 All right, well, great. Well, thank you, everyone, for joining us today for a discussion, what I think will be a great session on securing a common future in cyberspace. And I think that if our theme this year for the annual meeting is creating a shared future in a fractured world, then cyberspace is both where that shared future is going to lie, but it's also going to be where many of those fractures are going to occur. Cyberspace is often likened to a global commons, which suggests the challenge of how do we sustain cyberspace as that type of a global commons? So we're going to focus on that, that challenge, that question for the next hour, specifically focus on questions around, how do we overcome obstacles to global collaboration? And how do we grow and develop, build, and sustain public-private partnerships? So we have a great panel today to talk through these issues, which you'll see as I introduce them. And so for myself, I'm Alan Cohn. I'll be moderating the session today. I formally served as an assistant secretary at the US Department of Homeland Security. I'm now an adjunct professor at Georgetown University Law Center and a technology and security attorney at Steptoe and Johnson in Washington DC. Let me introduce the panel before we start. So first, to my left, Jim Snabe, the chairman of AP Molar Marisk, Andre Kudelsky, the chairman of the board and chief executive officer of the Kudelsky Group, Michelle Connings, assistant secretary general of the United Nations and executive director for counterterrorism, and also the former president of Eurojust, Tim Murphy, general counsel and chief franchise officer of MasterCard, and Andre Costin, chairman of the management board and president of VTV Bank. So what I'd like to do first is to ask Jim to tell all of you about an experience that Marisk had firsthand with today's cyber threats, with the types of disruptions that they cause, and some of the lessons that Marisk took from that experience. And then I'll ask each of our panel members to offer some thoughts, and then we'll have a discussion, perhaps, of some questions from all of you. So Jim, please. Well, thank you very much, Nad. Not necessarily the best question you can have, but I will be happy to talk about what happened. In fact, I'll never forget it was the 27th of June when I was woken up at 4 o'clock in the morning. A call came from the office that we had suffered a cyber attack, and then a process started, which I'll talk a little bit about. Now, before we go into the details of the attack itself, Epimelo Marisk is the largest container shipping company in the world. We transport roughly 20% of world trade in containers, so we're a very significant part of the infrastructure of making the world actually run. And every 15 minutes, in average, a container ship will come to a port somewhere with between 10 and 20,000 containers. So now you understand the criticality of infrastructure. We were hit by the non-patch virus. In fact, that meant that we were actually collateral damage of probably a state attack situation. And the impact of that was that we basically found that we had to reinstall our entire infrastructure. We had to install 4,000 new servers, 45,000 new PCs, 2,500 applications, and that was done in a heroic effort over 10 days. Normally, I come from the IT industry, you would say that's going to take six months. It took 10 days heroic effort. And I can only thank the employees and partners that we had on doing that. Now, imagine a company where a ship with 10 to 20,000 containers enter a port every 15 minutes. And for 10 days, you have no IT. It's almost impossible to even imagine. And we actually overcome that problem with human resilience. People were able to overcome. We only had a 20% drop in volumes. So we managed 80% of that volume manually, basically. And customers, by the way, were great contributors to overcoming that. Maybe coming to the learning, this was a very significant wake-up call for an organization like AP Miller Mask. We could say a very expensive one. It cost us between $250 million. And yet, I argue that it was a very important wake-up call. What did we learn? Number one, we were basically average when it comes to cybersecurity, like many companies. And this was the wake-up call to become not just good. We actually have a plan to become come in a situation where our ability to manage cybersecurity becomes a competitive advantage. That's the ambition that we have. Number two, we chose a very open dialogue around this. From day one, we were on Twitter telling about what has happened, and we have spent enormous resource on helping other companies. I think that is an important point to make, because with that openness, the experience we had, other companies can have. And I believe that we need a very significant level of increase in our understanding of this problem. It is time to stop being naive when it comes to cybersecurity. I think many companies will be caught if they are naive. Even size doesn't help you. I think it is very important that we are not just reactive but proactive. And I think we can't be average. We've got to be the best we can. The third and last conclusion that I have is one around urgency. We are a quite technologically driven company. More than 90% of all orders come through the internet. But the next level of dependency on digital will be everything is digital. All the documents are digital. The boats will be autonomous. And hence, the criticality of the infrastructure becomes even more urgent. And you cannot overcome with human resilience anymore. So with that in mind, the internet was invented in 1989, not with the use that we have today in mind. There is a need for a radical improvement of infrastructure and understanding and a collaboration between companies, technology companies, and law enforcement. And hopefully, our incident can be a wake-up call, not just for our company, with big ambitions now, but for everyone that has anything to do with technology, which I presume is all companies in this world. Thank you. Thanks, Jim. Hopefully that gives all of you a sense of the type of and the significance of the types of threats that we face and that the impacts are not just in the digital world, but very much in the