- il y a 2 jours
Integrating Cyber Resilience From Day 1
Catégorie
🤖
TechnologieTranscription
00:00Welcome everyone. Welcome to a masterclass on cybersecurity. I'm Michael Siegel. I direct the Cybersecurity Research Center at MIT. I've
00:10been there for over 35 years at MIT. And my work and research has been in the areas of distributed
00:18systems, risk management, cybersecurity, and about a hundred other different topics. But those are the ones most pertinent today.
00:26So what I'd like to do is have a masterclass today in which I level set for everyone in the
00:33audience. I know many of you have, some of you may have more experience in cybersecurity and some of you
00:38may have less. So let's get started.
00:46So the first thing to do is to make sure we're all on the same page about what is risk.
00:51I know this seems really simple, but we talk about cyber risk. We talk about cyber risk management.
00:58Many organizations have entire divisions working on this. For various reasons, it is a problem that I believe everyone needs
01:07to address. Everyone needs cyber risk management.
01:10But let's first make sure we understand cybersecurity. Cyber security or risk, the risk associated with cyber risk, is a
01:21matter of uncertainty.
01:22Now, some of my thoughts on uncertainty come from a vacation about 25 years ago on a French island in
01:30the Caribbean. I believe, I'm not sure it's status right now, Guadalupe.
01:34And I went to a beautiful beach there. But as you can see, I have fairish skin, blue eyes, and
01:42I'm missing some hair, even then.
01:44So one of the things that I can't do is lie around in the sun on a beach. So the
01:51first thing I look for is some sort of shade. And it turns out this beach had no umbrellas.
01:56So what do you do? Right? What do you do? There's these beautiful palm trees, and they create some shade,
02:03enough to sit under at the beach.
02:04But they have these big things sitting there. And I was uncertain enough about them that I actually went up
02:11and asked somebody on the beach how often they fall.
02:16The woman I was with, who I'm married to today, thought I was nuts. But we're married still today.
02:22So anyway, that creates a level of uncertainty. But then in order to be, to create a risk, I have
02:34to expose myself.
02:35So I have to choose to sit under that tree at the beach to gain the shade at the risk
02:40of being hit by a coconut.
02:43So that's our exposure.
02:46Now, let's look at managing that risk. So people talk about managing cyber risk.
02:51So what do we want to do? We want to reduce the uncertainty.
02:54And in the case of this particular risk, there are many organizations who have addressed it.
03:01The Indian government removed the coconuts from the trees around the Gandhi Museum during Barack Obama's visit in 2010,
03:08because they were afraid they might fall on him.
03:11Okay?
03:12The beaches in Australia have removed coconut trees altogether,
03:16because they were worried that the local folks would actually sue as a result of being hit by a coconut.
03:22So we do something called mitigation.
03:26And again, I apologize. I don't know these terms in French,
03:30but I think they come through reasonably well with the diagrams.
03:35So that's mitigation.
03:37On the other side, on the beaches in Hawaii,
03:41they created these beautiful visuals about these coconuts chasing people down the beach,
03:48which would scare anyone away from sitting under the trees.
03:54But in this case, if we see those signs,
03:57we may decide to accept and prepare for impact.
04:00So we do something special.
04:02Maybe we will wear a helmet.
04:05Because what we put the helmet on is our head.
04:08We'll hear that referred to as crown jewels.
04:10You've probably heard of that.
04:12But we look in our organization, what are the crown jewels?
04:15And in this case, this person has decided to accept exposure,
04:19but to guard those crown jewels.
04:23So the last component is, do falling coconuts really create a hazard?
04:30And there were a number of articles about 150 people dying a year from falling coconuts.
04:36And then there was, if you can believe this,
04:38a number of comparisons with shark deaths to coconut fallings.
04:43And in fact, less people are killed by shark deaths than there are from falling coconuts.
04:49And this became a big international scandal because, in fact, neither one was based on real data.
04:55But we'll leave that alone.
04:56You can catch me after the talk to talk about that.
04:59But as a result of this, in 2016, a very creative British travel firm decided the holiday makers hit by
05:08falling coconuts
05:09will be guaranteed full cover under their insurance.
05:13So you could actually buy the insurance policy with a coconut clause in it.
05:19So this is the last part of the way in which we manage risk.
05:23And this is where we transfer risk.
