Uncategorized

Dr. Albert Antwi-Boasiako

The issue of jurisdiction and sovereignty in cyberspace poses significant challenges. With the advent of the digital transformation, traditional concepts of jurisdiction in physical spaces clash with the borderless nature of the internet. This creates difficulties in defining jurisdiction in cyberspace. The lack of clear boundaries makes it challenging to attribute cybercrimes to specific individuals or entities. The growing use of IP spoofing and AI-enabled systems in cybercrime further complicates attribution. As a result, identifying and holding cybercriminals accountable becomes increasingly difficult.

To effectively combat cybercrime, there is a need for international cooperation and legal harmonisation. Ghana’s membership in conventions and treaties, such as the Budapest Convention and the African Union Convention, highlights the importance of global collaboration. By joining these international efforts, Ghana recognises the necessity of unified action against cybercrime. Moreover, the mention of an international treaty to counter the use of information and communication technologies (ICT) in cybercrime underscores the significance of a coordinated global response.

Unfortunately, bureaucratic responses to cybercrime often lag behind the speed of hackers. The slow pace of decision-making and lack of urgency from world leaders hinder the effective addressing of cybercrime challenges. Ransomware attacks and organised criminal networks continue to thrive due to the insufficient urgency exhibited by policymakers and officials. There is a clear call for faster action and a more proactive approach from world leaders to tackle the ever-evolving cyber threats.

Addressing cybersecurity requires concerted efforts at multiple levels. Countries need to establish strong national legislation to combat cyber threats effectively. However, aligning this legislation with sub-regional and global instruments is crucial for comprehensive cybersecurity measures. Ghana’s recent passage of a cybersecurity act in 2020 demonstrates its commitment to addressing cyber risks at the national level. To further strengthen cybersecurity, collaboration and coordination are needed at sub-regional and international levels.

The difficulties in accessing data from big tech firms also raise concerns about data governance and sovereignty. Domestic laws may be enacted to compel these companies to keep data within the country, asserting data sovereignty. Balancing the need for cooperation with big tech firms and the desire for self-reliance in managing data poses a complex challenge for governments worldwide.

The private sector’s cooperation with states is essential for progress in tackling cyber threats. Recognising that the private sector possesses valuable expertise and resources, collaborating with them can enhance cybersecurity measures. This cooperation can pave the way for more effective cybersecurity strategies and the identification of emerging threats.

Ghana’s hosting of the Global Conference on Cyber Capacity highlights its ambition to lead cybersecurity efforts on the African continent. The conference, organised by the World Bank in collaboration with the World Economic Forum, GFC, and Cyber Peace Institute, brings together international delegates to explore and promote cyber capacity building. Ghana’s hosting of this significant event aligns closely with its vision to play a leading role in strengthening cybersecurity in Africa.

In conclusion, the challenges of jurisdiction, attribution, and legal harmonisation in cyberspace demand international cooperation and proactive measures. Efforts at multiple levels, from national to international, are required to effectively combat cybercrime. Collaboration between states and the private sector is vital for developing robust cybersecurity strategies. Ghana’s involvement in international conventions and its hosting of the Global Conference on Cyber Capacity underpin its ambition to lead cyber capacity building on the African continent. Overall, it is clear that addressing cyber threats and safeguarding cyberspace is a complex and multifaceted task that demands a unified and coordinated global response.

Prof. Marco Gercke

Jurisdiction is a crucial aspect of cybersecurity, allowing for the fight against cybercrime and ensuring overall security. However, the jurisdictional limits of enforcement agencies are often defined by national borders, which can create limitations in cooperation between countries. This is especially true when countries have different classifications of crimes, leading to limited cooperation in criminal matters.

Cooperation plays a significant role in addressing cyber threats, extending beyond the criminal field. It can take various forms, such as information exchange and collaboration in cybersecurity. Fostering collaboration across sectors and disciplines is key to effectively addressing these threats.

Jurisdictional limitations also serve a purpose by allowing different criminal systems worldwide. Different countries can criminalize activities that may not be criminalized elsewhere, addressing issues based on their societal needs and values.

Both regional and global cooperation are seen as potential solutions to tackle cyber threats. Regional cooperation has already shown positive results, with successful collaborations between governments in different parts of the world. Prof. Marco Gercke advocates for private sector involvement, highlighting the benefits of multinational companies assisting law enforcement agencies in accessing crucial data.

The advent of cloud services has brought both opportunities and risks to cybersecurity. Initially, there were concerns about restricting access to suspects’ data. However, law enforcement agencies soon realized they could approach cloud service providers directly for necessary information, opening new possibilities in data sharing and investigation.

Solutions for cybersecurity challenges can be pursued at national or international levels. Some propose addressing issues through national legislation, while others suggest involving larger international organizations such as the United Nations. Combining different approaches may be the way forward.

Cooperation at various levels, sectors, and regions is vital in addressing cyber threats. Ghana’s Cyber Security Act of 2020 demonstrates the importance of national-level legislation in bridging gaps in cybersecurity. Sub-regional instruments, like those implemented by ECOWAS, contribute to enhanced cooperation. While global expectations should be realistic, basic cooperation frameworks remain essential.

Efforts to establish effective cooperation frameworks require exploration and evaluation. Existing frameworks and avenues for cooperation can be assessed to develop more robust mechanisms. If negotiations for cooperation fail, it may be necessary to reassess and develop new strategies.

It is important to note that cybersecurity is linked to various areas of concern, from attacks on critical infrastructure to child sexual exploitation. Each area presents different levels of cooperation required and unique challenges.

While regional cooperation has yielded positive results in cybersecurity, a comprehensive global approach is still needed. Many emphasize the need for broader international cooperation to effectively address cyber threats.

In conclusion, jurisdiction is a critical aspect of cybersecurity, enabling the fight against cybercrime and ensuring overall security. However, jurisdictional limits at national borders can limit cooperation. Cooperation plays a significant role in addressing cyber threats and can extend beyond the criminal field. Jurisdictional limitations allow for different criminal systems worldwide. Regional and global cooperation, along with private sector involvement, are potential solutions. The advent of cloud services brings both opportunities and risks. Solutions can be pursued at national and international levels. Cooperation at various levels, sectors, and regions is vital. Efforts to establish effective cooperation frameworks require exploration. Cybersecurity is linked to various areas of concern. While regional cooperation has shown promise, a comprehensive global approach is still needed.

Sheikh Salman bin Mohammed Al Khalifa

The analysis examines different perspectives on the importance of cooperation and legal protections in tackling cybercrime. It cites an example of cooperation between the Kingdom of Bahrain and the UK to address online child abuse, highlighting the positive sentiment towards cross-border collaboration in combating cybercrime.

Effective cybercrime cooperation is believed to be achieved through inter-regional, international, and cross-regional agreements. The GCC agreement in Bahrain is presented as an example that supports the investigation and resolution of online crimes, reinforcing the argument for effective cross-border collaboration.

Some argue that there is no need to wait for the UN to address cybercrime, suggesting that regional bodies and cross-regional cooperation can take the lead. This neutral stance indicates confidence in the effectiveness of regional collaboration without relying solely on international organizations like the UN.

The significance of legal protection for companies sharing information in cybercrime cases is emphasized. It is noted that private sector companies may face legal consequences, such as being sued under the General Data Protection Regulation (GDPR), if they share information without proper authorization. This underscores the need for proper authorization and legal safeguards when combatting cybercrime.

Furthermore, there is support for establishing global or regional mechanisms to minimize the legal risks faced by companies in cybercrime cases. It is seen as a positive step towards SDG 16 (Peace, Justice, and Strong Institutions) and SDG 17 (Partnerships for the Goals). However, no specific evidence or supporting facts are provided in this regard.

The importance of international cooperation in combating ransomware attacks is also highlighted, with 40 countries signing up for collaboration to stop paying ransomware and share critical information. The ability to respond quickly to attacks through inter-regional cooperation is also emphasized.

There is a negative sentiment towards cybercrime due to its impact on individuals and companies globally. The need to extend laws and regulations to protect organizations and individuals from cybercrime, particularly ransomware, is emphasized. It is mentioned that laws supporting cybercrimes related to children are already in place.

In conclusion, the analysis emphasizes the significance of cooperation between countries and regions in addressing cybercrime. It highlights the importance of legal protections, agreements, and regional collaboration as effective strategies in combatting cybercrime. The negative impact of cybercrime on individuals and organizations necessitates the extension of laws and regulations to safeguard against these attacks. Overall, the analysis offers valuable insights into various perspectives on cybercrime cooperation and legal protections.

Bernardo Pillot

In this discussion on cybercrime, the speakers raise concerns regarding jurisdiction and the challenge it poses in addressing cybercriminal activities. They highlight the complex nature of cybercrime, with perpetrators operating in one country, using infrastructure located in another country, and victims scattered across multiple countries. This leads to difficulties in the law enforcement community in navigating and effectively addressing such crimes. The argument is made that jurisdiction is a significant problem in cybercrime.

However, Interpol is recognized as playing a vital role in facilitating collaboration and the exchange of information across jurisdictions. As an international organisation, Interpol has 195 member countries, each with a national central bureau for communication. They emphasise that Interpol’s role is to establish programmes and provide training to law enforcement agencies worldwide to enhance their capacity and knowledge in fighting cybercrime.

Cultural differences are also acknowledged as affecting international cooperation on cybercrime. The speakers note that the handling of this issue varies due to differing legal frameworks and regional challenges. Interpol adopts a regional model that provides tailored support addressing specific challenges and threats in each region.

The speakers express support for Interpol’s role on the UN Ad Hoc Committee as the global law enforcement voice, giving a voice to the law enforcement community. They highlight Interpol’s active involvement in the UN Ad Hoc Committee process. However, they also acknowledge that in such negotiations, many countries are represented by diplomats rather than the people directly involved in using the mechanisms being discussed.

The potential of public-private partnerships is explored as a means to aid in cybercrime investigations in the absence of a global legal framework. The speakers mention Project Gateway, which involves collaboration between Interpol and 13 companies. These companies possess the intelligence necessary for law enforcement agencies to push forward with investigations. The evidence presented supports the argument that private sector involvement can be beneficial in addressing cybercrime.

The speakers place an emphasis on immediate cooperation in cases related to child sexual abuse, which is considered a top priority. They mention that child sexual exploitation material is handled with utmost priority by Interpol.

On the other hand, challenges related to information exchange during ransomware attacks are highlighted. Law enforcement agencies often face limitations when it comes to sharing essential information, indicating the complexity surrounding such incidents.

In conclusion, there is a consensus among the speakers on the need for improved trust and cooperation among international organisations to effectively combat cybercrime. They believe that addressing the challenges of jurisdiction, cultural differences, and information exchange will require collaborative efforts and the active involvement of organisations like Interpol. The speakers’ insights shed light on the complexities of cybercrime and the importance of international cooperation in effectively combating this global threat.

Prof. Marco Gercke:
Good, welcome to the audience and to this session. I have excellent experts here with me to answer questions that we’d like to discuss with you. I’m gonna be just making some brief statements. Jurisdiction is the holy grail of cybersecurity, to be very honest. If we four would be able to solve the issue of jurisdiction or we all together in this room today, we’d made a major step forward. I don’t think this is gonna be possible. And I think what we need to do is we need to distinguish between two topics. There is the topic of jurisdiction, which is usually related to crime, to criminal investigations, to cybercrime. And there is the more broader topic of cooperation. Cooperation can take place outside of any criminal field. It can be cooperation in cybersecurity, exchange of information. So we’d like to address both topics. They’re intertwined, but I’d like to separate them for a moment. And I’d like, as a criminal law professor, to maybe make one comment. There are a lot of people who say jurisdiction is one of the key problems, one of the obstacles to successful fight against crime, against cybercrime, and ensuring our security. I’d like to caution you a little bit. Jurisdiction is what we understand when we’re saying there are limitations to the authority of an enforcement agency within a country. So the enforcement agencies in Saudi Arabia will find their limits in general at the border. That means if a crime is happening outside the country, they will not be able to enforce it unless there is certain agreement of cooperation in the criminal field. There are very few cases where you wanna claim jurisdiction outside your borders. These are very, very rare cases. And in general, jurisdiction and the limitation to jurisdiction serves an important purpose. It allows us to have different criminal law systems in the world. It allows you to criminalize things which are not criminalized in other parts of the world. And cooperation in general finds its limit if countries have to work together and they realize we are not talking about a criminal offense in both countries. If one country criminalizes something, the other country does not criminalize it, the possibilities for cooperation in criminal matters is very much limited. Therefore, if we had jurisdiction or one of the conditions for closer cooperation in criminal matters is actually that we would align our criminal law systems as well, we would criminalize the same things. Okay, that as a general remark. We have excellent experts here and I’d like to pass on the question to Bernardo maybe from Interpol as you are one of the organizations that is closest associated with the first part, fighting crime. What’s your view? What is hindering effective fight against cybercrime? Is it the problem of jurisdiction? Lack of cooperation in general? Is it missing criminalization? What’s the issue?

Bernardo Pillot:
Sure. Thank you first of all for having me here. I’m honored to be here representing Interpol. This is our third year participating in the Global Cybersecurity Forum so I’m thankful to be here on behalf of Interpol. That’s an excellent question. I think it hits different points. Jurisdiction is a big problem. Cyber is not your traditional crime area where you have law enforcement responding to a crime, initiating evidence collection, interviews. The jurisdiction is in the country and an example of traditional crime. In cybercrime, it’s global. It transcends borders. You could have a cybercriminal operating in one country, you could have infrastructure in another country and then you could have victims in a third country so it’s very complicated navigating that environment in the law enforcement community and that’s where Interpol comes in. We have 195 member countries around the world. Each member country has a national central bureau which is the way that Interpol member countries communicate so our role is basically to collaborate and bring countries together to look at cybercrime in particular how to exchange information across jurisdictions and then when we see there’s a lack of perhaps capacity or knowledge in cybercrime, then we do capacity building where we set up programs to train the law enforcement around the globe on fighting cybercrime.

Prof. Marco Gercke:
Can I just follow up with a brief issue? As you are working with so many different countries, do you believe that culture is an issue that we have a lack of cooperation in certain areas because of a lack of culture or is it just that we’re lacking an international instrument that we have in other areas for example organized crime where we have a UN convention? What’s the difficulty?

Bernardo Pillot:
Well, the difficulty can be cultural. For our cybercrime program, we recognize that we can’t treat every country the same. We have 195 member countries. Cybercrime is unique. There’s some similarities but as was mentioned, there’s different legal frameworks in different areas so we look at a regional model where we break the country up, the world into different regions and focus on providing our support for that particular region looking at the challenges that they face and the threats that are important to them and I think that’s the unique way that we have been handling this issue as far as collaboration. You know, the Budapest Convention I believe is 22 years old next month. Obviously, a lot has changed in 22 years. We have a lot of advancement in technology. Interpol has been heavily involved in the UN Ad Hoc Committee process. We’re there to serve as the global law enforcement voice. Obviously, this is negotiations between countries to establish a new way of working which can be challenging obviously based on a lot of geopolitical conflicts but we’re hopeful that by us being part of this forum that we can give a voice to the law enforcement community which are the ones that actually have to do the work. A lot of countries are represented by diplomats and maybe not the people that are actually gonna be using the mechanisms that are being negotiated at this point.

Prof. Marco Gercke:
Perfect, thank you so much. Albert, before I come to you, one issue. It was last year’s forum here where we discussed the UN approach towards cybercrime, the discussion negotiation about a convention. I think we were all hoping that at this stage we would be at a different place. The negotiations were not as successful as we were hoping here last year with a lot of encouraging comments for this. Let’s see where this is heading. The process is not over but it’s definitely at a difficult stage. Albert, with your experience taking this beyond just jurisdiction, the question of jurisdiction going into corporation, where do you see the key challenges at the moment and where do you see the solution for the discussion in cybersecurity field?

Dr. Albert Antwi-Boasiako:
Prof. Marko, thank you for the question. First of all, on behalf of my country, the Republic of Ghana, our appreciation to the kingdom, to the National Cybersecurity Authority in particular for extending an invitation to us. This is the second time participating, this is the last time I was with my minister and I think it’s been a sight. We appreciate the hospitality of the kingdom. I think the issue of jurisdiction, sovereignty, cooperation is an important one whenever the subject of cybercrime comes into the picture. Prof., I think you alluded to the issue earlier. Traditionally, not just law student, but once you came across jurisdiction, then understand there’s a physical space, isn’t it, with a certain boundary. But in the cyber sphere, how do you then define the jurisdiction? When somebody could be in Saudi Arabia and still be able to commission an act targeting IT infrastructure, certainly in Ghana. These are some of the challenges that we’ve seen in this particular area. So, digital transformation is now interrogating the concept of jurisdiction as the law applies. Of course, if you’re talking of cybercrime, then the law is also very important here. But, Prof., one area of difficulties, also attribution, is another huge area. Beyond the techniques of IP spoofing and others, even the advent of artificial intelligence, I think we are interrogating how do we establish attribution when AI-enabled systems are actually behind certain crimes. So, it’s a kind of important discussion. From our perspective, Ghana as a developing country, I think we are heavily dependent on consuming technologies which are hosted elsewhere. Those days of data localization, that also raises its own question. Data governance, data protection, and how to lawfully assess data to support criminal investigation. But, of course, I think at the end of the day, the question you raise is also the variability of domestic legislation. Because if you have the concept of jurisdiction implicates a law governing that particular space. And that has been a challenge in terms of legal harmonization that a particular cyber act will be designated as a crime in Ghana. And that same act will also be seen as a crime in another jurisdiction. I think the world is moving towards that angle. Ghana is a member of the Budapest Convention, which Bernardo mentioned about. It’s among a few African countries, about six or seven, which is a signatory to this. And we’ve also signed up to the African Union Convention just to address those sort of gaps. But Budapest Convention membership is just about 60. But it has been a good foundational international cooperation instrument. And I think I also wanted to add up to the UN resolution that has necessitated negotiations on international treaty to counter the use of ICTs in cyber crime, which Ghana has been participating. So I think, I do believe the world is moving towards that direction. But we are not moving quicker. You know, hackers move with the speed of light. But the bureaucrats, whether the EU, African Union, UN, you know, the pace by which we are, and as a technical person, after such negotiations, I’m like, you get annoyed. You know, we need to move because you see the issues happening. You see the ransomware. You see the organized criminal network acting. And you expect the world leaders to also act in a manner that is equally giving that sense of urgency to address the issue. But unfortunately, it doesn’t work like that. But I do believe, I’m quite optimistic that recent developments at the regional level, at the sub-regional level, but international level is moving us because we do not have a choice. I think it’s an imperative that we find international cooperation arrangement. Of course, we can agree on everything, but the baseline, understand them, and mature mechanisms of cooperation is required to be able to address cybercrime as a transnational crime in this particular manner.

Prof. Marco Gercke:
Prof, thank you for the opportunity. Oh, absolutely. So you see, again, there is great unity in the call for some kind of closer cooperation and having those frameworks in place.Sheikh, it’s a pleasure having you here with your experience. So we would like to benefit from this. When you’re looking at cybersecurity, and again, going beyond only the issue of jurisdiction, which is a more legal thing, but cooperation, if you’re looking at the region, if you’re looking at it globally, what’s the path forward? How can we get to a closer cooperation that we’re not standing there and just looking at crimes and attacks happening, but that we can respond in due time?

Sheikh Salman bin Mohammed Al Khalifa:
So I do see cooperation on the ground. So we cannot just say it’s negative all the time, but there is real examples of successes. For example, we had a case where there was child abuse, online child abuse stemming from Bahrain to the UK. And the cooperation between Kingdom of Bahrain and United Kingdom enabled us to cooperate, track, monitor, and collect the evidence necessary to prosecute the criminal in the Kingdom of Bahrain. Collaboration is a tool and allows us to resolve our problems, even if we don’t have jurisdiction. We can make it as difficult as we would like it to be, and we can simplify it if we choose to simplify it. But I think there is the intent between countries to resolve certainly certain crimes that are common to all of us. And I think as human beings, seeing people being abused is something that we all reject. Seeing crimes committed across the border is something that we all strive to stop. And I think establishing one-on-one relationship is one way of solving that problem, but also we have international cooperation and regional cooperation. For example, the GCC has the GCC agreement that we can, any crime that happens in one country, we will support another country in investigating and resolving it in all online crimes. And that’s the kind of collaboration you want. You want inter-regional, international, and maybe cross-regional agreements. So if we can’t, we do not need to wait for the international community to agree so the GCC can work with the African Union as well, so that we can harmonize our cooperation and utilize each one’s jurisdiction to resolve that cybercrime. So we don’t need to wait for the UN to solve our problem. I think we can have it happen at a regional level and cross-regions, and then eventually maybe the UN will catch up.

Prof. Marco Gercke:
That’s a very good point. I think it’s important to highlight that I had the pleasure of working with a lot of governments in different parts of the world. I’ve been in Africa. I’ve done a lot of work with countries here in the region with the GCC. There are those instruments in place already. We see it. We had the former president of the European Commission here. So in the EU there is regional cooperation. The Council of Europe Member States, there is regional cooperation. We have it in Africa. We see that there is a great degree of cooperation in GCC. We see it also in Southern Africa, sorry, Southern America and the OAS. There is a cooperation. So we see those regional instruments. What is currently still lacking is the global dimension that is adding something to it as cyber threats are truly global. Bernardo, I would like to ask you again on one of the issues. How about the private sector, the public- private partnership? Can that add to it? Can that, even if there is no legal framework, no global legal framework in place, can the fact that we have those large international, multinational companies that are based in the United States, for example, help law enforcement agencies around the world to get access to data that they need, even if there is no legal framework in place?

Bernardo Pillot:
Sure, absolutely. We at Interpol have a project called Project Gateway where we connect with the private industry, public-private sector. We have 13 companies that have signed on to this agreement and the idea is to exchange intelligence. Obviously these big companies are protecting their clients but they hold a lot of the intelligence that law enforcement needs to move forward an investigation, to identify different threats. So this collaboration that’s been ongoing with Interpol and these companies have allowed us to provide that intelligence to countries to act on it. The idea is to have actionable intelligence where countries can actually take action on cyber threat actors that have been identified. So we recognized early on that as law enforcement, especially in cybercrime, companies, big industry hold that data that we need. They have the expertise, the tools and what we need to do is leverage on that and it would be not just for the benefit of the companies but obviously for the benefit of our member countries around the globe.

Prof. Marco Gercke:
So did you want to add to it? Okay but I’d like to have your view on this on this issue as well because there is an opportunity certainly with global companies supporting the work of law enforcement or the fight against against cyber attacks. Is this something that we need to enforce where we need a forum like this one where we need to involve the industry and ensure that there are maybe global standards, a protocol, something even if it is not legislation in place that there is some some kind of mechanism in place that we can improve this cooperation with nation states? For example if you need to access data in the United States do you have the right tools or do you believe this needs to or

Sheikh Salman bin Mohammed Al Khalifa:
should be improved? I think that is a difficult ask because there are legal ramifications to that. If for example private sector companies took action or shared information they were not supposed to. For example take Europe, that’s part of GDPR and by sharing information without the consent of the companies or the information owner they can be sued. So and I think there needs to be some kind of protectionism given at the global level or at least at the regional level should the information shared in cases of cyber crime and we can focus on just that aspect of it and minimize the risk that they have to bear from a legal perspective so that they cannot be sued from the information owner or from the governments in the region.

Prof. Marco Gercke:
Okay that’s a that’s a very interesting point. I still remember discussions with law enforcement agencies at the time when cloud services started to pop up and they were really afraid that they said we will not be able to go to the premise of the suspect anymore and seize material there because they’re all stored in the cloud and that makes it significantly more difficult for us to get access to the material. However after a short period of time they realized okay but there is a centralized cloud provider and instead of having to search at the suspects premise I can simply call the cloud provider and say give me the data and I don’t even need to enter the suspects premise. So there are certainly two sides to each of the issues. There are opportunities and risks. I’d like to discuss a little bit the way forward. We only have nine minutes left. I’d like to to try to look out where do we need to to put the focus. Do we need to do it on the national level? Do we need to solve the issue there? Where do you see where we should take action? Where the focus should be? It can be again as we did last year call for the United Nations to take action. It can however also be to say okay let’s clean up our house first and make sure that we have the instruments.

Dr. Albert Antwi-Boasiako:
Prof, I think there is interrelationships around us. You can’t address this issue. It is only at international level, at a sub-regional level, without looking at domestic level. So I think at each level we need to make some tangible progress. Certainly the minimum is at a national level you need a legislation that is fit for purpose. So for example, Ghana in 2020 passed a cyber security act that tried to address some of this gap. You need to. I think as a rule of law country that is a baseline that you need to. Of course the alignment with a sub-regional instrument is also key and I think from my region ECOWAS has got instruments on cyber crime to facilitate collaboration. It is needed. At the African Union level working with Malabo Convention, the African Union Convention on Cyber Security and of course at a global level. I don’t think we should be overly ambitious with expectation of what to achieve at a global level. But I think at a domestic level, at the sub-regional level, there is that opportunity to agree on basic cooperation framework that we can address this issue. And I think it’s an evolving situation, there’s no doubt. And my last example, what’s the refusal or the difficulty for countries like Ghana to access lawful access to data from the big tech firms is leading to what we call, you know, data governance and what? And sovereignty. You are likely to do a domestic law that will compare service providers, institutions to rather invest in keeping their data within the country instead of keeping them out. So I think the environment is opening up and I think, you know, linking to the private sector issue, I think the private sector needs to be aware of what is happening and cooperate with the states so that we can make progress in this particular area.

Prof. Marco Gercke:
I mean, you heard during the opening presentation and those of you who are following the discussion already knew before that there is now a GCF Institute and maybe that would be something that the GCF Institute could look into and have a look at different frameworks that are already there, different ways of cooperation and maybe to see if it is possible to build upon this. Maybe we have to go get back to the drawing board when the negotiations in the room don’t work. Bernardo, there are different areas that we are associating with cyber security and cyber crime. From a perspective that was discussed here very frequently of critical infrastructure, there are attacks against critical infrastructure, but that’s not the only problem. We can go all the way down to, for example, child sexual exploitation material, which was mentioned here by Mr. Sheikh Salman before. So, what are the areas where cooperation works, where you see that’s something where it’s happening frequently and it’s happening routinely at a high speed, and where are areas where we’re finding it more challenging? Because I think this is really important. If you’re a provider of critical infrastructure and you’re realizing chances for cooperation are limited, that’s where the pressure starts to build up.

