 Good morning, and welcome to this morning conversation. How can cyber defenders win? The answer is going to be provided by this fantastic panel we have this morning. We have Yogan Stok, Secretary General of the International Criminal Police Organization in Tupole. Next to him is Devjani Ghosh, President of National Association of Software and Services Companies from India. And Sadie Cree, Professor of Cybersecurity, University of Oxford United Kingdom. Next to Sadie is John Doyle, President and Chief Executive Officer of Marsh, McLennan, USA. And finally, we have Gary Steele, President and Chief Executive Officer, Splunk, USA. It's the best name of the corporation that I've heard this one. I like it. Now, this session, in many ways, engages with the key findings of the Cybersecurity Outlook Report that has been published by the World Economic Forum. There were QR codes. I hope some of you have been able to download that report. But please do read that report. It has interesting revelations for all of us to consider. This is becoming a vital domain. The pandemic, the conflicts, the economic opportunities, all point to the fact that we are more digital than ever before. And therefore, we all, individuals and enterprises, must engage with the potential risks, in fact, the real risks and the existing risks that confront us. Let me give you a few numbers from that report, since many of you are not going to download it. So let me give you a brief insight. 70% of leaders who were surveyed in that report stated that geopolitics has influenced their organization's cybersecurity strategy. So geopolitics matters when it comes to cybersecurity as well. And today, we are in a world which has heightened geopolitics and weak multilateralism. And that lends itself to new risks. Of course, we have also seen that there is cyber inequities. Smaller companies, smaller countries are struggling to cope up with the dangers that the sector offers them. We have seen the number of organizations capable of minimum viable cyber resilience down by 30% in the last year. Now, that's a big number. Companies are unable to keep up with the cyber costs and capabilities required to respond. 90% of 120 executives surveyed at the World Economic Forum said that urgent action is required to address this growing cyber inequity. And maybe, Gary, I'm going to come to you on this particular aspect. Fewer than one in 10 respondents. Now, this is the most important finding. Fewer than more than one in 10 respondents believe that generative AI will give advantage to defenders. Many see AI and generative AI as adding to the threat landscape. And this is something that we will discuss as well today. And finally, one third of organizations have suffered a material incident in the past 12 months and say it was caused by a third party. So there are actors besides the state and the non-state who are going to do harm. And you have to protect yourself against those. Now, there are a number of interesting findings. I'm going to refer to some of those as we proceed with the conversation. But let me start with the global cop, Jagan Stark, from the Interpol. And I'm delighted to be here with you again, Jagan. And let me start with you. In this heightened geopolitical moment that we are currently confronting, how are countries harmonizing their approaches to respond to these threats from an Interpol perspective? Are you seeing within the organization a growing appreciation of the challenges that we face today? Yeah, very good morning. Everyone, it's a pleasure to represent here the global law enforcement community. Interpol currently has 196 member countries. And maybe to answer your question, I should start by saying we are struggling. The global law enforcement community is struggling with the sheer volume of, let's say, cyber-related crimes or high-tech crime or the new types of crime, which we know from the past, like fraud, which is now entering into a new dimension with all the services that the internet provides. The crime statistics only know one direction, which is going up dramatically in many parts of the world. And the tricky issue is the more resources law enforcement is investing, the more cases you discover. The more you are raising the level of awareness, and we have been making some good progress in raising the level of awareness, particularly amongst private sector, the more cases you discover. Cases that almost all have an international dimension that is challenging, to a huge extent, the classical model of investigation, which is done by nation states who try to organize their own legislation, their own rules, their own level of capacity of skilled police officer, but you need to organize yourself, not only with your neighbor, but maybe a police organization on another continent in a situation where, of course, particular law very often is missing. We have a number of member countries who do not have at all the necessary legal framework to investigate cyber-related crimes. And I would like to say we definitely have a kind of, if I may use that term, Champions League of Law enforcement that is quite successful to a lesser extent in getting the criminal behind bars and prosecuting, but at least taking criminal infrastructure down. We might come back to that point a little later, but