Quantum Cryptography also requires a wide range of research from fundamental studies that is mathematics and physics of the resistance to quantum attacks to studies of their efficiencies. How can we make them under difficult resource constraints, how can we make sure they resist so called side channel attacks. We need a sector to make this work and we need a good research department.
But post quantum cryptography is possible. For instance, a few years ago, Google Chrome, I guess most of you have seen Google Chrome or use it. They did an experimental study to see, can we make a web browser quantum secure? And while it was quite difficult, the report says we did not find any unexpected impediment to developing something or deploying something like New Hope, which is a post quantum safe cryptography method. There were no reported problems caused by enabling it.
So the technology is possible. There's a roadmap for it. We can do it. We just need a lot of work and a lot of expertise to make it happen. Now one of the big hurdles for us who defend against cryptographic attacks is that these new crypto systems are difficult in a way that new crypto systems can be broken in some unknown way.
There might be some hidden flaw we don't know about. Not that anyone has put it in there, just that mathematics is difficult. So we have a problem where our current or pre quantum systems are broken by quantum computer and the new post quantum systems on the other hand can have unknown flaws. So how do we do that? Well, we do something called a hybrid cryptosystem.
We combine the best of the 2 worlds. We use pre quantum security and post quantum security together in a so called hybrid. Okay, I know it's an electric car, but it's a better image than a Prius. We make it into a hybrid cryptosystem that takes the best of both worlds. This is also in the frontier of academic research.
Nothing that is available right now, but it needs to be done in the right way. So what is sector's role in post quantum cryptography? First thing, post quantum cryptography or PQC is a high priority for sector. Our customers want it. We want to deliver to them.
And in the future, say, 10, 15 years, also on the restricted side and lower grade security will also need post quantum resistance. Now we are 1st movers, etcetera, in a very rapidly moving field. Those 26 cryptographic algorithms that we see in the previous slide might be 1 or 2 in the future, might be none of them, might have to be something else. It's a moving target, but we're working hard to stay ahead and we are the right people to do it. As I said, customers will need the Quantum Safe Technology, maybe not today, but in the near future.
And as the technology matures, we will strive to be ahead. And I am proud to say we have a strong academic focus as Head of the Research Department. We are working closely together with universities, Linkoping University and Lund University and others. As a summary, we need post quantum cryptography to stay secure in the future. We have challenges.
These new algorithms, they are of lower performance. You want to have your phone running the same way as today. You don't want it to be obvious to you that you use some kind of new cryptography. We need it to be transparent. We need it to be usable and easy to deploy.
But we have higher power consumption with these new methods. How can we make a mobile phone run a heavy algorithm without draining the battery? And also uncharted waters, there will be unknown unknowns coming to us in the future in the post quantum field. But this is a disruptive field. We know we have challenges.
We are the right people to do it and we have to act now to be prepared. Okay. So that was a short summary of some of the challenges and problems facing in the quantum world. I'm happy to take some questions.
So thank you, Rotam, for disrupting us a bit. So do we have any questions from the audience?
Maybe you said I missed some bit, but when will Quantum come? What timeframe?
I quoted Doctor. Mosca from the and he said 1 in 6 chance in a decade and 50% chance in 15 years. I think the time frame is longer. I think we are further away from this, but the problem is not really when they come. The problem is it takes a long time for us to switch crypto systems.
Yeah. And it takes a long time. Even if we report something today, we wanted to stay secure and say 30 years time or 10 years time, maybe if you have low grade security requirements.
Sure.
But we cannot really wait with development. Development needs to start right away. And even though for the commercial sector, I would say post content cryptography is of lesser importance than some other issues facing right now. It's really important that we keep track of it.
Okay. And what hurdles need to be solved in order for you to think like, okay, this was a big step?
Yes. We need to, for instance, agree that which crypto systems to use together with our cooperating authorities and also to make sure everyone in the industry agrees on the same system. As I said, 26 different methods, we need to choose one of them. Also performance is difficult. We need to make it run fast.
You need to make it run on a phone with power constraints. You don't want to drain your battery just to send them on text message. That will be absurd. That's the situation we're in right now.
But what within quantum computing, what do you need to see in order to
All right, okay. So you're asking about what do we need to make a quantum computer run today?
Yes. Well, what needs to happen in order for you to think or see that now we're it's a big leap. Yes. Now we see
something happens.
So the Google Quantum computer I was talking about has 53 cubits, 53 quantum bits. Now to be able to run, say, the algorithm that can crack RSA, that can crack cryptography, you need 100 or 1000 of qubits. And the problem is these qubits are very noisy. They don't do the thing you need to do. So you need to do error correction, which needs a 1000 times more bits.
So logically, we're thinking about maybe a 1000000 qubits are required to run a decent size of algorithms. And going from 53 to a1000000 is a major, I mean, we need to have breakthroughs in this technology. Such as? Right now, if you run a quantum computer, any kind of noise will destroy it. If you just nudge 1 of the cubits, everything is destroyed, which is a difficulty that we don't have in normal computers.
I need to scale it up from 53 to a1000000 running at almost absolute 0 temperature without any kind of disruption or vibration destroying it. So the major technological challenges in this field.
Doug. How about the resources? If you compare your resources at Netzetra and with Chinese military or whatever, is there any point in you guys trying to fix this? Or could you elaborate something about that question?
Sure. As I said, some products are already secure on the highest levels of domain. You just heard about it from the previous speaker also. But yes, we can do it for sure. We have candidate algorithms.
We just need to make them run better.
There is a popular belief, whether it's prequantum or postquantum, that if you have a crypto that is going to be used in the United States, you will have to deliver the crypto key to NSA or any other securities organization. Is that a truth or is it just a popular belief?
