 Hello everyone I'm Karen Cho, anchor for CNBC. Thank you so much for joining us today for this important session. We welcome our web stakeholders as well as we turn the spotlight on cyber security. Cyber attacks as you know are not new, but the threat level has increased as we think about a changing digital and geopolitical landscape. A huge shift to remote working during the pandemic, more data moved to the cloud, a rise in e-commerce and financial transactions online, more and more connected devices and an increased geopolitical threat with the war in Ukraine. Over the next 45 minutes of this session we'll discuss how leaders can prepare for future cyber attacks. Just a quick housekeeping matter if you do want to connect with this debate. Hashtag WEF22 is the one that you can use. We'll also open up the discussion in about 20 minutes time so be ready for some questions. Let me introduce you to our panellists today. Jürgen Stock, Secretary-General for Interpol France. Josephine Teo, Minister for Communications and Information of Singapore. Chanda Prakesh Ghunani who is Managing Director, CEO of Teck Mahindra and Robert Lee, CEO and founder of Dragos on the States. Well first up Jürgen let me turn it to you. The World Economic Forum Global Security Outlook report indicates that cyber attacks over the past year were up to 125%. How do you assess the cybersecurity risk as we now also weigh up the threat of state-sponsored attacks? Yeah thank you very much. I think there's no reason to sound the all clear. The statistics are suffering from the fact that of course still many of the companies, many of the victims are not reporting the incidents to the police or to national agencies so we are still struggling that all the information maybe comes from the roughly between 5% and 10% of the cases that are reported to law enforcement. I think there's no doubt that the threat is increasing. We see criminal groups continuing acting in a more sophisticated way. The way in which they organize themselves is very different from traditional mafia style where people know each other maybe same family, same region. Here it's like the yellow pages in the internet where you offer your specialization, they connect for a specific attack and then they change which also makes it for law enforcement even more important on the one hand. So this is becoming more sophisticated, more difficult also because it's global by nature and of course law enforcement we still operate mainly in our national jurisdictions. On the other hand I think the major risk is still not that much IT security in a way of technical issues it's human failure that opens the door for criminals to attack the systems to take data hostage, one victimization, a second victimization with the data and as the world is becoming more connected we have been discussing that here the weft a number of times the challenge is still how do we connect the various dots that need to be connected that allow us to share information in real time to allow us to be prepared for the next attack which will come it's only a matter of time so that that is primarily the challenge. If I can just follow up quickly what is the link between state-sponsored cyber attacks and the criminal underworld? I mean first of all I have to say that Interpol is focusing on criminal activity so those perhaps 80% where criminals are behind that are still interested in money and data. The risk here is what we also see in traditional crime areas that weapons that are used today by the military for instance maybe a couple of years later will show up in the darknet and will be used by criminals for even more sophisticated attacks. That is a major concern in the physical world weapons that are used on the battlefield and tomorrow will be used by organised crime groups but the same applies for the for the digital weapons that maybe today are used by the military developed by military and tomorrow will be available for criminals. That's quite a warning isn't it minister let me turn to you late last year Singapore updated its cyber security strategy in particular to take a more proactive stance to protect critical infrastructure. There's plenty of reasons why Singapore would be a target with sanctions against Russia that you joined the city-state is a growing hub for international finance and business attracting more and more business away from Hong Kong for instance. It just gives a sense how you perceive the threat over the next 12 months to Singapore. Right well first of all let me say that it's an honour to be on this panel we have a veteran in law enforcement and we've got very prominent business leaders that provide a range of you know cyber security and IT services to so many different businesses. Let me just share in a perspective you know as a minister who really would like to see in the short term a more solid recovery for our economies and in the long term would really like to prepare our people to succeed in the digital age. It's probably right for us to not try and think of cyber risk in very discreet terms because they are interconnected with a whole range of risks geopolitical risks technology bifurcation the Russian Ukraine conflict which has as a result created economic turmoil questions about energy security and even you know just plain old supply chain disruptions all of these I think have got the potential to spill over into cyberspace. Now one key trend that we have been watching out for is exactly as Jürgen talked about which is that cyber criminals in terms of their level of sophistication they seem to be catching up with state-sponsored APT actors and we are observing that actually even this has become a national national security question because critical information infrastructure can come under threat and I think one problem that we face is that this is growing at a very fast speed this underground ecosystem