We are doing incredible things with the internet, and we have to be aware of that: that we need to not sell fear but protect hope, to make sure that the good side of the internet is always in focus. But in order to do that you also have to look at the negative sides, unfortunately, and we have never seen so much crime on the internet as we have right now. It's estimated that we lose seven billion US dollars every year to criminal organizations. We also see a lack of trust because there are nation-state activities. We also see a lack of trust for individuals, that we give away our information. Who owns this information? Where does it end up? And we have a truly global environment, which for the majority of the world is uncharted territory, because they are used to dealing with security issues inside nation-state borders, but this is not possible. So we are entering uncharted waters now, and for that we lack a completely new architecture to deal with that. We don't have that. We simply don't have the instruments globally to do this. So while the change is going like this, the trust is basically going in the other direction. So we need to look into how we can do this better. In a previous panel I had a professor who told me that she was in the first cyber conference 21 years ago, and the conclusions of that session were: we should cooperate more, we should share more information, we should do more awareness. And here we are 21 years later, and I hope we are not continuing to say that we should share more and we should, you know, learn more, but we should now action. So I think that in that we need to have a much, much stronger cooperation between private and public sector, and we need to have a coalition of the willing who actually want to make a difference. So I hope that this panel will bring us answers also to some of these questions that we have, and maybe also a way ahead. So I leave it now to you to enlighten us. I'm looking very, very much forward to it. And I hope that we will have a very
engaged and active also commitment from the audience to raise questions to these ladies and gentlemen, who are truly experts. Thank you very much.

Thank you, Troels. I think that's a fair opener for us to respond to, and in some ways, just to problematize what Troels just said, if that was not problematic enough: I think all of us are trying to respond to the digital dilemma. How do you grow the digital economy? How do you ensure personal rights and safety are maintained? And how do you ensure national security is not a victim of either of the two? So the digital trilemma is what we are trying to respond to, and I think Brad Smith is a good person to try and offer us an insight on what are we really dealing with. Where have we reached? What is at stake, and are there parts that we must consider now?

Well, thank you. I'm happy to just sort of frame this briefly, because we have a great group of people here who can talk about all its various pieces. But if we're trying to describe in a sentence what we're hoping to accomplish, I think all of us, it's really about keeping the world safe. The world depends on digital infrastructure, people depend on their digital devices, and, you know, what we've all found is that these digital devices are under attack every single day. And, you know, fundamentally we've seen two trends over the last five years that have continued to intensify. One is more prolific and more sophisticated attacks by organized criminal enterprises, sometimes or even oftentimes operating from jurisdictions that are more difficult to reach through the rule of law, but using the internet to seek out victims literally everywhere. And the second thing we've seen is an increase in nation-state attacks, on certain days acting on a global basis. The 12th of May in 2017 was the WannaCry attack launched by North Korea. It impacted over 150 nations in a single day. What are we trying to do about it?
Well, I think what we're trying to do is really take a multi-faceted approach. Yeah, this is the kind of problem for which there is no single silver bullet. I think it starts with tech companies. Those of us who create this technology have the first responsibility to really keep people safe. You see across the tech sector individual companies constantly strengthening their security defenses, constantly offering more security services to customers. But second, the industry's found that we really need to act together and not just separately. 2018 was an important year, both because Siemens really sponsored and helped launch what's called the Charter of Trust, and Microsoft, we worked with others to launch what's called the Tech Accord, or tech sector accord. We need governments to do more as well. That's one of the things that we've been urging. There have been important governmental efforts over the course of this decade. One of the notable things has one of the more obscure brand names, but it's called the Tallinn Manual 2.0, but it really advances international norms for governments. We've called, as we've said, for a digital Geneva Convention. In some ways I think one of the more interesting days in 2018 was the 12th of November in Paris. That's when the French government announced what's called the Paris Call for Trust and Security in Cyberspace. It advances a number of these principles. We can certainly talk about them if people are interested, but what I think is most notable about the Paris Call is that it represents not just multilateral diplomacy by governments, but really a multi-stakeholder approach. Just two days ago
It was announced that there are now more than 500 signatories to the Paris Call. There are 60 governments, and there are over 300 companies. There are over 150 different NGOs and civil society organizations. And I think part of what we're going to need to solve this, or at least address this problem more satisfactorily than we are today, are more multi-stakeholder initiatives like that.

But I'm going to come back to you on two points. One is, trust in tech also implies trust in technology companies, and is that a factor today? Are citizens or users beginning to doubt the integrity of the companies themselves, and how do you respond to that as Microsoft, who might be a collateral of this mood? And second, of course, is, you know, trying to create global conventions but yet hanging on to ideologies of the past. For example, the Paris Call has not been signed by certain countries because it continues to peddle the Budapest Convention. Is it time to be more pragmatic and use the clauses where there is agreement and create the pools of consensus rather than this ocean of agreement?