You're talking about something called escrow that in some jurisdictions you need to send your cryptographic key to the authorities before legally being able to encrypt the information. I don't think that's true today because today we can do high grade encryption even using our normal web browser and our computer. And it used to be true in the 90s during the so called crypto wars. But I don't think I'm pretty certain that this is no longer the case.
Any more questions so far? Now there is always a back door to every security system and in Sweden it's called the Fika. So for now there will be such an event obviously to keep their brains and minds running. And at that time there will also be demonstrations. So but don't rush because there will be a second set of demonstrations at 12 o'clock as well.
So you can delve into the details one at a time. So off we go. So welcome back. I hope you enjoyed the Fika and the demonstration. As far as it goes, there will be, as I said before, they break a second session.
As always, where there is change, there is margin. So we have made some changes and compressing of the agenda, which means that we will now head on for the rest of the program. And then following that at around 12 there will be some sandwiches and an opportunity to see further demonstrations and some Q and A with the management at your discretion. On the theme of minor changes in the program, now we do not start with what you believe would be 11 Robert, who will be later on. But on the other hand, National Security, headed by Fredrik Sundstrom.
Thank you. Hi, everybody. My name is Fredrik Sundstrom. Can you hear me, everybody? Perfect.
So, we will start now to dig into the different kinds of business areas that we are working with. And I will talk about national security. I would say that, as Simo mentioned in the beginning, this is the kind of traditional area where Secure Sector Communications has been working for 3 decades or something like that. We started with the Swedish defense in the 1990s or something like that, doing encryption algorithms. And then after that, developing different kinds of products using those encryption algorithms.
So that's the kind of starting point of secure communications, I would say. As I said, Fredrik Sundstrom, responsible for national security. I've been working at Sekra since 2,001, reaching 20 years soon. I would say 20 years is a long time, but it's very easy to stay with the sector and work there since the people who work there is so engaged in what they do. It's so interesting to work there maybe due to what the management do in recruiting, maybe due to skills, I don't know, but it's a very interesting place to work.
I have a Master's of Science from Linkoping as my background. And this is my first job, actually. So for the area of national security, what is the common factor that all of them need to apply to? This comes back to what Pia said before. All of them are required by legal requirements to do things to handle and to exchange information.
Everything they do need to have approved products. And approving products, that's what Most and Pia and her organization do. There is also international organizations like NSM in Norway. We have NBV in the Netherlands, CSG in UK, we have BSI in Germany and so forth. All of those are focusing on approving products to a certain level.
You saw this before. There is a range of levels that you approve products for. And depending on time and consequence of leakage of information, you will require different kinds of levels here. Also, I would like to mention not just time and consequence, but also depending on the potential threats, the environment where you use the products will affect the kind of level you would have for your products. We have been doing this for quite a long time, of course, with Sweden, but also international authorities.
So we know for sure what it takes to approve a product and to follow regulatory requirements that comes with these kinds of improvements. For Sweden, 30 years. We've done it with the Dutch authorities for 10, 15 years. We have products approved for EU level and also since sometime also for NATO levels. So what does the customer actually want?
Who's the opponent what they want to protect themselves from? To your right, it's criminal organizations. Well, not actually. Those are out for stealing things. They are very short term.
They don't care if you notice that they've been there. So that's not actually what you're protecting yourself from. Youngsters trying to hack themselves into systems, maybe from time to time. But again, if they succeed, they typically are quite happy of doing it and we'll announce it. So you know that they've been there.
The most dangerous part is the left one here that should represent state actors. Those are professionals with extensive amount of time, money, resources, technology and very skilled with what they're doing. And they are trying to gain information, steal business intelligence, state secrets, miscredit or spread disinformation in different kinds of ways. And always they want to do it without being noticed. That's a big difference between those.
So for those customers we are working for, they are all trying to avoid this. Those areas will be addressed later on with Lasse and Robert, I would say. So what do they need then? We talked about security, usability and availability. And those three things is a difficult combination to find.
And the biggest threat I would say is usability. It's very difficult to get this in a usable way. To make something very secure, I would say it's quite easy. Buy yourself a big safe, throw away the key. But it's not that usable.
You can't share that kind of information. So what we are doing here is finding this balance, verifying balance between availability, usability and security. And from a security perspective, Jonatan mentioned it before, you require a few sets of functions to mitigate the state actor interest. You need to make sure that you are authenticated. You are you.
Compare yourself by the cash machines. You will enter a PIN code to verify that you are you. We talked about integrity or viktihiet, as we said in Sweden. You don't want to have another extra 0 in the transaction of money. That would be bad.
And the third one being confidentiality or encrypted information. So that is what we are trying to give to our customers. Taking a bit more from our perspective, what markets are we active in? Of course, Sweden, that's our home market. That's where we've been active for 30 years and we will continue to be active there.
Another main market is the Netherlands. We have very close cooperation with them. And the third one is Norway. And then also looking into the European Union, we are active in approximately 50% of the nations being present either by the Dutch company or direct from Linked Shutting. Who's the typical customer?
I'd say the first sector is, of course, easy to understand. Defense Organizations typically, Swedish Defense, of course, Norwegian Defense and the Dutch Defense. We are also more and more working together with civil authorities. These ones being Swedish, Brijellingskaasliet or Uticus departmented. Swedish Consilidencies Agencies, MSP.
But we are also seeing more and more active dialogue with different kinds of Ministry of Defense and Ministry of Interior Affairs in several countries around Europe. The third part is different kinds of organizations and operations. We have since quite long a framework together with the European Union. We're supplying communications equipment for all the ministers. We have an agreement together with the EEAS that's a part of the European Union.
They are supplying equipment to external actions within the European organization. We have since 1 year working together with NATO, European parts of NATO supplying products there. And we are also quite active within civil companies, for instance, Saab in Sweden. So what do we do for those customers? First of all, we have the Tiger Ecosystem.