let's say maybe 70 or 80% of our member countries are struggling having at least a minimum capability to investigate crime. And, of course, prevention is very important. The best crime is the crime that is not going to happen, but we have a huge increase. Everybody in our communities is affected. It's not just the critical infrastructures. I have been a couple of weeks ago visiting a rural police station in Germany, good old friends and colleagues, and they are telling me we are overwhelmed by cyber-enabled crime, and nobody is helping us in investigating that crime that most of the time has an international component. So that is a little bit of the situation we are facing. Again, to summarize, crime statistics only going up, and we only know, perhaps we know eight or something between eight and 30% of all the cases are being reported to the police. All the rest is not reported to the police, so we only see the peak of the iceberg, and that illustrates a little bit the difficult situation. And last remark, artificial intelligence, you said advantage to the defenders. Currently, the criminals, of course, have been starting using at eye to their advantage, and that will boost the situations of urgency is very important. No, let me dive deeper into that. So can you, you know, you recently mentioned that, that AI is undeniably a game changer for criminals and law enforcement alike. That's your statement. Can you expand on some of the ways criminals are using this? I mean, cyber criminals are organized in a very different way that I learned when I was a young police officer, and we're dealing with a typical, let's say, traditional kind of mafia-style crime. So people knowing each other, so it's same geographical relation and so on and so on. So that was the principle. Now, the key word today, we all know that cyber crime as a service. So the criminals are organizing in themselves based on expertise and through the underground economy. They only know their nicknames. They get a certain rating, so at AAA, perhaps, if they are providing reliable services. So this is the dynamic way in which they organize themselves and you do not any longer need to be an expert. So even perhaps I as a non-tech person and a lawyer, I could conduct a denial of service attack because the tools are available for little money in the underground economy and AI as a service for criminals is already there. So we all know these kind of deep fakes, these phishing males, more sophisticated, business email compromise, and we have seen now the first cases of a kind of deep kidnapping where voices have been cloned and a family thought, oh, our daughter has been taken hostage, but it was a cloned voice at the end of the day. So that gives us an understanding what is coming up. So AI drives also scales, sophistication, and speed in terms of online crime and the criminals are already there and we are running behind and that is not a good position, not only for law enforcement, but for our communities and particularly the most vulnerable in our communities who might not have the resources to protect their own systems. You know, a police officer had once mentioned to me in India that we are largely safe because most criminals don't have the competence to perpetrate what they want to do. So what you are suggesting is that an AI enabled criminal is going to be more dangerous in the future. Absolutely, also in terms of scale, the sheer dimension of the cases, again, I mean a classical criminal had to go from house to house for burglary, from country to country. Now, of course, you don't need to do that and you get the help of technology, you get the help of artificial intelligence so you can do everything from your sofa at home. Deepjani, let me turn to you. You know, Jogun mentioned countries not having the capacity to keep up, sometimes not even having the legal frameworks. There is a certain vulnerability aspect that is discussed today when the largest chunk of the emerging world has decided to go digital for payments, for governance, for democracy itself. Sitting in India with a country that is now betting on digital, it's growing on its digital progress, do you see this as an opportunity or a threat? A huge opportunity, but before I get into that, just adding to what you said, you know, one of the most innovative uses by cyber hackers right now is something called fraud GPT, which is actually a model built to significantly reduce the competencies required by hackers to go out there and, you know, deploy the most complex attack. So that's the kind of complexity we are seeing, the advancement we are seeing with respect to use of technology. Now, coming back to India, I think India is a digital society. It already is a digital society because the last mile today is connected by technology and using technology for their livelihood. And I don't think today any company or any government with a strong level of confidence or surety say that they are fully protected because cybersecurity is a moving goal. I think the focus has to be on building that resilience. You have to build your defense, you have to build your resilience because at some point in time, there are gonna be breaches, there are gonna be attacks. How soon and how well we recover is what it should be becoming more and more