So good afternoon and welcome to the Global Cyber Security Outlook discussion. We are going to discuss probably what are the most important questions of our time. The cost of cyber attacks, cyber incidents are likely to reach six trillion dollars by 2021. But beyond just the numbers, brands, supply chains, stakeholders and markets are all going to be implicated. The citizen is at threat and this particular session hopes to unclutter some of the key trends and key developments that will impact the space. Now to discuss this, we have Jürgen Stock, Secretary-General of the Interpol, 40 years of policing, and he has created a whole new division under him that looks at this matter. We have André Kudelski, Chairman of the Board and Chief Executive Officer of Kudelski Group, Switzerland, and he's going to bring his expertise into this conversation. David Garfield, who creates niche products for governments and companies which respond to the cyber threats. His own company is Garrison from the United Kingdom. And Laura Deaner, the Global Chief Information Security Officer, S&P Global, USA. And let me start with Laura. Laura, do companies now internalize that they are the first respondents and probably the most important rule makers for cyberspace?

Yes, absolutely. So as a private company we know we have to have partnership. The public-private partnership is why I am on the Global Futures Council for the World Economic Forum. We know the importance of it and we know that we are heavily attacked as a private company, and a lot of our threat data can be used to help public companies, but also the marrying with government companies can also help, or government institutions can also help our own data to address any attacks that we have not yet thought of. So sharing of information and threat information is crucial and important.

Now I was asking you off stage, how easy is it for you as the CISO, as the Chief Information Security Officer, to get the attention of your Chief Executive or Chairman or the Chairman of your company?

Yes, yes. So at my company it's actually very easy because it starts at the top. Our board of directors have an imperative around cyber security. It's one of our top risks. We put a lot of efforts to formalize our risk appetite statements. Those go up to the board. I present pretty regularly. So it's not hard to get the attention. It's just what we're doing as a progress.

And how difficult is it to work with states today? With strongman politics? With leaders who want to control? Who want to survey? Who want to intervene? How do you create a public-private partnership model?

With strong woman politics. It's about collaboration. This is why I started talking about the public-private partnership and then the sharing of information. We have to be a community. We have to be able to share that data as well as best practices so that we're all living through addressing the attacks, whether we're talking about nation state actors or we're talking about criminals. We all have a duty and a responsibility to address it together.

André, let me turn to you. How are business leaders, and you are clearly part of this industry, responding to the gradual and creeping fragmentation of supply chains?

So fundamentally, you have to find some elements that are common. So more you are fragmented, more the combination of that is becoming something pretty difficult to manage. So you need to see what can be put in common and based on what is common to construct something. But now we have one issue: it is that, in many cases, things are not secured by design. And that is doing that rather than having something that from the starting point, from the beginning, is secure. We have to try to resecure something that is insecure.
And that you do by monitoring, by analyzing what are the threats, being able to respond very quickly if something bad is happening. And here, until we'll get something that is more secure by design, it will be a race and to where speeds of reaction and to be as proactive as possible is absolutely key.

Do companies working across the supply chains, and certainly the product vendors, do they understand the geopolitics around technology today?

It's absolutely mandatory. It's, you cannot drive a company and not drive strategy in cybersecurity if you have not a view that is a little bit, I would call, zoom back. Fundamentally, if you just look at the detail, that you don't see what is the neighborhood, what is happening more generally, you will not be able to be proactive. And one of the key elements to be efficient in cybersecurity is to be able to be proactive. So, first, you have to understand where the attack can come from or at least which type of attack you may face. And the fundamental element is to understand what are the motivations of the ones that are hacking. It may be economical, it may be geopolitical, but if you don't identify this element, it's much more difficult to address the issue.

Both you and David are in high growth businesses. As cyber attacks become more frequent, your businesses are likely to grow. Now, as you plan for your businesses in the years ahead, can you give us an assessment of what are the key emerging risks in this era ahead? If I was a business leader, what do I need to prepare for? How do I secure these new spaces around cloud computing, AI, blockchains? What is vulnerable today? What do you think is the most emerging danger?