That's the most famous product I would say we have. And that's a broad range of products. The most known one is the secure mobile phone. This is approved to secret level. It's a proprietary hardware solution that we built.
It supports different kinds of networks. You can use it in fixed line. You can use it in GSM mode. You can use it over satellite links and so forth. It's also possible to use this one and connect to lower security levels on restricted level with an ordinary phone.
Robert will talk a bit more about that later on. This is the product that is most present in Europe and we work on the international arena. Network Encryption, this is moving big data from one point to another. Possible to look at this kind of products outside here later on if you want to. This is developed in Sweden and used in Sweden.
And I would say an interesting product to look forward when it comes to the new rules and legislations that Pia talked about that was present from 2019 in April. 3rd part that we are working a lot with for all products is support and maintenance. All products are sold as a package with a maintenance program, and that is of quite big importance since most of them contain software that needs to be updated from security perspective. So we work with it quite often and quite close with our customers, making sure that everything is secure. Do we think that there is any growth potential in this area?
I don't know if you saw it, but last week, it was published on the government's homepage. There is a decision to rebuild the total defense within Swedish authorities. First of all, department decided to add some €5,000,000,000 extra per year the next coming 5 years to support this. Also mentioned by Pia, this will cover a lot of Synallquids material, which is what we're doing. We see the same trend in many European countries.
There is extra monies added for their budgets for the years to come to take care of the increased cybersecurity threats. We have very good frameworks with both European Union, EEAS and NATO Organizations, and I think we could expand on those and make them even more fruitful than they are today. And finally, also I would say, some of our products, it's only the Tiger product and the Tiger system today that is actually introduced on the European market. But we have more things to do there. We have more things that we can introduce in Europe in the within the European Union.
And we are today supported by Swedish authorities to actually go in that direction, which is good. Last, I would like to point out here, this is the Dutch Minister, Mark Rutte. He is using one of our products. This is a sector Tiger phone. He used that through a service agreement we have established in the Netherlands called Fekom, which provide Dutch authorities and ministers with communications equipment both for communicating speech, transfer of data and for fax installations, both on secret and restricted levels.
And they use it between ministries and between defense organizations. I think today we have some 200 subscribers or something for this area. All right.
Those who are about to listen to the next segment, secure mobile workplace and smartphones. Now we move from the Dutch Ministry of Affairs to a more mundane arena, but another segment nonetheless. Robert?
Some sales there. So my name is Robert Lidquist. I've been working at sector for 16 years. I had the same idea as SIMO. We started almost the same day and free maximum 5 years.
But if you meet super talented people every morning when you come to work, you tend to
want to go
there tomorrow. And I think we are for me, it's very important the purpose of what you're doing, trying to help out in the society. So I've been stuck here. I worked at 10 years, you saw Tiger Ecosystem. I was responsible for that for 10 years, and that's been a really interesting journey to with ES, NATO and so on.
So that's a really interesting journey. So what we are my task now is if you look at those high end from national security is like Formula 1. We're taking those components and those So if we look at the risk factors here, Internet is wonderful, but it's also like having criminals just next to your door. You can do attacks from a student room in Moscow or whatever in the world in minutes like this. You can redo the attack, you know the fishing mails and those companies working with 300 people in India, just trying to get one fish, fully paid, 300 persons in one company.
So there are big risks, but we need Internet. We need our connections. We need the transport. Of course, it's here. It's not a fluega.
Also, there was all the services we have are on we need the services. Everything is digitalized and will be digitalized. And that makes a big threat. If you have information as you bank vault, all your information is money in some way. And we need to protect the servers like the vault, I would say.
And also the personal integrity, you probably heard about the news the last month about collecting your data, selling it off. That's also very valuable and it doesn't feel very well. So that's a reality. We know that. We need this tool, the phone of course, and we need it in work and we need it in defense, we need it at different operations.
So how do we mitigate the risks? There are a lot of companies, cybersecurity companies today. I probably you've done some research. A lot of them do just a component, just a thing here, just a
thing there. We try to
look at the whole scope and that comes from our heritage in the national security looking at the real threat. We always look at the threat. What is the level we need to reach? And we'll look at the organization needs to be aware, the training of the organization, the device needs to be secure. And if you lose the device, the access to the device needs to be secure.
And application framework needs to be secure. And then of course, the connection to your vault, to all your money, your information needs to be secure. And on top of that, you have the service, what do you want to do, open a door with your phone, transaction or so. So this is how we look at security. Is it too complicated?
No, very simple. I think can I use this one? Yes. So what we have done, we have packaged this technology into a mobile workplace. And I think one very important goal of this design, it should be easy to do the right thing and hard to do wrong.
And this is your tool that replaces the laptop. I have it myself. I only as Torbjorn talked about the dog food is excellent from a roaming perspective, and I will come into that. So this is the sort of the offering we have, if you look at the material we deliver. And how we build this up is from bottom up.
Our experts and Samsung experts worked since 2014 on something called NOx framework to really make sure that the device itself is secure. We have also mechanisms to protect data if there is some data stored on the device. We recommend to do more sort of your private cloud or on premise cloud, your own bank vault. There are also something that's not shown in this picture. Torbjorn talked about some extra cards that we put in and that's to prevent from state actors.
You know all what state actors is like a foreign country. China, Russia trying to get in to steal your IPRs or your information. So that's some extra we do for those critical customers. And then to something, yeah, let's use this. Our VPN, this is a really critical component and that's the connection in the pyramid.
