We have a wonderful panel here today. We're going to focus on cybersecurity with respect to critical infrastructure. There are obviously so many ways this conversation could go. We were talking just before and getting quite excited amongst ourselves of all the different things that we could talk about today. So what we'll do is we'll spend some time with the panelists and then we'll open it up to the audience and then we'll bring it back to close. So as I said, collectively today, we're looking to identify solutions to mitigate the risk to critical infrastructure in particular. Critical infrastructure, of course, being those assets, systems and networks that are so critical, the destruction, disruption, or breach could cause different sorts of systemic effects to security, to the economy, to health, to a variety of core elements in society. So when we talk about critical infrastructure, we think of things about communication systems. We have Gavin Patterson who will help talk about that, financial services sector, Michael Bodson, certainly we have different perspectives from a government perspective. We have President Ilves as well as William Saito. And then how do we really account for the risk and the threat, and we'll look to André Kudelski to help us a bit with that. So I'm not gonna spend a lot of time introducing the panelists, you have their backgrounds. In the first round of questions, perhaps they can add if there's any additional experience they'd like to add in. But as I say, we have Michael Bodson, he's the president and CEO of the Depository Trust and Clearing Corporation. We have President Toomas Ilves, President of Estonia. André Kudelski, chairman of the board and CEO of Kudelski Group. Gavin Patterson, the CEO of BT Group. And William Saito, special advisor to the office of the Cabinet of Japan, among many other things. All of these gentlemen wear many hats. So to set the stage, cybersecurity continues to be in the news.
There's rarely a day that goes by in some international newspaper where, on the very front page, there is a discussion either about a breach or recently, unfortunately, some disruptions to critical infrastructure, including the electricity systems in Ukraine. Some of you might also have seen there are some allegations that there was also some tinkering, tampering with some major dams in the state of New York in the United States, perhaps from a nation state attacker. So we're starting to really see the risk of cyber change. We really, I think, probably 10 years ago, we thought more about very isolated attacks to specific entities, perhaps around data, but more of a nuisance, if you will. And something that was easily overcome did not have consequences beyond the victim, if you will. Now, as we expand, or as we expand, as the attackers expand, the risk expands, both in scope. We see data breaches now, such as the breach to Sony or to the Office of Personnel Management in the United States that are tremendously large in scope. They're quite a massive undertaking to mitigate. And then, as I say, we're moving into critical infrastructure with recent examples of actual disruptions to systems, which is something that has been feared for a long time. So this week in Davos, we talk a lot about the fourth industrial revolution, the interconnectivity and interdependencies amongst critical infrastructure. So we're going to talk a little bit about what that means for cyber. And in sum, it really is connoting a systemic risk. So we have systemic consequences, the possibility of cascading effects, perhaps single points of failure. Areas where we, multiple systems, depend on one key node, which if disrupted or destroyed, could take down many systems. So to start us off, maybe I could turn to André to just give us a little bit more of his perspective on how risk has changed, how cyber risk has evolved, and where we might be headed in the next few years. Thank you.
I will just start with one pretty interesting element. If you look at Ukraine, just when the attack has happened, we have just created a company, an index, to measure what is the robustness of an infrastructure. And Ukraine is coming at the 53rd position. Switzerland is much behind. So it's showing one key element that the risk and the probability to be attacked through cyber is not fundamentally a question of the robustness of your infrastructure and the ability of the hackers to hack is first an element. What is the impact of the hack? And that is what has fundamentally changed during the last 10 years, is that more and more critical elements are using internet. And there is a very good reason for it. Internet is bringing speed, very efficient, cost of use, and it's allowing to do things that were impossible to be done before. So fundamentally, more you leverage the capability of internet, more you are putting yourself at risk. And that is bringing a pretty interesting challenge, because at the same time, you need to use this new technology to be competitive. And on the other side, that is creating new vulnerabilities. And so you need to improve the quality of your application, of your infrastructure, much faster than the speed at which the hackers are progressing in terms of technology, because the incentive to hack is much higher. Now, if you take also the experience we have in terms of hackers, for the last 20 years, we are chasing hackers, whatever they are, who they are. And the interesting element is that we have seen that the main motivation of hackers is not technology and to do things for fun. The main motivation is to make money or to serve people that have ordered some specific element. So said in a different way, we see that risk are really increasing due to the power of what you can destroy if you are successful in terms of hacking. But now, it's a way to address that. I will come back later on during my presentation. Thank you.
OK. Thank you.
So the impact is expanding, as you say. And then the more that you use technology, the more at risk you are. I might add to that and say, in this hyperconnected world, your risk becomes my risk. So the way in which we need to manage it is quite different than it was perhaps 10 years ago. So Gavin, if I could turn to you, the global risk report reflected this concept of cyber risks. Cyber risk was ranked as perceived as the 11th greatest in impact, as also in terms of likelihood. But interesting, two interconnected risks to cyber risks, one is the breakdown of critical infrastructure, critical information infrastructure, and one is the failure of critical infrastructure, were actually ranked quite low. The failure of critical infrastructure is the second least impactful of all risks in that survey. But at the same time, we see through the executive survey that cyber risks are top of mind for doing business in eight economies. So from your perspective and your industry, what do we do? How do we account for this risk? Are there best practices? And maybe perhaps add to that flavor, what are the risks that you are particularly mindful of?