important. I think India is taking the right steps. I mean, one, there is a lot of focus right now on building not just digital literacy but responsible use of technology at the grassroots. What, it's becoming a part of the core curriculum, digital literacy curriculum in India. How do you use technology safely? What do you do or what do you just like? In school we are taught, well in India we are taught to look left and then look right and before we cross the street. Similarly, what are those steps that you have to ensure before you navigate the digital world? I think one, just the simple things, creating that awareness at the grassroots becomes important. Two, ensuring that the infrastructure that powers India's transformation to a digital economy is the digital public infrastructure that the government and industry is building out. Ensuring that security by design becomes an imperative for the digital public infrastructures where the first layer is the secure layer that gets built in. And there's a lot of good learning that has come out of Aadhaar, our digital identity card, a billion point two of us have digital identity cards, digital identity, sorry. So I think a lot of these steps, the security by design is getting built into it. As an industry, India is still largely a hybrid model. Post COVID, more than 50, 60% of our employees are still working from home. So this becomes very important. It becomes challenging and important for us because when we think of cybersecurity in the past, we have always thought about the parameter of the enterprise. Now we have to think about the employee's home ecosystem. We have to think about the partner's ecosystem. And how do you ensure resilience carries through all of that? So the enterprises are now dispersed and you're looking at threats coming in from different quarters. But let me, since you mentioned employees, let me talk to you about another facet that the report brought out. Only 15% of all organizations are optimistic that cyber skills and education will significantly improve in the next two years. And 52% of public organizations state that a lack of resources and skills is the biggest challenge when designing cyber resilience. How is it faring out in India now? The biggest challenge is time. It's the pace. The pace at which technology is evolving, the pace at which the risk landscape is evolving, it becomes pretty much impossible to keep up with that pace using traditional educational processes. You can't wait for five years for someone to get trained. That's not gonna happen. I think what we are doing in India is figuring out how do you disrupt that entire process? So for example, and it's not just the potential workforce, it is also upskilling in the existing workforce. The job of the CSO or the role of the CSO has completely changed. So how do you upskill as well as reskill for what is needed today? So a few things very quickly that I'll talk about in reskilling or in building the talent pool. Shorter courses. For example, NASCOM is working with government and Microsoft to train women in tier two, tier three cities in India on a short one-year course that has been built by experts. And in the last one or two years, we've trained around 2000 plus women. Nearly all of them have got employed. That's the demand, right? So short courses, look at different talent pools. Change the system in our education in the universities where the government has now, the regulator has now agreed to give credits to industry curriculum straight away. So that shortens the time required to develop curriculum because industry already has curriculum. They are bringing it in. They are getting the credits and all of that works. And on upskilling the existing, just as the cyber attackers are using fraud GPT, I think it's time we started thinking about how to catch up. We have to build models that act as security experts and work with everyone from developer to the last line to ensure that the security protocols get ingrained into everything they do. We do not have the time and ability to train every single employee to become a security expert. And that's the need of the art. So defense GPT, that could be a new product. NASCARM comes out with Siri, let me turn to you. Geopolitics is important and conflicts are now common in the last, in this decade, this very long decade, that's lasted just four years or three and a half years. We are now well into the third or fourth conflict. What are the learnings for you as someone who studies cybersecurity, cyber resilience in a university ecosystem? What are the learnings from, say, the Ukraine conflict? How did that implicate or impact the digital realm? And what can be done to prepare enterprises and countries from the fallouts of such occurrences? Thank you, good question. I guess the first thing that we should be mindful of is that there has been a cyber element to most conflict for many years. But what we've witnessed in the Ukraine was a particularly rapid scale-up and partnership between private industry and public to help bolster defenses. And that would have had many elements, of course, and one of which moving essential digital assets out of the conflict, out of the theater of conflict and into the cloud and there's some lessons we need to think about there. But also what we've