And this is really fantastic technology, I would say. It's the patent solution from the acquirement of Columbia Tech and the patent is, yeah, it's very complicated if you look at all the schematics and so on. But what it does is make sure that your connection is always up. So if you switch between Wi Fi, another base station, if I don't know exactly how we're in the future networks, but if there are a lot of hopping between networks, you don't need to log in again. A typical case that we now found out in health care is that tend to switch networks when you go on different floors in a building and many hospitals are often very high.
So it's hard to digitalize and use a tablet today because they have a traditional VPN not built for mobile. So they go log in, have the pictures, then change floor, logged out, lost the session and you have to re log in again. So it's a simple little thing patented, but makes life easier and makes this a usable product. It's also always on. And that's another thing that's always scared me with your PC that you the PC starts up, it starts to do a lot of communication.
And then after a while, you log on the VPN. But then your computer can already be infected. And here from the first bit, everything is encrypted. 2 strong things I would say. Then there is something in the pipe that can be a little bit complex to explain, but in we can have number of VPN on the same device.
If you have a shared service for the Swedish government, for example, but you still want access to your own bank vault, You can have that encrypted as well on the same phone. And the VPN for everyone doesn't know it is like on this picture. All your data going in a secure like metal pipe to your bank vault. So you can transfer your money back and forth. What we also done for me, I replaced I don't have any laptop anymore.
We throw that away. It's too complicated. This one is easier. I'm always on, always running a virtual machine, if anyone knows what that is. So I don't have any data on my device.
And that's really good when you lose your laptop. That happens from time to time, especially when you're a little bit in a hurry. Yes, what more to say about it, it's very simple to use and we sell it always now as a service. And that's a bit of a challenge. We're actually selling a whole sort of IT system for very critical use as a service.
And that's again the recurring revenue. Looking at the VPN, it's sold actually as well as stand alone component or together with a subscription in U. S. And here, this typical case is the policeman is moving around and again, the VPN make sure that you're always connected. So it's sold both on security and on availability.
And there we've got a lot of stamps, HIPAA and FIPS and such approvals to that. So I think this is really, really, really interesting how crypto things can help in life. The traditional business, which is very touch close to what Frederic talked about is for restricted level. And I would say that's to prevent against state actors. And this is a service also running for smartphones and tablets in Netherlands and Sweden and for EU where it can connect to wine voice and messaging community.
And this is approved to EU NATO restricted. And that's a quite tough one to get the smartphone approved to EU and NATO restricted. If you look at this, what we're doing right now, we take a little bit if this is like product market matrix. For the Tiger R, the restricted version, we can't tell you which countries, which organizations, but we have a lot of happy customers there. If we look at the sector mobile workplace, we start off with those services in Sweden and Netherland, our home countries.
So we have the customers close together and develop it together with the customers. And for North America, which is new, which is new together with Columbia Tech acquisition. It's the VPN together with a telco subscription or the VPN itself. What we see drives this, we got a lot of requests. Actually the sector mobile workplace idea comes from our customers.
Hey guys, you are experts in mobile security. Can you help us out? And we started to do this as like a buyout solution and then but you're expert in holding data as well. Can't you come, we buy this as a service from you? And the driving factor is definitely you want to digitize, you want to be mobile with your sensitive data, but also what we see, have you read about Maersk and Hydro?
How much it costs to have a security incident? I think Hydro was about NOK 650,000,000 something like that.
300,000,000 the 1st week. Yes.
And if you look at an insurance ecosystem, I think it should be possible to get lower cost for insurance if you have real trusted and good security equipment. And also as Pia talked about and there are new regulations and new laws coming up. So I think that that goes for the market is growing. Okay.
We have a gentleman down there.
For the mobile workplace, do we need hardware always or can you do it on software?
We can do it on software. To prevent against state actors. We do some more production things on it. But for standard enterprise, I would say for the government at the level when it's not super, super critical, but it's critical and we can do it in software.
In order to bridge that or bridge that Israelis do, with iPhone, you need a super computer cluster to emulate the iPhone under you. And that's not what the normal criminals have. Some might, but not the normal ones.
Exactly. And this is the case that you need to steal someone's device as well.
Yes. Christophe?
Also for the mobile workplace, could you talk a little bit about competition and also the possibility to expand this outside other markets than Sweden and Holland. Could you take it to the U. S? Would that make sense?
For software, we can take it to outside Sweden and Netherlands. There are competition, of course, on this. There are some big integrators taking components. There are also competitions I told you in the beginning coming with component there and component there. For this service there are things growing up next to us.
But I think we're in a good position here. Yes, the state actor thing is just for Europe.
Okay. That's the ship.
Yes.
Yes. You did this acquisition of Combitech. Columitech. Columitech, sorry. And And you mentioned you had a partnership with Sprint.
Does that generate any revenues or cash flows or is it just a partnership? Or can you tell us something about it?
It's a good partnership, but the figures I leave out for you to answer.
It's small. Kolomitik has been a very, very small company and not much negotiating power. So they have that too low prices in our ID. We are a little bigger, so hopefully we can drive the revenue up a little bit. But there is revenue coming.
And it's definitely a partnership that makes money, but perhaps it could make more money.
And could there be any synergies for medical IT?
Oh, yes. Oh, yes. We just last week, we had a user group meet actually this week, we have a user group meeting for medical in the United States. And the people from communications selling these devices there and Sprint was also very interested in coming there to discussing selling the VPNs into hostels.
Those of you who are interested in the numbers can look at the supplementary information in the Q1 report about the acquisition analysis if you're into the number crunching. Okay. Thank you, Robert. So now we come to something also tying back to what Pia was talking about previously as part of her session. Critical infrastructure, increased operational security in the energy sector.
Yes. Hi. I'm Lasse Larsen. We'll talk about the Critical Infrastructure. I have to correct Mats.
