I'm Karen Tso, co-anchor of Squawk Box Europe from CNBC. Thank you so much for joining us. Big warm welcome to the World Economic Forum, participants, delegates and stakeholders. Thank you so much for joining this special discussion, Protecting Cyberspace Amid Exponential Change. It was roughly six months ago, I was on a similar stage here at the World Economic Forum with the Secretary General of Interpol who was warning us about escalating cyber security risks that effectively military-grade cyber weapons would eventually end up in the hands of criminals bringing more sophisticated cyber attacks. From state actors amid the war in Ukraine to cyber criminals, the threat is growing. Data collaboration with authorities remained low and new digital ecosystems are complex with vulnerabilities that we've yet to uncover. There's plenty to discuss. Let me introduce you to the panel and also feel free to engage on some of these channels. Hashtag WEF23. Joining us on stage, Sadie Creese, who is Professor of Cyber Security, University of Oxford, United Kingdom. Doreen Bogdan-Martin, Secretary General, International Telecommunication Union, or ITU. Chuck Robbins, chair and CEO of Cisco. Brad Smith, vice-chair and president of Microsoft. Thank you all for joining us today. Well, first up, let's start with some data, some key takeaway points from the 2023 Global Cyber Security Outlook Report. This is a study of cyber professionals, rather than business leaders, how they view the threat. Effectively, the threat has changed. The focus now is on business disruption and reputational damage from cyber criminals than was the case a year ago. Also, the perception gap between business and cyber leaders on the importance of cyber risk management has changed. 91% of all respondents now believe that a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years. Professor, why don't you kick it off for us?
You're an expert in the field of cybersecurity, threat modeling and detection. Are cyber experts and business leaders right to fear an imminent damaging cyber attack?

Absolutely, and in fact, the geopolitical instability that we're witnessing is increasing the challenges and actually the pace at which this risk is growing. If I could just sketch that out for the room. Obviously, if you're operating in an area that's experiencing on the front line some of this conflict, then companies and organizations, they're gonna be facing some significant risks. I'm sure everyone in the room is already making a sensible response to that. But if we see the situation where nations involved in conflicts become less restrained in cyberspace and that's gonna have very significant consequence for us all. You mentioned that some of these technologies find their way into the broader supply chain. It's beyond just technology. What we're experiencing, if I can sketch it out for you back at the turn of the century, it was really easy for us to try and classify threat actors in cyberspace. What's happened in the last 20, 23 years is a massive evolution of the ecosystem to a point where you see collaboration almost on a commercial scale. And what that means is people are sharing knowledge, they're sharing networks and they're sharing cyber weaponry and anyone that's even acting in sympathy in areas of conflict right now is going to be free to use that knowledge and that experience in conducting other activities in the future. This coupled with some of the decoupling that we've seen in East West, some of the fragmentation, more protective tendencies that we've seen as nations reach towards protecting sovereignty and economies means that we risk losing the opportunity that cyberspace can bring us if we get too protective. So somehow we have to balance the protective measures against the collaborative measures that we need in order to realise the opportunities that cyberspace can offer.
Now, I'm a computer scientist, so I feel like I should drill down a little bit on the technology risks before I hand over to colleagues. Whenever we come to Davos, we're always inspired at the potential that technology can bring to all of us. And right now, today, everybody's immersed in the metaverse or at least dreaming of the metaverse. And if not the metaverse, it's quantum or it's artificial intelligence and things like that. These huge investments come alongside, as we all know, with any new technology, any new business model, any new supply chain, any new ecosystem, any new trends in the way in which we humans engage with technology can bring about new attack surface and opportunity. And that's happening and growing at a significant pace. So if you imagine this, our ambitions for digital and data growing at a pace. Unfortunately, that means the potential for harming us because we're becoming so dependent upon it is growing at a pace. That then amplifies the interest of cybercriminals and cyberterrorists, that's growing at a pace. And what you can see is the perfect digital storm, although that perhaps is the wrong metaphor to be using.