learned from stepping back and speaking to people that were involved is the essential nature of the partnership between business that have the tools, that have the infrastructure and the ability to help change these defensive postures rapidly and those charged with public sector funding of it, et cetera. And we're told that in the Ukraine example, the pre-existing relationships that existed were essential. So there's a lesson we can take away there if we're thinking about how to prepare to rapidly bolster cyber defenses in the face of conflict in other parts of the world, then we must make sure that we have already invested in the relationships, the networks that will enable us to change the nature of that cooperation and that communication so that what happens in the cyber defense can happen quickly. We mustn't underestimate the essential nature of business here and there will be a temptation for us as an international community to start thinking about the processes we can put in place to make sure that we can support each other and defend each other's public infrastructures in other cases and we must always bear in mind that whatever we do there, we do not damage our ability to be agile in the face of this kind of need. So I think that's the key lesson. We need to have invested in the relationships and we need to make sure whatever we do in terms of public, private, private, public cooperation support, we protect our agility. So let me ask you a what if. What if, and listen, I'm not an advocate of any of this, this is just a what if question. What if we were to see a pandemic scale event in the digital sector, affecting the clouds and affecting key service providers or maybe even a financial crisis that happened in 2008, that scale kind of occurrence. Can we respond? Is the world cooperating enough to be able to bring all systems back online? And what can be done to be ready to do that? Gosh, that's a million dollar question, isn't it? Well, we know, don't we? We've known for some time there is cyber risk. It's likely to be systemic. It's likely to be aggregating. We don't fully understand the nature of that. So it's a bit of an iceberg. We can see the peak of it. We don't really understand what's below the waterline. But we are as a community, many of us cooperating, trying to build the foresight, the simulations, the scenarios that would enable us to begin to anticipate this. At Oxford, we've been working on some agent-based simulations. And we don't have access to all of the data. But what it's telling us is there is an issue. And even when we come up with good estimates, we can see certain scenarios where you might see a portion of the cloud going down, a portion of the energy infrastructure coming down. And the consequences for that could be quite significant. And if you start modeling in policy decisions, which may be we need to protect these kinds of organizations, these sectors, the consequences for those that are not protected can rapidly become very significant. So, yes, there's a really important call to action here. We should be mindful of this. It feels to me like the potential consequence, the cost of it will be beyond any particular organizations, capital reserves, yeah. But I think we have other colleagues on the panel that we're going to speak to that. But I want to bring in the global south here. Yes. Again, taking a lesson from the pandemic, the global south was largely left to their own devices. And you had countries that received the first shot of the vaccine a year later from, say, Europe or America or even India, for example. How do we include the global south and the fastest growing digital geographies in the south in our plans for resilience, for building international partnerships and capabilities? Yes. And it's incredibly important, isn't it? Because we know that cyber does not restrict national boundaries. And we are codependent on each other. One of the things we need to do is ensure that we are working together to raise the general baseline and that we understand what that cybersecurity capacity baseline should be. It's not just going to be cyber defense capabilities. It's never just about technology. But that is important. And having access to that, having an awareness of how to be effective in using it, that's important. But there are other things too. Strategy policy, social mindset, the ability for leaders of business, as well as government, as well as people that are managing their homes, their local communities, environments. All of that needs investing in, as well as law and regulation and support for the rule of law. When you unpack all of those areas, they're all codependent. There's complexity in cybersecurity capacity. But working together, understanding what the minimal baselines are, will enable us to build trust with each other at national level, at business level, at community level. And that trust is essential to underpin the kind of cooperation which is needed. And the responses that will be required to bring it all back. Yes. Thank you. John, the recently launched global risk report at the forum yet again sees cyber insecurity as both a prominent risk over a two-year time frame and a 10-year time frame. In your assessment, what has changed in the last year? Have we progressed? Has it become