that Jürgen you know outlined is extremely lucrative and it is self-funding so anytime that you have capabilities that are existing in a system that is self-funding and makes a lot of money you can expect it to grow and I think this is an area that really demands urgent attention a lot of international cooperation to rein in. A second area of risk I would talk about is that you know there has been just rampant exploitation of supply chain as well as you know all kinds of software vulnerabilities a third party that are coming through you know to a lot of businesses no business you know can can operate without using some third party software and there used to be a relationship of trust that existed between the clients and the managed services provider and this trust is being undermined and when you have an absence of trust you know how can you continue to digitalize your businesses at the rate that would bring about great benefits so this I think is a long-standing problem that isn't going away quite so soon and let me just close off by saying that there are two associated risks that we would you know characterize not necessarily a cyber risk one has to do with the fact that the threat surfaces are expanding so quickly and there is a real danger that we don't have enough talent don't have enough capabilities to deal with them. A second is really the problem of what I call distractedness there are so many problems that business leaders are dealing with and if you know it comes at the cost of de-prioritizing cybersecurity then I think this is going to have you know a lot of long-term consequences that we will have to pay for and they will hurt us so I would just pause right there. Minister thank you and I'm glad you brought out the supply chain because one of the reports in recent days was about connected farm devices being hacked and if we think about the food shortage we have at this stage how it's proving inflationary across populations you can see why cyber attacks in this particular area could be a major issue on that note. Chanda if I can ask you about the business community and the reaction here because we know that there's been a huge digital acceleration during the pandemic there's reputational risk from cybersecurity financial risk as well we've also witnessed on the back of several attacks how do you perceive the threat for the next year or so? I think Karen when you step back first is you know the dependence of technology on some industries is a lot more evident you know you saw the power sector the utility sector the telecom healthcare now with the during the pandemic even online education and in a lot of ways I mean I'm sure the honorable minister would agree the e-government services the dependence on technology is so high that we need to be cautious that if that is the dependence and you treat it as an infrastructure and if it is an infrastructure you need to budget time money and energy for maintaining that infrastructure I think when I look out I think many corporates have taken a responsibility to look out for the country attacks they look to look out for the dark web attacks they look at individual attacks but the question is how often do you maintain my personal read is that the boardrooms become very very active whenever there is a similar industry attack so if a colonial pipeline is attacked suddenly the all the oil companies around the world will become active because they all want to know what happened in that case study and are we safe similarly the scope of audit the scope of audit many companies only assume saving their servers or networks or the end user devices in their premises are good enough but the reality is the ecosystem is much bigger so one of the banks that we work with we were engaged to audit but the audit was very specific like banks like to be very specific it was the server network and their premises and we said no that's not enough and we had to prove it to them through the law form that they engage that on a Friday evening one human this is the the point Yorgen was making that it is mainly the human failure one human you know picking up a phishing email brought the whole system down so I think we need to be cautious that our vulnerabilities are now outside the system also and when we do ethical hacking a we should do it more frequently and number two is we need to take into account the ecosystem that's a good point that you make it there are red flags when it's an external contact but when it's somebody you work with day in day out who sends that email it does provide a different level of risk doesn't it Robert I want to turn to you I think most of us feel there's always someone who has great IT experience in us in the room you're the exception you're probably the resident tech expert very interesting background as well you were one of the first or the first to investigate the 2015-2016 attacks on critical infrastructure in Ukraine now as we have a physical war playing out on the ground devastating consequences just draw the links for us to what could start as something that looks like it's just an attack on the global community but it's very much focused on a specific area how do you look at that now in hindsight and look forward to the risk yeah absolutely and and I think most business leaders most executives most board members they have these cyber security conversations the awareness as we were talking about before is very very high but we still very much have a focus on IT even when like my skill set as an example I really don't know anything about your IT I know a lot about your operations technology the control systems how a power system works how a manufacturing system works but most companies when they talk about cyber security spend more time on the website than they do on the gas turbine system but the stuff that actually generates you revenue the things that actually have