Well, I'm a little surprised by those conclusions in many ways. Certainly in our business, cyber risk has been top of the risk register for probably five, even 10 years now. BT, as many of you will know, for those who don't, BT is a telecoms company, strong in the UK, serving all customer segments, but also operating internationally in 170 countries where we own networks and manage networks for many of our customers. And that gives us, I would describe, a ringside view of exactly what's going on. And there's no doubt that the risk is changing in its nature and is becoming more and more sophisticated. And while I think there's a recognition at a board level now, I'm not always convinced when I talk to other CEOs that there's a high technical understanding and there is a sophisticated understanding about the nature of the risk.
I think it's absolutely spot on. It's gone from being a risk which was "we've got to put up a big wall, and that will stop everything" to one which is highly sophisticated, where the type of actors have changed dramatically, and the scale has increased significantly. So when I'm talking about this to CEOs, I point out we provided the security for the Olympics in 2012, so almost four years ago. Even then, we had to fight off 200 million cyber attacks over the four weeks. So since then, it has changed in its nature dramatically, but the scale has changed even over the last 18 months. So I was looking at some data recently that in terms of protecting our network and our customers, the scale has gone up 1,000% in the last 18 months. So it is one of the challenges you face, I think, when it's that significant is how do you identify the signal from the noise? There is just the sheer barrage of attack means that you've got to be able to identify the one that can get through your defenses. So your ability to process data quickly, real time, and be able to confine a threat rather than expect to stop every threat coming into your network is absolutely key. I think one other thing I'll talk about, and then perhaps open up to other panelists, is around the human risk that happens, and particularly insiders within companies. Companies I don't think spend enough time really looking at which individuals have control of their systems and their networks, and could, if they chose to, be able to implement a hack or destruction in some form from the inside. So the threat is always assumed to be from the outside, but how companies are protecting their employees, and indeed their assets from human error and human destruction, I think, is a key issue.
Every company could have their own Edward Snowden with sysadmin privileges, right?
I couldn't agree more. And I would say many of them have, and they've just not been found yet.
So Michael, maybe we could turn to you from the financial services sector. As I mentioned, cyber risk is top of mind in eight economies. Interestingly, it's all the economies that we represent are of the eight. From your perspective, you could either pick up, perhaps, on the insider threat or the concept of interdependencies. Obviously, we all depend on the financial services sector in many, many ways. I think people might think of it very simplistically in terms of using an ATM, but as we know, it's much more complicated than that. So perhaps, from your perspective, you could talk a bit about the risks either playing off some of the other comments or...
Well, I think that's the fundamental issue is that the risks have morphed, but the risks are multiple in nature. There's insider risk, there's outsider risk, there's data corruption, there's system interference. It manifests itself in so many different ways. And I see my friend Gottfried Leibbrandt from SWIFT is sitting in the audience, and I always get asked on panels, what do you worry about? What's the most important thing you worry about as a CEO? I said, I only worry about one thing, which is everything. But the one thing I am truly paranoid about is cyber. It's the old days of, there was a famous bank robber named Willie Keeler in the United States, and they asked him after they had captured him, why do you rob banks? And he said, well, that's where the money is. I thought it was a pretty good answer. So why do cyber attacks come into the financial system? I mean, one third of all attacks are against the financial industry. It's where the money is, right? And it is an industry which I think is paranoid. We spend a lot of time focused on cyber. We focus a lot on the evolving nature of the attacks, but it is very, very difficult because of this interconnectedness risk to really get your head around where are you gonna be attacked?
So if you look at Target getting attacked through an air conditioning system, I mean, how do you think about where your vulnerability is, where your vendor risk is? We were talking before, one of the newest risks that we are now contemplating is regulators in their earnest attempts to understand risk are asking us for more and more confidential information. We just got to see requests for, give us your physical layouts for your data centers. One of our groups is being audited by a regulator and they wanna see the social security numbers of the senior people of the department so they can do background searches. Our people are saying, no, you mentioned OPM. One of our regulators is the SEC and they were written up last year for poor practices. So the difficulty is you're sitting there, you know you're under attack. As you said, we get attacked, there's about 120,000 automated attacks every single day against the financial system of different ways. Most firms take about seven hours to process an attack. They don't do it instantaneously. We found that until a few years ago where we built a new technology, we could actually just process about a third of the information about attacks on a daily basis. So you hope to your point, the noise and what's the real attack. You know, one third of all this is coming through, we're trying to sift through and say, this is something I have to pay attention to. This is simply noise. So one of the things we did, and this is not meant as an infomercial, but we came up with a product called Soltra. And all it allows that it does is basically standardize the ingestion of information into your system so you can see which ones you really are worried about and promulgate it throughout your systems. But the next step is we're trying to create a community effect. Right now that information you bring in is really from your vendors, your security vendors or maybe the US government.