Okay, I will start by taking that from a slightly different angle. You have two worlds that are competing. So, the world of the people that try to do good things and the world of people that are trying to do bad things.
And you have one fundamental difference, is if the world of the people trying to do good things is regulated in one way or another. So, one of the bad guys is by definition unregulated. Take an example, artificial intelligence can help to detect some intrusion, some attacks and so on. But the first ones that have used artificial intelligence are the hackers. And they don't need to have a charter. They don't need to limit themselves. As an example, with AI, you can reach much smaller targets as a potential target in a hack because you can do something that is automatized and that will not be profitable if you just work in a conventional way. So, fundamentally, technology is something that is available and the ones that will not use regulation as a hacker will be able to be efficient much earlier than the others.

Thank you. Jürgen, there's little consensus around the rules governing behavior in cyberspace. I mean, we've had a few attempts at the UN. One of them is still on. How does this complicate your life as the head of international police force tasked with keeping all of us safe?

First of all, thanks for disclosing that I have 40 years of policing. Everybody in the audience understands I'm not a digital native. So, we as many police organizations globally are struggling with fragmentation. First of all, we are struggling with a lack of capabilities and capacity. And we are still struggling with a lack of receiving information from the private sector. These are the three major obstacles, of course. As we all know, cyber crime is borderless by nature. We tell that. We explain that on any occasion. Rightly. So, purely national cyber crime doesn't exist. So, naturally, any police-related case or the judicial authorities have to deal with the case has international implications and very often not just to your neighbor country, but the next continent as servers are moving and everything. So, we know the situation.
Our system of law enforcement, of course, is still based on national sovereignty. And it's still based on national law. And as you said, there were some attempts in the past finding some common standards, but so far the situation is it works quite well if people know each other. If somebody in country X has a direct line to his colleague in country Z, then cooperation works. Then it's able maybe to secure information that is on the server and to bridge the time until an official request arrives. But the reality is to organize really a transnational organizing because of this fragmentation, because we have a lack of common standards, because we have a lack in a certain standard also legally as a basis for police action. And the situation is still, let's say, politically correct, difficult. Which means, first of all, we are only receiving perhaps information concerning maybe three, four or five percent of all the incidents that occur. It's still more the rule than the exception that law enforcement gets informed in case there is an attack. Secondly, organizing a transnational operation still difficult. Again, it works amongst those who have a good relation, who have built trust amongst each other, who have more or less similar legal systems. But the world is much bigger as we know. We have Interpol tries to connect 194 member countries. So this is very diverse. And again, also the fact that maybe 70, 80 percent of our member countries police service have only little or no capabilities at all to deal with cybercrime doesn't make our efforts easier. So this is again where

Can I ask you a quick question here? Do you feel that it's not only the private sector that doesn't share information, but do you also believe certain countries don't share information?

No, I mean, first of all, it's mainly the private sector, because that's where the information sits specifically for Interpol. So our mandate is only to deal with cybercrime.
If it's state activity or kind of state sponsored activity, we are out. So we try to find the overlap of interest between all the countries around the world. And interestingly, it works quite well. So we get all the big players or the small players to the table. Table means we can organize police action if we identify this common interest that we target cybercrime. For instance, child exploitation on the Internet, no dissent around the globe that we need to do something. And a lot is going on. Botnet takedowns, illegal dark nets, illegal the underground economy, illegal working places, that works quite well. But the main information sits within the private sector. So for us, this is the main source of information to start an investigation. The expertise sits in the private sector. And that makes it also in other crime areas, by the way, it's not totally a new model. But in the banking sector, if there is a bank robbery, there's a button under your seat or table. And immediately the bank would push the button if there's a bank robbery in the real world. Unfortunately, that doesn't happen. There is no red button. Somebody needs to take the phone. Somebody needs to know whom to contact. Somebody needs to know what is police actually doing. This is where we have to be better in explaining what are the consequences if you report an attack to the police in terms of what happens with your servers, what happens with the evidence, what happens with your workflows and what happens with maybe disclosing something to the public. This is where we have to be better as law enforcement to explain and to have a crime, the kind of crisis management with a private sector so that they know in case something happens. I have an emergency situation. What happens? Whom do I call and what are the consequences? And that makes again the cooperation with the private sector crucial specifically in finding cyber crime.

