“There have been some obvious hacking attacks where theft is the motivator. There have also been, simultaneously, in the past 18 to 24 months, people whose motivation is just simply disruption. They’re looking to disrupt the network, or they’re looking to just make it difficult for a company to run or make it difficult for that company’s website to be available to their customers.” ~ Jason Witty, Chief Information Security Officer (CISO) U.S. Bank
Jason Witty’s Recommended Resources:
Reducing Risks Associated with Destructive Malware | Financial Services – Information Sharing and Analysis Center
Framework for Improving Critical Infrastructure Cybersecurity | National Institute of Standards and Techonology (NIST)
How Will Businesses Prepare for Cyber Threats? | U.S. Chamber of Commerce
MMTL: It seems that data security is something we read and hear about on a regular basis, but what’s making this such a topic of concern for businesses these days?
Witty: There’s a running joke that I like to share. I talk about information security with my mom about as much as I talk about information security with my boss, and that’s how I know that this has become a household topic. It’s clearly top-of-mind, across the board. The reason for that really is twofold. The first is that you have to consider the explosive growth of the Internet. If you look at where the Internet was 10 years ago, think of it as a four-lane highway, and the on- and off-ramps that you would normally see when you drive to work are represented on that highway, and there are tens of thousands of them and hundreds thousands of millions of cars on the road. Then you fast-forward to where we are today. That same highway, instead of being four lanes, would be 4,000 lanes wide; it would have trillions of cars on it and there would be billions of on- and off-ramps associated with it. By the way, the other interesting analogy is to imagine that same environment and that 1 out of every 10 cars is trying to crush into you. There are certainly some very interesting analogies associated with the growth of the Internet.
If you look at it from a statistics standpoint, we have approximately 7.3 billion people on our planet. There are around 6 billion of us who are using mobile devices of some kind, a mobile phone. Roughly six out of seven people on our planet are mobile in some way. We also have a phenomenon on social media where there are social media companies that didn’t exist 15 years ago that have captured so many people from a usership standpoint that, if they were a country, they would be the largest country in the world. Facebook, for example, has approximately 1.4 billion active users. You compare that with the population of China, at about 1.3 billion, and see that it would literally be the largest country in the world. There’s quite a lot of social media activity going on across the board. Then you look at the growth in terms of the number of people who are actually simultaneously connected to the Internet, and this is just staggering. We have about half the world’s population at the end of 2015, or roughly 3.5 billion Internet users. That is an absolutely unprecedented rate. You look at all these sorts of trends that are layering on top of each other, and the bottom line is that we’ve been explosively growing in terms of how fast we are connected to each other, how many people are connected to each other, how many different types of devices are connected to each other, and, overall, how fast the information is flowing between people, between teams, between countries, and between companies. All of that’s the micro environment.
Then you look at the threat environment, and one way of putting this is that the Internet is a bad neighborhood. We’re all living in it, but in the physical world, there’s the concept of distance that you can put between you and some sort of adversary. You can walk around the corner, you can duck behind something, you can choose not to walk down that alley there are a lot of things that you can do. There is no concept of distance on the Internet we are literally milliseconds from the bad guy. To create some sort of barrier there, you need security technologies, and quite a few of them: detective, preventive, responsive, recovery-type controls. There are a lot of things that go into creating a “secure network.” If you look at the adversary side, there are certainly a lot of motivations that the adversaries would have in order to come after a company in general. It used to be that it was just related to theft. For approximately the past 20, 30 years, we’ve seen a lot of theft-based motivation for doing computer hacking, and a lot of that is related to things like stealing intellectual property or, certainly, from a bank, stealing money.
There have been some obvious hacking attacks where theft is the motivator. There have also been, simultaneously, in the past 18 to 24 months, people whose motivation is just simply disruption. They’re looking to disrupt the network, or they’re looking to just make it difficult for a company to run or make it difficult for that company’s website to be available to their customers. It’s so-called denial of services attacks. Then, simultaneously, you’ve also seen the military and some highly organized criminal groups that have actually figured out that there’s disruptive motivation that also gets people’s attention. The military want to use a cyberweapon to take out a power grid that’s a really interesting and sort of nonkinetic response to something an adversary might be doing. Similarly, if a bad guy wants to combine the motivations and use destructive technology to also then cause you to pay a ransom for example, you can’t have your data anymore because I’ve just encrypted it (we can talk a little bit more about that later) then you might actually pay money to then get the keys to do the decryption process. All of these sorts of things are simultaneously happening: We’ve got the growth of the Internet and then we’ve got the growth of the bad guy community and by the way, the bad guy community is quite well funded, so that’s all exacerbating the need, and it’s part of the reason why hacking is such a mainstream topic.