But what we really want is the industry to band together to say if I'm attacked, if I'm Morgan Stanley and I get attacked, not only will I beat it back, but I will tell the rest of the industry on an anonymous basis, I just got attacked. So everybody else starts putting up the defenses immediately. What that does is raise the cost for the hackers. And it sounds strange, but one thing that hackers can do is they do economies of scale. They can attack everybody at the same time using the same techniques. If you make it that everybody's putting up the same defenses simultaneously, you've also made that a very cost, not cost effective way of attacking. Lastly, just one other risk we have to worry about is reputational risk for the industry. And the US, there's a group that is focused on this. If a bank got attacked in the United States, it could be a small bank. Doesn't have to be a major bank. But if they got into a system and wiped out the records for a mid-sized bank in the Midwest. And all of a sudden everybody picks, turns on the news at the end of the day and starts reading about how you just lost all your money because the bank's systems were corrupted. That's the start of a bank run. Because all of a sudden somebody's gonna start and say, well, if that happened in middle America, what's to say it's not gonna happen against Citibank and what's to say it's not gonna happen against my local bank. People are gonna start pulling money, putting it under the mattress. So this whole issue of interconnectedness is not just even if your systems are connected, but the fact that somebody was successful against somebody similar to you raises the prospect of you being attacked successfully. And all of a sudden you get panicked in the population. That could be in the United States. That could be in Europe or Asia. It doesn't matter where. 
And I think that's a risk that very few people kind of thought about is just the fear factor of if it happened there, it can happen here, and what do I do? And if it's against the financial system, what do people do? They take their money and they run.
So President Ilves, maybe I could turn to you. You know, the communications and financial services sector are interesting because for most of us we have a choice. So God forbid my bank gets hacked. I might just choose to go to a different bank. But from a national perspective, the lifeline sectors, such as energy, water, we rarely in most countries have choices. We have whatever energy provider we have in our local communities. How do you, from a nation state perspective, protect against these threats, especially given your experience if they are perpetrated by nation states? When is the appropriate time to go on the offensive or how from your perspective do you partner with private sector to help ensure the integrity of our systems?
I'll say right at the start. Offensive actions in cyberspace, I will not touch. I mean, that's just, but from the very beginning, in fact, our entire system, even before we first had experienced one of the first cyber attacks, sort of at a political level. I mean, politically motivated cyber attack was that we had a public-private partnership in creating a two-factor identification system used by everyone, I mean, available to everyone. Anyone using a one-factor system today, such as Sony or OPM, is, I think it's insane. But I mean, basically, yes, we were attacked in 2007 with DDoS attacks. Basically, it was just denying access to things like banks. We dealt with that fairly successfully and we were down for a short time, but fortunately, being a small country, we had very, sort of, it was easy to call up the bank president or the person responsible for something on the government side and resolve that.
The problem is that the DDoS attacks, which most people, and where most books these days start off on the millions of books on cybersecurity, is that that's sort of at the club and the stone stage of warfare. We have progressed beyond that in terms of cybersecurity to perhaps, I mean, I'd say Sony and OPM have gotten to the point of building castles with stone walls, which it does a great job of keeping the stone age threats away, but the problem is most people these days, or I mean, the bad guys have gunpowder. I mean, my country is littered with former stone fortresses from the 13th century because they were very good in keeping out the Estonians from taking it over from their overlords, but as soon as some countries or nations had gunpowder, this became obsolete, and most systems today, I mean, most people use in their emails, in their company mails, in their access to company or country or national security related data simply work on a password. And until we realize that that does not work, that you have to do it, you need something more complex, at least for a while. I mean, I'd say that where we are is that when we are moving into the internet of things, Industrie 4.0 as the Germans call it, where everything is internet based, where industrial processes are based on the internet, that the concern will become first and foremost the issue of data integrity. To make that, especially in data integrity, you talked about having financial data wiped out, well, I mean, or you can take your blood type. Now, everyone is concerned about privacy, especially after Snowden, and everyone's saying, oh my God, the government can get access to all this, but in fact, one should think that, okay, someone knows your blood type, okay, not pleasant, if someone changes your blood type, I mean, all the records for your blood type, you're really in trouble.
And so we must pay very careful attention to the data integrity issues, which you talked about in the financial services sector, but everywhere, and the more we see our economies going over to an internet base or internet of things, or fourth industrial revolution, whatever you want to call it, where things are basically happening online, independently of any human actor, it's just, the more concerned we have to be about data integrity. So, I mean, this is, I think, will be more and more the crucial issue, even more so than theft. I mean, what we've had up to now, when we've had some huge losses, where billions of dollars or euros worth of intellectual property has been stolen, that does not complete, that's not a sort of a lethal threat yet. But as soon as we had the Ukraine case, we've had a number of other sort of funny things we've seen with critical infrastructure, that I think my friend Thomas Rid, who thinks cyber war is a myth, I think that in fact, we may be entering the stage where no longer is. And so, this means we, what this has led us to think about at least, is we need a program of education. We need to educate our civil servants on, look people, these are things you must do. You can't operate on simple passwords, you have to convince ministries, you have to convince banks, well, banks are about the only ones who've figured this out actually. But that all of our critical infrastructure and our other infrastructure, not even the uncritical infrastructure, it will have to be far more secure. And this is something I do not see as possible unless we do it at a public-private partnership level, meaning there has to be legislation. But it also, for example, which I've been arguing for years, is that companies should not be insured, unless they can prove to the insurance companies that they have taken the appropriate steps. Because if you're Sony, I mean I don't want to get down on Sony, they're just the biggest case.