This is your second term as a secretary general of the Interpol. What are your priorities in the next five years for Interpol and for persecuting cyber crime?

I mean, it's transitioning Interpol into the digital age, so we do not only see technology as a threat of course. It's something positive, and specifically for law enforcement it's something positive. We have already to deal with big data. When I was a young police officer, of course, it was paper that we seized and analysed. Today we have huge amounts of data that we have to collect and to analyse, and we also try to use analytical software, artificial intelligence, all that provides huge opportunities for law enforcement to better investigate. So we need our own transitioning into the tech world of today and of course all in a certain legal framework. We take privacy really very honest. Also this political discussion, so where are the red lines for law enforcement which we don't want to cross to protect privacy, to protect the data of individuals, is something we take very seriously.

I want to come back to you with two questions. One is, of course, I want you to think about how does it change, or how does the work landscape change, when the private sector company is a state owned enterprise and therefore there are state rules that apply to it, and second, is it time for Interpol to start proposing positions around encryption and privacy debates that are happening around the world. I'm going to leave this with you, I'm going to come back to you. David, let me come to you. As a provider of security solutions in the face of constantly evolving threat landscape, how do you assess the race that is currently on between the attackers and the defenders?

Yes, it's quite a big question. I think in the grand scheme of things I don't believe we're winning the battle.
I think if we look at the numbers they sort of speak for themselves, so over the last five years the cost of cyber crime, the spend on cybersecurity technology, has gone up by roughly 58% to about $120 billion a year. At the same time the frequency of cyber attacks has gone up by 67% and the impact of those attacks has gone up by 72%, so all of the numbers are going in the wrong direction. We're spending more and the situation is getting worse. I think there's a huge, given that cybersecurity is such a broad topic, there are many many reasons for this, but I want to bring out a particular point around asymmetry, and there are multiple angles to asymmetry. So one point that creates asymmetry, it's a huge complexity of technology these days. Just to run a browser on an operating system you're building on about 60 million lines of code that are riddled with bugs. We saw an announcement from Microsoft via the NFA just the last week highlighting one of these critical bugs, and there are going to be plenty more of these, and the attackers just have to find one of these, exploit it, and they can get into an enterprise or a device, so we need to address that complexity. I think over the next decade there's going to be a need to go back to basics and technology and understand how we can make things simple in order to create our controls whilst enabling this great complexity, because the complexity is going to get much much greater. We've got AI, blockchain, quantum computing all being talked about in this forum, and I think we need to work out how we can enable the progress of these great technologies whilst ensuring the trust is still there, that we're getting the security that we need. I think the other point on asymmetry is what we talked about earlier: it's very easy to perpetrate a cybercrime from the other side of the world with almost total anonymity and very very little chance of retribution, and therefore that's further tipping the balance.
So I think as we look forward, as I say, I think there are a number of things we've got to do. I'm a technologist, I think there's a back to basics, I think we need to catalyse that. I also think there's been almost a resignation. I think it's been a very useful approach over the last 10 years where organizations have universally, basically, you know, tried to create a mantra that says it's not if but when you're attacked in cyberspace. It's allowed us to raise awareness at board level and to engage people, so you need to be able to deal with cyber attacks, but I also think it's a very defeatist attitude. We shouldn't be sitting here thinking, well, it's not if but when. We need to think, you know, what can we do better, what can we do to improve our fundamental cyber protections to keep the bad guys out in the first place.

You know, the numbers that you just cited tell me that it's a good business to be in if you're a startup. But my question to you is that do these small cyber security startups, companies, firms, do they have a role to play, or is it going to be the big boys with the vast networks and vast data collection capabilities that are going to prevent these niche companies to come up.

No, so I think it's a mixture of all of what you've just said. I think it's definitely an area of extreme innovation, and there are certainly the capital markets have got behind the innovation, so I think we have something like two and a half thousand cyber vendors in the world all coming to Laura to try and sell their products, and this is one of the kind of real problems in cybersecurity. Strangely for a cyber company, one thing I'm going to ask for is better controls from big business in determining whether or not a product is good or bad.
I think one of the issues we've got is we've got a huge race for innovation, and I think that's creating kind of liquidity in the capital markets to invest in these companies, but they're investing in things that aren't necessarily fully formed and aren't always really very well stress tested. So one of the things I think we need to get leadership from businesses in is to say, well, you know, given the numbers are all going the wrong way, is our spend effective. You know, what can we do to challenge whether or not, you know, in a large bank you might be spending hundreds of millions of dollars on cyber security protections. That's a huge amount of money to not know whether it's effective or not. So I think challenging these technology innovators to say, well, is this actually providing the security you claim it is, will be something that it needs to be transformed in the next decade. So your second point was about.