We don't only do it in the energy sector. We'll soon dive into which the customers are. Been with the company for 3 years next week on Tuesday, to be very specific. Simo gave me a call and say, hey, Lasse, you've been doing industrial automation and these kinds of developing and deploying industrial control systems for the last 20, 25 years. Now it's about time to do it properly and securely as well.
Would you like to join us? And the answer was yes, of course, I want to do that. So now I'm spending my time on securing some of the systems that I have been part in delivering or developing in my past history. So that makes me tick a lot doing this. To start with, which are the customers?
Obviously, the energy sector has been really that was the starting point, easily defined as very critical to society. Our modern society don't work without electricity. So it's yes, it's super critical. Our very first customers were in that sector, obviously. It's also a sector that is very used to being regulated.
The distribution parts, the power grids, they have a monopoly situation in their specific region, so it's highly regulated, both from market perspective, but also from security perspective due to its criticality. So they are quite used to taking on new legislations and so on. So we do both for customers that do power distribution, more electricity distribution, and obviously also generation. The second part that we also work with, especially in Scandinavia, most of the utility companies are multi utilities. They do water, they do energy, they do local broadband or fiber connectivity for the municipality.
So water was a definitely second and very obvious sector for us also to enter. Another analogy is, it's also And another analogy is, it's also a continuous process. You always clean the water and you also always supply the water. We expect whenever we turn on the tap, there will be water. When we flip the light button, there will be light.
It's always on. And hence, these guys and their production processes also needs to be always on and cannot be disrupted. So that is also a sort of a synergy. Technically, it's the same sort of technical systems that operate these. We talk about industrial control systems or SCADA systems or OT technologies, operational technologies.
It comes from the same vendors. To name a few, we talk about ABB, Siemens, Honeywell, General Electric, those kinds of big companies that supply this sort of industrial control systems. The 3rd sector that we also are active in right now is Process Industry. So that's a bit of a step. Are these critical to society?
Yes, they are. Either by the products they supply, some of the process industries, if we take Sweden, for instance, some of the heat that they produce go back to the energy companies and supply the district heating in those communities and municipalities. They also consume a lot of energy to run their processes. So if you shut down a big process industry, say, a pulp and paper mill, you actually influence the balance and the 50 Hertz in the power grid. So they are very interconnected.
It's also a continuous process. If you disrupt one of these and cause an explosion in an oil refinery or a gas depot, you cause serious damage to the society. Netherlands have identified 2 90 3 process industry sites as critical for their society that needs extra protection, to take an example. From state level, they have named these 293 countries companies. So these are the 3 sectors.
So sorry, Mats, not only energy. 1 out of 3. Yeah. So you were right, but it was not a complete picture. So these are the sectors that we are into, continuous processes that have a very critical effect on society as it is today.
Another commonality for all of these is they are highly automated or highly digitalized. They need computer systems to run their process efficiently. And when I started back in the 1990s, or as my kids say, oh, in the 20th century, way, way, way, way back, Actually, the industrial control systems and the office network or the IT systems were separate. It was physically separated networks. That is not the case today because the production manager of a process chemical plant wants to read the output from the process and monitor the efficiency of the plant live, maybe back from his TV sofa in the evening.
So it is interconnected today. We also see that many of the systems and the maintenance of them are outsourced, and they are dependent on their suppliers. So you create systems of systems or dependencies, not only within the company or within the utility, but also to external parties that actually help them maintain and run their services. This has made the utilities and the companies a prime target. You can affect financial markets like the Robert mentioned the Hydro incident.
When they were started to communicate on that they were having serious issues and production shutdowns, it affected aluminum pricing. It affected Hydro's stock price. So it is both a target from state actors that want to disrupt the society instead of rolling in tanks, going back to Torbjorn's picture, they can actually sit remote and disrupt supply of water, electricity and so on. To counter that, EU and national legislators are introducing new legislations. From EU level, it's most important is the NIS Directive, Network and Information Security.
It identifies 7 sectors. Bank and finance is one of them because if payment doesn't work, you would also heavily disrupt the societal functions. Electricity is 1, drinking water is 1 and so on and so forth. So new legislations, increased threats, increased interconnectivity. That is really market drivers for us.
But does it happen? Does anything happen or is it like goose wild goose chasing? Things do happen. That's why I had the numbers so fresh in mind. Norsk Hydro, their incident cost NOK 300,000,000 the very first week when they were disrupted.
They were hit by a ransomware on their computer systems that spread rather rapidly through their computers. So when the employees came, they were met by a sign on the entry door, do not plug in, do not turn on your computer, a physical sign. Don't turn on your computer, don't connect it to the network to avoid further spread on it. How did they discover it? The computer shut down.
They were faced by the ransomware blockage. Same thing has happened to Maersk the year before, 2 years before. So you actually discovered it when you saw the consequences. And then the cost is pretty high. What if there was a way to counter the threat or counter the consequences a little bit earlier?
This is another very, very famous incident. Did anyone hear about the Ukraine incident in the 23rd December 2015? Few, yes. For those that hadn't heard about, 225,000 people in the key of surroundings we're out of electricity due to someone, state actor, with interest in Ukraine, not named, actually hacked into the systems and took full control of the SCADA system, the control system that controls the power grid. So the operators in the control room, they could see the mouse pointer moving on the screen and someone was clicking, turn off this switch, turn on off electricity here.
1 of the operators was pretty fast. He got up his cell phone and filmed, and they couldn't do anything on their local keyboards and mouses. Someone had full control of their most critical system. And the scary part is that started with a phishing email somewhere in May or June, and the attack happened on the 23rd December. The heart and core of what we do today is monitoring as a service.
