Cyber Costs Reframed: The Human Costs of Cyber Insecurity

Ryan Chilcote

The discussions revolved around several key topics related to cybercrime and AI. Firstly, the rising costs of combating cybercrime were a cause for concern. The former president of Estonia expressed worries about the escalating expenses in fighting cybercrime globally and specifically in his country. In Estonia, the budget for combating cybercrime has grown five-fold over the past five years. This highlights the financial strain that governments face in dealing with the ever-evolving nature of cyber threats.

Another area of discussion focused on the use of AI by attackers to create sophisticated, zero-day attacks. Zero-day attacks refer to attacks that have no prior fingerprint, making them difficult to detect and defend against. It was noted that attackers do not need to be cybersecurity experts to utilise AI in their attacks. New attacks using AI are being invented on a daily basis, posing a significant challenge to cybersecurity professionals and organisations.

To address the potential misuse of AI, there was a consensus that regulation is necessary. Notably, AI is considered an uncontrollable technology, and there are ongoing efforts by the UN and governments to find ethical ways to regulate it. The goal is to prevent malicious actors from harnessing AI for nefarious purposes, while still allowing for its beneficial applications.

However, regulating AI is not an easy task due to its fast-changing nature. AI technology evolves rapidly, and as a result, regulations need to be constantly updated to keep pace. There was expressed doubt about whether enough time exists to develop comprehensive AI regulations, as it took the European Union nine years to create GDPR regulations.

The need for international cooperation in addressing cybercrime was emphasised. It was highlighted that 40 countries have agreed not to pay ransom during cyber-attacks, showcasing a concerted effort to refuse ransom payments. This unity in refusing to pay ransoms aims to discourage cybercriminals and reduce their financial incentives.

One of the notable points of discussion was the practical implications and boundaries of banning ransom payments. Ryan Chilcote questioned whether a policy of banning ransom payments would also apply to individuals who are threatened with the release of sensitive personal information. This raised considerations about striking a balance between protecting individuals and preventing further harm caused by ransomware.

In conclusion, the discussions brought attention to the challenges posed by cybercrime, the use of AI in sophisticated attacks, the need for regulation to prevent AI misuse, the difficulties in regulating a fast-changing technology, and the importance of international cooperation to counter cyber threats. The rising costs of combating cybercrime were seen as a pressing concern, while the practical implications of banning ransom payments highlighted the complexities of finding effective solutions. The analysis shed light on the ongoing efforts to tackle cybercrime within the framework of peace, justice, and strong institutions.

Mohammad Abdulaziz Boarki

The analysis reveals that the healthcare sector, emerging technologies, and oil sectors are highly susceptible to high asset cyber attacks. The healthcare sector has become a prime target for ransomware attacks, disrupting surgeries and compromising patient data. Similarly, emerging technologies, such as IoT systems, are connected to wide networks, making them attractive targets for cyber attacks. Additionally, systems holding sensitive or valuable information, including government entities, are frequently targeted.

Countries with poor infrastructure face significant challenges in protecting their cyber space due to budgetary constraints and lack of resources. A global effort is needed to protect these countries from cyber threats. Awareness training and capability building in cyber space are crucial in enhancing cybersecurity. Adequate budgetary allocations are necessary to combat cybercrime and protect institutions and citizens. Cybersecurity is now one of the top three priorities for any country, and countries need to invest more in cybersecurity.

Regulating artificial intelligence (AI) is complex due to its fast-changing nature. However, it is important to establish and adapt regulations to ensure ethical and safe use of AI. The decision to pay ransomware depends on the value and impact of the stolen data, and each country has the right to make decisions based on national interest.

In conclusion, this analysis highlights the vulnerability of various sectors and systems to high asset cyber attacks. The importance of global collaboration, awareness training, budgetary allocations, and investments in cybersecurity is emphasized. Adequate regulation of AI and thoughtful decision-making regarding ransomware are crucial in ensuring cybersecurity. By addressing these issues, countries can protect their institutions, citizens, and national interests in the digital landscape.

