The World Economic Forum's Global Cybersecurity Outlook report indicates that cyberattacks increased 125% globally in 2021, with evidence suggesting a continued uptick through 2022. In this fast-changing landscape it is vital for leaders to take a strategic approach to cyber risks.
How can leaders better prepare for future cyber shocks? What individual and collective actions will foster a more secure and resilient digital ecosystem?
This is the full audio from a panel discussion at the World Economic Forum’s Annual Meeting 2022 in Davos.
Moderator:
Karen Tso, CNBC International
Speakers:
Jürgen Stock, Secretary-General, International Criminal Police Organization (INTERPOL)
Josephine Teo, Minister for Communications and Information of Singapore
Chander Prakash Gurnani, Chief Executive Officer, Tech Mahindra Limited
Robert M. Lee, Chief Executive Officer and Co-Founder, Dragos
Podcast transcript
This transcript has been generated using speech recognition software and may contain errors. Please check its accuracy against the audio.
Karen Tso: Hello, everyone. I'm Karen Tso, anchor for CNBC. Thank you so much for joining us today for this important session. We welcome all WEF stakeholders as well as we turn the spotlight on cybersecurity.
Cyber attacks, as you know, are not new, but the threat level has increased as we think about a changing digital and geopolitical landscape, a huge shift to remote working during the pandemic, more data moved to the cloud, a rise in e-commerce and financial transactions online, more and more connected devices, and an increased geopolitical threat with the war in Ukraine.
Over the next 45 minutes of this session, we'll discuss how leaders can prepare for future cyber attacks. Just a quick housekeeping matter, if you do want to connect with this debate, #WEF22 is the one that you can use. We'll also open up the discussion in about 20 minutes time, so be ready with some questions.
Let me introduce you to our panellists today. Jürgen Stock, Secretary General for Interpol, France. Josephine Teo, Minister for Communications and Information of Singapore. Chander Prakash Gurnani, who is Managing Director, CEO of Tech Mahindra. And Robert Lee, CEO and Founder of Dragos in the United States.
Well, first up Jürgen let me turn it to you. The World Economic Forum Global Security Outlook report indicates that cyber attacks over the past year were up to 125%. How do you assess the cyber security risk as we now also weigh up the threat of state sponsored attacks?
Jürgen Stock: Thank you very much. I think there's no reason to sound the all clear. These statistics are suffering from the fact that, of course, still many of the companies, many of the victims, are not reporting the incidents to the police or to national agencies. So we are still struggling that all the information maybe comes from the roughly between 5-10% of the cases that are reported to law enforcement.
I think there's no doubt that the threat is increasing. We see criminal groups continuing, acting in a more sophisticated way. The way in which they organise themselves is very different from the traditional mafia style, where people know each other, maybe same families, same region. Here it's like the yellow pages in the internet where you offer your specialisation, they connect for a specific attack and then they change, which also makes it for law enforcement even more important on the one hand.
So this is becoming more sophisticated, more difficult also because it's global by nature. And, of course, law enforcement, we still operate mainly in our national jurisdictions. On the other hand, I think the major risk is still not that much IT security in a way of technical issues, it's human failure that opens the door for criminals to attack the systems to take data hostage – one victimisation, a second victimisation with the data.
And as the world is becoming more connected, we have been discussing that here with the World Economic Forum a number of times, the challenge is still how do we connect the various dots that need to be connected that allow us to share information in real time to allow us to be prepared for the next attack which will come - it's only a matter of time. So that is primarily the challenge.
Karen Tso: If I can just follow on quickly, what is the link between state sponsored cyber attacks and the criminal underworld?
Jürgen Stock: I mean, first of all, I have to say that Interpol is focussing on criminal activity, so those perhaps 80% where criminals are behind that are still interested in money, in data. The risk here is what we also see in traditional crime areas, that weapons that are used today by the military, for instance, maybe a couple of years later will show up in the dark net and will be used by criminals for even more sophisticated attacks. That is a major concern in the physical world - weapons that are used on the battlefield and tomorrow will be used by organised crime groups. But the same applies for the digital weapons that maybe today are used by the military, developed by military, and tomorrow will be available for criminals.