Bernardo Pillot:
From an Interpol perspective, the cooperation that we see that happens pretty quickly is anything having to do with children. Obviously, that’s important. Anything related to child sexual abuse material is almost immediate. Everyone collaborates, everyone works together, including private companies, obviously giving access of their information to law enforcement to take action. I don’t see that as an issue. I think the issue that we’re seeing is when you look at a ransomware attack, how are countries working together and exchanging information? A lot of times what we’re seeing, and it’s a tendency in law enforcement, is keeping things to themselves and not sharing with other jurisdictions that potentially can help mitigate the attack or find a way to attribute that attack to an actual person. So I think we need to work together in a better way, a more organized way. I think this is where Interpol plays a big role. We’re a neutral organization. We have 195 member countries, like I mentioned, around the globe. We’re not taking sides with one country or another. Our idea is to facilitate that exchange of information, but it has to come from a place of trust. I think it’s inherent in law enforcement that we don’t trust each other, so we need just to do a better job at that.

Prof. Marco Gercke:
That’s a good word, almost a good final word. We met here twice. This is the second time we’re meeting. When we’re meeting again, if we’re meeting inshallah next year, what will have changed? What are you hoping for as a realistic target? What could we have achieved over the next year when it comes to cooperation? Do you think there is anything where you see there is going to be a breakthrough, or do you believe it’s the small things that you do not necessarily see on a daily basis where agencies are working together, which will make most of the difference in this year?

Sheikh Salman bin Mohammed Al Khalifa:
I see two things. With regards to ransomware, we’ve seen 40 countries sign up for cooperation in order to not only stop paying ransomware, but actually sharing critical information about decrypting certain information. Now, if the whole countries started sharing how to decrypt that ransomware and sharing those keys, we would have less crime. That trend I can see happening. I see greater regional cooperation, so inter-regional cooperation between, say, the GCC and the African Union or South American countries. This inter-cooperation will also enable us to better respond in probably sometimes with the support, obviously, of Interpol, allows us to move faster, and I think that’s what we should see, more inter-organizational established relationship to rapidly respond to these attacks. Yes, you know, cybercrime related to children is an emotion that everybody supports and the laws support it, but we need to extend that as well to ransomware that can destroy organization and the livelihoods of individuals and companies globally.

Prof. Marco Gercke:
Thank you so much, Albert. If I can ask you, if you can make a 30-second wish, you only have… Here we go.

Dr. Albert Antwi-Boasiako:
I was going to ask you, Prof, thank you. Ghana is hosting an international event later November, the Global Conference on Cyber Capacity, being organized by the World Bank in collaboration with the World Economic Forum, GFC, also Cyber Peace Institute. We are expecting close to a thousand international delegates in Accra, and the team is capacity with Ghana’s vision to lead cyber security on the African continent, and we look forward to see some of you, if you receive your invitations already. Other than that, we’ll also be happy to engage on this going forward.

Prof. Marco Gercke:
Thank you so much for basically inviting the people in the room over to the next conference, which would be definitely a pleasure. The only thing I can do is I can carefully close this session, this panel, by thanking the panelists, thanking the audience. I think we have seen that there is already progress, that maybe we do not necessarily focus on when we’re only looking at the big global developments with the discussion about the UN Convention being stuck. We heard various examples of successful regional corporations that we can maybe learn from. We’ve heard that there are areas where cooperation works, because everybody’s interested, like the protection of children, where we’ve heard from successful examples where this cooperation takes place. Do I personally wish for more? Do you think we should wish for more, that we get this broad approach? Yes, I think it’s realistic, but maybe on the way there we need some more research, getting back to the drawing board, and maybe the GCF Institute can play a role there. With this, I would like to thank you all, and please enjoy the rest of the conference, and maybe see you all in Africa.

Excellency Mr. Yusuf Albanyan

Mr. Yusuf Albanyan, a former minister of education with a background in the energy and chemical industry, aims to enhance global cybersecurity through public-private partnerships. He sees himself as a catalyst between the public and private sectors and wants to target the enhancement of global cybersecurity issues. This aligns with the United Nations’ Sustainable Development Goals (SDGs) 9 and 17, which focus on industry, innovation, infrastructure, and partnerships for the goals.

Mr. Albanyan believes that cybersecurity education should be integrated into the education system as a change management program. He argues that the current youth generations are dealing with cybersecurity daily in their communications and learning materials and that their future lives are linked to cybersecurity issues. By incorporating cybersecurity education into the curriculum, students will be equipped with the necessary knowledge and skills to navigate the challenges of the digital world.

Furthermore, Mr. Albanyan emphasizes the role of families and the community in developing responsible online behavior. He believes that a lack of awareness and a weak sense of caution are major challenges to cybersecurity. Therefore, community contributions to the entire transformation plan are important. This highlights the need for collaboration and cooperation between various stakeholders in society, including families, to effectively tackle cybersecurity issues.

The Saudi Arabian government is also prioritizing cybersecurity. It is focusing on creating an ecosystem to address these challenges, and the Ministry of Education is actively involved in this effort. This demonstrates the recognition of cybersecurity as a crucial aspect of national security and the development of a future-ready workforce.

In terms of the education system, teachers play a fundamental role. Development programs are being set up to provide teachers with the necessary training and knowledge to handle cybersecurity issues. Additionally, digital literacy and AI are considered essential tools to enhance teachers’ skills and research capabilities.

The use of distance learning and digital tools is expected to be an integral part of the future education system. The COVID-19 pandemic has highlighted the importance of these tools, and the view of digital education needs to evolve from an emergency model to an integral part of the educational experience.

Private sector involvement in education is seen as a necessity rather than a luxury. Mr. Albanyan believes that the private sector and government should work together and complement each other’s roles to provide quality education and prepare future generations for the challenges of the digital era.

In conclusion, Mr. Yusuf Albanyan’s vision for enhancing global cybersecurity through public-private partnerships and integrating cybersecurity education into the education system reflects a proactive approach to addressing the challenges of the digital world. The emphasis on collaboration, cooperation, and value-driven transformation highlights the importance of involving all relevant stakeholders, including families, communities, and the private sector, in ensuring a safe and secure digital environment for everyone.

Moderator – Nisha Pillay

In the discussion, the importance of cybersecurity education and awareness was emphasised. Living in an age of increasing cyber threats, developing a cybersecurity mindset is critical. Education was seen as crucial in improving cybersecurity, but it was also recognised that implementing cybersecurity knowledge can be challenging due to various addictions, such as internet and social media. The addictive nature of social media poses a hurdle in adapting to a cybersecurity mindset.

Starting cybersecurity education from an early age was deemed fundamental as children need to be introduced to cybersecurity as soon as possible in the face of burgeoning cyber threats. Efforts should be made to educate young people about responsible online behavior given that they are born into a digital world and often take it for granted. The addictive nature of much of social media makes it challenging for them to develop responsible online behavior, but it is still crucial to teach them about responsible digital citizenship.

Several programs are in place to enhance cybersecurity awareness. One program mentioned is AMIN, which involves the National Cybersecurity Authority (NCA), the Ministry of Education, and the Saudi Arabian Vision 2030 Cybersecurity Center (SAVIC). The program includes conducting nationwide exhibitions, providing virtual and physical lectures, and having ambassadors spread the importance of cybersecurity.

The approach to cybersecurity needs to change, viewing it not just as a system or policy issue but as a personal responsibility for the safety and future of individuals. It was proposed to instill values in security awareness programs, making it more of an emotional appeal rather than just a list of dos and don’ts.

The idea of banning phones in schools to increase student engagement was raised. Excessive phone usage can distract students and hinder their engagement, so limiting phone usage in schools could lead to increased focus and participation.

When it comes to education and awareness, the focus should shift from policy enforcement to cyber education and awareness. The younger generation is born into a digital era and views it as business as usual. Therefore, efforts should be directed towards a transformational awareness program that educates and empowers individuals regarding cybersecurity, rather than relying on fear tactics.

The role of teachers in a digitised education system was highlighted. Teachers may not have grown up in the digital age and may need additional support to effectively teach cybersecurity. Therefore, it is important to address the role and needs of teachers in a digitised education system.

Furthermore, the value of digital literacy and cybersecurity training for teachers was discussed. A comprehensive program is in place to provide teachers with the necessary training and support, covering topics such as digital literacy, cybersecurity, and the use of artificial intelligence (AI) in education. Equipping teachers with digital skills is essential for them to effectively teach cybersecurity to their students.

The potential benefits and ethical implications of AI in education were explored. AI can enhance the skillsets and research capabilities of teachers and university faculty, but it is important to balance the opportunities and threats associated with AI in the learning environment. With proper control and implementation, the risks of educational technology can be minimised.

Ethical considerations in AI implementation were mentioned, with global leaders expressing concerns. A strong platform is needed to manage the risks associated with AI and ensure its ethical use in education.

The role of the private sector in cybersecurity was also discussed. Private companies collaborating with the government are crucial in enhancing cybersecurity measures. The private sector plays a significant role in developing innovative solutions and technologies to tackle cyber threats.

Additionally, the value of digital education, particularly during the COVID-19 pandemic, was acknowledged. Distance learning has played a vital role in ensuring the continuity of education during challenging times.

Overall, the discussion highlighted the importance of cybersecurity education and awareness in combating cyber threats. It emphasised the need to start cybersecurity education from a young age, develop responsible online behavior, and introduce values into security awareness programs. The role of teachers, the potential benefits and ethical implications of AI in education, the role of the private sector, and the value of digital education were also discussed. Collaboration between stakeholders, including the government, private sector, and educators, is crucial in achieving cybersecurity goals and ensuring a safe digital future.

Moderator – Nisha Pillay:
Excellencies, ladies and gentlemen, welcome to Building Resilience Through Education. I’m Nisha Pillay. I’m very pleased to be your moderator, and I’m even more pleased to welcome the Minister of Education for the Kingdom, His Excellency, Mr. Yusuf Albanyan. So you may be asking yourselves, ladies and gentlemen, why is education so high up on the agenda of this year’s Global Cyber Security Forum? Why? Well, the reason is clear. Living as we do in an age of exploding cyber threats, it’s imperative that we catch them young, that we develop a cybersecurity mindset and attitude as early as possible. It’s obvious, right? But how do you actually do it? It’s not so easy in this age of addictions, internet addictions, media addictions, social media addictions especially. That’s going to be the topic of my conversation with His Excellency. So if you don’t mind, ladies and gentlemen, and Your Excellency, I’d like to start with a personal question. Is that all right?

Excellency Mr. Yusuf Albanyan:
It’s fine. Go ahead.

Moderator – Nisha Pillay:
As you know, His Excellency was a really top business leader. You had a commanding private sector career until very recently. So what made you change? And what do you think is the challenge for the government sector in being nimble, especially in the face of these kind of threats?

Excellency Mr. Yusuf Albanyan:
Well, initially, I don’t know whether I have a choice or not, but I think it’s – by the way, this is my first time to get introduced on a business setting as really a minister of education. And at the same time, I think this will be a great opportunity for me to meet with our public and private forum. Coming from the energy and chemical industry, we have a very important role that catalysts to play. And I think at this point of time, I look at myself as a catalyst to play between public and private, and hopefully we can achieve our target to enhance our global cybersecurity issues.

Moderator – Nisha Pillay:
How do you see the importance of cybersecurity education then in the education system? How do you embed it?

Excellency Mr. Yusuf Albanyan:
Well, I think – let me start with the points. I think the previous panel have really struggled with the fact that how can we bring global security into the top agenda? I would propose to the expert in the global security to do a change management programs because I think linking security with cyber, this is really box the cyber issue around only security. In my view, the global cyber issues, it’s beyond security. And if we continue – What do you mean? How do you mean? Because I think the issue with the global cybersecurity is not system, is not policy. I think it requires huge change management programs. And this is why in education, we feel as of today, the youth, the current generations, they’re born in digital. So they are basically dealing with cybersecurity on day in, day out, and their communications and their learning materials. And this is why I think we need to program ourselves into the mode that cybersecurity is not only security. It’s basically every day in the morning, we wake up, we do unconsciously a risk management. So dealing with a cybersecurity issue, it has to do with individuals’ future life. In the same time, it’s very important to understand they need to integrate this as part of the skillset requirement in order for them really to survive and their business community. My view, we need to focus on change management. And this is why in our education system, we feel there are very important elements that we need to focus around curriculum. And as of today – Give us some more details. I will give you more details. As of today, we are heavy on knowledge base. We need to have a much better balance between skillsets and values. Say that again. A better balance between? Between knowledge and also skillset requirement. Skillset. So they’re different. And values as well. Okay. I think looking at cybersecurity, it’s not only a skillset issue, but also it has to be an integral part of our value system because we need to protect ourselves, our family, our society, and the entire community we operate in.

Moderator – Nisha Pillay:
So to almost bring young people on with a sense of responsibility to the wider setting.

Excellency Mr. Yusuf Albanyan:
Absolutely. Absolutely.

Moderator – Nisha Pillay:
That’s fascinating. I want to ask you, how do we develop online, responsible online behavior when our young people, our children are bathed in this? They’re born into this digital world. They take it for granted. And when so much social media is so addictive.

Excellency Mr. Yusuf Albanyan:
I think now being on my current role for almost a year, I think we need to make sure that we involve ourselves within the classroom, either in school or university, is only one piece. The other important piece is the community contributions in the entire transformation plan. And specifically, families. And if you look at the challenges poses against cybersecurity today, one of it is lack of awareness. The importance of cybersecurity. But the second, also we need to see within our children, we have weak sense of caution. Children has sense of anxiety and curiosity exceeded their sense of caution. So by default, they will be dealing with social media and gaming in a more aggressive and excessive way. And if they don’t really being cautious, then it will be an issue.

Moderator – Nisha Pillay:
So what can we do to help parents and families, do you think?

Excellency Mr. Yusuf Albanyan:
I think we have a very interesting program. I mean, if you look at the government of Saudi Arabia, we focus on the ecosystem. You see NCA and its role, and you see Sadaia. And I think both of them are creating the right ecosystem to make sure that the entire public and private sector operates on the proper dynamics to tackle the issues. And what do we do? I think we have a very great programs that is basically between NCA and Ministry of Education and SAVIC. And they came up with a very sophisticated programs, AMIN, which basically touches five important elements. How can we enhance the awareness program? We have a lot of exhibitions across nation, make sure that they understand what cybersecurity all about. We have also virtual lectures that we are providing people, they can have access to it. We have also physical lectures either in schools or universities. And in the same times, we have ambassadors that they are going around the nation to make sure that they spread the importance of cybersecurity. But I want to go back also to my initial remarks. We need to expand the view on cybersecurity. It’s in a different approach. This is for you as much as it’s for me. And I think if we look at it only from a compliance perspective or basically a system issue, continuously we’ll struggle. But if we spin it on a different way and we tell individuals, especially young generation, this is for you. This is for your own safety, for your own future. And I think you will see more buying into it and they will be more receptive to it. Because the issue is not a system or policy.

Moderator – Nisha Pillay:
As you were saying, to bring values into the core of it, which is a sort of emotional appeal almost, isn’t it? Into the core of it, rather than do this, do that. Make it more appeal to the heart.

Excellency Mr. Yusuf Albanyan:
I mean, let’s face it, in Saudi Arabia, we have basically asked students not to bring their phones in school. You know, lately for the last year, we see other nations, they are really following what Saudi Arabia have done. But why we have done it? The purpose of banning phones, cell phones with the students, basically we would like to increase their engagement with their teachers and the classroom. Not only this, we would like to make sure that they have also addictions to screen. Internet usage has to slow down, has to basically brought into the proper level. And this is a very important policy that we have introduced. And I think we need to look at it from a different aspect from only policy compliance, as much as this is for the sake of the student themselves. And we see a good level of compliance in the school because of that. So the ban on mobiles in schools brought in a couple of years ago, do you think it’s made a difference to protecting young people in the education environment? Again, I think let’s move away from the terminology security or protection. I’m not a fan of this because you cannot really operate on a fear factor. You need to operate on a more sophisticated transformation awareness program. And I think you need to communicate with the young generations. And by the way, they born it. They are basically born in the digital era. So maybe for us, we look at it differently. But for them, it’s really business as usual. And this is why we need to show the value rather than just look at it from really policy enforcement.

Moderator – Nisha Pillay:
So then it begs the question, what can you do to make cyber education and cyber awareness, let’s say, more appealing, less about the rules and more about the possibilities?

Excellency Mr. Yusuf Albanyan:
This is a good question. If you look at our strategy, we would like to have our education system, both K to 12 and university, to have a pipeline of talent that they are not only competitive domestically, not only regionally, but also on the global scene. Therefore, we look at the global citizenship. The cyber security is a global issue, is not really a regional issue. This is one aspect. The second, if we agree that in order for us to move into a much better space around cyber security, we need to enhance the knowledge and awareness program. This is why in our curriculum, we are re-basically classifying our curriculum programs where it has knowledge base, skill base, and value base. And if you look at knowledge, skills, and value, they are all needed for cyber security awareness program. So if you look at the global citizenship and the programs and curriculum transformation, and basically they will emerge into a very sophisticated environment that hopefully will allow our current and future generations to look at cyber security as basically not as a policy again, but as something that they have to do it, one, for their own safety. They need to feel they are responsible for it, and at the same time, it has become also a skill set requirement for their future workforce.

Moderator – Nisha Pillay:
Essential. So as cyber security, as you say, is a global issue, is there a role for multilateral action for governments to work together, to collaborate, and to cooperate?

Excellency Mr. Yusuf Albanyan:
Well, as you know, the government of Saudi Arabia has really participated on drafting basically the generative AI on 2021, on UNESCO. In the same time, Saudi Arabia has also a committee where basically look at this in a more sophisticated way, and Ministry of Education as basically the largest participant is a member of the committee. As you know, we have more than 6.5 million students on K to 12. We have more than 1.3 million students in universities. We are touching every single members on the society, and tell me about it. I’m getting this pressure every day.

Moderator – Nisha Pillay:
You know, we’ve talked about parents, we’ve talked about the ministry, the education system, cooperation with other governments, but we haven’t talked about yet with the teachers themselves. Now, many of them, like someone like me, would have grown up in a non-cyber age, not born into a digital world. What kind of help and support do teachers ask for, or do you think they require?

Excellency Mr. Yusuf Albanyan:
Ma’am, I think we need to recognize that you cannot have education system above the quality of your teachers. So I think it’s very important that the teachers are really the foundation for any success on an education system. Therefore, we have a very sophisticated program at the last stage at this point of time where we will develop all teachers who needs to go to the classroom. They will go into basically development programs similar what we used to use in our chemical industry engineers in order for them to move to the plants. They have to go through very rigorous programs in order for them to get qualified to go and manage plants, even though they graduate from two universities. And those programs will be basically touches every aspect of their developmental need, and one of it digital, because teachers has to be digitally equipped in terms of knowledge in order for them to deal with the current and future generations. And cybersecurity is going to be part of it and other. For example, how can you use AI from the aspects of positive side? As you can see today, people are sometimes cautious around using AI, but let’s remember, any new technology has its own risk. But as of today, I think we have a very strong technology innovation in educations. They are more or less in control environment. They will be less risk than others, but will allow teachers and also faculty in universities to enhance their skill set and research using AI in a more safe way.

Moderator – Nisha Pillay:
Can we explore that a little further, Your Excellency? So schools around the world are grappling with how to use AI, because if the schools don’t come to term with it, certainly the children will. They can use it for research purposes, a big plus, but they can also use it to write their entire script, which is maybe not such a plus. So I wanted to ask you, what are your reflections on the opportunities and the threats? How does one balance that as a whole new way of learning?

Excellency Mr. Yusuf Albanyan:
One thing I learned from business, if you wait to check the old boxes, you will lose the opportunities. You need to calculate your risk. You need to really basically go ahead and make sure that you are having a very sophisticated calculated risk matrix and move on. As of today, for example, I bet you there is no single individual can tell you what is the implication of AI tomorrow. They just think and they predict, and there are different models that is running. As of today, we are in the ministry. We formed a team to look at how the school looks like in 2035 and 2040. Is it going to be a similar school model we have today? I don’t know. That question remains to be answered, but I do believe technology and AI is going to play a major role on this. How do we view digital? Is it really just for an emergency model or is it going to be an integral part of our educations? Because during COVID, I think distance learning have played a major role for all education systems to continue. But as of today, we view it, some view it as an emergency model, some view it as a blending knowledge on our educations. If you bring this all together, cyber security is going to be an integral part of it and AI is going to play a major role. How do you view AI, Your Excellency, in the education system, a threat or an opportunity? In fact, just as soon as I leave this room, I have a meeting with some of my team because we use AI, by the way, just three weeks ago on different schools in the kingdom. And you will be surprised. We have very innovative teachers who really have leveraged it on their own scale. Imagine if we bring it on a national level, how is it going to look like? But at the same time, we need to be cautious on the implications. And I think from my engagement with the global leaders, the issue in AI is not the functionality, the issue in AI in ethics and values. How ethically we will be able to leverage AI and how can we create a strong platform to manage the risk of AI?

Moderator – Nisha Pillay:
Ethics and values. Very interesting because that’s what you said when talking about broadening our approach to cybersecurity as well. So finally, I’d like to ask you, Your Excellency, about the role of the private sector and the huge cybersecurity industry out there, small and large companies, how can we bring them together with educators and the education ministry to develop new approaches, maybe innovations?

Excellency Mr. Yusuf Albanyan:
Well, again, before I used to use this terminology. How can we bring them together to play their roles on the entire community? I think my duties today are coming from private sector and working on governments, specifically in a very important role where basically influence the future generation. How can we bring a clear understanding that private sector and governments, they are not different. They are one, playing together. Each one of them play its role to complement the end of the day what 2030 Vision really inspired for. I personally see this on the private sector. I see it today in the government when I come into Ministry of Education. Private sector role in Ministry of Education is not something that’s nice to have. It’s going to be something that we have no choice, but each one of us has to complement what really bring us at the end into a success to achieve our 2030 Vision.

Moderator – Nisha Pillay:
Your Excellency, it’s been a pleasure to meet you. My mindset has already started changing. What did you say? Abandon the fear factor. It doesn’t work. Embrace ethics and values. It’s really been a pleasure. His Excellency, Mr. Youssef Albanyan.

Excellency Mr. Yusuf Albanyan:
Thank you very much. Thank you. Thank you. Now, sir, I mean, which is correct, first and last name. Yeah. Thank you.

Kersti Kaljulaid

The analysis examined several significant topics related to technology, cybersecurity, and regulation. One key point raised was the increasing threat of AI in military systems and cybersecurity. The speakers highlighted the potential harm that AI worms could cause to military systems, as well as the planting of false data. The risks posed by these threats require proactive actions to address and mitigate them.

Another important topic discussed was the lag between the legal cycle and the tech cycle. The speakers emphasized the need for a better-functioning legal framework that can keep up with the rapid advancements in technology. They highlighted the challenges posed by emerging technologies such as predictive AI, 5G, 6G, and space technologies.

The manageability of current cyber attacks was also examined. The analysis revealed that Estonia experienced approximately 2,500 serious cyber attacks in the past year, with only one causing disruption in train ticket purchases. While the situation is considered manageable, it comes at a growing cost.

Cooperation and standardization were highlighted as crucial factors in addressing cybersecurity challenges. The analysis noted that countries like Saudi Arabia can play a significant role in promoting positive technological developments by encouraging industry adherence to set standards.

Corporate transparency and the voluntary sharing of development details with governments were emphasized. It is important for companies to share information about their technological advancements with relevant authorities to enable effective regulation.

The speakers also expressed support for imposing sanctions on companies that interfere with political processes. They argued that mechanisms should be in place to hold such companies accountable and negatively impact their share prices.

The European Union’s AI act was seen as a positive development. It was recognized that the General Data Protection Regulation (GDPR) became a de facto global standard, and the speakers believed the AI act should do the same. Global adherence to this act is seen as crucial for ensuring industry security, preventing conflicts, and addressing regulatory queries.

In addition, having a certain set of standards for investment security was highlighted. Regulations play a vital role in preventing potential conflicts and questions in various countries. The importance of basic principles such as human rights and the rights of nation-states was reiterated, as well as involving more women in the cybersecurity sector.

Overall, the analysis emphasized the need for proactive measures to address the increasing threat of AI in military systems and cybersecurity. It highlighted the importance of a functioning legal system that keeps pace with technological advancements, the manageability of current cyber attacks, cooperation and standardization, corporate transparency, global adherence to the European Union’s AI act, and involvement of women in the cybersecurity sector. It concluded that basic principles and compassion should guide the development and application of technology, defining the future of humankind.

Jose Manuel Barroso

The analysis highlights several key points regarding cybersecurity and global cooperation. First, advancements in fields like artificial intelligence and quantum computing pose challenges for maintaining a high level of cybersecurity. This is because these developments can make it difficult for security measures to keep up with new threats, leaving data and networks vulnerable to cyber attacks. The supporting fact provided is that developments in sectors like artificial intelligence and quantum computing might make it difficult to maintain a high level of cybersecurity.

Second, confidence and sincere cooperation among major powers, such as the United States, China, and Europe, have been decreasing. This lack of cooperation is a negative sign for global cybersecurity efforts, as collaboration and shared knowledge are essential in combating cyber threats effectively. The supporting fact is that there was a level of cooperation between major powers such as the United States, China, and Europe when Barroso was in the European Commission, but it might not be the case today.

Furthermore, cyber criminals do not stop at borders, highlighting the need to view technology as a global public good. This means that efforts to ensure cybersecurity should not be limited to individual countries but should instead involve international collaboration and cooperation. Some powers may resist supranational regulation, which emphasizes the need for shared responsibility in addressing cyber threats. The supporting facts provided are that cyber criminals do not stop at borders and that some powers may resist supranational regulation.

Moreover, Saudi Arabia, as an important member of the G20, has the potential to play a significant role in fostering dialogue and cooperation in cybersecurity. By leveraging its position and influence, Saudi Arabia can offer spaces for dialogue and collaboration in addressing cyber threats. The supporting facts are that Saudi Arabia is an important member of the G20 and can offer spaces for dialogue and cooperation in cybersecurity.

In the context of public health, while COVAX successfully distributed 2 billion vaccines across 146 countries, disparities in vaccine access between developed and developing countries were observed. This highlights the need for equitable distribution and access to vaccines to ensure global health security. The supporting facts are that COVAX distributed 2 billion vaccines and that disparities were seen in vaccine access between developed and developing countries.

A multi-stakeholder approach is deemed necessary for addressing global challenges like public health and cybersecurity. This approach involves the participation of governments, businesses, research institutes, and civil society to collaborate and find effective solutions. However, not all countries may be willing to share their expertise in cybersecurity due to defense and war implications. Public-private partnerships can reduce cybercrime, as the cost of cybercrime is expected to reach $10.5 trillion in two years. The supporting facts are that Gavi uses a multi-stakeholder approach involving governments, businesses, research institutes, and civil society, and that public-private partnerships can reduce cybercrime.

Saudi Arabia, with its good connections with both China and the US, can serve as a bridge between the two countries in technological aspects. This can facilitate cooperation and dialogue, leading to advancements in cybersecurity measures. The supporting facts are that Saudi Arabia has good connections with both sides of global arguments, is a member of G20 and BRICS+, and is developing capabilities in the field.

