Good evening, everybody. My name is winvo and I'm the head of the School of Security Studies here at King's, at least for the moment, and then I hand over to my successor. Welcome to King's, welcome to Bush House. It's a great room; we do a lot of events in here, which is fantastic. It's a big week of events for us at King's: the big Defence of Europe conference yesterday, and today's cybersecurity series. [inaudible] for cyber security research and have had that title, I guess, since 2018. The School of Security Studies here is involved in the third pillar of that activity around strategic cyber security, so the socio-political aspects of cyber risks and threats, cyber intelligence policy, defence-related issues, and then the relationship of all those to risk assessment, risk management, governance and the like. The King's Cyber Security Research Group, which is led by Tim Stevens, where's Tim, over there, is a fundamental part of the work that King's does in this area. The group under Tim has grown to about 50 or so academics, policy people, visiting fellows, etc. There's a real vibrant hub here at King's for work on cyber security issues: in the War Studies Department, colleagues from our Defence Studies Department, which is based at the Defence Academy at Shrivenham, working with the Armed Forces, the Department of Informatics here, the School of Law, our global institutes, and other parts of the organisation.
The group engages regularly with government, research networks, and everybody else too, and also gets involved in cyber security education, not just with our normal students here, but also with practitioners as well. This King's Dell initiative with the seminar series is a really important new step, I think, in terms of furthering that conversation between industry and academia, and we're very, very excited about it. For me, these sorts of things are about creating new knowledge and understanding and communicating across the different stakeholders that we have in subject areas like this, like cyber. So you've got a great set of speakers tonight. I'm looking forward to it, and I'll hand over.

Great. Good evening, everybody. Thank you for attending this evening. We have a great panel ahead of us. I'm Dan Turbett. I look after Dell Technologies' business in the UK. It may be surprising to you that the laptop manufacturer is here sponsoring a cyber security practice, but we currently have about a three and a half billion dollar business in security, whether that's in the BIOS on the laptop, through intrinsic security in the servers, but then more importantly to operational resilience and standing up things like Skeleton Bank and some of the work that we do with Sheltered Harbour. I see Jim Schuck in the audience, so if you want to know what that means, I'll ask Jim, because I have no idea, but we have a great panel tonight. I'm very excited about this series, so thank you for the partnership with King's and for 2020. Let me hand you over to Liz, who will facilitate the conversations. Liz, all yours.

Thanks, Dan. Hello, everyone. I'm so delighted to be here at the first inaugural King's College event. So really great to be joined by so many thinkers in the audience from the public sector, from business, from technology, and from academia. I'm also joined by a wonderful panel. We have Lord Toby Harris, who's head of the UK National Preparedness Commission.
We have Paddy McGuinness, OBE, who's the former UK Deputy National Security Adviser, and Josh Jaffe, who is the vice president of cybersecurity at Dell Technologies. I am Liz Green, cybersecurity leader at Dell Technologies. I will be your host and facilitator for today's discussion. Firstly, thank you to those who are here in London. So great to see so many of you and meet all of you. So it's been great to have a few different discussions before the event started. And for those that have joined on Zoom, we are delighted to have you. A few things on how tonight is going to run. We are going to have a panel discussion, but before that, we're going to have some really great insights shared from Lord Harris. After that, we will have a Q&A. The Q&A will be for those in the room, following Chatham House rules. So if you do think of a question, please write it down. And I have a few people I've already told I'm going to pick on. So that'll be great. Without further ado, it would be great, Lord Harris, just to have a few insights from your good self.