I would say, first of all, you asked two great questions, and the first point you make I think is an important one. People cannot trust technology unless they have confidence in the companies that are creating the technology. And I think it's a given that as we come together in Davos in 2019, there's more public skepticism, even public concern, about technology and the technology sector than there was a year ago today. You know, the Cambridge Analytica episode really served as a flash point, and I think it stood not just for the incident in and of itself, but really a watershed moment that seemed to bring together a lot of sort of latent but rising public concerns. And so I think it raises a set of issues that, you know, technology companies and the sector as a whole are going to need to address. I think it frankly starts by acknowledging the problems and the skepticism. It then needs to go to, you know, companies
identifying and talking about, you know, the principles on which they're acting. But ultimately it's all a matter of doing something. I think the public, you know, has developed a keen ability to differentiate between words and deeds, and you're not going to sustain trust unless there's consistent action and the kind of transparency that lets people assess that. Now then, let's go to your second question, and latent in it is the universality of the Paris Call. One of the interesting things about the Paris Call is it really seeks, in my view, to build a coalition of the world's democratic nations. And, yeah, it has today all 28 EU member states, it has 27 of the 29 NATO members. It has Canada and Colombia. It has South Korea and Japan, just this week Singapore, Argentine, I'm sorry, Australia, New Zealand. There's two big countries that I hope in 2019 will sign the Paris Call. One is India. It's important for the world's largest democracy to stand up to defend democracy with the other great democratic countries of the world. And there's at least at this point, as I understand it, one concern the Indian government has, which is the Paris Call refers to the Budapest Convention, and India is not a signatory to the Budapest Convention. And my answer would be: it's not a treaty. It's not a contract.
It's a call. It's a declaration. You know, we went through this discussion with every government around the world. The British, well, we didn't draft these four words. They found a way to get comfortable. The world needs India to stand up with the other great democracies. And then the other missing nation is my nation, the United States government, and that of course in many ways reflects a reluctance at the moment by the current administration to embrace multilateralism. And my answer is: the world, just as it needs India, needs the United States to stand up and defend democracy as well. And democracy can only be defended effectively when the world's democracies act in a united way, because some of the most focused attacks on technology, using technology, are in fact attacks on democracy itself: disinformation campaigns, hacking of candidates, and the ultimate concern we all should have, those of us who live in democratic nations, which is the vulnerability of voting systems. If the world's democracies don't come together, we risk being picked apart in ways that fundamentally threaten the values that we all share.

So that's an easy task, getting the US and India to do your bidding. I think that would be easy. Let's go to Gottfried now. You know, he spoke about trust in tech. Let's talk about trust in institutions. SWIFT is both a platform for exchange, but it's also become a political tool. So my two questions to you: one, how does SWIFT
respond to the whole question of creating a system with integrity when you have cyber fraud, cybercrime, banking theft, digital theft; and two, how do you insulate yourself from being a geopolitical agent for some actor?

Yeah, so the short answer is you work the problem, and we do that together with the banking community. It's always good that we connect 10,000 banks around the world and we exchange the information between them that's needed to make global payments work. Banks compete with each other, but it is also a global community. They can only do that by cooperating with each other, so we work with them. And I can give two examples. One is on the front of cyber, where we had the fraud at Bangladesh Bank, now three years ago, exactly three years ago actually, which was quite unprecedented, where we with hindsight saw a nation-state enter the local environment of a central bank and compromise that environment and enter fraudulent payments into the payment system. We got together with our community, designed a program to really work the problem. Information exchange, and I think that's a really good example of how globally you can make information exchange in cyber work. Banks exchange with us what they see in terms of compromises: what are the IOCs in the cases of compromise, modus operandi, etc. We, based on that, share that information back with them. We shared with the antivirus company, with the security specialists, etc.
That part is really working. We designed a set of controls that all the banks in their environment have to comply with, and that's a whole program to beef up security at the edge. And the other thing is transaction monitoring: making sure that when you see payments that are out of the ordinary, it doesn't get paid out, but it gets returned to the bank that has been defrauded. I have to say that that program has been successful to the extent that we have not seen a repeat of the type of attack that we saw in Bangladesh. The bad guys keep trying, but not with the success that they had in the initial attacks. And that's really been an effort by the global banking community. So that's, I think, one example of where you can make it work. At the end of the day, abolishing technology is not the answer. We're not going to go back to live in caves or not be connected. Indeed, when you had to go to the bank to pick up the money physically, we didn't have cyber fraud. Now everything is connected, and with that comes that challenge. You work the problem and make it work. Geopolitics, I think, is the same answer. At the end of the day, you get together with the community, you make it work. Obviously sanctions are a difficult one. They are by nature political. It works if they're multilateral, in the context of the United Nations, and we've always said if they're multilateral then of course we will comply with them. It was made difficult last year in November around the Iranian sanctions, where Europe and the US had diametrically opposing views on what to be done, and we were forced to make a choice between the two. At the end of the day, again, we consulted with our community, and clearly we all agreed that we had to do what we do, which is maintaining the integrity of the global financial system, making sure that that keeps working.
That's our prime mission. And I think the feedback we got from banks around the world is, given the role of the dollar in the global financial system, yeah, that will have to drive the decision that you make at the end of the day. So we took that decision in accordance with our banks and our goal of maintaining that integrity.