Karen Tso: That's quite a warning, isn't it? Minister, let me turn to you. Late last year, Singapore updated its cybersecurity strategy, in particular to take a more proactive stance to protect critical infrastructure. There's plenty of reasons why Singapore would be a target, with sanctions against Russia that you joined. The city state is a growing hub for international finance and business, attracting more and more business away from Hong Kong, for instance. Just give us a sense how you perceive that threat over the next 12 months to Singapore?
Josephine Teo: Well, first of all, let me say that it is an honour to be on this panel. We have a veteran in law enforcement and we've got very prominent business leaders that provide a range of cybersecurity and IT services to so many different businesses. Let me just share a perspective, as a minister who really would like to see in the short term a more solid recovery for our economies and in the long term would really like to prepare all people to succeed in the digital age.
It's probably right for us to not try and think of cyber risk in very discrete terms because they are interconnected with a whole range of risks; geopolitical risks, technology bifurcation, the Russian-Ukraine conflict (which has as a result created economic turmoil), questions about energy security and even just plain old supply chain disruptions. All of these, I think, have got the potential to spill over into cyberspace.
Now, one key trend that we have been watching out for is exactly as Jürgen talked about, which is that cyber criminals, in terms of their level of sophistication, they seem to be catching up with state sponsored APT [advanced persistent threat] actors. And what we are observing is that actually even this has become a national security question, because critical information infrastructure can come under threat. And I think one problem that we face is that this is growing at a very fast speed. This underground ecosystem that Jürgen outlined is extremely lucrative and it is self-funding. So any time that you have capabilities that are existing in a system that is self-funding and makes a lot of money, you can expect it to grow. And I think this is an area that really demands urgent attention, a lot of international cooperation, to rein in.
A second area of risk I would talk about is that there has been just rampant exploitation of supply chain as well as all kinds of software vulnerabilities. A third party that are coming through to a lot of businesses. No business can operate without using some third party software. And there used to be a relationship of trust that existed between the clients and the managed services provider, and this trust is being undermined. And when you have an absence of trust – how can you continue to digitalise your businesses at the rate that would bring about great benefits? So this, I think, is a longstanding problem that isn't going away quite so soon.
And let me just close off by saying that there are two associated risks that we would characterise, not necessarily a cyber risk. One has to do with the fact that the threat surfaces are expanding so quickly and there is a real danger that we don't have enough talent, don't have enough capabilities to deal with them. Second is really the problem of what I call "distractedness". There are so many problems that business leaders are dealing with, and if it comes at the cost of de-prioritising cyber security, then I think this is going to have a lot of long term consequences that we will have to pay for and they will hurt us. So I will just pause right there.
Karen Tso: Minister, thank you, and I'm glad you brought up the supply chain, because one of the reports in recent days was about connected farm devices being hacked. And if we think about the food shortage we have at this stage, how it's proving inflationary across populations – you can see why cyber attacks and this particular area could be a major issue.
On that note, Chander if I can ask you about the business community reaction here, because we know that there's been a huge digital acceleration during the pandemic. There's reputational risk from cybersecurity, financial risk as well, we've also witnessed on the back of several attacks. How do you perceive the threat for the next year or so?
Chander Prakash Gurnani: I think, Karen when you step back. First, there's the dependence of technology on (some industries it is lot more evident) the power sector, the utility sector, telecoms, healthcare. Now, during the pandemic, even online education. And in a lot of ways, I'm sure the honourable minister would agree, the e-government services, the dependence on technology is so high that we need to be cautious – if that is the dependence then you treat it as an infrastructure, and if it is an infrastructure you need to budget time, money and energy for maintaining that infrastructure.