MMTL: This is so overwhelming with all of these things happening together. What can really be done to curb these types of attacks?
Witty: The good news is that there are some relatively simple things that countries can do, that companies can do, and that individuals can do to help manage these types of risks. The first thing I would say is that if we just talk about vulnerability, absence of threat, everything is going to sound scary. If you talk about both of those together, that’s what really creates risk. It’s what’s likely to happen and the impact if that did happen, and it’s where the likelihood is real high and the impact is real high that you really need to focus. There are a few things that are going on right now that fall into both of those categories. But, in general, there have been a lot of government activities, especially in the United States, as of late, and Europe’s pretty much been doing this as well, and Japan has been stepping up quite a lot recently. A lot of work has been done to look at critical infrastructure in those countries and ensure that there are safety and soundness in the critical infrastructure.
You’re seeing things from the current administration in the U.S., which has released a lot of executive orders that have tried to raise the bar and ensure that there are government agencies that are stepping up to protect themselves and their consumer data that they are storing or encourage the U.S. government to work with the private sector to help partner together in order to manage some of these threats, especially, for example, if it’s a military that happens to be coming against the company. That’s an interesting phenomenon that really didn’t exist 10 years ago. Really, this public–private partnership has been very, very effective at creating a team sports atmosphere, where companies, especially if they’re critical companies, can work with the U.S. government to help manage the threat. There are a couple of different things that are really interesting.
Information sharing is a topic that comes up a lot, but there’s an organization that was created in the Clinton administration in 1999 called the Financial Services Information Sharing and Analysis Center or FS-ISAC. Back in 1999, it was formulated by this Presidential Decision Directive that basically said that the U.S. government needs to work for the private sector to form some anonymous sharing vehicle so that companies or financial institutions can share with each other, in a way that helps everyone, but can also aggregate that information and share it with the government so that the government would know what sorts of financial services sector experiences might be relevant to the government making proposed rule changes. None of these is sharing who’s been buying what online or anything that would scare the privacy advocacy. This is really sharing threat information, cyberthreat/-attack information, vulnerability information. We’ve been doing that in financial services really, really effectively for about the past 15 years, just putting that into perspective. That’s certainly, from the government side, one of those big things that is very helpful, that is, being able to partner with an information-sharing service of some kind or a cyberthreat-monitoring service of some kind, whether it’s the government or a private-sector service. Understanding what everybody else is getting hit with is really a good thing.
There are several other things that are obvious but, in information security, you just can’t do one thing. You have to have a set of layers that are going to consecutively reduce your risk. Having a firewall, that’s great, that’s going to take a lot of these attack services that are able to touch your network off the table. However, just having a firewall, you’re still going to get hacked because your end user is the weak point in everyone’s network. You have to make sure that your end users, for example, are not likely to click on a phishing link if it comes to their inbox. There are technologies that can be used to test your users to make sure that you know what your click rates are and those sorts of things. The bottom line is that there are a lot of frameworks that are out there, and the one that we really like is the NIST Cybersecurity Framework, that’s the National Institute of Standards and Technology Cybersecurity Framework. The reason we like that is that it’s relatively simple. It’s also relatively easy to put virtually any risk into one of the 22 categories that comes with the NIST Cybersecurity Framework or the 98 controls that it prescribes that you should be using in order to manage your cybersecurity risk. It’s a pretty comprehensive way of looking at the problem and ensuring that you just don’t have a one-point solution¾you’ve got all sorts of these controls, that are in layers, that are helping to manage these types of threats.
MMTL: Okay, we can just imagine that middle-market business leaders are trying to decide where to begin to protect their businesses. How do they go about it? What are some of the emerging trends that you are seeing in data security?