Well, thank you very much, and thanks in particular to King's College and to Dell for making this happen. As you've gathered, I chair the UK's National Preparedness Commission. This brings together, for those who don't know, 46 leading figures from public life, academia, business and civil society with the rather grand aim of trying to promote better preparedness for a major crisis or incident. And COVID has taught us quite how vital this is. The speed with which the norms of society unravel, with deserted city centres, businesses shut down and forced social distancing and mask wearing, came as a shock to many people. But actually we should have been ready. Epidemics have occurred traumatically throughout history. The pandemic has been in the top tier of the UK's National Risk Register since it was first published well over a decade ago.
And so far, 2022 has brought us the war in Ukraine, escalating supply chain issues and near double digit inflation. And it's only just into May. At our first meeting, I think 18 months ago, the commission was warned that, irrespective of COVID, we're living in a world that is increasingly volatile and unstable. The UK's current National Risk Register maps 38 major risks facing the country, including environmental hazards, major incidents, malicious attacks both cyber based and terrorist, risks arising overseas and, inevitably, animal and human diseases. But it was prepared before the invasion of Ukraine and does not, as far as I can tell, mention significantly supply chain issues or supply chain disruption and energy market instability, let alone possible Russian retaliation for the stance that the EU and NATO have taken. So the lesson from this, the overriding lesson, actually in every country, is that we have probably not been investing sufficiently in our general preparedness and resilience. Not that it's easy. In essence, we have to predict the unpredictable, prepare for the uncertain and recognise that some of it will be wrong. And being properly prepared and resilient is expensive. The increasing complexity of our society and its systems, of course, brings many benefits, but it potentially creates its own fragilities. And adopting a preparedness philosophy means parking our just in time approach in favour of just in case, and being ready to build in redundancy and avoid interdependence. If you like, that reverses 40 years of eliminating redundancy, making things more efficient and making things far more interdependent. And that's bad enough for the public sector, but it's probably even more so in the corporate sector, particularly in a world with an increasing focus on annual returns and quarterly figures. And, of course, there is NIMTO: not in my term of office.
Now, I am a recovering politician, so I know how difficult it is for our elected leaders to devote resources, by which I mean tax revenues, to projects that do not come to fruition by the time of the next election or even the one after it, or to build resilience that is probably invisible and may never be needed for an eventuality that may never happen. And it's usually impossible to prove that your actions have prevented something happening, particularly if that hypothetical event is at some indeterminate time in the future and almost certainly long after your term of office is forgotten. So the task the National Preparedness Commission has set itself, and indeed I think it's a task for all of us, has to be to focus on three questions. What should we prepare for? How much preparedness is enough? And, even more difficult, how do we finance the necessary investment? Now, these cannot just be questions for national government. And there is a welcome recognition of this in last year's Integrated Review. Most of the public discussion of that review focused on the defence and foreign policy content. But in my view, the most important section was building resilience at home and abroad. And that explicitly promises a comprehensive national resilience strategy, expected soon. And that strategy should be based on a whole of society approach involving individuals, businesses and organisations. And that chimes with what the National Preparedness Commission has been saying since it was established: that if you make every level of government, every organisation and every community more resilient, you can create a sort of, if I dare use the phrase, a sort of herd immunity for a society better able to address future global crises, whether it's a new pandemic, a massive cyber attack or climate change. And it's also true for every household and every individual. We all have our part to play.
And in the context of cyber and indeed many other threats, preparedness has to be two-pronged. First, we need to reduce the likelihood of an attack succeeding. And this is where effective cyber defences come in. But second, you have to assume failure. You have to assume that an attack could get through. So can you manage and maintain your key services and protect your most precious data under those circumstances? And how quickly can you recover? And how do you further strengthen your systems against future attacks? Now it is of course a truism that generals always prepare to fight the last war rather than the one that is actually coming. So David Omand, who I'm daunted to see is sitting immediately in front of me, the former UK security coordinator, recast it in a slightly different way. He said, what we prepare for, we deter. So what we actually experience by way of events is, alas, what we have not prepared for. And the reality is that our nations, our cities and communities and our organisations have to have preparedness and resilience designed in. It has to be part of society's fabric. And that preparedness has to be event neutral. It might be cyber. It might be the closing down of the state because of COVID. And actually, if you design it in, it's much easier than trying to fit it in afterwards. I spent an hour and a half earlier on this afternoon celebrating the progress that's been made on the Westminster ceremonial streetscape. For those who don't know, this is the long-term plan to remove unsightly concrete blocks, which are there to prevent vehicle-borne attacks, and replace them with rather more elegant gates and physical barriers, which look as though they were part of the original arrangements. So if you walk down Whitehall, you will see a series of palisades on either side which look as though they date from the rest of Whitehall. The reality is they're there, they've been very carefully designed and they were all in use today.
But that point is: design it in, design it early and be prepared to make that investment. And I think that's the context for this evening's discussion. Thank you.