physical world as well. So Andre, you run a renowned security company here in Switzerland. Thoughts on what Jim has said or thoughts on our themes today? First elements, and I think that's a very important message. I would like to thank Jim to really make public what has really happened. Because one of the biggest concerns that we have is that people are not understanding what is at stake. And what we have to understand is that, for the time being, we are just speaking about very simple attacks. When I'm speaking about simple attacks, our attacks were just by following some basic rules, like to have all the patch done and so on. You can prevent them. Now you need to understand that with the digitalization, you have a lot of new opportunities, but also opportunity for the hackers. And so basically what you have to understand is that the bad guys are really very economically savvy. Nothing to steal, nothing to sell. So fundamentally, if there is a real opportunity for them because the world is becoming digital, they will use a lot of new technology, of new creative elements to do the attacks. And now one of the biggest challenge that we have is that we cannot just say you have a set of rules and you will have no more issue. Since it's a moving target. And you have to understand also that you have a lot of new technologies that are pretty interesting, like, for example, artificial intelligence. And artificial intelligence has two sides. One side to do great new things in digital, but it can be also used as a great way to attack some infrastructures that are digital. And imagine artificial intelligence is a little bit like a self-mutating virus. And so you may have a lot of elements that make the things much more difficult to catch. And for that, one company alone, especially if it's specialized in one field, will not be able to solve alone the issue. So there is a need for collaboration between companies, but also a collaboration between companies and public sector because a company have not the right to be the police. So fundamentally it needs to have the legal elements, the enforcement. But also, if we look more medium long term, there is a need to do some fundamental academic research. And then the academic sector is extremely important to think the next step in term of theory, in term of element. And by combining this element, you can do something better. Now, we have spoken about the element of compliance, so first type of attack, some more creativity. But the reason also a natural dimension are some weaknesses that we see in the chip itself and that is opening a new door also of possible attack that will be pretty interesting to speak about. Yes, no doubt, no doubt. It's very interesting, some of the thoughts about what artificial intelligence will do both from an offense and a defense perspective in cyber. But Andre, you mentioned the public and private cooperation. Michelle, both in your current role with the United Nations and your previous role with Eurojust and as a prosecutor, your thoughts on some of these questions? Well, thank you. The attack against Mosk is certainly a very revealing story. But something we have to learn from and with a relatively happy ending, if you see in what a short time business continuity was ensured at cost, of course, some money, but you controlled the damage and you were very open. Let's learn from that attack and let's be proactive. Let's also embrace the development of technology and the use of internet. But what happens if it's used for criminal intents, for terrorist intents? So, yes, let's use this perhaps case as a wake-up call. But I would rather go for proactive approach and consider it as a story, as an attack to keep us awake, to keep us vigilant, and to keep us alert for the security concerns. And that was also what the United Nations last year has been embracing in its Resolution 2341, asking all the member states to take measures in order to protect their critical infrastructures. Because indeed, if the same happens to critical infrastructures as what happened to the company Mosk and we're talking about water supplies, nuclear power plants, electrical power plants, transportation, the impact on all of us in society, in economy, would be in the match amount. This is, however, a possibility. This is part of the reality. And so we fought in the United Nations that there are mainly two issues, key issues to address. The one is to improve international cooperation. And another one is to improve, to strengthen the public-private partnership. If we talk about international cooperation, we see that there are some differences in legislations and legal frameworks in the different member states. The globe is containing 193 different member states, so still a lot of work to go. And if we see that the incriminations for cyber attacks are tackled in different states in different ways, if we are confronted with different jurisdiction issues and hence confronted with its consequences, and that means loss of location, loss of data, with concerns about encryption and anonymisation online and offline, we're entering a scenario where we still have a lot to do. International cooperation is only possible on the basis of treaties. So we have treaties, we have regional treaties like the Budapest Convention, we have the Convention of Palermo on organised crime, we have a lot of treaties, and if we don't have all this, we can always work on the basis of reciprocity, because vital is still to have any terms to cyber criminals. If we leave them only free in cyberspace, we only stop criminal activity and don't manage to attribute criminal activity and stop criminals for once and ever, we are not going anywhere. Public-private partnership is another of the set of challenges. And indeed, if we manage to have a dialogue, a building up of trust and awareness creating by exchanging good practices, lessons learned between the two, we have already made a huge step forward. But let's also be honest, there are cold feet from both sides, because how can we improve the attribution to criminal activity? How can we convince that private sectors are engaging in an open dialogue after a cyber incident without facing embarrassment or maybe prosecution later on? How to find the right