We monitor critical networks, so we can detect when something is starting to move and starting to fish around in these critical networks. Then, I mean, the Ukraine, they are not stupid, but they had 6 months to actually discover it. It took the opponent 6 months to gain full control of their control system. That gives a little bit time to defend yourself. That is partially what we do or mainly what we do.
As I said, I came from the automation business. This is how I learned cybersecurity. This is thanks to NIST, National Institute of Standards and Technology over in the U. S. It's a print a simple model.
You need to identify what you need to protect. Okay, I put locks on my doors back home at my house. Pretty obvious, I don't want anyone to just enter the door. So identify what you need to protect, protect it with locks or firewalls or whatever virus hunters, what you have in your IT systems that you can resonate to. But more and more, it's also about how to detect intrusions and respond to intrusions.
I have an home alarm on my house with a camera system that activates if someone enters the house when the alarm is turned on. That is very, very similar to what we are doing today. We install camera systems or sensors in the critical networks to monitor when something that shouldn't be there is there. And then we can help our customers respond to that. Recover, yes, Maersk did that.
Ukraine did that. Get back on track again. And the scary part is really the second incident in Ukraine because the same actor went back a year later and caused even more damage, then they caused physical damage to it because they were starting to switch on and switch off really, really big circuit breakers that caused mechanical and physical damage to the power grid. And those things have a long lead time if you want to reorder them and rebuild them. The first time in 2015, they managed to recover in 3 days because they were not fully automated.
They had process engineers and electricians that were used to manually run the power grid. So actually, I would say the consequences, if that attack would have happened in Sweden, it would have taken us longer because we are even more dependent on the automated systems rather than the people. So what we do, we've been doing critical infrastructure for the last 4, 5 years. The majority of the business has actually been training and helping the market to adopt the new legislations to identify risk and vulnerabilities to do security assessments of their entire organization, technology, people, processes, those kinds of things. And the majority of the revenue have come from this advisory services.
Now, I would say the last year, we see a major shift going into the monitoring and respond and detect. And this is where we want to be. To monitor and run it as a service, reoccurring revenue, continuously monitored 20 fourseven, being able to respond to it. The nice thing is also that we link it also to the insurance business. Cyber insurances are getting better and better, and they are becoming more and more commoditized.
But the insurance companies has also discovered that it is good that any of their clients have the ability to respond, not only to protect, but also to respond because you can't protect yourself against everything. So they give a carte blanche on, yes, you should start acting like I have in my home insurance. I can run my fire extinguisher, and the insurance company encouraged me to use the fire extinguisher and they would pay for the costs to sort of sanitize after the powder is all over the place. They'd rather take that cost than risking that the entire house is burning down. The cyber insurance is moving the same way, So they'd rather take the cost for response, which we can do and which we do for our customers, rather than risking that there is a power outage or a complete halt in the process of a petrochemical plant or drinking water supply.
So there are analogies and business drivers that helps us. All of the other guys got questions on competition. Also, I think there was a question already to Seymour regarding competition in the CI area or critical infrastructure. Here, Jess, definitely we compete with big consultancy companies. So consultancies, technology providers, and there are some someone's running also security operations center, but mainly coming from an IT perspective.
We are happy to work together with those guys that provide the IT protection, but we do really, really excellent OT protection. Somewhat of an answer to your question earlier. Great. How does it work then? Some sort of a plant, electrical plant for drinking water, process industry, their SCADA and control systems.
We install sensors like I have in my home alarm, the camera. We install the sensors that monitor and read as much network traffic as possible. That is also why we came from the core competence on Zectra, which was network. Networks and networks traffic and communications traffic. That is what we have built the sensors around.
And the good thing is, here we talk about machines and processes that are pretty deterministic. So it's easy to predict how they should behave. And we teach the system, this is normal behavior. And everything outside that, an anomaly, triggers an alarm to our 20 fourseven service, where we can analyze and recommend the customer. This is something really, really serious.
We need to contain it. You need to unplug that machine or stop that process or not giving away too many secrets, but the most common false alarm is a new service technician or a service technician at the energy plant has received a new service laptop and should just do a minor tweak in the system, plugs in his brand new laptop that we do discover, we call the customer and say, hey, we saw a new device on your network. Yeah, that's Karl, he's got his new brand new laptop. That's the most common false alarm that we see, not giving away the real ones. This is also a differentiator.
We can actually close the loop without compromising customers since we can provide a secure communications. We provide the critical infrastructure customers with Tiger Phones, so we can talk to them because still you need the human interaction. And yes, we are security experts and really, really good at that, But we are not that fantastic in how you optimize a furnace at a power plant. If we shut down that service, that could be our recommendation. What would that effect have on your district heating power plant?
That needs to be in dialogue with the customer, so we can do that in a controlled manner. So they still own their own core process, and we add a security component to it. Good. So monitor it, complete monitoring, 20 fourseven, closing the loop, we can do help them do incident response. And we also see different business drivers, both from a legislative perspective and from a business continuity.
It costs very big numbers if one of these plants needs to shut down, either in direct revenue, if we talked about process industry or societal consequences, if we talk drinking water and energy supply. So it's pretty big numbers that helps drive it. So I think we open up for questions, Eir, just
to put?
Thank you. The first question, the sensors or the technology, how good is it? Would you detect more or less everything, for example, the examples you were highlighting? Is that something you would have
detected? Yes. We had the team do a reverse engineering based on we met the analysts that did analyze the Ukraine incident. So we dug into that. We would have detected somewhere between June December.
Yes, the technology allows that. We would have seen that, definitely so.
And also is it possible to give some sort of indication of the sales value for if you take one customer as an example, to get a sense for what this could mean for you if this becomes more common?
I'll take that one. It's very different. I mean there are big players that will pay many 1,000,000 a year in this supervising on the network or detecting intrusion networks. And they're a small place that would pay much less. It's a huge variation.