Dan Cîmpean

Phones, tablets, and laptops are considered the most vulnerable devices to cyber attacks because they are in close proximity to humans. The aggressive digital transformation in recent years has resulted in the installation of numerous applications and tools on these devices, making them prime targets for malicious activities. These devices also contain a significant amount of data and are constantly used, further increasing their susceptibility to cyber threats. Protecting personal devices from such threats is crucial as any negative impacts can have serious consequences on productivity, finances, and daily activities. The healthcare sector is another area particularly vulnerable to cyber attacks. The consequences of such attacks can have a direct and harmful impact on human lives. There have been documented cases, such as a hospital in Germany being subjected to a ransomware attack, which resulted in a patient’s death. The potential disruption caused by cyber attacks on healthcare systems can render hospitals unable to handle patient cases, leading to tragic outcomes. Consequently, there is a need for greater investment and focus on improving the cybersecurity of healthcare systems. The healthcare sector, being relatively less mature from a cybersecurity perspective, requires increased financial resources to ensure the safety and well-being of patients and medical professionals. It is recommended that the cybersecurity of healthcare systems should be given priority by national competent authorities. Privacy protection, especially among young people, presents a significant challenge. While young people are often proficient in using digital technologies, they tend to overlook the regulatory landscape. However, it is noteworthy that young people also play a vital role in knowledge transfer to older generations when it comes to online safety. They are often the ones teaching their parents and grandparents how to behave safely online, as they possess more experience and understanding of digital technologies. Consequently, there is a call to invest more in educating young people about cybersecurity, given their proficiency and their potential to bring about a paradigm shift in the dissemination of digital knowledge. Regulatory measures are crucial in combatting cybercrime; however, the ever-evolving nature of technology poses a constant challenge in enforcing effective measures. Cyber criminals exploit the vulnerabilities of technology, causing harm that is often difficult to prevent and mitigate. It is recognized that the education and resilience of regular internet users play a significant role in reducing cybercrime. With millions of users directly or indirectly needing protection, their behavior on the internet, as well as the resilience of critical infrastructures, become crucial factors in preventing cyber attacks. In order to achieve this, there is a need to improve the education of internet users and enhance their ability to respond effectively to potential threats. Dealing with the ransomware phenomenon is an intricate issue that presents complex problems with no clear or effective solution at present. There are debates surrounding whether paying ransoms to cyber criminals should be prohibited or encouraged. It is acknowledged that paying ransoms can perpetuate the cybercrime economy; however, finding alternative solutions to tackle ransomware remains a challenge. There are difficulties in cascading down decisions of not paying ransomware at an individual or organizational level, highlighting the complexities of addressing this issue. In conclusion, protecting personal devices from cyber threats and ensuring the cybersecurity of critical sectors like healthcare is of paramount importance. Education and awareness, particularly among young people, play a crucial role in combating cybercrime. Regulatory measures need to be continually updated and enforced to keep up with the ever-evolving nature of technology. Additionally, efforts to deter cybercrime include the banning of ransomware payments to discourage the growth of the cybercrime economy. Overall, a comprehensive approach that combines investment, education, regulation, and cooperation is essential for effectively addressing the challenges posed by cyber threats and protecting individuals, organizations, and society as a whole.

Dr. Ahmed Abdel Hafez

Cyber attacks have both direct and indirect impacts on humans, affecting both individuals and digital services. Individual loss of control over data, such as banking credentials and social engineering details, can greatly affect individuals. Furthermore, cyber attacks on digital services like healthcare, intelligent transportation systems, and other emerging service systems that are being digitised can have direct or indirect impacts on human beings.

The psychological impact of cyber attacks and digital dependency is becoming prevalent. The fear of losing a mobile phone, known as “nomophobia,” is a psychological issue that is on the rise. In addition, issues such as cyber bullying cause harm to people, particularly vulnerable individuals like young girls.

The increasing dependency on mobile phones is a concern as well. People’s lives are now heavily reliant on their phones, which contain their bank details, personal information, and social accounts. Even the loss of battery life in a phone can cause stress in individuals.

Awareness plays a crucial role in combating cybercrime. Dr Hafez suggests that teaching people how to handle digital transformation safely is crucial and can reduce cyber attacks by 80 to 90 percent. This highlights the importance of educating individuals about cybersecurity risks and best practices.