balance between the need for a deciphering by law enforcement and justice authorities versus the strong need for strong encryption to protect the critical infrastructure? So there are lots of challenges we need to discuss, proactively, not in a way, as we usually do, demand-driven or event-driven, but results-oriented. There are also success stories. And I must say that last year, the big companies, Twitter, Facebook, Microsoft, and another, which I now forget, managed to establish the International Global Forum on Countering Terrorism. And in that initiative, my organization at the United Nations set up the initiative to launch the Tech Against Technology. And this is exactly meant to provide the tech industry with the global leadership in the fight against the exploitation of technologies by terrorists. It also ensures that we help them to improve the self-regulation through the adoption of the voluntary guidelines. And finally, we also help them with advice and tools in order to make them at speed in tackling the exploitation of the internet. What I would like to stress, finally, is that there are also successes you've referred to my previous life. And indeed, in one region, the European Union, we manage by gathering the forces between law enforcement and judiciary to manage to be on top of the fight against heavy cyber attacks. Some examples are, for instance, Avalanche 2016. And of 2016, a huge criminal infrastructure taking over computers in a huge way with sophisticated means. We did this. You were just gathering all the prosecutors from more than 30 countries, liaising with EC3 at European Law, the European Cybercrime Center, liaising with the private sector and being on top of things. And that ended in a race. And finally, we can also do another initiative from UN together with IAP and with UNODC, which is meant to improve the capacity of prosecutors to get after the evidence by liaising with the CSPs. No, so that's a lot of different pieces in play. You mentioned the cross-border collaboration. And you mentioned the cooperation and collaboration among law enforcement agencies, prosecutors. Tim Mastercard operates across pretty much every border in the world. And what do you see as some of the, what's your thoughts on some of the things that we've talked about already and some of your thoughts on some of the challenges and successes around collaboration? Sure, Alan. It's a terrific question, and thank you for asking it. I think the theme for this session is cyber is a commons. And it is absolutely true. It is a commons in which enormously productive things can happen. It's also a very dark and scary place. There is a commons near me. There is a public park. And if this public park looked anything like cyberspace, I would never send my children to it. That's the problem we live with today. So I think the first place you have to begin with really talking about the role of government at some level. And the fact of the matter is we can do so much better than we've done on international norms and standards about conduct in cyberspace. And we have not made nearly enough progress in that space. And I think it's incredibly important that public companies, that companies, the private sector around the world, continue to demand of government that we do better in that space. And leadership is needed at a political level. And these need to be treaty issues. And of course, the UN plays a critical role. So I think that's the first thing we have to say. The second thing is that it goes without saying every public company today is, and if they're not, they are almost derelict, laser focused on to the best of their ability, securing their own infrastructure, their own mode. And for companies like MasterCard to have a wider accountability for the payment ecosystem, investing to make the overall system more secure. And I would say very significant progress has been made in that space. Is it good enough, we will see? The adversaries are very intense, but a lot of work is going there. I think the two things we need to start thinking about differently are more creative ways to think about collaboration. So in our own company, we do a lot of information sharing and a lot of intelligence sharing with critical customers and other big partners. We're certainly engaged with the FSISAC in the United States was probably a leading method of sharing information among private companies and government. I think more can be done in that space. And we need to move from talking about threats to talking about what we're doing well, what we're not doing well, and learning from each other. And that's why the leadership position that Merish took is so extraordinary. But we can do better still. So many companies have very complex value chains. Small businesses are in those value chains. Small businesses are completely at sea. In navigating the cyberspace, what can large companies do to help small businesses be more effective? MasterCard has helped launch something called the Cyber Readiness Institute with Microsoft and others that helps take big company thinking and information and assets. And we're going to try to make it digestible for small businesses so they can get more effective. So different forms of collaboration I think become critical. And then the last thing I would say is, as this emerging digital world comes upon us, every player in the space has to think about architecting. And again, this was mentioned earlier, architecting some of our core network systems very differently. If the internet of things happens with 30 million interconnected devices, and if their payment capabilities embedded in those devices, then the fact that those devices don't have IDs that you can track back to is a fundamental problem and has to get addressed. The current system for identifying humans to devices in the world, based on the password, is completely broken. And someone will fix it. And we need to get that work done urgently. And that requires ample public-private dialogue. And so there is so much work to do, collaborations at the heart of it. Because if we don't earn back the trust or we can maintain the trust or earn it back in this emerging digital world, we will not get anywhere near to the benefits that these commons can