All right, Secretary General, let me turn to you. I saw an article describing the ITU and I'm sure you've seen this description before, somewhat of a backhanded compliment, the most important agency you've never heard of because of all of the work done that underpins our communication systems from smartphones to Wi-Fi that updates apps. As we take a look at the landscape now, which is changing, what jumps out to you about the technology, the approach from a policymaker to a company level that is required here to bolster digital resilience globally, given the threats we are facing?

Well, that's a great question. Maybe if I could start with what keeps me up at night and that would be really the threat of a complete disruption, a digital storm, as you said, a complete disruption to global communications.
And I was thinking about this session and Brad, I recalled back in 2008 where we had a senior representative of Microsoft come to speak to us at the ITU about cybersecurity and he started the briefing asking us who had seen Die Hard 4. Of course, being a Bruce Willis fan, of course I raised my hand, but it's interesting to think 15 years after that movie actually came out how real it is that we could actually have a complete disruption of our critical infrastructure and the impact, of course, that that would have on obviously people's lives, on communities, and of course, on the economy. I think it's real, as you have said, and of course we add to it the risks around AI, the metaverse, and countries, companies, we need to be prepared and we need to be prepared for what we know, excuse me. We also need to be prepared for what we don't know. And I think there's much to be done. There's much for the ITU to do. Working as a community, I don't think one entity can manage this, so we have to work as a community. We have to put people at the center, it's absolutely key. We have to work holistically, because it's not a tech issue, it's not an ITU issue, it cuts across everything, every silo. And of course we have to look at our networks, we have to look at our coverage, we have to look at our security, redundancy, robustness, and make sure that that's there. We also need to have the right policy and regulatory frameworks in place, and of course we have to focus on capacity development. And Sadie and I had a long chat on capacity development before. I think it's important in this room as well to remember that least developed countries are not prepared, and maybe I can come back to that day afterwards, maybe I'll get my voice back.

Thank you. Let me turn to you. Cisco works globally, building digital resilience for institutions, governments, companies. Are you raising the red flag on the threat level this year and next?

Well it's, first of all, thanks for having me.
It is, there's so many things happening in the way people are working and the way enterprises are building their technology infrastructure, that in the last 36 months, I'd say the threat landscape has evolved tremendously and it's expanding rapidly. So give you a few examples. Number one, just hybrid work and mobility. Everybody is everywhere and so you have to protect them regardless of where they are. We're having to think about the home as a small branch office now. That's one thing that's happening. The second is, most enterprises are moving away from having their own dedicated network out to their remote locations. And they're basically creating virtual networks on top of the internet. So they're connecting to the internet and then they're having secure tunnels or connectivity through the internet to get to cloud services like what Brad and the team deliver. That's the second. The third is obviously IoT is exploding. We are now coming out of, I think, executives and heads of state and others during the pandemic, they came to grips with the real power of technology. And so all these projects around, you know we can connect these things and they're like, okay, and change a customer experience or change this. And in some ways there's value to connecting some of these legacy systems because there are major security issues with the current architectures. But if you add all that together, and then layer on the geopolitical dynamics that are happening, we're at a high risk level right now. And so for us, if you think about those environments that I just described, we believe it's important. Our team has shifted this year to not only the business opportunity, we do several billion dollars in cybersecurity every year. But our team has come to the conclusion that we have a responsibility because all of those situations that I just described, the common denominator across all that is the network. 
And so we believe we now have to bake security deeply into the network because that's the only place where you can really guarantee the protection. So it's on us now.

Brad, let me turn to you because there are constant threats here as we take a look at cybersecurity from the geopolitical side to what we're seeing from criminals. Just weigh in on the extent of the threat that you think we're facing.