I think when I look out, I think many corporates have taken a responsibility to look out for country attacks. They look out for dark web attacks, they look at individual attacks. But the question is, how often do you maintain? My personal read is that the boardrooms become very, very active whenever there is a similar industrial attack. So if a Colonial Pipeline is attacked, suddenly all the oil companies around the world will become active because they all want to know what happened in that case study and are we safe.
Similarly, the scope of audit – many companies only assume saving their servers or networks, or the end user devices in their premises, are good enough. But the reality is the ecosystem is much bigger. So one of the banks that we work with, we were engaged to audit, but the audit was very specific – banks like to be very specific – it was a server network and their premises. And we said, "No, that's not enough." And we had to prove it to them through the law firm that they engaged – that on a Friday evening one human (this is the point Jürgen was making) that it is mainly the human failure. One human picking up a phishing email brought the whole system down. So I think we need to be cautious that our vulnerabilities are now outside the system also. And when we do ethical hacking, (a) we should do it more frequently, and number two we need to take into account the ecosystem.
Karen Tso: That's a good point that you make. There are red flags when it's an external contact, but when it's somebody you work with day in, day out who sends that email, it does provide a different level of risk, doesn't it?
Robert, I want to turn to you. I think most of us feel there's someone who has greater IT experience than us in the room – you are the exception. You're probably the resident tech expert. Very interesting background as well – you were one of the first (or the first) to investigate the 2015/2016 attacks on critical infrastructure in Ukraine. Now, as we have a physical war playing out on the ground with devastating consequences, just draw the links for us to what could start as something that looks like it's just an attack on the global community but is very much focussed on a specific area. How do you look at that now in hindsight and look forward at the risk?
Robert M. Lee: I think most business leaders, most executives, most board members, they have these cybersecurity conversations. The awareness, as we were talking about before, is very, very high. But we still very much have a focus on IT, even my skill set as an example, I really don't know anything about your IT, I know a lot about your operations technology, the control systems, how a power system works, how a manufacturing system works. But most companies, when they talk about cybersecurity, spend more time on the website than they do on the gas turbine system.
But the stuff that actually generates you revenue, the things that actually have national security impact, the things that have safety impact, the things have environmental impact. It's the operation side. It's all the control systems. Those were never really connected before – they started getting connected en masse about 15 years ago. People still think that they're disconnected now – they're not – save yourself the audit, they're connected. But because they're getting connected at the same time the digital economy is going the direction that it's going, and at the same time that our systems are undergoing a massive change, especially as we move towards a more sustainable and equitable energy system, as an example, we are operating on a little bit of a knife's edge.
And so we've got adversaries that know how to target operations systems – they've included engineers with their cybersecurity people. We've got systems that are more connected than ever, and something like a disruption on an electric system years ago, it would probably have been OK, more fear than actual impact in some cases, you can design the big ones. But we make safe and reliable infrastructure in the industrial community all the time. But take, for example, the green energy change and electric system, as an example now, is operating in such a way that power is on demand in real time for the lowest kilowatt hour. So previously, if you caused one company to go down, I could have enough backup energy on the system and we had the concept of inertia. You have big spinning equipment, big spinning equipment in inertia sort of slows down the effects of things and you can respond.
But now that we're going towards wind energy, solar, etc., it's all inverter-based resource, it's direct current. I don't have big spinning equipment much anymore. Now I don't have that inertia in the system. Now, if I have an impact on an electric system, I don't have the backup power and I don't have the time to respond. And it's more connected and there's more adversaries that understand it. That's not a good place to be. So when we look at cybersecurity of critical infrastructure, it's important for everybody to take away the fact that the critical part of critical infrastructure are those operations technology systems. Of course, we want you to do the IT stuff as well. But if we're going to talk national security especially, really got to put a focus there.
And I would say probably the closing comment on that one is governments do have to be very aware of the difference between business risk and national security risk. If it's business risk, companies should be paying for themselves and doing that work. But if it's a national security risk, there's got to be support and potentially even resourcing from the federal government. So that entity actually takes it and does something with it.