Is there now an institutionalized engagement at the level of central bankers and commercial banks who regularly interact with a platform like yours, monitor the integrity, monitor the sanctity of transactions and the systems?

Yeah, absolutely. There has been. We've always had close interaction with the top 10 central banks in the world; they oversee us. But in the context of the program after the Bangladesh Bank attacks, a lot of that had a role for the local central banks to engage their banks on security, monitor them, make sure that they implement the controls. So we've been quite closely cooperating with the central banks around the world, through the banks or directly. So absolutely there is a role there, yes.

Let me move to Allison. Allison, from an insurance and risk perspective, is cyberspace worth it? Can cyber security be achieved in reality, or do the risks simply outweigh the benefits of engaging with the sector?
So I guess the short answer to that would be yes, of course it's worth it. And I think Troels' opening remarks, I could only echo that. I think we always need to think about the fact that the digital age and the connectivity that brings us is a fantastic opportunity. So we all need to do everything that we can to reduce the risk and reduce the vulnerabilities within that system so that we can all benefit. So absolutely, it's a yes. But obviously I am a risk officer, and therefore that means I do look at a lot of the risk that's within that. If you look at the Forum's regional risks of doing business report, then cyber is the number one risk of doing business in Europe, in North America, in East Asia and Pacific. It's second only to the environment in the Global Risks Report in terms of long-term highest-impact, highest-likelihood risks. So clearly this is not one that we should take unwisely. So it needs to be done very thoughtfully. It's definitely not too late for us to address the risk and look at the vulnerabilities, but we do need to get a move on. I think, again, to Troels' point earlier around in 20 years, if we move the debate on from words to action, I think we really must challenge ourselves: what action are we taking in order to mitigate some of these risks now? The scale of this risk is so big it does require public-private partnership. And I just want to draw a quick analogy to where this has also been incredibly successfully done to achieve a wondrous outcome. So Apollo 11, the moon landing 50 years ago: the risks of that were immense, but look at the significant benefits to society and being able to achieve that. Digital arguably has even better opportunity but even bigger risks, but I think we should look back and remind ourselves what public-private partnerships can do together when we are motivated for a purpose and we have the same vision as to what we're trying to achieve. So I really take a lot of hope in that, I guess. So, to insurance. Yes, of course,
it's difficult to underwrite cyber risk. I'm not going to sit here and say it's easy. The sheer fact that model estimates of losses range from hundreds of billions to high single-digit trillions, the significant uncertainties that underpin those models to calculate what the exposure is, yes, it makes it difficult, but not impossible. And I think we have to go back to, we need to do everything we can to make this work. So we need to look for the opportunity and not for the difficulty. So a few things that would make this a lot easier: common attribution protocols, so understanding actually what was the underlying vulnerability and what was the underlying cause; understanding and monitoring actually what incidents we have, what impact they have, and what response and its effectiveness; and then really thinking about how can governments support in large-scale attacks, before they happen, so that we have that agreed upfront. I think if we want to make insurance kind of standard, so cyber becomes a standard insurable risk, then we really need to think about the role of insurance as not just being something you transfer your risk to, but something where actually it's just part of a solution, because actually the bigger solution is around reducing your risk. It's about improving your resilience to that risk, and insurance is simply a part of that, for the risk that we have been unable to reduce. So everyone is exposed with a variety of different vulnerabilities, and we can work together to try and mitigate those as far as possible, and what is left then can be insured. But that requires a lot of exchange, and it requires, very much to Gottfried's point, it requires trust.

You know, one of the Microsoft-supported initiatives again.
It's a multi-stakeholder global commission that's looking at cyberspace stability. I am part of that commission, and one of the commissioners, and I'm not naming him because I'm not sure whether it was under Chatham House rules, but let it be known it's not my idea, one of the commissioners in the room did mention that insurances could themselves become instruments of ensuring good behavior. Once you start pricing markets based on how the companies and governments and actors behave in those markets, you might achieve compliance, you might get states to do more to ensure their digital networks are safer, that they have certain safeguards and cyber hygiene mechanisms in place. So do you see the insurance itself becoming a driver towards pushing the world towards adopting practices that make networks safer? Price them higher if you want to go to countries who don't practice good hygiene, you know, assess the risk higher, much like the financial assessments on credit ratings, and do you see that coming in?

So, without wanting to do an insurance risk 101 pricing guide, certainly part of the insurance value proposition is risk selection. It's about determining the better risks from the less good risks. Absolutely, that is part of what we do. But I will go back to what I said, which is, particularly with relation to cyber risk, then what we need to do is improve the resilience of everyone, reduce the vulnerabilities that everyone faces, rather than just saying, okay, you just need to pay more, because paying more is not the answer. Cyber is a risk that doesn't honor boundaries or borders. So it's not a risk where actually it's okay for us to just charge a bit more. If you drive badly, okay, we charge you a bit more. But if you have poor cyber hygiene and you let something in which then actually can infect many others, you could cause a system risk.
I don't think our answer should just be to charge more money. I think we need to reduce vulnerabilities and we need to build...