No, my second point I didn't ask you. Let me ask you, what about the human capabilities. I mean, you have these companies coming up, you have these, the threat landscape which is continuously growing and evolving. Where are the people. So are we investing in building, if I was to use a term from what one of the Indian ministers coined, cyber warriors. If we were to create a corner of cyber warriors you would need to invest in a certain kind of education and scaling program. Are we building enough capabilities.

So I think there's plenty of evidence that there are a lot of good initiatives out there. But again it's a very complex landscape. Cyber security isn't one thing. And so when we talk about how we've got capacity we mean lots and lots of different things. We need better analysts, more analysts and threat intelligence professionals. We need people who can design architectures better. We just need engineers who can build better products.
But one thing that we were talking about earlier was even at the leadership level, what's been dramatic over the last 10 years is, 10 to 15 years ago cyber security wasn't a term learned by the board. It was a back office activity. There was a guy called Bob somewhere in I.T. that did something to do with security. It was right next to the pantry room in most. Exactly that. And what's happened over the last 10 years is it's become a board level job. You know, you have a C.S.O. or a C.S.O. advising the board or being part of the board. I think what that means is that, you know, we need to support many of the C.S.O. in the world to better understand business, so that, because this is no longer just a pure security activity, this is a security and business expertise that you need. I think we also need to educate the board and the non execs on security in the same way that almost every company is now a technology company and the boards had to learn that. I think there's also a transition to the board having to learn security.

So Laura, let me come to you with this. I think this is a question right for you that he's put up to you actually as a C.S.O. and probably you're the only one here in Davos this time. How do you manage to influence a not to know I met plenty of other C.S.O. so how do you manage to influence a company's cyber security culture. I mean, that's the point he's raised here.

Yeah, absolutely, absolutely. I appreciate all those points. I think making security more participatory, right. It's not something that is an IT problem, to your point. It's a business problem and you want everyone interacting in it and you can take it home with you. It's also a personal thing. You don't want your identity stolen. And so when you're thinking about security at a company, make it fun. Don't make it about these horrible compliance videos that you have to take. Make it not just about phishing simulations every single month.
Make it about something that you can bring back to you personally. And most importantly, what we like to do is make it more about responsibility. We have this deficit obviously of cyber talent. Upskilling is an option, relaxing some of the requirements of requiring a computer science or computer engineering degree, taking some very good critical thinking and problem solving and turning those folks into cyber warriors, to your point, is something that you can do. And if you don't want to do it as just a cyber security function then it's okay to have developers doing secure code. That's okay too. I'm performing hackathons or, you know, having everybody together just to purposely break an application from a security perspective means that everybody's learning, again, more to a community respect. So not just about the cyber security people but about everybody learning how to do cyber security themselves.

You know, when we were part of a global commission on the stability of cyberspace and some of us, a multi stakeholder group, were discussing ways in which we can incentivize stakeholders to secure network, secure digital facilities. One of the ideas was that let the market do that. And they said there are two tools markets normally have, one is ratings, other is insurance. And those are two important tools to in a sense incentivize better behavior. Is that something that you guys believe is necessary.

There's actually a really great paper that the World Economic Forum has produced with Eloise. I don't know if Eloise is here. It's incentivizing cyber security for the markets and there's a lot of really great principles in there. You know, very basic things, thinking about your security posture just in general, having it to be more of an executive thought, the board, the CEO, everybody thinking about it, adopting just some very very low touch standards. You know, not just having a CISO, you don't have to have a CISO, everybody can think about cyber security.
It doesn't have to be Bob the IT guy in the basement or the pantry. It could be everybody thinking about it and then just adopting different practices so that you can perform cyber security posture at a baseline level, and insurers. We were actually on a great panel yesterday here at Davos where we talked about insurers having a stake here because of some of the crime data that they may be underwriting on. So that is a treasure trove of information for all of us here. If we could take advantage of a taxonomy and think about that information then there may be one way of leveling kind of just the baseline field. So it's something that we have been thinking about at S&P. Martina Cheung had talked about it last year at Davos.