05:26We say, okay, we'll live with this risk.
05:28We accept it.
05:30But we're going to pay somebody else to transfer the risk to.
05:33And these are the key takeaways from understanding risk and the impacts of them.
05:41And when we think about them now in terms of cybersecurity,
05:45and this is why I wanted to do this, is to sort of get us all to the same place,
05:50we think about uncertainty being things is how mature is our organization in understanding cybersecurity problems.
05:58How many vulnerabilities do we have?
06:00Do we have the correct security controls in place?
06:05Do we understand the threat landscape?
06:08So there are all sorts of interesting stories about all these.
06:12One I'll tell you, I worked with a very large international company who monitored the dark web.
06:18Everyone familiar with the dark web?
06:19Just a quick show of hands.
06:21Yeah, okay, good.
06:21They monitored the dark web and placed themselves in certain groups that were actually voting more or less week by
06:31week
06:32on what organizations to attack for political reasons.
06:36And in doing so, they would understand, well, there were large international, multinational,
06:41which for reasons people might, you know, find more or less desirable.
06:46And during the weeks in which they moved further up the list, they would increase their awareness of security.
06:54And they would understand that they were now under a threat by a group of individuals
06:58who were doing what we might call political hacking and that type of thing.
07:02So they were monitoring their threat landscape.
07:04So these are things that we manage to take care of the uncertainty.
07:10And then we think about what are the exposures.
07:12We're not talking about someone's head anymore.
07:14We're talking about the crown jewels of our organization.
07:17And so we think of lost business cost.
07:20We think of customer churn, losing our customers because of our brand, legal issues.
07:25Certainly now, how many are aware of regulatory issues in cyber risk now or in cyber management?
07:35How many, take a guess, how many regulations do you think are out there with regard to cyber security?
07:43In France, I'm looking at France.
07:46In France, it's the DORA.
07:48The DORA, right.
07:49And here, the GRDP.
07:51So you named two.
07:53Okay, great.
07:54Well, just to give you an idea, there are 170 regulations now.
08:01And we do a lot of work in our research looking at issues around compliance and regulation.
08:07And it's becoming a factor, a burden for organizations and so on and so forth.
08:11So it is a tremendous challenge, the whole regulatory issue in meeting those requirements.
08:17We, of course, now are much more concerned about response and recovery.
08:21Our organizations can't afford to just go down.
08:24And we'll address that a little bit more later on.
08:27And then sort of direct financial impact.
08:31So this became even more of an issue recently, speaking on regulation.
08:36We have similar regulation.
08:39But this was a new one just months ago by the SEC.
08:44And the SEC came up with a rule that you have to report any material cyber security incident.
08:53Now, material, again, translating into French, it's the same.
08:57It is, in fact, a very difficult term to understand for many organizations.
09:03I would guess at this point, you know, hundreds of millions of dollars have been spent just to understand what
09:08this, the impact of this legislation.
09:12I met with the, one of the people in charge of creating the, the, the regulation.
09:18And, in fact, according to him, materiality is a financial term which is very well understood.
09:23But at the same time, many, many organizations are doing tremendous amounts of research.
09:28There are a number of organizations which are proactively reporting every incident.
09:35Major organizations, many of them on the floor today, that are reporting instances, instances saying, we, this, we're reporting this
09:44incident.
09:44We do not believe it is material, but we want to make people aware of it.
09:49So there's a lot of precaution and upfront precaution.
09:52In addition, it requires that organizations have to periodically disclose what their cyber risk plant management plans are and how
10:01they're addressing these plans.
10:02So there's a burden.
10:04Now, these, of course, are reporting public organizations.
10:07Not all of you are large reporting public organizations, whether here in Europe or in the U.S.
10:13and we'll address that in this discussion, too.
10:18As you mentioned, what we don't have just the SEC in, in the U.S.
10:23We have a growing number of regulations in the EU, all of which affect the management of cyber risk in
10:31your organizations.
10:34So let's take a moment to have a poll.
10:37I, I think some of you have already grabbed the Slido.
10:43and just to get a little bit better idea of who you are in the audience and where you are
10:48along this journey,
10:49because I understand, again, I'm speaking in a place right now where I'm trying to connect with everyone,
10:57and then I want to address your specific questions in a, in a sort of a more, you know, sort
11:02of more complicated issues.
11:05All right, so is your organization analyzing cyber risk?