Thank you, Lord Harris, really valuable insights, and I think that really sets us up for a productive discussion tonight and hopefully some following questions. So I think, expanding on this, Lord Harris, it would be really great to hear a little bit more about the role that cybersecurity has played during your time, both as the chair of the UK National Preparedness Commission and while working for the Mayor of London. And I will say particularly, as you consider the city's readiness in the event of a terrorist attack.

Well, I think my approach is to say that cyber is one of a number of threats that we face. And it of course became extremely fashionable at one stage and a lot of resources were made available for it. But actually, you need to be able to respond to cyber. You need to be able to respond to power failures. You need to be able to respond to interruptions in your supply chain. The significance of, for example, power failures or, for that matter, a massive cyber attack is how dependent our systems all are on those elements. There's another point. I talked about herd immunity. Cyber is the possible exception to that, because your cybersecurity will depend on what is your weakest link rather than, I mean, yes, you do improve things by everybody generally improving their cyber hygiene. But if your key supplier or somebody has let in the virus, then that's your weakest link. And so it's not just about herd immunity in that case. You've got to look at your whole network. You've got to look at your supply chains. But also, are you protecting your crown jewels, your most important intellectual property or the most significant services that you provide?
And there's a piece of work that we did for the National Preparedness Commission which looked at the experience of business leaders during COVID, which identified that the ones who were most agile in terms of responding to situations were the most effective, but also those who were clearest about what were the most important things within their business, within their organisation, and making sure that those happened and that those were protected. And it's the same principle as far as cyber is concerned.

Thank you, Lord Harris, really helpful. And I think that actually ties well into a question I had for you, Paddy. We're talking a lot here about how do we prepare? What does leadership look like? And I think you have a lot of experience working as a National Security Adviser and more recently as an adviser to executive boards. You've been in the room with organisations that have been impacted by more catastrophic incidents. What are they thinking, and what are some practical tips or guidance for people in the room that might be on those boards as well? How can we be more prepared?

Liz, thanks for the question, and Toby, thank you for the framing, which I think is really strong. I'm very conscious that in the room here and quite possibly online, we have a set of people who either are on boards or in executive teams and will have a view on what I now say. So please do tackle me if you think I've got it wrong. There are regularly surveys done of leaders as to what's at the top of their mind. And one was done earlier this year by PricewaterhouseCoopers. They do a very good one, which is of all their CEO customers. And cyber risk, cyber disruption was very high on the agenda. In fact, it was the top risk they specified. And that wasn't because CEOs have an intrinsic interest in IT systems. It was because they couldn't bear another period of business disruption after the one with COVID, no matter how agile they were, and they wanted to be prepared.
And critically, they recognised that it was a hard-to-price risk, which means it was difficult to get assurance and be confident that they were well-postured to deal with it. And regret is rarely a useful emotion. I'm not sure my wife thinks that, but still. It rather saps the energy. But boards who suffer events or if they're lucky have near misses and kind of have that like when your car skids moment, the adrenaline goes in and it makes you think a little bit, usually there are kind of three or four things that they wish they'd done or they then do. So, and here they are from my lived experience looking after tens of boards through events since I left government. So the first one is that they wish that they had pulled through measures to strengthen their security architecture more quickly. And it isn't that many businesses now don't have programmes of work like this. It's that, frankly, they are too often complacent about how fast they're coming through. They are often doing the right things, but not quite fast enough or not with enough determination. And, you know, there are people more expert than me in the audience here about, you know, but network segmentation, enhanced monitoring, control of identity, disciplines about data holdings, what data is held where, elimination of legacy systems or products or domains and projection of this down the supply chain, all feature. And where businesses have done this to any degree, they fare better when they have an event. And, you know, we can all cite examples of that. I'm happy to do so in Q&A. Secondly, my word, and this goes to your point, Toby, they wish they had prepared for what colleagues from CCS would call reasonable worst case scenarios. Now, including, critically, a focus on recovery. And I'd note from my lived experience with businesses that often the most neglected element is real thought about what recovery is like. 
That isn't recovery of the ability to deliver a service to the client or the customer, although that really matters, doesn't it, if you're in CNI, critical national infrastructure. But actually that's about getting back to a state where your business is capable again of being agile and of responding and, you know, running through a technology transformation programme. In my lived experience with ransomware, the shortest full recovery to a state prior to the event, having learnt the lessons of it, was six months. That was the shortest. And that was when there'd been a four-day incident and they hadn't really crossed a threshold. And then they all wished that they had structured arrangements with external partners, able to reinforce their response and recovery. Now, this isn't about the insurance panel of the remediation company, the lawyer and the comms firm, although all of that matters, but this is absolutely about the technology and security partners that are going to help you put your network or your servers or your architecture back together again. I would note that when we get a systemic event, and I could cite an example in Victoria, Australia, if you want to ask me about it, when you get a systemic event, the market dries up. Those who are insured or have pre-booked their partnerships get all the support, and others don't, whether or not they should have it for societal purpose. So there's something really important about thinking about who's going to fix this; it is never just the internal team, ever. And then lastly, they wished that they had worked on their own personal and collective resilience and that of their staff. And the most frightening moment, as some of you who've been in Cobra meetings and have had situation room meetings with me will know.
The most frightening moment is when you have a new set of ministers and they've never been in a situation like this together before, but they all know they need to assert themselves, and they're all exhausted and worried, and then they lean forward and start. And then you're in trouble. Boards and leadership teams, and indeed our staff, who are the people who repair things and put them right and also represent an attack surface and a risk during a cyber incident, my word, they need to have resilience built in, and that needs to be planned. Lindy Cameron, the CEO of our National Cyber Security Centre, made a very telling point, I thought, last summer when asked about what she recommended to business leaders; thinking of how to prepare for a ransomware event was the example for her. And she said, speak to folk who have gone through an event to understand their dynamic. And it's absolutely what I see in the cyber crisis practice that I live, and Toby has described it. You've got to believe this can happen to you and that your world, the bottom can fall out of your world, and prepare yourself for that and not have a false complacency. I think that's the thing people wish most.