Strict regulations and laws are necessary to control cybercrime. Dr Hafez believes in implementing strict rules and regulations that should be followed by individuals and government officials. In Egypt, for example, anti-cybercrime laws and data privacy laws have been enacted.

A Child Online Protection strategy is essential to help children access the internet safely, especially considering that 40% of the population in Egypt is under 18. This underscores the need to protect vulnerable individuals from the potential harms of the internet.

The role of artificial intelligence (AI) in cyber attacks is significant. AI can be used to invent new sophisticated attacks, including zero-day attacks, which complicates the task for cybersecurity professionals. Additionally, the scope of potential attackers has expanded with AI, as individuals do not need to be cybersecurity experts to use it.

The ethical use and control of AI are important considerations. Currently, AI is seen as an uncontrollable technology, leading governments and organizations like the United Nations to work on managing its use in an ethical manner.

Ransomware attacks pose a significant issue, with losses reaching three trillion US dollars last year. Nations’ efforts to control ransomware have become crucial in mitigating the impact of these attacks.

Data has become the most important asset in the global economy, on par with oil. As such, responsible data management and protection are essential for economic sustainability.

Strong data backup control measures and international collaboration are necessary to effectively combat cybercrime. Dr Hafez emphasizes the importance of a three-to-one backup for data assets to prevent ransomware attacks. Furthermore, increased collaboration among nations is necessary since cybersecurity is a cross-border activity that requires cooperation and collaboration.

Overall, cyber attacks and their various impacts on human beings are significant considerations in today’s digital world. From the direct impact on individuals to the societal implications of digital dependency, it is crucial to address these issues through awareness, regulation, protection strategies, and international collaboration.

Ryan Chilcote:
Chairman of the Executive Beirut Egyptian Supreme Cybersecurity Council Dan Campin, Director, National Cybersecurity Directorate, Romania Major General Retired, Engineer, Mohamed Abdelaziz Bouarki Chief, National Cybersecurity Center, NCSC, Kuwait Ryan Chilcots, Moderator, Master of Ceremonies, former Bloomberg, CNN, CBS, PBS, and Fox News It’s so nice to see so many of you are still here. We must be doing something right at the Global Cybersecurity Forum. This panel, as you’ve probably seen in your programs, is called Cyber Cost Reframe. And the idea is we’re used to measuring financial losses, economic losses, when it comes to cyber activity, cyber disruption, cyber attack, cyber crime. Less used and perhaps less skilled at talking about the direct human harm that can come from cyber disruption. So that’s what we’re going to do just now with my three esteemed panelists who were just introduced, so we won’t have to go through that again. Thank you so much for joining us. I like this topic because we can really take it where we want to. But we need to kind of nail some things down before we get into it. So Dan, let me do that with you. Let’s start with where the harm can be done. In other words, what cyber-related systems are most vulnerable to malicious cyber activity when it comes to causing us humans?

Dan Cîmpean:
Thank you. Thank you so much, Ryan, for the question. Most intuitively are the devices, the systems that are the closest to our own person. The phones. Phones and tablets and laptops and so on. Simply because we saw it in the last years, thanks to the very aggressive digital transformation, we installed plenty of applications, plenty of tools. We have plenty of data on devices that are really, literally on our person. And they are the ones that influence and impact our daily life, our relations, our communication, our work, actually. So everything that impacts a device that I’m using on a daily basis, definitely it harms me in a variety of ways. Whether I lose productivity or I lose money or I lose time or I get impacted in a negative manner in the way I do my work and my activity.

Ryan Chilcote:
Thank you very much. Dr. Ahmed Abdel-Hafiz, I’m trying to figure out, Your Excellency, if Dan’s point just now was kind of obvious and simple as a result of being obvious or actually a bit profound. So if you could weigh in on that. And also, let’s zoom out. Okay, phone. I think we all understand that our phone and losing control of the data on our phone can cause us trouble. If we zoom out, what kind of macro problems can we run into? Yeah.