So cyber risks therefore are very different, pretty much like limit risks, because they want, this is right. Let's move to the practitioners now, and we'll come to the police chief at the very end, because I think you have to make sense of all of this. But let's go to our friend from Israel. Ma'am, you've been a foreign minister, justice minister. You're now head of a political party. You are in election mode. Oh, yeah. People are wondering whether the election, the candidate who wins, will be selected by a social media platform or by people. And of course you've been pushing for an international framework. So sitting in your place, or in your position with your experience, how do you assess what we have?

Okay. I think that we all can agree about the obvious: that we need to address this new challenge, that the challenge is changing, and we are far behind, talking about states basically, without real will, decision to work together, to agree on the norms that are needed, to translate it into legislation. And we all understand that if you legislate something within your own state, it doesn't give an answer, because as you said there are no borders. It's something that the international community needs to give an answer to. Before coming to elections: as a decision-maker in Israel, while facing security threats, on one hand you can see this as new tools to act against you.
So as a state, on one hand there's a need to join all the democratic states in the world and to give an answer to these new threats. On the other hand, other states that are not part of the democratic world, or they are part of the democratic world but are not willing to join this, they can be those that are using this in order to act against you. So on one hand you are joining, you are taking some restriction on what you do, and on the other hand you are open and vulnerable when it comes to those that are using it against you. So this is one dilemma. The other, which I think that we should understand that this is something that we would face in the future, is that we are talking on asymmetrical war when it comes to conventional weapons with terrorist organizations, and so now it's clear that they are behind, but in the future they can use this also for terror attacks. So in addressing these issues, it's not only about states, not only about organizations and companies or tech companies; there's a need to cooperate in understanding also the problems and the concerns also of some nation-states amongst the democratic world. Secondly, as was said, sometimes it is being used against democracy itself, and we need also to address another challenge, which is not connected to cyber, and this is that the nature of democracies is being changed. The values are being changed, and all together. What really worries me is that after hearing, and I'm not the one to say whether it happened or not, but when I heard about this suspicion about a Russian interference within the American election, and I said, okay, what's the average American saying to this?
I mean, it's a kind of something that I wouldn't have imagined that can happen, and the answer that really worries me was: so what? So there is less of understanding that this is something that really changes what you as a citizen want. And in Israel, we are facing elections in a few weeks from now. Four years ago, cyber was something, or internet was something, that I thought, okay, this is great. I don't need the mediator to work or to explain what I believe in to my voters. I can use the internet, and they are using it, and everything is open. I don't need the press. I don't need mediators. It was really great, a new world, and we were so happy. And now the question is whether somebody is going to interfere within the election and change the outcome and the results. And also, this was something that needs to be addressed, and I'm not sure that we have the real answer to it. And this is really something that affects the nature of democracy itself. Last thing that I would like to raise as a question, because it is not only about states, it's not only about democracy, but it's also about us as human beings, the citizens of the world, about our privacy, about the way we live. And I think that there is something which is changing, because for me, I'm old enough, okay, for me privacy is something which is very important, and the idea of somebody that gets the information about me, about what I want, about what I do, is something that is quite difficult for me to understand and to absorb. But I think that young people, for them it's becoming part of their life, and they are becoming indifferent to this. And therefore I believe that we need to gather and decide what our... Partly it's more an issue. We are talking about legislation, about norms. Norms should represent also our moral values as those believing in liberal values, in democracies, and I think that we are losing some on the way.

Brad, let me bring you into this particular conversation as well.
You are someone who's spoken about influence operations interfering in democracies. Is this now a real threat, or is this still a perceptional issue? I mean, we are told that the Russians elected the American president, and it's not important whether they actually did; just the idea that they could have has created distrust in democracy itself.

I think one should separate two things. What led to a specific candidate being elected in a specific election? Yeah, that's always a bit of an imponderable, especially in a close election, because the truth is there's probably 14 different things that may have had an impact on an election. We will never know some absolute truth there. But let's then focus on what we do know. We do know, because it was documented in a report last December, that 30 million Americans have read intentional disinformation put onto social media by governments, a government, and they shared it, they liked it, they spread it, and by every reason one should conclude they believed it. Good, and yet this was done, I think it's fair to say, with the goal of disrupting democracy. It has not been confined to the United States. It has not been limited to disinformation campaigns alone. You know, we, through our threat intelligence center, you know, have monitored, and we've taken legal action against these kinds of nation-state attacks against political candidates. Every single candidate running for the French presidency in 2017 was targeted and attacked, and some we were able to prevent. We have followed this activity around. It has impacted 90 nations, including Israel. It is a problem. It is a threat to democracy, and it needs to be addressed. And, you know, it needs to be addressed in a multiple of ways, but it starts by recognizing this is a problem and the democracies need to act together.