Karen Tso: If I can just follow up on that point, whether there is a pre-Ukraine versus post-Ukraine moment for the industry here and whether companies, countries that are joining sanctions or taking a move to exit Russia and doing operations there, are they at a greater level of risk now versus before?
Robert M. Lee: For sure. We've absolutely seen countries that have come out with sanctions, countries that have been public in discussion, countries that are connected to that system, we see them getting targeted much more. And so there's absolutely the geopolitical overlay of any time you're talking about critical infrastructure, cyberattacks.
And the other thing that we just need to be really mindful of (and I think this is a suggestion as well to the audience as you think about those challenges) is if you're an executive at your next board meeting, your next executive discussion, there's really two questions I would focus you on: number one, when you get all your metrics and your stats and your cyber heatmaps that you barely understand and we all love the colours, ask the question, is that the enterprise IT or is that the enterprise? Because very often you're doing far less on the side of the business that you care most about.
The second thing I would suggest is the scenarios (and this goes back to your Ukraine discussion), very often, especially in the technical community, it's all about technical controls. I mean, what about patching, what about vulnerability management, what about antivirus, what about firewalls? What this, that, the other. Their problem is not needing next-gen AI, blockchain or whatever else. Our problem usually is just about rolling out the things that we've already invested in doing something.
But don't focus on the technical controls. We don't treat our business in any way like that anywhere else. Instead, focus on scenarios. Should a power company anywhere in the world be able to prevent, detect and respond to Ukraine 2015/2016 scenario? Of course, we've seen it, you should. Should they theorise about what happens when China, Iran, Russia, the US or whatever superpowers team up against you? No, it hasn't happened. Don't focus on the theoretical. But if something's actually happened in your industry, you owe it to the community to actually have that scenario covered. Not a single technical control.
Karen Tso: Minister, can I get a quick response from you? Bob [Robert] has just mentioned that if it's a national security threat that a company is facing, there is a role for funding for the state. How do you feel about that? Would Singapore step in and provide funding for companies that are under increased threat because of national security?
Josephine Teo: Well, I think in the first place, as a state, we have to look at our own provision of services and ensure that we set standards at a high enough level. Actually, if you look at some of the critical information infrastructure, quite a lot of it is operated by the state. So for example, even if our power grid is privatised to a very large extent, the cyber security measures that we impose on the power generation companies is one way of ensuring that the standards are met. But there are also other ways in which we can help, for example, understanding where the risks are. I think this is where government can play an active part.
But I also want to add to what Robert was saying, which is that I think it makes sense for us when we think about scenarios, not to think that we have not yet been breached. And in fact, in Singapore, the way we think about it is that the cyber attack is not a question of if, but when. And so we have to move from preventive measures to being able to recover from an attack. And so cyber resilience, building it into enterprise risk management is really important. And it has to be at a very high level of leadership that demands that these steps be taken.
Karen Tso: Minister, you're taking us neatly into the next area. I want to talk about perception gaps, because the World Economic Forum has identified that there is a perception gap when it comes to just how prepared businesses are around cybersecurity versus cyber leaders. Now, 92% of business executives agree that cyber resilience is integrated into enterprise risk management strategies – only 55% of cyber executives agree. So the experts in-house think that the level of planning is just not adequate at this stage. Can I come to you on that point? Because Jürgen you've seen the level of preparedness when it comes to locking down facilities, stopping criminals from entering the premises. What do you make of that perception gap and whether business leaders are ready for the task of averting cyber security attacks?
Jürgen Stock: From my experience and talking to a number of senior leaders in companies, there is definitely, the level of awareness has been rising, it's much better. But that does not necessarily mean that there is a comprehensive understanding of the cybersecurity risk in a company, including what you said, the supply chain, your partners, you are connected with. And again, this comprehensive understanding and translating that into implementing the necessary measures, doing it often enough, because what we need actually is information exchange in real time. Because the situation is so dynamic, crime patterns are changing, sometimes within hours, slightly or within a couple of weeks at least. And being a part of an ecosystem nationally, regionally and internationally that allows this real time information exchange.