national security impact the things that have safety impact the things that have environmental impact it's the operation side it's all the control systems those were never really connected before they started getting connected and mass probably about 15 years ago people still think that they're disconnected now they're not save yourself the audit they're connected but because they're getting connected at the same time the digital economy is going the direction that it's going and at the same time that our systems are ongoing a massive massive change especially as we move towards a more sustainable and equitable like energy system as an example we are operating in a little bit of a knife set and so we've got adversaries that know how to target operation systems they've included engineers with their cyber security people we've got systems that are more connected than ever and something like a disruption on an electric system years ago it probably been okay more fear than actual impact in some cases you can design the big ones but we make safe and reliable infrastructure in the industrial community all the time but take for an example the the sort of green energy change an electric system as an example now is operating in such a way that power is on demand in real time for the lowest kilowatt hour so previously if you caused one company to go down I could have enough backup energy on the system and we had the concept of inertia you have big spinning equipment big spinning equipment in inertia it sort of slows down the effects of things and you can respond but now that we're going towards wind energy solar etc it's all inverter based resource it's direct current I don't have big spinning equipment much anymore now I don't have that inertia on the system now if I have an impact on an electric system I don't have the backup power and I don't have the time to respond and it's more connected and there's more adversaries that understand it that's not a good place to be so when we look at cybersecurity of critical infrastructure it's important for everybody to take away the fact that the critical part of critical infrastructure are those operations technology systems of course we want you to do the IT stuff as well but if we're going to talk national security especially really got to put a focus there and I would say probably the sort of the closing comment on that one is governments do have to be very aware of the difference between business risk and national security risk if it's business risk companies should be paying for themselves and doing that work but if it's a national security risk there's got to be support and potentially even resourcing from the federal government so that entity actually takes that and does something with it if I can just follow up on that point whether there is a pre-ukrain versus post-ukrain moment for the industry here and whether companies countries that are joined sanctions or taking a move to exit Russia and doing operations there are they at a greater level of risk now versus before for sure we've absolutely seen countries that have come out with sanctions countries that have been public in discussion countries that are connected to that system we see them getting targeted much more and so there's absolutely a geopolitical overlay of any time you're talking about critical infrastructure cyber attacks and the other thing that we just need to be really really mindful of and I think this is a suggestion as well to the audience as you think about those challenges is if you're an executive and your next board meaning in your next executive discussion there's really two questions that would focus you on number one when you get all your metrics and your stats and your cyber heat maps that you barely understand and we all love the colors ask the question is that the enterprise it or is that the enterprise because very often you are doing far less on the side of the business that you care most about the second thing I would suggest is the scenarios and this goes back to your crane discussion very often especially the technical community it's all about technical controls are we enough patching what about vulnerability management what about antivirus what about firewalls what about this that the others our problem is not needing next-gen AI blockchain or whatever else our problem usually is just about rolling out the things that we've already invested in doing something but don't focus on the technical controls we don't treat our business in any way like that anywhere else instead focus on scenarios should a power company anywhere in the world be able to prevent detect and respond to Ukraine 2015 and 2016 scenario yeah of course we've seen it you should should they theorize about what happens when China Iran Russia the US or whatever your powers team up against you no it hasn't happened don't don't focus on the theoretical but if something's actually happened in your industry you owe it to the community to actually have that scenario covered not a single technical control minister can I get a quick response from you probably just mentioned that if it's a national security threat that a company is facing there is a role for funding for the state how do you feel about that would Singapore step in and provide funding for companies that are under increased threat because of national security well I think in the first place as a you know state we have to look at our own you know provision of services and ensure that we set standards at a high enough level actually if you look at some of the critical information infrastructure quite a lot of it is operated by the state so say for example you know even if our power grid is is privatized to a very large extent the cyber security measures that we impose on the power generation companies is is one way of ensuring that the standards are met but there are also other ways