Dr. Ahmed Abdel Hafez:
I would like first to thank Saudi Arabia for inviting me for this great event. Thank you very much for the hospitality and for the great event. First of all, let us talk about if you are talking about any digital transformation or any kind of to help the property of the human being or well-being for the human. So any cyber attack will harm the human being, if it is direct or indirect. So coming up with my friend Dan saying about the phones, there is a psychological disease right now called nomophobia. No mobile phone phobia. Yes. So the fear of losing your mobile phone. Since whole life on your phone. A bank account, your credential, your social engineering, your WhatsApp, everything is on your phone. So if you lost your phone, even if you lost the battery of your phone, you are feeling you are always shaking the life of your phone if it is going to lose the battery or not. So there is a lot of activities. If cyber attack will harm this, will have a direct impact on the human being which is indirect or indirect like healthcare property, like ITS, intelligent transportation system, which will be digital transformation. Emerging service systems which will be digitized. All these services will be digitized. So will be affected with cyber attack, will have an impact or direct or indirect on the human being and the well-being of the human. So everything, every cyber attack, whatever it has a direct impact on the human or not a direct impact, will have a bad impact on the human being about his well-being, about his life. Even in the societal environment itself, for the cyber bullying, cyber bullying in the social engineering, using, abusing of the small girls or something like that. All these activities will be harmed with the human activities. Thank you very much. And that term again was no phone? No mobile phone phobia. It’s called a nomophobia, no mobile phone phobia. Yeah. I think there might be some people in the audience suffering from that right now. It’s a disease for the psychologist known eight years ago. It’s not a new disease here.

Ryan Chilcote:
Thank you very much, Your Excellency. Engineer Borki, we also just heard about health care. So if we, is health care a big concern when it comes to human harm?

Mohammad Abdulaziz Boarki:
First of all, salam alaikum wa rahmatullah wa barakatuh. Thank you for Saudi Arabia for having us here. And I have to greet Saudi Arabia for having the World Cup hosting for the next few years. Second of all, for answering your question, as you said, it’s a wide answer question. Health care has become the last few years one of the highest assets for ransomware attacks as well as financial sectors. Health care is close to financial? Let’s say health care was the first statistically, the first high asset was targeted by ransomware attackers. Because it makes money and money is everything. And because they encrypt data for patients, which cause disruption for executing surgeries around hospitals. That’s why it becomes a high target. Now, statistically, also financial sectors has become one of the highest assets. Money has been always, is the highest asset for everything. And if we want to go also wider with that, any high asset information which lays in a system, it becomes a high asset. For example, smartphone. Your smartphone, if it doesn’t have any sensitive information or bank information, it won’t be a harm if you’ve been attacked. But what lays inside actually the system, whether it’s a smart system or IoT, Internet of Things system, which is attached to the big wide network, it becomes a high asset. Various and as emerging technology becoming very fast evolving and very fast changing, also the high asset for attacks become changing by the time and by how important actually this smart or system is important. So, for example, also as Dr. Hafez said, military system has been always a high asset. Health care system and I can add on also oil sectors has become also one of the highest assets. So, you cannot just define whether this is a high asset this year or next year. So, it becomes a high asset when it becomes a target. So, you will not be targeted unless you are an important entity or a system or a high target for as a governmental, let’s say, target.

Ryan Chilcote:
Thank you. Thank you. Dan, can you give us an example of an attack on a health care system or a part of a health care system that caused direct human harm?

Dan Cîmpean:
Absolutely. As we all may know, about three years ago in September 2020, I think it was the first ever documented unfortunate human death due to a ransomware attack. It happened in Germany, in Dusseldorf, where due to a ransomware attack on a hospital, actually one patient was impossible to be treated by the doctors and had to be moved from one hospital to another. And actually the root cause of the death of that patient unfortunately was assessed, was ruled out as being that particular ransomware attack. And let’s just imagine that one hospital that is treating 1,000 patients every single day due to a cyber attack is not able to handle 1,000 patients a day, but, I don’t know, 100 or 200. So, the risk is gigantic. And honestly, no manager of the hospital, no authority can afford such risk. And we as regular users, we should be aware that any disruption in this sector can produce a tragic impact on our lives. And how well are we prepared to deal with those kind of attacks right now? I’m choosing carefully my words now. Unfortunately, I think there are plenty of challenges and risks over there. The healthcare sector systematically in many, many countries is not the most mature one from a cybersecurity perspective. And it’s simply because there is a proliferation of very specialized technologies for healthcare. It’s also a proliferation of digital technologies that support the infrastructure of hospitals. And thanks to this, it’s very difficult and very complex to have a very, let’s say, good security baseline for the sector as a whole. It’s also one of the sectors that needs very, very high investment. Because lives could be impacted, because patients are at risk in case something goes wrong. And I truly believe that it’s one of the sectors that should be systematically on the top of the agenda of the national cybersecurity competent authorities in terms of focus and investment.

