Cutting through Cyber Complexity / DAVOS 2025

22 Jan 2025 10:30h - 11:15h

Session at a Glance

Summary

This panel discussion at the World Economic Forum focused on the complex and rapidly evolving landscape of cybersecurity in the face of emerging technologies and geopolitical instability. Participants, including government ministers and industry leaders, highlighted the increasing challenges posed by artificial intelligence, supply chain vulnerabilities, and talent shortages in cybersecurity.


Ministers from Malaysia and Spain emphasized the importance of legislation and regulation to build trust and secure digital infrastructure. They discussed efforts to implement cybersecurity laws, data protection measures, and collaborative frameworks at national and regional levels. Industry experts stressed the need for a paradigm shift in cybersecurity approaches, advocating for Zero Trust architectures and moving away from traditional perimeter-based security models.


The discussion underscored the critical importance of addressing basic cybersecurity measures before tackling more advanced threats. Panelists noted the challenges of securing increasingly complex and interconnected systems, particularly in industrial and infrastructure sectors. They emphasized the need for better visibility into operational technology environments and the importance of collecting data for effective incident response.


Equity in cybersecurity was addressed, with panelists highlighting the importance of knowledge sharing, accessible platforms for research and development, and the need to empower smaller organizations and emerging economies. The discussion concluded with a call for focusing on fundamental security measures, understanding business requirements, and fostering public-private cooperation without excessive government interference.


Overall, the panel stressed the urgency of adapting cybersecurity strategies to keep pace with technological advancements and geopolitical challenges, while emphasizing the importance of building trust and resilience across all sectors and organizations.


Keypoints

Major discussion points:


– The increasing complexity of the cybersecurity landscape due to factors like AI, geopolitical instability, and supply chain vulnerabilities


– The need for updated regulations, legislation, and governance frameworks to address emerging cyber threats


– The importance of building digital trust and resilience through measures like zero trust architecture


– Challenges around equity and access to cybersecurity knowledge and resources across organizations and countries


– The need to focus on cybersecurity basics and requirements before pursuing more advanced solutions


The overall purpose of the discussion was to examine the current state of global cybersecurity, explore key challenges and emerging threats, and discuss potential solutions and best practices for improving cyber resilience.


The tone of the discussion was largely serious and concerned, given the gravity of cybersecurity threats. However, there were also notes of pragmatism and cautious optimism, particularly when speakers discussed concrete steps being taken to address challenges. The tone became slightly more urgent when discussing the rapid pace of technological change and the need to act quickly.


Speakers

– Katie Drummond: Moderator


– Gobind Singh Deo: Minister of Digital for the Malaysia government


– Hoda Al Khzaimi: Associate Vice Provost for Research Translation and Entrepreneurship at New York University Abu Dhabi


– Robert M. Lee: CEO and Co-Founder of Dragos


– Jay Chaudhry: CEO, Chairman, and Founder of Zscaler


– Oscar López: Minister of Digital Transformation and Civil Service for Spain


Full session report

Cybersecurity in a Complex World: Challenges and Solutions


This panel discussion at the World Economic Forum brought together government ministers and industry leaders to examine the rapidly evolving landscape of cybersecurity in the face of emerging technologies and geopolitical instability. The conversation highlighted critical challenges and explored potential solutions for improving global cyber resilience.


Key Challenges in the Cybersecurity Landscape


The panelists identified several major challenges shaping the current cybersecurity environment:


1. Increasing Complexity: Robert M. Lee, CEO of Dragos, emphasized the growing complexity of digital systems, which creates new vulnerabilities. This complexity is particularly evident in industrial and infrastructure sectors, where the interconnectedness of systems poses significant security risks.


2. Emerging Technologies: Hoda Al Khzaimi, from New York University Abu Dhabi, highlighted how artificial intelligence and other emerging technologies are rapidly changing the cybersecurity landscape. She raised concerns about the normalization of AI unreliability, noting, “We are normalizing the fact of unreliability by saying hallucinations are amazing and poetic and artistic. And at the same time you’re saying you’re drafting a different kind of criteria of reliability I would say and security.”


3. Supply Chain Vulnerabilities: The discussion touched on the increasing risks associated with global supply chains, emphasizing the need for comprehensive security measures that extend beyond individual organizations.


4. AI Impact: The panel referenced a World Economic Forum report indicating that 66% of organizations are concerned about AI’s impact on cybersecurity, highlighting the dual nature of AI as both a potential threat and a tool for defense.


Approaches to Addressing Cybersecurity Challenges


The speakers presented various approaches to tackling these cybersecurity challenges:


1. Legislation and Regulation: Gobind Singh Deo, Malaysia’s Minister of Digital, advocated for aggressive government steps through legislation to build trust and secure digital infrastructure. He detailed Malaysia’s initiatives, including the Cyber Security Act, data protection laws, and the upcoming Data Safety and Trust Commission.


2. International Collaboration: Oscar López, Spain’s Minister of Digital Transformation and Civil Service, stressed the need for collaboration between countries and sectors. He highlighted Spain’s efforts, including a new cybersecurity act and the establishment of the Institute for Cybersecurity. López also provided an example of toy security testing to illustrate the importance of comprehensive security measures.


3. Zero Trust Architecture: Jay Chaudhry, CEO of Zscaler, argued for a paradigm shift in cybersecurity approaches, advocating for Zero Trust architectures. He explained the concept as a switchboard-like system that verifies every connection attempt before granting access.


4. Focus on Basics and Resilience: Several speakers, including Jay Chaudhry and Robert M. Lee, emphasized the importance of addressing basic cybersecurity measures and understanding system requirements before tackling more advanced threats. Lee stressed the need for resilience in cybersecurity strategies, focusing on maintaining critical functions even during attacks.


5. Improved Visibility and Data Collection: Robert M. Lee stressed the need for better visibility into operational technology environments and the importance of collecting data for effective incident response.


6. Cost-Effective Solutions: Jay Chaudhry pointed out that new technologies can often be more cost-effective than older security solutions, encouraging organizations to consider modern approaches.
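The switchboard model from item 3, set beside the perimeter model it replaces, as an added example (not code from the session or from any vendor's product). It compares what a single valid credential can reach under each model; the application names, the four checks and the users are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of applications "inside the castle".
APPLICATIONS = ("billing", "hr-portal", "scada-historian", "wiki")

# Constructed per-user grants: the only applications each identity may reach.
POLICY = {
    "alice": {"billing"},
    "bob": {"wiki", "hr-portal"},
}


@dataclass(frozen=True)
class Request:
    user: str
    credential_valid: bool  # password or token verified
    mfa_passed: bool        # second factor verified
    device_managed: bool    # device posture check
    app: str                # the one application being requested


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def perimeter_reachable(req):
    """Perimeter (VPN-style) model: a valid credential places the caller
    on the network, so every internal application becomes reachable."""
    return set(APPLICATIONS) if req.credential_valid else set()


def broker_decide(req, policy=POLICY):
    """Switchboard model: default deny; every check must pass, and the
    connection is made to the requested application only."""
    checks = (
        ("credential", req.credential_valid),
        ("mfa", req.mfa_passed),
        ("device posture", req.device_managed),
        ("app grant", req.app in policy.get(req.user, set())),
    )
    for name, ok in checks:
        if not ok:
            return Decision(False, f"denied: {name} check failed")
    return Decision(True, f"connected to {req.app} only")


def broker_reachable(user, credential_valid, mfa_passed, device_managed,
                     policy=POLICY):
    """Set of applications this identity and context can reach when every
    connection attempt goes through the broker."""
    reachable = set()
    for app in APPLICATIONS:
        req = Request(user, credential_valid, mfa_passed, device_managed, app)
        if broker_decide(req, policy).allowed:
            reachable.add(app)
    return reachable


def audit_trail(requests, policy=POLICY):
    """One record per attempt, allowed or denied, for later review."""
    return [(r.user, r.app, d.allowed, d.reason)
            for r in requests
            for d in (broker_decide(r, policy),)]


if __name__ == "__main__":
    # Constructed scenario: alice's password is valid, but the request comes
    # without a second factor and from an unmanaged device.
    stolen = Request("alice", True, False, False, "billing")
    print("perimeter:", sorted(perimeter_reachable(stolen)))
    print("broker   :", sorted(broker_reachable("alice", True, False, False)))
    print("decision :", broker_decide(stolen).reason)
    # The same identity with all checks passing reaches its granted app only.
    print("alice ok :", sorted(broker_reachable("alice", True, True, True)))
```
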


Equity and Access in Cybersecurity


Hoda Al Khzaimi highlighted the importance of a multi-layered approach to equity in cybersecurity, encompassing government, organizational, and individual levels. She emphasized the need for knowledge sharing and creating accessible platforms for research and development. The panelists agreed on the importance of empowering smaller organizations and emerging economies with cybersecurity resources and knowledge.


Public-Private Cooperation and Government Role


The discussion emphasized the importance of public-private cooperation in cybersecurity. However, Jay Chaudhry cautioned against excessive government interference, advocating for a balanced approach that leverages private sector expertise while maintaining appropriate regulatory oversight.


Quick Response Capabilities


The panel highlighted the critical need for rapid response capabilities in the face of potential cyber attacks or technical glitches, emphasizing the importance of preparedness and agility in cybersecurity strategies.


Conclusion


The panel discussion underscored the urgency of adapting cybersecurity strategies to keep pace with technological advancements and geopolitical challenges. While there was consensus on the need for action and collaboration, the speakers presented diverse perspectives on the best approaches to building trust and resilience across all sectors and organizations. The conversation highlighted the complex nature of cybersecurity challenges and suggested that a multifaceted approach, considering various perspectives and leveraging both public and private sector strengths, may be necessary to address global cybersecurity issues effectively.


Session Transcript

Katie Drummond: Welcome, everyone. Thank you all for being here. I am delighted to be leading this session, and I will keep my introduction very brief. There is a lot to cover, as we were all just discussing in the speaker’s room. The good news is we have a news peg for this session. A journalist loves a news peg. The WEF’s Global Cybersecurity Outlook Report for 2025 was actually just published last week, so its contents will inform a lot of what we talk about. The bad news, or the challenging news, or the reason that this conversation is so pressing is actually exactly what this report highlights, which is the cyber landscape, as our panelists know very, very well, is becoming increasingly complex. Factors like AI and emerging technology, geopolitical instability, supply chain vulnerability, and talent shortages, all of those things are combining to play a role in making cybersecurity considerations much, much more complicated, much, much harder to disentangle, and exacerbating potentially inequity across the board, which is an important matter for us to discuss. A quick reminder, if you’re watching on the live stream, you can share thoughts on this panel using the hashtag WEF25. If you’re here in the room, we will have plenty of time for questions, so please start thinking about what you would like to ask now. We have a stellar lineup to unravel all of this complexity with us. With that, please join me in welcoming Minister Gobind Singh Deo, Minister of Digital for the Malaysia government, Minister Oscar Lopez, Minister of Digital Transformation and Civil Service for Spain, Hoda Al Khzaimi, Associate Vice Provost for Research Translation and Entrepreneurship at New York University Abu Dhabi. We have Jay Chaudhry, CEO, Chairman, and Founder of Zscaler, and Rob Lee, CEO and Co-Founder of Dragos. Guys, let’s get right into it.
In reading this report from the World Economic Forum last week, one thing that really stood out to me was actually the geopolitical piece to this and the supply chain piece to this. I think, you know, AI and emerging technology is very buzzy. We’re certainly spending a lot of time, as we rightly should, this week at Davos, talking about artificial intelligence. But these other factors that might feel a little bit less scintillating are actually incredibly important in the context of cybersecurity. Ministers, I’d love to start with you. Maybe Gobind, we’ll start with you and then move on. Just to hear a little bit about the idea of geopolitical instability creating greater cybersecurity risk for organizations and governments. How have you seen that evolve and play out? And then specifically to your countries, when we’re talking about Malaysia and we’re talking about Spain, tell us a little bit about the steps that you’re taking to foster digital trust, to really bolster cyber resilience.


Gobind Singh Deo: Thank you very much. I think we have to acknowledge the fact that technology is moving very quickly and there’s a push on part of most governments to ensure that all its people adapt and adopt to what’s new. And subsequently we see an increase in the number of people that are using devices. And this in itself underscores the importance of us looking at how it is we can ensure that the devices that they use are secure and that they are all aware of the risks involved, in particular the cybersecurity risks. So from a country perspective, I think we need to start thinking about how it is we can ensure that we as government are able to take this message out whilst we try and encourage people to use platforms to go digital. We also have to tell them that the platforms that they use are safe. We now have to build that trust in them. It ultimately comes back to stability and trust. If there is trust, then you will see greater levels of adoption. And I think that is what we’re trying to achieve as we go along, not just in our local jurisdictions, but also working with partners regionally and subsequently looking at things from a broader perspective globally. So in Malaysia, we have taken active steps to bring in legislation. So while we speak about policy, while we say that we acknowledge the fact that there’s a need for us to boost cyber security measures, there’s a lot of conversations that are ongoing, there’s a lot of policy discussions as well, but in Malaysia we’ve taken it a step further. What we’ve done is in March last year, we have tabled a cyber security bill in Parliament. It’s now the Cyber Security Act, and that is a bill, legislation that specifically requires the National Critical Information Infrastructure to ensure that they have cyber security measures and standards in place in their agencies, in the organisations, and if they don’t, then there are repercussions for them. 
If there are standards that they are supposed to comply with, and they haven’t, then of course there are consequences that follow. In addition to that, we’ve also looked at how it is we can define what cyber security experts really are, because today the conversation on cyber security is very large, and there are many that claim to be cyber security experts, and I think, fair enough, they probably are. But from a government perspective, I think there’s a need for us to see how it is we can ensure that we set those basic standards, and those standards are met before we can accept or creditise them as being cyber security experts. So that’s at the NCII level. Subsequently we’ve also gone to look at how it is we can bolster laws that strengthen data protection. So in Malaysia we have data protection laws. In July last year we amended these laws to make the system more secure. Now for example we have provisions which require notice to be given when there are breaches, and then of course certain steps that need to be taken, and of course I think that underscores again the emphasis placed by the government on how it is we can ensure that whilst we want to build trust, we want to encourage people to use platforms, we can also say to them that look, there are laws in place that makes certain that the data that you place on these platforms are safe. And of course we’ve also increased penalties, so we want to show that we are also firm in the event that there are data breaches, then action has to be taken. And I think that that’s something that needs to be done if we are to show that we are serious in how it is we deal with cyber security. In December last year, we did something I think a bit novel. We for the first time introduced data sharing legislation.
And with data sharing, I’m sure all of you will appreciate this entire process which there’s a request for data, subsequently how it’s managed, and subsequently if that request is allowed, then there’s a process that has to be followed for the flow of that data sharing mechanism. In that process as well, there was a need for us to look at how it is we can ensure that there’s security. So that legislation also looks at that. So it is important in this context to understand that the government of Malaysia has moved ahead very aggressively, showing that there are conversations, there are policy considerations, but we haven’t stopped there. We’ve gone further. We’ve actually taken steps to legislate. And now, of course, it’s a question of us executing and moving along and trying to build an ecosystem where we can actually build trust. And I think that’s something that is important. Because when we speak about cyber security, particularly in Malaysia, we look at it also from an ASEAN perspective. In Malaysia this year, we chair ASEAN, and we are trying to push ahead with building mechanisms by which we can actually secure cyber security regionally as well. So to me, if we are going to speak about cyber security at a regional level, perhaps even at a global level, we need to first show that we ourselves at local jurisdiction have taken steps to put our house in order. And then from there, we can build on that conversation and ask others to come along. And I think it’s a learning process because we look at countries around us in ASEAN. They too have legislation in place, mechanisms that work. And we actually can learn from them. So ASEAN, as you recall, becomes a very important feature, particularly this year. In that context, I think looking at how these things are developing, and as you said earlier in the question, in your opening, you look at how it is geopolitically, there are concerns globally. 
But I think subsequently this is an area where all of us must think about how it is we can succeed together, because cyber threats are threats that stretch across boundaries. We are going to ask our people and encourage our people to use platforms that don’t just deal with transactions into jurisdiction. It’s something that goes beyond jurisdiction and perhaps will even expand globally. So in this context, I think it’s to our best interest that there’s a conversation about how it is there are problems in different countries, what best practices are being applied in those countries, and for us to look and see how it is we can adopt, and perhaps also use and scale the strategies adopted by the countries in strengthening our ecosystem. But all in all, I think, as I said earlier, it’s important to underscore the fact that the government has taken aggressive steps. We want to build this ecosystem that emphasizes and builds trust in people, and ultimately I think if we can do that and we can show that this is a serious process that has to take place and we’re doing it quickly, then I think you’re going to see people come along with us. And ultimately when they see the strength in what this provides, particularly in this new world of technology and technology that’s emerging, I think those are the first steps that need to be taken, and subsequently we need to scale therefrom.


Katie Drummond: Yes, and really interesting, and sort of to distill and maybe a theme that we’ll come back to as we continue to talk, really it’s regulation, it’s accountability, in service of trust, starting at a local level before sort of broadening your horizons to think globally or even regionally. That’s really, really interesting. Minister López, from your point of view, I would love to get that as well.


Oscar López: Well, actually, as you said before, I mean… I mean, it’s a quite complex question, so it is not easy to answer, and it is impossible to answer it from a national level, so this is an international and transnational level question. As we saw in the report, I mean, if data is everything in the digital era, then cybersecurity is a top priority. So we don’t have all the answers at the national level, but we can do many things. So this is not a question only about geopolitics, as you said, it is also a question about values, about the economy, about companies, about civil society, and even about democracy. You know, democracy has old enemies with new tools. And the most important thing now is the speed, in this digital revolution, is the speed. And cybersecurity is a race, it’s a race between cybercrime, or between those who are using all the branches, and those who have to regulate, who build the system to be safe, to build this digital trust. So it is a race, and it is really, really fast. What are we doing from Spain? Well, we’re working in a European framework, so we follow European rules. As you know, there’s this European Act, NIS2, we are just exposing that in Spain. So just two or three weeks ago, we launched our new act on cybersecurity, so it’s a new act. And just to answer the complexity of the question, in this act, it’s been three ministers working, because it’s all the defence aspects, so it’s the Minister for Defence, it’s everything related to internal affairs, to the police, to cybercrime, and it is also my ministry, because we are talking about… about the new economy, we are talking about the society, about the rights of people, about the data, personal data of people. So we’ve tried to make a holistic point of view in this new act. What do we do? We answer the European question. We put one authority, just to call just one telephone to go to Brussels, from Brussels to Madrid. But this authority is coordinating three authorities. 
It’s coordinating the center from defense, from the Ministry of Defense, the center of the police, I mean, the internal affairs, and also our Institute for Cybersecurity. We have an institute in Spain for cybersecurity. And so that is from the point of view of regulation. Then we are doing huge investments, even from the public sector. Because as I said before, it’s a race. You have to be fast. And you know more than me or the experts.


Katie Drummond: Well, I’m going to be asking about that race next, yeah.


Oscar López: So we are investing a lot. We are investing a lot. We are also investing in skills. And we are boosting the whole culture of cybersecurity between citizens. They have to learn. They have to know how to move in this new reality. So we are investing a lot in infrastructures and also in digital skills. That is through this Institute for Cybersecurity. Just let me tell you, in the last year, only in 2024, they received more than 80,000 calls. Because you can call this Institute for Cybersecurity when you have an attack. Even if you are a company or maybe a private one, you can call this institute. And they are going to attend you. So law, rule of law, infrastructures, we have this agency, investments, skills, but that is at national level. And we have, at least as European, we have the European framework. So it’s really important what we do in a supranational level. And the key word is collaboration. It’s collaboration between private sector, public sector, between countries, between agencies, between technologies. The key word is collaboration.


Katie Drummond: Certainly, and to talk about sort of regulation, accountability, the rule of law, even collaboration, all rubbing up against the reality, which is that emerging technology, I mean, AI being sort of the giant elephant taking up the entire room here, is changing the cybersecurity landscape so quickly. And I wanna sort of really bring us to that. Now, the World Economic Forum report itself noted that 66% of organizations are concerned about AI’s impact on cybersecurity this year. A much smaller percentage of those organizations, I would gather, actually feel completely prepared to grapple with what that new technology is bringing with it in terms of threat. So Hoda, I would love to move to you. I know you have a lot to say and sort of a lot of insight into AI and emerging technology more broadly. I’d love to hear sort of what really stands out to you in terms of challenges to start and sort of how do we even redefine, how do organizations and governments even start to sort of think about cyber resilience in this moment where technology is moving so quickly that it feels like you snap your fingers and all of a sudden the conversation you’re having about regulation is two years outdated. Talk us through that a little bit and then we’ll move on to Jay and to Rob.


Hoda Al Khzaimi: Amazing question. I think, Kate, getting into this is not easy because we are unlayering a complexity network as Minister Singh Deo and as well Minister Lopez highlighted. It’s not just in the essence of investment and the infrastructure or regulation or as well in the skill set, but you are in a race of mindsets fragmentation. You do have a mindset of someone who has taken advantage of the system and who knows the economics of the system, and that is the attackers behind the space who have agility, who have access to information, who have as well access to opportunity in order to build the platforms and increase the threat level of attacks, while the agility structure and the lean structure of countering those attacks is not still perfectly, I would say, structured, because you still have to draft the regulation. We always say this in the field, right? You can launch a cybersecurity attack in seconds and then take down infrastructure that would worth maybe 100 billions, and we’ve seen this in the supply chain, Colonial Pipeline attack, which caused a massive disruption for the oil and gas industry in the US and then caused a massive subsequent spillover effect all over other as well sectors. It took seconds to have this level of attacks, but it takes maybe years to draft this kind of alignment between different, I would say, private sector and public sector organization in order to get into an act. So we need to really have maybe a different regulation structure that is a bit fast and agile in order to counter this, a different as well urgency structure. If you look at the – you talked about vulnerabilities in supply chain, right? It’s not just the vulnerabilities that exist on supply chain. It’s the intertwined effect, the geopolitical tension that would lead to maybe de-acceleration of developing technologies.
We’re talking about developing hardware and software that is going to build a higher level of reliance for AI, for example, maybe quantum into different kind of zones. But because of this kind of chip act that was drafted, we don’t have that kind of acceleration in developing hardware across different regions. It’s only specific regions right now who have maybe access to the sovereign and infrastructure to develop hardware will be able to join in this race. So we are in the pull and tug of different economic incentives on the play, on the ground. You’re asking me about AI and the maturity of AI in the current field. At the moment AI is heavily being incentivized by the growth, the economic commercial growth of specific organizations who are developing the algorithmic tools. And they are providing them to the public. Are they providing a perfect solution that are safe and secure and that also leads to a perfect status of trust as the Minister Singh Deo just highlighted? I don’t think so, because you are placing a technology in the hands of the public that is 30% reliable. We are normalizing the fact of unreliability by saying hallucinations are amazing and poetic and artistic. And at the same time you’re saying you’re drafting a different kind of criteria of reliability I would say and security. You’re saying, okay, there is bias in the software, but maybe it’s okay to have bias. And we’re trying also behind the scene to encourage the academic community who is providing for those algorithms to be responsible and to make sure that these algorithms, when you develop them, the DNA of the development would remove the bias. And there is like a movement that is happening out there. But this movement is not driven by the commercial arm that is fastly accelerating the progress. This movement is driven by the research, which is slowly being developed for this kind of industry.
So there is this level of tension in between acceleration of what is good for the purpose of the collectives and what is as well not idealistic for the purpose as well of the collectives. If we’re talking about regulations, for example, we have different level of regulations. The one that were developed by the European Union, for example, the risk-oriented amazing development of those regulation structures, but still the attribution structures are not very clear. So I still can’t get away with having, you know, attacks driven by AI platforms in different regions because the attribution mechanism is not being placed into the system. And the fact that sometimes you care about risk while you don’t value risk versus the principles, versus the values of the societies that exist, versus protecting the rights of privacy, for example, the rights not to be analyzed, the rights to be forgotten. We can draft them in the regulation, but it doesn’t mean anything if the technology is not catching up. You don’t have an algorithm today that can have the capability of erasing your footprint of the internet. So we live in a poetic defragmented effort world because, you know, driven by different incentives, the private sector incentives are great, but they’re developing for fast access to market, first entry advantage into this industry that would give them access to future economic, I would say, advantages, not necessarily by building perfect responsible technology at the hands of the public. The government is interested in building their sovereign, I would say, at the moment status of cybersecurity posture, which is totally understandable given the fact that you don’t have control. You don’t have control over what is the mindset of attacker. We tend to respond with a sense of urgency when there is a war, but we are not responding with the same level of urgency when there is an attack against an infrastructure that can trickle down to multiple countries.
We’ve seen the NATO attack, for example, on SolarWinds, which led to 18,000, I think, participants disruption. And that disruption, I think the mapping of the losses that happened is around 10 billion euros. I mean, it’s just in a fractional sector that you can have this risk. And I think if you live in a world where the attack advantage is being reported to be from three to 10 trillion USD, that’s a GDP of a country, right? That’s a GDP of Germany or other countries. We should take digital space threats as critically important as physical space risk.


Katie Drummond: Yes, that certainly makes sense. And now, Jay and Rob, let me turn it to you. Sort of a similar question, just piggybacking off this idea of emerging technology and how it’s really changing the landscape. I mean, are traditional approaches to handling all of this complexity to addressing cyber threats still effective? I mean, what has changed? What has caught up? What still needs to change for us really to be able to get ahead of where emerging technologies are taking cybersecurity? Jay, let’s start with you.


Jay Chaudhry: Yes, I was asked to present to the board of directors of a large bank. And one of the questions the board member asked me was the following. She said, Jay, you’re sitting in Silicon Valley running one of the largest cloud security companies. And you work with Fortune 500 companies who have lots of big budgets, access to technology and expertise. And still I see that lots of them are getting breached.


Katie Drummond: Right.


Jay Chaudhry: If that’s happening to them, what hope do I have?


Katie Drummond: It’s a very sad question.


Jay Chaudhry: Took me 20 seconds to think through because I hadn’t expected the question. But reality is that larger companies are stuck with inertia. You look at security, the way security and networking is done today is the same 30 year old technology. Firewalls, VPNs, you build a moat around the castle. The castle is your data center. Inside, everything is trusted. Outside, everything is untrusted. That model worked for several years. When data center was the center of the universe. And everyone sat inside the office. Castle, outside good. Now applications that left the castle, you got Salesforce, you got Office 365, you got all these clouds out there. Your people no longer work in the office. IoT, every device is everywhere. The model had to change. That’s where Zero Trust architecture has evolved. We at Zscaler focus on building Zero Trust, which is disrupting the old technology of firewalls and VPNs, which is saying you can no longer build these moats. Zero Trust starts by saying don’t trust anyone. In this architecture, rather than a moat around the castle, you build a switchboard, which says if you want to connect to something, you’re gonna come through me, I’m gonna check A, B, C, and D. If all the checks pass, you’ll be connected to application A or B or C. That’s what has to happen. And it’s happening, actually. U.S. government in the past four years actually made a big push on Zero Trust architecture adoption. I think some changes need to happen. Hackers have no inertia. The bigger the organization, the slower they move. And that’s really what’s causing all the issues. But from cyber point of view, if you think about it, the applications and systems you build, one, you need to be building them with better security so you can’t break into them too quickly. So when you build those applications, security needs to be embedded in them to start with. Now, knowing that no systems will be perfectly secure.
Then the second thing you do is when you want to allow access, you make sure that access happens through Zero Trust architecture, where you’re not on the corporate network. Otherwise, the most common hack is, just like Colonial Pipeline, they stole credentials of a VPN system. The VPN kind of says, come in, connect with me. Once you get in, you’re inside the castle, you move inside. And you find high-value assets, in that case, the billing application. You encrypt the data, the application can no longer run, and access to gas for millions of people is gone. Most of the attacks are not sophisticated. Some are. But technology needs to move. And I think it’s not the government’s role most of the time. In fact, sometimes over-regulation can stop things. Each entity needs to do its own job. Government need to do its own job to protect its own organizations. And some level of regulation is good. Over-regulation is always bad.


Katie Drummond: Sure, sure. I like this idea, sort of, as you were talking, I was thinking in my head, sort of, starting from a premise and really a strategic approach of zero trust really is what’s necessary to build the sort of trust that you were talking about at the beginning of the conversation. I think that’s interesting.


Jay Chaudhry: And you build zero trust is not always zero trust. I mean, start with no trust.


Katie Drummond: Start with no trust, yes.


Jay Chaudhry: And then you give them this much trust to access application A and A only.


Katie Drummond: Right. Incremental trust.


Jay Chaudhry: You’re not on the network. You’re not insider. Like, if you come in the building, you just can’t move around. You’ll be taken to a meeting room, your meeting happens, you get escorted out.


Katie Drummond: Right.


Jay Chaudhry: That’s the model.


Katie Drummond: That’s the model. Similar to the security environment I’ve been navigating this week, actually. Rob, same question to you, sort of, talk to us in the context of emerging technology, how quickly things are moving. I mean, it’s really overwhelming and where that sort of rubs up against cybersecurity from your point of view.


Robert M. Lee: Yeah. I mean, just in general, as we look at, like, that complexity discussion, right? I think most people would be shocked just how much transformation is happening in our infrastructure, especially in my world, which is mostly what I would consider operational technology. So the industrial side of these companies, power grids, manufacturing facilities, water facilities, et cetera. They used to have a lot of legacy infrastructure, but they made a lot of investments years ago. This isn’t, like, just emerging. To start having automatic switching, to start having… electric systems that can sort of, quote unquote, heal from different types of effects that happen, whether it be hurricanes or whatever. And all of that digitization is now providing an opportunity for attackers to be able to take advantage of it and misoperate it. A lot of times we hear about cyber attacks, it’s not, in the infrastructure world, it’s not always the zero day or the vulnerability, whatever, sometimes it’s just misoperation. If an operator can open up an electric panel, so can an adversary. If an operator can pour chemicals into the water for good purposes, an adversary can do it for too much and then have a sort of an ominous approach to it. So as we look at that digitization, as we look at that complexity, that presents a couple of major issues that I see. One, again, the ability to attack it is there, but two, it can just end up being non-resilient in of itself. Sometimes we just don’t understand how all these complex systems work. Some of these private companies are so excited to take that automation journey and all that it can do for the profit share that they really don’t understand some of the systems they’re putting in place. 
And once upon a time, there may have been somebody at that oil facility, she worked there for 20 years, her daddy worked there for 20 years, her granddaddy worked there for 20 years, they know that environment, but now you come in and digitize everything, lots of automation. Now it’s not one person that knows it. It’s five consulting companies, three different original equipment manufacturers, a bunch of contractors. And what that means is when something goes wrong, you don’t really go to anyone anymore to try to figure it out. The scary thing, I think, even from a government perspective, is you can have infrastructure disruption and we cannot get root cause analysis if we didn’t invest ahead of time. So you could be in a situation where you have an explosion at a refinery and have no idea if it was a maintenance issue, if it was a cyber attack by a foreign state, or it was a mistake by a contractor. And that is a really scary place to be in.


Katie Drummond: That is terrifying.


Robert M. Lee: You just don’t know what actually happened. All of your response is out. And again, a lot of companies don’t realize that in the world of operation technology, you have to invest ahead of that. The data is transient. It’s gone if you didn’t collect it ahead of time. So you think about, again, a world that’s getting so much more automated, so much more complex, at a time that you introduced… of a geopolitical discussion that states and criminals, for whatever reason, think it’s a valid target to target civilian infrastructure. We’ve seen a bunch of different water attacks past year, cyber attacks on electric power systems, et cetera. They see it as a valid target to go after our civilians. And I’ve got three kids, that’s awful. Go rob from the bank, no offense. Like, I’ll live with that, but don’t take down the water services, the electric services, et cetera. That’s just evil. And so we have this growing automated world, massively complex, executives and boards that may be disconnected from what’s actually happening in the building, and a lot of investment for that with a trailing cybersecurity budget. Cybersecurity teams are getting pulled in many different directions. So I always hear about, like, do the next thing, and what’s coming with AI, and how can we do the next thing? And I’m like, man, you have no idea how little is being done currently. The basics do work, it’s just a lot of companies aren’t doing the basics. You’d be stunned at how many infrastructure companies around the world have no idea what’s going on inside their plants. They have no visibility into anything happening in there, and then we’re having serious discussions about how are we gonna prevent AI attacks? I’m like, could you just go do the basics? Like, let’s start there, and you’d be okay. And the last thing on, as we talk about the regulation side of the house, you know, I see a lot of governments trying to create regulation. I think Jay hit it very well.
We need a lot more approach to harmonization of regulation, especially for multinationals. I was actually very impressed with the Malaysian delegation. Went over to the Singapore CSA’s conference, and the Malaysian delegation came trying to think about the regulation they were crafting, and the question was, before we try to think we know right, what is Singapore doing already, and what is the US government doing already with NERC and the electric systems? And I sat them down and sort of mapped it out. I was like, here’s what worked, here’s what didn’t, and there was no ego. It was just, hey, we wanna get this right, let’s go look at what others did, and I would encourage a lot more countries to take that approach.


Katie Drummond: Now, I wanna make sure that we have time for questions, but I don’t wanna miss the opportunity to ask you all about equity in the context of cybersecurity. Jay, you talked a little bit about sort of the bigger the organization, right, the slower it is to move, and I think, Rob, your comments just now about sort of different geopolitical players coming to the table with no ego, that’s an interesting comment with regard to equity as well. Hoda and ministers following, I’d love to hear sort of what stands out to you when we think about smaller and larger organizations, when we think about developed and emerging economies, making sure that there is sort of this equitable access to knowledge about cybersecurity, to implementation, to sort of effective strategies. How do we make sure that the playing field, especially in the context of emerging technology, is as even as possible, right? At least that we are making progress towards a more equitable future. Just very briefly a few remarks from each of you so that we can open it up to questions. Hoda.


Hoda Al Khzaimi: I think the mass opportunity that exists in the equity space is understanding that it’s a multi-layered approach. It’s government as well having equitable access to resources as well as organization and individuals, which mean allowing governance, the government, their sovereign spaces to create their own cybersecurity assets. Because there are indigenous as well structures within their own infrastructure that they want to preserve for the longer run. As well as organization allowing them a space to grow and allowing a free flow of capital and investment for those organization. What we’re seeing at the moment is structures of monopolistic approaches across industries, even in the emerging technology space or the cybersecurity space, that doesn’t allow SMEs to come in to tackle these niche ideas and to grow in a healthy prosperous manner so they can provide for different spaces within cybersecurity. Because cybersecurity is a complex space. It’s not just a technological question, it’s a geopolitical question and it’s individual questions on privacy. So on the equitable access to knowledge when it comes to individuals, they need not just the basic information of how to attack a system and protect a system, they need as well accessible platforms for research and development, for science. Because right now the knowledge, what is, as the minister have said, what is exactly… cyber security professional, what does it mean? Because it’s a multi-layer 360 view of the world, you need to have a holistic understanding of the geopolitics of the world, of the legislation structures, of the regulation structure, and you need to know your ABCs on cryptography, on AI, and on the multiple asset structures that exist on the science aspects. So I think allowing them this space, an open box and tool, to experiment, to develop those intrinsic, I would say primitive, is very important, and not to just perceive them as deployment entities. 
Like we’re building, I think, for a segregated world, and we should be very careful from doing this level of developing AI or emerging technologies in specific economies, and perceiving the rest of the world as just deployment structures of those economies.


Katie Drummond: Absolutely, I love that. Ministers, anything briefly to add before we open it up for a few questions?


Oscar López: Well, I think the opportunity is proportional to the threats. I mean, when you talk about inequality, you can talk inside the country or between countries. So the thing is, we are talking about security, who’s got the whole sovereignty? Nobody, even the US, the most powerful, doesn’t have the whole sovereignty on AI, on new technologies. Maybe three players in the world can do something, US, China, European Union, don’t know about India, but the rest of countries, as I said before, even the US hasn’t got the whole sovereignty. So it’s really, really difficult to, who’s feeding the AI? What’s learning the AI? Just imagine Palo Alto wasn’t in California, but in Afghanistan, ruled by Taliban. What would the AI be answering now? Let me give you just one example, because there’s not going to be time. Sure, yes, yes, very briefly. It is not about this, but as I was saying before, now in Spain we are testing this Institute for Cybersecurity. We are testing toys. We are testing hundreds and hundreds of toys, because toys, they use chips and they are connected. So we bring our homes for the kids, all the toys, and they connect to the Wi-Fi of the home. Half of them have security breaches. They can get you with a virus and get into your personal, your home Wi-Fi, and then get into your bank accounts, half of them. So the challenge is huge. There are so many aspects, so many economical and companies and countries and rules, and it is really, really difficult to solve it from the point of view of the government, only from the national level. So that’s why.


Jay Chaudhry: So if I may add a couple of comments. Security can be complex, but it doesn’t need to be. Okay, if you’re trying to be 100% cyber-proof, you’ll never be.


Oscar López: Yeah.


Jay Chaudhry: I think we should think about, let’s build a four-foot fence around our house first and move on, rather than keep on talking about a 20-foot fence we need. There are lots of arguments here, here, here. There’s a basic security they need to put in place. That’s not very expensive. In fact, if you talk about equity, the bigger issue ends up being knowledge.


Katie Drummond: Sure.


Jay Chaudhry: The simple technology for security is not expensive. Old technology is far more expensive. When we go into zero-trust architecture, if they’re spending, for example, a million dollars on security products, we remove most of them and probably replace them with far better security at half the cost. So technologies can be simple. What’s lacking in some of this emerging world is lack of knowledge, understanding. That’s a bigger thing. And I think the other piece ends up being, when we start combining government, regulation, geopolitical, this, it looks complex. But let’s start, focus on a farmer corporation with a thousand people. My focus is to protect my employees first. That can be done. And the consumer world gets its own complicated stuff. But the compartmentalize the problem, solve those problems, but I’ve been debated forever.


Katie Drummond: It’s like starting your own backyard, yeah, the four-foot fence, exactly. Then look over the fence, see what else is out there. I want to …


Gobind Singh Deo: Just to put things in perspective, I think at the end of the day, when you look at cybersecurity, we’re looking at a whole spectrum of different instances. You’re going to encourage people to use devices. You’re gonna start with the man on the street who’s working on his hand phone right out of an e3. Then you’re gonna look at small businesses, you’re gonna look at larger businesses, industries, you’re gonna look at government. So it spreads as well across a spectrum. And I think what’s important for us to understand is that these different groups have different challenges. Exactly, they have different needs. So I think we have to come back to basics. I completely agree, awareness is key, knowledge is key. But the way in which we deal with things, I think, has to be looked at from the perspective of the sector itself. What do they need? How do you empower? How do you make sure that everyone invests in cybersecurity? And this is where, if I may just take it to where the discussion was earlier, when we speak about regulation, for example, in Malaysia, what we’re trying to do is we’re trying to empower government to make regulations in areas that are necessary so that we can ensure that cybersecurity is a key focus of those areas. Now, in addition to that, we also set up different groups of people. For example, at the National AI office, we also have a cybersecurity Academy, and we also have what we propose to launch in June this year, the Data Safety and Trust Commission. Because ultimately what we want to do is we want to get all these different sectors to come forward, tell us exactly what they think we should be doing. I think that interaction and collaboration is very, very important, so we understand their needs, so we have organizations that takes into consideration what is is what they need, what is required to be done to ensure that we are secure. At the same time, the government also has the mechanism by which we can make it happen.
And, you know, when we speak about – I like this example about how it is, you know, when there’s a war, there’s a sense of urgency. I mean, not very long ago, all of us looked at a screen in one afternoon and it was just blue screens in front of us. None of us knew exactly what was going on. We didn’t know whether it was a cyber security attack, whether it was just a technical glitch. Point is, at that point in time, things came to a standstill. We didn’t know where to look to for answers. We didn’t know what was going to happen next. But the next day, we were told that it was a glitch. It was always okay. Everybody expressed how important it was for us to ensure that we had systems that were secure. But today, it can happen right now again. The question is, are we ready? So I think from a government perspective, we have the responsibility to take the lead. We have the responsibility to create structures within government that allows us to act quickly in the event something happens, or also to look at policies to formulate ways in which these different sectors can actually succeed. So I agree, but I think this is a question of approach. From a government perspective, of course, it’s huge. There’s a lot of challenges, many things to be done.


Katie Drummond: I so appreciate all of this, and we could be here all day. I want to try to squeeze in one question, if anyone has one, before we wrap. This has been so interesting. There’s been a lot covered. Any takers?


Robert M. Lee: In the absence of one, could I just say that, on the report, I do think people should go actually take a good look at the report. Julian teamed a phenomenal job with it. I have a copy of it in the speaker’s room, if anyone wants my copy. It’s really good. It lays out, as we’re talking about the basics, one of the things that I talked about that I think we kind of missed a bit, or at least I’d missed in my part to push in, is the resilience discussion of the requirements. Again, what do you actually need the system to do or the environment to do? I see a lot of cybersecurity people come at this with, here’s what I want to do to do cybersecurity. And it’s like, stop. What are we actually trying to accomplish as a business? How do we reduce the V, as they talked about in the report, to actually make it where, if I’m a pipeline, I’m back up and running, regardless of the… cybersecurity vulnerabilities. And you’ll find that that basic question of what do we actually in the business of is not happening in most of the CSO discussions I’m in. And so you get people misinvesting, you get people spending 95 percent of their budget on the website and nothing on their operation environment. So just, what’s the requirements? Figure out the requirements. I think the report digs into that well, and I think you can encapsulate a lot of this.


Jay Chaudhry: One comment I’d like to make is, I think public and private sector cooperation is good, yes, we do. But public sector, a government shouldn’t interfere too much. Government shouldn’t be telling private companies do this, do this, because a lot of those companies are motivated, because otherwise they won’t be successful, and learn from it.


Katie Drummond: We are going to wrap. Let me just sort of sum up. If I could take one thing away from this, all of this complexity, all of this emerging technology, sort of all of this almost this feeling of sort of hand-waving panic in the context of cybersecurity, I think what we heard from everyone in their own way today was really: rewind, go back to basics, build your four-foot fence, make sure you are ready ahead of the game instead of trying to play catch-up after something goes wrong. And I think that is sort of a great sort of building block to build the kind of trust that the very beginning you were referring to is so important. So thank you all so much for being here. Hope this was interesting and I hope it was helpful. And thank you again. I think we’ll wrap it there.


Gobind Singh Deo

Speech speed

186 words per minute

Speech length

1855 words

Speech time

598 seconds

Legislation and regulation to build trust and security

Explanation

Gobind Singh Deo emphasizes the importance of legislation and regulation in building trust and security in the digital space. He argues that governments need to take aggressive steps through legislation to ensure cybersecurity measures are in place.


Evidence

Malaysia has introduced a Cyber Security Act, amended data protection laws, and introduced data sharing legislation.


Major Discussion Point

Cybersecurity Challenges and Approaches


Governments should take aggressive steps through legislation

Explanation

Gobind Singh Deo argues that governments need to take proactive and aggressive steps through legislation to address cybersecurity challenges. He emphasizes the importance of showing seriousness in dealing with cybersecurity issues through legal frameworks.


Evidence

Malaysia has introduced various legislations including the Cyber Security Act, amendments to data protection laws, and data sharing legislation.


Major Discussion Point

Government Role in Cybersecurity


Differed with

– Jay Chaudhry

Differed on

Role of government regulation in cybersecurity


Different sectors have different cybersecurity needs and challenges

Explanation

Gobind Singh Deo highlights that cybersecurity spans across various sectors, from individuals to small businesses to large industries and government. He argues that these different groups have different challenges and needs when it comes to cybersecurity.


Evidence

Malaysia has set up different groups such as the National AI office, a cybersecurity Academy, and plans to launch a Data Safety and Trust Commission to address sector-specific needs.


Major Discussion Point

Equity and Access in Cybersecurity


Oscar López

Speech speed

139 words per minute

Speech length

901 words

Speech time

387 seconds

Collaboration between countries and sectors is key

Explanation

Oscar López emphasizes that cybersecurity is a complex issue that cannot be solved at a national level alone. He argues that collaboration between private sector, public sector, countries, agencies, and technologies is crucial in addressing cybersecurity challenges.


Evidence

Spain is working within a European framework and has launched a new act on cybersecurity involving three ministries.


Major Discussion Point

Cybersecurity Challenges and Approaches


Agreed with

– Gobind Singh Deo
– Jay Chaudhry
– Robert M. Lee

Agreed on

Importance of collaboration and international cooperation


Need for international cooperation beyond national efforts

Explanation

Oscar López argues that cybersecurity issues cannot be solved at a national level alone. He emphasizes the importance of international cooperation and working within supranational frameworks to address cybersecurity challenges effectively.


Evidence

Spain is working within the European framework and following European rules such as the NIS2 Act.


Major Discussion Point

Government Role in Cybersecurity


Agreed with

– Gobind Singh Deo
– Jay Chaudhry
– Robert M. Lee

Agreed on

Importance of collaboration and international cooperation


Global inequalities in technological sovereignty affect cybersecurity

Explanation

Oscar López highlights that even powerful countries like the US don’t have full sovereignty over AI and new technologies. He argues that this lack of complete control creates challenges in addressing cybersecurity issues globally.


Evidence

He mentions that only three players in the world (US, China, European Union) can significantly influence AI development.


Major Discussion Point

Equity and Access in Cybersecurity


Jay Chaudhry

Speech speed

154 words per minute

Speech length

935 words

Speech time

362 seconds

Traditional security approaches are outdated; Zero Trust is needed

Explanation

Jay Chaudhry argues that traditional security approaches like firewalls and VPNs are outdated in the current digital landscape. He advocates for a Zero Trust architecture, which starts with not trusting anyone and verifying every connection attempt.


Evidence

He mentions that the U.S. government has made a big push on Zero Trust architecture adoption in the past four years.


Major Discussion Point

Cybersecurity Challenges and Approaches


Over-regulation can hinder progress; limited government role preferred

Explanation

Jay Chaudhry cautions against over-regulation in cybersecurity. He argues that while some level of regulation is good, excessive government interference can impede progress and innovation in the private sector.


Major Discussion Point

Government Role in Cybersecurity


Differed with

– Gobind Singh Deo

Differed on

Role of government regulation in cybersecurity


Importance of basic security measures that are not expensive

Explanation

Jay Chaudhry emphasizes that effective cybersecurity doesn’t have to be complex or expensive. He argues that focusing on basic security measures can provide significant protection without requiring substantial financial investment.


Evidence

He mentions that implementing zero-trust architecture can often replace more expensive security products at half the cost.


Major Discussion Point

Equity and Access in Cybersecurity


Focus on building basic security before advanced measures

Explanation

Jay Chaudhry advocates for a pragmatic approach to cybersecurity, focusing on implementing basic security measures before moving on to more advanced strategies. He argues that this approach is more effective and achievable for most organizations.


Evidence

He uses the analogy of building a four-foot fence around a house before considering a 20-foot fence.


Major Discussion Point

Practical Approaches to Improving Cybersecurity


Agreed with

– Robert M. Lee

Agreed on

Need for basic security measures and understanding system requirements


Balancing public-private cooperation without excessive interference

Explanation

Jay Chaudhry acknowledges the importance of public and private sector cooperation in cybersecurity. However, he cautions against excessive government interference, arguing that private companies are often motivated to implement security measures for their own success.


Major Discussion Point

Practical Approaches to Improving Cybersecurity


Agreed with

– Oscar López
– Gobind Singh Deo
– Robert M. Lee

Agreed on

Importance of collaboration and international cooperation


Robert M. Lee

Speech speed

234 words per minute

Speech length

1202 words

Speech time

307 seconds

Complexity of digital systems creates new vulnerabilities

Explanation

Robert M. Lee highlights how the increasing complexity and digitization of infrastructure systems are creating new vulnerabilities. He argues that this complexity often leads to a lack of understanding of how these systems work, making them more susceptible to attacks and non-resilient.


Evidence

He mentions examples of digitization in power grids, manufacturing facilities, and water facilities.


Major Discussion Point

Cybersecurity Challenges and Approaches


Governments should focus on harmonization of regulations

Explanation

Robert M. Lee suggests that governments should focus on harmonizing cybersecurity regulations, especially for multinational companies. He argues that this approach would be more effective than each country creating its own set of regulations.


Evidence

He mentions being impressed with the Malaysian delegation’s approach of learning from Singapore’s and US government’s existing regulations.


Major Discussion Point

Government Role in Cybersecurity


Agreed with

– Oscar López
– Gobind Singh Deo
– Jay Chaudhry

Agreed on

Importance of collaboration and international cooperation


Importance of understanding system requirements and business needs

Explanation

Robert M. Lee emphasizes the importance of understanding the actual requirements of a system or business environment before implementing cybersecurity measures. He argues that many cybersecurity professionals focus too much on what they want to do rather than what the business actually needs.


Evidence

He mentions that many CSO discussions he’s been in don’t address the basic question of what the business is actually trying to accomplish.


Major Discussion Point

Practical Approaches to Improving Cybersecurity


Agreed with

– Jay Chaudhry

Agreed on

Need for basic security measures and understanding system requirements


Hoda Al Khzaimi

Speech speed

148 words per minute

Speech length

1430 words

Speech time

576 seconds

AI and emerging tech are changing the cybersecurity landscape rapidly

Explanation

Hoda Al Khzaimi highlights how AI and emerging technologies are rapidly changing the cybersecurity landscape. She argues that this rapid change is creating challenges in terms of regulation, implementation, and ethical considerations.


Evidence

She mentions the World Economic Forum report noting that 66% of organizations are concerned about AI’s impact on cybersecurity this year.


Major Discussion Point

Cybersecurity Challenges and Approaches


Need for equitable access to resources and knowledge across countries

Explanation

Hoda Al Khzaimi emphasizes the importance of equitable access to cybersecurity resources and knowledge across different countries and organizations. She argues that this is crucial for creating a more secure global digital ecosystem.


Evidence

She mentions the need for governments to have sovereign spaces to create their own cybersecurity assets and for organizations to have space to grow and access to free flow of capital and investment.


Major Discussion Point

Equity and Access in Cybersecurity


Agreements

Agreement Points

Importance of collaboration and international cooperation

speakers

– Oscar López
– Gobind Singh Deo
– Jay Chaudhry
– Robert M. Lee

arguments

Collaboration between countries and sectors is key


Need for international cooperation beyond national efforts


Balancing public-private cooperation without excessive interference


Governments should focus on harmonization of regulations


summary

The speakers agree that addressing cybersecurity challenges requires collaboration between countries, sectors, and public-private partnerships, while emphasizing the need for international cooperation and harmonization of regulations.


Need for basic security measures and understanding system requirements

speakers

– Jay Chaudhry
– Robert M. Lee

arguments

Focus on building basic security before advanced measures


Importance of understanding system requirements and business needs


summary

Both speakers emphasize the importance of implementing basic security measures and understanding the actual requirements of systems and businesses before implementing more advanced cybersecurity strategies.


Similar Viewpoints

Both ministers emphasize the importance of legislation and international cooperation in addressing cybersecurity challenges, highlighting the need for a coordinated approach that goes beyond national efforts.

speakers

– Gobind Singh Deo
– Oscar López

arguments

Legislation and regulation to build trust and security


Need for international cooperation beyond national efforts


Both speakers highlight the inadequacy of traditional security approaches in the face of increasing complexity and digitization of systems, advocating for new approaches like Zero Trust architecture.

speakers

– Jay Chaudhry
– Robert M. Lee

arguments

Traditional security approaches are outdated; Zero Trust is needed


Complexity of digital systems creates new vulnerabilities


Unexpected Consensus

Balancing regulation and innovation

speakers

– Jay Chaudhry
– Robert M. Lee

arguments

Over-regulation can hinder progress; limited government role preferred


Governments should focus on harmonization of regulations


explanation

Despite coming from different perspectives (private sector and cybersecurity expert), both speakers agree on the need for a balanced approach to regulation that doesn’t hinder innovation while still providing necessary guidelines.


Overall Assessment

Summary

The main areas of agreement include the need for international collaboration, the importance of basic security measures, and the challenges posed by emerging technologies. There is also consensus on the need for a balanced approach to regulation.


Consensus level

Moderate consensus with some variations in emphasis. The speakers generally agree on the major challenges and the need for collaborative approaches, but differ in their specific recommendations and areas of focus. This level of consensus suggests a shared understanding of the complexity of cybersecurity issues, which could facilitate more coordinated efforts in addressing these challenges.


Differences

Different Viewpoints

Role of government regulation in cybersecurity

speakers

– Jay Chaudhry
– Gobind Singh Deo

arguments

Over-regulation can hinder progress; limited government role preferred


Governments should take aggressive steps through legislation


summary

Jay Chaudhry cautions against over-regulation, preferring limited government involvement, while Gobind Singh Deo advocates for aggressive government steps through legislation to address cybersecurity challenges.


Unexpected Differences

Approach to international cooperation

speakers

– Oscar López
– Jay Chaudhry

arguments

Need for international cooperation beyond national efforts


Balancing public-private cooperation without excessive interference


explanation

While both speakers acknowledge the importance of cooperation, Oscar López emphasizes international collaboration, while Jay Chaudhry unexpectedly cautions against excessive interference, even in the context of public-private cooperation.


Overall Assessment

summary

The main areas of disagreement revolve around the role of government regulation, the approach to basic security measures, and the balance between international cooperation and private sector autonomy.


Difference level

The level of disagreement among speakers is moderate. While there is consensus on the importance of cybersecurity and the need for action, speakers differ in their preferred approaches and the extent of government involvement. These differences reflect the complex nature of cybersecurity challenges and suggest that a multifaceted approach, considering various perspectives, may be necessary to address global cybersecurity issues effectively.


Partial Agreements

All speakers agree on the importance of addressing basic security needs, but they differ in their approaches. Jay Chaudhry emphasizes starting with simple measures, Robert M. Lee focuses on understanding system requirements, and Gobind Singh Deo highlights sector-specific needs.

speakers

– Jay Chaudhry
– Robert M. Lee
– Gobind Singh Deo

arguments

Focus on building basic security before advanced measures


Importance of understanding system requirements and business needs


Different sectors have different cybersecurity needs and challenges


Thought Provoking Comments

Zero Trust starts by saying don’t trust anyone. In this architecture, rather than a moat around the castle, you build a switchboard, which says if you want to connect to something, you’re gonna come through me, I’m gonna check A, B, C, and D. If all the checks pass, you’ll be connected to application A or B or C.

speaker

Jay Chaudhry


reason

This comment introduces the concept of Zero Trust architecture as a paradigm shift in cybersecurity, moving away from traditional perimeter-based security models.


impact

It shifted the discussion towards more modern, adaptive security approaches and highlighted the need for fundamental changes in how organizations approach cybersecurity.


You could be in a situation where you have an explosion at a refinery and have no idea if it was a maintenance issue, if it was a cyber attack by a foreign state, or it was a mistake by a contractor. And that is a really scary place to be in.

speaker

Robert M. Lee


reason

This comment vividly illustrates the complexity and potential consequences of cybersecurity vulnerabilities in critical infrastructure, highlighting the importance of comprehensive monitoring and analysis capabilities.


impact

It deepened the conversation by emphasizing the real-world implications of cybersecurity failures and the need for proactive investment in security measures and analysis capabilities.


We are normalizing the fact of unreliability by saying hallucinations are amazing and poetic and artistic. And at the same time you’re saying you’re drafting a different kind of criteria of reliability I would say and security.

speaker

Hoda Al Khzaimi


reason

This comment challenges the current approach to AI development and deployment, pointing out the disconnect between the acceptance of AI unreliability and the need for robust security measures.


impact

It introduced a critical perspective on the rapid advancement of AI technologies and their potential security implications, prompting a more nuanced discussion about the balance between innovation and security.


Security can be complex, but it doesn’t need to be. Okay, if you’re trying to be 100% cyber-proof, you’ll never be. I think we should think about, let’s build a four-foot fence around our house first and move on, rather than keep on talking about a 20-foot fence we need.

speaker

Jay Chaudhry


reason

This comment provides a pragmatic perspective on cybersecurity, emphasizing the importance of starting with basic, achievable security measures rather than striving for perfect but unattainable security.


impact

It shifted the conversation towards more practical, implementable solutions and highlighted the importance of taking action rather than getting paralyzed by the complexity of cybersecurity challenges.


Overall Assessment

These key comments shaped the discussion by moving it from theoretical concerns to practical considerations, emphasizing the need for fundamental shifts in cybersecurity approaches, and highlighting the real-world implications of cybersecurity failures. They also introduced critical perspectives on emerging technologies like AI and their security implications. The discussion evolved from outlining problems to exploring solutions, with a focus on balancing innovation, practicality, and security in an increasingly complex digital landscape.


Follow-up Questions

How can governments create regulation structures that are fast and agile enough to counter rapidly evolving cybersecurity threats?

speaker

Hoda Al Khzaimi


explanation

Current regulation processes are too slow compared to the speed at which cyber attacks can occur and cause massive disruptions


How can we develop attribution mechanisms for AI-driven attacks across different regions?

speaker

Hoda Al Khzaimi


explanation

Current regulations lack clear attribution structures for AI-related cybersecurity incidents


How can we create algorithms capable of erasing an individual’s digital footprint from the internet?

speaker

Hoda Al Khzaimi


explanation

This capability is needed to fully implement the ‘right to be forgotten’ in practice


How can we improve root cause analysis capabilities for infrastructure disruptions?

speaker

Robert M. Lee


explanation

Many organizations lack the ability to determine if an incident was caused by maintenance issues, cyber attacks, or human error


How can we achieve better harmonization of cybersecurity regulations, especially for multinational companies?

speaker

Robert M. Lee


explanation

There is a need for more coordinated approaches to regulation across different countries


How can we ensure equitable access to cybersecurity resources and knowledge across different countries and organization sizes?

speaker

Katie Drummond


explanation

There are significant disparities in cybersecurity capabilities between developed and emerging economies, as well as between large and small organizations


How can we create accessible platforms for cybersecurity research and development?

speaker

Hoda Al Khzaimi


explanation

There is a need for open tools and spaces for individuals to experiment and develop cybersecurity skills


Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.