in which we can help for example understanding where the risks are I think this is where government can play an active part but I also want to add to what you know Robert was saying which is that I think it makes sense for us you know when we think about scenarios not to think that we have not yet been breached and in fact in Singapore the way we think about it is that the cyber attack is not a question of if but when and so we have to move from preventive measures to being able to recover from an attack and so cyber resilience building it into enterprise risk management is is really important and it has to be at a very high level of leadership that demands that these steps be taken. Minister you've taken us neatly into the next area I want to talk about perception gaps because the World Economic Forum has identified that there is a perception gap when it comes to just how prepared businesses are around cyber security versus cyber leaders now 92 percent of business executives agree that cyber resilience is integrated into enterprise risk management strategies only 55 percent of cyber executives agree so the experts in the house think that the level of planning is just not adequate at this stage can I come to you on that point because you can you've seen the level of preparedness when it comes to locking down facilities stopping criminals from entering the premises what do you make of that perception gap and whether business leaders are ready for the task of averting cyber security attacks I mean from my experience and talking to a number of senior leaders in companies there is definitely the level of awareness has been rising it's it's much better but that does not necessarily mean that there is a comprehensive understanding of the cyber security risk in a company including what you said the the supply chain your partners you are you are connected with and again this comprehensive understanding and translating that into implementing the necessary measures doing it often enough because what we need actually is information exchange in real time um because the situation is so dynamic crime patterns are changing with sometimes within hours slightly or within a couple of weeks at least and and being a part of a of an ecosystem nationally regionally and internationally that allows these real time information exchange so for me it's not a surprise that there is still a gap between the senior management that they are there is a general awareness but again investing in specific measures including your your teams your staff to reduce human failure in in these procedures and to understand that this is something you cannot just do once a year like a like a medical check you have to do it as something permanent there is still obviously a lot for us to do and to increase the dialogue for instance between law enforcement because we on the one hand we are aware what's going on on the other hand we need the data which are in the private sector so we need your reports without your reports we are blind and and and that is something I mentioned this this huge number of unreported crime that is a gap that we need to close together not just law enforcement that requires that we build bridges between our silos the islands of information and in a more strongly way institutionalize the cooperation that already exists and for us the world economic forum is an important player on the global on the global level. Europe is going down the pathway of requiring some sort of reporting within 24 hours which is to your point that often we see this just brushed under the carpet that people don't want to disclose that there has been some sort of cyber breach because of reputational risk for whatever reason yeah right Chad let me come to you because you did touch on that perception gap a moment ago and one of the conversations I had with the cyber security expert this week was that nothing has changed in 20 years that people still perceive there is a risk they're trying to protect absolutely everything in the organization rather than most critical information just touch on what the strategy should be for business from here given that there is such a wide gap in how the industry experts feel the preparation should be. So I mean I'm surprised that you think nothing has changed in 20 years that's not me that's right so I can only say that you know when I was walking up here I accidentally met the chairman of IBM and he said where are you going this is Arvind Krishna who's the chairman of IBM and I said I'm going for the cyber security you know at the forum and he said oh that's a threat of the decade and it will remain the threat for the next decade so one part is very very clear that most of us do realize that it is a threat the second part is that most of us also realize that while we know 100 ways to secure our IT systems or the network or the end user or the supply chain but the attacker has to succeed only once so clearly for us whether it is technology it needs to be refreshed whether it is the processes they need to be you know you know talking about those viruses I mean all the healthcare as you put at your gun I mean it is very very clear that our processes have to be current and number third is people also it is not only that they need to know how to protect but they also need to know how to anticipate so I think the world over we need to realize that the various studies have shown there is a skill shortage in cyber security and I don't think that all of us are putting enough attention to creating that lateral skill force of 2.7 million people that are required by 2025 so I think it's a bigger challenge of people process and technology so Catherine maybe just you know building on what Chandra has said I suspect that the perception gap it comes about because one group is looking at all the known unknowns and saying that we've got this and then there is another