worse? Well, thank you. It's great to be with all of you this morning. No surprise to us. We've been working with the forum over the last 20 years in producing that report. And over that period of time, cyber risk has been working its way up to the top of the list each and every year. And what I can tell you is that data confirms what we see as the largest insurance broker in the world and global risk advisor in the world in the conversations that we're having with our clients. It is top of mind. It's on the top of most risk registers for businesses around the world. And it's absolutely clear that the geopolitical environment, all the complexity of today's geopolitical environment is making that risk higher and higher. The last couple of years, it had been really kind of responding to ransomware and what that meant, both in the insurance market and helping our clients be risk ready, put mitigation steps in place to understand how to respond to those types of attack. Today, it's big concerns about how systemic events might impact their business. And I think not just the global south, I think in most developed economies around the world, governments certainly and big business are not prepared for those types of systemic events, be it cyber terror, a power grid coming down, cloud service provider coming down, whatever the scenario is, we're not prepared for that. And while this risk has been working its way up the list over the course of the last 10 to 20 years, to me, the fight is just beginning. It's an arms race. There's no question about that. And AI is gonna amplify that race and the risks for both sides. I don't see it as one side having an advantage over the other, but it's quite clear. I think the fact that it's on top of mine for business and government is absolutely terrific. We're much more risk aware today. And we've all gotten spoiled by what technology can do for us. We don't walk out of our house without locking the door. We need to be very mindful of what this risk means to our business, what it means to us as individuals as well. And so from my perspective, we're just at the beginning of the fight. I want to speak to you about the role of cyber insurance and how it enhances resilience and perhaps how it also creates exclusions because the premium costs are rising. So it's only certain sorts of enterprises who can afford what the industry offers. So how are we rethinking insurance at scale and to cover geographies, as Sadie mentioned, that there's no north and south when it comes to the digital architecture? How do you create affordable insurance? And by the way, affordable drivers of enterprises investing in resilience because insurance in some sense is also a way of to drive market behavior. It is. We send signals to customers and to governments about where they are in terms of risk readiness. And so I think those are really important signals. In fact, we start the dialogue with our clients with a cyber self-assessment tool. And that gives them a sense right away of how they stack up in that particular geography, the industry that they're in and their ability to actually get insurance. There are segments of certain industries that won't be able to get insurance today because they're not prepared and not ready. And so I think those are important signals for business and governments to get. And I think that the industry plays a really important role. It starts from self-assessment to working with security providers around the world to help them begin to mitigate or prepare to mitigate potential risks and also to be ready to respond in the case of an event and a lot of scenario planning around what those types of events might mean, the decisions you might need, being prepared with the right advisors to be able to navigate those types of events. But what I can tell you about the cyber insurance market, after the last couple of years where prices no question were on the rise, really in response to the explosion of ransomware claims working into the market, the market's adjusted to that, granted off of highs, prices are actually now coming down slightly. So there's some good news there. But the bad news though is that insurers and reinsurers who help support the aggregation of risks in the market are very, very worried about these systemic types of events and how they might aggregate in their portfolio. So they're being responsible stewards of their capital. We're in the business of making commitments. Insurers are making commitments. They want to be there and be able to pay. I mean, they're saying, hey, in certain cat type scenarios, we cannot finance that. In fact, it's easy looking at the pandemic and modeling certain types of cyber risk scenarios to see that these scenarios are way larger than what the industry could finance. And so we're investing quite a bit in modeling. We are also trying to bring new investors in to increase the capacity of the industry, but we're also spending time working with governments. I think there's a real opportunity here for public-private partnerships. Again, I think we can help with good risk hygiene and we can finance parts of the risk, but governments need to be prepared because candidly, I think ultimately, those that are most unprepared and most uninsured or not insured at all are gonna be SMEs