On the subject of regulations, there are some countries that do not support supranational regulation and binding agreements on cybersecurity. This presents a challenge in establishing cohesive and universally applicable cybersecurity measures. The conventional wisdom is to follow the principles of international law on cybersecurity. The supporting facts are that there is a stalemate in the United Nations on cybersecurity and that the conventional wisdom is to follow the principles of international law on cybersecurity.

In terms of strengthening cybersecurity, like-minded countries can forge ahead and extend areas of consensus. By finding common ground and cooperating, these countries can work towards improving cybersecurity measures on a global scale. The supporting fact is that like-minded countries can forge ahead and extend areas of consensus to strengthen cybersecurity.

Another noteworthy observation is that the implementation of GDPR initially faced criticism but is now considered a significant improvement. GDPR, a data privacy regulation introduced by the European Union (EU), has set a global standard, with California following closely in its footsteps. This highlights the positive impact and influence of global standards in regulating and safeguarding data privacy. The supporting facts are that GDPR faced criticism initially, businesses in Europe now agree that GDPR was an improvement, and California followed closely EU’s GDPR, setting a global standard.

Despite the difficulties and time-consuming nature of establishing global standards, they are deemed beneficial and necessary. Negotiation and consensus-building are essential in creating these standards, which may present challenges. However, having global standards is preferable to each country making its own regulations and can contribute to greater international cooperation. The European Union is cited as a good example of successful cooperation. The supporting facts are that creating global standards requires negotiation and consensus, the European Union is a good example of successful cooperation, and despite the difficulty, global standards are preferable to each country making its own regulations.

Cooperation and scale in regulations are crucial for global competitiveness. By cooperating and creating uniform regulations, regions like Europe gain the necessary scale to compete with major players such as the United States, China, and India. This emphasizes the importance of collaboration and the creation of a level playing field in global markets. The supporting facts are that all countries in Europe are considered small, cooperation gives them necessary scale, and cooperating and creating uniform regulations like GDPR allows Europe to compete with the likes of the United States, China, and India.

Furthermore, cybersecurity is a specific but crucial part of overall security concerns. The European Agency for Cyber Security estimates that Europe needs 200,000 cyber experts, highlighting the growing importance of addressing cybersecurity risks. Although there has not been a major catastrophic event globally in terms of cybersecurity, it is seen as a prominent and emerging threat. The supporting facts are that the European Agency for Cyber Security estimates that Europe needs 200,000 cyber experts and that until now, there has not been a major catastrophic event globally of cybersecurity.

In conclusion, the analysis emphasizes the challenges and importance of cybersecurity in a rapidly evolving technological landscape. It highlights the need for global cooperation and collaboration in addressing cyber threats. The involvement of multiple stakeholders, equitable access to resources, and the establishment of global standards are deemed crucial. Additionally, the potential role of Saudi Arabia in fostering dialogue and cooperation, as well as the significance of GDPR and the multi-stakeholder approach, are underscored. Solutions to cybersecurity challenges require proactive measures, efficient risk management, and increased public investment. Overall, the analysis calls for collective efforts to safeguard data, networks, and global security in the face of technological advancements.

Shyam Saran

Shyam Saran emphasises the need for international collaboration in tackling pressing issues such as cybersecurity and climate change. He argues against the competitive negotiation frameworks that are currently in place and advocates for a more collaborative approach. Saran believes that competitive frameworks often lead to compromised results, whereas a collaborative approach can yield optimal results in dealing with cybersecurity and climate change.

Saran also highlights the challenges and opportunities presented by the digital space. He stresses the importance of inclusion in India, where the digital space has enabled a degree of inclusiveness. However, Saran acknowledges the tremendous assault on cyberspace by malevolent forces, highlighting the need for measures to protect against such attacks.

The scale of the cybersecurity challenge is exemplified by the thousands of cyber attacks on sites associated with the G20 summit. This serves as a clear indication of the magnitude of the challenge that nations face in protecting their digital infrastructure.

India stands out as a proactive player in tackling cyber threats, actively collaborating with various partners to address the growing menace. Saran argues that the current international system seems insufficient in dealing with the cyber threat, making collaboration all the more necessary.

One of the key challenges in regulating technological advancements lies in the gap between policy makers, decision-makers and the pace of technological innovation. This gap makes it difficult to develop effective regulations that can keep up with the rapid changes in the digital landscape.

Saran highlights the importance of forums like the Future Investment Initiative in creating awareness among decision-makers and policymakers. Recent initiatives by President Biden and the European Union are mentioned as steps towards tackling cybersecurity issues, indicating a growing recognition of the need for action.

The advancements in the digital space have both positive and negative societal impacts. While it has enabled inclusiveness and positive changes, there have also been negative effects, including infringements on women’s rights. Preventing these negative effects requires proactive measures, including the active participation of women.

Recognising the value of women’s participation in the digital landscape, Saran emphasizes its importance in addressing negative trends and contributing to economic growth. He also calls on universities to actively participate in supporting changes brought about by technology and fostering gender equality.

Despite the usefulness of digital technology as a tool, Saran cautions against allowing it to dominate human beings. He highlights the importance of maintaining a balance and ensuring that humans remain in control, rather than being controlled by digital technology.

In conclusion, the need for international collaboration to address cybersecurity and climate change is crucial, according to Shyam Saran. He emphasises the importance of adopting a collaborative approach, rather than relying on competitive negotiation frameworks. Saran also brings attention to the challenges and opportunities posed by the digital space, urging inclusiveness and vigilance against cyber threats. The scale of the cybersecurity challenge is exemplified by the attacks on the G20 summit. India’s proactive collaboration efforts and the value of women’s participation in the digital landscape are highlighted. Saran encourages universities to support technological changes and promote gender equality. Lastly, he reminds us to maintain a balance and ensure that digital technology does not dominate human beings.

Introduction

The plenary session titled “The Evolving Dynamics of Cyberspace” began in Riyadh, with a distinguished panel of experts comprising Jose Manuel Barroso, former President of the European Commission and Prime Minister of Portugal, Kersti Kaljulaid, former President of the Republic of Estonia, and Ambassador Shyam Saran, former Foreign Secretary of India. These esteemed individuals were invited to share their extensive knowledge and insights on public policy and governance in the context of cyberspace.

During the 45-minute session, the panelists had ample time to delve into the complex intricacies of cyberspace and its far-reaching impact on societies worldwide. They discussed the shifting dynamics and emerging challenges within this rapidly evolving domain, while also highlighting the opportunities it presents for governments and policymakers.

Jose Manuel Barroso stressed the necessity of effective regulations and cooperative frameworks at the national and international levels to combat cyber threats, such as cyberterrorism and cybercrime. He emphasized the importance of governmental collaboration and the sharing of best practices to ensure the safety and security of citizens in an interconnected world.

Kersti Kaljulaid emphasized the significance of prioritising cybersecurity as an integral part of a nation’s overall security strategy. She shed light on Estonia’s pioneering efforts in this field, highlighting proactive measures such as investment in IT infrastructure, public awareness campaigns, and strong public-private partnerships.

Ambassador Shyam Saran elaborated on the geopolitical dimensions of cyberspace and its implications for national sovereignty. He underscored the need for robust international cooperation and adherence to norms to maintain an open, secure, and trustworthy cyberspace.

The panelists’ insightful discussions deepened the audience’s understanding of the complex issues at hand and fostered a constructive dialogue on innovative approaches to addressing the challenges of cyberspace.

The session was skillfully moderated by John Defterios, who facilitated the conversation, allowing each panelist to articulate their perspectives and engage in productive exchanges. John’s expertise in the subject matter and his ability to steer meaningful discussions contributed to the success of the session.

In conclusion, the plenary session on “The Evolving Dynamics of Cyberspace” provided a platform for world-class experts to share their knowledge and insights on the challenges and opportunities within this ever-changing domain. The panelists highlighted the importance of international collaboration, effective regulations, and proactive cybersecurity measures. The session served as a catalyst for further exploration and dialogue on how governments and policymakers can navigate the complexities of cyberspace to protect their citizens and harness its transformative potential.

John Defterios

The analysis explores various aspects of cybersecurity and its global implications, emphasising the Kingdom of Saudi Arabia’s role as a convener and active participant in cybersecurity discussions. With its strategic geographical position, the Kingdom is well-positioned to effectively address cybersecurity challenges.

One key finding is the increasing prevalence of cybersecurity as a global issue. Increased awareness and collaboration are needed to counter evolving threats in cyberspace. The full attendance at the panel session indicates growing interest in the topic. The Kingdom’s role as a convener demonstrates international recognition of its active involvement in addressing cybersecurity concerns.

John Defterios emphasises the importance of international collaboration in tackling global issues, including cybersecurity. The analysis highlights the need for a more collaborative approach, as existing negotiation frameworks often yield minimal results.

The analysis raises questions about how to balance the opportunities and disruptions brought by rapid advancements in artificial intelligence and cyber innovations. This emphasises the need for careful consideration and proactive measures to manage their impact on cybersecurity.

The analysis also acknowledges the mixed results of international cooperation in addressing the COVID-19 pandemic. While initiatives like COVAX have distributed a significant number of vaccines globally, there are disparities in vaccine access between more developed and poorer countries. Additionally, vaccine nationalism has led to excessive accumulation of vaccines by some countries. This highlights the challenges and complexities of international cooperation in addressing global crises.

Another key argument is the necessity for collaboration between countries and corporations in the field of cybersecurity. The expected increase in cybercrime underscores the need for collective efforts to combat this growing threat.

Saudi Arabia is recognised for its potential role as a bridge between China and the US in geopolitical matters, including cybersecurity. Its neutral stance and convening ability position it as an influential player in facilitating dialogue and cooperation between these two superpowers.

The analysis also underscores the crucial role of cybersecurity in digital development and the corporate sector. Proper implementation of cybersecurity measures is essential to protect and foster growth in countries like India and Nigeria. Neglecting cybersecurity could erode the progress these countries have made.

Furthermore, the analysis highlights the positive trend of increased female workforce participation. Female participation in the workforce has risen to 37% and continues to grow. This prompts examination of universities’ role in keeping pace with technological changes and ensuring gender equality in the workforce.

In conclusion, the analysis provides insights into various aspects of cybersecurity and its global implications. It emphasises the need for increased awareness, international collaboration, and proactive measures to effectively address the challenges posed by cyberspace. Saudi Arabia’s role as a convener and its strategic geographical position make it an influential player in cybersecurity discussions. The analysis also underscores the importance of balancing opportunities and disruptions brought by rapid advancements in artificial intelligence and cyber innovations. Additionally, it highlights the mixed results of international cooperation in addressing the COVID-19 pandemic and advocates for increased collaboration in tackling global issues like cybersecurity. Finally, the analysis emphasises the significance of cybersecurity in digital development, the corporate sector, and ensuring gender equality in the workforce.

Introduction:
So let’s get into it. Allow me to introduce our plenary session, The Evolving Dynamics of Cyberspace. Over the next 45 minutes, we’re all going to listen and hear from some of the world’s foremost experts on public policy and leading government. So please join me in putting your hands together and give a warm Riyadh welcome to our esteemed panelists, Jose Manuel Barroso, former President of the European Commission and Prime Minister of Portugal. Kersti Kaljulaid, former President of the Republic of Estonia. And Ambassador Shyam Saran, former Foreign Secretary of India. And Your Excellencies, ladies and gentlemen, our moderator today, my good friend, John Defterios. John, the floor is yours.

John Defterios:
Please, if I can get my microphone up. Thank you very much. It’s great to see you. Ryan, thanks for the kind introduction. And it’s phenomenal to be back for a second time. And as Ryan was suggesting, the room is full for a reason, because cybersecurity is taking greater prevalence than ever before. I think it’s commendable, by the way, that the Kingdom is serving as what I like to call the Intel chip inside the computer, if you remember the ad campaign from the 2000s. It was the chip that was driving the computer at the time. I think the Kingdom has a very unique role to play as one that convenes everybody, like we are doing today, lead from behind to take action for the future. And I would suggest geographically, straddling north and south and east and west, it has a particularly strong position in which to do so. Governor, it’s great to see you. And thank you for the opening remarks. And it’s nice to be in Riyadh again. I think I’m here 10 times a year because of the transformation that’s taking place. Can we give a nice round of applause for the excellent panel that’s been assembled today? And we’ll get right into the debate. We have 45 minutes in which to delve into these very key issues. And you all three sit at the nexus of geopolitics and geoeconomics. If it’s okay, Governor, I think it’s also worth noting that we should recognize the global crisis that we’re facing today when it comes to conflicts, and we’d love to see a solution. But our role here at the GCF is to hone in on cybersecurity and a safe cyberspace for all. So we’d like to see solutions, but at the same time, clearly, not in this room because everybody works in cybersecurity, but globally, awareness needs to raise about the opportunities and the threats because cyberspace knows no boundaries. And because you’re both specialists in geoeconomics and geopolitics, how do you see, President Barroso, the forces driving the change in this sector today, and what we should be aware of? Because it’s, what would you call, extreme complexity in the world, there’s no doubt about it.

Jose Manuel Barroso:
Thank you. Thank you, John, for your introduction, Your Royal Highness, Ministers, Excellencies, dear friends. I believe the developments are quite worrying, to be very frank, in terms of cybersecurity in the sense that we have, on one side, technological change in some sectors, like artificial intelligence, generative artificial intelligence, and what we can call superintelligence, and also quantum computing and other areas that will probably make it more difficult to keep high level of cybersecurity. So this technological change is a challenge for the protection of data, protection of networks and cyber systems. And on the other side, as John, you mentioned, there are the very worrying geopolitical developments. From that point of view, I can share with you my experience. I remember when I was in the European Commission that, for instance, in the G20, by the way, where Saudi Arabia is a very important member, there was some level of cooperation and sincere cooperation between the United States, China, Europe, and others. I’m not sure, to be very frank, this is exactly what’s happening today. So the level of confidence and sincere cooperation globally is going down. Technology should be seen as a global public good because, as you said, cyber criminals, they don’t stop at borders. They are threatening all of us. But the reality is that because of the links to technology, some powers, they will try to keep as much as possible their prerogatives. They will resist any kind of, let’s say, supranational regulation or system. So that’s why I think it’s very important to find spaces like this one here in Saudi Arabia. And I’m not saying that just to be nice to you, most of you here coming from Saudi, but because I think Saudi Arabia has a good place globally, being also a member of the G20, to foster some dialogue, being realistic, what can be achieved at some level between all the powers of the world and in other areas, being more, let’s say, precise about what we can develop further. But it’s going to be a very challenging task from a geopolitical point of view. Good.

John Defterios:
Madam President, we had a founder of CNN, Ted Turner, who said he was in cable before cable was cool, right? He was an entrepreneur that wanted to break new boundaries. And Estonia was very much an early mover and an early example of both e-government but also recognizing the role of cybersecurity. I’d love to have you share your perspectives of the key factors you see at play today. Number one, we’ve come out of COVID-19 with record spending by government, right? And high debt. Ten years before that, we had the global financial crisis. And one of the things you noted is that we have to be very aware of what’s going on in society, but you’re seeing the cost of this to fortify industry, academia, our civil society overall in terms of day-to-day living. What are you seeing here as a cost driver and the importance of getting deeper collaboration amongst governments?

Kersti Kaljulaid:
Well, I’ve used an example for about eight years to start these kinds of discussions. And this example tells you about the little AI worm. It’s a little worm which is specifically designed to enter military systems, weapon systems, maybe even nuclear systems. And it is able to gather all the data which you have in that system and hurt it, destroy it. This is how it is trained. But now imagine this system is somewhere and somebody has contaminated the data set of that system by using a computer which also was used to browse the World Wide Web. And therefore, our little AI worm finds some information which shouldn’t be there. And guess what? That information is a press release by United Nations which says United Nations is getting ready to vote on banning and destroying artificial intelligence in military capabilities. Now what our little AI worm will do, having had this information? It does know it is an AI system in a military capabilities. Therefore, my question is, will this little worm do what it was planned to do, destroy the system or take a name at UN Global Headquarters? When I started telling this story, most people would have considered technology part of this as a fantasy. Nowadays, most people think that it is a fantasy, that UN can never come to a global conclusion to ban AI from military systems. This is what we have seen just in 10 years’ time. And of course, I mean, trying to contain these kind of risks, we need to think about singularity. Because if we think about singularity and take into account that our tech cycle is so much quicker than our legal cycle which deals with our international law space, only then can we protect us from the current level of risk where we have predictive AI only, 5G, 6G, space technologies. But you asked about costs. Estonian National Cyber Security Authority budget in last five years has risen five times. I’m really worried.

John Defterios:
You know, you raise a fantastic point because in this week we saw President Biden sign an AI executive order. When he came into office, four months into office, he signed an executive order for cyber security. But Shyam, I’d love to get your thoughts as a former foreign secretary and ambassador. And Madam President talked about it. There’s 21 international laws that touch upon cyber security, but it’s not a holistic legislative bandwork. And at the same time, countries want to maintain their sovereignty, right? So this is the challenge. So how do we advance this idea to protect sovereignty but also protect our society today in the cyberspace? It’s not an easy balance. And you can use the Indian example as president of the G20 this year.

Shyam Saran:
Thank you very much, John. And it’s a pleasure to be back here, Excellencies, distinguished guests, ladies and gentlemen. You mentioned the Indian experience and, of course, the chairmanship of the G20. Our effort was to try and see that in an international landscape, which is today extremely polarized, very fragmented, how do we also at the same time try to keep alive a sense of international solidarity, a sense of collaboration in dealing with issues which are really cross-national in character. They are cross-cutting in character. Cyber security or climate change, if you take some of the examples, these are challenges which no country, no matter how powerful it is, can hope to resolve by itself. You need collaboration. And I think what we are unable to find is that our whole negotiating frameworks are very competitive frameworks. If I go as a diplomat to a negotiating forum, what is my brief? My brief is give as little as you can, extract as much as you can. That is what we operate on. If you operate on that basis, should it come as a surprise to you that we always end up with a least common denominator result, when actually what you are looking for are maximal results, not minimal results. That is what cyber security is, because it is advancing so quickly that you are out of date before you even start trying to tackle it. So how do we ensure that for issues of this kind, we have a global collaborative mechanism in order to deal with this challenge? Today, we are finding that the whole landscape, as I said, is very fragmented. You mentioned the global financial and economic crisis. Since then, we have not had any kind of crisis where the world has actually come together to try and really address the issue. So going forward, how do we bring this about? And I think in that context, a forum like this, and what our hosts have been able to organize, still provides a forum where people from across the divide can still come together to try and see how we can deal with these problems. So going forward, I would say a lot of opportunities, because we have seen in India itself that the digital space has actually allowed a degree of inclusion, which we have not had before. So it is a very powerful tool. But we have also seen that there has been a tremendous amount of assault on the cyberspace from inimical forces. And how to keep that balance is what is going to occupy us going forward.

John Defterios:
Okay, if I can ask a question here on the comparisons of what we’ve seen, and I’d love to get both of our other panelists involved in this. You sit on the board of Gavi, which is in charge of global vaccines, right? We had the Rio agreement in 1992 to the foreign minister’s interjection here, and very little action for the first 25 years, and we still struggle to have cohesiveness when it comes to climate action. Can we use those two examples and say, how do we not make the same mistakes as we develop policy for cybersecurity? How do we accelerate? Because AI is moving so quickly, and it could be an opportunity, but it could also be a great disruptor. Kirsi, do you want to start, and we’ll come to President Barroso.

Kersti Kaljulaid:
Frankly speaking, our academia has been telling for a long time that the only way of dealing with it is to agree that all our analog legal space applies in a cyberspace, exactly the same things which you cannot do in analog space, you cannot do in cyberspace. And we should simply decide that this is how it is. Also, the UN working groups regularly come to the same conclusion. So what you cannot do in the real world, the same things you cannot do in the digital sphere. But as we follow the practices nowadays, for example, the physical situation doesn’t seem so bad. Estonia last year had about 2,500 serious cyber attacks, which we detected. Only one went through to the extent that real people couldn’t buy some train tickets for a while, but all the rest was captured. So it can be done, but as I demonstrated, at the spiraling cost. So if we want to really spend on health care, education, what makes our world generally better, there is nothing else, I mean, which takes us forward than to decide if this is not to be done in analog, this cannot be done in cyberspace. In practice, we have already diverged nowadays because we do not have anywhere to go and complain about these attributions, worthless, because you don’t have a security council where you can then go and complain. We should actually make our analog system, of course, work better, but then we should simply apply it also to our cyber systems.

John Defterios:
Good. President Barroso, were you a bit frustrated sitting at Gavi and seeing that the global south was not getting the vaccines fast enough? Can you apply that to the lessons here as we develop the institute further, as Saudi Arabia convenes people to take action? What would be the advice, if you will, from your personal experience, and you lived through the financial crisis as well as a leader?

Jose Manuel Barroso:
Exactly. So first of all, the results of the pandemic in terms of international cooperation were, let’s say, mixed. We created COVAX, and COVAX was in some sense very successful because we were able to distribute more than 2 billion vaccines in the world in 146 countries. But it is true that there was a difference between the more developed world and the developing poorest countries in the world. So why? Because while in theory everybody recognizes that global public health is a global public good, because there should be no borders when it comes to fight against the virus, because the virus does not know borders, so we should have a common action, the reality is, and I’m very sincere, the advantage of being… I’ve left politics some time ago, so my level of sincerity is increasing day by day. I’m telling you very frankly what I think. The reality is that we saw vaccine nationalism. We saw some countries accumulating many more vaccines than they needed. We saw disparities. At the same time, to be fair, we saw also great generosity. So some of the biggest donors increasing their donations, including in financial terms. So it’s a mixed action. But one thing I believe is important as a lesson for the future is to have a multi-stakeholder approach. I think it is okay, by the way, Gavi, that I have the honor to chair, chair of the board, is based on that concept. So we have the governments, governments of the richer countries but on developing countries, but we also have the pharmaceutical companies, we have the private sector, we have research institutes, we have civic society organizations. I think this is very important. Because on the issue of cybersecurity, I think it’s going to be even more difficult. Why? Because cybersecurity, let’s be frank, is also linked to defense matters or war. And so some of the global powers will never share all the expertise they have in cybersecurity. They may share some, but not everything. For instance, against cybercrime in business, that’s possible. According to the best statistics, it means eight trillion US dollars per year, the cost of cybercrime, expected to go to 10.5 in two years’ time. I think that’s an area where different geopolitical interests and ideology, they can cooperate against this kind of cybercrime. But let’s be realistic. There are areas where the countries will cooperate, others will not. And we need to bring also the know-how of the more prepared corporations in the world. We need also to apply here a concept of public-private partnership. That will be my advice.

John Defterios:
Good. I want to get a quick follow-up from you, if I may, in my opening remarks. I’ll be brief. I was talking about Saudi Arabia serving as a convener. It could lead from behind, but I think geographically and strategically, with the transformation that’s taking place, and to put this into an institute and policy, can it be a bridge between China and the US, where, as you know, in technology, it’s very fierce competition? And Madam President, if you can follow up as well, please, President Barroso.

Jose Manuel Barroso:
I think so. I think, for instance, Saudi Arabia, during their presidency of G20, was doing a very important job. Now, Saudi Arabia is a member of G20. At the same time, it’s a country of this BRICS+. It has good connections with both sides of global arguments. So I think it’s a great place to have a global conversation. That’s why we are here, by the way. And at the same time, Saudi Arabia is also developing real capabilities in this field, and other countries in the region as well. So yes, I believe we need places like that that can offer a platform for cooperation, and I hope that that can be developed so that this global conversation, and not only conversation, hopefully some action can take place. But I’m realistic about what we can achieve, as you understood. And you mentioned it yourself, John, in the United Nations now, there is a stalemate on this. Let’s be frank. There is a stalemate. The, let’s say, conventional wisdom is that we have to follow the principles of international law on cybersecurity, okay. But when it comes to an idea of having some supranational regulation and forced binding agreement, then people don’t, some countries do not agree. So what we can do is, in what I call variable geometry, some, let’s say, like-minded countries can go forward and hopefully extend as much as possible the areas of consensus to have, I mean, a possibility of reinforcing our cybersecurity.

John Defterios:
Good. Madam President, you wanted to provide some follow-up as well. Go ahead.

Kersti Kaljulaid:
Yeah, absolutely. I’m quite sure that countries like Saudi Arabia can catalyze positive developments. Like, for example, my own country certainly has catalyzed digital development in European Union cross-border, because we have digital identities, Stone Age, if we talk nowadays technologies. European Union has decided that all EU countries have to offer all their citizens digital identities. And in addition, they have to interoperate. So absolutely, this country can be a catalyzed of the positive things. What needs to be catalyzed right now most is that we have to understand that if we compare 20th century to 21st century, in 20th century, most technological development always happened under control of the government. Internet happened under control of government, nuclear weapons similarly. Nowadays, far more of this development, which affects our cybersecurity, is company-led, happens in the private sector, in the industry. And here I see the great role for countries like Saudi Arabia to cooperate and call also for industry to apply the set of standards, to define the set of standards together with governments. And the first ones who are able to define these standards will normally prevail for the global standard-setting body. And by the way, these standards could give industry quite a lot of leeway in developing, which they’re anyway doing. They have more resources than governments nowadays. But it also should invite them to voluntarily share with government what needs to be onboarded all the time into the regulation because governments cannot regulate if they do not know what is cooking in the industry. And also, I think, thinking also of some incidents from the last year, if there is one company which is capable to play the government’s game, affect your political decisions by withholding their service from one party and not from the other party, there should be a mechanism which will make sure that the share price of that company tomorrow is very low. Because otherwise, we cannot keep the sovereign’s task only to the sovereigns. I’m sure Saudi Arabia understands these problems very well and can catalyze the positive process.

John Defterios:
Good. We have the benefit of having His Excellency Amin Nasser from Aramco as one of the four partners that Ryan mentioned here. So they have the corporate sector very involved in cyber security, which I think is quite crucial at the front end of this process. Minister Saran, I’d love to get your thoughts on the ability to leapfrog through digital technologies. We saw the Indian example today, called it the belle of the ball at the Future Investment Initiative because there’s so much attention, so much growth. But how do we prevent the fact that if we don’t get the cyberspace correctly, it erodes all that growth we saw in India, where you take a case like Nigeria leapfrogging away from the hard line into mobile? What’s your view of the global south and why it is so important to make sure we get this right on the collaboration our two other speakers have been highlighting so acutely?