But the point is that if you have such a low level of security, why should an insurance company bail you out? So I think those are the kind of general trends we'll have to see. Government attention to critical infrastructure to a far greater level. Education of civil servants and companies and finally the insurance companies really putting the pressure on the private sector.
The role of insurance is quite interesting. I think it's still somewhat nascent. I'm sure you all would agree. The problem there, the challenge, of course, is how do you quantify cyber risk, right? I mean, insurance is essentially based on what's a potential loss. And as we're describing with all these complexities, it's very difficult to pin the tail on that. How much would, could any given cyber attack actually cost systemically? But William, I'm curious with your experience. You've just held a very successful cybersecurity conference in Japan in the fall. I understand there were many wonderful conversations on these topics in terms of best practices and how do we begin to work together to solve this? I'm also struck by Gavin's, I think he said 200 million for the Olympics, 200 million attacks. You're gonna soon be facing a similar potential situation. So how do you, how do you prepare?
Right now, I think those are all very valid points and the biggest point that I think, at least from a government of Japan perspective, which is probably not unique and representative of many other governments, is how you really need to have a discussion, not only discussion, but across sectors and across governments because this is one of those first unique issues that transcends sovereignty. And, you know, it's a discussion where the national police agency can't arrest the bad guys necessarily. And yet they put these impediments in that if you do this the wrong way, ends up being a moral hazard and hurts the industries that you're trying to actually support.
I think that critical infrastructure here is going to be even more critical in the sense that London, I believe, was one of the first digital Olympics with the advent of the iPhone coming online and so on. Given the delta between London and Tokyo, there are sayings that say that there are probably 50 times more data bits that will be transmitted and that everything from traffic lights to sports timings to the safety of the audience is going to be an issue. And this is very difficult really to let people know because this is supposed to be a happy thing and so on. Yet you need to understand that there are people who will take advantage of a very prominent event and see the changes. And I will tell you that it used to be a much simpler world. I've been in this field for over two decades and it has transitioned. It has transitioned, I call it the ABCs, where most countries and nations where I sit were worried about the ABCs, the atomic, the biological and chemical. And it was easy because you knew who the adversaries were and it was somewhat tangible. But now you have the new letter D, digital, where your opponents aren't very clear. It transcends sovereign borders. It's very asymmetric in nature. It's very cheap to do. And so these things are very difficult for countries who are in a fixed mindset to get around and changing this and not just changing and actually doing, but changing from a fundamental mindset and especially in governments where you have a situation where government officials, their job is to get it done. And so when they report up to senior staff, ministers, prime ministers, of course they're okay. Of course they're safe, everything. 
And so this is the mindset I think for at least cyber since it's not as measurable needs to change in that this is probably the worst thing to say, that you're safe, that everything's okay, that you probably need to flip it around the mindset, especially from a government context and go, no, well, okay, let's assume you're doing your job. No one is criticizing how you're doing that. But let's assume that we want to get into a more resilient posture and think about the other scenarios to do this. And I'll tell you, in countries like Japan which is very conservative and it's very difficult to think outside that box to begin with and to not be perceived as critical or criticizing that mindset we have less than four years to get right. But I think unless you do that, it's just checking off the boxes and I always say the moment you print up the checklist it's outdated and so it's how you stay on top of that. So yeah, we have a few challenges remaining.
Maybe I could tease out a little bit more from the conference. I'm curious about any discussions on international norms. So we've talked a bit in what you're describing with this cross-sectoral need for discussions. We might similarly say among countries we need to have similar discussions whether it's on enforcement or working together on attribution or agreeing that there are common elements and common behaviors that we agree are not appropriate in cyberspace for our collective good, if you will. So do you see international norms developing and how as a community can we encourage that and work towards that as a goal?
You know it has to. It's not the perfect model but I think the aviation industry is a good exemplar in that if every time a plane crashed and you kept that evidence to yourself because it was embarrassing no one would have the confidence to ride an airplane and thus you would not have the industry that it is.
I think cyber security and cyber and IT will go towards that direction in that yes it's embarrassing but as Mr. President said it's embarrassing but it's still not life in it. It's I think we need to get past that and share this information but when you start getting around this and international norms and stuff then you actually get into discussions of what information and what do you consider this? But I think yeah this has to be an internationally motivated internationally driven thing and it actually is the information sharing that yes it will be embarrassing but we get that past and.