11:13And we all now understand what cyber risk is.
11:16It's the, that, that exposure, uncertainty.
11:19It's exposure and uncertainty, where uncertainty is the coconuts,
11:24and the exposure is whether you choose to sit under it.
11:28All right.
11:36So we're having a pretty positive, positive in the sense of a majority of the organizations here are addressing cyber
11:45risk.
11:47That's great, this is conclusive enough for me, uh, moving down a little bit, let's, I think I can move
11:55on by clicking or no.
11:57How's the best way to go to the next, there we go.
12:02Has your organization ever purchased cyber insurance, cyber insurance policy?
12:10And again, what, what did we talk about?
12:11We talked about, we not, may not be able to manage all the risk.
12:15We may not be in the business of doing that.
12:17We may be a startup with get to market issues that are really important,
12:23but we understand that cyber risk is, is going to, you know, make or break us possibly.
12:28So we go ahead and transfer that risk.
12:31And how many of you ever purchased a cyber?
12:36So again, I, this is, I would say, a, a quite an advanced audience with regard to cyber insurance.
12:43And we'll see why in a minute.
12:45So remember that number, uh, 58%.
12:49I'll go on to the next slide.
12:52Going down a little bit.
12:55Okay, great.
12:56So the state of cyber risk management today for small and medium enterprises,
13:01and some of these polls are a few years old, um,
13:0446% of all cyber breaches impact organizations with less than 1,000 employees.
13:09So we can talk about quite a number of them affecting small enterprises.
13:14Uh, 51% have no cybersecurity measures in place at all.
13:18But here's the number that's amazing.
13:2175% of small and medium enterprises could not continue operating if they were hit with ransomware.
13:28Now, I've, I've also seen numbers along the lines of about 60% are out of business if they have
13:34a cyber attack at all.
13:35So the, the, the, the impact on small and medium-sized enterprises is far greater in some ways than large
13:42organizations who can take a hit.
13:44Think about the, um, the, uh, all the cyber breaches that have occurred.
13:51Whether we think of Maersk and not Petya, or we think of some of the older ones like Target and
13:57Home Depot in the U.S.
13:58Or other organizations, these organizations are still there.
14:02They're all operating just fine.
14:03In fact, all of them have recovered to, um, a, a, a much higher level than they were at prior
14:10to the cyber attack.
14:12And in many cases that didn't take very long, some organizations handled it better than others, and, and the ones
14:18that handled it well recovered faster, but large organizations can take the hit.
14:24It's a small organizations, but this is the amazing one given the answers in the audience.
14:29I'm impressed because in, in this survey, at least only 17% of small and medium enterprises ended up with
14:36cyber insurance.
14:39So, what I would like to propose to you today is a, a, a, a simple way of look, looking
14:45at cyber risk management for those of you who are already involved, but also for those of you who are
14:51just beginning to think about it.
14:54I think we have a number of approaches.
14:57What I've tried to do is simplify it to a single cube, okay?
15:01So, what we have is that organizations choose to do it in a qualitative or quantitative way.
15:09For example, how many people in the audience are using the cyber security, the NIST cyber security framework?
15:16See a number of hands, not that many.
15:18It's a qualitative approach.
15:20It has about a hundred and, I don't know, last count, 180 security controls.
15:25You determine whether your, you know, data is encrypted at rest, your data is encrypted in transit.
15:31You know, what are your assets, you do this according to a bunch of standards, it's very helpful, it, it's
15:37a sort of a little, it's better than a check the box because it has tiers associated with it so
15:42you can get better in each of those controls, but it's qualitative.
15:45What we're seeing more nowadays is some of the quantitative approaches, things like, for general public and free to use,
15:54things like security scorecard.
15:57And you can find out what your, what your stance is, what your publicly known stance according to security scorecard
16:05is by going online in security scorecard.
16:08BitCite is another one that organizations are using.
16:10We're seeing, we're seeing things done by something called the fair analysis, which is a very statistically heavy method, but
16:21also a very productive, very helpful method for gauging where we are with cyber risk.
16:26So you make some choices.
16:27You choose to be quantitative or you choose to be qualitative.
16:31Then you ask yourself, am I going to measure or am I going to manage?
16:35Now everybody should measure their cyber risk.