Shyam Saran:
So just to give you an example that while the G20 summit was taking place in New Delhi, there were probably several thousand cyber attacks on the various sites which were associated with the G20 summit. And it was a huge challenge trying to protect our systems from such attacks. Now, it has just been mentioned that today, if you look at the UN system, where actually you should have a kind of collaborative responses to these kind of threats, you have actually the entire trend is going backwards. Because we started with a document which was about 40 pages, and now it is more than 70 pages. Many of the issues which had been resolved have come back again, and some new ones have been added. So we are in a situation where it doesn’t seem as if we can, for example, as India, can really depend upon the international system in order to provide us with the kind of capabilities that we need in order to deal with this situation. So this is where, at least over the next several years, our effort is really to try and see whether we can collaborate wherever it is possible, and we are doing that with many of our partners. Also, I think the importance of the forum of this kind is that, how do you regulate if you don’t understand what the problem is? And I think today, the gap between policy makers, decision makers, and the technology, the fact that, as it was mentioned, that it is the private sector which actually is leading the advancement in this technology, unless you are able to get that information, get that knowledge across to decision makers, across to policy makers, there is very little hope for regulation. So you mentioned the fact that a start had been made by President Biden’s announcement. The European Union has also, in fact, made some advance. We are trying to do that in India as well. But it is fora like this where that knowledge which is required by policy makers, that knowledge which is required by governments, perhaps this is the kind of forum where that kind of sensitization, that kind of awareness, at least, can be advanced. And that would be a very, very crucial component.

John Defterios:
What an excellent panel we have here, because you are going deep into the key topics that are faced with today. I would love to tap, President Barroso, your experience as the European Commission President and the general data protection regulations, the GDPR, if I remember correctly. We have assumed that as the norm, which is very interesting, right, because if you open a website today, it says, do you want to accept cookies or not? And people were pushing against that GDPR, but it did take public-private partnerships to kind of determine the roadmap, if you will. So it can be done, can it not, in cyber?

Jose Manuel Barroso:
Yes, it can, but it’s difficult. In Europe, and now I’m with the experience of the European Union, I think the first proposal we’ve made, it was my first commission, 2006-2007, but it was not entering into force before 2016, because we had to put together all the governments of the European Union. At that time, we were 28, before Brexit. And the reality is that in Europe, there is always this trade-off between scale and speed. The best thing is that we have scale, and that’s a great example for globalization, because you have to put together 27 different countries, and among them, there are cultural differences as well, economic difference and interest. But at the end of the day, usually in Europe, we come to a compromise. So we have the scale of 27 countries. But of course, it’s different to have 27 countries agreeing, or 190 in the United Nations. In Europe, it takes time to come to a consensus of these 27 countries, but it’s better than to do it only alone, each country on its own. As we very often say in Europe, at least I’ve been saying, in Europe all countries are small. The problem is that some have not noticed it yet. Because we need that scale. In Europe, we want to be on the same level as the United States and China, or India in terms of popularity. We need that scale that the cooperation gives. So I think from that point of view, it’s a very good example of trying, through negotiation, to overcome differences. But to be honest, it also takes time. It’s slower than if each country takes its own decisions. But at the end of the day, it’s better. And now, when GDPR was launched, General… data protection regulation, in terms of data privacy, it was very much criticized. People said, oh, once again, the European Commission comes with all that bureaucracy. But now, all business in Europe agree that was an improvement. Can you imagine in business in Europe, if each country in Europe, from France to Germany, from Italy to Sweden, from Netherlands to Spain, if each country had its own regulation? Of course it would be a problem. And that’s why, as you said, John, now, for instance, California, they followed very closely our GDPR. So in a way, it was setting a standard. So I think it makes sense, with some, let’s say, common sense, it makes sense and wisdom, if we try to, in some areas, to have global standards. And the European Union can be a contributor for that.

John Defterios:
Good. Madam President, you had your eyes looking at me. You’re ready to jump in. Go ahead.

Kersti Kaljulaid:
Yes, just a little advertisement. The European Union is now cooking AI act, of course. And indeed, GDPR became a de facto standard globally. But I’m sure that we need AI act to become a de facto standard globally quicker even. So I would invite all like-minded countries who want to be part of it to kind of support similar standards and adhere our practices to this act when it comes out. I’m sure this is extremely important. On the other hand, it is also important that we have this regulation for the industry, for the surety of the investment. Because if you are investing into the Wild West where you don’t know, you end up in explaining in some countries’ parliament, we’ve seen it, I mean, in the first phases of tech development. Why did you do this? Why did you do that? Because you didn’t tell us what is the regulation. And that is why I believe it is also very important in this region, which is also quite rich and important market, to come out with a certain set of standards to guarantee the security of the investment. This is extremely important. And this is what this country can do when others close here. I would also like to say that in my understanding, all we have to do is to go back to our very basic principles and values and apply them for every generation of technology. Not we have this one, we regulate this and so on. And these are human rights, the rights of nation states to organize their life as they please, that we do not force each other’s borders, all these basic principles. And simply to agree that never mind technology, this kind of decency, which we collectively have known for thousands of years, since Peloponnesus wars, basically, that this decency which applied then applies now and will apply at every new technological level.

John Defterios:
Interesting. Before I bring in the former Foreign Minister of India, I’d love to, if I can, Madam President, this is a key issue. And it’s one of those pillars that we talked about at the opening of the GCF in 2023. I say this kind of a jest, I have two daughters and they always say, that woman is impressive. She’s a girl boss. You know, she knows how to lead. I mean, you are the ultimate girl boss, president of Estonia. And it was a leader when it comes to technology. But why is it important, in your view, to get women more involved in cyber? And how do you match the curriculums of today? Because I always find, now that I’m a practicing professor, I find that it’s the business sector that goes to universities and says, we need this out of the pipeline. We need this sort of skills. And we need women engaged in this. And what’s the relationship between government and universities and the private sector? Do you want to tackle that for us? And Shem, I’d love to have you jump in as well, please.

Kersti Kaljulaid:
Well, I am an honest believer in market forces. And if Estonian technology sector, and we, by the way, have 10 unicorns per 1.3 million people, this is double the density of United States. If this sector comes together and establishes Unicorn Squad, which is the tech training only for girls, then there must be something in it. And you know, I think what there is, is what has nothing to do with cyber or digital technologies. It so happens that half of the populations are women. Therefore, half of the good ideas come into the heads of women. And if you do not tap into that reserve and these resources, then you are losing 50% of your capability. And this is a too big chance to lose for the markets. That is why Estonian tech sector has come together and done this work for the government.

John Defterios:
Good. But the universities, and I’d like to have Shem do that as well. Yeah, it’s worth noting that in the last six years, we’ve gone from almost zero female participation in the workforce to 37% and rising. It’s changing very quickly here, right? But Shem, do you want to cover this role of the universities to keep pace with the change in technology at the same time?

Shyam Saran:
You know, the big challenge really that I’m talking about the Indian experience. You know, at the end of the day, what are you trying to do? You are trying to wrap your analog mind over a digital space. And that’s very challenging. How do you how do you do that? And in that respect, you know, the participation of society in this whole endeavor, not something which is top down, but something which we see happening in India, it’s a very traditional society. And yet you see that because of these advancements in the digital space, there are good things happening. But there are also bad things happening, including as far as women’s rights are concerned. So this is something which really sort of makes you very much focused on how do you prevent those kind of negative things from happening. And participation of women in a very active way in this space is one of the ways that you can actually address those negative trends. You know, I am very impressed by the fact that in our host country, as a result of recent reforms, you have a very educated, you know, women constituency, 50%, which whose brain power has suddenly been added to this economy. And that’s a huge, huge resource, which has been brought into play. And I think in terms of cyberspace itself, if I’m not mistaken, women in Saudi Arabia are playing perhaps a very, very important and critical role. So this shows how, you know, in this space, having women as equal participants really kind of changes the societal impact of what is this technology doing to us. We have not really focused attention on the societal impact. There are, you know, impacts on the human psyche. There are impacts as far as society is concerned. And while we are very much focused on technology, perhaps we sometimes, you know, are guilty of forgetting about those kind of impacts, because we are so much dazzled by the technology that we don’t really look at the human aspect. That’s why I said with analog minds, you know, trying to manage cyberspace is not very easy.

John Defterios:
Okay. I’m going to circle back afterwards, Madam President, on your foundation before we finish the session, because you’re starting to study the impact on society of technology, which I think should be a very important component. Oftentimes you look at, you know, the cyberspace and AI and speed and access to information, it should be a calculation of the societal change. But I wanted to get the panel’s view. We did a podcast for the GCF, which is a phenomenal series, but we looked at it through the media, obviously, because of my experience. And I was suggesting cybersecurity should be a top five issue of society today. And then we had a debate within the GCF Institute saying, well, maybe over time, in a very near period of time, it should be a top three issue, because it touches everyone. Do you want to share where you think? Because it doesn’t seem to be on the top radar. If you poll people, they say inflation, worried about climate change, cost of living, right? Security, conflict. Where does cyber fit into that, President Barroso?

Jose Manuel Barroso:
I agree with your concern, because cybersecurity is more specific. It’s related to other issues that are very important top concerns, namely security. The word security. And now in the world, people, besides, of course, the economic situation that is affecting so many people, they are worried with security in general, and cybersecurity is part of that. But I believe it’s going to gain preeminence. It’s true also that in spite of the very important costs, namely for business, that are paying a big cost because of all the disruption, intrusion, all the problems that we are seeing in the business sector, the reality is that until now, knock on wood, there has not been a major, let’s say, catastrophic event globally of cybersecurity. Until now. For two reasons. Those who have the power to create it are not willing to create it. I mean, the governments that have the power to create a major disruption until now have avoided it. And also those who could create it that have not the capacity. I mean, non-state actors. Because if you think about terrorist organizations, or even, let’s say, criminal networks, that could be extremely disruptive until now, apparently, they have not yet the skills, the technical capability to create that major event. But what we have to think, in terms of risk management, is what happens if one of the biggest global players, state player, decides to create a real disruptive attack globally? Or if one terrorist organization or one criminal network is able to acquire that technology and we are not yet there, I hope we will not be. So but in terms of prudent management and risk management, in terms of wisdom, if I may use the word, what we have to do is to prepare for that situation. That’s why in linking to the last question we have put, I think it’s so important that the governments of the world, responsible governments of the world, they match the technological developments with the investment, public investment, including in skills. For instance, in Europe, the European Agency for Cyber Security estimates that we need 200,000 cyber experts. We are lacking men and women, of course, men and women. But we are lacking that. So we need more investment to manage the risk that can come from cyber security threats.

John Defterios:
Okay. I’m going to wrap it up. We had a longer time here, so I’m going to just ask for two final thoughts and we’ll conclude. Madam President, and then Cheyenne, please, very quickly.

Kersti Kaljulaid:
You mentioned my foundation. President Kaluulaj Foundation was set up to understand how Estonian society, which for 20 years and slightly more, is now receiving all public service online, how this has changed our society. And guess what? This year, we understood we have to establish Academy of Democracy for our youth. You know why? Because we came to understanding that when we went to school, you and I, then we learned our emotional intelligence from interacting with each other. And we for 10 years thought that we need to prepare our children for life in tech, surrounded by tech, in teaching them tech. But it’s actually counterintuitively that we have to teach them how to remain compassionate human beings. Yeah, absolutely. And this is the most valuable conclusion. Technology is not going to make us safe and secure. Being compassionate human beings, knowing how to remain a society through all the challenges, this is which finally defines the future of humankind. Maybe somebody is disappointed. It’s not technology. It’s still us. Thank you.

John Defterios:
Yeah, trying to find that balance is important. I completely agree. And I’m sorry to rush this, but Cheyenne, your final thoughts, and then we’ll say our thanks to you.

Shyam Saran:
Well, I would only say that at the end of the day, we are still physical beings, flesh and blood. And I think while we take the digital space as an instrument, it should not overwhelm us. I think that’s very, very important. Thank you.

John Defterios:
Good. What a fantastic session. I really appreciate the depth in which you gave the thoughts of all the major topics that we’re going to have over the next two days. President Barroso, thanks for the time yesterday. We had a deep discussion of where we’re going with cyber. So President Barroso, President Khadjajad, it’s nice to see you. Thank you very much. I’ll say Madam President and Minister Chiran, great to see you again here at the GCF. Can we give them a nice round of applause for the participation? Thank you. Well, thank you to our esteemed panelists. Let’s give another round of applause for what I think was a very frank and insightful discussion. We heard the former president of the European Commission there talk about the sincerity with which he was speaking. And I think all of our panelists, and I certainly appreciate that. I think that was a great start, not just to our two days here, but for all of us as we begin down the journey in building a safer and more resilient cyberspace. So let’s keep that in mind over the next two days, that we’re here to unite across industries and countries to forge that safer and more resilient cyberspace. Thank you, Your Royal Highness, for joining us this morning. Thank you, all of you, for being here so far. We are now going to take a little break before we tackle the big issues for a little coffee and tea, and then re-energize. We’re going to come right back here and reconvene in, let me say this nice and loudly to all of you, we’re going to reconvene right here in 15 minutes. Thank you.

Faisal J. Abbas

The analysis highlights concerns regarding the spread of fake news and stresses the importance of cybersecurity in addressing this issue. The argument is made that cybersecurity should go beyond basic hacking and also focus on the dissemination and veracity of information. The impact of fake news on society is discussed, with the ‘Pizza-gate’ incident being cited as an example of the real-world consequences that can arise from the manipulation of information.

The role of social media in propagating fake news is particularly emphasized. It is noted that 80% of Arab youth obtain their information from social media platforms, and a significant number of people are prone to retweet or repost fake news. This has led to a decline in trust in journalists and has made it challenging for individuals to differentiate between genuine and false information.

There is recognition of the potential of artificial intelligence (AI) in combating fake news. It is argued that AI can play a crucial role in identifying and combating fake news effectively. The creation of realistic fake videos by AI technology is discussed, highlighting the difficulty that humans face in identifying such content. Therefore, AI is seen as an essential tool in addressing this problem.

The analysis also highlights the dangers associated with the misuse of AI to create compelling fake videos. Reference is made to ongoing wars that have been escalated by misinformation. The instantaneous spread of fake news, especially through videos, is seen as a threat to global security.

Due to the severity of the issue, there is a call for a global initiative to combat fake news. The need for collective action is emphasized, and it is stressed that tech companies should take responsibility for the dissemination of fake news. The analysis suggests engaging in serious discussions with tech companies to regulate the content to which users are exposed.

Furthermore, the importance of education and content monitoring for young technology users is emphasized. It is highlighted that young children, as young as three or four years old, are being given access to iPads without proper content monitoring. The lack of literacy and control over exposure is seen as a significant concern.

In conclusion, the analysis underscores the urgency of addressing the spread and impact of fake news through comprehensive cybersecurity measures. While there is a consensus on the need for action, there are differing views on the responsibility of various stakeholders, including media, tech companies, and individuals. The arguments and evidence presented shed light on the complexities of this issue.

Margery Kraus

Summary:

Margery Kraus, the founder of APCO Worldwide, emphasises the importance of embracing technology, particularly artificial intelligence (AI) and cyber technologies, in order to facilitate progress and transformation within organisations. APCO is actively involved in training initiatives that explore how AI can revolutionise and streamline operations. They are utilising AI to automate routine tasks, thereby allowing individuals to focus on higher-order responsibilities. This approach is seen as essential for driving innovation and improving efficiency. The clients of APCO primarily seek assistance with cybersecurity, as well as guidance on how to deploy cyber technologies in a positive manner to shape the future. Common requests include support in combatting online abuse, developing crisis response plans, and exploring the potential benefits of cyber technologies in long-term planning.

Margery Kraus highlights the need for greater media coverage that showcases the positive uses of cyber technologies for social inclusivity. This aligns with the Sustainable Development Goals (SDGs) of Reduced Inequalities and Peace, Justice, and Strong Institutions. There is also an urgent need to teach young people about cyber literacy. Furthermore, the media should focus on instilling a better understanding of how to consume information and highlight the positive uses of cyber platforms. Collaboration across multiple sectors is necessary to address cyber-related challenges. Lastly, it is important to strike a balance between using cyber technologies and understanding the associated risks and fears.

Overall, embracing AI and cyber technologies, promoting positive uses, enhancing media coverage, teaching cyber literacy, promoting digital equality, and encouraging collaboration are all essential in addressing the challenges and opportunities presented by cyber technologies.

John Defterios

The debate surrounding the importance of global cybersecurity coverage in journalism has brought forth various viewpoints. Some individuals argue that there is a lack of sufficient coverage in this area, while others believe that it should be prioritised.

Those who support the notion claim that global cybersecurity is under-covered in journalism. They argue that cyber threats, such as data breaches and threats to infrastructure, require more informed and comprehensive reporting. Currently, these topics often receive only a brief mention in the media before being forgotten. The lack of in-depth reporting on global cybersecurity, which is considered less exciting but highly significant, is a cause for concern.

On the other hand, critics argue that the media tends to focus excessively on major tech companies, such as Facebook, Google, and Apple. These companies attract a significant amount of traffic, resulting in over-coverage of their activities. As a result, important issues like cybersecurity are overshadowed and receive inadequate attention.

To effectively cover cyber threats, it is suggested that dedicated resources and specialised experts be employed. Currently, the knee-jerk reaction is to call upon national security or IT personnel in the event of a cybersecurity issue. However, it is believed that communities should establish a pool of cybersecurity experts who can be consulted in such situations. This approach would ensure a more informed and efficient response to cyber threats.

The role of algorithms in shaping media consumption patterns and opinions is also scrutinised. Critics argue that algorithms tend to divide individuals into polarised groups, limiting the representation of diverse perspectives. This polarisation not only affects the way we consume media but also damages our attention spans.

Inclusivity and global collaboration are emphasised as essential components in effectively addressing cybersecurity challenges. The COVID-19 pandemic highlighted the exclusion of the global south until much later in decision-making processes. Thus, inclusivity across the board is considered crucial in tackling global issues like cybersecurity. It is also noted that collaboration on cybersecurity already exists on a regional scale in areas such as Asia, the GCC, and the Americas, and it can be extended globally.

The importance of an impartial centre for cybersecurity is also stressed. Given that the US and China are major competitors in technology and data, there is a need for a neutral entity to broker cybersecurity agreements. The Kingdom is suggested as a potential unifying force in this regard, playing a role in creating a safe space to address cybersecurity concerns.

In conclusion, while the coverage of global cybersecurity in journalism is a matter of debate, there is a consensus that more in-depth reporting and attention should be directed towards this critical issue. It is imperative to allocate dedicated resources, consult specialised experts, address the influence of algorithms, promote inclusivity and global collaboration, and establish an impartial centre for cybersecurity. By taking these steps, the media can more effectively inform society about the challenges and risks posed by cyber threats.

Massimo Marioni

The analysis highlights several important aspects of cybersecurity reporting and media practices. One key point is the critical role of fact-checking and verification in cybersecurity reporting. This is because false information can spread rapidly and cause significant harm in the realm of cybersecurity. It is crucial for journalists and media professionals to ensure the accuracy and reliability of their reporting when it comes to cybersecurity matters. By diligently fact-checking and verifying information, media outlets can provide the public with trustworthy and credible news.

Another important aspect is the involvement of experts in cybersecurity reporting. By including experts in coverage and reporting, media outlets can tap into their knowledge and experience to provide informed and authoritative perspectives. This adds credibility to the reporting and helps the audience better understand the complexities of cybersecurity issues.

Furthermore, the analysis emphasizes the significance of education and digital literacy in cybersecurity. Many individuals are not sufficiently aware of cybersecurity threats and best practices, making them vulnerable to cyber-attacks. By promoting education and increasing digital literacy, people can become savvier in protecting themselves online. This can be achieved through initiatives that focus on educating the public about cybersecurity risks, providing guidance on best practices, and enhancing digital literacy skills.

The analysis also highlights the need to avoid sensationalism in media reporting. Media outlets have the power to shape public opinion and perception of cybersecurity risks. By hyping up certain aspects unnecessarily, they can spread fear and uncertainty. It is crucial for media professionals to maintain balance in their reporting, focusing not only on problems but also on solutions and progress in the cybersecurity field. This helps provide a comprehensive and accurate understanding of cybersecurity issues.

Additionally, the analysis notes that imparting digital literacy requires collaboration between governments, media, and tech companies. This joint effort ensures that the audience receives the necessary resources and support for developing digital literacy skills. It is important for these stakeholders to work together in designing educational programs, creating digital content, and fostering partnerships to effectively address the digital literacy needs of the audience.

In conclusion, the analysis highlights the importance of fact-checking, the involvement of experts, education, and balanced reporting in cybersecurity journalism. It underscores the need to avoid sensationalism and promote digital literacy. It also emphasizes the significance of collaboration between governments, media, and tech companies in effectively imparting digital literacy skills to the audience. By embracing these practices, media outlets can contribute to a more informed and secure society in the face of cybersecurity challenges.

Intro

The Cybersecurity Market Ecosystem Development event convened prominent figures from various countries in the field of cybersecurity. Engineer Waleed Abu Khalid, CEO of Saudi Arabian Military Industries (SAMI), stressed the need for collaboration between the public and private sectors to drive the growth of the cyber industry. He underscored the importance of nurturing local talent and establishing robust educational programs to meet the demand for skilled cyber professionals.

Dr. Miqat Zuhairi Bin Miqat, Chief Executive of Malaysia’s National Cybersecurity Agency, highlighted the significance of proactive measures in addressing cyber threats. He emphasized the development of a strong cybersecurity ecosystem, including effective legislation and regulations, as well as investments in research and development.

Felix Barrio Juarez, Director General of the Spanish National Cybersecurity Institute, discussed the role of government in promoting cybersecurity innovation. He emphasized the need for public-private partnerships in sharing threat intelligence and promoting best practices.

Engineer Abdurrahman Al Malki from Qatar’s National Cybersecurity Agency stressed the importance of tailored cybersecurity solutions that meet each country’s specific needs. He urged governments and organizations to remain vigilant and adapt to rapidly evolving threats.

The panel’s moderator, John Defterios, provided an international perspective to the discussion, drawing on his experience as a former CNN editor and editor for emerging markets. He emphasized the global nature of cyber threats and the need for coordinated efforts to tackle them.

The event’s panelists agreed that ecosystem development plays a pivotal role in stimulating the cybersecurity market. They highlighted the need for international collaboration, information-sharing, and investment in research and development to stay ahead of cyber threats.

Additional contributions from Massimo Marioni, Europe Editor at Fortune, Rebecca McLaughlin, an international TV anchor and media trainer, Marjorie Cross, founder of APCO Worldwide, and Faisal Abbas, Editor-in-Chief of Arab News, provided valuable insights into various aspects of the cybersecurity landscape.

Overall, the event demonstrated the importance of collaboration and proactive measures in addressing cybersecurity challenges. The diverse perspectives of industry leaders underscored the need for continuous innovation and adaptation to effectively counter cyber threats in an increasingly interconnected world.

Rebecca McLaughlin-Eastham

Rebecca McLaughlin-Eastham, an expert in drone technology, skillfully and successfully landed a drone, ensuring its safe return. She emphasizes the importance of handling technological devices with great care and caution, given their significant costs and potential risks. It is clear that the drone, being an expensive piece of equipment, requires a gentle and controlled landing procedure in order to prevent any damage.

The focus on careful handling of technological devices arises from the understanding of the potential dangers they can pose. By safely landing the drone, McLaughlin-Eastham demonstrates the necessary skill and precision required when working with advanced technology. Her achievement reminds others in the industry of the need for responsible and meticulous handling of expensive equipment.

The supporting facts further emphasize the importance of a safe landing for the drone. McLaughlin-Eastham’s affirmation that the device must land safely underscores the crucial role careful handling plays in preventing any potential damage or loss. Additionally, the mention of the drone’s expensive nature highlights the significance of gentle landing to avoid costly repairs or replacements.

In conclusion, Rebecca McLaughlin-Eastham’s successful landing of the drone not only showcases her expertise but also underscores the vital need for careful handling in the field of technology. Consideration of the high costs and potential dangers associated with these devices is paramount to ensuring their longevity and effective use. Her accomplishment serves as a valuable lesson for professionals and enthusiasts alike, reminding them to approach technological equipment with caution and responsibility.

Intro:
Catalyzing Cyber, Stimulating Cybersecurity Market Through Ecosystem Development Engineer Waleed Abu Khalid Chief Executive Officer, Saudi Arabian Military Industries, SAMI Dr. Miqat Zuhairi Bin Miqat Chief Executive, National Cybersecurity Agency, Malaysia Felix Barrio Juarez Director General, Spanish National Cybersecurity Institute His Excellency Engineer Abdurrahman Al Malki National Cybersecurity Agency, Qatar John Defterios, Moderator, Former CNN, Emerging Markets, Editor and Editor Massimo Marioni, Europe Editor, Fortune Rebecca McLaughlin, East Ham, Moderator, International TV Anchor, MC and Media Trainer Marjorie Cross, Founder and Executive Chairman, APCO Worldwide Faisal Abbas, Editor-in-Chief, Arab News

Rebecca McLaughlin-Eastham:
Good afternoon everybody It’s wonderful to be here, see a packed room and we have a fantastic conversation coming up You’ve just heard my guests being introduced I have luminaries from the world of media, strategic communications and of course journalism on stage with me and we are going to have a deep dive into how cyber security is being covered in the media Is the narrative correct? Is it balanced? Is it informative? Is it constructive? Is it responsible? It’s our duty to inform and to engage but we also don’t want to spook, we don’t want to deter So how do we strike that right balance? Well here with all of the answers I’m delighted to say are my esteemed guests So let’s start with the bigger picture Faisal let me come to you first from Arab News How has the narrative traditionally been when it comes to covering global cyber security?