So for me, it's not a surprise that there is still a gap between the senior management, that there is a general awareness, but again, investing in specific measures, including your teams, your staff, to reduce human failure in these procedures and to understand that this is something you cannot just do once a year, like a medical check, you have to do it as something permanent. There is still obviously a lot for us to do and to increase the dialogue, for instance, between law enforcement, because we, on the one hand, we are aware of what's going on, on the other hand, we need the data which are in the private sector. So we need your reports. Without your reports, we are blind. And that is something I mentioned this huge number of unreported crime - that is a gap that we need to close together, not just law enforcement. That requires that we build bridges between our silos, the islands of information, and in a more strong way, institutionalise the cooperation that already exists, and for us the World Economic Forum is an important player on the global level.
Karen Tso: Europe is going down the pathway of requiring some sort of reporting within 24 hours, which is to your point that often we see this just brushed under the carpet, that people don't want to disclose that there has been some sort of cyber breach because of reputational risk.
Jürgen Stock: Or whatever reason.
Karen Tso: Chander, let me come to you because you did touch on the perception gap a moment ago and one of the conversations I had with a cybersecurity expert this week was that nothing has changed in 20 years, that people still perceive there is a risk, they're trying to protect absolutely everything in the organization rather than the most critical information. Just touch on what the strategy should be for business from here, given that there is such a wide gap of how the industry experts feel the preparation should be.
Chander Prakash Gurnani: So, I'm surprised that you think nothing has changed in 20 years.
Karen Tso: That's not me.
Chander Prakash Gurnani: So I can only say that, when I was walking up here, I accidentally met the chairman of IBM and he said, "Where are you going?" (This is Arvind Krishna, chairman of IBM.) And I said, "I'm going for the cyber security, at the Forum." And he said, "Oh, that's the threat of the decade, and it will remain the threat for the next decade."
So one part is very clear that most of us do realise that it is a threat, the second part is that most of us also realise that while we know 100 ways to secure our IT systems, or the network, or the end user, or the supply chain, but the attacker has to succeed only once. So clearly for us, whether it is technology, it needs to be refreshed, whether it is the processes they need to be, you know, talking about those viruses. I mean, all of the healthcare, as you put it. I mean, it is very, very clear that our processes have to be current.
And third is people not only need to know how to protect, but they also need to know how to anticipate. So I think the world over we need to realise that the various studies have shown there is a skill shortage in cybersecurity and I don't think that all of us are putting enough attention to creating that lateral skilled force of 2.7 million people that are required by 2025. So I think it's a bigger challenge of people, process and technology.
Josephine Teo: So Katherine, building on what Chandra has said, I suspect that the perception gap comes about because one group is looking at all the known unknowns and saying that we've got this. And then there is another group that is thinking about all the unknown unknowns and saying, no, we haven't really got it. And that's why, you know, you have this very big difference in perception. In cybersecurity, exactly as Chandra says, you don't know what you don't know. And you have to believe that these are very serious vulnerabilities and you have to be on the lookout and trying to exchange information with each other, try and get better to understanding the problem.
Jürgen Stock: I think many companies still start seriously working on that when they first have been hit and the data are blocked. This is where the action starts. "Oh, who am I in my points of contact? Where are my data? Who can help?" That's my experience. And talking to a lot of senior leaders who called, "I have been attacked. What am I going to do?", "Too late. Sorry."
Karen Tso: You can see how engaged the panel is, but I know there are some questions out here on the floor. So we have promised to open it up for the conversation with our audience. So if you would like to pitch a question, please stand up and we will bring a microphone to you. We have a question here first, we have a microphone ready. If you could state where you were from too please.
Wolfgang Kleinwächter [audience member]: My name is Wolfgang Kleinwächter, I'm a Professor Emeritus from the University of Aarhus. The United Nations have started negotiations on a convention on cybercrime. What do you expect? And the question goes in particular to Mr. Stock and Madame Teo.
