 Hello, good evening, good afternoon, good morning. I'm Amy Bernstein. I'm the editor of Harvard Business Review. And I want to welcome you to our session. COVID-19 dramatically increased all our dependence on digital technology. And at the same time, it increased our vulnerability, all of our vulnerability, individuals, businesses, and government alike to cyber attacks. This session aims to examine the lessons of the COVID-19 pandemic and to identify ways to better prepare for a future global cyber attack and to respond to it. What policies, practices, and partnerships do we need to prevent a global cyber pandemic? So before we begin, let me just describe the flow of this session. It's associated with the World Economic Forum Center for Cybersecurity. And it'll be 60 minutes in length and divided into two 30-minute parts. The first part of the session is going to be live-streamed and open to the public, while the second is a private discussion limited to forum members and forum partners. With us today is Jürgen Stöck, the Secretary General of the International Criminal Police Organization, better known to all of us as Interpol. Mr. Stöck has initiated changes in four key areas to improve core business services to police, establish strong partnerships, embrace innovation, and strengthen governance structures and mechanisms. Welcome. Also with us is Michelle Zatlin. She's the co-founder, president, and chief operating officer of Cloudflare, a web performance and security company that was named to CNBC's Disruptor 50 list. Michelle is also a young global leader for the World Economic Forum and has been named one of the top 15 women to watch in tech by Ink Magazine. And finally, Ken Shi. Ken's the founder, chairman of the board, and CEO of Fortinet. Ken is a cybersecurity expert and entrepreneur, and he has built three cybersecurity companies that have shaped the cybersecurity industry. Thanks to you all for joining us today. So let's kick off. Pardon? I just said it's great to be here. Sorry, I mean, I feel like you're just to acknowledge we can all hear you. Oh, terrific. I'm glad you can all hear us. And now we're all having the universal Zoom experience. So let me start with you, Jorgen. After observing the last year's worth of response to the pandemic, how did that change your and Interpol's work and your way of thinking around ensuring global security? Yeah, thank you very much, Amy, and fellow panelists. And thanks also to the World Economic Forum for organizing this panel. Yes, indeed, the global pandemic has had also a lot of impact on Interpol's work. First of all, my colleagues and me, we also spend a lot more time in home office. We try to continue digitalizing all our work. But of course, frontline police work had to continue in all our 194 member countries. And we tried to adapt to a very dynamic situation, a dynamic situation, which I have never seen in my 40-year career within the police. A virus actually traveling, spreading around the world, and criminals directly following, quickly following. Criminal global enterprises trying to exploit the new vulnerabilities within our societies. Ransomware attacks, for instance, even on hospitals, on laboratories, online scams in regards to the medical devices, our personal protective equipment. So a very dynamic situation, and it seemed to me that what we are experiencing is a kind of parallel pandemic that goes on. So a cyber crime, pandemic parallel to this kind of biological pandemic. And of course, we immediately started thinking about what can we do to support our 194 member countries in being prepared for what has been starting in one part of the world. But obviously, very quickly, it was spreading all around the world. And so monitoring the situation and ensuring that we have a coordinated response, that was of utmost importance. So I think in these times, the world needs strong coordination to facilitate the cooperation that is needed for the biological pandemic, let's say it is the World Health Organization. And for the criminal pandemic, the pandemic of cyber crime, it's interpolated since almost 100 years uniquely placed like the WHO to fight and to coordinate the activities to fight the global pandemic in regards to cyber crime. And that is still our major challenge. And that is what is now still dominating the day-to-day work of Interpol. So we hear that this is not the last pandemic will suffer. So as sure as the next one comes, the next wave of cyber crime will follow. How are you preparing for that? What have you learned in the last 10 months that you're going to take forward, Jürgen? I mean, in these days of a virtual World Economic Forum meeting, we are talking a lot for very good reasons about strengthening our partnerships. Some people were talking about unprecedented, an unprecedented level of cooperation that is needed. And that's exactly, I think, what is the challenge. So building on all the work that has already been done and building on the original spirit, why Interpol was created almost 100 years ago, already recognizing that criminals, of course, are trying to exploit the opportunity to travel. And that this is now, let's say, that this now has reached, let's say, the next level with the internet, the fourth industrial revolution. So the opportunity to attack systems anywhere in the world from any place without leaving your home or