Well, I actually think the current situation is pretty textured, is the way I would put it. The first thing I would just note is that the last 12 months have been the biggest victory for defense of cybersecurity technology since the cybersecurity profession was created, in my view. The last 12 months have witnessed the most vigorous, aggressive, sustained, destructive wave of cybersecurity attacks in history. It's been Russia, the Russian military seeking to pound targets across Ukraine as well as six in Poland. Who has read about a massive cybersecurity defeat in Ukraine? No one. There hasn't been one. And this represents one of the important advances, in my view, really over the last five years. It's the advance in defensive cybersecurity technology, especially the combination of threat intelligence and endpoint protection. And what it shows is that when you have organizations that deploy technology across the spectrum and apply it well, defenses can hold. But I think the reason the situation is textured is all this can be true and threats can be rising at the same time. Why? Well, one is because the landscape is so broad and because there are many that have vulnerabilities, either because they're creating technology without the kinds of controls and say the supply chain or they're not deploying all of the protections that exist. The other reason that threats can rise is of course none of this stands still. So you can have new gradients, new increases in threats. Certainly I see more amassing of zero-day vulnerabilities in China, that's a huge threat.
The Russians are not going to stand still. Even though the last 30 days have probably been the quietest since before the war began, in terms of active cybersecurity attacks, none of us knows whether a spring offensive on the battlefield will be accompanied by a spring offensive in cyberspace. But it's not all bad, it's not all good, it is the future, it's this constant tug of war between offense and defense.

Chuck, I want to pick up on your comments around the network. Do you need to shrink the network to try and keep it safe? And what I mean by that is this de-globalization theme that you need to stop investing in certain places of the world simply to shrink the network.

I think that's a great theory, but it's not going to happen. And we've seen the Russians. They attacked us for 90 days straight after we pulled out of Russia and we actually published a document about it so it's all public information. But I don't think so. I think the reality is that we have to integrate security at every point, right? I mean, it has to be integrated everywhere. It's got to be integrated at the de-mark of the branch or the home or the mobile device or whatever, it's got to be on the edge of the cloud where these guys are operating. It's got to be sitting in the electrical grid. I mean, it has to be everywhere. And so I don't think there's any level of decoupling because the bad guys will find a way to get connected.

Professor?

Yeah, if I may. I agree wholeheartedly and I would say this. I've worked in cybersecurity since the last century and whenever we have imagined that we can somehow shrink down to the crown jewels, people have been wrong about that and often actually because the system is not just technology. And so back in the olden days, I'm sure colleagues would remember this.
We used to have, in fact, your movie, I think previous movies even, this notion that you could have air-gapped systems that were considered more critical than others and somehow we'd keep all the bad stuff out. And that only works, of course, if human beings are not involved because the true system is people as well as technology, as well as processes. And so this idea that we can shrink it is one unrealistic and it's been tried before and it's an abstraction too far. But the idea that we need to think very precisely and more clearly about what kinds of controls we need, I think is really, really strong and sharp and we have limited resources in cybersecurity. So we do need to be very creative about where we put it.

Brad, can I bounce us back to you because there are plenty of excuses to shrink exposure. If you think about the trade wars that are played on the technology side, how the US and China have been at loggerheads of approach to data and technology, the war in Ukraine as well, are there reasons to shrink the amount of places you will invest in to protect the network and protect many companies and clients from cyber risk?

Well, I agree with the other folks here. I actually think asking organizations to shrink the network is like asking people if they can breathe less air. Yeah, I suppose it could be done but I'm not sure that the consequences would actually be all that desirable. What we really need to do is strengthen the protection across the network. And that is in part what Chuck was referring to. That's where the technology is going. What we need is oftentimes people, organizations to move faster in deploying best practices. The one other note I would add is where I think regulation is making a difference and is strengthening the network, if you will. If you look at the world of technology regulation, Europe, the European Union, has been the clear leader in privacy, in antitrust, in digital safety.
But the United States has led in cybersecurity regulation really during the last two years, principally through executive orders. And so that at first is just strengthen the network across one government, the United States, but it's set a model. But it's also, I think, creating a higher bar with more common standards, especially for the technology supply chain. And if you think about where a lot of the vulnerabilities can creep in, it is in the supply chain. So I don't want to come across as just the unbridled optimist, but we should, I think, recognize that some of the things that we have been pursuing over the last couple of years offer real promise and more promise in my view than shrinking the network.