It's more than embarrassing. I mean there are also, I mean quite a bit has been done. We have the Budapest Convention which started out with the Council of Europe which has now been acceded to by US, by Japan, New Zealand, I mean it's and all that does simply says it obligates the members of the countries that are part of this convention that if a cyber criminal is located in your country you are obligated to give him over to the country affected but Russia has not acceded to it. China has not acceded to it. Belarus has not acceded to it. Now at least two years ago Ukraine had not acceded to it. Maybe they have in the interim I don't know. The point is that I mean if you have countries that I mean the countries I just listed also tend to be the major source of the things that we are talking about. Rumor has it, oh yeah. But the point is that, okay so you have this, you have a, we have a treaty, I mean a good treaty for dealing with the criminal aspects of this yet the source of the criminality is completely outside of the treaty. This is a big problem. I think that the other side of this is that we have it's not only security but we also have this difference between liberal democratic and authoritarian regimes that make use of all kinds of funny things. There is a slight overlap there but I won't make it too political and between the first and the second.
But when we start agreeing to things as I, I mean this is my personal view as we saw with the ITU discussions two years ago, there was, I mean we in the liberal democratic camp were a little worried about government control of the internet under the guise of cybersecurity. Okay this may get too sophisticated I think right now but the point is that it's rife with problems. My own view is that we should start with the organizations that we do have that are functioning, though this doesn't touch Japan for example or Switzerland but I mean certainly the European Union is making slow, very slow steps towards that within the North Atlantic Treaty Organization, very slow steps. In both cases I would argue what we have to understand is that we have to get beyond this kind of, cyber is something that again countries are embarrassed, they don't want to talk about it when they have problems, it's kind of more in the espionage realm they think than it is in the kind of interoperability of weapons or sort of common legal space that we have in the EU unless we get beyond this current mindset and get at least the community of liberal democracies. I mean I would argue that's an important part because the countries that are not helping us not cooperating are countries that have difficulties with the concept of human rights and liberal democracies. In general, I wouldn't name any single ones again, caveats but that's one place to start we have a long way to go but we do need to do this at an international level because perforce, most of the bad things are cross-border. You'd be really dumb to do it in your own country.
I would just add one point that if we look at hackers most of the times they will use the international connection between different countries taking advantage of poor legislation in a way to perform their attacks.
Now, one thing that is also key that our legal system and I'm speaking about in the democratic country is pretty slow and in internet age speed is absolutely key and we need to think at the new level and the new generation of legislation that is acting and transforming much faster in order to address this element while at the same time respecting element of democracy.
Yes, Alan, right, for all of us. I mean, I can speak to my experience in the States which is that regulations take a long time. It's very difficult to keep up with the pace of technology and unfortunately sometimes they are addressing the threat that we just had, not necessarily the threat that we will face tomorrow so they also can have an effect on stifling innovation. So regulation is difficult. Perhaps I can bring our private sector folks into the conversation to ask how do you all, from an alignment perspective, we talked about the international alignment piece but within a given country, how do you work with the patchwork of regulations? So you mentioned you have six, seven regulators at this point on cyber. How do you decrease your costs? How do you ensure that it's actually risk-based? Part of this conversation I'll just throw in is that any check the box exercises, compliance does not on its face necessarily equal security. So how do you account for this? Maybe Michael could turn to you first.
Yeah, we were just talking about that before that unfortunately legislation comes out which is interpreted into regulation and in the US patchwork is a nice way of saying the chaotic regulatory structure we have where we have the CFTC, the SEC, the FDIC, the Fed, every letter of the alphabet I have to deal with on a continuous basis. And again, and rather than taking a framework that is based upon the specific risks of your company or your industry and seeing how you are dealing with it, it does become a checklist. It does become the difference between security and compliance.
And you are focused on compliance unfortunately because if you don't, you will end up in the paper, you will end up getting sanctioned, you will end up with fines, all these wonderful things. I will lose my job because the board will say I have not met my regulatory compliance. But we spend a lot of money on that but luckily we actually spend more money on the actual real risks. And I think what you have to do is sit there and say the price of playing the game is how much you pay on compliance. But what you really have to do as management is secure your company. And understanding the difference between the two is very, very critical. But unfortunately also you deal with an outdated mode of thinking, I think William was talking about the ABCs, a lot of the cyber rules are written thinking about a physical attack, right? I mean a lot of the rules are based, one of the things we have to face is we have a mandate to recover from a catastrophic attack within two hours. Now nobody knows where the two hours came from. I mean honestly it came in after 9/11, it was in a Fed white paper, somebody in the bureaucracy said, it sounds good, two hours, had no basis on anything, two hours. Well, when you're under a cyber attack, one of the worst things you may be doing is turning your machines on too quickly, not understanding the nature of the risk. And again, if you're a central point of contact and a single point of failure like I am, don't tell anybody outside this room. But I could be promulgating that virus throughout the entire system. I am hooked up to every single bank, asset manager, et cetera, et cetera in the United States. If I am corrupted and I spread that corruption, all hell breaks loose. But I have this two-hour standard. And it just came out to CPMI-IOSCO, we met with Greg Medcraft, who's the chairman, yesterday, and we said, you gotta take that out. That just doesn't make sense. It has to be best efforts. 