your apartment, this unprecedented level of patterns of attacks and opportunities to attack our system, whether it's companies, the industry, whether it's critical infrastructures, like hospitals, for instance, currently, whether it's our private computers, our mobile phones. And again, these opportunities for criminals, as we all know, are only increasing as the world is becoming more and more connected. And I think this is the challenge, indeed, building on what already exists to strengthen our partnerships. Within law enforcement, of course, Interpol is, as I said, perfectly placed to unite the law enforcement in 194 member countries. But it's also building more bridges to the private sector, because this is where a lot of information sits. This is where the expertise sets, Fortinet, can one of our major partners on a global level and also further building our structure on the global level. Together, for instance, with the World Economic Forum Centre for Cyber Security, I think this is the way where we have to transfer that level of cooperation on the next level to do it more systematically in a more strategic way and connecting the islands of information that still exist, working against the fragmentation that still exists because there's a lot of good things and important things going on on a national level, on a regional level. But we nevertheless have to more strongly and systematically connect these individual dots at the national level, at the regional level, and of course Interpol, our role is to do that on the global level in a well-coordinated way, in a better coordinated way specifically with the private sector, with NGOs, and that's exactly what we are doing currently and what we need to continue doing to deal with the current crisis but also to be prepared for the next kind of cyber crime pandemic or any other topic, not to forget international terrorism, not to forget organized crime, because these are also global crime phenomena that can only dealt with on a global and on a well-coordinated level. And again, this is why Interpol exists and I would like to say more important than ever that role we play. Michelle, question for you. You're the president of a multinational company and like everyone else, you've seen this, this digitization of your business and everyone's business happened seemingly overnight but it's been going on for the last 10 months and I wonder what systemic risks and vulnerabilities has all of this exposed? Yes, well, there's so many things that Juergen mentioned that really resonated with me as well that we've seen here at Cloudflare the last 10 months where all of a sudden companies found themselves instead of having one or two or three or maybe 10 offices to having the same number of offices that they do employees because all of a sudden their employees were all at home and our homes became our offices. Even before this panel spoke, we were all remarking about that. And if you think about how much time and resources and budget companies and corporations put into securing their corporate networks and then you add to all of a sudden their employees are at home, that same level of investment has not been there. And so what it exposed was these home networks became a weak link in a potential attack vector and we saw attackers take advantage of that. And so it's both the internet connection that all of us are buying from our homes but also finding those old laptops out of the closets and letting their kids connect or maybe letting their kids use their work laptops to be able to do their schoolwork, right? And going to find those old tablets or cell phones, whatever they were and connecting to your corporation's network. And that became a weak link. And so a lot of IT teams have had to scramble to hold that together. They've had to find ways to patch solutions together. And I think that as we start to return to a post COVID world now that the vaccines are starting to be distributed I think we all expect some, the level of working from home to remain in some regard. And so thinking through, how do we ensure employees home networks or as secure as an in-office network is actually gonna be a really interesting opportunity because this is not gonna go away. The last two months just exposed how important that is. And there's a lot of research that shows that there's been a rise of attacks through this attack factor. So that's one. The other one that I would say is that a lot of corporations use hardware to help solve the solution or they've used VPNs to help solve these solutions of employees from home be able to access their work when they're traveling but everyone's at home to be able to access these workloads. And in many cases these VPNs weren't designed for so much load all at once. It was overnight. They had to went from a little bit of usage where some portion of the employee base might have been traveling like an executive might be in the snowy mountains of Davos this year it's virtual but last year it was in person and they were using the VPN but all of a sudden now everybody was and the persistent connections they didn't have the capacity and a lot of those VPNs fell over. And so a lot of IT teams have had to strengthen that to ensure that in a post COVID world with more flexibility if there's more of their employees connecting outside of the office network ensuring they can access