Catherine, I'm going to come to you now. You've heard the private sector.
You've heard practitioners. You are managing an institution that is today in an interesting continent. Countries can't seem to agree with each other. You have the rise of the right. You have the rise of radicalism. You have American companies stealing your data. You have Chinese companies wanting to steal your data. And you have all sorts of easy problems to respond to. Now, as the Executive Director of Europol, who's working with governments who are ceding sovereignty to your institution, how easy is your role?

It's a very challenging job, and I like it very much. I took over office in May this year. And our goal at Europol is to make Europe safer, as I heard is for private companies the same. So our aim is to work on it. We are not a regular law enforcement agency. We do not have coercive powers. We are not the FBI of the European Union. We are, in our DNA we have the cooperation. We are the criminal information hub. We put everything we get from member states and third countries together, we analyze, and we try to find solutions for the investigators. We have also a lot of expertise, and we are known in the European Union and around the world for our expertise, certainly in cybercrime. We have the cybercrime center in the European Union in Europol, EC3. It has been founded by Mr. Troels, by the way, and in the EC3 from the start we were aware of the fact that alone we cannot do anything. We will have to cooperate. The two main things we see in the cyber world that are very threatening to us, and that are important to gain or to lose trust towards the public, is identity: how do we know that we are talking about the right person on the web, in the cyber world? And the second thing is the difficulties we have to link the acts and to prove the acts and to get the evidence to get convictions before court. This is very difficult for us, and alone with the law enforcement community we cannot do it. So that is the reason why we have to collaborate. It's in our DNA.
We have advisory groups. We have people from the financial sector, because we have a lot of issues with money laundering. We want to invest more in financial crime. We have academics, to be aware of the ethics about cyber and of the new technologies and the developments. We have people from the economic world, because if you have an attack in a country, or a cyber attack in a country, it has a direct impact on the economy of the country. And we have of course the internet service providers we work together with. And then from government level, you see, we have a very complex and multi-dimensional environment. We have law enforcement. We have intelligence services. We have different ministries: ministry of interior, justice, economy, foreign affairs and so on. So we have to try to bring this all together to have the possibility to look at what's going on in the cyber world, and how can we have a holistic approach to deal with it, and how can we maintain security, and how can we gain trust from the population in the use of cyber? That's the reason why we always have to look for new solutions. We need very creative people for these new solutions, and this is not always easy to find. We believe, for instance, in crowdsourcing. We see an increase of child abuse online. We see the live streaming. We see that we have a real increase in the world. It's not possible for law enforcement to identify the victims, to identify the perpetrators. So we call on the public. We show the public, through Twitter, through our Facebook account, our website, photographs of crime spaces, crime areas, and we ask them: Do you recognize this object? Do you recognize this place?
Of course, we do not show the faces of the children and of the perpetrators. We had the first test case a few weeks, a few months ago, and we had 22,000 people responding to our demands. We were able to identify eight children and get them out of the system, because we have direct contact through the national law enforcement with the places where the abuse takes place, and we had one perpetrator convicted. So it's a strong tool to help us in the identification. Now we are working, we see that virtual currencies are a real threat. We have to work together now, and we are working on it with the virtual currency exchanges. They help us in the investigations, and also there we see good results. So for us the key is cooperation, but we need governments, national governments, and governments from all over the world. We need the European Union to allow us to have a good legislation for information exchange, also with the private sector, because we have in our legal framework possibilities to cooperate, but we want to go from a compliance exchange to a more intelligence-led exchange, so that also private sector give us the information we need for our investigations. And what we also see is the frustration sometimes in the private sector because we cannot give something back, and it's always, yeah, and we need to work on it and we need to create awareness.

No, that was going to be my follow-up question: how easy has access to data become in the recent years under Europol, or do you still rely on member states and their own treaties with international institutions through which you obtain data?
Yes, so we are working with sovereign states. National law enforcement authorities are responsible for the investigations, and they share the information with us if it is information related to our mandate, so serious and organized crime and terrorism. And then we get the information from the whole of the Union, and we connect the dots, and we try to create new information for them and for the whole of the Union. So we are depending on information coming from the national states, and we work with this information.

So Brad, again, let me come back to you on this. I keep coming back to you. Data is an issue. You know, there are many countries who don't sign on to many international agreements because they believe that the agreements do not serve their fundamental obligation of protecting their citizens. They don't have access to data; getting data out of America is impossible. It takes two, four, three years, you know, some long duration. If you can't prosecute, you can't create trust; governments lose legitimacy because they can't prosecute criminals. Now, is this one area of international cooperation that requires urgent revamp?
Well, I think the short answer is yes. And I'd actually weave together a couple of strands from what you've just been talking about. You know, first, that the child exploitation issue is always worth pausing and thinking a bit about, in part because it actually is a problem that was mostly eradicated before the internet brought it back to life. Second, it's probably qualitatively the single most horrific, you know, crime that one sees get committed using the internet. Third, your description, especially the reference to live streaming, you know, really reflects the sort of cat-and-mouse nature of, you know, crime and law enforcement. Because originally people were trafficking in the images and photos. We were able to help develop technology to identify the photos, called PhotoDNA. It then moved to videos. Google and others, together with us as well, you know, worked on technology to identify video. Now it's moving to live streaming, in part to evade both law enforcement's ability to use photos and video. And then that really brings us to the need to rely on the data we do have.