potentially give us. I think that's a good point. Andre, the financial services industry, obviously one of the top targets in this space, from the perspective of a major bank, your thoughts on these issues? Thank you, Al. I'm not sure whether I'm the right person to address this audience. Because frankly speaking, I don't like new technologies at all. New technologies deprived me of many things I was enjoying in this life. Privacy, good holidays, and many other things. When I came to Davos for the first time in January 1996, there was less than 100,000 mobile telephones in Russia. Now it's more than 260 million. So when I switched on my telephone after the discussions, I'll have a dozen of calls, unanswered calls from all my colleagues, from my office, from my wife, and many other things. So I don't like new technologies. I mean, they spoiled my life, that's for sure. But as I agree with you, as being a banker and chairman of one of the largest bank in Russia, I have to face a situation that I have to deal with new technologies. More than that, probably banking, more than any other industry, can benefit from new technology and reduce new technology in everyday's life. But first of all, very short comments on what my colleagues said about the cooperation. I think it's vital. It's vital for bankers, it's vital for Russia because we are quite often accused of being the best hackers in the world. And I'm not quite sure that that is true, but I would like to say that Russia definitely stands for more cooperation. We think it's absolutely vital to accept some kind of the Geneva Convention of what we can do, what we can do, what the code of conduct in this area, and that's absolutely necessary. We should define many things, including the cyber attack attribution mechanism, in order not to mix the private hackers with some possible attempts of some governments against other governments, and what kind of response the governments can have in response to any cyber attack. So it's very unfortunate that when last summer, Mr. Putin met Mr. Trump, they discussed the possibility of creating the joint group or some kind of committee to work on the cyber security agenda. And unfortunately, American side never came back with this proposal and still we don't have any discussion on this subject. But that's one again. We need cooperation in this area. We need cooperation between the private company and the government. We need cooperation between the government. That's vital if we want to build, as you mentioned in the global common, rather than the warfare territory in cyberspace. As far as the bank is concerned, you're quite right. I mean, according to some statistics, banks are 300 times more under the cyber attacks than any other industrial or other businesses. And we spent probably three times more money on this because it's very important for bank to be cyber attack resilient is quite important, quite important for our clients. And the more we are progressing in the high technologies, bringing online banking and other new forms of banking, you know, the more money we should spend on this. And that's quite clear that, and the level of the problem is very high because we all know about the crisis. We experienced the crisis in 2007, 2008, but that was a different risk. Now we have a very high risk of, in actually in cyberspace area. And this could lead to a much quicker crisis and a much bigger scope of crisis in financial sector will be devastating for the global economy. And it's definitely very high on the agenda for banking sector, that's right. No, that's very interesting. So it's interesting, several of you mentioned different centers around which we find this kind of collaboration. Tim, you mentioned the financial services, information sharing and analysis center, the FSISAC. Thank you for defining it. And Michelle, you mentioned EC3, the Europe Hulls European Cyber Crime Center, which has a coordination center in it. Do we think that there are a sufficient number of these centers that exist? Is there a, or is there a challenge of do companies or do governments still, do they need more guidance or more understanding about where can we come together to have these discussions, to discuss things like whether it's norms, whether it's practices, or whether it's active collaboration? What do you think? I think we have to consider two dimensions. One is trust, because it's really important to exchange information, but to be sure that we exchange information with people that we can trust. If not, we have the devil that is part of the package. The second one that will be increasingly important is speed and flexibility. Because we have to consider that in the cyberspace, what is yours in the normal life is maybe millisecond. So it's extremely important to be fast. Imagine that you have one cyber attack that is happening somewhere, the speed at which the propagation may happen is extremely fast. So if you need to have weeks to address an issue, it's just too late. So fundamentally, these two elements are absolutely crucial to have something that is operating well. And here, we need to think about collaboration between private public that are at one pace of speed faster. That's what we have had so far. I think another opportunity for more information sharing is to begin to think cross-economic sectors. And I endorse everything that Mr. Kedelsky said, absolutely true, we need machine speed for sharing of information. But at the moment, at least in the United States, they're very sectorally independent. Financial services is quite strong, power, teleco, and so on. And there has to be a way to link those together in a more effective way. I think the wider picture and the wider dialogue could be effective. Some of that is happening by, I think, private self-help. Companies are creating fusion centers, building their own networks of relationships with other trading partners. But I think a more organized effort, an effort that reflects the fact that again we're defending at commons here could be quite useful. But also one element that we need to take into account that sometimes you may have some contribution from new players that are maybe not as well known. So we need to have a system where we can have some entities that