Secretary-General, do you want to weigh in here about how we keep borders open, but also protect networks?

Yeah, I mean, I also agree that to kind of shrinking the network is not, I don't see that happening. And of course, with a third of humanity that's not yet connected, I see growth will continue. And as growth continues and we get more people online, the risks also continue. So I think we have to keep that in mind too. The point about best practices is also critical. I think international cooperation, as you mentioned, is key, sometimes it takes a long time, but I think we can't give up. We have to keep working together, international collaboration, sharing best practices. Something we did at the ITU was the creation of the Global Cybersecurity Index. We worked with partners to create that index. We look at countries' technical capacity, legal capacity. We look at their organizational setup, their capacity side to manage cybersecurity, and also how they're cooperating with different institutions. I think that's been, it's been a great resource to help countries see where the gaps are and what they need to do to, well, improve their ranking, which ultimately improves their cybersecurity.

Let me talk a little bit more.
I would just say, I think that's a really important point because I think people often look at cybersecurity and they naturally focus on the technology dimension, but a lot of this comes down to a very human dimension. It's really a workforce issue. One thing you see in almost every country in the world is a critical cybersecurity workforce shortage. In the United States, for every two cybersecurity jobs that are filled, one is empty, small businesses, others cannot find the people they need. You go to the emerging markets, you go across Africa. The shortage is even greater. So one of the things that many of us are investing in, frankly, we're building on a model that Cisco created a long time ago and is still a leader in, is just training people so they can fill the jobs. That's how you meet the capacity needs.

I wanna talk about ecosystems. So we started off the conversation talking about vulnerabilities that we don't even know about more and more connected devices, more systems where there are potentially more access points on top of that new technology coming into the mix. And it was only several days ago that Chinese researchers were saying they have the ability with quantum computers to crack encryption. Some are questioning just what that timeframe is. And then there's new technology that some are invested in or on the panel here, ChatGPT, and what that can do in terms of driving phishing. Just weigh in, Professor, first on the ecosystem threat and how we start to think about addressing these new threats that are coming our way.

Yes, well, I think the starting point for addressing new threats has to be more imagination. When I talk to boards very often, the concern I hear is that they're not sure that the risk analysis they've conducted is right, is anticipating the right serious events, possibly existential threats to them in the coming years. And one of the things I think we really need to be doing is not just baking security into the network.
We should do that as much as possible, of course, but we need to bake cyber resilience and cyber into the DNA of leadership and of businesses throughout at all levels because actually cyber security we all know is there's no such thing as 100%. So the art of cyber security, and it really is sometimes an art, is actually being resilient in the face of insecurity. And so it's such a complex space. We, yes, we need good threat intelligence, but you know what? We need more than that. We need to know what to do with it. We need to know is this a 3 a.m., 4 a.m., 5 a.m. reaction, or is this something I'm going to think about over coffee weekend? And the truth is in many organizations, the most senior leaders, the ones that are ultimately on the front line when things go wrong, they have to face the press. They're going to be on this platform next year, explaining to all of us how it was that they acted in the way in which they did act in the face of this threat. These people need to be equipped with the ability to lead and govern well in the face of it. So we've got to be able to help our organizations and our biggest businesses and the people that drive them bake cyber security into them and what they do, as well as try and keep as much out as we can. And then the one final point is this, just if we all accept that this is about being resilient in the face of insecurity, we also need to have our eyes open really and always be thinking when we innovate, when we invest in any kind of digital opportunity, let's ask ourselves the questions, what the risk is that we might be also creating and make sure we're innovating as much in that too. Because I think that kind of dual investment is really the secret, I think, to dealing with this kind of exponential growth in risk. 
And Chuck, what advice do you have to companies that have connected up more and more of their operations at this point and are just unaware of vulnerabilities that exist, let alone the next onslaught of challenges from quantum computing and the like?