group that is thinking about all the unknown unknowns and saying no we haven't really got it and that's why you know you have this very big difference in perception in cyber security exactly as Chandra says you don't know what you don't know and you have to believe that you know these are very serious vulnerabilities and you have to be on the lookout and trying to exchange information with each other try and get better to understanding the problem I'm glad many many companies still start seriously working on that when they first have been hit and and the data are blocked this is where the action starts oh who are my my points of contact where are my data who can help that's my experience in talking to a lot of senior leaders who called I have been attacked what am I going to do too late sorry you can see how engaged the paddle is but I know there are some questions out here on the floor so we have promised over it up for the conversation with our audience so if you would like to pitch a question please stand up and we will bring a microphone to you we have a question here first if we have a microphone ready if you could state where you're from too please yes my name is Wolfgang Kleinwächter I'm a professor I'm a reader from the University of Aarhus the United Nations have started negotiations on a convention on cybercrime what do you expect and the question goes in particular to Mr Stock and Madame Theo should I start so yes thank you for that good question I mean it's a it's a global problem right and it requires a global solution as many other threats that the world is facing you cannot deal with that in just on a national level or on a regional level or an isolation that doesn't work it requires global coordination that the challenge for Interpol to connect 195 member countries what we expect is that that law enforcement is mentioned because hopefully we all agree that investigation prosecuting prosecution and getting the actors behind bars is an important part of protecting our systems so we are part of these negotiations we hope that we can we can make sure that the interests of global law enforcement are represented in in this UN approach which we consider to be important can I just add to what Jurgen has said I fully agree with him there is a great need for international cooperation and that's why I think Singapore makes an effort to participate in all of these even though you know in comparison to the threat space by many other countries I think ours is of just a different scale but I would say that apart from having a convention there is another area that I think is also very important and that has to do with capacity building you can have a convention but ultimately it is the individuals that are operating each of the country's cybersecurity systems that have to intervene at the appropriate times and what we have done is to work with our international counterparts to try and create programs as well as training opportunities in our part of the world in ASEAN for example we've worked together to set up a cyber security center of excellence it's very well received whether it is the US whether it's Interpol whether it's the UK so many countries have decided to come on board to try and share knowledge because in cyber security we fully recognize that it is a team sport and the better we are able you know to make every player a competent player the stronger the team is going to be so that's that's how we are approaching it and of course you need a full team as well to to play the game properly Robert before we move on can I just ask you because you're charged with a cleanup when these security attacks happen do you think would make a difference if they were global coordination or some form of a UN resolution I think it's a really nice idea and I wish you all the best of it thank you but no I don't think it will actually help anything you have always had agreements between states on things even to the point of like critical infrastructure attacks most of us agree that you shouldn't target civilians and in the moment that a government wants to they do when it's in their necessity they do and so I just think global discussions and so forth really really important the awareness really really important thinking that a tree to sea or similar is going to fix it I think is is not necessary but I do want to look at the things that work if you look at the cyber security agency in Singapore if you look at the cyber security infrastructure security agency in the US if you look at the Australian government their ACSE program these different government agencies that come out and raise the discussion completely on their own like it's not vendors or anything else it's government agencies having international cooperation and making sure that board members down to practitioners know what to do that type of stuff works go repeat what works and scale what works and if you want to do some other ideas too that's fine but do them in parallel don't do one or the other let's get some more questions in there was one down the front here thank you thank you hello my name is Natalia and I'm here as a global shaper as a curator of the live hub when the war started the headquarter they took out all information from the website information about all Ukrainian hubs meeting about all Ukrainian shapers in the meantime we do have our Facebook Instagram LinkedIn profiles the question is what would you do on our place should we hide all information about ourselves thank you you know honestly the sources of information are so many that I don't know whether you can be a universal policing so for example when we were talking about this you know central competency regarding the repository of let us say malware I mean the reality is people in the CSO community and the people in the hacking community they have all the repositories available and that's why the