Faisal J. Abbas:
Thank you Rebecca and thank you for that very important introduction It is actually very telling that we are here discussing this particular topic at a global cyber security forum I say that because people occasionally or more than occasionally most likely relate cyber security to things like phone hacking, going into your bank account etc But the reality is cyber security should and must encompass much more than that We are living in an era which we have as a humanity We have not experienced this before where every person on the planet provided they have wifi or internet connection can disseminate and receive information at the same time What has happened with the advancement of technology particularly with what we are seeing with AI Is not only are you allowed now or capable of disseminating and receiving information You are also capable of faking realities and faking news And if you think this is not related to cyber security then you are wrong Because just look at some of the world events that have happened as a direct result of fake news spreading I can name so many incidents, I don’t want to get very political so I am going to name a non-political one Which is what we all know as the pizza gate in 2016 in the United States Where somebody posted fake news that there is a child exploitation ring being used Children being exploited in a pizzeria And somebody ended up taking a gun and shooting everybody and it was a completely fake news story I am going to end with three figures on why cyber security should include media And to make it easier for everybody to remember, just remember 80, 70, 60 According to the Arab youth survey, 80% of Arab youth get their information from social media According to a recent study by MIT, 70% of people are more likely to retweet or repost fake news 60% according to the Edelman trust barometer now no longer trust journalists and believe they are misleading The conclusion is we are heading in a direction where we will no longer be able to tell what is true from what is fake And this I believe is at the heart of what cyber security should be

Rebecca McLaughlin-Eastham:
100% trust is integral to that and to our discussion today Marjorie let me come to you, talk to me from both sides At APCO what are you doing when it comes to using systems for generative AI and the like And also what are your clients asking you for help on and what are you telling them? Three pronged question from a journalist there

Margery Kraus:
I think for us, I’m a big believer even though we have about five generations in APCO and I’m at the upper end of that I’ve never ran away from technology I think technology is really important and as we get into cyber it’s even more important Because this is not something we’re going to stop So this is something we have to embrace And I think this is something actually that the media needs to educate us more about In terms of how we embrace in a positive way, how we use cyber for good, how it becomes inclusive And so within APCO what we’re doing is a lot of training and how AI can help transform our organization And how we can then use this so that some of the routine tasks that a company like ours would do Whether it’s monitoring another thing that you can train AI to do And then other things that then you can use your people for higher order things And you’re taking a lot of the routine out of the work and making it more interesting And if we can do that transformation I think that’s a really important way to use this So our clients are coming to us for two things One is the more traditional things of cyber security And the fact that as you read in the media that there’s a lot of abuse that goes on online And how do they protect for it, how do they plan for it, how do they organize their crisis response Things of that sort But the other side is hoping that will be an example is coming to us for how can they deploy cyber In the most positive way in terms of what they’re doing for the future So I think both of those are things that we end up doing

Rebecca McLaughlin-Eastham:
Thank you John, nice to see you again You’ve covered breaches, you’ve covered GCF for many years Talk to me about how you see it from a journalist point of view How are we covering global cyber security? Accurately, adequately, and what is the impact on consumers?

John Defterios:
Yeah, you put a lot in there and you’re correct to do so, Rebecca So thanks very much Rebecca and I had a chance to tackle this subject in a podcast two months ago Which you can find on the GCF website And I think it’s a similar approach to this I think it’s undercover and we can talk later in the panel about from the broadcast journalism side Which I did for better than 30 years And the challenges there But at the FII last week, I thought it was very interesting They pulled the people that were attending FII And they said, what are the most pressing issues of today’s time? It varied between the youth at the end and those kind of in the C-suite And the ministers at the start of the FII But the common ground was the cost of living You know, quality of life, conflict, and climate change, right? They listed those as the four major issues And I have a very strong belief that cyber space and cyber security should be at least in the top five Because of all those things I talked about there You get information and make educated decisions based on what you’re reading But you have to have a common trust And in the previous panel, when we said deciphering or catalyzing cyber We got into this idea that right now the consumer is pretty unaware What the challenges are in the near future where AI, generative AI meets cyber So I think as a duty from the journalistic community I don’t think anybody in this panel would disagree with me We have a duty to inform society of what’s ahead We were even talking about in that panel what sort of certifications If you have a driver’s license, for example, to drive a car What sort of certificate do you have to surf the world? Because it’s going to be a much more complex world in which to navigate So we have a challenge now because of not AI But algorithms that we have people in different echo chambers Not believing what is real news versus fake news, right? And that’s a big challenge today But I think, and this is a personal viewpoint That cyber security should be in the top three subjects of our time Because it’s moving quickly So right now we’re lucky that governments like Saudi Arabia And others that we’ve talked to that are participating in the GCF Take the challenge very seriously We rely on the private sector to continue to innovate and invest And take care of society But it’s going to be much more challenging in the future The numbers indicate it So we’re looking at least $2 trillion of lost commerce in the last year It’s growing by 35% to 40% a year That should get everybody’s attention But I think when consumers cannot trust what they have on technology platforms Whether it’s their banking app or a B2B system Or an e-commerce site like an Amazon Because you’re worried about a transaction It’s when we have as a responsibility as journalists and media Strategic communications group to educate society So I think we should start there The GCF and the Institute is a great place to start that journey But I think we need to go into the next layer here Where consumers have a greater awareness And how do we tell those stories so they understand it

Rebecca McLaughlin-Eastham:
Massimo, how do we tell these stories? We have a responsibility We need to heighten awareness We need to inform How do we best do that in a balanced way?

Massimo Marioni:
Yeah, that’s a good question So I think there’s probably six things which help us do that One of those things is fairly basic And that’s to fact-check and verify It sounds obvious and it’s very core to all journalism But especially with cybersecurity I think it’s even more important Number two is to get experts involved As many experts as we can Have that expert opinion across all coverage of cyberspace and cybersecurity Trying to educate, which John touched on Trying to educate a community who isn’t perhaps as… Well, I don’t think many people are as savvy as they need to be In the cybersecurity game and consuming that news So I think the more education and digital literacy that we can give people The better they will be Constantly reminding people of best practices Whether that’s with passwords or whether that’s with banking My mother is 80 years old And she’s quite savvy with digital and things like that But she still sometimes contacts me whenever something comes through She gets an email and she’s not sure about it Sometimes it’s from me And she’s asking, did you really send me this? I was like, yes, yes I don’t need any money, but… And avoiding sensationalism, I think, is also quite crucial There’s a temptation within all of media To hype up either the really bad or the really good And I think that can spread fear and uncertainty across audiences When perhaps there isn’t that immediate need to do that And lastly, balance, I think Reporting on the solutions and progress of cybersecurity or AI or whatever it is Is just as important as reporting on the problems So those six aspects, I think, are ways that media can really help Bring that knowledge and literacy to the audience

Rebecca McLaughlin-Eastham:
Talk to me just before we go any further About the expertise that you do have in-house Arguably every newsroom around the world will have national security experts IT reporters, tech reporters But what about AI, Massimo? Do you have people dedicated to that?

Massimo Marioni:
Yeah, so we’ve got a reporter called Jeremy Khan And he’s been an AI expert for many years So we’re very lucky to have him And he’s covered AI in various forms for a long time And people sort of think that it’s just popped up in the last few months AI has been a thing for a very long time And Jeremy’s been an expert for a very long time So at Fortune, we’re very lucky to have someone with deep, deep understanding And deep knowledge of AI But obviously, that is in an area which every newsroom has devoted time and resource to So that’s very important, I think, for newsrooms across the world To invest those resources into experts like Jeremy Don’t leave, Jeremy, if you’re listening to this Into experts who can really deliver value for their audience For this super, super important topic

Rebecca McLaughlin-Eastham:
Thank you. John, I’ll come back to you in just a second Faisal, take me inside your newsroom Who is dedicated to that beat? Cyber security in particular

Faisal J. Abbas:
Here’s where I disagree I don’t think it’s the job of one person It’s the job for the whole newsroom, collectively Look, let me talk about a much bigger example A huge organization such as the BBC They have a whole initiative called BBC Verify Which, all it does, that team, all it does All they do is go on the internet, look for fake news and identify it Great, great initiative But let’s be realistic here This is a drop in the ocean That is not going to be enough There is, in fact, no newsroom in the world No matter how much resources they have That are capable of standing up to this thing My point of view is as follows What AI breaks, only AI can fix And as we are at a global cyber security forum There needs to be global action towards this I’m not here to do fear mongering But this is a reality We’ve seen, we are currently living a war in this region We’ve seen how quickly fake news spreads And this is now just words And this is with AI still tiptoeing Imagine the same war in five years’ time When you can instantly create fake news videos About babies being decapitated or soldiers being killed, etc This is the stuff that starts wars And there is no human capability to be able to identify Because these videos, in terms of sound, in terms of video In terms of the surrounding Are so real that you cannot tell what’s fake from what’s new So the only solution is a global initiative To have AI filters that can identify immediately What is real, genuine footage Which is then our job as news reporters But immediately label things that are manufactured by AI As manufactured by AI

Rebecca McLaughlin-Eastham:
John, do you want to come in on this?

John Defterios:
Sure, I’ll take it from the prism of broadcasting And I think it’s a tall order And Massimo touched on this and so did Faisal It’s a tall order to say that somebody that covers national security Should also cover cyber security It’s also a very tall order, a big ask, if you will For somebody who covers IT And I think there’s a tendency within the television community Which I spent my career in To stray away from the fangs Or the biggest technology companies of the world So we know Jeff Bezos We know Meta, Facebook, Google, Apple Twitter, now X And the tendency is to gravitate to those big companies And those personalities Because they get a lot of traffic But again, this is where responsibility comes in, right? So that gets a lot of traffic There’s a tendency to cover those companies way too much Or the latest gadgets that are out there Because consumers interface with those gadgets And they’re so pervasive in our lives But there’s a big gap in the middle To have an expertise And I’m suggesting if the private sector And the governments are paying so much attention To cyber and cyber threats And the future of cyberspace And making it a safe place for people to operate We should be dedicating resources Trained resources to be able to cover it Now the second layer of what I’d like to talk about Is how do you tell this story in television? And Rebecca, you have that experience as well There are no visuals So, you say you had a hack on the air traffic landing system in Heathrow, it’s not fair to be using file video of the Heathrow airport and say they had a big, you know, technology breach today because that lasts for about 30 seconds. We had a case in the last year where South Asian Bank was hit for $200 million, which is extraordinary. It’s an extraordinary event or 80% of the airports and 65% of the power systems in the world are being hacked on a daily basis, but you can’t go in and show it physically as a television correspondent. So I think we should, A, be a lot more clever about how we tell the stories, and this is where data visualization would come into play. It works for Faisal at Arab News, it works for Masouma at Fortune. You use data to tell your story and to educate people at the same time, but I think we’re making a profound mistake in our profession to say that the same person that covers national security and the same person that covers IT, oh, try to give this a whack and cover cyber. I think it’s a profound mistake, and we should take it more seriously as a topic is what I’m saying. I mean, I’m talking to the converted there because you educated me for our broadcast, but the reality is we need to be taking it at a much more higher level of attentiveness. Final point that Masouma brought up in his opening remarks, there’s a pool of experts, but I think we often call as a knee-jerk reaction an IT specialist or an ICT specialist to talk about cyber, or we call a national security person to talk about cyber. Let’s as a community build experts that we share the resources and say, if I’m in America, these are the top 25 people. If I’m in the European Union or in the UK, these are the people that really know cyber. If I’m in the Middle East and North Africa, if I’m in Asia, and we should, I think as a GCF, I would even extend, let’s help that process to say these are the top 50 cyber security specialists in the world. So if there’s a story to be told, let’s respond that way.

Rebecca McLaughlin-Eastham:
Absolutely. Marjorie, please.

Margery Kraus:
So I want to come at this just a little different and follow on something Masouma said as well, and take it more from the other end of the telescope. Because I think that one of the things, you talked about media literacy, and there was a whole time when we were teaching younger people how to discern news, how to check their sources, how to look for various things. And we need to do that. We need to create cyber literacy on the part of young people. How do they know what sources? You said 80% get their information from cyber, from these platforms. Think of how terrifying that is, given fake news. So what skill sets, and what can we bring, and how do we demonstrate this through the media to have more educated consumers, especially young people? So they know where to find the news, or where to find information. They know how to verify it as much as they can. They know if they’re being bullied, where to go for help. They know, you know, there’s certain basic skills. And as this cyber world kind of envelopes all of us, we need to give young people the skills, and older adults. So that when they, you know, it’s great that your mother called you to, if she should open the email. I wonder how many other people would call if they’re getting an email like that. They would open it, and they would be subject to all kinds of scams. So I think that’s one of the things the media could do, is to help us all understand better how to consume what it is that we’re getting. I think one other thing that the media could do is also focus on some of the positive uses of cyber, and the way in which we are using it to become more, to have more equity in society, or to give people access to education, and things of that sort. And it tends to be that, you know, like good news doesn’t get covered, as well as difficult things.

Rebecca McLaughlin-Eastham:
That’s interesting. Thank you, Marjorie. Well, Faisal, let me pick up on that with you, in terms of the positive aspects, the good news stories, rather than the scary headlines, let’s say. The media arguably has a responsibility, of course, to be balanced, but is one overshadowing the other? The urgent is crowding out the other important stories that should be told, but aren’t as much.

Faisal J. Abbas:
Well, look, Journalism 101, right? So if a dog bites a man, that’s not a story. If a man bites a dog, that’s a story. That’s always been the case, and that’s always been human. People don’t want to know what they already know. But here’s where I disagree with my honorable colleagues. It’s not the media to blame for reporting negative stories. That’s your job. Your job is to alert people to important things. But let me take you to the beginning of last year, when the Facebook whistleblower Frances Hogan spoke at Congress. And this is not from me. Take it from the horse’s mouth. This is what she said. She said, at some point at Facebook, we realized that the emotion that triggers the most traffic, the most engagement, the most reaction, is anger. So I’m not saying Facebook or Meta or Twitter are evil. I am saying, given that it is in their interest, this is … means more users on their website, on their pages, means more advertising revenue. There is a fundamental issue that needs to be addressed here with that business model. And again, I’m not pointing fingers, and I’m not accusing them of being deliberately behind this. But we need to remember one important aspect. These companies were not built by journalists, like newspapers or broadcasters. These companies were built by teenagers who were coders and engineers, who probably didn’t understand or appreciate the impact of what they are doing. And the result is what we are having to deal with today. And I reiterate, this is very important, because the next war, this war might be contained, the next one might not be containable because of fake news.

Rebecca McLaughlin-Eastham:
Massimo, coming to you at the end. Is the end nigh? Give me an optimistic outlook, or even a bleak one. Do you agree with Faisal or disagree?

Massimo Marioni:
Yes, to an extent. Meta did discover that, and they fueled a lot of the problems that we’re facing today. But I think every news organization, to an extent, also can identify with the similar sort of sentiments and findings that Meta found, that anger and shock drives more interaction than, say, good news stories, or happy stories, or stories of progress and solutions. So I think there is a responsibility there in the media to not just chase that engagement, but to also try to break down the complexities that your average reader may switch off when they’re reading, because ultimately, the cyberspace world and cybersecurity, they’re complex things, and readers don’t tend to read too deeply into things that they don’t understand unless they’re super, super engaged. So the media’s job is, one, to break down that complexity, to avoid sensationalism where they can. Obviously, as Faisal mentioned, it’s our job to report newsworthy events, events which people find interesting, events which are important for the reader’s everyday lives. And usually, that’s on the spectrum of really good and really bad. And the stuff in the middle doesn’t really generate the interest or engagement that perhaps it needs to. And because all media companies are trying to make money as well and keep themselves afloat, it’s a very challenging time for media. The temptation is to veer into that one side of the spectrum.

Rebecca McLaughlin-Eastham:
So I think somebody at Facebook doesn’t like what I said. Somebody is watching. Yes. They sent a drone. Wow. They sent a drone for revenge. Is Facebook coming for us? I mean… It’s so quiet. I hardly noticed it was there. Please, Massimo, continue if you can.

Massimo Marioni:
I don’t know what I was saying anymore. That’s amazing.

Rebecca McLaughlin-Eastham:
He must have said something very inflammatory. I’m sorry. Can you hear us in the audience?

Massimo Marioni:
Can someone shoot it down?

Rebecca McLaughlin-Eastham:
Stay with us.

Faisal J. Abbas:
Can we get the drone to land?

Rebecca McLaughlin-Eastham:
I think so. There we go. Safe landing. Just like in TV. Expensive piece of kit. So you have to make sure it lands gently.

Faisal J. Abbas:
A real-life example of how technology can disturb reality.

Rebecca McLaughlin-Eastham:
Oh, yes. And you’re always being watched. Yes.

John Defterios:
For ten seconds there, I was a little bit worried that it actually might have been an armed drone. But thank God it wasn’t.

Massimo Marioni:
I must have upset Facebook or something.

Rebecca McLaughlin-Eastham:
Sorry, Massimo, please finish your sentiment.

Massimo Marioni:
I think that was it.

Rebecca McLaughlin-Eastham:

John Defterios:
No, the only thing I would add to this is that, and Faisal alluded to it, we’ve taken algorithms for granted, and I think it’s actually caused a lot of damage in terms of our attention spans. So it was into the market to help us. So if you were searching a story and you said you want to get more of this story, or if you’re looking for a restaurant, it offers you alternatives. That’s the good side of it. But it does divide us into the group that could be far left in its politics, far right in its politics, and there’s very little voice given to the center, which I think is part of the problem. And the reason I bring that up, a lot of people may not be interested in global cybersecurity and a safe cyberspace, but they should know. It’s not the sexiest story in town. It probably won’t get you to click, but we could be much more creative in the way we tell those stories. In a 24-hour news cycle, Rebecca knows this, if there’s a major breach, and it was news, as Faisal was suggesting, you do need to cover it. So if there’s a major breach in the world, our role was to inform, because it was a who’s what, where, when, and why. It was big enough. It affected enough people. It threatened our water supply. Our power system went down, right? Could have been contamination in your local drinking waters. That’s just examples of what we’ve seen. A major data breach where people’s private data were breached and went into public. We need to inform it, but we need a much deeper knowledge of the sector to be able to inform people correctly, is my view on this. We should go deep, not quick. And usually, if you’re in a 24-hour news cycle, we’d have a conference call, what are the major stories? Oh, I saw there was a breach on the water system in Australia. It almost killed 50,000 people, but they were able to detect it, but let’s give it 30 seconds, and then it’s gone. It was a Northern Ireland police breach of data, which was a huge story in the UK, but they didn’t have the visuals to tell it, so it lasted for a 24-hour news cycle. But it was the data that goes back 20 years, and it risked lives of those police officers and detectives. So it shows the vulnerabilities of the systems. I don’t think we should be so flippant in our coverage going forward, is my premise here.

Rebecca McLaughlin-Eastham:
Thank you. Marjorie, and I’ll ask all of my esteemed panelists the same question as we conclude. In terms of the theme of GCF 2023, our shared priorities in cyberspace, when it comes to advocacy, strategic communications, what is the most important shared priority that we should all have? Marjorie, what would you say?

Margery Kraus:
I think the shared priority is to try to bring multi-sectors, the way we’re doing it here at GCF, together to come up with belts and suspenders frameworks for solutions of how we can deploy the benefits of cyber with the right frameworks so that the abuses are limited. There are always going to be abuses, and we have to try to keep one step. But if we don’t do what Faisal was saying about engaging with the corporate side, and if we don’t improve the coverage of how we expand the knowledge about cyber, we’re going to end up in a place where this gets so far ahead of us. People are already afraid, and if we feed into that fear, we will never take the full advantage of what cyber has to offer us. So getting this right is really important.

Rebecca McLaughlin-Eastham:
Thank you. Faisal, getting this right is very important. When will we get there?

Faisal J. Abbas:
Well, we need to start with education, education, education. It is mind-boggling. It is unthinkable that we give iPads to three-year-olds and four-year-olds, and we don’t monitor the content that they are watching. To use the metaphor that John used, this is the equivalent of giving a four-year-old keys to a car without a driving license and without brakes. And then we complain when the car jumps off a cliff. There needs to be literacy from a very young age. There needs to be a serious conversation with tech companies to what are we being exposed to, and there needs to be a global initiative to immediately identify what is genuine and what is manufactured by AI, because as I said in my opening remarks, the line is going to become very, very blurry in the very near future.

Rebecca McLaughlin-Eastham:
John, a global initiative much needed.

John Defterios:
Okay, number one, I think, and we’ve addressed this at different sessions, I think it’s extremely important from a policy perspective, and this even trickles into the media, that we are inclusive across the board. So I would say inclusive for the global south. So we can use two examples of the COVID-19 pandemic when there was hoarding taking place and it was every government for themselves until about nine months into it, and then the global south became part of the equation. So it’s very important because cyber has no boundaries. We’ve talked about it. It does cross borders. What happens in the global south, what would happen in Africa would also make the GCC quite vulnerable because they have great connectivity. So we should be aware of that. When it comes to climate, it’s very difficult to try to build a consensus of 190 plus countries but when it comes to cyber, and we’ve heard the collaboration on previous panels, we see collaboration on a regional basis in Asia. We see it in the GCC, and it was articulated, it should extend to the Middle East and North Africa. We see it in the Americas collaboration. How do we make that global collaboration to have this sharing of best practices, the data is where it’s comfortable to protect your sovereignty. And then I think the third leg of this, and this is why I’m very proud to be involved with the Global Cyber Security Forum, we have two elephants in the room. It’s US and China. They compete fiercely when it comes to technology and they’re competing fiercely when it comes to data. We need a center for cyber security that is an equal broker that can go east and it can go west. It tilts north and it tilts south. It can be a unifier. So I think there’s an opportunity in the cyberspace. I think there’s an opportunity when it comes to the regional conflict where the kingdom can serve a role to be a unifier, to find solutions, to allow a safe space to deal with cyber security. And I think that’s our shared responsibility at GCF 2023.

Rebecca McLaughlin-Eastham:
Thank you very much. Massimo, the final word to you. Our shared responsibility and key priorities for GCF and going forward into 2024.

Massimo Marioni:
Yeah, I think, as I said before, I think imparting digital literacy on the audience is probably the key thing because, and that’s a difficult task because you can take a horse to water but you can’t make a drink. So as much as we try to educate and inform and bring the most important news to the audience, it’s difficult to make them consume something that they perhaps don’t understand or don’t have an interest in. So that’s, I think, the key challenge which is not just on one organization to overcome. It’s got to be a combined effort from governments, from media, from tech companies, a very collaborative effort to bring this very important attention or very important topic to the audience and make them interested in what needs to be known.

Rebecca McLaughlin-Eastham:
Thank you very much. And on that collaborative note, that optimistic note, we shall have to wrap up proceedings. But those are your GCF headlines, ladies and gentlemen. For this panel discussion, please join me in thanking my esteemed guests for their contribution to our forum today.

Ryan Chilcote

The discussions revolved around several key topics related to cybercrime and AI. Firstly, the rising costs of combating cybercrime were a cause for concern. The former president of Estonia expressed worries about the escalating expenses in fighting cybercrime globally and specifically in his country. In Estonia, the budget for combating cybercrime has grown five-fold over the past five years. This highlights the financial strain that governments face in dealing with the ever-evolving nature of cyber threats.

Another area of discussion focused on the use of AI by attackers to create sophisticated, zero-day attacks. Zero-day attacks refer to attacks that have no prior fingerprint, making them difficult to detect and defend against. It was noted that attackers do not need to be cybersecurity experts to utilise AI in their attacks. New attacks using AI are being invented on a daily basis, posing a significant challenge to cybersecurity professionals and organisations.

To address the potential misuse of AI, there was a consensus that regulation is necessary. Notably, AI is considered an uncontrollable technology, and there are ongoing efforts by the UN and governments to find ethical ways to regulate it. The goal is to prevent malicious actors from harnessing AI for nefarious purposes, while still allowing for its beneficial applications.

However, regulating AI is not an easy task due to its fast-changing nature. AI technology evolves rapidly, and as a result, regulations need to be constantly updated to keep pace. There was expressed doubt about whether enough time exists to develop comprehensive AI regulations, as it took the European Union nine years to create GDPR regulations.

The need for international cooperation in addressing cybercrime was emphasised. It was highlighted that 40 countries have agreed not to pay ransom during cyber-attacks, showcasing a concerted effort to refuse ransom payments. This unity in refusing to pay ransoms aims to discourage cybercriminals and reduce their financial incentives.

One of the notable points of discussion was the practical implications and boundaries of banning ransom payments. Ryan Chilcote questioned whether a policy of banning ransom payments would also apply to individuals who are threatened with the release of sensitive personal information. This raised considerations about striking a balance between protecting individuals and preventing further harm caused by ransomware.

In conclusion, the discussions brought attention to the challenges posed by cybercrime, the use of AI in sophisticated attacks, the need for regulation to prevent AI misuse, the difficulties in regulating a fast-changing technology, and the importance of international cooperation to counter cyber threats. The rising costs of combating cybercrime were seen as a pressing concern, while the practical implications of banning ransom payments highlighted the complexities of finding effective solutions. The analysis shed light on the ongoing efforts to tackle cybercrime within the framework of peace, justice, and strong institutions.

Mohammad Abdulaziz Boarki

The analysis reveals that the healthcare sector, emerging technologies, and oil sectors are highly susceptible to high asset cyber attacks. The healthcare sector has become a prime target for ransomware attacks, disrupting surgeries and compromising patient data. Similarly, emerging technologies, such as IoT systems, are connected to wide networks, making them attractive targets for cyber attacks. Additionally, systems holding sensitive or valuable information, including government entities, are frequently targeted.

Countries with poor infrastructure face significant challenges in protecting their cyber space due to budgetary constraints and lack of resources. A global effort is needed to protect these countries from cyber threats. Awareness training and capability building in cyber space are crucial in enhancing cybersecurity. Adequate budgetary allocations are necessary to combat cybercrime and protect institutions and citizens. Cybersecurity is now one of the top three priorities for any country, and countries need to invest more in cybersecurity.

Regulating artificial intelligence (AI) is complex due to its fast-changing nature. However, it is important to establish and adapt regulations to ensure ethical and safe use of AI. The decision to pay ransomware depends on the value and impact of the stolen data, and each country has the right to make decisions based on national interest.

In conclusion, this analysis highlights the vulnerability of various sectors and systems to high asset cyber attacks. The importance of global collaboration, awareness training, budgetary allocations, and investments in cybersecurity is emphasized. Adequate regulation of AI and thoughtful decision-making regarding ransomware are crucial in ensuring cybersecurity. By addressing these issues, countries can protect their institutions, citizens, and national interests in the digital landscape.

Dan Cîmpean

Phones, tablets, and laptops are considered the most vulnerable devices to cyber attacks because they are in close proximity to humans. The aggressive digital transformation in recent years has resulted in the installation of numerous applications and tools on these devices, making them prime targets for malicious activities. These devices also contain a significant amount of data and are constantly used, further increasing their susceptibility to cyber threats. Protecting personal devices from such threats is crucial as any negative impacts can have serious consequences on productivity, finances, and daily activities. The healthcare sector is another area particularly vulnerable to cyber attacks. The consequences of such attacks can have a direct and harmful impact on human lives. There have been documented cases, such as a hospital in Germany being subjected to a ransomware attack, which resulted in a patient’s death. The potential disruption caused by cyber attacks on healthcare systems can render hospitals unable to handle patient cases, leading to tragic outcomes. Consequently, there is a need for greater investment and focus on improving the cybersecurity of healthcare systems. The healthcare sector, being relatively less mature from a cybersecurity perspective, requires increased financial resources to ensure the safety and well-being of patients and medical professionals. It is recommended that the cybersecurity of healthcare systems should be given priority by national competent authorities. Privacy protection, especially among young people, presents a significant challenge. While young people are often proficient in using digital technologies, they tend to overlook the regulatory landscape. However, it is noteworthy that young people also play a vital role in knowledge transfer to older generations when it comes to online safety. They are often the ones teaching their parents and grandparents how to behave safely online, as they possess more experience and understanding of digital technologies. Consequently, there is a call to invest more in educating young people about cybersecurity, given their proficiency and their potential to bring about a paradigm shift in the dissemination of digital knowledge. Regulatory measures are crucial in combatting cybercrime; however, the ever-evolving nature of technology poses a constant challenge in enforcing effective measures. Cyber criminals exploit the vulnerabilities of technology, causing harm that is often difficult to prevent and mitigate. It is recognized that the education and resilience of regular internet users play a significant role in reducing cybercrime. With millions of users directly or indirectly needing protection, their behavior on the internet, as well as the resilience of critical infrastructures, become crucial factors in preventing cyber attacks. In order to achieve this, there is a need to improve the education of internet users and enhance their ability to respond effectively to potential threats. Dealing with the ransomware phenomenon is an intricate issue that presents complex problems with no clear or effective solution at present. There are debates surrounding whether paying ransoms to cyber criminals should be prohibited or encouraged. It is acknowledged that paying ransoms can perpetuate the cybercrime economy; however, finding alternative solutions to tackle ransomware remains a challenge. There are difficulties in cascading down decisions of not paying ransomware at an individual or organizational level, highlighting the complexities of addressing this issue. In conclusion, protecting personal devices from cyber threats and ensuring the cybersecurity of critical sectors like healthcare is of paramount importance. Education and awareness, particularly among young people, play a crucial role in combating cybercrime. Regulatory measures need to be continually updated and enforced to keep up with the ever-evolving nature of technology. Additionally, efforts to deter cybercrime include the banning of ransomware payments to discourage the growth of the cybercrime economy. Overall, a comprehensive approach that combines investment, education, regulation, and cooperation is essential for effectively addressing the challenges posed by cyber threats and protecting individuals, organizations, and society as a whole.