16:37So the measure is sort of what I see many organizations about, especially small organizations, I work with a lot
16:44of smaller pharma firms, once a year, they'll analyze their cyber risk.
16:50What are our real concerns for this year?
16:52What's happening in the marketplace that's attacking pharma's, what do we really, what are our crown jewels, what do we
17:00need to put in place over the next year to make sure that they're safe?
17:03That I would call an organization who's doing more measurement.
17:06They do some management, they make a plan for a year, but they're not actively managing on a sort of
17:12a daily or hourly basis.
17:14Then we have the management organizations who are doing a much more active cyber risk management.
17:21They're planning monthly, quarterly, weekly, whatever it is, and they're changing some of their ways in which they allocate funds
17:29for various projects, and they're, of course, addressing threats that come in front of them very quickly.
17:35And finally, this is a really important one to think about, and especially for the small and medium-sized enterprises
17:42in the audience.
17:43There's your internal cyber risk, and we've sort of addressed that a lot.
17:48That's how's your organization doing internally.
17:50But the real issue that's coming on board is the whole supply chain risk issue.
17:55And so what is your external cyber risk posture?
18:00If another organization is looking at you, and you provide a widget for X, and another organization provides the same
18:08widget for about the same price,
18:10but they look at what your cyber risk is, whether it be bit side score or whatever way in which
18:16they figure it out.
18:17Many are using questionnaires.
18:19Many will ask you what kind of software you're using, and they determine that one organization is more secure than
18:25the other.
18:26That may be their choice.
18:28So you may be facing a vendor choosing issue with regard to managing cyber risk.
18:38And here I show an example.
18:41Not all organizations need all sides, all combinations of sides of the cubes.
18:46Notice that there are eight possible combinations.
18:48You need to address some of the things differently, internally and externally.
18:51You will address differently.
18:53Some of them may be quantitative.
18:54Some of them may be qualitative.
18:56Similarly, you may be more active in certain parts of your organization or certain approaches and less active in others.
19:02So not everything fits at all.
19:06We have here a large energy organization.
19:11They've decided internally to worry about cyber risk in the finance department.
19:17They've chosen a quantitative approach using the fair analysis.
19:21And they're going to manage continuously by looking at various key performance indicators, KPIs, and adopt an overall security performance
19:30monthly.
19:31So that's their approach, and they've used that cube.
19:35I want to be clear that cybersecurity is not one size fits all.
19:43It is clear that there are organizations that have priorities that have to choose to make cybersecurity a lower risk,
19:51a lower concern, because their speed to market and so on and so forth.
19:57I still believe everyone needs cyber risk management, and you just have to be more selective about what you secure
20:04and more focused on making sure that it does not affect your brand, your reputation, your ability to be a
20:13provider in the supply chain.
20:14So I think that's really important to think about.
20:16We're doing a lot of work in this area.
20:19Well, we're doing a lot of work in all the slides, but this is at the high level.
20:23But we're doing some fairly advanced simulations, usually Monte Carlo simulation, to generate some heuristics for how different types of
20:34companies will approach these four quadrants.
20:39And finally, because I want to get to your questions, that's really what I'm here for, in building a cyber
20:45resilient organization, and building any organization, this is how we look at how we've looked at risk.
20:53And this framework, I hope, provides you with a number of ways to go back to your organization.
20:59I always like to think about what are you going to do different on Monday.
21:02That's what our research really wants.
21:04We want you to walk away from understanding the research we do and to say, what am I going to
21:11do different on Monday?
21:12Am I going to ask a different question?
21:13Are we measuring cyber risk?
21:16Are we managing cyber risk?
21:17Do we use a qualitative approach?
21:19Have we determined what our crown jewels are?
21:21What's our exposure?
21:23How do our partners understand us in the supply chain?
21:26Are they asking us about our cybersecurity?
21:29How are we able to show them how well we're doing?
21:31Are we, you know, are we best, you know, doing, practicing best practices?
21:37So these are the types of questions I want you to go back with.
21:41And finally, please beware of falling coconuts.
21:45So thank you.
21:46And now I'd like to take your questions.
21:47One more slide, though.
21:49So if you're interested in our research, a lot of the work we do, it's online.
21:53We have members in our organization.
21:56If you have follow-up questions, you can email me.
22:01But a lot of our papers, a lot of topics, we have didn't cover a lot of the issues.
22:06We have a paper with the Geneva Association, Switzerland, on cyber insurance.