Well, I think the good news is that over the last 15 years, we've come a long way in our acknowledgement of this issue. I remember probably a decade ago, we had a service around security audits to try to help customers understand their, and no one wanted to do them because it brought, the results brought a responsibility that they didn't want to deal with. And now that's not the case, obviously, everybody, every boardroom to your point that they're talking about this. So I think that when we talk to the organizations, I think there's a few things. I'm gonna flip it a little bit here because I think how we ultimately get better and better and better at this is we have to create more partnerships, right? I mean, in the tech world, our cybersecurity teams, they talk to each other, and when they learn something, they may call somebody. They take a great deal of pride in being the first one to find something, and they always wanna write the article or go on CNBC and talk about it. And I think we ultimately have to get to a place where we have some common standards, and maybe you guys can help us here, on how we share threat intelligence in a real-time way. And I think that's gonna be super important. The other thing I think is important is we gotta figure out how to optimize public-private partnerships. Washington has talked about doing this, but I can tell you, when the Russians were attacking us back starting last May, we called some of our friends in the agencies, and they're like, oh yeah, we know that signature. Here's who it is, and here's how they do it. Here's some of their tactics. It's like, well, it would have been good to know that up front, you know? And so we're not really as good at that yet.
But what we're trying to talk to customers about is I think we're gonna emerge to, our customers have come to the conclusion that this has gotta require, drive tons of automation into this. We gotta create platforms, and we gotta feed threats into platforms that can actually help you determine, is it a 3 AM action, or is it something you need to have over coffee? And I think that's gonna take probably the next, I think you'll see those begin to emerge in the next 12 to 24 months.

I have a question on standards, but I come back to that because I want to just pivot to you, Brad, first up on ChatGPT, because it is certainly capturing the internet is capturing a lot of company boardrooms by storm about the potential for these bots. But that said, are you aiding the cyber criminals with this type of technology to encourage them with phishing attacks?

The answer is no. Probably won't be surprised to hear me say that. I think what the one really needs to start to imagine is what are the various ways this technology could be used? How could it be used for good? How could it be used to create challenges? To some degree, it's an extraordinary tool to identify patterns in a data set. So anybody who can amass a data set could certainly identify new ways to find patterns. Now the truth is those of us in the tech sector should be ahead of everybody else in, among other things, using it to identify vulnerabilities and address them. I think we may find that it will become a more relevant topic as people are thinking about the future of information, intentional influence operations, people creating disinformation and also combating it as well. And we're not even at day one really for this. I do tend to believe that if we do our job well, if we're vigorous, this will be a more effective tool for critical thinking and helping people around the world think about and identify where people are putting out narratives and how to evaluate them.
But there's a huge future, a huge journey ahead of all of us in this space.

So you're not seeing reputational risk around ChatGPT?

It's like every technology that's ever been invented. It will need to be used responsibly. It will need to be used well. If it's used without thought, then it's a different situation. But I think the promise far outweighs the peril, but we cannot afford to close our eyes to the peril either.

Secretary-General, I want to pick up on standards because as we can hear, they're necessary at this point. And it may aid reporting. Underreporting has been a massive feature. Interpol was talking about that being a challenge that authorities are flying blind and companies not reporting information unless there's a clear benefit to them for doing so. How do we change this?