much like we saw in the pandemic. And so that risk is gonna ultimately fall on the balance sheet of governments. On the public sector. Correct. And I'm gonna come back to that in the next round and I'm gonna ask all of you on public sector funding as well as public sector planning for these big events. But Gary, let me turn to you. You've spoken a lot about resiliency and cybersecurity and knowing that most companies and folks are thinking about cyber insecurity as a big concern area. What are the major cyber trends you foresee in the year ahead and how do organizations need to think about these trends? Yeah, I think as we enter 24, I think there's a lot of concern to be had. You have this confluence of events. You've got two active conflicts, one other potential large conflict ongoing. You've got an election cycle in the U.S. that, and if you just go back to our last election cycle, we saw a high increase in threat activity as it related to that. And so all of those factors and then you have the ransomware actors that continue to be winning. So you've got a confluence of all these factors that ultimately will drive a very complicated and concerning threat environment that we all have to deal with. Now, the thing I'm very optimistic about is a lot of the investments that have been made, the maturity that has happened, the awareness that has happened, has really raised the posture of private industry and governments about the importance of this. And so while I'm optimistic over the long term, I think in 24, we have to be very thoughtful and be very vigilant because I think it's gonna be a really tough year on the cyber front. And as we look at the cyber divide and the conversation about SMEs, it's been interesting to have a whole, I've had a whole set of conversations while I've been here. The one thing that's encouraging to me is cyber has seen an amazing amount of innovation. And if you look at the number of cybersecurity companies today, we went from a handful 20 years ago to thousands today. And someone can say that that's bad, but at a holistic level, that's a lot of dollars and people focused on innovation to help defend both private enterprise and government. And so while we have a long ways to go, that innovation will ultimately help us. And I think we're gonna see innovation that allows prices to come down so that we can get to more organizations. I think AI will be a facilitator to help organizations that just don't have the bandwidth that all of the skills needed. It's gonna get easier. It's gonna get easier to defend. So I'm optimistic over the long term and I just feel like we've gotta be very thoughtful in the short term, because I think it's gonna be tough year. Gary, you have also spoken about leadership and boardrooms. You know, there's a SEC rule on now cyber incident disclosure, but many countries around the world are now wanting more accountable boardrooms when it comes to many of these incidents. What is the role of leadership in navigating the risks that you just mentioned? And you know, this is a question to you, Gary, but I wanna come to all of you. Are people more willing to disclose cyber incidents today than they were, say, a few years ago? Including nation, then I'll come to you, Secretary General, as well on that, but Gary, go ahead. Yeah, no, it's a great question and we could probably spend a number of days talking about this topic. But at a very simple level, I think the great thing that has happened is, as we've discussed and the panelists have mentioned, there is broader awareness today at leadership level, in boardrooms, this is a top priority, so it is a topic of conversation. So that's a huge advancement, frankly, from where we were even five years ago. So that is progress. Now, these SEC rules, I think, draw the requirement around timely disclosure. It's still a little confusing to me in that we have these rules, but there's no requirement from the SEC to have cyber expertise on a board. Hmm, so think about the world that we live in with we have a well understood finance process where you are required to have a set of financial experts on your board. And those financial experts, there's a definition of what that means. Good, and so we haven't gotten there. So yes, there's been progress and yes, I think people say we should have a cyber expert, but they haven't quite figured it out. And so I think there's room for maturity and improvement in the boardroom as it relates to having a true understanding and, frankly, a level of accountability to... And do you think that is something the insurance industry could enforce that you get insured if you have experts sitting in the leadership team? Go ahead. You're the expert. Well, our industry, be careful about speaking on that. Look, industry has all the same norms outside the public. We don't see our role as enforcement, okay? But we send signals, right? Correct. So having that level of expertise inside a firm is a data point, you know, amongst many data points about, you know, a company's risk awareness and their risk readiness, right? So... Okay, so now I want... I want to go back, but I wanted to just finish the other part of the question, which is on this transparency discussion around reporting. So, you know, I view the SEC rule ultimately as a good thing, right? It