Really helpful, thank you so much. I don't know if this mic is working now, but I'm hoping it is. I think there's a lot of practical insight, so hopefully everyone has been able to take some of those down. For me, really being able to think about how we recover, think about how long it takes. I think some of those data points about a five-day incident taking months to recover is something I see a lot, and I know quite a few of us do as well. And then thinking about personal resilience of teams. So really helpful there. It would be great, Josh, now to talk to you a bit more from a US lens. We've talked a lot about the UK and what we're doing from a national level, some of the government businesses here are looking at. But what about the US? What are you seeing that may be different or similar?
How are people leading in this space? What insights can you share that would be really helpful?

Yeah, absolutely happy to do that, and certainly happy to have a chance to share a little bit of my experience with the group, but also hopefully have a chance to listen and learn and share in the learning in the Q&A portion. Maybe a couple of points of view in answer to your question, from someone who is both a US security leader and CISO but also formerly a CISO of a European corporation as well. I think there's probably more similarities than differences. In fact, there are substantially more similarities than differences. A couple that I'll key on from the outset. I think, though, one of the high level things that may be most important, at least from my point of view, for us to recognize when we talk about the way that both regulatory frameworks and risk help us structure the way we think about and respond to cyber attacks is that it's critically important for us to be able to leverage, or to take the learnings from, those regulations to point specifically to, I think, your example of the kinds of things that we really should be doing and doing faster. I think you made the point that whenever you have a chance to talk with a board on this topic they very regularly will have a list of things they were already doing that they didn't quite do in time. And I think, done right, the perspective of a regulatory authority or regulation, the frameworks that are built, give a push, give an impetus to do things that are already known to be the right practices. So for example, we talked about cyber resiliency. Internally at Dell, and I'm sure across the landscape of corporate entities that are attending here, it's quite reasonable to foresee a day where you can imagine the experience like you were describing, Toby, the very foreseeable possibility that we ourselves, or a customer or somebody, will be in a position where we're responding to one of those bad day events.
So knowing that ahead of time and planning for it is critically important. I think we have a point of view around the need to have what we consider to be an air-gap protected capability around our critical data, the things that we need to recover our business. We should be able to be sure that we have access to those even in that worst case scenario. So knowing those things and moving them forward, a layered set of controls, specifically understanding that we can expect, we can predict, that different ones of those controls will be more or less effective in a different kind of crisis, and planning for the failure, not the success, of some of those, right? I think that the point around deterrence is a relevant one. The things we experience are the things that we didn't successfully deter, which means there was a failure likely in planning or preparing for those events. So preparing for failure is important. We get a chance to talk with our customers regularly. We do a survey similar to the one you referenced, Paddy, where we go out and ask customers and potential customers the things they're most worried about; increasingly ransomware is at the top of the list, and increasingly people we talk to are not confident that they'll be able to recover from a ransomware attack, right? So those kinds of recognitions, things you can plan for and understand the systemic implication of, are critically important. I think in addition to that notion of compelling things we already know are good to happen faster, there's also the notion that we have the opportunity to sort of bend a curve which is going the wrong direction institutionally; that the notion of herd immunity that you mentioned, Toby, really resonates with me.