Dr. Ahmed Abdel Hafez

Cyber attacks have both direct and indirect impacts on humans, affecting both individuals and digital services. Individual loss of control over data, such as banking credentials and social engineering details, can greatly affect individuals. Furthermore, cyber attacks on digital services like healthcare, intelligent transportation systems, and other emerging service systems that are being digitised can have direct or indirect impacts on human beings.

The psychological impact of cyber attacks and digital dependency is becoming prevalent. The fear of losing a mobile phone, known as “nomophobia,” is a psychological issue that is on the rise. In addition, issues such as cyber bullying cause harm to people, particularly vulnerable individuals like young girls.

The increasing dependency on mobile phones is a concern as well. People’s lives are now heavily reliant on their phones, which contain their bank details, personal information, and social accounts. Even the loss of battery life in a phone can cause stress in individuals.

Awareness plays a crucial role in combating cybercrime. Dr Hafez suggests that teaching people how to handle digital transformation safely is crucial and can reduce cyber attacks by 80 to 90 percent. This highlights the importance of educating individuals about cybersecurity risks and best practices.

Strict regulations and laws are necessary to control cybercrime. Dr Hafez believes in implementing strict rules and regulations that should be followed by individuals and government officials. In Egypt, for example, anti-cybercrime laws and data privacy laws have been enacted.

A Child Online Protection strategy is essential to help children access the internet safely, especially considering that 40% of the population in Egypt is under 18. This underscores the need to protect vulnerable individuals from the potential harms of the internet.

The role of artificial intelligence (AI) in cyber attacks is significant. AI can be used to invent new sophisticated attacks, including zero-day attacks, which complicates the task for cybersecurity professionals. Additionally, the scope of potential attackers has expanded with AI, as individuals do not need to be cybersecurity experts to use it.

The ethical use and control of AI are important considerations. Currently, AI is seen as an uncontrollable technology, leading governments and organizations like the United Nations to work on managing its use in an ethical manner.

Ransomware attacks pose a significant issue, with losses reaching three trillion US dollars last year. Nations’ efforts to control ransomware have become crucial in mitigating the impact of these attacks.

Data has become the most important asset in the global economy, on par with oil. As such, responsible data management and protection are essential for economic sustainability.

Strong data backup control measures and international collaboration are necessary to effectively combat cybercrime. Dr Hafez emphasizes the importance of a three-to-one backup for data assets to prevent ransomware attacks. Furthermore, increased collaboration among nations is necessary since cybersecurity is a cross-border activity that requires cooperation and collaboration.

Overall, cyber attacks and their various impacts on human beings are significant considerations in today’s digital world. From the direct impact on individuals to the societal implications of digital dependency, it is crucial to address these issues through awareness, regulation, protection strategies, and international collaboration.

Ryan Chilcote:
Chairman of the Executive Beirut Egyptian Supreme Cybersecurity Council Dan Campin, Director, National Cybersecurity Directorate, Romania Major General Retired, Engineer, Mohamed Abdelaziz Bouarki Chief, National Cybersecurity Center, NCSC, Kuwait Ryan Chilcots, Moderator, Master of Ceremonies, former Bloomberg, CNN, CBS, PBS, and Fox News It’s so nice to see so many of you are still here. We must be doing something right at the Global Cybersecurity Forum. This panel, as you’ve probably seen in your programs, is called Cyber Cost Reframe. And the idea is we’re used to measuring financial losses, economic losses, when it comes to cyber activity, cyber disruption, cyber attack, cyber crime. Less used and perhaps less skilled at talking about the direct human harm that can come from cyber disruption. So that’s what we’re going to do just now with my three esteemed panelists who were just introduced, so we won’t have to go through that again. Thank you so much for joining us. I like this topic because we can really take it where we want to. But we need to kind of nail some things down before we get into it. So Dan, let me do that with you. Let’s start with where the harm can be done. In other words, what cyber-related systems are most vulnerable to malicious cyber activity when it comes to causing us humans?

Dan Cîmpean:
Thank you. Thank you so much, Ryan, for the question. Most intuitively are the devices, the systems that are the closest to our own person. The phones. Phones and tablets and laptops and so on. Simply because we saw it in the last years, thanks to the very aggressive digital transformation, we installed plenty of applications, plenty of tools. We have plenty of data on devices that are really, literally on our person. And they are the ones that influence and impact our daily life, our relations, our communication, our work, actually. So everything that impacts a device that I’m using on a daily basis, definitely it harms me in a variety of ways. Whether I lose productivity or I lose money or I lose time or I get impacted in a negative manner in the way I do my work and my activity.

Ryan Chilcote:
Thank you very much. Dr. Ahmed Abdel-Hafiz, I’m trying to figure out, Your Excellency, if Dan’s point just now was kind of obvious and simple as a result of being obvious or actually a bit profound. So if you could weigh in on that. And also, let’s zoom out. Okay, phone. I think we all understand that our phone and losing control of the data on our phone can cause us trouble. If we zoom out, what kind of macro problems can we run into? Yeah.

Dr. Ahmed Abdel Hafez:
I would like first to thank Saudi Arabia for inviting me for this great event. Thank you very much for the hospitality and for the great event. First of all, let us talk about if you are talking about any digital transformation or any kind of to help the property of the human being or well-being for the human. So any cyber attack will harm the human being, if it is direct or indirect. So coming up with my friend Dan saying about the phones, there is a psychological disease right now called nomophobia. No mobile phone phobia. Yes. So the fear of losing your mobile phone. Since whole life on your phone. A bank account, your credential, your social engineering, your WhatsApp, everything is on your phone. So if you lost your phone, even if you lost the battery of your phone, you are feeling you are always shaking the life of your phone if it is going to lose the battery or not. So there is a lot of activities. If cyber attack will harm this, will have a direct impact on the human being which is indirect or indirect like healthcare property, like ITS, intelligent transportation system, which will be digital transformation. Emerging service systems which will be digitized. All these services will be digitized. So will be affected with cyber attack, will have an impact or direct or indirect on the human being and the well-being of the human. So everything, every cyber attack, whatever it has a direct impact on the human or not a direct impact, will have a bad impact on the human being about his well-being, about his life. Even in the societal environment itself, for the cyber bullying, cyber bullying in the social engineering, using, abusing of the small girls or something like that. All these activities will be harmed with the human activities. Thank you very much. And that term again was no phone? No mobile phone phobia. It’s called a nomophobia, no mobile phone phobia. Yeah. I think there might be some people in the audience suffering from that right now. It’s a disease for the psychologist known eight years ago. It’s not a new disease here.

Ryan Chilcote:
Thank you very much, Your Excellency. Engineer Borki, we also just heard about health care. So if we, is health care a big concern when it comes to human harm?

Mohammad Abdulaziz Boarki:
First of all, salam alaikum wa rahmatullah wa barakatuh. Thank you for Saudi Arabia for having us here. And I have to greet Saudi Arabia for having the World Cup hosting for the next few years. Second of all, for answering your question, as you said, it’s a wide answer question. Health care has become the last few years one of the highest assets for ransomware attacks as well as financial sectors. Health care is close to financial? Let’s say health care was the first statistically, the first high asset was targeted by ransomware attackers. Because it makes money and money is everything. And because they encrypt data for patients, which cause disruption for executing surgeries around hospitals. That’s why it becomes a high target. Now, statistically, also financial sectors has become one of the highest assets. Money has been always, is the highest asset for everything. And if we want to go also wider with that, any high asset information which lays in a system, it becomes a high asset. For example, smartphone. Your smartphone, if it doesn’t have any sensitive information or bank information, it won’t be a harm if you’ve been attacked. But what lays inside actually the system, whether it’s a smart system or IoT, Internet of Things system, which is attached to the big wide network, it becomes a high asset. Various and as emerging technology becoming very fast evolving and very fast changing, also the high asset for attacks become changing by the time and by how important actually this smart or system is important. So, for example, also as Dr. Hafez said, military system has been always a high asset. Health care system and I can add on also oil sectors has become also one of the highest assets. So, you cannot just define whether this is a high asset this year or next year. So, it becomes a high asset when it becomes a target. So, you will not be targeted unless you are an important entity or a system or a high target for as a governmental, let’s say, target.

Ryan Chilcote:
Thank you. Thank you. Dan, can you give us an example of an attack on a health care system or a part of a health care system that caused direct human harm?

Dan Cîmpean:
Absolutely. As we all may know, about three years ago in September 2020, I think it was the first ever documented unfortunate human death due to a ransomware attack. It happened in Germany, in Dusseldorf, where due to a ransomware attack on a hospital, actually one patient was impossible to be treated by the doctors and had to be moved from one hospital to another. And actually the root cause of the death of that patient unfortunately was assessed, was ruled out as being that particular ransomware attack. And let’s just imagine that one hospital that is treating 1,000 patients every single day due to a cyber attack is not able to handle 1,000 patients a day, but, I don’t know, 100 or 200. So, the risk is gigantic. And honestly, no manager of the hospital, no authority can afford such risk. And we as regular users, we should be aware that any disruption in this sector can produce a tragic impact on our lives. And how well are we prepared to deal with those kind of attacks right now? I’m choosing carefully my words now. Unfortunately, I think there are plenty of challenges and risks over there. The healthcare sector systematically in many, many countries is not the most mature one from a cybersecurity perspective. And it’s simply because there is a proliferation of very specialized technologies for healthcare. It’s also a proliferation of digital technologies that support the infrastructure of hospitals. And thanks to this, it’s very difficult and very complex to have a very, let’s say, good security baseline for the sector as a whole. It’s also one of the sectors that needs very, very high investment. Because lives could be impacted, because patients are at risk in case something goes wrong. And I truly believe that it’s one of the sectors that should be systematically on the top of the agenda of the national cybersecurity competent authorities in terms of focus and investment.

Ryan Chilcote:
Yeah. Okay, so we’ve talked a little bit about the so-called attack surface, where these attacks can happen. Your Excellency, Dr. Hafez, if you could talk a little bit about, you know, how one measures the impact of these things, if it’s not financial, if there isn’t a… How do you… Because governments are good at dealing with problems that they can measure. And money is easy to measure. But what about, like, what we’ve just been talking about?

Dr. Ahmed Abdel Hafez:
Are you talking about the role of the government to understand the cybercrime will impact as a human being? I’m always saying, awareness is a very important issue. All the governments will take care about it. To raise the awareness of the human being, how to deal with the digital transformation in a safe manner. So all governments all over the world are moving right now for the digital transformation. To make the life of the people very easy or something like that. But in the other way, you should learn with them how to deal with digital transformation in a safe manner. By awareness, by regulations, by laws. So if the people know how to deal with the digital transformation, with the digital life, for all life, even if it’s financially, or the healthcare, or transportation, and every service in a safe manner, will reduce cyberattacks at least from 80 to 90 percent. For that, to protect themselves from being attacked, even personally. Or if this person is an employee of any organization, of any government, if he’s going to be attacked officially, his official credential, for example, his official email, if this has been attacked, the whole organization will be attacked. The mail server of the whole organization will be attacked. So awareness is the most important thing to help the people to deal with the digital transformation in a safe manner. Second one, to put very strict regulations and rules to be followed by the people and the officials in the government. So if you are talking about the human being, a normal human being, like children, like the women, like the elderly, or the disabilities, you have to learn with them how to deal with the digital transformation. For example, in Egypt, we are a big country of about 40 percent of the population under 18, which is by law considered as children. So right now we are making child online protection strategy to help the children to get benefit from using the internet, but in a safe manner. So using regulations to help the people to know their rights. The other thing is the law. We have many laws in Egypt right now, anti-cyber criminal laws, for the data privacy law. So if we are issuing this law, but the people didn’t know about this law, they didn’t know that this activity may be criminalized, or they didn’t know how to get that rights if it had been attacked by something else. So as I said, the most critical three activities in any nation should do to withstand these cyber attacks, which will be harmed directly for the human being, the awareness, regulation, and the laws.

Ryan Chilcote:
Thank you very much. Engineer Borki, we heard there from His Excellency about how so much of the population in Egypt is under the age of 18. You can’t talk about young people without talking about privacy, young people sharing, for example, images of themselves amongst themselves. It’s quite common now, and then those can get in the wrong hands. How big of a problem is that, and how do you deal with it?

Mohammad Abdulaziz Boarki:
I want to elaborate on my colleagues’ feedbacks. It’s a great impact. It’s a scary impact. One of the challenges now is not about having technical and regulation publications. It could be about budgetary. People or country doesn’t have enough budget or the right budget actually to execute publication and regulation for sizing and measuring cyber impacts. If you can measure it, you can’t manage it. So, the great impacts about any country individually or collectively, so it has to be a collective approach and a collective collaboration. And I believe, I suggest, I mean, since we have now a global medical organization for any coming up pandemics, which they can help poor countries for not having medical. Now, there is poor countries which they have poor infrastructure, and they don’t have the capabilities actually for protecting their cyber space. So, why not having now a global effort which helps other countries to protect, because this is a via versa. For example, now, if I am a country A, which have a good high capabilities in cyber, and a next neighbor country has a weakness in cyber, it could be a threat for me. So, now, helping the whole surrounding countries which having a great, let’s say, plan or executive plan for cyber is a must. And the impact is devastating, and it could be costing million of dollars by not having the right strategy or clear objectives. And the clear pillars, as my colleague says, awareness training and building capabilities in cyber.

Ryan Chilcote:
And just because you mentioned the word budget there for a moment, we heard during the plenary session the former president of Estonia talking about how… she’s concerned about the spiraling costs of dealing from a governmental perspective. Not exactly our topic here, but you both are all coming from governments dealing with this issue. She mentioned that the budget of Estonia for combating cybercrime has grown five-fold over the last five years. Of course, Estonia has a neighbor that part of the reason why that budget has been going up. But how do you, is that an issue? That attracting the necessary resources to deal with cybercrime in your country and in general for countries right now?

Mohammad Abdulaziz Boarki:
It is an issue. I mean, if you don’t believe that cyber could be devastating, and now it’s the fourth domain in the world, we have physical domains, for example, land, sea, and maritime domains. Now we have a cyberspace domain, and it’s nothing less than those three physical domains and borders. So now, if you believe now that cyber could take you to a nightmare for any countries, now you will set up the right budgetary. But things, now I’m speaking about many challenges now. It’s some countries, and they don’t believe now cyber is a threat.

Ryan Chilcote:
You wanna name names?

Mohammad Abdulaziz Boarki:
Until they have been hit.

Ryan Chilcote:
You wanna name the countries right now?

Mohammad Abdulaziz Boarki:
Many countries. So, I mean, if you believe that cyber could be power, and cyber could be a threat, it’s the way, how can you deal with it? And if I wanna quote from His Excellency Adel Al-Jubeir, he mentioned a very important quote, that now any country pillars, now the top three, I think cyber could be the top three, or it is the top three priorities for any countries. It could hit your economy, it could hit your society, and it could hit your financial system. So this is something we need to actually invest on, and we need to take it in consideration.

Ryan Chilcote:
Thank you. Dan, if I could bring it back, when we think about the attack surface, and we’re gonna move on from this and talk about collaboration in a moment, the issue of privacy and protecting your privacy, which we just started to kind of move into, particularly amongst young people, how big of a problem is it? And how do you deal with that?

Dan Cîmpean:
I think it’s a big challenge, honestly. And one of the root causes of being such a big challenge is that, especially the young generation, it’s by far better and more proficient than we were in using technologies. And something that we tend to forget is that they get their knowledge and their good practices from each other in the very first place. They tend to not look too seriously at regulatory landscape. Kids and young people, they don’t really read cybersecurity-related laws, and they get good practices in the way they find it more appealing and receiving it from each other. So we have to address, actually, this challenge, and also not to forget that, simply because they are more experienced in using digital technologies than older generations, we have a shift in the paradigm. So now kids and youngsters are teaching their parents and grandparents on how to behave safely, how to protect privacy, how to protect their data on the internet. So it’s something that we should look very, very careful at and, honestly, invest a bit more in the knowledge of this young generation to get them to help all of us to get more resilient and more secure in cyberspace.

Ryan Chilcote:
Your Excellency, how does, we were talking about this over the last day and a half, emerging, our favorite emerging technology, AI, how does that complicate threats when it comes to human harm?

Dr. Ahmed Abdel Hafez:
Well, as we, as cybersecurity guys, got benefit from using AI, the attacker as well got benefit from using AI to invent a new attack, a zero-day attack, which will be sophisticated, which will be very complicated to deal with. So AI, it has both sides, it’s a good and a bad one. For the good one, the cybersecurity guys, we’re using, for example, if you have a very big data or a very big incident, we need to analyze, we need to, using AI will help us to accelerate that process. But on the other side, as I said, even if you don’t, a cybersecurity expert, if you’re just a human, a normal one, knowing a little bit about AI, using the very well-known, the track share GPT right now, you ask them to make a new attack, they’re gonna do that for you. So AI, it’s uncontrollable technology until now, since all the government right now, all the United Nations right now, are looking for how to control or to manage using ethically AI, in an ethical manner. Even in educational service, any student right now can write his report using AI. So AI help the attacker very well to invent a new attack, a sophisticated one. So as a security guys, we are suffering right now from a zero-day attack. Zero-day attack, it means that an attack with no fingerprint, for example. So using a new one, so we need to deal with the new attacks every second. Every day right now, there’s a new attack using AI. So the span of the attacker has been increased using AI. As I said, you don’t have to be an expert for the cybersecurity to be an attacker. But since it gives a lot of money, so a lot of people right now using AI gonna be attacker. So it will be sophisticated, it will be harder for us to withstand this activity using AI.

Ryan Chilcote:
Thank you, Your Excellency. Engineer Borky, they just had an AI summit in London, which heard the word 50 times in the last several sentences. How do you regulate moving to the solution at the end of this conversation? How do you regulate AI so that you don’t have these kind of problems? I think I’ll rephrase your question. Can we actually regulate AI?

Mohammad Abdulaziz Boarki:
This is the main question. I don’t think it’s something constant. AI is fast changing also, and it could be also a powerful protection, and it could be a weakness and a threat. It depends the way you use it. So regulating AI is not something I believe, it’s not an easy job. It should be constantly changing your publication and policies to keep up with fast and changing technology. AI has been approved both ways, have been approved positive approaches and have been approved negative approaches. AI has been one of the ways of attacking system by the attackers, also as well as it has become a good solution in medical sector, for example, for helping surgeries and around the world by using the 5G connectivities. So AI, it’s a big topic. AI, it’s a deep thought. AI is not something we can, I believe, it’s not an easy job to regulate.

Ryan Chilcote:
Yeah. Okay. That’s a bit worrisome. This is my thought. Thank you. Dan, okay, so if we can’t, I mean, because we were listening to Jose Barroso, the former president of the European Commission, the other day talk about how it took the European Union nine years to come up with GDPR. That was a good thing because they got scale and we all use it now. It’s sort of like the global standard, but AI, I don’t know, maybe it’s another beast and we probably don’t have nine years. So what can, what should a nation do to control this problem of cyber crimes causing harm to people?

Dan Cîmpean:
I think obviously in the very first place, we should have very good regulatory measures, which is something extremely difficult to put in place. For a very simple reason, technology will be always one step ahead of regulatory environment. So first technology will come, cyber crime, for example, will use and exploit the vulnerabilities of those technologies and will do harm. And then national competent authorities at the level of one country or group of states, they will have to come with some measures. That’s one big challenge. It’s not very easy to align those measures because if one country is very resilient, very strong in terms of regulatory measures and others are less mature, basically we don’t fix the issue. Then we have to really, really invest a lot in educating the user. And just to give a simple example, we have to protect millions of users, honestly, either directly in the way they act when they behave on the internet, in cyberspace, or indirectly through the critical infrastructures that need to be resilient, available, and so on. So we have to really work on those dimensions. Regulatory measures, on one hand, and this is not easy to put in place, especially when it comes to, for example, the ransomware phenomenon, the always debatable issue of do we want to ban payment for ransom or not? How should we tackle this? And no one has a magic solution up to this moment. Up to the moment of how to increase education and resilience of regular users that if we put them together, they become a gigantic attack surface that can be exploited by malicious actors. So what I truly believe is that we have a very, very, very serious challenge ahead of us and we have to focus really systematically on this.

Ryan Chilcote:
Let me pick up on the ransomware idea real quickly with you for a second, because just, I guess, last week, 40 countries came together to agree that they would not pay ransomware on a tax. Now, my assumption was that they were talking about on a national level. So if the United States gets attacked and someone tries to extract a ransom from the US, I don’t know if the US was a signatory to that agreement, then the US wouldn’t pay it, just like the other countries, and so they’re coming together to try and, you just mentioned basically banning people from paying ransom. So for example, if someone sends you an email and they say, Ryan, we have some really sensitive information about you and we’re gonna share it with the world, you’re saying that you would ban me from paying those people to get my information back?

Dan Cîmpean:
The difficult challenge is how to cascade down decision that is taken at the national level. For example, my country doesn’t pay ransomware. Yeah, that I kind of get. To cascade it down to private actors, to industry organizations, and ideally cascade it down to the level of users. But how to create this mechanism, how to enforce it, that’s very, very complicated, because at the end of the day, users are autonomous, they behave in their own way, and it’s extremely difficult to enforce it, actually. My personal opinion is that we should attempt to ban ransomware payment across the board, simply because by paying a ransom, actually we encourage the phenomenon. We finance the cybercrime, actually.

Ryan Chilcote:
I wanna come over to your excellency in a moment, but real quickly, and Engineer Borki, I saw you shaking your head. Should countries ban their citizens from paying ransomware?

Mohammad Abdulaziz Boarki:
I don’t think there is a correct answer here. It depends on how valuable are, for example, the attack. My information is very valuable. My private information. You answered, actually, the question, is how valuable, actually, the attacker has taken in national-wide or individual-wide. So, for example, now, if someone stole your data, and the only data that you have is in your smartphone, and you don’t have a backup for it, would you negotiate? If it was cheap to get it back, maybe, yeah. If there is a way, and you can get it back in a cheap way, of course you’re gonna, because this is your life and your smartphone. Let’s talk, let’s take it to the next level. Now, if this information or whatsoever that the attacker has been taken and encrypt those data, and those data can cause a national threat or a disruption of services in this country, do you think we cannot negotiate? So, I mean, it depends. I don’t think this is something that it could be a one solution in each country, but each country has the right to deal with it how they see it, and I believe if it’s for the national interest, I don’t think there is a problem to negotiate.

Ryan Chilcote:
Your Excellency, Dr. Hafez, I’m gonna give you.

Dr. Ahmed Abdel Hafez:
Let me add something to my process. The issue of the nations trying to control the ransomware, the losses for ransomware attacks has been increased in the last year, three trillions of US dollars. So, we are trying globally to control the ransomware, but as His Excellency said, if any organization didn’t follow the controls of making three to one backup for their assets, so the data right now, it become the most important assets. It’s gonna be the oil of the world right now. The data will be the oil of the global right now. So, if any organization didn’t control or make a backup for their data, as a punishment, they should pay the ransomware. They would pay the money to get their data back.

Ryan Chilcote:
I’m gonna give you the last word. Sure. Are you satisfied with international collaboration to combat the cybercrime that can lead to human harm or just in general, cybercrime? Are you satisfied with the international collaboration we have now? And if you’re not, because this is GCF and we’re all about having a shared action plan and tangible results, give us one thing nations can do to collaborate better.

Dr. Ahmed Abdel Hafez:
If you’re asking me, I am satisfied. No, I am not satisfied about. I’m almost prefer a word, collaboration rather than cooperation. Yeah. In Arabic word, collaboration means ta’adud, cooperation means ta’awni. Ta’awni means to be shoulder by shoulder for to be with a nation, yeah. Collaboration between nation will help all of us to overcome the cyber attack with keeping the dignity or the classified data for the nation. So, cooperation or collaboration doesn’t mean to reveal your classified data between nations, yeah. But we should collaborate even regionally in the Arabic world, the Middle East world and international. Right now, there’s a lot, many efforts for the whole nation to collaborate, to come up with the anti-criminal law. Regional, it’s international law. But it’s very difficult. Each region has its mindset about the data protection, data privacy, human rights. You know, this is a very conflict, yeah. But if we didn’t collaborate, the attacker will be succeed. You know what? We, all over the world, the spending of, for cyber security in a billion. But the losses in trillions. So, we need to change our philosophy for dealing for cyber security. And one most important thing of them is a collaboration. Since cyber security is a cross-border activity, you didn’t control. You have to collaborate with all government to get agree upon certain controls, a certain framework, a certain laws about anti-criminals. So, I’m not satisfied. We still have more efforts for collaboration.

Ryan Chilcote:
Dr. Achmed Abdel-Hafiz, thank you so much. Dan Simpion, and Engineer Borki, your excellencies. Thank you very much for this conversation. We’re out of time, but I learned a lot, and I hope you did as well. Please join me in giving a big round of applause for our esteemed panelists. Thank you. Thank you guys.

Joy Chick

Phishing and social engineering attacks are prevalent across various industries, including healthcare, government, and finance, due to people’s busy schedules and lack of attention. These attacks have become the easiest way for criminals to obtain sensitive information and credentials. The increasing volume, scope, and sophistication of social engineering attacks are a concern, as attackers continue to evolve their strategies.

It is important to note that cyber attacks can happen to anyone, regardless of their level of technical knowledge. Therefore, individuals must remain vigilant and take necessary precautions to protect themselves and their information online.