Witty: There are really a couple of them that are out there. Again, I mentioned that you just can’t just do one thing. You have to have a series, a set of layered controls in place, and picking a framework is probably your first starting point, right? Just understand what the universe is that you should looking at, and this Cybersecurity Framework is a really good way of framing the problems, doing the gap assessment, understanding where you are weak. Then you can figure out what your priority is for fixing those gaps. That being said, there are a couple of key things that are out there that are really prolific today, one of which is business email compromise. This is a new threat that really it doesn’t have anything to do with hacking. This is just straight-up tricking people. What’s interesting about this one is that there has been a 270% increase in this particular attack since January of 2015 and more than 17,642 victims between 2013 and 2016 who have fallen prey to this attack. They gave the bad guys $2.3 billion to go play with as a result of executing these attacks. This is just a huge phenomenon that companies all over the world are experiencing.
The basic way that it works is that the CFO or the financial controller or treasury management professional of the company happens to have a social media account of some kind or they’re mentioned in public reporting documents or what have you. The bad guy figures out who the CFO is and sends them a well-crafted email that looks like it came from that company’s CEO and then basically tells them that there’s something going on and they need to transfer money. There’s a lot of different variance on this, but the bottom line, the most common one, is that there’s an angry client and we need to refund some money, so take it out of my admin while we are figuring out how exactly we are going to handle the back end. Or there’s a big merger and acquisition deal that we’re going to be doing, and it’s super hush-hush, so don’t tell anybody about it, but we need to transfer these funds to fund this deal and send this money over to this country somewhere over Asia. That wasn’t from the CEO¾it was a spoofed email that had the CEO’s name or a domain name that looked very similar to the real company’s name.
The CFO then believes that it was the CEO and sends a message to the controller: “Hey, can you put in a wire for this amount and charge it to my admin [or whatever]?,” and then the CFO approves it. You’ve got two separate people who logged in with their valid banking credentials with their digital tokens, whatever they had to do to strongly authenticate that transaction¾one of them submits it, a totally different one approved it. From a bank standpoint, it was a valid request for money movement, so there’s really not much that a bank can do about it at that point, but it was done for a nefarious reason, right? The CFO or the controller or the treasury management professional, or whoever it was that got duped by this initial email, did not ever contact the CEO to say, “Did you actually send this? Was this actually you? Should I really send this money?” That’s what has netted out these attackers to $2.3 billion. It’s preying on that more junior person who doesn’t want to go to talk to that C-level executive to make sure that this really happened.
The good news is that we are seeing a lot of people who were not comfortable in talking to their CEOs getting much more comfortable, especially when the CEO of the company is telling all of the people who have money movement access in the company, “If you ever think this came from me, call me.” That is a really good best practice that could cut that out almost immediately. We’re also seeing some pretty clever things, like certain companies that are starting to embed a specific code that’s calculated every time. There’s a little tool on the Internet that you can use to go get the current code or whatever. The bad guys are never going to know what that code is. If you see a code on your email, then you can generally expect that it’s legitimate, but if you don’t, then it’s not. There are things like this that companies are doing to help thwart that threat, but it’s certainly something that we can continue to mention because we still do see a lot of small businesses getting hit with this. The number one way to avoid it is to talk to whoever you think it was that sent you this email and don’t ever accept wire instructions over that vehicle if you don’t have another way of proving that it was actually them.
That’s the first major one that I wanted to share with this group. The other is a really interesting phenomenon, and I alluded to it earlier. Along with the rise of ransom attacks, you can imagine that this age when we have all of these people who are highly social, highly mobile, highly tech, all of these technologies are going with this Moore’s Law rule, which basically says that the rate of technology change doubles every 18 months. If you used to have 1 gigabyte of RAM, 18 months later, you’ve now got 2.5 gigabytes of RAM, and it’s just an exponential curve that keeps going up and up. It applies to storage, it applies to the number of emails being sent, and it applies to the number of videos being watched. All these sorts of stuff seem to be doubling at that roughly 18-month pace, but encryption has also been, and the strength of encryption has also been doubling at the same pace. We’re living in an era now, for the first time in human history, where you, as a citizen of whatever country you’re in, have the full ability to lock the government and any other military out of your data. There’s no way that they can do anything about it. This is the first time in history when there’s been that capacity at an individual level, that strength of the encryption that’s available. That’s all well and good from a privacy standpoint. A lot of people like that. I’m both a security and a privacy advocate, so I like that there’s some capability there, but it’s got to be balanced in some way, if there’s due process and there’s some proof of criminal activity.