But it's 1,000,000 per year for the big guys, definitely.
But if
you take the biggest guy in Sweden, you said many millions. Is that like SEK 10,000,000 for
such a customer? Or
is it
SEK 5,000,000 or Can't reply to that.
And you also have a scalable I mean, a larger customer would maybe like to have partial coverage and start small with a few sensors on very, very critical systems and then expand it. So that's also the coverage
part of it.
That's a
good comment because we see very often they come in with 1 and then it works. And these guys, they provide water, sewage, electricity and then it grows. And the final, it's much bigger.
But do you see this becoming bigger than the defense side of
No, we want to grow both of them. But this, of course, is the defense is a problem. We cannot sell that stuff outside of Europe. This we can sell to anyone.
So you think this will eventually get bigger?
Hopefully, it will be big and defense will also be big.
If you acquire a lot of customers while you monitor the systems, that will in turn mean that sector will become a security problem for them in one sense. Does that have any connotations?
Yes, you're absolutely right. One thing about I mean, Fredrik and Pia has commented on different security levels or threat models or so on. If you aggregate the data, which happens when we grow the number of customers, then the requirements on us increase. We have done our homework and we do the security assessment and analysis of ourselves, obviously. So the critical parts that handle informations regarding more than one customer, we protect more.
That's so yes, I agree.
Anders?
Do you take on risks when you accept a new customer? If you don't succeed in this protection, Will you be sued? No.
Will you be sued? No, I would say because we can never assume and guarantee that for any upcoming and future incident because we also signed the contracts on several years. We cannot guarantee that we would rectify any possible attack and attrusion in temp and do the liabilities and the indirect costs for a power plant outage. The customers do understand that. So the rectification is always, I'd say, best effort.
But since we are the experts and we also have the gathered and collected information through our sensors, we have a much bigger chance of doing a good job. So it's not a liability question there that at least direct.
I could answer a little bit on the insurance part. I mean also because that's what we work with and then as a partner, it means that they take the liability part in the insurance in Tel Aviv, they take that from our partners. So of course, then they are secured a little bit more for the risks that are coming from outside and not very found by us either. These sensors, do you develop them yourselves in house? If not, if they're bought from 3rd parties, I assume other companies can also use the same sensors.
Yes, good question. The hardware is commercial off the shelf. The software encryption technologies, how we collect the data, how we do the anomaly detection that is our proprietary software.
And can we get any figures on how many sensors have been deployed? How many you expect to deploy?
No. Then I would violate massive trust from our customers. So sorry.
And the payment model, is that fixed? Or are there any variable elements in it? If it's more attacks on a company, would you receive more money or is it just fixed based?
We'll limit the amount of incident response because same thing, we cannot assume the risk if a company would be attacked once a month for with severe consequences, we have a roof on and then they need to we can charge extra for the efforts for incident response. So that is a moving thing. The other one was the expansion of system based on the coverage or how many networks we monitor and protect at the customer sites. So that is the 2 variables, I would say.
And secondly, as the consequence for your customer, if they fade, they are terrible. Do you think you charge enough for your service?
Good question. Next question.
The customers think we're charged enough.
Do you have a protection for I lost the word in English, Help me out.
Denial of services or these kinds of when you spend
and then You
overload the system.
Overload the system. We would detect the abnormal traffic and can recommend that the customer shuts down parts of the networks or most of our customer have like a big manual switch going into island mode, where they actually physically disconnect the process systems from the administrative works and everything. So that is one way of maintaining and running the process. But disconnecting from the outer world.
So you cannot automatically, when you see such an attack coming.
We see
the attack Somehow mitigate this.
Yes. I would answer to that. From a security perspective, it would be disastrous if we could go in. That has been a fundamental design principle of our product that we cannot go in and tamper with the customer systems because then we would be an attack vector for the system. So no, we cannot automate that.
Then we would compromise the security level.
Okay, then the future of cybersecurity, skate where the puck is going to be. And who should talk about that? None other than Torbjorn?
All right. It's been a long day. I'll try to be brief in the very end here. As you see, we're trying to move the entire security field over to recurring revenue. We do that with our phones and the smart terminals, charging for a service, and we are definitely doing so in the critical infrastructure with the whole business ideas around that.
The consultancy part is an enabler of the recurring revenue. All of these businesses is kind of burden in the beginning. When you have a 20 fourseven operation SOC and it's only one customer, it's a tough call making that profitable. But when the 10th or 20th or the 19th customer comes in, it's a very interesting business because it doesn't happen so much things all the time. So that's where we're moving.
Sorry about that. So our position again, it's a market that's global and large. It's forced to grow by external forces, as we said. It's our demand on markets. It's not price sensitive.
Well, it is because they if you run a critical electrical power supplies company, every little penny is important because government is supervising their pricing. But compared to the damage, if you have a petrochemical refinery or something like that or something in that area, the cost is 100 of 1,000,000 per month or per week, if it breaks down. It's all right. But again, it's always a negotiation. Large barriers of entry due to required trust, you wouldn't buy this from anyone.
3 guys in a garage can compete on IT security. But on our level, if a power supply company wants to protect themselves, they will not give that to any vendor. They will call the security of their country and ask, is these guys okay? And the national security operations in Europe know us very well, and they will confirm we're okay, which reduces barriers or increases barriers of entry very much to trust business. And it's a rapid and it's forever change.
It's kind of a hunting guy. The bad guys come up with newer vector we protect. So you can't just buy it and let it be. Our position, and again, is that where there's change, there is money. You just have to be fast enough.
Growth and margin have to increase in this business. As I said, we're going over to recurring revenue, and that's a very expensive 1st years. But we're clearly seeing it. I cannot repay how much. We don't publicize that yet.