The use of emerging technologies like Gen AI and machine learning by cyber criminals has enhanced phishing attacks. These technologies allow for automated and personalized campaigns that are difficult to detect and deceive people. This underscores the need for individuals to stay informed about the latest cyber threats and adopt robust security measures.

However, AI and Gen AI can also be used to enhance cybersecurity efforts. Companies like Microsoft employ AI to evaluate the security of user identities, devices, networks, and data. This technology can detect anomalies and breaches by analyzing vast amounts of information, while Gen AI automates these processes and reduces the burden on cybersecurity specialists.

To effectively combat social engineering attacks, individuals are advised to use phishing-resistant multi-factor authentication (MFA) and remain cautious of potential threats. However, it is important to recognise that MFA is not foolproof, as attackers have found tactics, such as SIM jacking and creating fake websites, to bypass these security measures. Maintaining a high level of vigilance is therefore essential.

The inconvenience of managing multiple passwords poses another challenge. Remembering different passwords for various accounts can be difficult and can lead to security risks. Password management solutions are necessary, and individuals should avoid reusing passwords and credentials across multiple accounts.

Responsibility for online protection should not solely rest on users. Collaboration among industries, authorities, and society as a whole is crucial for implementing effective cybersecurity measures. Biometrics and device-based authentication methods, such as Fast Identity Online (FIDO), are increasingly being adopted to securely verify users’ identities.

A zero-trust approach to identity verification and security is essential. This approach involves continuously verifying identities, granting minimal privileges, and assuming that breaches can occur, focusing on prompt detection and remediation.

In the era of cloud services, protecting workload identities is crucial. As more customers transition to the cloud, safeguarding non-human identities becomes increasingly important. Streamlining and decentralising verifiable credentials are necessary to ensure robust protection.

AI has the potential to revolutionise the security industry by identifying anomalies, detecting breaches, and taking real-time action. It simplifies the work of cybersecurity professionals by reducing reliance on multiple tools and logs.

Overall, security is a collaborative effort that requires the active participation of various stakeholders. By staying informed, adopting robust security measures, and fostering cooperation among industry players and societies, we can effectively combat the growing threat of cyber attacks and safeguard our digital ecosystem.

Moderator

In a recent discussion on the topics of smoke and mirrors, social engineering, and sophisticated phishing, Joy Chick, the President of Identity and Network Access at Microsoft, and Lucy Hedges, a technology journalist and TV presenter, explored the intricacies of cyber attacks and the necessary steps to protect against them. The discussion provided insights into the deceptive tactics employed by cyber criminals, including the use of smoke and mirrors to create illusions and misdirect attention. These tactics often result in successful social engineering attempts, where attackers manipulate individuals into revealing sensitive information or compromising security.

Both speakers stressed the critical importance of educating people about the various tactics employed in cyber attacks. By raising awareness and promoting digital literacy, individuals can become more vigilant and better equipped to identify and defend against deceptive strategies. Chick emphasised the need for organisations and individuals to invest in comprehensive cybersecurity training covering topics such as phishing awareness, safe browsing habits, and password hygiene.

Furthermore, the discussion highlighted the increasing sophistication of phishing techniques, noting that attackers are constantly evolving their methods to outsmart security measures. Traditional approaches to identifying phishing emails, like checking for spelling errors or suspicious links, are no longer sufficient. Cyber criminals have become adept at crafting highly convincing and targeted emails that are nearly indistinguishable from genuine communications. This necessitates the implementation of advanced security measures that go beyond traditional email filters and firewalls.

In conclusion, the discussion underscored that smoke and mirrors, social engineering, and sophisticated phishing are persistent threats that require continuous improvement in cybersecurity practices. Education and awareness are key to mitigating these risks, and organisations should prioritize implementing robust security measures to counter the evolving tactics employed by cyber criminals. By staying informed and proactive, individuals and businesses can enhance their defenses and safeguard their sensitive information from falling into the wrong hands.

Lucy Hedges

Social engineering and sophisticated phishing attacks are emerging as increasingly concerning threats to our digital society. These attacks exploit human vulnerabilities and security gaps and are executed by highly skilled perpetrators. It is worth noting that emerging technologies, such as Gen AI, are accelerating the innovation curve in these attacks.

To effectively defend against these threats, it is crucial to have a deep understanding of how social engineering and phishing attacks work and how they are evolving. These attacks are becoming more sophisticated, necessitating individuals and organizations to stay informed and updated on the latest tactics employed by cybercriminals. Without this knowledge, countering these threats becomes increasingly difficult.

In this context, Lucy Hedges implicitly praises Joy Chick, highlighting her authority in the security landscape and her exceptional leadership role in managing Microsoft’s Identity and Network Security Solutions. With oversight of the largest user base in the world, encompassing both consumers and commercial entities, Joy Chick’s leadership underscores the importance of expertise in combating security threats.

Lucy Hedges emphasizes the evolution of social engineering attacks over time, noting their increased intricacy and sophistication. It is crucial to recognize that cyber attacks can happen to anyone, regardless of their technological knowledge or industry of work. This serves as a reminder that no one is immune to such threats and that everyone must take precautions to protect themselves and their data.

In conclusion, the escalating threats of social engineering and sophisticated phishing attacks present a significant risk to our digital society. The evolving nature of these attacks calls for continuous education, awareness, and the adoption of advanced security measures. Strong leadership, exemplified by Joy Chick, plays a pivotal role in navigating and mitigating these risks. Cybersecurity is a collective effort that demands vigilance from individuals and organizations alike.

Moderator:
Smoke and Mirrors, Social Engineering and Sophisticated Fishing. Joy Chick, President, Identity and Network Access, Microsoft. Lucy Hedges, Moderator, Technology Journalist and TV Presenter.

Lucy Hedges:
Hello, hello. I hope we’re all having a great event so far. Lots of insights and lots of inspiration to go home with after today. So we are here to talk about social engineering and sophisticated fishing. You know, these are the kinds of attacks that involve the use of deception by incredibly skilled perpetrators who are really adept when it comes to exploiting human vulnerabilities and security gaps to really capitalize on trust to gain unauthorized access to sensitive information and systems. Now these kind of attacks are moving at unprecedented speed which is in no small part down to emerging technologies like Gen AI that’s really accelerating the innovation curve when it comes to modern social engineering which is ultimately escalating its threats to our digital society. So it’s crucial or critical even for us to really understand the intricacies of these attacks which are getting more sophisticated by the day in order to really understand how to defend against them. Now I am joined by someone who is very well-versed in this area. Joy Chick is, I think it’s fair to say, a force to be reckoned with in the security landscape. She runs Microsoft’s Identity and Network Security Solutions running the world’s largest security systems across consumer and commercial which has over a million enterprise users, a billion enterprise users and almost a billion consumers on a monthly basis. So Joy, how are you?

Joy Chick:
Great. Thank you, Lucy. And good afternoon, ladies and gentlemen. It is actually my first time visiting the kingdom and it’s very much a great honor to be here.

Lucy Hedges:
Absolutely. Now we’ve got a lot to get through in a short space of time so I’m going to dive straight into my first question. So we’re going to start by defining the problem and the impact of this issue. So why are phishing and social engineering attacks such a big problem in cybersecurity?

Joy Chick:
Yeah, with any breaches, the most important thing that our criminals want to get is your credentials. Yes. And guess what? The easiest way to get credentials is through social engineering and phishing. That’s because it’s easy when we are busy. It’s easy for us when we’re not paying attention. Yes. You click on that email link and you get hacked. I think we talked over the break, like, geez, even us as security professionals, we get tricked sometimes. And when it happens, it really feels like it really breaches our trust, if you will. But it happens. And actually when it happens, it’s not just for consumers, it’s across the entire industry whether it’s healthcare, whether it’s government, critical infrastructures, financial industry. Yes. And the impact is devastating.

Lucy Hedges:
Yeah. I think there’s this misconception, isn’t there, that these kind of attacks happen to people that aren’t very clued up, they don’t work in tech, they don’t really know. But it can happen to anyone.

Joy Chick:
Anyone and to every one of us.

Lucy Hedges:
Hands up who’s been a victim of a phishing attack or have clicked on a nefarious link in the past. I know I have. I was busy, I was on the move and I clicked a link in WhatsApp and, you know, my phone got taken over. Exactly. It was really scary, a really scary time. You know, things are evolving so quickly at such an incredible pace. It really keeps us on our toes and especially you in your line of work. So how have social engineering attacks evolved over time and in what ways have they become increasingly sophisticated?

Joy Chick:
Yeah. And I want to say the sophistication is both volume, scope and also just the scale, if you will. And, you know, from Microsoft, you know, we see globally all the attack that happens across our cloud services. Just some data points. In 2021, we see about almost 600 passwords get attacked every single second. OK. And in 2022, that number has doubled to over a thousand. And guess what? In 2023, we haven’t finished yet. And the numbers has already quadrupled to 4,000 passwords attacked every single second. So it is really that exponential scale, if you will. And also at the same time, you know, our criminals are getting very well funded. And, you know, frankly, I would say that they’re innovating at the speed just like our cybersecurity professionals, if you will. So they get really well organized and many are backed by nation state and the multinational criminals, if you will. And some of the patterns what we see is, you know, you can say the old days or the easiest way is really just to send you an email, trick you to a website, and then you accidentally type your credentials and, you know, and you get hacked. And that still probably remain to be predominantly the primary attack factors. So we tell all our users, our customers to turn on multi-factor authentication, which by itself, by the way, so multi-factor authentication is in addition to a password, you know, second factor, you know, SMS, you know, second factor authentication. By itself, it really reduces attack by 99.9%. Yes. However, the, you know, cyber criminals then continue to work around it. So some of the techniques is called, you know, MFA SIM jacking, because the majority of the MFA is through SMS. So what the attacker does is they get in between your, you know, telephony and your, you know, your phone. So they intercepted the SMS signals and then kind of reply that multi-factor authentication on your behalf. So that’s something they are escalating. So then we said, hey, then we can talk about, you know, maybe doing phishing resistant MFA, if you will. But the reality is, you know, I think Lucy, you and I all get a lot of MFA prompts every day. Yes. Sometimes we just get fatigued and frankly confused. Yeah. So what happens, you might accidentally approve the one that is not being intended. And then there’s other methods. For example, like, you know, the criminals can do something called adversary in the middle phishing, which is they can fake a website that looks exactly like the real website and get you over there and then store your credentials through that method. And sometimes they can come across as from some kind of official authorities. And like, you know, hey, I come from officially some tech support. So you thought you are being helped, but instead you are being hijacked.

Lucy Hedges:
Yeah, it really is unbelievable just how sophisticated and complex these attacks are. And like you say, these kind of nefarious characters are moving at the same pace in which the industry is moving. And, you know, if these guys could only just apply this incredible knowledge to good, the world would be a much better place. But unfortunately, that’s not how it works. You’d be out of a job, that’s for sure. And I’m gladly to be, if that’s the case. Let’s talk about Gen AI, because, you know, this is a massive talking point at the moment for various reasons. So how are cyber criminals leveraging emerging technologies like Gen AI and machine learning to really enhance these phishing attacks and create more convincing and targeted phishing emails and websites like you just discussed?

Joy Chick:
So I would say, you know, in the past, we probably, for those of us a little bit more sophisticated, we say, hey, maybe you can detect phishing email forms, like, you know, an email is poorly written with grammar mistakes. Or kind of in a form, you know, it is, you know, sort of massively produced, you know, so like, I don’t need this, right? So you kind of can filter some of that. Or the address looks a bit dodgy. Or the address looks a bit dodgy and all that. But now with Gen AI, they can improve the quality of the email. So, A, it’s a lot more compelling email. And frankly, they can also tailor that email. A, they can tailor to be more coming from, like, your work, you know, from people you know from work. Because they can actually use some of the AI to learn what’s your context. Yes. You know, so through that. They can also tailor to your own personal needs. Like, Lucy, if you like, you know, shopping or sort of specific website, they might tailor as if it comes from that specific website that’s tailored to your needs. So they have more context about you. So from that perspective, you know, I think it makes it a lot harder to detect it’s a phishing email. And frankly, a lot easier to trick people. Yes. And at the same time, also, Gen AI helps, you know, to generate these phishing email campaigns much faster. Yes. And the fact that you can, you know, using kind of natural language. So even for the, you know, attackers, they actually have to write less code. They have to write less scripts. And they, you know, Gen AI help them to automate the phishing campaign for what it’s worth. So, yes. So I think that’s why we see the, you know, the attack patterns that has been exponentially escalating over the years.

Lucy Hedges:
Yes. It’s almost enough to make us incredibly paranoid, isn’t it? Absolutely. Yes. And I think the rule of thumb here is to really always assume breach. I think sometimes that can be detrimental. You know, something good might come in and you’re like, I don’t trust that. And you don’t click it or you don’t get involved in it. And that can be detrimental to the user. But unfortunately, the sophistication of which these attacks are coming, it means that we always have to have our guard up. Absolutely. Yes. So let’s talk Gen AI for good. You know, we talked about the evil side, you know, the nefarious side. How can Gen AI, no, would Gen AI also, how can Gen AI help defend and protect in the cybersecurity space?

Joy Chick:
Yeah. I would say both AI and now Gen AI, if you will. So, you know, one of the things that, you know, at Microsoft, we’re really thinking about protecting our customer is you have to think about an end-to-end approach. Because, you know, it starts with identities, user identity and credentials. But, like, you know, you’re using the iPad. The device that you are on, whether the iPad can be trusted or not or it’s being compromised or not, the network we are on, whether the network is secure or whether the network is compromised. And, frankly, the application you access, the data you are trying to really try to protect. So we are really looking at what we call the digital estate of end-to-end for our customers. So from that perspective, as we’re looking through all the, you know, trillions of signals in our cloud services, we can really apply AI machine learning to detect what are the anomalies and how to then real-time, if you will, to help to, you know, help our customer to detect any breach and to remediate it quickly. And then with the Gen AI, what it helps is really to help us to automate a lot of this process as well as helping security professionals so that rather than they have to use different security tools, rather they have to understand the logs, then they can use more human natural languages to understand, hey, if Lucy is being compromised, why Lucy is compromised? So by simply asking that question, rather than have to be the detective to go through all the tools and find out what’s happening. So I think Gen AI really democratize in terms of skill set, skill set that’s required to be a cybersecurity specialist.

Lucy Hedges:
Yeah, yeah. And this is, I think it’s fair to say, quite relatively new territory for a lot of businesses. You know, Microsoft is obviously incredibly well-versed when it comes to this. But do you think there’s maybe a bit of a apprehension or, you know, this lack of knowledge and education that prevents companies from really benefiting from this technology that ultimately is going to affect, benefit their customers and benefit them as a business?

Joy Chick:
Yeah, like, you know, go back to the phishing campaign, if you will. And we always, you know, talk about education is important. Yes. But guess what, Lucy, just, you know, just, you know, admit it. Do you share your credentials across your user accounts? Maybe. Some of them. Some of them.

Lucy Hedges:
But you know, my to-do list is always, you know, switch, you know, on the iPhone, for example, it’s constantly telling you when you’re using multiple passwords. And I know it’s there. Right. But I, you know.

Joy Chick:
But it’s not convenient, right? Exactly. How many passwords do you want to remember?

Lucy Hedges:
I’ll do it later. I’ll do it later.

Joy Chick:
So, you know, we talk about, hey, don’t reuse your, you know, password, don’t use your credentials for multiple accounts. You know, sometimes, like we still say, even to this day and age, we still put a little password on a sticky note on our, like, you know, iPads or computers. I can’t believe people still do that. That is crazy. Right. I don’t do that at least. Or share your credentials with your friends, you know, because of some services you want to use. So these are some of the basics. But the reality is, I would have called it, we don’t want to, you know, have the burden of protecting our users to be on the users. Right? Like, they can have the education, but that’s just not an excuse to say, hey, oh, you get hacked. It’s because you don’t know. Yeah. I think at the end of the day, we ask, why do we need passwords? Frankly, it is really, I mean, passwords is not a magic. It’s really about how to identify, like, Lucy, you as a unique person. And so we now look ahead to say, hey, what is a better way of doing that? So one of the things that’s industry standards is called a Fast Identity Online FIDO. It is an industry standard. It is a way to use leveraged biometrics because your biometrics is uniquely, you know, Lucy. And then in addition, something you have, like your iPad. So both something you are and something you have is a great way to identify Lucy as a unique person and as your credential. But in a way that is so user friendly because you do not have to remember password at all. So some of the examples are like, you know, Microsoft Windows Hello, if you will, the Authenticator app. And then now some of the newer inventions that we collaborate across Apple, Google, Microsoft and industry is about passkey support. So it is a phishing resistant passwordless method that can roam across trusted devices. And these are the things that we’re moving forward as an industry so that we can help our customers to users to be secure. And so they can, you know, prevent things like these, you know, credential theft.

Lucy Hedges:
Yeah. And it really is about time that this stuff becomes more mainstream, more talked about. I was saying to you earlier when we were having a chat about five or six years ago, I wrote an article for the Metro newspaper where I used to work, which was the password is dead. And, you know, I wrote this article, you know, we’re moving on from the password and years later, we’re still using passwords. And I want to say at least now we have more and more ways for us to accomplish that. But we still have a ways to go as an industry. Yeah, absolutely. And of course, not everyone is up to date with these latest mitigation techniques. So what I want to ask you, what role does education and awareness training such as, you know, digital literacy initiatives, what role do they play in preventing social engineering attacks?

Joy Chick:
These are the, you know, if I tell all customers, one thing they need to do is really turn on multi-factor authentication. Because even like we talk about, you may have still legacy, you know, applications. They still use passwords. Turn on MFA, multi-factor authentication itself. By itself, it reduces attack by 99.9% of the time. So I think that’s a great start. But I don’t think that that’s enough, right? So the next thing we really tell, I think that’s more about like, you know, the government and all our enterprise, the commercial customers, is really how do we apply techniques that we call the real-time conditional access risk-based access control. Basically, you know, we’re sitting here. I typically don’t travel this far. So suddenly, if I’m right now at this moment, I signed in into my work account. At least there’s a policy trying to validate, hey, is Joy really trying to access the work at this location at this time? What we call is an anomaly, if you will. And these are the things, if we can apply these in real-time based on user’s identity, based on where their location they’re trying to sign in, and based on what kind of applications and all these kind of we call the risk factors or condition factors, then we can really help to protect our customer. And you earlier talked about zero trust. Yes. You know, one of the key principles we always apply is always use zero trust, what we call assume breach. You always verify, and then you apply the least amount of privileges. You know, so you only get only the access you need with the amount of time you need for the resources you need, right? And you always assume breach so that you can detect when it happens and how can you quickly remediate. And also how can you reduce that blast radius or the impact, if you will. Yeah, yeah. Oh, and then I would say we talked a lot about human identities. But as we all know, as our customers move online, move to more and more cloud services, and guess what? There are more non-human identities than human identities combined. Wow. And so how do we think about protect what we call a workload identity? Just think about all the services, the microservices across the cloud. How do we protect them? It’s equally, if not more important. Yeah. And last thing I would just say is we still have too many identities. So how can we move to a system so that we have fewer identities using techniques like digital identities, that kind of decentralized verifiable credentials, so that we can have portable identities, so that we can make it secure and make it apply across all different applications?

Lucy Hedges:
Absolutely. That’s the way moving forward. Yeah, absolutely. Now, just to quickly wrap up, my final question. What advice do you have for organizations trying to stay secure, in addition to all the amazing things that you’ve said already on this stage? I’m sure there’s a lot of people in the audience that want to know.

Joy Chick:
Yeah, I would say, you know, AI, right? Do what I just said, and then really look into how AI can revolutionize for us in this industry. You know, AI, I think it can be scary. But at the same time, it can use to really help us to secure for all of us. And so I think, you know, keep that mind open. And I think we need to, you know, I would say security is a team sport. Yes. We have to do this together as an industry, as a society together.

Lucy Hedges:
Yeah. And what a brilliant sentiment to end this whistle-stop conversation on Joychik. It has been an absolute pleasure. I did not doubt for a second that this conversation would be nothing but insightful and inspirational. And it’s brilliant to hear from someone like yourself, who is such an impressive force in the world of cybersecurity. So I want to thank you very much. Thank you so much. Let’s give it up for my amazing panelist, Joy. Thank you. Thank you.

Ben Miller

In the analysis, several speakers provided insights on various aspects of cybersecurity in relation to industrial control systems (ICS) and digital transformation. Dragos, represented by Ben Miller, is a notable company dedicated to protecting and securing ICS. Miller leads Dragos’ services team, which includes instant response and preparedness checks, demonstrating the proactive approach of the company.

The analysis highlights a shift in companies’ cybersecurity approach from solely relying on protection-based measures, like segmentation, to more proactive measures that involve creating visibility for threat detection. This change is needed as companies integrate more similar systems, increasing the attack surface. Outdated infrastructures, running on systems that reached end of life several years ago, are particularly vulnerable and require enhanced visibility.

The analysis emphasizes the need to combat obsolescence and vulnerabilities through implementing appropriate technology. Recent incidents, such as a case where ransomware affected an undetected traffic control system for months, highlight the urgent need for improved defensive measures. Prevention alone is not enough, and visibility is crucial to understand the environments.

Additionally, the analysis acknowledges that prevention in terms of security measures can eventually fail. It is crucial to create a defensible architecture with active system monitoring and capable personnel to respond to threats or incidents. Staff members should understand how to operate in an environment where they may be provided with incorrect information.

The analysis suggests that achieving a completely secure system is not a realistic goal due to the constant introduction of new technologies and capabilities by adversaries. Cybersecurity is an ongoing journey that requires continuous adaptation and improvement.

Collaboration between IT and OT is crucial in the context of cybersecurity. It is acknowledged that the life cycle and pace of change in IT and OT are significantly different. Conversations between the domains should focus on understanding the facility’s mission and working within constraints to avoid disruptions. IT disruptions to OT systems can cause downtime in revenue-generating assets, leading to tension between the two domains.

In conclusion, the analysis provides a comprehensive overview of cybersecurity in relation to industrial control systems and digital transformation. It highlights the proactive approach of companies like Dragos in protecting and securing ICS. The shift towards creating visibility for threat detection, combating obsolescence, and the importance of a defensible architecture with active system monitoring are emphasized. The analysis recognizes that achieving absolute security is not feasible and that cybersecurity is an ongoing journey. Collaboration between IT and OT is seen as crucial, focusing on understanding the facility’s mission and constraints to prevent disruptions.

Joshua Kennedy-White

The rapid pace of technological change leads to obsolescence as new technologies continuously replace older ones. Telecommunications, for instance, have moved from 3G to 4G and now to the latest 5G network, rendering previous generations obsolete. This highlights the constant need for adaptation to keep up with the ever-evolving landscape of technology.

Adaptability emerges as the best approach to embrace these changes. Being flexible and adaptive is crucial in navigating technological advancements. Surara, for instance, actively cultivates a culture of adaptability through research and development, training, and promoting workforce diversity. This helps prepare their employees to anticipate and embrace obsolescence.

Technology itself is a major driver of obsolescence. The introduction of new technologies like artificial intelligence (AI), 5G networks, quantum computing, and space technologies fuels rapid change. For example, the development of a new navigation system for airlines can make an entire fleet of aircraft obsolete. Similarly, the potential rise of driverless cars could make drivers themselves obsolete.

However, the biggest challenge in transitioning from legacy to modern technologies lies in people. Individuals are often resistant to change and may struggle to adapt to new technologies and ways of doing things. Despite being the largest asset of a company, human resources can be the pain point in the transition process. Overcoming this challenge requires effective training and change management strategies to facilitate successful adoption of new technologies.

The concept of absolute security is explored, suggesting that it is impossible to achieve complete security. The security vendor community’s obsession with achieving absolute security is questioned, as it is proposed that resilience and good enough security should be prioritised instead. This highlights the importance of finding a balance between security and usability in technology.

The expectations of consumers and the government also need to be recalibrated in response to technological changes. It is argued that the government does not always hold the responsibility to address every issue, and consumers should have a concept of resilience. Furthermore, the sudden criticality of modern services necessitates a revised understanding of their importance as critical infrastructure.

Strategic planning emerges as a crucial factor in successfully transitioning from legacy to next-generation technologies. Without a well-thought-out plan, organisations risk accumulating a plethora of technologies without a sense of security. To mitigate this, it is recommended to establish a shelf life for technology, adopt a modular architecture, and involve vendors in the upgrade processes. These strategic considerations can help facilitate a smooth and successful transition.

In conclusion, the constant change in technology drives obsolescence, necessitating adaptability to embrace these changes. Technology itself is the leading cause of obsolescence, and the transition from legacy to modern technologies can present challenges, particularly related to human resources. Achieving absolute security is deemed impossible, and instead, the focus should be on resilience and good enough security. The expectations of consumers and the government need to be adjusted, and strategic planning is crucial for a successful transition.

Major General Manjeet Singh

Obsolescence, the concept of something becoming outdated or no longer useful, has long been practised in military inventories, with certain percentages of outdated equipment maintained. However, the pace of technological advancements, user expectations, market forces, and security requirements have significantly accelerated obsolescence.

In response to this accelerated obsolescence, it is crucial to establish a cycle to effectively manage it while ensuring functionality and security. This means finding ways to address the challenges posed by rapidly changing technologies, evolving user needs, and the market-driven demand for up-to-date equipment.

One notable effort in mitigating the impact of obsolescence is being undertaken by Major General Manjeet Singh in India. India boasts a large population of approximately 800 million internet users and 1.3 billion phone users, resulting in a significant number of transactions, around 10 billion per month. Recognising the importance of minimising obsolescence in such an advanced and connected society, Major General Manjeet Singh is working towards finding effective strategies to manage and reduce the impact of obsolescence in India.

Furthermore, India is also making commendable strides in securing its cyberspace. They are actively addressing governance issues related to cyberspace, developing comprehensive crisis management plans, and creating resilient infrastructure. Additionally, India is taking measures to ensure disaster recovery and backup plans for data, emphasising the importance of network resilience.

The analysis reveals that obsolescence is not a new concept for militaries, with certain strategies like maintaining specific percentages of outdated equipment being employed. However, the increasing speed of technological progress, evolving user expectations, market dynamics, and security considerations present challenges that require proactive management of obsolescence. The case of India highlights how the country recognises the significance of addressing obsolescence in its technologically advanced society and is taking measures to both minimise its impact and secure its cyberspace.

Overall, the detailed summary highlights the various factors accelerating obsolescence and the importance of managing it effectively. It also underscores the efforts made by Major General Manjeet Singh in India, along with the country’s commitment to securing its cyberspace.