can opt in or out, also at the fastest speeds to get really the best of knowledge. Yeah, it's interesting. In the United States, as we mentioned, the sectors created information sharing and analysis centers for sharing, and that was due to some proactive policy by the U.S. government. And the U.S. government a few years ago looking at that, networks said, look, this is a good start, but we can't confine this just to sectors. We need to encourage the creation of more hubs for sharing than just in individual sectors. In a sense, it almost seems like it's a network of networks. It's a network of hubs that may be necessary to ensure the kind of collaboration, information sharing that today's threats require, let alone tomorrow's. So I'm curious also whether you think that there is a sufficient posture right now about public-private cooperation for cyber security. I know that in some areas, the relationships between law enforcement and companies for the investigation of cyber crime prostitution is very strong, very good collaboration, very good cooperation. In other places, it's not as much, and Michelle, you also mentioned the question of, are the right laws and treaties in place, whether that's at the convention or treaty level or at the national level. Where do we think the state of kind of cooperation between the private sector and the public sector is right now? Well, so I actually believe that we need a very significant improvement of that. It's not that, you know, in our situation, we got a lot of very important help from law enforcement, but I think we need to be much more ambitious. If you rob a bank today, it is likely that there's a little button on each of the tables in the bank that someone can push the little button, and immediately there is an alert around an ongoing attack on that bank. Imagine you had that in cyber. Now, first of all, when you go into that bank, you get access to all the branches of that bank, not just one, so the problem is significantly bigger, and hence the opportunity to have early warnings, information that might be available by law enforcement in the dark web be circulated more actively. So that we go from this reactive, let's try and run after the problem and see if we can fix it to a much more proactive prevention, proactiveness in terms of knowing when something happens and then alerting everyone, and then coming up, and I think that's where it will all end. It's gonna be an artificial intelligence war between attackers and defenders. That's where it's all moving. I think the use of artificial intelligence requires that the networks are connected so you can collect all the data. This is where it needs to go. Now, the issue is that we have on one side as companies the obligation to be safe. We've taken very serious actions at APMilumask. We now have a much, much more safe infrastructure, and we cannot let that responsibility sit in someone else's hands, so we gotta do something. And on a national level, countries will look at that and say, we gotta protect our country. And this is where the challenges come, that's why it's a network of network, because then countries also have to collaborate because the digital war has no borders. That's the complexity. It's three levels, and we need to set the bar really high. We cannot be naive anymore. I will just come to dimension. First one, no border, and that is, I think, one of the very fundamental role in cyber, but that is also meaning that every country is a neighbor and that bad guys will use the legislation, the worst possible legislation to do the attacks. Now, in term of collaboration with law enforcement, place like US or Canada are really extremely advanced in such collaboration, but what is interesting, it's not a one-way street. Fundamentally, the police can help us, but we can also help the police to learn the latest technological evolution. What do we think? Do we think that, from your perspective, do you think that that sense of collaboration between law enforcement in the private sector or the public sector more generally and private sector is there? Do you see that? It is, but I think there's certain areas of concern. For example, there's a, first is a certain level of mistrust between public and private organizations and in sharing the information, of course. The private sector doesn't very much trust the government and the government is probably not very eager to share information with the private sector. That's one thing. The second is that the cybersecurity areas are relatively new. There's a big concern about the fact that the government, maybe an advice of the law enforcement agencies will strengthen regulations, like it's happening in Russia to a certain extent and it make it much more costly for private sector to keep up with these new regulations and probably more to come. With a more difficult and a more complicated system, it means there's a, for example, more burden for Russian telephone companies nowadays and some others. That's another area. And third is, my colleagues already mentioned it, that's of course the problem of international cooperation because different legislations, criminal cause and many other things which prevent us maybe for having a broader cooperation in this area between different countries. So I think that is obstacles for further developing the PPP, if you'd like, concept in this area. But I think we have no big choice. We should develop it. But I'm describing just the area of concern and the obstacles we should overcome on this way. Right. And then finally, Tim, you had mentioned the norms question. And do you think that norms, how do you see norms coming about in this space? Do you see them coming from the declaration of, whether it's states or now really companies coming together and saying, look, we believe the X and Y and Z should be the norm or do you see it more evolving from the actions that, whether it's governments or whether it's companies agree to take amongst themselves? I think it's a mixture of both. I was speaking specifically of making sure that private sector continues in its dialogue with government to keep the issue of international norms and standards as an ask of government, exercising its proper role. And I see it as simple as there are rules