does bring a level of transparency that is important. And I think overall, the more transparency that we can drive, the better off we are, because we can help each other. We can drive better cooperation. Transparency will result in better outcomes for everybody. It can be painful in the moment. Obviously, it's incredibly painful, but transparency I think is a benefit. And if you talk to CISOs, if we had a whole set of CISOs in the room, they would be advocating for transparency. So, if you have vulnerabilities in the software supply chain, what do you want? You want transparency so you can respond. Because the comments earlier about agility. Agility comes from transparency. You know what's going on, you can defend, you can move, you can make good decisions. So, I'm an advocate for that. We have lots of maturity to have happened, but it's a step in the right direction. So, I'm going to ask all of you, is it, do you want to comment on this? Yes, if I may. Please. Yeah, I completely agree. And actually, when it comes to boards and senior leadership, we have to move from transparency to situational awareness. What we're really talking about is knowing the security posture of your organization, having an intuition for risk, understanding when you hear something, when you're presented with something that's a form of cyber intelligence or you've read it in your favorite online newspaper or for those of us that are really old on the paper version, knowing is this something I have to respond to straight away or is this something I can push back to the weekend? But leadership set tone and culture. You cannot expect all of the people working in your organizations to follow really good cyber practice if your leaders aren't doing it. That's number one. Number two, my guess is the best organizations have some kind of cyber expertise. They may well be advisors to the board. They may be NEDs. But given the level at which we're seeing the threat develop, the pace at which technology is evolving, the pace at which the threat ecosystem is evolving to harness the benefits of the technology and another discussion, we'll talk about how we harness that for defense. I don't think it's conceivable that we can live with one member of the boardroom being cyber fit. I think everybody has too. Everybody can understand financial risk. They are going to have to understand cyber risk. Cyber risk and financial risk are going to be closely coupled in the future. And the way in which I see this is we look after our health. We look after our physical health. We look after our mental health and investing in cyber risk fitness amongst our senior leadership is something that we need to help them do. They need to raise their awareness levels. They've got to have the tools. We've got to deliver the tools to enable them to do that. And they do need to look to their personal cybersecurity. I think there's going to be a moment where some of these AI enabled deep fake tools, that's going to converge with the ransomware attacks and the level of training data that's available on people that are in the public eye. I think we can expect to see some of our senior leaders being very highly targeted in the coming year or two. We've seen incident in India already. But let me turn to Jurgen. Jurgen, you mentioned eight to 30% of the incidents are disclosed. Are people still embarrassed telling others about what happened to them? Is there still a shame associated with being a victim of cyber theft, cyber crime, cyber incident, cyber terrorism? Yeah, I mean, there might be different reasons why people are not reporting to the police. Maybe embarrassment is still a point. Maybe they do not exactly know what the police is doing or the prosecutor is doing. They might think we pulled the plug and we stopped the machinery, which of course is not the case. So law enforcement also has to do more to inform, for instance, private sector, what would happen in case of a reporting of such a crime. Let me, for just for a minute, leave the perspective of a boardroom and individual company. I think what we have to jointly consider is the architecture of security. So what do I mean? It's something esoteric and it's something very pragmatic. How do we organize ourselves in public sector, private sector, and building the bridges on a national level, on a regional level, and on a global level? Because that is what the threat requires. It's also required because we have limited resources and it's because what today pops up in one part of the world will be tomorrow in the other part of the world. So I think many countries, even in the so-called developed world, are still struggling how to work against fragmentation because that is a major risk in effectively pushing cyber crime back. So interesting models are coming up. For instance, I know quite well from Singapore, they have an anti-scam center where people from public sector and from private sector are sitting every day desk by desk, and sharing in real-time information. That is the level what we need. We are doing the same in Interpol with a gateway project also in Singapore and our global hub for innovation where we're sitting with some representatives from global players in the private sector every day and sharing in real-time based on a proper legal framework