I think if we see the trajectory of cyber crime, and ransomware in particular, that is not just the result of a particular institution's failure to deter ransomware crime, but it's the recognition that as long as there continue to be soft targets in the world, in the economy, in institutions, we will regularly encounter these problems and they will continue to get worse, not get better, right? So the notion that each organisation, each entity, has an opportunity to strengthen their cyber resiliency and improve their posture in a way that they themselves will be a harder target for ransomware, that collectively has an impact on the whole, which again creates a more herd immune culture, makes a more resistant civil society, which I think is important. And again, I think the notion of both sort of regulatory frameworks, but also risk-based strategies, have a considerable part to play. I guess I'd say the last thing that maybe occurs to me, though, is there's also the opportunity for things that are a good idea in a moment, combating a present problem, to not modernize with the times and the threats we face, and so also to create a risk of resources being forced to be allocated against a thing that no longer exists. So in the moment we're describing now, all of our companies, our institutions, are all very technology dependent. We will likely be for the foreseeable future. Ransomware is a considerable threat to that. It is also, though, important to realize, like hopefully is the case with some of the other viruses and pandemics that we've been facing, that we as a society come to a point where the need to institute controls against old threats may become less important and new ones emerge. So oftentimes we find that organizations are regularly forced to continue to maintain a set of standards or controls against things that maybe once existed but in the future no longer are as pressing.
So I think an opportunity to go back and look at the things that maybe have historically existed, the requirements we have had historically for different kinds of cyber hygiene, and modernize or reappropriate some of that emphasis in a way that allows us to be more flexible with the way that we apply our resources to the future. I think certainly an opportunity for all our organizations to consider.

Really helpful, thank you, Josh. And I think it's good to know from a US lens that we're seeing similar trends and focus on resilience and recovery. So really helpful. I think we have time for one more question, and I would hope maybe each of you can just share a comment or two on this. But what we're seeing with a lot of organizations today is a focus on ESG, so environmental, societal and governance. One thing we're really looking at is how can organizations, or should organizations, be responsible? We've acknowledged here that there is a need to be resilient and that organizations need to look at threats, be it cyber or otherwise. Who is responsible for this, and how do we build that responsibility into the framework of the businesses and the organizations that we have? Starting in any order? For Toby the politician, you'd better go first.

Sure, Lord Harris. I think at the moment, the value system that we operate doesn't place enough value on the societal position of a business. So that the immediate concern of the directors, the immediate concern of the entity, is survival or, conceivably, this is so existential, actually we might just as well pack up and go home. But that does not necessarily reflect the value that their activities have for the rest of society. And so we need to find a way, first of all, of recognizing that. And yes, at the simplest level, having to report in your annual report what you are doing about your societal responsibilities is helpful. But actually it's about institutionalizing that, making that a necessary thing that needs to be done.
And it also requires an ability to place a value on resilience and preparedness, which at the moment we can't really do. Because that could then justify the investment I talked about to remove, to build in redundancy, to build in everything else that you might need. And it would satisfy shareholders that you were doing that. And the absence of that then becomes a concern for shareholders and those who are investing. Because at the moment, the driving factor is: what is the return going to be in the next quarter? What are the earnings figures? How can we maximize those? Rather than recognizing that unless you invest in things which don't have an immediate return, your organization may be destroyed further down the line unless you've taken that out. So how you report that, how you record that and how you measure that, I think, are important tests. I'm sure the National Resilience Strategy, when it's produced, will cover this and find the magic solution which will enable this to happen. But it is a critical question. And if you think about it in terms of cyber, I talked about it's where the weakest link is. You may be the weakest link as an entity, as an organization or as an individual, but you may not regard yourself as particularly important. So why on earth should you as an organization be investing at a high level in this degree of cyber security? And yet, if you get it wrong, you're bringing down a whole chunk of society.