Standards are key. Definitely norms, frameworks, codes, best practices, I think that's critical. The ITU has been engaged in the development of some 200 security-related standards. There's much standards work that's actually ongoing in the space of the metaverse. Discussions ongoing in artificial intelligence as well. I think your point about public-private partnership is also key and is also linked, of course, to standards because our standards making process is private sector-led voluntary standards. We have been fortunate at the ITU to actually partner with you, Sadie, with you, Chuck, and also with you, Brad. And I think those kinds of partnerships are what we need. And we have to double down and find ways to advance. I do want to say, in the UN context, and I know the Secretary-General spoke this morning, he didn't get exactly into issues linked to cybersecurity, but he did make the point. If we leave one person behind, we leave everybody behind, I think the same is true in cybersecurity. If we're not all safe, then nobody's safe. So I think we have to keep that in mind and try to push forward for further collaboration.

Sorry. Chuck, Brad, one to both of you.
Cyber security is no longer just an IT issue. It's a business-wide issue. The SEC wants to beef up cybersecurity reporting from incident disclosure, strategy, executive skillset in cyber. Also, there was an FTC order late last year against an Uber subsidiary company called Drizly, and effectively it held the CEO to account. He must now implement an information security program even at future companies that he works for. So effectively, CEOs are now on the hook for accountability potentially. Is that right, Chuck?

Look, I think it's like anything else. I think somebody's got to be accountable.

Should it be you?

Well, in some cases, absolutely yes. In some cases, probably not. I don't think it's binary enough to make a law around it. I mean, there's things you just can't know. Right? And so it's, but sometimes it doesn't matter. Somebody's got to fall, right? But I think it's, look, at the end of the day, I don't think any of us as CEOs are sitting around letting that decision drive how we think about this. We're much more worried about our brand, our reputation, the impact of the business. I mean, those are the things we care about. And those should drive more behavior in the appropriate direction than any sort of legislation or rules that come out of Washington or wherever they come out of.

Brad, quickly, just to you, should the board be accountable for cyber security?

Well, I think boards already are to some degree. Obviously accountable for each individual member. I think that is probably a little less constructive, to be honest, in terms of that kind of following somebody around from employer to employer. The role of the SEC is to ensure that there is transparency about issues and risks that are material to investors. And so a lot of the lists that you recited does have a governance framework and other things that would fall within the category of things the board would often be responsible for and be considered material.
I think that you have two other issues, though, that are very important. One is, if there's a specific incident, if you suffer an attack, should you, as a company, be under a legal obligation to report it to someone? And I think there's a good argument that the answer is yes, it may or may not be the SEC. And it probably isn't to the public, because what you really want for a specific incident is for information to flow, so that then the problem can be corrected rather than have it spread. And there's just this key issue around policy when vulnerabilities are identified, where does that information go? And you see widely differing views being taken by different governments around the world. That can have a huge impact on the threat landscape.

Brad, thank you. We are going to take some questions from the floor. So we have a microphone that is ready to go. Does anyone have a question that I'd like to picture the panel first up? Say whereabouts you are from, if you could, and then if you have a specific question directed towards these speakers.

Sure, thanks for the great panel. My name's Tom. I'm the CEO of Hubble. We're a cybersecurity tech pioneer. First Davos here today. More importantly, I'm the former line of business CISO from AIG Insurance. And we had 17 different lines of business across more than 30 different countries. And we're dealing with Israeli data privacy law, some of the new legislation in China, GDPR, of course. You name it. And I think, I'm in DC, we talk about policy and I feel numb every time we talk about public private record because we've been talking about it for so long. So I'm more interested in the vendor response to enabling your customers to navigate those environments. Because we talk about the threats a lot. We kind of know what has to be done, right? We have the frameworks. There are white papers all over the internet about the controls that we need in place.
But what are we doing as vendors to enable your customers to implement the technologies in those countries? For example, in Germany, took us 12 months almost to implement a certain security control because of workers' council challenges. And I talked to other CISOs in the FS-ISAC. They're experiencing the same thing. So I don't think there's a good policy, like there's no short-term policy answer to this. So I am curious what you got two big brands. What are you doing to help your customers move more quickly to implement your tech?