the workload in a fast and reliable and secure way and expecting higher volumes than they did before. So those are two that really come to mind. So the smart betting right now is that when we return to normal it's not gonna be the normal of 2019. It's gonna be a hybrid normal. How does that affect your thinking about these new attack vectors and the inability of most corporate VPNs to handle the load? Does that, does the added complexity change your thinking at all? Well, I, this is very self-serving cause it's one of the things our company does and we're not the only company there's lots of amazing corporations out there helping to solve the solutions but a lot of the cloud, cloud-based security solutions help solve a lot of these problems and they make them a lot easier to solve than they were 10 years ago. And the reason why is that in the cloud you can process a lot of large amounts of data. And so it's easier to solve this. And so again, this is from my lens which is a company that I run and I've built and we just see it. So Cloudflare, we run a global network where in over a hundred countries around the world 200 cities we run our service and that means whether an employee is connecting from their home in Nigeria or in Boston, Massachusetts you connect to the closest Cloudflare point of presence and we can make the experience both fast and more secure and more reliable for that employee on behalf of the corporation. That didn't exist 10 years ago, that ability. You had to go back to one single point. So a lot of these sorts of things were very slow. And so I do think that the rise of the cloud-based solutions have actually made some of these coordination problems easier, the same on the VPN side instead of having one or two VPN locations and inside a corporation, you can now run it in 200 countries around the world and all of a sudden it scales really eloquently. And again, that's something that we do as well as many other vendors do as well. And I do think that's the future. And so I guess the silver lining that I would say from all of this is even though the last two months of exposed weaknesses and companies can't not take those seriously I do think that there are better solutions today than five years ago and they'll continue to be better solutions over the next five years. So if you're a corporation wanting to solve these problems I actually think that there are much better solutions today than just 10 years ago. And that is a silver lining. And probably the pace of development of those solutions is really speeding up. Very much speeding up actually. And so, and I'll just give you one example where we, again, so we saw some of these VPNs falling over and it makes sense, it's fine. And so we had a cloud based solution and we offered it at no cost to organizations for six months and the adoption was very quick. And so there were a lot of businesses that were able to pivot very quickly. And as a result, our product got a lot better too because there was a lot of feature requests and we were able to innovate on it very quickly. And so if I look in our just 10 months from kind of when we offered the product to the end of the year, there was so much innovation and the team at Cloud for that worked on it was very proud and our customers are very happy. And I think that is a good side of technology. Those are the good stuff. Those are the positive innovation stories. That's kind of what entrepreneurship is built on where you can say, wow, there's real need in the marketplace. Let's go build a solution or respond. And we're really lucky that we are able to play a small role in helping to do that. Yeah. Before I go to you, Ken Shi with a question, I want to remind our audience that they can pose their own questions to our panel via the chat function. We'll find that. I guess it's the bottom of your screen there. So Ken, let's talk about the board response to these twin pandemics, but definitely security. Amy, can you hear me? I see the picture freeze a little bit. Okay. Yeah, the cybersecurity definitely become a topic in the board level. And you can see its impact is also very big and that can be impact the company business, the customer and the partner level. Also, that's the reason like the solar wind security issue. And on the other side, nowadays, since the pandemic, a lot of people starting working from home. So you can see like Amy said, our tech surface increase a lot. So it's no longer just protect the data in the company. Now a lot of data, whether it go to home or go to the cloud or go to a lot of different device. So all this need to be protected. And that's making whether the security company or the company leverage the connection to the business become kind of more critical to protect their data, protect their value. So that's what the board, I believe the board also need to view this not only it's critical but also it's a long-term investment. Whether you mess in the infrastructure, make sure they have all the connectivity and where to work on home or do some connect with other device. All the kind of educated people, educated executive employee make sure they understand the importance of cybersecurity and also driven the partnership also very important. Like Eugen said, in this space, we definitely need to be more partner together to bring down the cyber criminal. Like last week at the press