And what about rating geographies and companies and countries, like you have financial ratings you have cyber security ratings. And yes, you know, is that something that's being considered.

Yes. So we are thinking about that. Now I know we just spoke before we came on. It's not something where we would fault a specific company, but as your point was earlier, security needs to be infused in education. Everybody has to be thinking about security. We can't just say don't fault a company because they haven't thought about security at all. There has to be some incentive. And if the incentive is I don't get breached. And I think that's a good one. Right.

And do you think increasingly this will become a marker for investments, for credit ratings.

Yes I do. Yeah I do. And we actually saw a downgrade of Equifax for instance by our competitor Moody's. So they downgraded Equifax and Equifax has been dealing with it since then. They've been doing a phenomenal job of dealing with it. So this is a way of incentivizing.

Great. So I asked, I left two questions with you. What happens to Interpol's capabilities to work with private enterprises when they are owned by the state. And I'm not pointing to any country. There are many countries which own enterprises.
But how does that complicate or, you know, make it more complex. The conversation.

If I may answer the first question. I mean, it's not making things complicated. We are rules based organization. All the activities are based on the rules of processing of data, which is a very complex system, and everybody has to follow the rule. This is the condition to use the Interpol global network for any kind of activity and wherever the information comes from. So this is not necessarily making anything more difficult for Interpol. This is not.

And is Interpol now ready to be part of the policy prescription process. Are you, based on your years of experience persecuting cybercrime or best practices, ready to share ideas for the emerging digital policy landscape.

No, not completely. Of course we are historically not designed to fight such a dynamic crime type that really requires us for instance to have a much closer cooperation directly with the private sector. Historically Interpol was designed in a way that all the information we receive goes through a national so-called central bureau. So the National Central Bureau received the information from the private sector and is passing it to Interpol. That has changed, that's much too slow to address the situation around cybercrime which is fast fast speed. And of course we need to have what we call real time exchange on critical information. Again, in the years where Interpol was designed we had time to collect evidence. So you could maybe go to the prosecutor, to the court, then to the embassy, then to the next country. So we had time. Today, evidence is volatile. It might disappear within seconds or at least hours. So we need to have a direct contact now with a private sector. We are currently discussing it with our membership. Of course we have a pilot going on, cyber, our cyber capabilities are based in Singapore and now with some satellites and other parts of the world.
And we have a pilot with almost 20 companies where we, from the IT security arena, where we directly share relevant strategic information. If it is person related that's a different story, different rules, but at least to get that global threat picture. So and this is just the way in which we have to further develop our business model in cooperation with the private sector. So much more dynamic, much more close and direct. So we have been developing a kind of desk by desk approach where we sit together with people from the private sector IT security companies every day and exchange strategic information, and in cooperation with member countries we can translate that into operational information that leads to investigations. But a new dynamic is required. And of course a new set of rules and regulations, because we are transparent, we want to be held accountable for what we do. And any police case hopefully will end up at a court. So there's scrutiny on what we do.

André, you're part of the Global Council on shaping the future of cybersecurity. You're also someone who's a 30 year long experience in this particular segment. And I was speaking to one of you earlier. And the idea was that one of the best responses to technology threats is better deployment of technology. My question to you is how can we use emerging technologies to actually counteract the threats emerging from technology themselves. So how can we use AI, blockchains and other.