It's a really good question. I think we're all dealing with, first and foremost, we're dealing with how do we deploy our own solutions in light of all this nationalism that's occurring in the data sovereignty. I mean, there's such a wide range of requirements depending on where you go, by which country. And so I'm hopeful that when we solve it that way, it will provide architectures that you can then just plug into that will then take care of it for you as well and will actually take care of the underlying stuff. Maybe not in every single case, but I think a lot of it will be resolved. We need everybody to settle on the policies. They're still debating them all over the place. And new ones pop up every week. And so it's a big moving target. So you start investing and spending a lot of money with your teams, and then it shifts, right? So I know we're dealing with it. I know you're dealing with it.

I think your example is a really interesting one because first, when you're a large supplier in the industry, you want to basically take the state of the art cybersecurity protection and for the most part, bake it into your products. You then have this interesting question. Now that it's in, do you turn it on by default? And a lot of times these days, the US government is especially asking large tech companies to turn something on by default.
Your scenario actually also illustrates what can sometimes be some counter pressure, which is having security within a network, having security for information or having security around identity may have implications for data that's collected about employees. So you may find that there's some tension with the privacy law or the rights of employees in countries that act through a workers council. There's this other aspect that I think is also important. Let's go back to sort of one of the questions you asked before, what should people do? Look, believe me, you should buy what we're making. I mean, if you just look at how much the technology sector has advanced. Not just in- I agree with him by the way. Yeah, no, it's not just the basic features, but the multiple layers then of cybersecurity offerings. And if you don't like what Microsoft has to offer, but you'll be happy to help. You want a robust ecosystem with a lot of competition. And that's what the world has to offer today. And to some degree, then you have a new layer of complexity, but that's why you need skilled professionals to be able to evaluate for each entity what they need. We need to do a good job in helping people, but I don't think anybody ever wants us to claim that we can offer every answer. You actually want a robust ecosystem. Before the activists get too involved on social media about the sales pitch, let's take some more questions. So I'm Michael Daniel. I'm the president and CEO of the Cyber Threat Alliance. So interestingly, one can make the argument that the global use of technology and the global deployment of the same technology around the world has served as a restraint on government action, offensive action, because the tools that can be used against your adversary can then be turned around and used against you. 
While I agree that I don't think we're seeing decoupling, I do think we're actually seeing technology divergence and the emergence of different technology spheres into like a Western sphere and a Chinese-led sphere. And so my question is, do you think that could actually lead to increased instability and use of offensive tools because the same restraints are no longer there? Professor, this might be one for you. Yes, so starting position, I think it's really excellent observation. What you're essentially saying is, are people going to get out some of their cyber weapons because they're pretty sure that perhaps the same can't be used back at them? Well, if it was as simple as that, then I'm sure there will be some examples. But I have a suspicion that some of the restraint is not solely because there's such commonality, but I also think to a certain extent, people are slightly unsure as to what their opponents are capable of. If I can give you another example, it's very hard to monitor the stockpiling of zero day for anyone in the room that doesn't know what a zero day weapon is. That's a cyber weapon that's going to target a vulnerability that's not been targeted before, which means all of our defensive measures that rely on us having seen it happen before won't be effective defense. It's very hard to externally, empirically, observe the ecosystem and say these parties are developing these capabilities in the way in which we can if we were, say, monitoring nuclear activity, that kind of thing. But I do think it's a very interesting observation. I think actually I would build on that and I would say a further consequence of decoupling and associated fragmentation around the edges is actually going to be that it increases the cost of doing business in multiple markets. 