Jürgen Stock: Thank you Wolfgang for that good question. I mean, it's a global problem, right? And it requires a global solution as many other threats that the world is facing. You cannot deal with that just on a national level or on a regional level or in isolation, that doesn't work. It requires global coordination. The challenge for Interpol to connect 195 member countries. What we expect is that law enforcement, as mentioned, because hopefully we all agree that investigation, prosecution and getting the actors behind bars is an important part of protecting our systems. So we are a part of these negotiations. We hope that we can make sure that the interests of global law enforcement are represented in this UN approach, which we consider to be important.
Josephine Teo: Can I just add to what Jürgen has said? I fully agree with him. There is a great need for international cooperation, and that's why I think Singapore makes an effort to participate in all of these, even though, in comparison to the threats faced by many other countries, I think ours is of just a different scale. But I would say that apart from having a convention, there is another area that I think is also very important, and that has to do with capacity building. You can have a convention, but ultimately it is the individuals that are operating each of the countries cybersecurity systems that have to intervene at the appropriate times.
And what we have done is to work with our international counterparts to try and create programmes as well as training opportunities in our part of the world, in ASEAN, for example, we've worked together to set up the ASEAN-Singapore Cybersecurity Centre of Excellence. It's very well received. Whether it is the US, whether it's Interpol, whether it's the UK, so many countries have decided to come on board to try and share knowledge because in cybersecurity we fully recognise that it is a team sport and the better we are able to make every player a competent player, the stronger the team is going to be. So that's how we are approaching it.
Karen Tso: And of course, you need a full team as well to play the game properly. Robert before we move on, can I just ask you, because you're charged with clean up when the security attacks happen, do you think it would make a difference if there were global coordination or some form of a UN resolution?
Robert M. Lee: I think it's a really nice idea and I wish you all the best of it and thank you [laughter]. But no, I don't think it will actually help anything. You have always had agreements between states on things, even to the point of critical infrastructure attacks. Most of us agree that you shouldn't target civilians. And in the moment that a government wants to, they do, when it's in their necessity, they do. And so I just think global discussions and so forth, really important, the awareness, really important – thinking that a treaty or similar is going to fix it, I think is not necessary.
But I do want to look at the things that work. If you look at the cyber screening agency in Singapore, if you look at the Cybersecurity and Infrastructure Security Agency (CISA) in the US, if you look at the Australian government, their ACSC programme. These different government agencies have come out and raised the discussion completely on their own, like it's not vendors or what else, it's government agencies having international cooperation and making sure that board members down to practitioners know what to do. That type of stuff works. Go repeat what works and scale what works. And if you want to do some other ideas too, that's fine. But do in parallel, don't do one or the other.
Karen Tso: Let's get more questions in. There was one down the front. Thank you.
Natalia [audience member]: Hello. My name is Natalia, and I'm here as a Global Shaper, as a curator of the Kyiv hub. When the war started, the headquarters, they took out all information from the website, information about all Ukrainian hubs meeting about all Ukrainian Shapers. In the meantime we do have our Facebook, Instagram, LinkedIn profiles. The question is, what would you do in our place? Should we hide all information about ourselves? Thank you.
Karen Tso: Chander, do you want to take that one?
Chander Prakash Gurnani: Honestly, the sources of information are so many that I don't know whether you can have a universal policy. So, for example, when we were talking about a central competency regarding the repository of malware, the reality is people in the CSO community and the people in the hacking community, they have all the repositories available, and that's where the tool companies have created some of the controls. So I personally believe that we have to assume that the information would be available, while we can try policing but that information will be available, whether it is through Facebook or whether it is through any other social media. And I think our strategy has to be with an assumption that people know what the tools are available, people know what malware is available, people know what kind of security measures are there. And within that, how to encrypt or protect yourselves.