Ryan Chilcote:
Yeah. Okay, so we’ve talked a little bit about the so-called attack surface, where these attacks can happen. Your Excellency, Dr. Hafez, if you could talk a little bit about, you know, how one measures the impact of these things, if it’s not financial, if there isn’t a… How do you… Because governments are good at dealing with problems that they can measure. And money is easy to measure. But what about, like, what we’ve just been talking about?

Dr. Ahmed Abdel Hafez:
Are you talking about the role of the government to understand the cybercrime will impact as a human being? I’m always saying, awareness is a very important issue. All the governments will take care about it. To raise the awareness of the human being, how to deal with the digital transformation in a safe manner. So all governments all over the world are moving right now for the digital transformation. To make the life of the people very easy or something like that. But in the other way, you should learn with them how to deal with digital transformation in a safe manner. By awareness, by regulations, by laws. So if the people know how to deal with the digital transformation, with the digital life, for all life, even if it’s financially, or the healthcare, or transportation, and every service in a safe manner, will reduce cyberattacks at least from 80 to 90 percent. For that, to protect themselves from being attacked, even personally. Or if this person is an employee of any organization, of any government, if he’s going to be attacked officially, his official credential, for example, his official email, if this has been attacked, the whole organization will be attacked. The mail server of the whole organization will be attacked. So awareness is the most important thing to help the people to deal with the digital transformation in a safe manner. Second one, to put very strict regulations and rules to be followed by the people and the officials in the government. So if you are talking about the human being, a normal human being, like children, like the women, like the elderly, or the disabilities, you have to learn with them how to deal with the digital transformation. For example, in Egypt, we are a big country of about 40 percent of the population under 18, which is by law considered as children. So right now we are making child online protection strategy to help the children to get benefit from using the internet, but in a safe manner. So using regulations to help the people to know their rights. The other thing is the law. We have many laws in Egypt right now, anti-cyber criminal laws, for the data privacy law. So if we are issuing this law, but the people didn’t know about this law, they didn’t know that this activity may be criminalized, or they didn’t know how to get that rights if it had been attacked by something else. So as I said, the most critical three activities in any nation should do to withstand these cyber attacks, which will be harmed directly for the human being, the awareness, regulation, and the laws.

Ryan Chilcote:
Thank you very much. Engineer Borki, we heard there from His Excellency about how so much of the population in Egypt is under the age of 18. You can’t talk about young people without talking about privacy, young people sharing, for example, images of themselves amongst themselves. It’s quite common now, and then those can get in the wrong hands. How big of a problem is that, and how do you deal with it?

Mohammad Abdulaziz Boarki:
I want to elaborate on my colleagues’ feedbacks. It’s a great impact. It’s a scary impact. One of the challenges now is not about having technical and regulation publications. It could be about budgetary. People or country doesn’t have enough budget or the right budget actually to execute publication and regulation for sizing and measuring cyber impacts. If you can measure it, you can’t manage it. So, the great impacts about any country individually or collectively, so it has to be a collective approach and a collective collaboration. And I believe, I suggest, I mean, since we have now a global medical organization for any coming up pandemics, which they can help poor countries for not having medical. Now, there is poor countries which they have poor infrastructure, and they don’t have the capabilities actually for protecting their cyber space. So, why not having now a global effort which helps other countries to protect, because this is a via versa. For example, now, if I am a country A, which have a good high capabilities in cyber, and a next neighbor country has a weakness in cyber, it could be a threat for me. So, now, helping the whole surrounding countries which having a great, let’s say, plan or executive plan for cyber is a must. And the impact is devastating, and it could be costing million of dollars by not having the right strategy or clear objectives. And the clear pillars, as my colleague says, awareness training and building capabilities in cyber.