release, whether from Interpol or Europol, bring down the biggest boat night, they call the EMOTED, which is really the biggest boat night actually during this pandemic and take a lot of company whether using ransomware or some other kind of take the information. So that's where a lot of party need to be working together. Sometimes working from the board level to make sure they can partner together to really fight in all this cyber criminal, cyber security issue. So it used to be that cybersecurity was sort of the province of the CIO, the sort of the tech function within an organization. Have you seen that move outside the tech function? It's obviously a strategic risk. How are organizations and particularly boards thinking about this, Ken? Yes, whether the CIO, CSO, but also you can see the cyber security as a percentage of IT spending also keep increase. Like the one I started footing at 21 years ago is probably only one to 2% IT spending go to security. Now probably over 10% now. So we can see it's a bigger money, bigger budget. So need to involve in higher level multiple department to involve. The other part we see also we call the security driven networking or security whole infrastructure. There's no longer like just the endpoint security which installed the Android software on a laptop machine now your mobile device, right? And also it's not just everything like application go to the cloud. And also there's a network security and that makes sure how to secure your home connection whether the 5G or the SD1. All this have to be working together. That's what we said. We integrate working together, automate together because you look at cybersecurity industry pretty interesting like the endpoint security company they probably don't do much network security. They also probably not do a lot of cloud management. And then that was security they really don't evolve much of whether endpoint or some other part. And then the cloud company probably not do a lot of networking on endpoint. But in order to secure the whole infrastructure you need to have all this working together, integrate together, automate together. So that's probably need to have a more partnership whether on the technology product level or in the company high level whether from the board or CEO or CEO level. Okay, we're gonna take some questions from our audience and just to remind everyone please chat them in using the function I think at the bottom of your screen. So the first question comes from Julian Weissenberg and I'll throw this out to the panel. How should organizations handle the vulnerabilities they identify? How best to handle the unexpected in cybersecurity? Who wants to jump at that? I can try because we deal with this every day. So you can see us more like how we handle the COVID-19 pandemic, right? So you need to first isolate the issue and make sure blocked all this since spread out to the other part of the nation. And then also if you have certain like vaccine of software you can fix the issue in the device level you will try to do that. But otherwise you also try to kind of see how the infrastructure part you can prevent all this go kind of do more damage. And so that's where the remediation and how I think the first step always try to detect and then remediate. And like I said, also we kind of need to make sure infrastructure is strong enough fortified whole infrastructure. Make sure they can resist on a lot of attack because you can never avoid any attack. You just try to see how you can respond quickly. You can get strong yourself and make sure to email some of this attack. Michelle, I wonder if you have a word. Oh, go ahead, Jorgen. Oh, no, sorry. Sorry, just two brief points from my side. It's a tech topic, no doubt about that. It's a topic of having recovery plans, business continuity plans in place, but it's also don't forget the human factor. It's still, if you take the example of business email compromise, for instance, the critical factor is staff perhaps not having the awareness how attack patterns look like. So the training of staff, continuous training of staff is important and have a line to your responsible police office in your neighborhood so that in case something happens, you have a direct line to the police that they can take action because I can mention the example of EMOTED. Global law enforcement can be successful against these criminals if we work together with the private sector and if we receive the information we need to start an investigation. The other thing I would add, and I agree with all these sorts of things, is the best organizations that do this have a plan and it's almost like they know where they are. Even if they give themselves low marks and they know where they want to get to and they start to make progress there in a systematic way. And so when something unexpected comes up, you look at your priority list and you say, where does this fit? How big compared to all the other things that we already have a plan to do, the most vulnerable organizations don't have a plan and they don't even want to talk about what grade they would give them in the different areas. And so really to be in the top, you just need to start with a plan and kind of go through with your leadership team and saying, where are we? How are we? If something happened, how would we respond? And you start to kind of march through building