of war, there are rules that govern civil aviation. Public law has been profoundly successful in the world and often gets a bad rep. But it can be done here. And I think it's just an ask of our governments to do that work at the same time. We have to continue to invest as private sector companies and we have to continue to work together. But we just can't lose the umbrella, I think, of the need for international norms and standards. The only thing I would say and want to just draw one point is that I do think it's important that we move beyond the concept of information sharing or sort of collaboration with government because that's still all in some very deep sense playing defense. It's still waiting for somebody to attack and just getting better at the response or even getting better at your preventative measures but that's still all defensive work. We have to go on the offense and going on the offense means having a real conversation in private sector and with the public sector on what does security by design look like for the new digital world? How do we ensure that every internet connected device has some form of identity? How do we continue to invest using all sorts of new technologies and our global payment systems to ensure they are more and more secure, our global security clearing systems and so on? There are ways to design things up front without embedded passwords that say password 123 without so many basic things that are fundamentally wrong today. But if you can get it fixed, yes AI will be a terrible challenging thing to worry about and we worry like crazy about quantum computing which can break every cryptogram in the world today. Yes, we'll deal with all of those things as we come. Let's fix some basic stuff now in design and let's be consumer centric. Let's give consumers the right to make the choice. Why not have the equivalent of a nutrition label on devices that or a good housekeeping seals approval as they say which is a US concept that kind of gives the consumer some sense of the level of security of what they're opting into. Just an idea but why not talk about it more? Good, Michelle did you want to add? I would like to look to two things we'd have already been referred to. Time and the global nature of cyber crime, cyber security. Time is a critical element. If we do not manage to keep up with the pace of the criminals and the terrorists who are lost, hand initiatives taken proactively by United Nations in making sure that the capacity of counterterrorism prosecutors and central authorities in gathering digital evidence is done through rising and networking with the private CSPs. Ensuring that CSPs are aware of the rules of engagement and working with law enforcement and justice that we exchange best practices, that we exchange also lessons learned and create awareness. But we also get quick access to data through formal and informal mutual assistance. That's possible by this public private partnership depending on the nature of the data, content, meta, subscriber data, we can manage and assess certainly in emergencies to get access to data quickly. So there are some improvements made in a proactive way, global, proactive and timely way. Excellent. Questions that all of you have for our panel. I'm sure there must be a few things that have come to mind or questions that you may have for the folks. Yes. And if you wanna just say who you are and where you're from. Hello, this is Zunayath, State Minister for Iowa City from Bangladesh. I'm also a young global leader from 2016. So thank you very much to the panelists for discussing and sharing all of your thoughts. And from Bangladesh, I would like to also share with you that in last year, we have also lost 81 million dollars from our central bank. So actually we woke up last year. So we have actually got the wake up call. So now we are actually introducing the policy because we need legislation because digital security act. Under that act, we are going to set up the digital forensic lab because when we are talking about the track down the attackers and also we are talking about the preventive measures. But at the same time, after the attack, we need collaboration cross border collaboration and also we need our local capacity building. So the first thing, how we can track down the attackers. And the second thing is cross border collaboration. And the third thing, the human resource development. So what is your suggestion? I would like to know from the panelists. So how we can work together private public collaboration and partnership for developing the human resources for creating the cyber security expert pool. That's an excellent question. This question of the human resources that are necessary to address the threat. Thoughts on that? It's a very welcome question. For executives at private firms running cyber today, you face an insurmountable, what feels like an insurmountable challenge, which is to say that the demand for talent far outsees the supply. And in a world where there are these serious disconnects and issues and important dialogues to have around employment, that seems to be a critical issue. Many private companies have partnerships with universities. And again, I think the need for private and academic collaboration is important. MasterCard has a major facility in St. Louis, Missouri. We work with Washington University on a whole set of cyber related issues. I think at the end of the day though, we need things that can scale. We need the academy to beef up its education and we need to produce more graduates in key technology, technological centers and areas that are relevant for cyber. And we think there is a way that private companies can collaborate with government. So again, I'll give you a US example. There's twin crises in the US. There's not enough cyber talent and there's an enormous issue with student loan debt. We've proposed working with governments to say, why don't you go work for government for two years, come to work for MasterCard for two years and then we'll forgive all your debt up to 100,000 US. It seems to be, why is that still cheap to get cyber talent to do that sort of stuff? I think there's a ton of opportunities like that that we can push a lot harder. But again, private sector has