Ryan Chilcote:
And just because you mentioned the word budget there for a moment, we heard during the plenary session the former president of Estonia talking about how… she’s concerned about the spiraling costs of dealing from a governmental perspective. Not exactly our topic here, but you both are all coming from governments dealing with this issue. She mentioned that the budget of Estonia for combating cybercrime has grown five-fold over the last five years. Of course, Estonia has a neighbor that part of the reason why that budget has been going up. But how do you, is that an issue? That attracting the necessary resources to deal with cybercrime in your country and in general for countries right now?

Mohammad Abdulaziz Boarki:
It is an issue. I mean, if you don’t believe that cyber could be devastating, and now it’s the fourth domain in the world, we have physical domains, for example, land, sea, and maritime domains. Now we have a cyberspace domain, and it’s nothing less than those three physical domains and borders. So now, if you believe now that cyber could take you to a nightmare for any countries, now you will set up the right budgetary. But things, now I’m speaking about many challenges now. It’s some countries, and they don’t believe now cyber is a threat.

Ryan Chilcote:
You wanna name names?

Mohammad Abdulaziz Boarki:
Until they have been hit.

Ryan Chilcote:
You wanna name the countries right now?

Mohammad Abdulaziz Boarki:
Many countries. So, I mean, if you believe that cyber could be power, and cyber could be a threat, it’s the way, how can you deal with it? And if I wanna quote from His Excellency Adel Al-Jubeir, he mentioned a very important quote, that now any country pillars, now the top three, I think cyber could be the top three, or it is the top three priorities for any countries. It could hit your economy, it could hit your society, and it could hit your financial system. So this is something we need to actually invest on, and we need to take it in consideration.

Ryan Chilcote:
Thank you. Dan, if I could bring it back, when we think about the attack surface, and we’re gonna move on from this and talk about collaboration in a moment, the issue of privacy and protecting your privacy, which we just started to kind of move into, particularly amongst young people, how big of a problem is it? And how do you deal with that?

Dan Cîmpean:
I think it’s a big challenge, honestly. And one of the root causes of being such a big challenge is that, especially the young generation, it’s by far better and more proficient than we were in using technologies. And something that we tend to forget is that they get their knowledge and their good practices from each other in the very first place. They tend to not look too seriously at regulatory landscape. Kids and young people, they don’t really read cybersecurity-related laws, and they get good practices in the way they find it more appealing and receiving it from each other. So we have to address, actually, this challenge, and also not to forget that, simply because they are more experienced in using digital technologies than older generations, we have a shift in the paradigm. So now kids and youngsters are teaching their parents and grandparents on how to behave safely, how to protect privacy, how to protect their data on the internet. So it’s something that we should look very, very careful at and, honestly, invest a bit more in the knowledge of this young generation to get them to help all of us to get more resilient and more secure in cyberspace.

Ryan Chilcote:
Your Excellency, how does, we were talking about this over the last day and a half, emerging, our favorite emerging technology, AI, how does that complicate threats when it comes to human harm?

Dr. Ahmed Abdel Hafez:
Well, as we, as cybersecurity guys, got benefit from using AI, the attacker as well got benefit from using AI to invent a new attack, a zero-day attack, which will be sophisticated, which will be very complicated to deal with. So AI, it has both sides, it’s a good and a bad one. For the good one, the cybersecurity guys, we’re using, for example, if you have a very big data or a very big incident, we need to analyze, we need to, using AI will help us to accelerate that process. But on the other side, as I said, even if you don’t, a cybersecurity expert, if you’re just a human, a normal one, knowing a little bit about AI, using the very well-known, the track share GPT right now, you ask them to make a new attack, they’re gonna do that for you. So AI, it’s uncontrollable technology until now, since all the government right now, all the United Nations right now, are looking for how to control or to manage using ethically AI, in an ethical manner. Even in educational service, any student right now can write his report using AI. So AI help the attacker very well to invent a new attack, a sophisticated one. So as a security guys, we are suffering right now from a zero-day attack. Zero-day attack, it means that an attack with no fingerprint, for example. So using a new one, so we need to deal with the new attacks every second. Every day right now, there’s a new attack using AI. So the span of the attacker has been increased using AI. As I said, you don’t have to be an expert for the cybersecurity to be an attacker. But since it gives a lot of money, so a lot of people right now using AI gonna be attacker. So it will be sophisticated, it will be harder for us to withstand this activity using AI.