And what that's going to do is probably going to lead to some organizations going back to this box ticking compliance exercise where they're going to do the minimum in order to conduct business because one can't afford to do the optimum in all of these different markets who have all of these different standards. And so, unfortunately, I do think it's going to lead to increased risk for many different reasons. And there's a really interesting and important question I think for the world laid in that example. And Michael, I'd probably worry less about what you were describing and more about this. What should someone do if they discover a new zero day vulnerability? Namely a vulnerability that no one has identified before. Now, the truth is almost every tech company would say, please give it to the tech company whose software has the vulnerability so they can fix it. And if you are that company, jump on it and fix it fast. Now in China, the law today is if you discover a zero day vulnerability, you must give it first to the government. And that is a trend that is exactly the opposite from the trend the United States government fundamentally has pursued, especially since the WannaCry attack in 2017, where if anything, the policy shifted under a so-called equities process so that if the government ended up with vulnerabilities that technology companies did not know about, it was far more likely that they would turn around and give it back to the technology company. This is sort of, these are the armaments of the future. How long does it take for them to give it to you? Well, and that's absolutely right. I mean, we've used our voice as an industry, as you know, to push the US government to rebalance the equities so that it would more likely come fast to a tech company. Of course, none of us have visibility to what exactly is going on. But if you wanna keep the world secure, don't stockpile zero-day vulnerabilities. 
This is a really great example of a multi-stakeholder process because when I worked in the industry, we had responsible disclosure policies. If we discovered a new vulnerability, we did approach the company. But for this to be an effective culture of partnerships, the companies need to respond too and they need to shut down those vulnerabilities. And so we have this challenge, we need to encourage people to try and help us protect and have a safe and secure environment, cyberspace, and that's going to involve all parties acting as effectively as they can because what happens is if people discover vulnerabilities and they share it and then the companies kind of ignore it, sometimes they become disgruntled and motivated to do other things with them. That too is a big problem when it happens. A terrific question has certainly taken us down a whole new pathway. Thank you very much for that. But we're gonna wrap up the panel now before we toss over to the World Economic Forum again. But Professor, thank you very much, Secretary-General, Chuck and Brad, we appreciate your time. Please welcome to the stage now, Jeremy Jurgens, who is Managing Director, Managing Board at the World Economic Forum for some concluding remarks. Great, thank you, Karen. And thank you everyone for joining us in today's discussion. I think as we've all seen digital is integrated in pretty much every aspect of our lives. Personally, professionally. And protecting that underlying infrastructure is important then to ensuring that we can continue to enjoy those lives, even those times when we're not connected, right? So one of the topics that came up here was actually this aspect of cooperation, right? We heard it in multiple aspects here and I'd invite everyone in the room to reach out to your relevant forum colleague and to see how you can actually both benefit from the lessons that we've been learning. 
Many of our partners here with us and that we can also then help improve cyber resilience and cyber hygiene within your respective organizations, within your respective countries and the various institutions here. This is absolutely critical and it's one of the purposes of the forum's center on cybersecurity, right? How do we improve international public-private cooperation? How do we actually address some of these critical challenges? And how do we actually improve awareness with the general public of the importance of cyber hygiene and cyber resilience? I just want to point out a couple areas that I think we've made particular progress on the last year, say, okay, well, what have we done differently? We've convened a group of oil and gas leaders looking at protecting critical infrastructure. We've now extended that into the electricity sector. We're also working closely with the financial services and health sectors in these domains. And this year, we're actually looking forward to extending this and thinking of the manufacturing sector as critical infrastructure. I think all of us experienced during COVID what happens when supply chains are disrupted. Well, they can be disrupted by COVID, by shortages of semiconductors. They can also be readily disrupted through cyber attacks. So this is an area that we're going to advance in the coming year. Tomorrow we'll be announcing our 2023 Global Cybersecurity Outlook. What was one of the striking findings here? I won't share all of the information. One of the striking findings was the proportion of cyber leaders that anticipate a significant or critical cyber disruption within the next two years. I think Brad, you spoke to say it's been relatively calm. Is this a calm before the storm? So interesting is most people in this space expect that we'll see something catastrophic and significant in the next two years. 
And we'll go in depth tomorrow on actually some of the steps we can take to mitigate or alleviate the damage that such a cyber attack can inflict on your organizations, and as well some of the steps we can take to improve our cyber hygiene. So I'd like to thank all of our panelists here today and thank you all for being engaged.