We understand that for us, we have to get the money out by the end of the day. But don't risk the entire system just so you can meet this checklist of two-hour recovery. You know, we built our systems. We have three data centers. For a long time, we had a data center in Dallas that we never told anybody about. People joined us and they thought they were joining the NSA, it was actually our third data center. Until we put it in the internet and it came up DTCC Dallas. And we said the game's up at that point. But it's all based upon synchronous replication. We have two data centers, synchronous replication. Why? One of your data centers gets blown up, right? Okay, that makes sense. Well now, synchronous replication means you're corrupted. You're corrupted immediately everywhere. So that standard that made absolutely perfect sense post 9/11 is really something we should not be doing in this new world. But trying to get regulators to understand that, they're still worried about ABC and not understanding what D is. So communications, I get frustrated when I can't make a call in 20 seconds. What do you do with your customers who are looking at holding you perhaps at an unreasonable standard if you vote from a cyber perspective, given the nature of the risk? How do you ensure availability of your services? Well, just to build on the point earlier, completely reinforced, we can't rely on regulation to save us. It will never keep up with the nature of attack. And governments, I think, need to take the lead in the way the UK government is, in many ways, ensuring that companies are properly educated on the risk. And the investments that the UK government are making around using the capabilities of GCHQ to improve our cyber defenses and the interdependencies between companies and government services is absolutely key. This is a time for leadership from governments and really taking a very firm position, and I think the UK have done a good job on that. 
In terms of customers, it is, I say, it's increasingly becoming an issue for customers of all nature. So in the corporate world, it is being talked about more at a boardroom level. I would, as I was mentioning earlier, I don't think the dynamism and the sophistication of the threat is always properly understood. And we often come across situations where the CIO will tell the CEO, don't worry, I've got it all covered. And because sometimes CEOs don't come from a technical background, they say, fine, it'll stop there. Whereas it needs to be much more of a debate that the board engage in. And something where people are prepared to be open and recognize that they won't have everything covered. It's about how do you respond when you do get attacked? So it is definitely an issue that we're seeing our customers expect us to really not just set out our own capabilities in terms of a network provider, but also help them manage their own cyber risks and provide the services, both in terms of the cyber defenses, but also the analytical tools to be able to help them protect their own systems and their own services themselves. And then in the consumer space, it is becoming much more front and center. So there have been a number of major breaches amongst telecoms firms in the consumer space over the last few months. I won't name names, I like Thomas. So I don't want to embarrass people, but he's raised the ante. And increasingly, I think it's going to be something that consumers are going to be expecting network providers and service providers to really set out their capabilities as part of the basic service. People think cell phones are safe, right? And more information you put on cell phones, right? But everybody's worried that you do your antivirus software on your laptop, et cetera, et cetera. But I find it amazing that everything, my whole life's on my iPhone. And I don't really sit there and go, well, I wonder if it's safe or not, right? 
And then last week, androids got hacked into cell phones. Yeah, it's worse. It's worse than that. I mean, I would, you know, with, after Snowden, I was, oh my God, they're looking, I mean, what's happening in our data, especially in Europe. And I pointed out to people, you know, there's no such thing as a free app. People are not out there making all these apps that you download for free because they're just doing it because they think it's a great idea. I mean, all of your personal data that you enter into that app is going out. Now, so you, and then you synchronize your iPhone with your Mac. I mean, just, yes, think about what you are doing. So you download who knows what app. I mean, it might even work, but, but, but. I think that's an important point because often we think of that from the perspective of how much data could be available, which is significant on a risk. But to your point, each one of those connections provides an additional vulnerability for someone to attack, right? All those interconnections. So I have no idea how many apps I have on my phone, but essentially the security of my phone is now contingent on the security of all those app providers, right? So it's a very. It's even far beyond this. First, architecture and the design of mobile phone is less secure than computers. The second element, you have these apps, but the third element, like traveler coming into different countries, you are exposed to all the type of disease and viruses. Imagine when you are traveling in strange country, you can get special disease. It's the same thing with mobile phones. And basically you go in a country, you get a virus, you come back and you can infect the rest of the mobile phone population. So just think as if it was Ebola. Just think about it. Well, on that frightening part, we have about 15 minutes left. 
What I'd like to do is open up to the audience for a few questions, and then we'll turn back to our panelists perhaps for some closing thoughts and calls to action. If I could ask you to identify yourself, and if I could, please do ask a question. I know it's very tempting to add into the general conversation, but just given time limits if you could make your question precise. So I'm not sure we have a microphone here. Yes, there's one right here. Hi, I'm Eugene Park. I'm a YGL 2015 from Korea. I do digital citizenship education for children. And I'd like to add another layer of dimension on the cybersecurity, but children online protections. Two years ago in Korea, there was a massive hacking on the financial data. And then the leak was, like you say, it's a human. So actually the employee used a thumb drive to take all the data and then sold it to the brokers. And imagine that happened to the children data. So now IoT happens, and then the bio data, financial data, behavior data is all online. And there is very limited discussion about the online protection for children. So that can lead to trafficking. And it is not just about the stealing money, it's stealing the life. So I'd like to hear your perspective about your government perspective and private sector perspective. How we can actually guarantee the safe data protection for children. So I will open it up. But Mr. President, if I could turn to you. You have, Estonia has amazing training programs for children. And perhaps you could give a little perspective on that because I think key, my personal opinion key to this is really ensuring that whether it's a consumer as Gavin's describing, or if it's a child going online, that they understand a bit more about the risk and what they face. So perhaps you could. I think there's a pretty, I mean, I think educating children is one thing on how to use this and what risks are. 