And the other thing about child exploitation is that it's always required close coordination by law enforcement agencies across borders, certainly across Europe, but it's really globally. And it therefore is an important case study of, you know, what we need to do to enable data to move across borders. You don't find anybody anywhere who's opposed to enabling law enforcement to work faster internationally to address this problem.
We have, you know, an institution globally to facilitate the movement of data for law enforcement, you know, these so-called MLATs, or mutual legal assistance treaties. And, you know, they worked really, really well in the 1800s. You know, that's what they were designed for. And so, you know, there's a whole host of reforms that are needed to modernize these, and we've started to see some additional steps over the last year. Yeah, in the United States there was new legislation adopted, the CLOUD Act. What it really does is it creates a domestic legal framework for new international agreements, and we need a new generation of international agreements. And, yeah, I think that needs to be a priority for today, and we need to go after this priority with the recognition that, you know, it will take us into the middle of the next decade to put in place around the world all the agreements that are needed.

And this singularly will impact each of your domains in many ways, this new architecture for managing, sharing and accessing data. We are opening it up to all of you now. I can see Ambassador Gill, who's the secretary of the high-level panel of the UNSG. So do you want to come in at some stage? And we had some others who want to. Can you bring the mic here? And can you stand up? The camera wants to catch you. That's what I was instructed to tell you.

Thank you, Samir. Fascinating discussion. My main concern is the fragmentation of effort. So at the bottom you have 30-plus vendors and malware software, and at the top you have all these different policy initiatives. So how do we bring it together in a year when you have two intergovernmental processes, the GGE and the open-ended working group, starting within the UN, and no common end in sight? So how do we bring it all together?
I am a strong believer in pilot projects. For instance, together with the International Institute of Finance, we in Europol are trying to bring together the financial sector and the law enforcement sector. We make an assessment, for instance, of the national legislation in the different countries, and then we try to see which country is working very well in the information exchange we need for law enforcement and to have more security. We try to identify the gaps, and then we try to make a good case out of it, to talk about it, to tell the stories behind it and to create awareness, also in law enforcement, but also in the private sector and also with our governments, to make proposals how we could do better in the future, and which system is working, which system is not working. And for us it is important as law enforcement, in the fight for instance against money laundering, to have information exchange. And there, when you can give effective practices and prove that there are systems that are working in national environments, we win a lot. We have in this pilot project six European countries, two countries out of Europe, and we have 14 or 15 financial banks dealing with it. And it's a growing process. First you need trust. Then you need results for the objectives you have, and then you have to try to work on your results, and you have to try to implement them in the system. But if you have trust, and if there is willingness from different partners, and if you have a really good conversation and an honest conversation, and you have the same goal, we want to try to solve the problem, I think then you will have a lot, we in Europe.
It's in our DNA. We have to work together with sovereign states. We have to work together with the private sector, because we have to be the experts. We have to be at the forefront of innovation, so we have to go beyond our normal boundaries. And we did create a lot of these initiatives, and we see that this can really help. But it's a question of trust in the beginning.

You want to come in?

Well, the other thing I was just going to add was, if you look at what the Forum's doing with the Center for Cyber Security, I think that's an excellent kind of indication of what actually can be achieved if you put together the multitude of private organisations and public who are engaged in this space. I think if you look at the goals and initiatives that they are working on, I don't think of itself it's bad to have competition and a lot of different suppliers. I think that's important, but I think you still need to have a neutral body who could kind of form a bridge. Yes, and I think the Center does that.

Well, I agree with these comments, but I'd also qualify them a bit, at least as I think about it. In the quest for global consensus, it is unfortunately too easy, I think, to gravitate towards small solutions for big problems. And I think that is a real risk. And so then the question becomes: how do we build on global steps where they're possible, but not rely on that alone? Yeah, and you know, I think we've seen, you know, two things over the last year. You know, one of the points of feedback that we got, that I certainly got from people in the diplomatic community, was that if the world's governments were ever going to come together with bigger solutions,
The tech sector needed to start to lead the way. If tech companies could come together across borders, at least there would be more of a model, and that is an important part of the thinking that led us to launch the Tech Accord last spring. The fact that we've now got 79 companies from around the world, you know, endorsing four important principles and then implementing them with concrete steps is a building block. And then I think we need to look to a coalition of the willing. Yeah, if you look at the Paris Call, you know, it was clear from the first day that there were certain countries that would never sign on. And you know, we thought, the French government, others thought about, well, what did this mean? You know, especially in basically the same month when there were these votes being made in the United Nations. And you know, any month that the UN can take a new step that helps is a good month. But I actually think that one way to spur more global action is to create a bit of an alternative, where, you know, more governments together, with a multi-stakeholder approach, which I think can give more support for governments, you know, can start to move faster and towards bigger solutions.