So the first element I would like to insist is that, and that's back to the discussion before, cybersecurity, it's not one size fit all, you have a toolbox. And what is interesting is that in the toolbox you will try to use the best appropriate toolbox tool. So fundamentally if you have a new technology, faster you can use it in the way your response to cyber threats, better you will be. Now one element that is extremely important is to be able to act at internet speed.
Taking back the elements, if you have a crime in the real world you have some trace and you are able to work with the tool that you used to have. In cybersecurity speed is absolutely of essence. The speeds when you react but also the speed at which you introduce new type of tools. Take an example of AI, and here you don't need to be automatically, if you are just doing surveillance, you don't need to be automatically 100 percent right. You need to be able to detect what is happening. What you need to be 100 percent right is in the way to resist against an attack. And here there is another asymmetry. Someone that is hacking needs to be just one time right because he will be able to enter the system when he'd try. When you have to defend yourself you have to be close to 100 percent secure. But on the other side, when you are trying to monitor what is happening you may have some new tools that will give you a percentage of confidence that do not need to be automatically 100 percent because you will cross check with other tools to see what has exactly happened. And fundamentally it's a funnel of different alerts that you have in order to really realize what is happening. And in this new tool you have naturally AI. Now if we come to blockchain, blockchain is a pretty interesting technology not to monitor what is happening but fundamentally to have elements that are secured by design. Now one thing you have to be careful, it's not because it's blockchain it's secure, because you are also able to do mistake in implementing and you may have some things that is blockchain based but that can be completely insecure. So it's not because you have a great technology on the plate that it will be automatically secure.

David, let me ask you a question. You serve both the government and the private sector. How different are conversations that you have with these two.

I think it's absolutely fascinating and it comes back to a point we were making earlier about demanding better.
I find it incredible. I sell a product. It's a fairly straightforward product in that it's trying to create extremely secure access to the web so you can benefit all of the richness of the web. I sell that to governments, secure parts of government, and I sell it to the private sector. When I sell it to secure parts of government the experts there will want to pull my product apart and they won't want to do it over a day. They'll want to do this over many months, putting many years of effort into it, and sometimes many many years as well. One process I've been in is three years long now. When I go to the private sector and I take my product, exactly the same product, to a bank and I try to put it into the bank, to kind of take it to an extreme, they broadly speaking take my marketing collateral and build their confidence based on that. But they may do some small automated testing. They may spend a few thousand dollars just trying to do some basic checking, but they've basically taken it on trust that I've created my product to that standard, which I don't think is a valid way of determining whether or not your spend is going to be effective. You know, there are so many products out there that I don't think are exactly living up to their marketing standards and therefore I think, you know, it's a strange thing for a vendor to do, but I do call on our buyers to challenge us more.

And are you beginning to see the emerging part of the world, the new digital economies, investing in similar solutions.