22:11We have quite a few papers on cyber resilience and cyber risk management, probably a few dozen.
22:17So there's a lot of work that we've done looking at the particular topic.
22:20But I'd like to take your questions.
22:24Michael, we actually have quite a few questions coming in from you who generated a lot of interest.
22:29Thank you to all of you that have been asking your questions.
22:32You can flash the QR code that you see up on the screen to do this and upvote the questions.
22:37So I'm going to start off.
22:38We're going to do some rapid fire here in search.
22:40The first one that's got five upvotes.
22:42Will AI accelerate existing cyber security crisis?
22:47And if so, how?
22:49So this is a discussion we've had a lot.
22:53So there are, you know, of course, many opinions.
22:56Let's start out with the clear understanding cyber security is asymmetric warfare, right?
23:03No other way to describe it.
23:05They need to find one way in.
23:07We need to stop every way in.
23:09That's just not fair, right?
23:10That's just not fair.
23:11In addition, the last estimate is we're four million people short of fighting cyber security.
23:18Four million people short.
23:20Okay?
23:21So what's going to make up that difference?
23:23Where are we going to get the leverage?
23:24And my belief is that though it will be back and forth for a little while, ultimately the defense will
23:32win in the sense that we will be able to leverage AI to start to fill the holes with regard
23:39to those amount of people that we need and to stay ahead of the attacker.
23:43Now I have heard all sorts of things, a wonderful paper out of MIT on AI that helped with phishing,
23:50but then somebody understood what the AI was and they created another phishing bot that actually knew what the AI
23:59is and therefore created the phishing emails based on understanding what the AI is.
24:03So you can see it going back and forth and back and forth.
24:05But I think in the long run, it will help the defense.
24:08Yes.
24:08Okay.
24:09So we've got this sort of cyber security whack-a-mole that the game is.
24:12But four million people?
24:14Did I hear that right?
24:15Four million people.
24:16Okay.
24:16That's a factoid for you.
24:17So job security for everyone in the audience today.
24:20I love that.
24:20That you can go back with.
24:22All right.
24:22Okay.
24:24So we're thinking about AI.
24:25Of course, it's on everyone's mind right now.
24:27Now, how should organizations think about the unknown risks that AI is going to be bringing us?
24:33How can we prepare for the unknown?
24:36Do you have a crystal of cyber security?
24:38Well, there's sort of the unknown, unknown, unknown.
24:39But anyway, yes.
24:41So we're looking at a lot of – there are a lot of layers in AI.
24:51First, there's the whole idea.
24:52We were talking about cyber security attacking our systems.
24:54But now we can talk about AI as someone attacking the actual AI system, affecting the large language model,
25:03creating different answers, creating much different results than we might have expected.
25:11I think many organizations are addressing these challenges.
25:15I think it's very, very large.
25:18There is concern that things will happen.
25:22We really, in some ways, we still say we haven't had the big one yet, right, in cyber security.
25:30We don't really – we still talk about that.
25:34Some of the question is can what we refer to often as AI or even non-AI systemic risk, what
25:44we talk to as systemic risk, cause such a problem?
25:47A cloud provider going down, a large piece of software that's used by every organization being a problem, large language
25:56models that are used in many organizations being affected or being hacked and that having a result.
26:04So, I do think there are issues there with regard to unknown.
26:09I think the best thing to do, and we're spending more on it now, is look at that response and
26:15recovery capability.
26:16Because just like we said with cyber – we've been saying recently with cyber security, well, not even that recently,
26:22some years ago, everyone has a different form of it.
26:26If you haven't already been hit – I'll give you the bottom line, we'll be hit eventually.
26:29Everyone in this audience, you know, every organization –
26:32If you haven't already been hit –
26:33If you haven't already been hit –
26:33If you haven't already –
26:35We can say the same thing about AI.
26:37Okay.
26:37So, what do we do?
26:39We prepare.
26:40We understand.
26:41We have tabletop exercises.
26:43We know who we call.
26:44We understand how to protect our brand.
26:47We understand what happens if our systems go down.
26:49Okay.
26:49So, we have to spend more on that.
26:51So, resilience, response, repair, recovery.
26:56Okay.
26:56Thank you.
26:56I have a very quick question for you, actually.
26:58So, we have many people in the groups here who are startups.