In terms of access to children's data, I mean, I think that's goes back, that's a fundamental security issue on an architecture issue. It is not possible to get the private, I mean the state, the data the state has on any individual child or adult is not, you cannot do with a dump. You can't get at it. You can get one person maybe. But, and you know who did it. It can't be done anonymously. So, I mean, those are separate issues. Educating people on how to properly use the internet. I mean, I think that's good and necessary, but I think it has to be done not only at the national level but at the family level as well. Because, I mean, they're not gonna, you know, I mean, if you've had kids, you know that basically whatever you tell them in school, they think it's nonsense what you tell them at the family level isn't, well, depending on their age of 13, they don't listen to anything you say. So, I mean, yes, education is important. I can't compare it to other countries so I don't know whether it's amazing or not. But I would say the architectural side in terms of data protection is exactly the same for adults or for seniors and... Yeah, I think there's possibly two, I guess where I was headed is similar to when I go online, right? If I click on a phishing email, for example, or I click on a website that I'm not familiar with, there are certain behaviors that I personally could take that could be risky. A child could do the same. So, helping them understand how to interact with the internet I think is helpful. I take the president's point, so how to communicate that to a child is perhaps a difficult. And then the second thing, of course, as you're saying, is to the extent that there's a national database or there is a compilation of information on children, it's probably not dissimilar to any other databases. Yes? I would say that with children, we have to take into account elements that for education, they need to understand what does it mean. 
Take an example, if you have a knife, they understand that the knife is sharp and that you can be hurt. Now, one element that you can consider are some software that will just challenge if the children have well understood what is happening and then only he can get educated. If you just give him some information, the don't do, and without having a practice where he understand clearly what this can mean, it's difficult. So, we need to have some specific softwares that are able to challenge if the child has well understood the lesson. Yes, Gavin? I was just gonna add a couple of points. In the UK, all the internet providers work together to ensure that child protection software is built into the proposition. It's not a thing that distinguishes one from the other. We can use different suppliers, but it is something that everybody provides, in fact. Number two is I think doing that without ensuring the education of the family around it and making sure that parents take responsibility to educate the children, I think is absolutely key. Assuming that the software will do it and there's no role for the parent is a mistake. And then the third thing I'd say is around general tech literacy. There's, I think, a whole generation since, certainly since I was at school, there's a whole generation that has come through and doesn't necessarily understand the sort of second order importance and issues around the internet and coding. What we need to get back to, I think, is the fundamentals of tech literacy and make that part of the core curriculum in the same way reading, writing, and arithmetic. It's tech literacy should be part of what you teach every child and ensuring that teachers have the right capability to do that. And so one of the things we've been doing is helping trying to address that shortfall with teachers because many primary school teachers don't know how to teach this. 
So we're working with the Barefoot Foundation to ensure that five million school children by 2020 will have these basic tech literacy skills taught to them as part of their education. I think it's got to start there. So obviously literacy, no arguments there. One thing to be mindful of, though, is that this is, at its essence, a very difficult discussion because it's a debate about privacy versus access. And so what do you call a child and how do you delineate that? And so it's not an easy question when you get into that because if you do allow for this access, it also means that you're also giving up privacy and vice versa. It also means that you have this kind of system on your computer. This could also be an avenue into the system. So it's not as clear-cut or easy, but I think there's also that angle. Obviously literacy is a given, but this part should probably not be ignored. Sir, I think we have, and maybe what I'll ask is if we could have maybe one or two panelists respond. I apologize to anyone behind me if you have a question, but hopefully we'll give you one more. Okay, thank you. My name's Ulf Pärsson. I'm representing Ericsson, a world-leading provider of mobile communication equipment services, just very quickly. Mobile phones are actually safer than computers because there's a SIM card in them, but let's save that debate for a bit. But I think that rightly so, I think this debate has been about data integrity because of course with the explosion of data in networks, IoT, et cetera, that will be absolutely crucial. And I think it's about awareness raising. My question is, how do we make sure that regulators and lawmakers are actually taking this seriously and are putting the right regulation in place to make sure that companies not only are aware, but they actually do something about it. We're working with an Estonian company called Guardtime. They're very good at this, verify data, it's not been corrupted, et cetera. 
But I think we need also not only awareness raising, but also regulatory push here and maybe to the governments, how likely do you see that happening? Thank you. You've got to get regulators. The term embarrassed was an interesting term to use. But I think coming out of the financial crisis, you saw all these rules coming in and they all again dealt with the crisis of the past. No government wants to have the same crisis occur. And again, there's this mindset, if I stop the crisis of the past, then I'll stop all future crises, separate to two. And I think that same dialogue has to be had about cyber is the regulation you're writing today is solving yesterday's problem. We all want to protect our companies. We all want to do the right thing. And it has to be a dialogue. It's got to be public, private sector dialogue and cooperation and you lay the cards on the table and say, I think I'm good here. If I'm not, don't penalize me. Help me get stronger. But again, my fear is the regulations are going to become punitive rather than saying at the end of the day, we all have to be tied at the hip to get these things right. And it's got to be global and it's got to be private public. The problem we're going to have is that's easier said than done. You can use the FSB for instance, Finance Security Board. That's a different one. Yeah, the other FSB. But there are forums that could be utilized but the question is, do they have the willingness to take on this issue because they may be embarrassed because it's a hard issue to get your head around. Well, let's do this in the remaining time. Let me first describe briefly what I heard. And then perhaps I could ask each of you in a quick lightning round to perhaps give one or two calls to action, if you would, of how to address this. 