For sector as a whole, it's substantially above 50%. We're not saying how much above, but it's substantially above 50%. And we are moving security in that direction as well. Going forward, skate where the puck is going to be. When Wayne Gretzky was interviewed on how he could be such a good hockey player, he replied he was not good in anything.
Not good in hockey, skating and not good at shooting, nothing. His only response was, I skate I don't know what skate to where the puck is. I skate to where the puck is going to be. We've been quite good at that sector. We've seen things.
We saw security come into medical IT ways before anyone else did it. So when that hits and some of our competitors are issued with severe warning by Department of Homeland Security in the U. S, we're already there. Nothing is perfectly secure, but we've seen it coming. Critical infrastructure, we saw it coming.
And we started this 4 or 5 years and invested a lot of money in that software that supervises these things. So we've been good at that, and that's what we try to do. So what we will see here, we will see new threats. 5 gs, Internet of Things, everything will be connected. Now it's not a major disruption if your cooler at home is infected by virus.
But if that spreads from that cooler or if all the coolers in the country are disabled all of a sudden, that's a problem. And there will be all cars will have Internet in them. That's exposure security that is massive, and this is coming right now. That will drive market. Google has now proven, as Jonatan showed us, that actually there are cases where these quantum computers do work.
And I don't say, I don't know if you really understand what the consequences is. If this happens, no bank ID, no swish, no HTTPS connections, no internet banking, no information between the banks of transactions. If those computers really happen before we have a counter attack to it, we are in deep trouble. And so we're working a lot with that. So that will drive the market.
All these networks have to be quantum safe. And as I said, the highest levels, the secret levels, so we already are, but that means you have to have a very expensive key distribution because you have to move a physical key to both ends before you start the encryption. Now that doesn't work for 1,000,000 customers of a bank. So you have to have these public key structures in place. And that those algorithms are coming.
We just don't know which one will succeed win yet. Artificial intelligence, we are doing a lot of things in medical around that, but that will impact also this industry. If you have a predetermined algorithm for detecting intrusion and that algorithm is known, you can get around it. But if you have an AI system that detects traffic on a network, no one knows exactly what that system has marked it is. It's very, very difficult to get around it.
And we're playing around with that for security as well. There's a first law of technology. I've shown some of you have seen it before. First of all, law of technology says that invariably, we overestimate the short term impact of new truly transformative technology. Everyone says quantum computers, they might happen tomorrow.
And then everything will go bad. Or medical, there will be no more regiolists. We don't need to educate more radiologists 5 years from now. That was what Google researchers said 4 years ago. Well, they still do educate radiologists.
It doesn't happen that fast. It always goes slower. But we also invariably underestimate the long term effects. The long term effects of quantum computing somehow will make it work, perhaps not now, perhaps not in 10 years, but in 100 years, they will work. That will disrupt the entire industry.
5 gs will happen. That's happening right now. AI will happen. And when it does, it really changes things, and that opens huge opportunities for the people who are there already. Keywords going forward for ZECRA.
Customer satisfaction. We have not done that perfectly well in security before because some of the encryption system were very difficult to use. Our previous secret telephone required more or less a full time assistant making it work before the President or Prime Minister, whatever, could actually talk in it, and it took like 10 minutes. That is not an easy enough usability system. We have fixed that now.
So now it's like calling a normal phone. Customer satisfaction is very important also here, and we will work with that as we do in medical. Top level security, a short level secrets in hardware. We do a few software systems, but that's not our key point. We need to do that high level because if you do only security, you compete with WhatsApp, all the other things that has encryption in software.
We don't want to compete in that space, too much cheap things there. We want to be on the high level, and then you need hardware. So that's our target. But if we're going to sell these things in all countries, we cannot sell that hardware to anyone. Super simple to use, as I said before, ideal security, you don't even see it.
Mobility, everything will go mobile. People think you will sit there and do that thing in that closed room. No, it will not. These what the military call red networks, the networks over the really sensitive, it used to be in a locked in room. Now it's over the entire building.
In the future, it will be many buildings and many cities, and they should be perfectly secured. That creates completely new demands to build these systems. Critical infrastructure, protect our society. There will be more Ukraines. There's no doubt that someone will, you know, take down a power plant or really hurt a country.
If there will be a contract in Ukraine or conflict in Ukraine again, the power grid is the first thing you attack. Because if the soldiers feel my family don't get food, they don't come into the military. They stay home, make sure their families get food. So it has to be solved as part of this total defense. Internationalization and growth, that's another important aspect.
We've been mainly Sweden, increasingly also in Netherlands and somewhat in some other countries in Europe. The big market is, of course, outside the 20,000,000 people of Netherlands and the 10,000,000 in Sweden. But then we have to have products that we can actually allow to sell all over the world. Critical infrastructure is such an area, and some of the encryption stuff we can sell to anyone. So this will set us up on a good path forward.
Occurring revenue, high level and trust, trust, trust, trust and brand. Secla is a brand. If our system stopped in medical, I just discussed that with our U. K. Manager.
She said, well, you realize that more than 50% of U. K. Hospitals depend on us. If our system stops to work, regioli stops to work, emergency stops to work, hospitals come to grinding halt. So she was concerned as a British citizen that we actually are very careful.
Now this kind of level of trust we also have in this area. If we protect the critical infrastructure of a country, we are severely important and then we can charge a little money extra for that thing for that trust. Okay. That comes to a conclusion of this day. Please give us feedback.
You will all have a survey sent to you because your time is very valuable, and we want these to be productive. So please respond to that. And we adapt these days according to your wishes. And one of those was 2 years ago, we got that we split up cybersecurity medical and we did. So we do listen to your advice there.
Thank you very much. You can have demonstration, a little snack and you can have a chat with any one of us outside.