enormous demand for cyber talent, needs to be talking with their university partners and that's something we're trying to do. But one element that is pretty amazing is that we see on the other side that the parrots have a way to educate themselves. So the know-how is existing, we just need to organize it. And one of the question is all the concept like the max and other new type of university can be also applied to the cyberspace. And I think there is a little bit of innovation to be done in this field. So that's a very interesting point that if a significant portion of the hacker community is self-taught, can't that be harnessed for the cybersecurity industry too? You have also to consider one element, if you take a courses to have somebody that is trained and considered as graduate from a university, he needs to go through a courses that has been defined by university. For the hacker, it's completely different. He will organize himself and the benchmark, his graduation, is to be successful by attacking somebody. So it's a different courses and we see it's pretty efficient. Does cut to the chase. So other questions, yes? Donald works from here from Heineken, so beer has nothing to do with cyberspace, but we hear a lot about security and devices. And Tim, you said that the big question was to find a way to identify the user of a device with his real identity. Now this morning I attended another session where a gentleman from a Indian governmental body said that they are embarked on a very huge program of linking biometrics of each individual to mobile phones. And to banking. Can you tell us a little bit more of how far advanced are they? Is this really the technology of the future we're speaking about and how fast that it will go in the other parts of the world? I can give you, do we have, how much? Right. So the Indian government is working on a way of really identifying human beings and it's called the Aadhar system. And it's extraordinarily advanced and it works and it works well and it's being used to set up bank accounts today and really help with financial inclusion. India's one end of the pole and I think there will be a range of national answers to the question of digital identities for people in the future. We know that for financial inclusion a basic identity is one of the critical things you need. It turns out we are all gonna have to refashion our identities in the digital space. Because right now the way the system works is each party that we interact with in e-commerce manages a different identity relationship with us and it requires passwords which I can't remember and it requires expense and it's poorly done and it's a system where there is a market failure that is waiting for a solution. The Indian government solution is a centrally government driven solution that works. The notion that in the United States that there would ever be a centrally driven government digital identity solution is a political impossibility. It will never happen in American culture and so in the United States you'll have a different answer to digital identity, probably private sector driven or some combination. The needs for public policy around that space are yet to be identified and then in Europe there's a mixed position. The government is leading with some key new regulations in our space, it's called PSD2 and others and there are private sector players. So the world will have a complex set and a distinct and different set in our view of answers to the question of digital identity. The Indian model is one, it's not the only one, it is one that's live today and working. But I think the example shows the dilemmas that we need to deal with. I mean, the UID project which was called, I think they have 800 million people now which is quite astonishing in four or so years, maybe five years. It's almost impossible to imagine and they did that. So my point of view is that there's not a technological limitation. We can solve this problem. There are convoluted ways or designed ways or... So it's more of a, what are we willing to give up? Do we wanna give up privacy for security and how far do we wanna go with that? How much do we wanna give up country control versus global? These are some of the, how much do we wanna give up? Simplicity for perfection. We gotta find the right things. We've done that in the physical world. When cars began to drive faster than horses, they became dangerous. And so over time we invented roads that were more safe and airbags and what have you. And if you look at it today, and probably the next thing will be self-driving vehicles that don't bump into anything. So we do have responses, but we need to solve these fundamental problems. How far will we go? And these are not simple questions. So that's my concern. It's not a technological problem. But we have also to be careful and there are some lessons from nature. Diversity is still important. If we try to do everything in one single way, we have really a big risk. So there is a need to have diversity, first to emulate innovation, but also to be more resilient. Because if you have every risk that is concentrated, then the opportunity for the hackers is really outstanding. I think this comparison to nature is beautiful. Think of the immune system. It's not that we assume that we won't get a virus, but our body is designed in a way to deal with it. Where in most cases the body doesn't die from that. And I think that's the kind of, it's a very decentral thing. The last challenge we have is that if you centralize too much, the whole idea of the internet, which is a very decentralized, innovative, everyone can use it, falls away. So how do we balance that? It's also a challenge. And it's interesting, Tim, you talked about that politically, it would be very difficult to imagine a centralized identity solution in the United States, but perhaps a centralized solution isn't necessarily the right solution either. There are technological solutions like blockchain technology, for example, that approach those types of questions from a different perspective, from a decentralized perspective. By the way, blockchain technology can be also very interesting in a way to exchange information regarding security, because then we can ensure the element