tool companies have created some of the controls so I personally believe that we have to assume that the information would be available we do should while we can try policing but that information will be available whether it is through Facebook or whether it is through any other social media and I think our strategy has to be with an assumption that people know what the tools are available people know what malware is available people know what kind of security measures are there and within that how to evolve and encrypt or protect yourselves if I could take a spin at that I would say especially when you're talking about conflict and shooting wars and not just espionage I think the topic of personal safety is something you should think a lot about and I think those type of actions are really important I agree that that information is available somewhere but a lot of these state actors we view them as if they're one big state actor the US Russia Iran big country level but the reality is there's a bunch of different agencies a bunch of different teams and the person coming after you is not Russia China Iran US it's five to ten people on a subset of a subset of a subset of teams so maybe somewhere in the government they have the information that team might not and so when you're talking about personal safety I do think limiting your exposure especially in those type of environments is a very wise thing to do there's also information war that comes up I mean we saw one specific example where I think it was a makeup artist in Ukraine who is a part of one of the the areas of conflict and her profile was used against her in the information war by the Russians so it's obviously another area to think about but let's get some more questions and I know that there's a little bit of interest here down the back so thank you very much can you hear me yeah so just on the cyber war we don't have rules of engagement for like multilateral system to just I understand your point Robert in terms of like we need solutions but I also believe that we need multilateral solutions for that so do you have ideas for engagement in cyber war like rules of engagement Geneva Convention for cyber war actions any I sit on a panel of day one secretary general and effective multilateralism and we're thinking we're thinking about this right now so that's why I'm just also consulting you thank you I think a number of countries are trying very hard to develop rules of the road that could you know be subscribed to by everyone the United Nations has a open-ended working group for example where many countries have been engaged in multi-year conversations but as Robert has also intimated it's not an easy conversation obviously they are very diverse interests and but I think we are making progress as it turns out Singapore is the chair of this current edition of the open-ended working group and at the very least I think you know when the Swiss chaired it the last time round you know there was at least a document that they could agree you know what was some of the baseline provisions that everyone you know should be able to provide can the in can this conversation be taken deeper and can we develop you know more you know robust sort of understanding of how we would operate with each other the answer is yes will we get there anytime soon I would say we will have to work very hard at it yeah can can I get you on this I mean you're used to working across borders we also have a situation where we know that global cooperation has broken down China is a great example where there's been trade wars there's been concerns about the level of information shared between the Chinese and the West and how do you get around some of these issues as we talk about global cooperation yeah I mean we try to be the platform where all these countries to some extent are coming together despite all the differences in in legal systems and put in political systems because one thing is quite clear any gap we are leaving will be exploited by criminals and we have seen that also during the the pandemic during covid how quickly criminals shifted their narrative to the new vulnerabilities of our society so so any crisis that occurs will be exploited by by criminals we spoke about meta worse earlier today here I'm sure as we speak here criminals are already preparing to use that as a platform for criminal activity and again there is no other choice and this is why Interpol exists to provide that platform is it perfect no of course it's not but on the other hand are we successful here and there by by bringing the players together even those who have diplomatic problems to I mean difficult to say in these times yes we are there is I think there is no alternative to that the internet is global and you need a kind of global kind of police force or at least we we try to bring the the national forces at least in some cases together that that's our mandate let's take some more questions I believe we have one down the front here we will take one from the other side of him if we can in a moment too okay hi I'm in on costica I'm a co-founder for a cloud security company named whiz and we're working with multiple fortune 500 companies and what we've realized that the key to actually initiate something uh an improvement is working with the engineers that build the cloud applications you mentioned that humans are the biggest failure you mentioned that we need to train more and just now we're seeing questions from a people personal people saying okay exposed information I didn't know what would be the outcomes in the long run so my question to you question to you is basically how can we enable a more global education on or awareness on cyber one that can provide everyone with tools to assess their risk my my parents for instance they got an email saying we have pictures of you pay $1000 to this address and I'm like that's