There’s a real need for law enforcement or intelligence agencies to get at that information. That’s a really tough spot for us to be in right now. What you’re seeing is that the bad guys are now taking advantage of that. Weapons-grade encryption is also available to the bad guys. If I’m a bad guy, I’m going to send you a virus that you would have clicked on previously that would have stolen your user ID or password or whatever. I don’t do that anymore. Now, I send you something that just uses whatever access you have to encrypt all of the data files that access allows you with this weapons-grade encryption that the FBI, the Secret Service, the NSA, foreign governments, there’s nothing that they can do to decrypt that for you. Then it just pops up a message that says, “If you don’t pay me, you will never have access to this again.” Then, if you do pay them, then you’re basically aiding and abetting a felon, which is not a good thing. You’re also able to get the key for that encryption and decrypt your data. There may be circumstances where you have to do that. There have been several events that have happened in 2016, where hospitals that have control systems that are interfacing with the human body, that are running a Windows operating system, happened to get this Crypto ransomware and the entire hospital had to shut down, or sections of the hospital had to be shut down, or patients had to be pulled out of surgery and emergency airlifted to another location.
There have been some pretty scary things that have happened when you get this Crypto ransomware concept applied to something¾toward not just your traditional laptop or your home computer or your vacation photos, but it could actually be an embedded device that’s actually doing something to manage a heart pump or manage an x-ray machine or an insulin-injection device or what have you. There are a lot of real-world implications to this. The bottom line is that companies are starting to pay, which is only going to increase the bad guys’ use of this type of technology. The flipside this is a little bit scary, and I would say, “I’m here to educate you, not to scare you” is that your data backups kill that threat. If all of your data is backed up and you have a secondary copy of it, and then your primary computer or primary device gets completely encrypted, and then you get this message, “Pay me or you lose your data,” you can say fine, and just wipe it and build it again and then go restore the data. It’s not a big deal if you’ve been doing proper backups.
From a corporate standpoint, the same thing: If your company has been doing standard good IT practices, keeping your data centers in safe locations, and doing backup of some kind, whether it’s tape or virtual tape, or what have you, and then putting those backups somewhere offline or otherwise unaddressable on the network, then the virus doesn’t have access to it, and you’ve got a lot more options. Obviously, you want to have good antivirus software, firewalls, and user education, and other controls like this that will help with this threat. The number one on this one is to make sure that you’ve got good data backups, and that’s where we see a lot of home users falling prey or falling victim to this because most home users don’t back up their data very well, and that’s where it really gets challenging.
MMTL: Okay, you mentioned the Crypto ransomware. We would love to explore this a little more with you. How do you recognize it, and what can be done to protect business against it?
Witty: Again, the recognition is when it’s too late. It’s really easy to recognize it. It literally pops out of a screen and says, “You can’t use your computer anymore, and if you don’t pay me 10 bitcoins by tomorrow, then you’re never going to see your data again. By the way, if you don’t then, I’m going to give you a second chance, but it’s going to be 100 bitcoins once you’ve really thought it through.” It’s really easy to recognize when it’s too late. There is a concept, and again you have to think about how much funding the bad guy has, there are tens of thousands of people who are full-time in organized crime rings looking for holes in software that they can use to exploit, and then install other software, aka viruses.
The rule of thumb is that if you have the latest and greatest antivirus signatures, and you have applied all of these Microsoft or Adobe or Java system patches, and you’re managing your IT infrastructure fairly well, you still have a gap of about 24 to 48 hours when the bad guys are aware of a new method to penetrate the system or to get the virus installed that antivirus vendors don’t have a signature for yet because they’ve never released this thing yet. There are so many of these things happening, roughly 70,000 new viruses on the Internet every single day, that 24 to 48 hours¾it’s pretty effective. You’ll recognize things that are older than that using your commercial antivirus software or firewall or your intrusion detection system or what have you, maybe your threat-intelligence feed, but within that first 24- to 48-hour period, you’re pretty much solely limited to whether as the end user you are going to click on it or not. That’s the way that you would basically see it: “Hey, this looks weird.” Report it, see something, say something. It really does have to be a combination of IT solutions to prevent it from coming in, to make sure that nothing in that 24- to 48-hour period becomes interesting. Then education that the end user is a little bit more wary of clicking on this attachments or clicking on links or validating whether it really was the CEO who sent the email or that type of thing. If you have framework and you implement those things and you’re judicious about data backups, and then you have a relatively good antivirus and vulnerability management, plus a patch management program, you’ll be in really good shape.