a plan and making progress and you look back after one year, two years and you're like, wow, we've made a lot of progress. And so when things come up, you're in a better place to remediate and respond, which I think is really important. And I couldn't agree more about what you're getting said about your question Amy about how it's certainly not just the chief security officer's job. It is the whole company's job. And the more that you train your employees, all tides rise and actually it's not even employees, it's citizens. We need better digital citizenship. And actually if everyone becomes better digital citizens, the whole world gets stronger from this. And so you can't just relegate this to your security team. It's a business topic, it's a team topic and really it's a digital citizen's topic. I love that, the digital citizens, it feels like a HBR article waiting to be born. This question comes from Kelly Bissell. How do we reduce the risk of a cyber pandemic? Today we have higher risk of third party problems. We have higher cyber crime and indisputably. We are innovating faster than we can secure our own networks and our own technology. We cannot do the same things we've done for the last 20 years. How do we solve this huge problem? Who wants to jump on that one? I can try again. Like I said, it's the whole infrastructure need to be secured and not just a part of it or certain application. That's what we call the secure driven network. And I'll just make sure we cover all the tech surface because definitely from the technology they bring more connection, more device online and more data go to the internet and sharing all together. So that's where make sure you can embed it, you can build it all kind of security in the mind. And at the same time also needed to more training to the public and whoever using the internet make sure they have all the basic cybersecurity training they can understand what's the risk and how to protect themselves. The other thing that would add to what Ken said, if you think about, it's a good question Kelly what do we have today that we didn't have 23 years ago? So we have way more people connected to the internet and we have way more cyber crime and attack vectors that way more than 23 years ago. On the flip side, we have much more machine learning AI technology, we have cloud technologies that actually make the coordination of the data of these attacks much easier today than 23 years ago. And I just think that's a huge asset to be able to protect corporations against this. That just didn't exist 23 years ago. 23 years ago, each corporation, each small business each nonprofit, each government were trying to figure out, build their own profile they weren't trying to tell anybody about cyber crime they were just trying to do it themselves. But today there's a coordinated model. There's a way to coordinate this information that the attack data among the private and public sector you use machine learning, you use AI and the technology actually makes it much simpler when you have a lot of those data points and actually the more devices connecting makes the problem easier, not worse because you have more data points and we all know ML and AI works better with more data points. And so I'll just give you highlight this for the audience. So my company, we're 10 years old. We're a relatively, it depends on which way if you're a startup, we're a huge company if you're a big multinational which many people who come to Douglas are then we're a tiny company. We're about a 20, $25 billion market cap company just to give you a sense, 10 years old. And with our technology which uses AI and ML and cloud we protect every day on behalf of our customers we have over 3 million customers around the world 76 billion cyber attacks daily and we're a relatively small company and it's the technology that's doing it and it only works because it's cloud-based we take all the data and we create a really strong kind of bodyguard to protect the networks, the internet properties, the employees access and it works and that didn't exist 23 years ago. And so I do think that there's very real reasons why it's easier to solve today than 23 years ago which is a good news. It's not solved. So we can't let our guard down. There's a lot of work left to do and there'll be a lot of other terrible hacks but I do think we're in a better position today than 20 years ago. Yes, you can go ahead. Yeah, only three brief points and linking to what Ken and Michelle have said. I think every day more than 300,000 new variants of malicious software are released in the internet. I think and also what Michelle that shows the dynamic and the need to share that information on a global scale. So what Interpol has been doing is starting developing a global early warning system together with major global industry players in our global complex for innovation in Singapore systematically collecting and sharing that information on a global scale because we are talking about global pandemics that's needed. Second point, cyber hygiene. We all have to apply a better cyber hygiene. That's a matter of education training and the last point, security by design. So whatever product is developed and released in the market security by design needs to be a feature from the very beginning. Okay, that is a great note for us to end this part of the conversation on.