Ryan Chilcote:
Thank you, Your Excellency. Engineer Borky, they just had an AI summit in London, which heard the word 50 times in the last several sentences. How do you regulate moving to the solution at the end of this conversation? How do you regulate AI so that you don’t have these kind of problems? I think I’ll rephrase your question. Can we actually regulate AI?

Mohammad Abdulaziz Boarki:
This is the main question. I don’t think it’s something constant. AI is fast changing also, and it could be also a powerful protection, and it could be a weakness and a threat. It depends the way you use it. So regulating AI is not something I believe, it’s not an easy job. It should be constantly changing your publication and policies to keep up with fast and changing technology. AI has been approved both ways, have been approved positive approaches and have been approved negative approaches. AI has been one of the ways of attacking system by the attackers, also as well as it has become a good solution in medical sector, for example, for helping surgeries and around the world by using the 5G connectivities. So AI, it’s a big topic. AI, it’s a deep thought. AI is not something we can, I believe, it’s not an easy job to regulate.

Ryan Chilcote:
Yeah. Okay. That’s a bit worrisome. This is my thought. Thank you. Dan, okay, so if we can’t, I mean, because we were listening to Jose Barroso, the former president of the European Commission, the other day talk about how it took the European Union nine years to come up with GDPR. That was a good thing because they got scale and we all use it now. It’s sort of like the global standard, but AI, I don’t know, maybe it’s another beast and we probably don’t have nine years. So what can, what should a nation do to control this problem of cyber crimes causing harm to people?

Dan Cîmpean:
I think obviously in the very first place, we should have very good regulatory measures, which is something extremely difficult to put in place. For a very simple reason, technology will be always one step ahead of regulatory environment. So first technology will come, cyber crime, for example, will use and exploit the vulnerabilities of those technologies and will do harm. And then national competent authorities at the level of one country or group of states, they will have to come with some measures. That’s one big challenge. It’s not very easy to align those measures because if one country is very resilient, very strong in terms of regulatory measures and others are less mature, basically we don’t fix the issue. Then we have to really, really invest a lot in educating the user. And just to give a simple example, we have to protect millions of users, honestly, either directly in the way they act when they behave on the internet, in cyberspace, or indirectly through the critical infrastructures that need to be resilient, available, and so on. So we have to really work on those dimensions. Regulatory measures, on one hand, and this is not easy to put in place, especially when it comes to, for example, the ransomware phenomenon, the always debatable issue of do we want to ban payment for ransom or not? How should we tackle this? And no one has a magic solution up to this moment. Up to the moment of how to increase education and resilience of regular users that if we put them together, they become a gigantic attack surface that can be exploited by malicious actors. So what I truly believe is that we have a very, very, very serious challenge ahead of us and we have to focus really systematically on this.

Ryan Chilcote:
Let me pick up on the ransomware idea real quickly with you for a second, because just, I guess, last week, 40 countries came together to agree that they would not pay ransomware on a tax. Now, my assumption was that they were talking about on a national level. So if the United States gets attacked and someone tries to extract a ransom from the US, I don’t know if the US was a signatory to that agreement, then the US wouldn’t pay it, just like the other countries, and so they’re coming together to try and, you just mentioned basically banning people from paying ransom. So for example, if someone sends you an email and they say, Ryan, we have some really sensitive information about you and we’re gonna share it with the world, you’re saying that you would ban me from paying those people to get my information back?