MMTL: As a bank, you have these unique lines of sight into all these businesses, and we’re sure that you’ve witnessed some clients fall victim to some of these very schemes. Where does the business owner turn when they suspect that they’ve fallen prey to one of these scams?
Witty: It depends on which scam. If money movement was involved, you obviously want to work with your bank first, and I can’t reiterate how important it is to get that done expeditiously. When I say the first thing, I mean, the first thing you do is call your bank. Don’t wait, don’t get the FBI involved, don’t go to all these other forensic and external providers and everything else. If money movement happened, call your bank. The reason for this is that if a fraudulent transaction is submitted through an authorized vehicle so again, in the business email compromise example, there were two people who were legitimately the users, who legitimately submitted and approved that transaction for a million dollars to China¾if that happens and we are notified that this was done for reasons that were nefarious and we want to undo that and that’s reported within the first four to six hours, then there’s a pretty good chance that the bank is going to be able to get that back for you. It hadn’t had time to go through the full clearing and settlement; it probably hasn’t even been pulled out of the receiving account.
If you wait 24 hours, then that chance diminishes quite quickly; if you wait 48 hours, there’s even less chance, and if you go past 72 hours, there’s virtually no chance. The faster you work with your bank, the more chance you are going to have of getting the full amount back, or reversed, or at least a partial amount back. I will just give you a quick story: We had one customer, one very large corporate client last year, that fell prey to this scheme, and they stole $3 million in two separate $1.5 million transactions. One went to one bank. One went to another bank. They notified us after about 48 hours. Luckily for them, one of the banks was a commercial bank, so there wasn’t an easy way for the bad guys to get that portion out. We got the first $1.5 million back. However, the second bank was a consumer bank, and what we saw happen was that as soon as that landed in this one consumer account, 500 to 600 simultaneous people went in and pulled that money out of ATMs, all over this destination country and cities all over that country. It literally went out into the street in a few hours. That’s just phenomenal coordination, but that’s the type of coordination that you get when you are highly social or highly mobile people who have milliseconds of communication capability with each other because of the speed of the Internet and how connected everything really is. That’s certainly number one: If money movement is involved, contact your bank as quickly as possible.
The second thing, I could say, if money is not involved, if it is just some sort of hacking, or maybe it’s Crypto ransomware, is this: Get your IT people involved. That’s your first step. Computers are involved, go get IT. After that, it’s get an external forensic provider engaged, and you may find¾depending on whether data that you were the custodian of, such as your customers’ information, might have been part of that or your employees’ personally identifiable information¾that there are a lot of things an external counsel can do to help protect those with the compromised information, as well as what an external forensic provider can do to help with the detection. Did we actually find everything that they got? Is it as big as we think it is? Is it bigger than what we thought it was? But, also, to them, if you engaged the external forensic provider through an external counsel, then you can basically have that part be privileged. You will have a lot better control over what gets out and when. Obviously, you have to comply with all state, federal, and tribal laws associated with notifications. It does get very complicated, which is why you want to have some form of external counsel and a forensic expert involved if you do suspect that there’s been some breach of your data.
MMTL: Well, you have covered a lot of ground and talked about a variety of threats that business owners face today, but maybe you can summarize some of the best practices that business owners can follow to safeguard their businesses?
Witty: I would grossly oversimplify it to say that there are really just three things, but here goes. First and foremost is have someone who’s named as accountable for your information security posture. That sounds really obvious, but you would be shocked at how many people think that just having that IT department means that there’s information security. It absolutely does not. Somebody has to be named by name, say, “Witty”: Witty is in charge of information security for U.S. Bancorp worldwide, including all subsidiaries, and that drives a lot of action. You don’t necessarily have to call that person a chief of security information officer. It could be that at a very small company, it’s Dan, the IT guy. Dan, you are in charge of information security if we have an issue, it’s your problem … or it could be that you have a CIO and he also has the CIS title. It doesn’t really matter who the person is, but you have to have somebody who’s going to be driving for this and that means being somebody whom you’ve understood you can trust no matter through whatever means they got the job. It could be to get a different CSO to interview them for you. It could be that you have other people, people who understand the problem, who get someone or are the solution themselves. Get somebody that you trust and name them as accountable.