Do you want to come in on this?

Yes, I want to add to this that, frankly, the situation is that this is a huge failure of the international community to face this challenge together, even without agreeing who should deal with this. Is it going to be a nation-state, with companies, experts, politicians? All this discussion is being dealt with without real understanding, agreement: what is the next step? What are the norms? What are the parameters? Who should be part of it? So let's put it on the table and face it. This is the situation now.

So you had an intervention.

So just a comment and a question.
So, Yawar Shah, chairman of the board of SWIFT. First, I naturally have to agree with Gottfried and Brad: the coalition of the willing does work, because in times of uncertainty and chaos, people getting together (governments, tech sector, agencies, etc.) lead the way, and that seems to be working. However, that's point one. The real question to you all is: there is an increasing and accelerating gap between those institutions (banks, technology companies), and it's geographic, that are, likely, in the developed world, that have the capability to defend, detect, correct and then recover from cyber attacks, all three. But in the emerging markets, yes, many, many, it is not there. How, in addition to the coalition of the willing, do we address that increasing gap? Because we're only as good as our weakest link.

I think that's a great question, I think, and let me pose this to all of you, because Allison and, I'm, and you mentioned as well, you're working with banks. I think resilience is a word that's come up; capacity building implied in many of our responses. Coalition of the willing is getting people to sign on to a paper, but a coalition of capacities is what we really eventually have to move towards: that we have created capacities with these partners to respond to challenges or mitigate them. So let's go down the panel and let's get your views. Let's start with Brad.

Well, the first thing: it is all about capacity building. And I think there's two elements that are among many, and others will probably have more and better thoughts than me. But the first thing I would say is, you know, we are seeing more technological capacity, you know, being constructed in emerging markets around the world. You know, the fact that a company like ours, you know, just opened two data centers in South Africa. We've got data centers in India. We've got data centers in Brazil.
We're serving, you know, countries from these regions themselves, and as that enables more institutions to move from, say, running their own server computers to relying on the cloud, that by definition is a real step up in increasing cyber defense capability. But, you know, in addition to that, one really does need to take on this question of how you institutionalize these capabilities throughout these societies. It probably has to start with both governments in these countries and the larger enterprises in the commercial space. The ultimate challenge, and it's the ultimate challenge in some ways, you know, whether you're talking about the United States or South Africa or anywhere else, is how you help small businesses that don't have great capabilities, as well as consumers. And part of that is a technological solution. A lot of it is an educational path as well.

Yes, I totally echo on the education piece. And I think actually this is probably one where insurers can play actually quite an interesting role, because we will probably have contact with many of the companies. And I would very much echo Brad's point that, I mean, this isn't just an emerging markets challenge. Actually, the number of SMEs in the United States, for instance, who wouldn't have cyber cover is scarily high.
So I think this is one where, if you think, okay, most companies though would have property cover, because, I mean, that's fairly standard. So there is a pathway in to raise awareness, for education, to help people understand the risks that they're exposed to, and then to talk about what vulnerabilities they face and how can we, a, build resilience. Again, that's more important than having to pay at the end, and then provide protection category.

Capacity building is key also for us. And what we did, for instance, in Interpol: we did foresee money to give the possibility to the emerging states to send people to the headquarters for training sessions. So it was free for them, and for Interpol there was also a gain, because we had the potential high-ranked people to develop themselves. And at Europe level, we invest together with the European Commission in third countries, and we foresee capacity building for them.

Yeah, I can sketch it for our microcosm, which is the banks in those emerging markets. I don't think it is a top-down approach. In fact, I think the top-down approach hopefully went out with the Soviet Union. I mean, to some extent you have to let the market do its work and let people do what is the right thing. So you mentioned central banks before, so we have a multi-pronged one. One is to work with these central banks in these jurisdictions. The gold standard there is, of course, in the West, where you've seen the Bank of England, the Fed and the ECB. They now all have programs to really do red teaming on the banks, to look at sector resiliency, etc. Some of that is now being copied by central banks in emerging markets, who have a natural role to secure the banking system, and they're starting to apply these frameworks. Another angle is the private sector, so working with the technology providers.
Yesterday we had a discussion with the audit firms, who need to audit all these controls: whether these banks are secure, what they can improve, etc. So I think it is a multi-pronged approach at the end of the day to do that capability, with the overseers or regulators in the country, the service providers, the banks themselves. There's a role for the larger banks as well. A big part of securing these smaller banks is for the larger banks who do business with them to say: we need to do our own counterparty risk assessment here. And then the cyber security of their counterparty bank becomes part of the global counterparty assessment that they do, from a liquidity perspective, from a know-your-customer perspective and all of that. So these big banks play a role in making sure: guys, unless you shape up your cyber practices, we will either not do business with you at all or only do restricted business with you. So I think it is a multi-pronged approach to really do that capability building in these local markets and lift them up. And I agree, if I had to name one problem, it is the inequality between the more sophisticated geographies and, and you're only as strong as your weakest.