Robert M. Lee: If I could take a spin at that, I would say, especially in a time of conflict and shooting wars and not just espionage. I think the topic of personal safety is something we should think a lot about. And I think those type of actions are really important. I agree that that information is available somewhere, but a lot of these state actors, we view them as if they're one big state "the US, Russia, Iran", the country level. But the reality is there's a bunch of different agencies, a bunch of different teams and the person coming after you is not Russia, China, Iran, US. It's five to 10 people and a subset of a subset of the teams. So maybe somewhere in the government they have the information, but that team might not. And so when you're talking about personal safety, I do think limiting your exposure, especially in those type of environments, is a very wise thing to do.
Karen Tso: There's also an information war that comes up. I mean, we saw one specific example where I think it was a makeup artist in Ukraine who was a part of one of the areas of conflict and her profile was used against her in the information war by the Russians. So it's obviously another area to think about. But let's get some more questions. And I know that there's a little bit of interest here.
Audience member: So just on the cyber war, we don't have rules of engagement for a multilateral system to disturb – I understand your point Robert in terms of we need solutions but I also believe that we need multilateral solutions for that. So do you have ideas for engagement in cyber war, like rules of engagement, the Geneva Conventions for cyber war actions? I sit on a panel of the UN Secretary General on Effective Multilateralism and we're thinking about this right now. So that's why I'm just also consulting you. Thank you.
Josephine Teo: I think a number of countries are trying very hard to develop rules of the road that could be subscribed to by everyone. The United Nations has an open-ended working group, for example, where many countries have been engaged in multiyear conversations. But as Robert has also intimated, it's not an easy conversation. Obviously, there are very diverse interests, but I think we are making progress. As it turns out, Singapore is the chair of this current edition of the Open Ended Working Group. And at the very least (when the Swiss chaired it the last time round) there was a document that they could agree – what was some of the baseline provisions that everyone should be able to provide. Can this conversation be taken deeper and can we develop more robust understanding of how we would operate with each other? The answer is yes. Will we get there any time soon? I would say we will have to work very hard at it.
Karen Tso: Jürgen can I get you in on this? You're used to working across borders. We also have a situation there where we know that global cooperation has broken down. China is a great example where there's been trade wars. There's been concerns about the level of information shared between the Chinese and the West and how do you get around some of these issues as we talk about global cooperation?
Jürgen Stock: We try to be the platform where all these countries to some extent are coming together, despite all the differences in legal systems and political systems. Because one thing is quite clear, any gap we are leaving will be exploited by criminals. And we have seen that also during the pandemic, during COVID, how quickly criminals shifted their narrative to the new vulnerabilities of our societies. So any crisis that occurs will be exploited by criminals.
We spoke about metaverse earlier today here. I'm sure as we speak here, criminals are already preparing to use that as a platform for criminal activity. And again, there is no other choice – and this is why Interpol exists to provide that platform. Is it perfect? No, of course it's not. But on the other hand, are we successful here and there by bringing the players together, even those who have diplomatic problems (difficult to say in these times), yes, we are. There is I think there is no alternative to that. The internet is global and you need a kind of global kind of police force, or at least we try to bring the national forces, at least in some cases, together, that's our mandate.
Karen Tso: Let's take some more questions.
Yinon Costica (audience member): I'm Yinon Costica, I'm co-founder of cloud security company named Wiz, and we are working with multiple Fortune 500 companies. And what we've realised that the key to actually initiate improvements is working with the engineers that build the cloud applications. You mentioned that humans are the biggest failure. You mentioned that we need to train more. And just now we're seeing questions from people saying about exposed information and you didn't know what would be the outcomes in the long run. So my question to you is basically how can we enable more global education or awareness on cyber – one that can provide everyone with tools to assess their risk? My parents, for instance, they got an email saying we have pictures of you pay $1,000 to this address. And I'm like, that's nonsense. It's just extortion and ignoring it. But they didn't know. They were scared for two days. They had nowhere to go to ask that question. So my question to you, how can we create a global community to train and we raise awareness?
Karen Tso: Chander, do you want to talk about that?