27:02What do you do if maybe your CEO or your CFO doesn't believe in investing in cyber security to the
27:09budget that you believe needs to be?
27:11How do you convince these people?
27:14I think that the thing that is coming that will be most convincing – obviously, you can show them articles
27:21and things, you know, that have occurred.
27:23I think the real challenge now is supply chain cyber security.
27:27Supply chain.
27:27And so, as I mentioned a little bit earlier, if I have an organization – if I have a choice
27:33as an organization to buy the same widget from a secure or less secure supplier, I'm going to choose a
27:39secure supplier.
27:40Okay.
27:40So, if you're talking to your CEOs or your CFOs, come at it from a business perspective, maybe, that supply
27:46chain, that will help you out.
27:47Another question.
27:48We've got lots of upvotes on this.
27:50Who are behind these cyber security attacks, Michael?
27:53Who's behind them?
27:54Who's behind them?
27:55Interestingly enough, we've studied this in a number of ways.
27:59I've looked at a whole series of data from – on the good side, from bug bounty programs.
28:06Everyone familiar with what a bug bounty program is?
28:10A couple of hands going on.
28:11Is there a translation to French?
28:13What's it called?
28:14Same thing, bug bounty program?
28:15Yeah.
28:16Okay.
28:16Good.
28:16Good.
28:17So, bug bounty programs, interestingly enough, started what year?
28:21Take a guess.
28:23Don't.
28:251996.
28:27Yes.
28:28Netscape.
28:29Netscape Navigator.
28:31The – one of the first browsers had a bug bounty program.
28:35You find a mistake in the way it performs or a way to access it and hack it, they would
28:41give you a reward.
28:42Now, of course, bug bounty programs sat still for quite a while.
28:47And then, in the sort of mid-2005 or something, they become very active.
28:53Most major organizations here have some form of bug bounty program.
28:57There are a number of platforms for small organizations to get involved in – small and medium enterprises to get
29:03involved in bug bounty programs.
29:04These are – again, these are people on the white hat side.
29:09Now, let's talk about the black hat side.
29:12Unfortunately, and there's a wonderful book out of a gentleman in Oxford, and I don't recall his name, who went
29:19around and visited these towns in Russia, Eastern Europe, and areas like that, where they had these extremely well-trained
29:28individuals who couldn't find jobs.
29:33And the whole town is dedicated to hacking because they have no employment, but they're extremely well-educated, and there's
29:42no other way to do that.
29:44So until we change – and that's why I bring up bug bounty programs – it changes the dynamics some,
29:49and I've talked to a number of organizations.
29:51When United first got – which is an airplane flying, right, they had a bug bounty program.
29:55It's not just for software companies.
29:57It's also for all sorts of – in fact, the U.S. government and the Pentagon uses bug bounty programs.
30:05So I want to make it clear, I'm not talking about some little esoteric thing, but when we find a
30:11way to reward people for their work with regard to this in a way that can help society – and
30:18this is, of course, going back to the whole discussion, which is a longer discussion about cyber security really has
30:24to start at K through 12.
30:26It's really a societal thing where we have to understand the security of our digital environment is essential.
30:35So we just talked about sort of like the preparation, the resilience, and then the sort of response and the
30:42recovery.
30:43But even before that, we need to get the education in.
30:46And to get more, you just mentioned the 4 million people missing.
30:49We're not going to fill that unless we get into the education.
30:52But it's also societal response.
30:54It's a sense of thinking, I mean, my children, and I imagine many people in here know, grew up putting
31:00everything online, you know, and it's not – it's not a mentality that's going to work because there are bad
31:07actors.
31:07Yes.
31:08So I want to say thank you to all of you that have submitted your questions using the application.
31:14You're going to be able to do that throughout the day here today to tap into the minds of our
31:19speakers like Michael.
31:20Michael, it's been fantastic having you with us here this morning.
31:23Thank you very much for leading our very first master class.
31:26Thank you.
31:26Thank you to everyone soon.
31:28We are going to be staying on the subject of cybersecurity and cyber resilience now.
31:33We have another session starting in just a few minutes handling the fallout of the cyber attacks.
31:38So stay right here for that.
31:39Thank you, Michael.
31:40Thank you, everyone.
31:41Thank you.
31:41Thank you, audience.
31:42Thank you very much.
31:43Thank you.
Commentaires