And you're only as strong as it seems to be.

No, nothing to add to this. I mean, I can agree with everything, but I believe in a top-down approach, because I think that without a top-down approach we would not face the problem, only different aspects. It is clear that we have some problems with some big players in the international community, but I believe that it should be addressed, because otherwise it would not be addressed properly as it should.

We have time for one last intervention.
Okay, we'll take two and then we'll come back to the panel. But 30 seconds each. One at the back and one in the front here, the two interventions.

Hi, Hadas Gold with CNN. We just heard that Bing is being blocked in China. So Brad, I was wondering if you could respond to that, and also if everybody could speak to how you can do these big multilateral agreements with cyber security when you have such huge actors that seem to have a different kind of basic point of view of what should be allowed.

And there was one intervention right here.

Excellent. Thank you so much. Vivian Loonela from the European Commission, and thanks a lot for this fascinating discussion. I was really happy to hear most of you paying much attention to attribution and how important it is in dissuading attacks, but I'd want to hear very much the reaction from the private sector especially on what comes after attribution to member states. Because what we've seen, the European Council has also called the member states to work on that, but we see the example, for example, of the NotPetya attack, which was attributed by many countries to Russia, and then you've seen insurance companies saying: but it's a state-led attack and hence not covered by the policy, whereas it's far of course not a targeted attack. So just to see where your thinking is on that. Thank you.

So let's again, all of you, the final word now that you're responding to them, and this is also your final intervention for the morning. Let's start with Sippy this time. Sippy, do you want to respond to any of these two questions? You want to say something, your final word for the morning?
Anybody else want to come in? I'm saving Brad for the last.

I can give my answer. I was in China last week, and indeed I relied heavily on Bing, because it's the search engine that worked, and last week at least Bing was still working in China. Let me put it that way. I use it extensively, because Google indeed is blocked in China. But I was quite grateful to Microsoft for having the Bing engine. That's a temporal opt-out: last week it worked.

That's a good answer. I'll keep it for a different... Catherine?

We in Europol, we are not involved in state-sponsored attacks. It's not in our mandate. But when member states, in the first stage of an investigation, ask our support, of course we will help them in the investigation. When we have an indication that it is state-sponsored, we have to go out, because it's not in the mandate of the organization.

So maybe I'll take the attribution point then. So I think it's really important that there's clarity for the insurer and for the insured as to what exposure and what coverage is actually given. It's very different if someone's taken a property insurance cover out and is trying to claim for cyber on that policy, versus if they've taken a cyber insurance policy out and are claiming.

Yeah, first, yes, you know, we're aware of reports and are experiencing ourselves that currently, you know, there are issues for Bing in China. We're not yet certain whether it's, you know, confined to Bing or is something that is broader. There's been a report in the Wall Street Journal about a broad set of websites that are not accessible at the moment in China. It's not the first time that we've encountered issues like this for Bing in China.
These do arise periodically. You know, we do adhere to the Global Network Initiative set of principles when it comes to search services in China, and that does mean that there are days when, you know, there are either difficult negotiations or even disagreements. But we're not aware of any ongoing negotiation or disagreements. So we're working to understand it better.

I do think that the last question is a really good last question, because twice since 2017 the world's governments, at least to some degree, have come together multilaterally to publish attribution decisions, first regarding WannaCry and the second regarding NotPetya. And I think you are so right to then ask: well, what follows attribution? And, you know, clearly, I think if we want to discourage or deter acts which I think the international community would broadly regard as unlawful, then there need to be consequences. It's sort of the essence of part of why Europol exists, even though Europol, as you mentioned, doesn't address this particular area.

WannaCry was interesting, because, you know, that attribution announcement was made at the White House in December of 2017. Tom Bossert, the Homeland Security Advisor, was pushed by journalists that morning: well, what was the US government going to do? And as he put it, well, the US had so many sanctions in place against North Korea, there wasn't much left that it hadn't done. As he said, the cupboard was bare. What he did announce, what we announced together, was that Microsoft, Facebook and another company had acted the week before to dismantle much of the malware capability of the North Korean group that had launched the WannaCry attack. It's the same group that launched the Sony attack.
So that too shows what I think needs to be a very thoughtful and careful approach to appropriate multi-stakeholder action in certain circumstances. With respect to NotPetya or others, you know, I don't think one should expect governments to change what they're doing if there are not consequences. And, yeah, I think it's absolutely right that in the wake of these disinformation campaigns, for example, governments are putting more pressure on tech companies, whether it's informal pressure or even through new laws and regulation. That bar should be raised. But we shouldn't look to the private sector alone to respond to what are effectively military-grade cyber attacks. The private sector has never saved a country from military attacks in the past, and to expect it to do so now, and especially to do so alone, I think is a recipe for disappointment. So, you know, we need new areas of action and real thinking in this space.

We are out of time completely, and I'm not going to try and sum up the session. You've all heard it. Join me in applauding the panel for the intervention this morning. Thank you very much.