Chander Prakash Gurnani: I would agree that nipping the problem in the bud is the right way. Because if you write a code which is secure and which has got enough firewalls in it, I think you're making it difficult for anybody to break into the code. So I think that's a fundamentally just the right way. Number two, I think we covered this point about education. There is no immediate resolution to that part, whether that education can be given to tens of millions of users now, because as we all know, the vulnerability is not only by one operating system or one piece of code or one tool. The vulnerabilities can come in from a smart city, a smart factory, or from a smart metering.
Whichever way you want to look at it and to prevent it, if you were to say there are two ways to prevent it: one is become a good citizen, so there is no crime or you put in enough police people so that there is no crime because people are afraid of the police. I think both of them are required. You need to educate, but it will take time. Until that time, I think some of us have to act as a catalyst. And I definitely would agree that people like you, when you write your code, try and make it secure. And the more we start as a community, start paying you premium because you deliver a secure code, I think that is the right way because people will learn that there is an economic benefit to secure code.
Josephine Teo: Can I just add to that two perspectives? One, I completely agree. Security by design should become a competitive advantage for you, if you are able to offer a product to the market that has got more security features built in, and then it should command a premium and people over time will learn that it is in their interest to pay for it.
But I would also say that I don't know that you need a global effort to get this going. I think as national governments, we all owe our citizens a duty of care, and it is in our interests to help educate our citizens to understand the risk that they are exposed to when they engage in the cyber domain. It starts from children in school helping them to understand that they can be exposed to online harms and how to deal with it. It can be, for example, in collaboration with corporates, in Singapore for example, Google has a very good programme. They help teach our school kids how to do simple things like have strong passwords.
But there are also different segments of the population that are vulnerable – seniors who are targets for scammers. And apart from strengthening our defences against scammers, there is also a lot of education that can be done by the government. This is sometimes police, collaborating with people sector organizations, civic, civil society. I think these are all efforts that can be taken at the national level and it should be in our own interest to do so.
Jürgen Stock: Right. Law enforcement needs the industry to help us get the tools to investigate cyber crime in that new virtual environment. We have a Champions League of law enforcement agencies who are well trained and well equipped, but of 195 member countries' police services, maybe 70% are not well equipped and not trained and very often they have nothing. So we also need the support from the private sector to develop easy to handle solutions to investigate that type of crime.
Robert M. Lee: I would agree with everything that's been said. I would just add again, to our scenarios and requirements discussion. I think the minister was talking earlier about distraction. Should your parents be worrying about the cyber attack, the takedowns, transformers and electric system? Probably not until they're operating them, right? So we come out all the time – we do all these cybersecurity things – I think as leaders we sometimes fail our communities in setting the requirements to start with, even at a business level. What do you need to worry about at this company? Set the two or three scenarios, the requirements you have, etc. that you need to care about. That company doesn't need to be prepared for every possible cybersecurity thing.
And we talk about education. Where do you start these days with cybersecurity? It's so broad. You cannot be a generalist in cybersecurity anymore – 20 years ago absolutely. Today, no, cloud specialists, industrial specialists, whatever, and we just say industrial and that's different from being a specialist in electric power versus pharmaceuticals. So I think setting the requirements, setting those scenarios and figuring out what do we actually want out of our communities other than cyber safe, cyber hygiene or whatever else you want to throw out that ultimately just gets this large peanut butter spread instead of actually doing things.
Karen Tso: We are out of time for questions. I'm so sorry. I know that there's plenty of interest still, but just 10 seconds each. What do you want to see happen in the next 12 months, Robert?
Robert M. Lee: I would like to see at an executive level, a better understanding of the operation technology risk that exists in companies and put some effort towards it. Take a path doesn't matter, but pick a path and realise that you cannot copy and paste your IT strategy into your power plant.
Chander Prakash Gurnani: From my perspective, including the policymakers here: focus on education, focus on people, focus on skills.
Josephine Teo: Cybersecurity is a wicked problem. You never get to solve it once and for all. It should never be an afterthought. It should always be a priority.
Jürgen Stock: Stronger, more institutionalised, public-private partnership.
Karen Tso: That was very snappy. Thank you so much Jürgen, Minister, Chander and Robert, we appreciate your time.