Yeah, so I again, I think this is where the digital landscape is democratized things quite dramatically. I mean, there's no barrier for one kind of nation against another, and also I think there's the opportunity to leapfrog. So if you have a kind of Greenfield site, you're trying to build your infrastructure and it's a lower base. You haven't got the essentially the tech and security debt that you may have created in more complex, more advanced places.
And therefore you have the opportunity to build security in by design. And I think what we're starting to see is, in some of the big flagship programs around smart cities etc., security has been talked about from day one. I'm going to ask all of you a question and you can all come in. In fact, two questions. The first would be that we have seen in the last one year two trends that are pretty secular around the world. The first of course is governments are finding new ways to control the flow of data. Some have also gone to the extent of enforcing data localization. And what does that do to the security landscape? Does the lack of access to data weaken the response to cyber threats? That's one proposition. What does data localization do? The second of course is governments around the world are beginning to focus on the individual. So from the GDPR to the Indian experiment on privacy to the California law, we are beginning to see the individual become more protected by legislation. And what does that do to this business of cybersecurity? So who wants to go first? I want to pose this question to all of you. I mean, I can start by saying it was quite easy. Again, we have rules based organization. We need the rules to access data, to access information. So both on the national side and on the international side. And again the current problem is fragmentation. So it's not only that we need these rules and regulations on the national level, we need a kind of international standard. This creates another level of fragmentation. Exactly. Exactly. So that's the basic issue. But fundamentally this fragmentation is adding complexity, and usually if you want to have something that is really secure you need to go for simplicity. So that is not automatically going in the right direction. On the other side, you have to measure two things. One element is what is your weakness. And the second element is what are the consequences in case of a breach.
And for example some of the rules and regulations on data privacy may limit the consequences if something bad happens. For example, if you have some rules that say that you need to erase data after a certain period of time, then there is no longer anything to steal in some cases. But just to say that there is not a straight answer to that, but that is really adding one extra layer of complexity. David. Yeah. So control of data potentially between nation states etc. So I think that has multiple effects. I think it has an incredible complexity for global businesses. How on earth you maintain that complexity. We already have many of those problems but you're just compounding that dramatically. But by the way, most of these localization drives by countries are to enhance cyber security, national security. That's the word, you enhance national security and control. I think yes. I think the other piece is that if you are going to control those boundaries and particularly the flow of information, particularly to the citizen, you're going to find that citizens are quite innovative and will use technologies in innovative ways. And I think you might drive some behaviors underground and you might find things pop out that you don't expect. Yeah. So you know, I think the protection of private data is a crucial and paramount thing. You know, I agree we do need some kind of national way of doing it. We need more of a baseline standard or something along those lines. Something with some taxonomy so that we're all speaking the same language about what private data is. I think that's some of the challenges with the local regulations, is what private data might mean in GDPR. I think everybody can make assumptions by whereas in California they might be very specific. So I think we need that national understanding and taxonomy for it to work properly to protect private data and localization.
Yeah, localization I think is necessary in some cases but it has made it quite challenging, especially from a technology perspective. We want to be innovative but we're hindered to do so if we are only allowed to use certain vendors, for instance, in a certain region because it has to be localized there. So now you have to add one extra element: if you take also an approach that is agile and where you have speed of evolution, that is extremely important in the internet age, you need to be able to adapt yourself very quickly. If you add the speed with the complexity, the probability to make errors may be higher and that is something that you should take into account. Before I invite William Dixon, head of delivery, private sector, at the center for cyber security from the World Economic Forum, to sum it all up and conclude the session, let me pose one question to all of you, a quick fire round. One good or one bad thing that could happen in 2020 in the cyber security space. Andre. One of the most terrible things would be a hack on a hospital or some critical infrastructure that can really harm operations and with some casualties. So fundamentally, with the internet being more and more interconnected with the real world, we can have really bad things happen. Now in the positive, if I have one dream, it is that we have a real good example of a secure by design, how to say, solution. Good thing: our cooperation with the World Economic Forum Center for Cyber Security. We are talking a lot about the next generation of public-private partnership. So developing a concept until the end of the year how such a next generation looks, that's the positive thing. The negative thing would be a successful hack into our data. It would be very, very negative for the trust. I agree. Have you just raised your sure. So I mentioned the Global Future Council. My co-chair Belisario Contreras is actually behind me, not on purpose. So we are actually working with the World Economic Forum to form a sharing alliance.
So we're hoping that that will actually help. That's the positive thing. I'm not going to say a negative thing. I'm just going to stick to positive. Okay. On the negative thing, I think we've had a near miss with Microsoft vulnerability that came to space. I think it's inevitable, given the frequency with which those vulnerabilities come out, something else will happen there. And the extreme would be if that happens with a mass implication. I think the positive thing would be a move, a pendulum swing back away from a key focus on monitoring and detection and back to fundamental protection; after all, prevention is better than cure. Great. So with this, let me hand it over to William to wrap up the session and perhaps to also share his thoughts on what this new alliance is likely to do in the days ahead. Thank you. So I'm William Dixon from the Centre for Cybersecurity. And I think the overarching themes over this conversation as well as the conversations over the last few days is cybersecurity is a shared challenge. And it also is a shared responsibility. And that actually offers real strategic opportunities for building trust in the ecosystem. I think the panel reflects the diversity of actors that you need to be able to build collective resilience and actually in the future. And now we've got real strategic issues to deal with as a community, from collective attribution, building collective resilience in key industries, as well as how we incentivize next generation technology and the skills and capabilities that we need. And I think the kind of overarching theme that I've heard is the time to act is now because next generation technology, adversarial use of AI, the role of quantum, the potential of physical convergence of infrastructure in key industries that might take cybersecurity from an enterprise risk to a public safety risk is coming.
So when I think about the last few days and what I've heard is I'm excited, but I'm also asking that we need to act now and that the incentive to act is now. So in the closing remarks, I think on behalf of the center, I'd like to thank our panel for the very interesting discussion, as well as the last few days, all the interesting discussions we've had on the strategic topic. And thank you for joining us today as well. Thank you.