information. And a lot is going on in Africa, in South America. Currently, those centers are being built and we have to work together. We need the support from the private sector to build a most effective global architecture because you cannot fix that problem just on a national level or on a regional level. You need, we all know that it's a global problem and it requires a globally coordinated response and there's a lot to do in that and Interpol stands ready to work with the private sector on that. Look, I'm gonna turn to you folks now if you wanna come in, a couple of questions from the audience, but before I conclude, I'm gonna ask you all the final question from my side as we close the panel. How can cyber defenders win? That was a question of the panel. I want you to give short answers on how can we win? One thing that we should be thinking about doing in 2024 to turn the tide. The lady here can have the mic here, please. And please get my attention, I'll come to you as well. Someone else wants to pose a question, go ahead. Thanks, thank you, really insightful. I'm Susanna, I'm from Chile, Latin America. I have been working in these topics in Latin America, but what do you think if this is a big talent for the European Union, for US, for India, for big countries, what do you think about these topics in emerging countries and specifically in the supply chain because even big companies are struggling with this. So what is going to happen with all the suppliers and what is going to happen if they are not able to jump in this, that they are going to be left out of the market or what do you think or what do you recommend, actually? Any other question from the audience? Yeah, go ahead. Yeah, Marbelle de Gestes, CLS, financial market infrastructure. You mentioned transparency, but you didn't mention a condition for reconnection. When you are in a network and there is a transparency, the first thing you do is to disconnect. We saw it recently in the treasury market in US, but the condition to reconnect are important and the more work we do in advance, the better we will be. Okay, so we have two questions. One is smaller companies, supply chains and how do you build capacities for them to invest in resilience and how do they protect themselves? And of course, the connections for a condition, transparency and response frameworks. But please, as we now go down the panel, we will also respond to that one thing we can do so that cyber defenders can win. So Gary, let me start with you and then come to you again. Okay, let me start on transparency. I look at some of the events we've had in the software supply chain like SolarWinds. The earlier people found out about it, the more that they could do. And so just the time to respond and agility and while that transparency has implications associated with it, we've got to figure out how to get through that because we have to collectively as an industry and governments all have to collectively respond. So the faster and more transparent people are, the better off we're gonna be. And my answer on how defenders can win, we only need to do the basics well. Just do the basics well. I think the bad guys are better organized in many ways than the good guys. So we talked about disclosure requirements and transparency. We're certainly working and trying to do our part around aggregating that data and using it in an effective ways. But governments are also now, many governments that are requiring reporting are aggregating a tremendous amount of data. We've got to press public officials to help us learn from that data so we can improve security. Ceddie. Yes, and make sure that our senior leaderships, our cyber fit can deal with the risk. Supercharge our cyber defense by using AI and there's lots we can do there that we're not doing currently or that we're doing a lot. And then finally, both for single organizations and supply chains, don't assume the parameters will hold. Get used to doing insider threat detection and get good at threat hunting. Don't wait. Try and get there first. Being proactive. Yes. Live journey. You know, I think AI is going to be absolutely fundamental to cyber security and it's going to provide game changing capabilities to whoever uses it, the good guys and the bad guys. I think it's going to be important to fight AI with AI. So companies, governments have to build capabilities to use the technology well, not just to build cyber resilience, but also to address this tremendously important point of. Technology has to do it and skill people to make it happen. I mean, crime always did exist and will always exist. So it's about the reducing the risk. That is the key. Of course, as I said earlier, building an effective architecture of security, institutionalized cooperation. It requires a holistic approach and I agree, artificial intelligence used in an ethical way is a huge opportunity for law enforcement to provide for more effective deterrence and prosecution because bringing the criminal behind bars is an important part of fighting cyber crime. Thank you so much. We have run out of time, but my only final comments and thoughts, cyber defenders must win. It is important for us. Please join me in applauding the wonderful panel for their contributions. And see you next time, next year at Davos.