Dan Cîmpean:
The difficult challenge is how to cascade down decision that is taken at the national level. For example, my country doesn’t pay ransomware. Yeah, that I kind of get. To cascade it down to private actors, to industry organizations, and ideally cascade it down to the level of users. But how to create this mechanism, how to enforce it, that’s very, very complicated, because at the end of the day, users are autonomous, they behave in their own way, and it’s extremely difficult to enforce it, actually. My personal opinion is that we should attempt to ban ransomware payment across the board, simply because by paying a ransom, actually we encourage the phenomenon. We finance the cybercrime, actually.

Ryan Chilcote:
I wanna come over to your excellency in a moment, but real quickly, and Engineer Borki, I saw you shaking your head. Should countries ban their citizens from paying ransomware?

Mohammad Abdulaziz Boarki:
I don’t think there is a correct answer here. It depends on how valuable are, for example, the attack. My information is very valuable. My private information. You answered, actually, the question, is how valuable, actually, the attacker has taken in national-wide or individual-wide. So, for example, now, if someone stole your data, and the only data that you have is in your smartphone, and you don’t have a backup for it, would you negotiate? If it was cheap to get it back, maybe, yeah. If there is a way, and you can get it back in a cheap way, of course you’re gonna, because this is your life and your smartphone. Let’s talk, let’s take it to the next level. Now, if this information or whatsoever that the attacker has been taken and encrypt those data, and those data can cause a national threat or a disruption of services in this country, do you think we cannot negotiate? So, I mean, it depends. I don’t think this is something that it could be a one solution in each country, but each country has the right to deal with it how they see it, and I believe if it’s for the national interest, I don’t think there is a problem to negotiate.

Ryan Chilcote:
Your Excellency, Dr. Hafez, I’m gonna give you.

Dr. Ahmed Abdel Hafez:
Let me add something to my process. The issue of the nations trying to control the ransomware, the losses for ransomware attacks has been increased in the last year, three trillions of US dollars. So, we are trying globally to control the ransomware, but as His Excellency said, if any organization didn’t follow the controls of making three to one backup for their assets, so the data right now, it become the most important assets. It’s gonna be the oil of the world right now. The data will be the oil of the global right now. So, if any organization didn’t control or make a backup for their data, as a punishment, they should pay the ransomware. They would pay the money to get their data back.

Ryan Chilcote:
I’m gonna give you the last word. Sure. Are you satisfied with international collaboration to combat the cybercrime that can lead to human harm or just in general, cybercrime? Are you satisfied with the international collaboration we have now? And if you’re not, because this is GCF and we’re all about having a shared action plan and tangible results, give us one thing nations can do to collaborate better.

Dr. Ahmed Abdel Hafez:
If you’re asking me, I am satisfied. No, I am not satisfied about. I’m almost prefer a word, collaboration rather than cooperation. Yeah. In Arabic word, collaboration means ta’adud, cooperation means ta’awni. Ta’awni means to be shoulder by shoulder for to be with a nation, yeah. Collaboration between nation will help all of us to overcome the cyber attack with keeping the dignity or the classified data for the nation. So, cooperation or collaboration doesn’t mean to reveal your classified data between nations, yeah. But we should collaborate even regionally in the Arabic world, the Middle East world and international. Right now, there’s a lot, many efforts for the whole nation to collaborate, to come up with the anti-criminal law. Regional, it’s international law. But it’s very difficult. Each region has its mindset about the data protection, data privacy, human rights. You know, this is a very conflict, yeah. But if we didn’t collaborate, the attacker will be succeed. You know what? We, all over the world, the spending of, for cyber security in a billion. But the losses in trillions. So, we need to change our philosophy for dealing for cyber security. And one most important thing of them is a collaboration. Since cyber security is a cross-border activity, you didn’t control. You have to collaborate with all government to get agree upon certain controls, a certain framework, a certain laws about anti-criminals. So, I’m not satisfied. We still have more efforts for collaboration.

Ryan Chilcote:
Dr. Achmed Abdel-Hafiz, thank you so much. Dan Simpion, and Engineer Borki, your excellencies. Thank you very much for this conversation. We’re out of time, but I learned a lot, and I hope you did as well. Please join me in giving a big round of applause for our esteemed panelists. Thank you. Thank you guys.