nonsense it's just extortion ignored but they didn't know they were scared for two days they had nowhere to go to to ask that question so my question to you how can we create a global community to train and we raise awareness channel do you want to talk about that so you know I would agree that nipping the problem in the bird is the right way because if you write a code which is secure and which has got enough firewalls in it I think you are making it difficult for anybody to break into the code so I think that's a fundamentally just the right way number two I think we covered this point about education there is no immediate resolution to that part that whether that education can be in a given to tens of millions of users now because as we all know the vulnerability is not only by one operating system or one piece of code or one tool the vulnerabilities can come in from a smart city a smart factory or from a smart metering I mean whichever way you want to look at it and to prevent it I mean if you were to say there are two ways to prevent it one is become good citizens so there is no crime or you put put in enough foolish people so that there is no crime because people are what you know afraid of the police I think both of them is required you need to educate but it will take time and till that time I think some of us have to act as a catalyst and I definitely would agree that people like you when you write your code try and make it secure and the more we start as a community start paying you premium because you deliver a secure code I think that is the right way because people will learn that there is an economic benefit to secure code so again can I just add to that two perspectives one I completely agree security by design should become a competitive advantage for you if you are able to offer a product to the market that has got more security features built in and then it should come on a premium and people over time will learn that it is in their interest to pay for it but I would also say that I don't know that you need a global effort to get this going I think as national governments we all owe our citizens a duty of care and it is in our interest to help educate our our citizens to understand the risk that they are exposed to when they engage in in in the cyber domain it starts from you know children in school helping them to understand you know that they can be exposed to online harms and how to deal with it it can be for example in collaboration with corporates in Singapore for example google has a very good program they help teach our school going kids how to do simple things like have strong passwords right but there are also different segments of the population that are vulnerable seniors you know who are targets for scammers and apart from strengthening our defences against scammers there is also a lot of education that can be done by the government this is sometimes police you know collaborating with people sector organizations civic civil society I think these are all efforts that can be taken at the national level and it should be in our own interest to do so right and once and I mean we need law enforcement needs the industry to help us getting the tools to investigate cyber crime in that new virtual environment we have a champions league of law enforcement agencies who are well trained and well equipped but let's say 195 member countries police services let's say maybe 70% are not well equipped and not trained and very often they have nothing so we also need the support from the private sector to develop easy handle easy to handle solutions to investigate that type of crime Robert yeah I would I would agree with everything was said I would just add again sort of the scenarios and requirements discussion I think the minister was talking earlier about distraction should your parents be worrying about the cyber attack that takedowns transformers and electric system probably not until they're operating them right so we come out all the time with do all these cyber security things I think as as leaders we sometimes fail our communities and setting the requirements to start with even at a business level what do you need to worry about at this company set the two or three scenarios the requirements you have etc that you need to care about that company doesn't need to be prepared for every possible cyber security thing and we talk about education where do you start these days with cyber security it's so broad you cannot be a generalist in cyber security anymore 20 years ago absolutely today no cloud specialists industrial specialists whatever and we just say industrial and that's different from being a specialist in electric power versus pharmaceuticals so I think the setting the requirements setting those scenarios and figuring out what do we actually want out of our communities other than cyber safe cyber hygiene or whatever else you want to throw out that ultimately just gets this large peanut butter spread instead of actually doing things we are out of time for questions I'm so sorry I know that there's plenty of interest still but just 10 seconds each what do you want to see happen in the next 12 months from it I would like to see at an executive level a better understanding of the operation technology risk that exists in companies and put some effort towards it pick a path doesn't matter but pick a path realize that you cannot copy and paste your it strategy into your power plant channel from my perspective including the policy makers here 10 seconds focus on education focus on people focus on skills minister cyber security is a wicked problem you never get to solve it once and for all it should never be an afterthought it should always be a priority yeah stronger more institutionalized public-private partnership that was very snappy thank you so much Jürgen minister Shander and Robert we appreciate your time