But I think we talked a lot about the role of governments, both internationally working together, the Budapest Convention being an example, as well as internally how do we align and eliminate patchworks of regulation, ensuring at the same time that regulations are both risk-based and forward-looking and don't result in compliance checklists. We talked about the importance of education, both from a hygiene perspective, not relying solely on passwords, two-factor authentication. Also this idea of tech literacy and how do we instill at a very young age this new brave world that we now live in. We talked a bit, of course, about public-private partnerships. So how do we all work together and what is the appropriate role of the private and the public sector in that? And maybe I'll just stop there and turn to Michael, what would be your one to two calls to action to help us address this risk to critical infrastructure? I think one, policymakers understand the difference between physical threats and cyber threats and we're still not there. And not trying to apply one standard to both. And two, there's this hard concept of don't look at the past risk, look at the future risk. And work within the industry, be it telecoms, be it financial or whatnot, to assess what the potential risk is, not what the risk of the past was. Mr. President? A topic we didn't actually discuss here, but I see increasingly as a problem is, I don't know, stove piping. I mean, basically within companies, within ministries, between ministries. 
And then we get ultimately, I mean the ultimate manifestation is sort of stove piping between countries on whether, and until we actually at least find some, first of all, we have to start in the beginning that even in departments and ministries or in departments and departments, would finally sort of agree on what the approach should be and then you need the various ministries in the government to do this, to work then with the banks, I mean actually the banks, they're actually the most progressive on this because they have the most to lose in the short run. Or at least they understand what is at stake. So data integrity is not an issue I ever have to explain to a bank. Never, I mean they, but the rest of the private sector. You know, when we think about data integrity, I don't think too much about it, but I mean there are things such as traffic lights. It is one case where in LA they hacked the lights, the traffic light system, and fortunately what they did was they turned all the lights red. Now can you imagine in the city of Los Angeles to turn all the lights green? The point is that, but traffic lights, it's such a basic, simple, you know, you don't even think about it, you automatically, your foot responds to the light. I mean it's, critical infrastructure is, I mean, rather the critical infrastructure is a much broader concept than we normally think about, you know, we think dams, power stations, well think about your electrical traffic lights and that as we move into this new era of IoT where everything is done over the internet, that we really have to think very close, much more at a broad level with cooperative thinking on where to go and not fight, as you said yesterday's war and especially because we don't even know what the next issue will be. For the last five years, the European Union was only really concerned about until March, the Greek financial crisis and now, you know, that's, that was completely forgotten. Last March. 
I mean, so it's, these things change quickly, we have to be sort of mentally resilient. Right, right, Andre. For me, two important elements, first element, only government or only private cannot solve the issue. So there is a real need of a public-private partnership but not on a country level but on a more global level where speed is absolutely essential and access to information. So there should be a platform in order to exchange the information about what are the potential risks and how it's the fastest speeds to be able to address them. The second dimension is regarding the compliance and the regulator. I think that fundamentally people that need to check if a system is secure enough or need to design a system that is secure enough must not think as compliance officer but must be able to think as hackers. A hacker will not look at a computer system in the same way as a compliance officer and we fundamentally need to change this behavior if not we find good excuses and people to blame rather than solutions. And that is for me a key element to make a more secure internet. Thank you. So now we're super lightning speed for our last two panelists. William, what would be your call to action? Yeah, so two quick things just to keep things in perspective. There's a lot said, everybody's probably frightened and running home and so on but to simplify really what security is for me and what everybody should like look at this is that's really a triangle of balancing security, cost and usability. And so one of the things that I look at and tell people is that not necessarily what you're doing is a security issue but it's actually a usability issue that causes security issue. Cost of course is a given. So that's one. So to look at this holistically in that it's this balance that people don't recognize sometimes and take security the wrong way. 30 character passwords is a usability issue. 
So and then the final thing that I would add there is that cybersecurity is not a technical problem. It is definitely a management issue now. And so to look at it from that perspective. In a word, step up engagement. Engagement at a boardroom level. Engagement between companies and governments between governments and governments and engagement with the general population as we talk particularly young people as they come through. I think we've got to make this much more front and center is the key threat, one of the key threats of our time. Well that was not planned but that was a wonderful way to end. We do encourage you all to engage in whatever your life's work might be. This really is a problem. I think that not only affects us all in terms of its scope but it's something that we can all contribute to. So I'd like to thank the panelists. I'd like to thank the forum of course for hosting us and thank you all for attending. Have a wonderful rest of your day. Thank you.