of the trust chain and to think in a different way out of the box as a way to address this issue. So there you go. And so I think now we've accomplished the mandatory goal of introducing blockchain into every discussion going on this week here. So I'm glad we were able to accomplish that. One last question from our audience, yes. I appreciate that. My name is Leila Koshane. I'm invited by a delegate of Google. My background, I work actually in cybersecurity, but also physical threats for organizations. I was involved a little bit in the investigation of Bangladesh and was down the street from Heineken. You might guess who I was representing from that, but that's all I'll say. I have a proposal because my clients, they can go into the red teams and hack themselves and trace that. They can look at post-incident, but we brought up a point here, Mr. Koldelsky, Mr. Murphy. You brought up the point of what I'll call the preventative threat. How do we go into the dark web and monitor? And I advise them, my clients, to put up avatars and go in. I cannot advise that to a private organization to pretend to break the law. So we need the governments and the law enforcements to do that for us. And yet they are also not doing that or also under scrutiny. You may have heard about the FBI posting to try to get a child offenders and for 13 days they have a false site up and then they were in trouble for that. So even our legal enforcement can't do it freely to try to stop crime. So any thoughts on how do we get it to help the private sector because they cannot falsely impose, let's call them avatars in the dark web to trick and listen for threats? Any thoughts on? Yeah, and that's a very interesting case. This was the FBI seized a website called Playpen, which was a child pornography site. And rather than shut it down, not only did they continue its operation in essence operating it, but they also introduced a tool onto the site that would allow them to identify who is accessing the site. So very much a gray area where it's very unclear that a private company could do that and very unclear that a government agency could do that in the absence of warrants and other types of structures that would have been very difficult to get in that type of a circumstance. But the interesting element if you take the US Constitution, it's granting some self-defense rights in the real world but not in the cyber ones. So that is one of the paradox that we see. Right, well. This is a very difficult issue and it really is impossible I think for private sector companies to go proactive. The risk is enormous and just really can't be entertained. I do think the answer to your question has to be some framework under, to the extent a nation chooses to have that capacity, some framework for that to be held in a law enforcement public space with the appropriate controls and guidance around it. I don't see it as an, self-help was never a legitimate, I mean rarely legitimate in the physical world. You're really not supposed to hit back and it shouldn't be true in cyber either for private sector actors. Very interesting, of course, the debate we talk about are global commons and we think about, when we think about a global commons we often think about the maritime environment and that the hacking back debate, the US Constitution does, may have several provisions but there's also the concept of letters of mark and reprisal right that you could be issued, the ability to go and hunt pirates on the open seas. Anyway, not that we're suggesting that that should be the way that these questions should be approached but I do think what this discussion has suggested is that there is a need, a continued need for places, not only the concepts and centers but places where entities can gather to discuss these issues. And in today's world it's interesting when we think about some of the challenges of the past we think about nations coming together to talk about these issues and we have the United Nations. We think about allies, military allies coming to talk about these types of issues and there are centers of where military allies come and talk with one another. What's interesting in this environment is that of course major multinational corporations and small and medium-sized companies as well as academia, universities, others all have a stake in this area and a role that can't be escaped that that voice needs to be at the table as well. And so I hope that I don't know how many of you were able to see this morning. There was a press conference that the forum held to announce that the forum will be creating a global center for cybersecurity in Geneva to create that space, to try to fill some of the gaps that we've described in this discussion not to duplicate the efforts of other centers not to replicate the roles of government or governmental entities but to provide a place for the continued examination of how do we continue to build better public-private cooperation around things like cybercrime? How do we help build capacity in governments that might not have the technical skills that are necessary or smaller medium-sized businesses who may need more guidance and help? A place where concepts like norms or standards of action can be discussed. And I did wanna note, this session when it was planned was scheduled to be introduced by the person from the forum who really led the efforts to stand up this center. Tragically, he passed away, Jean-Luc Bess passed away over the holidays, not three weeks ago. Over the past holidays. And so unfortunately, he is not here to introduce this center. Many of us had the opportunity to work with him and I think that he really embodied this idea of public and private collaboration, cooperation from a background, not only here at the forum but a long background in law enforcement in Switzerland and with the international community, with Interpol. And so we just recognize his contribution to this effort as the forum launches out on the creation of this new center. So let me ask all of you to please give a round of applause and thank you to our panelists. It was an excellent panel today. Thank you so much for spending an hour with us and we hope that it was useful and informative for you. Thank you. Thank you. Good job.