Really helpful, thank you. And I guess Paddy and Josh, do you have further comments on that, anything you would agree with or maybe challenge?

So I'm sure in the Q&A we'll get to talking about ransomware. I'm sure it'll come up. But I want to say something about it that's very powerful in my mind.
So I notice that in ransomware events, when you have an interaction with authorities, and this isn't only in the UK jurisdiction, it's more generally across Europe and in the United States, there is a punitive, or I would call it blame storming, approach to the victim, when that victim is a provider of services and our societal interest is in keeping them functioning. I've worked with food packaging firms, I've worked with transport. I can go through the sectors, all of which are on the CNI list in one way, or a critical infrastructure list in one way, in the UK. During the pandemic, we understood absolutely that we needed to support business when they were beset by difficulties with staff and economic pressure, and we poured money onto them and supported them. When they have a ransomware event, we beat them up as if they're recalcitrant, even though they're the same businesses. So you look at that and think, we aren't quite getting this right. Particularly when, and we could talk about this separately, as a society we're not doing terribly well with fraud and extortion and that kind of crime. So it's not as if there's a ready support for the individual or for businesses when they're subjected to this, which is what they're dealing with. Ransomware is so fundamentally different from the kind of data and money stealing that was going on previously, and is aimed, because of the Darwinian effect of our cyber efforts around financial services, at increasingly more vulnerable elements, whether it be the health sector, whether it be food distribution. I could think of a whole set of them I've had to work on recently. So to my mind, there is a big question here. It is absolutely about the value of the business, and we've got schizophrenia because in one place it's valuable, in another place it isn't.
I would completely agree with all those comments and maybe just echo them by saying, I think one of the things that occurs to me whenever we have a chance to sort of speak with or look at a room full of participants and contributors like this is that every one of our entities and companies is at its heart today a technology company or entity, and all of us are interdependently linked to each other in some sort of ecosystem on which the rest of us depends. Even not necessarily critical entities, an institution that we might not define as critical by virtue of the role that they play, may be critical for something that another critical entity does, which brings us back to this sort of herd immunity topic. I think it's incredibly important for us to recognize the institutional power of being able to get the kinds of incentives and also structures right that raise the level of cyber security resiliency and preparedness across the entire society, but in a way that starts to finally bend the curve of cyber crime so it at least stops rising like in this shape, right, and starts to level and maybe hopefully in time decline. I think the other thing I'd say is just, again, considering the audience and the opportunity we have to think and reflect on this here. London is of course a global financial hub, and we have the opportunity here to sort of think and reflect about some of the ways that some of the financial incentives, as Lord Harris mentioned, shape some of the ways that entities operate. I mean, as we think about ransomware, for example, and the role that certain standards for resiliency like Sheltered Harbor, which I think was mentioned by Dan earlier, but also some of the frameworks for the way that we incentivize institutions to invest in cyber security, not just to put it off balance sheet as a sort of an unknown, invisible risk that can't be quantified, as we were saying.
If we changed that framing a little bit, we get the opportunity to really drive the kinds of change that I think really can meaningfully impact the way that society becomes more resilient to cyber threats like we're describing.

Thank you, thank you all for answering that. And I think that the answer seems to be yes, we do need to look at how we build cyber resilience, we do have that social responsibility to do so, but there might be a few changes we need to make in terms of how we incentivize that from a leadership perspective and also from a business perspective and, as you said, Josh, to kind of make technology a part of everyone's discussion on how we are safeguarding consumers today. So really appreciate it. Thank you to the panelists. I think it would be a great time now to say goodbye to our friends on Zoom. Great to have you on, and thank you for joining.