The second thing is to pick a framework of control. I mentioned this NIST Cybersecurity Framework, which we think is a very good starting point. There are certainly others. There’s ISO 27002, there’s COBIT, there’s COSO, there’s NIST 800-53 Rev 4, which is the gobbledygook¾basically, it’s for government contracts. The bottom line is that if you pick a framework, then you are able to have a comprehensive set of controls in place. One single control is not going to protect you, but having these things working in concert and compensating whenever there are evidence flows in the level of control that’s been provided, they help to manage these flows with each other. Picking a framework is the second one.
The third one is to assume that something is going to happen and not that something is not going to happen, and practice that situation once or twice a year. To get that person who’s accountable, have them sit at the business table¾not the IT table, the business table¾and walk through what your company will be doing if your worst-case scenario just happened. The blueprints for all your designs just got stolen, you’re pretty sure your competitor has them at this point. What are you doing? That is a business problem that has almost nothing to do with IT. The IT part is, How did it happen? Are they still here? Do we get them out? All that, of course. The business problem is that your stuff was stolen. What are you going to do about it? That’s just a very different way of thinking about the cybersecurity problem.
You also want to do this other exercise so that, obviously, you understand when you are going to initiate some internal communication, when you are going to get external communication involved. Do you need an external PR partner to help you with some of those communications? How are you going to engage them so that the legal privilege is managed? Do you already have an external counsel? Are there already relationships between external counsel and law enforcement? When are you going to bring them in? All those things get fleshed out pretty quickly when you are able to spend an hour or two sitting with your C-level executives and having somebody facilitate that: “Hey, if this was happening, what would we be doing right here?” Or, if “that” was happening, questioning the executives about what they would be doing right now. What are you doing to help manage this response? Assuming that it’s going to happen. Really, every time you go through it, I promise that you will learn something. People change, positions change, teams grow and shrink every time. You want to do this a couple of times per year at least because of those changes. Doing that in itself really will help you to understand where your weaknesses are and cross them off before there’s actually a problem.
MMTL: Those are great. Finally, can you recommend any good resources for business owners to turn to for learning more about how to deal with data security concerns?
Witty: Certainly. The National Institute of Standards and Technology, NIST, has these frameworks that I mentioned before, the NIST Cybersecurity Framework. There are also a few others. The FS-ISAC that I mentioned before, or the Financial Services Information Sharing and Analysis Center, actually did a really good destructive malware best practices white paper. If you just search for “destructive malware best practices paper,” you’ll find that on the Internet. It’s a really good one that talks about backups and the different types of technology that can be used to do backups. Snap technology, for example, which allows you to take a snapshot of where a particular set of data was at any one given point in time during the day or night or week or what have you. There are a lot of technologies that are in there; it also talks about detecting these things and best practices for recovery, etc.
That’s a really good one. The U.S. Chamber of Commerce actually put out a really good one on ransomware best practices and thinking through what you should try to do if you have ransomware. If you go to uschamber.com, that’s a pretty decent ransomware best practices white paper. We also put out a newsletter to our commercial clients called “The Shield,” and I will certain encourage you to read that. We can make that available online; it really provides what U.S. Bank is seeing from a changing landscape or changing technology landscape every quarter. We have a spring version that is very good that mentions destructive malware and Crypto ransomware, as well as a piece that was done on business email compromise and a few other topics that are part of that. We also just released a summer version that really says, “Hey, business email compromise is still happening¾here’s a slight twist on it,” but also we are starting to see that same scheme branch out. Some of the news you’ve seen, SWIFT, for example, or banks in nontraditional or non–highly regulated countries starting to fall victims to their networks getting hacked and then legitimate messages being sent from their legitimate computer, their legitimate credentials, but from an illegitimate actor in their network¾these have caused some pretty highly visible bad wire transfers to happen. Central Bank of Bangladesh was the first one that got on the news, but it happened several times after that. We put out a piece on how we handle that here and also about what you should be thinking about. That “The Shield” publication is really good. It’s not too long, a few pages, but it gives you that quarterly view of where the threats are from the information security standpoint.
MMTL: Thank you for joining us on Middle Market Thought Leader.
Witty: Thank you very much.