Dr. Yacine Djemaiel

The obsolescence of software and hardware components in critical infrastructure can pose significant threats to the services they provide. There is a strong dependency between the software and hardware for each component in most cases. When the hardware fails to respond after software updates, the process to replace such hardware is initiated. However, this process can be time-consuming and may lead to potential threats regarding critical infrastructure if not addressed promptly. This raises concerns about the need for up-to-date regulations and strategies for critical infrastructure.

From the Tunisian experience, it has been observed that targeting regulation is essential in addressing this issue. In 2023, Tunisia defined a new law for cybersecurity, updating a previous law from 2004. Critical infrastructure had a dedicated chapter and a set of laws that major companies must respect. This demonstrates the significance of up-to-date regulations and highlights the importance of having specific laws that govern critical infrastructure.

Regulatory guidelines for critical infrastructure are also crucial. Dr. Yacine Djemaiel emphasises the need for such guidelines to ensure that these infrastructures are maintained and updated in a timely manner. Including criteria against which the components of the infrastructure should be certified in the regulations can further enhance their effectiveness.

However, upgrading hardware or software for critical infrastructure can be challenging for government companies. It requires detailed planning and budgeting. The process of acquiring the necessary budget and carrying out the changes in compliance with regulations may be lengthy, causing delays in maintaining and improving the infrastructure. This issue underscores the need for more efficient solutions to reduce the time required for infrastructure replacement and upgrades.

Dr. Yacine Djemaiel advocates for reducing the time needed for updates, as it would make compliance with regulations more efficient. Faster replacement and upgrades can mitigate the risks posed by outdated infrastructure. By streamlining the process and making it more time-efficient, the potential threats to critical infrastructure can be reduced.

In conclusion, the obsolescence of software and hardware components in critical infrastructure poses significant threats to the services they provide. It is crucial to have up-to-date regulations and strategies to mitigate these risks. Regulatory guidelines, along with efficient infrastructure replacement and upgrade solutions, can help maintain and update critical infrastructures more effectively. By addressing these issues, the potential threats to critical infrastructure can be mitigated, ensuring the smooth and secure provision of essential services.

Rebecca McLaughlin-Eastham

This comprehensive analysis examines the level of preparedness and protection of companies and entities against obsolescence and vulnerabilities. It sheds light on the budget companies allocate for upgrades and resilience measures, questioning whether it is adequate. The analysis also explores the broader perspective of how well-protected or exposed entities are in the face of obsolescence.

One of the key points raised is the budget companies allocate for upgrades and resilience measures. This raises concerns about whether companies are sufficiently prepared for potential obsolescence and vulnerabilities. The analysis emphasizes the importance of investing in upgrades and resilient infrastructure to mitigate the risks associated with technological advancements and changing market dynamics.

Another significant point is the overall preparedness of entities when it comes to obsolescence. The analysis urges us to take a broader view and consider the extent to which entities have considered the implications of obsolescence and taken proactive measures to protect themselves. By doing so, entities can ensure their sustained viability and competitiveness in the face of rapidly evolving technologies and changing industry landscapes.

The analysis also notes the neutral sentiment surrounding this topic. While it does not provide a clear indication of stakeholders’ views, it signifies the importance of a balanced perspective when examining the level of preparedness and protection against obsolescence and vulnerabilities. It suggests that a well-rounded assessment is essential in identifying areas of improvement and developing strategies to address any gaps.

In conclusion, this analysis highlights the significance of preparedness and protection when it comes to obsolescence and vulnerabilities. It underscores the need for companies to allocate sufficient budget for upgrades and resilience measures, as well as the importance of taking a comprehensive approach to ensure entities are adequately protected against obsolescence. By addressing these issues, companies and entities can enhance their ability to adapt, thrive, and remain competitive in an ever-evolving business landscape.

Rebecca McLaughlin-Eastham:
Good afternoon, everybody. Nice to see you all again. I hope you are continuing to enjoy a fantastic first day of GCF 2023. It’s wonderful to be back on this hallowed stage with another fantastic panel. Our topic is obsolescence, the long or maybe the short goodbye we shall have to debate and see. In today’s world, with such rapidly advancing technology, the life cycle of critical systems is becoming ever shorter. So what exposure, what challenges, what threats does that pose to organizations around the world today? And what can we do to traverse these waters to mitigate those dangerous times? So I have all the answers in my learned friends to my left. You’ve had them introduced, but let me come to you each individually first just to set the scene. Tell me a bit about your role and your remit and what you bring to this conversation today. Major General Majid Singh, it’s wonderful to see you. Thank you for being here. How are you? Thank you.

Major General Manjeet Singh:
Thank you, everyone. At the very outset, let me thank the global cybersecurity team for having invited us to speak on an important issue such as obsolescence. I also thank the moderator who has introduced us and to my fellow panelists to be all here. Let’s hope we have a great discussion on the topic. Obsolescence, in my initial thoughts, is something I would like to say that it’s not a new concept. It’s been practiced all over. It’s been practiced by the militaries. They do lay down certain percentages of what do they really maintain in their inventories. Say, 30% of the equipment which is obsolete or in the obsolescence phase. About 40% is current. And there is 30% wherein the induction of the modern technology or the modern equipment happens. So 30, 40, 30 concepts. Some people may practice 20, 60, 20 concepts depending upon various factors of technology regulation, the budgets, the HR, all those concerns. However, in light of the technological advancements, the going analog to digital, the user aspirations, the market-driven forces, our aspirations, our security requirements, all that has really speeded up the way the obsolescence is happening. So, therefore, it’s really become a challenge to take care of that cycle of obsolescence. And, however, the bottom line is that we should be able to maintain the functionality as also maintain the security. So we have to maintain a very fine balance between the two and ensure that we have a cycle wherein we are able to manage obsolescence.

Rebecca McLaughlin-Eastham:
Thank you so much. Ben, nice to see you again. Familiar face in Saudi Arabia. Hope you’re enjoying GCF 2023. Tell us a little bit more about what you do for those who might be unfamiliar.

Ben Miller:
Yeah, absolutely. It’s great to be back here, two years running. I work at Dragos. So Dragos is focused on obsolescence systems at the end of the day. We focus on defending and securing industrial control systems, sometimes called operational technology. And in my role at Dragos, I lead the services team. So our instant response team, our assessments team, the teams that do preparedness and checks against the defenses. And so, in many ways, what I’m representing today is not so much Dragos but our customers at large and what we see from that ground level.

Rebecca McLaughlin-Eastham:
Thank you. Thank you. Dr. Yassine, nice to see you. How are you today? Thank you. Talk to me a little bit about, from your point of view, when it comes to Tunisia and the importance of not only core systems but obsolescence.

Dr. Yacine Djemaiel:
Yeah. This is a great issue that we should discuss carefully when we deal with critical infrastructure because there are many factors that should be considered when we look carefully to the component of critical infrastructure. So we will find that there is a dependency between the software and the hardware for each component in the most cases. We are updating. We will update the software the first time, the second time. But at the moment, there is a limit. There is a point where we stop because the hardware does not respond. And this will initiate for us the process to replace such hardware in order to be able to continue providing the needed service by this critical infrastructure. This is an important point. Now, this time out between the instant where the system does not provide the needed hardware properties may lead to a set of threats regarding our critical infrastructure. And this is most dangerous because we are providing critical services. And at this time, we are not able to provide this service in an efficient manner. It means that there is something that is missing. There is some vulnerabilities related to this system that may be exploited by attacker to engender damage to this infrastructure. In this way, from the Tunisian experience, we have tried to focus on a major component that is the regulation. And we have defined since 2023 a new law for cybersecurity since we have a law that is dated from 2004. And in this year, we have elaborated a new law text for cybersecurity. And we have dedicated for critical infrastructure a chapter and a set of laws that should be respected by major companies. So, this is very important. And this is the first step if we need to help company to be compliant with the requirement of critical infrastructure. So, this is the first point that should be discussed here regarding the regulation that should be up to date. Followed by the strategy that should be also up to date in a country regarding critical infrastructure.

Rebecca McLaughlin-Eastham:
Thank you very much. Policy and regulation will definitely be discussed. Absolutely so important to our conversation. Joshua, let me come to you from the standpoint of Surara by STC. How are we currently positioned when it comes to obsolescence?

Joshua Kennedy-White:
Yeah, thank you very much and thank you for having me. It’s my second time here. And I’ve been coming to the Kingdom since about 2005, which I think is a nice backdrop to think about how much has changed. Just when we talk about obsolescence, we normally think of legacy technology and how we adapt and change. It’s interesting that we’re having that conversation here at the Global Cyber Security Forum in a quite new and modern country that doesn’t have a lot of existing legacy, perhaps less than others. I’m privileged to be an executive board member on Surara, which is a young company that we spun out of STC, the Telco, with a young team that is addressing a lot of the problems that are emerging now in the Kingdom or the opportunities, if you like. When I think of the obsolescence question, I’d like to just take a step back. If we were having this conversation 200 years ago and we were talking about critical infrastructure, probably the two things that would stand out would be a lighthouse and telegraph lines, two things that don’t really exist anymore, or maybe they do as a tourist attraction. They existed for a long time. Technology didn’t have much of an effect on them. Lighthouses went from using wood to oil to electricity. Telegraph had morse code and other things, but they generally didn’t change. Now we’re in an environment where the thing that fundamentally changes the obsolescence of critical infrastructure is technology. It’s just compressed in such a short space of time. If you were to think of just three things in business, telecommunications, we now have 5G, that’s made 4G obsolete, that’s made 3G obsolete. We have multi-core processes. We’ve got the cloud. There’s so many things there. What does that mean? When I look at that from a Sarah perspective, the ultimate question is, we know that things that we’re dealing with today are going to be obsolete tomorrow, so how do we plan around that? I think back to the best trait in evolution is to be adaptive, to be adaptable, to accept those things that are coming. From our perspective, it’s not to be too fixed in our ideas, to be able to have flexibility to say we need to adapt, we need to change. That has to be pervasive throughout the organisation as a culture, as an approach to R&D, as an approach to training, as a diversity of the workforce. When I look at what we’re trying to achieve with Sarah, I think that sits behind that. When I look at the numbers that we have in terms of what we’re doing, the people, the projects they’re working on, I think in the background, we’re preparing ourselves for a constantly changing world and how we can help our business and government clients adapt to that. What are the leading causes of obsolescence? Let’s take it back to basics. How do we make sure that they’re on our radar, that we’re aware of what we need to be fixing? Let me come to you, Joshua, first. I think the biggest one is technology. We’re now living in, I don’t know, is it the fourth or is it the fifth industrial revolution? The rate of change of chat GPT and large language models, it’s happening right now. When we look at the first industrial revolution with steam and others with electrification and automation and mechanisation, those things took decades to happen. We’re looking at things that are happening now in literally months. I think that the technological change, which poses so many challenges, the things we define as critical infrastructure, there are many, many more of those. The regulations around them, I mean, look at AI. We haven’t even begun to get our heads around that. I used to work in government. With all due respect to government, we’re not normally on the cusp of technology and the ability to regulate it. We tend to go through a cycle of making something illegal, compulsory, obsolete. These cycles happen. I think the big one for me is technology, the pace of the change, the depth of the change, whether it’s space, quantum, AI, 5G. There are other things that sit behind that. We might bring in a new navigation system for airlines, which makes a whole fleet of aircraft obsolete. Or we might driverless cars. It’s probably going to make me, as a driver, obsolete. There’s a range of those things. Or traffic signals might be obsolete or railway signals. I think that as we devolve to harness all of the benefits of this next digital transformation, enabled by this amazing new technology that’s out there, it will create a wave of obsolescence. I don’t think that’s necessarily a bad thing, but it does pose many, many questions to how we’re going to secure it, how we’re going to regulate it, etc., which we’re only just thinking about.

Rebecca McLaughlin-Eastham:
Let’s talk about security and regulation, not least for a variety of sectors, because the impact is different, of course, across many different industries. In Tunisia, Dr. Yassine, what regulation do you want to see? What is it critical to put in place to make sure that there is a more manageable, seamless transition?

Dr. Yacine Djemaiel:
We deal with this regulation. When we focus on the content of this regulation regarding critical infrastructure, we will find that there is some restrictions that should be applied for this infrastructure regarding if the components are certified against a set of criteria. We should keep these constraints available. to implement the needed replacement updates in time in order to comply with this law. This is the first point that should be mentioned regarding these obsolescence. Now another problem that should be also presented is related to the act of replacement. When we make the upgrade, the needed upgrade for the hardware or the software, especially for the government companies, when we need to plan to get the budget. And this time to plan the needed budget and to get the needed amount in order to be able to make this change in order to be compliant with the law may be for a long period. And this period will be also another issue for our infrastructure. So this is among the aspects that should be also discussed, and we should find a solution for that in order to reduce this time and to be able to make the needed change in an efficient time. So this is another issue that should be also discussed.

Rebecca McLaughlin-Eastham:
Ben, when it comes to budgeting, when it comes to spending, protecting ourselves, making ourselves more resilient, sometimes the CAPEX is not there or even the OPEX as we were discussing backstage. So what level of preparedness and protection do companies and entities tend to have today? If you were to give us the broad view, how protected or how exposed are we when it comes to obsolescence and the vulnerabilities that causes?

Ben Miller:
Sure, yeah. Sure. I think the challenge within many of the critical infrastructure environments is around the idea of first 10 years ago, it was we were segmented, we’re okay. Or actually, no, it was air gaffed. We’re air gaffed, we’re not touching any other systems, we’re fine. And then it moved to what we’re segmented, so we’re protected. Now with the age of digital transformation and we’re adding more systems that are talking to each other and they’re more homogeneous, so they’re very similar from an attack service perspective. We have this challenge now where we can’t just rely on prevention, it’s getting in front of that. So when prevention fails, what’s next? And the old proverb, chance favors the prepared. How are we getting in front of an attack so we have the right visibility to detect them when they’re in their environment? Backstage we were talking about a recent case my team supported, ransomware related, that affected a traffic control system. They were within that environment in an order of months, and it wasn’t until they deployed the ransomware that they were detected, pretty obvious at that point. But there’s an opportunity there if you’re deploying the right technology to create that visibility. I think that’s the, when you’re dealing with old technology, and by old technology I mean systems that went end of life seven, eight years ago, the mitigations there are creating visibility and understanding what’s happening within those environments.

Rebecca McLaughlin-Eastham:
It may be basic to observe, but the actors are moving faster than we are. The technology is moving faster than companies and even governments are. So how do we bridge that gap? How do we step one step ahead, given some solutions, but what would your key advice to entities, to governments, to companies in the room be?

Ben Miller:
It really does come back to the idea of prevention does eventually fail. And so not just creating a strong architecture, but a defensible architecture. So that means people that are actively monitoring the systems and able to respond, and creating the expectation that the operators and the engineers know what to do if they think that if it were to go into a dangerous state, it’s actually a human safety issue. It’s not my database is corrupt. There’s a degree of impact there that’s really important to understand. And those staff members that are in that facility need to understand how to operate in an environment where they might be given the wrong information and make the wrong choices because of that. That’s the leading edge in training and where we need to build towards.

Rebecca McLaughlin-Eastham:
Thank you. Major General, how are you minimizing the impact of obsolescence in India? What examples can you point to?

Major General Manjeet Singh:
India is a huge country, has got a huge cyberspace. If we look at the numbers, we have about 800 million internet users. We have 1.3 billion people using these phones, but in the large quantity of them is smartphones. So the interconnectedness is very heavy. If you look at the overall payment landscape, it’s 10 billion transactions happening every month and they run into billions of rupees. So it’s a huge landscape. If I look at the resilience aspects at the strategic level, we are addressing it at the policy and the strategy level. Then we have the governance. Governance of cyberspace is being addressed through suitable governance structures. We have a huge amount of infrastructure development, capacity building programs. That’s at the strategic level. And if we come to the technical level, we are putting in place all issues which contribute to the resilience, whether it is the crisis management plan, or whether it is putting in place resilient infrastructure, having disaster recovery, backup plans for the data, the network resilience, the network time protocol, the DNS systems, the safety and security of our submarine cables, all that is being put in place. So it’s something a work in progress. We are doing fairly well to secure our cyberspace. It’s a work in progress.

Rebecca McLaughlin-Eastham:
Joshua, talk to me about the biggest pain point, transitioning from legacy to modern technologies and infrastructures and reinforcing those core infrastructure systems. Where is the weakness or what’s the biggest headache, if we can call it that?

Joshua Kennedy-White:
So I think in a word, it’s people. You always hear people are our greatest asset. They’re also incredibly hard to change, they’re hard to train, they’re hard to find, they’re hard to keep. I used to have a very large team with a lot of people. I’m sure I miss them individually, but in aggregate, less so. So I think the people piece is hard. But I just want to pick up on a theme that was talked about there, and Rebecca, you mentioned it with minimize. This seems to be sometimes, maybe often in the security vendor community, this obsession with making something absolutely safe. I can tell you, absolute security is absolutely impossible. And so if you think of that in the context of critical infrastructure, I think historically, the government had more of the ownership of those assets, power stations and the like. And today, if I was to define critical infrastructure in my house, it’s probably Netflix and it’s probably the Uber deliveries and Grab and all these other things. So I think that poses a couple of questions. The first of it is, let’s not always assume that it’s the government’s fault and the government has to fix things. But that the other side of it is, as a consumer of that service, whether it is provided by the government or not, maybe we do have to have an idea around resilience and good enough to be able to get there. We manage perfectly well without these things that suddenly is embedded. It owes us a favor. Why can’t I have Wi-Fi streaming on the airplane? So I think we have to recalibrate that discussion. And that’s a subtle political piece as well of what we expect of our political leaders. Maybe I’m being kind because I used to be in that frame. But the key thing, I suppose, when I look at moving from legacy through to the next generation is, in the absence of a really good strategic plan, you end up doing these tactical things and you amass a whole bunch of stuff. You feel secure because you’ve got one of everything and that doesn’t really happen. So I think a better approach is to be able to say, this has a shelf life. It’s an interim solution. We’re planning to do something else. We’re going to have a modular style architecture. We’re going to have a relationship with our vendors, that they’re going to be part of the upgrade process, that it’s not… There’s a lot of people involved in legacy infrastructure to get from where you are to where you need to be. And I think there’s interesting contracts that you can write with your technology providers. You can kick the question to them. I’ve been to multiple conferences where you walk in and if you’re someone trying to buy a solution, you’d be baffled. There’s 4,000 things all with a variation of shadow this, carbon that, trace this. And it’s quite baffling. I think the other part of it is we always think that it’s some super sophisticated hacker, probably criminal gang backed by a state. I can tell you, in a lion’s share, a lot of these things are kind of mistakes that people make. It goes back to the people thing because they’re not trained. They don’t understand it. They don’t know what they’re doing. So it’s a complex problem. I don’t think it’s going to be easily solved by perfect technology solutions. I think it’s about redundancy, resiliency, a discussion with people. I would say that because as a service provider.

Rebecca McLaughlin-Eastham:
Of course, he would never say that as a service provider. I’ve got to bring in Ben here. It takes many people. It takes a village. Absolutely safe is absolutely impossible. Do you agree?

Ben Miller:
That it takes a village? That it’s possible. Oh, that it’s possible. I think it depends on what your end goal is. I think if you’re focused on creating a robust, resilient, defensible system, absolutely. If it’s about preventing all attacks or that we’re 100% bulletproof, secure, I don’t think that’s a reality that we live in. And even if it were, it would be very transitory of, hey, we reached this state. There’s a new technology. There’s a new capability that the adversary is deploying that pushes everything to this side. I think a lot of our customers, as an example, focus on secure remote access. I’ve seen adversaries take advantage of secure remote access and use those appliances and that equipment to actually gain access, unauthorized access. So it’s always a cat and mouse game and it’s a journey, not a destination.

Rebecca McLaughlin-Eastham:
Speaking of cat and mouse or perhaps friction of a different kind, IT and OT. What’s the future? Never the twain shall meet. One will always outpace the other or have a disagreement, shall we say.

Ben Miller:
Yeah. In your last question, you had a great phrase that stuck out, actually, a legacy. I think perhaps in many environments, the IT teams see all the what they would call legacy equipment and software that’s deployed at pick your type of infrastructure, refinery, generation plant, green energy, they see that as legacy. That that plant was built maybe ten years ago. It’s not legacy. It’s that the pace of change is way different than IT. It’s not a phone. And so that the life cycle there is entirely different and it’s not, again, on we need to patch all your systems all the time, because that would put that facility in outage. And so that’s that friction, right? Actually, we’re generating the revenue for the business. Why are you creating downtime when we’re actually operating and building the capacity that’s needed for the business? So there’s that tension that exists. And I think as we understand the mission, as IT staff understands the mission of the facility and the constraints of the facility and works within those constraints rather than trying to constrain that revenue generating asset, I think that’s where the conversation needs to go.

Rebecca McLaughlin-Eastham:
I wish we had more time. We need to talk about collaboration as well, but sadly the clock has beaten us. But ladies and gentlemen, please join me in thanking my fantastic guests for their contribution today.

Iain Drennan

The threat of child sexual abuse material online is growing and becoming more diverse. According to a global threat assessment published by the WeProtect Global Alliance, there has been an increase in such material appearing online. This includes the alarming trend of children being tricked into providing intimate images, which can have serious consequences. Additionally, there are concerns about the use of AI and deep fake technology to create intimidating images, further exacerbating the issue. The overall sentiment towards this issue is negative, highlighting the urgent need for action.

International action is required to address child sexual abuse online. Saudi Arabia’s initiation of a holistic framework to combat this issue is seen as a progressive step. The responsibility for child online safety lies with the global and national community, including the government and the private sector. Empowering children with tools and choices online is important, as is the need for user-friendly platforms with easy reporting systems to enable children to report any discomfort.

There is collaboration between the public and private sectors, with technology and software engineers engaging with governments and regulatory bodies. The aim is to establish high privacy and protection standards for child users. A collaborative and cross-sector response, including referring child protection issues to law enforcement, is essential to effectively address the problem.

However, funding for online child safety is inadequate and unevenly distributed. While there has been progress in legislation and regulations, with countries like Saudi Arabia, Nigeria, Singapore, the UK, Ireland, and Australia drafting laws to regulate the digital space, there is still room for improvement. It is hoped that the engagement of the global community with these difficult issues will lead to stronger measures for online safety.

In conclusion, the challenge of child sexual abuse material online requires urgent action. International cooperation, involvement from various stakeholders, and sufficient funding are crucial steps in safeguarding children online. Prevention measures should also be a focus in addressing this issue. While progress has been made in legislation and regulations, continued efforts and collaboration are necessary to ensure the online safety of children.

Moderator – Rebecca McLaughlin

During a panel discussion at the GCF 2023, experts convened to address the critical issue of protecting children in the online world. The focus was on the shared responsibility of ensuring children are well-educated, protected, and responsible digital citizens. The panel acknowledged the numerous existing threats and emerging challenges, particularly concerning AI and deepfakes.

The panel recognized that simply removing devices or disconnecting children from the internet is not a feasible solution. Instead, experts emphasized the need to effectively inform and protect children. Esteemed guests, including Dr. Maimouna Al-Khalil, Secretary General of The Family Affairs Council, Saudi Arabia, outlined the council’s work, shared reports, and discussed initiatives.

Ian Dreenan, Executive Director of We Protect Global Alliance, presented their latest findings, specifically addressing the emerging threat of extortion. Dr. Yuwan Park, Founder of the Deque Institute, provided insights into their work on holistic approaches to online safety and referenced the safety index.

Regarding policy and regulation, Dr. Al-Khalil stressed the importance of reinforcing efforts to protect children globally, particularly in Saudi Arabia. She highlighted the need for next steps, milestones, and regulations that can effectively safeguard children from potential harm. Dr. Al-Khalil emphasized the profound repercussions for children if appropriate measures are not implemented.

Ian Dreenan acknowledged that although legislation and regulation are crucial, much responsibility lies with the children themselves. He underlined the importance of encouraging children to share information and express their fears, particularly if they are unaware of the real threats they may face online.

The panel also discussed the vital collaboration between the public and private sectors, including tech and software engineers, in creating safe and engaging online environments. They debated the level of communication and cooperation necessary to develop platforms that prioritize safety while still being entertaining and educational.

Dr. Park highlighted encouraging developments in both the public and private sectors, indicating progress towards a safer educational environment. He expressed hope in ongoing initiatives and the increasing dialogue and funding for development in this area.

Concerns were raised about funding, research, and data collection. The panel suggested allocating greater attention and resources to ensure the protection of children online, emphasizing that it should be a top priority for society as a whole.

Ian Dreenan shared his concerns frankly, emphasizing the need for continuous vigilance and action. However, he also expressed hope for the future, acknowledging that child protection is a collective responsibility even for those without children.

Dr. Park echoed the importance of addressing societal taboos and encouraging open conversations, alongside increased investment in development. He acknowledged the progress made thus far but stressed the need to address tangible risks and maintain hope for the future.

Dr. Al-Khalil, as a parent and representative of the council, shared her concerns and hopes for the conversation surrounding child protection. She emphasized the need to move forward and increase awareness and education on this urgent matter.

Lastly, the moderator, Rebecca McLaughlin, recommended specific apps and protective tools to monitor children’s online activity and directed attendees to seek additional information from the respective agencies present.

Overall, the panel discussion highlighted the shared responsibility of protecting children online, emphasizing the need for ongoing collaboration, education, and regulation. It called for increased funding and attention from governments, the public, and the private sector to create a safer digital environment for children.

Dr. Yuhyun Park

The report titled “Persistent Cyber Pandemic” highlights a concerning trend in which 70% of children between the ages of 8 and 18 have consistently been exposed to at least one cyber risk for a period of seven years. This issue transcends regions and persists both before, during, and after the COVID-19 pandemic.

The report emphasizes that addressing cyber risk is not solely a children’s or family matter, but rather a persistent problem that requires the collective efforts of policy makers and industry leaders. This collective approach is crucial for effectively tackling cyber risks and ensuring the safety of children online. The report commends the approach taken by the Kingdom in addressing cyber risks and calls for its continued support.

Dr. Park, an expert in cybersecurity with 15 years of experience, emphasizes the importance of focusing on children’s issues in cybersecurity discussions. She argues that reducing the current cyber risk exposure of 70% among children should be a collective target, advocating for a decrease to at least 50%. To achieve this, she recommends reforms in the family, education, and technology sectors.

In the family and educational sectors, Dr. Park proposes implementing a digital skills framework and teaching responsible and ethical use of technology. She also highlights the need for ICT companies to prioritize safety by designing their products with user empowerment, age-appropriate measures, content moderation, and unified reporting systems in mind.

Furthermore, Dr. Park stresses the significance of policy and regulation in addressing cyber risks. She underlines the need for end-to-end safety measures, ranging from prevention to intervention and reporting. This underscores the importance of establishing comprehensive policies and regulations to safeguard children online.

Aside from the specific findings and recommendations, there are concerns regarding the impact of digital transformations, web developments, and online safety risks on children’s well-being and the security of their living environments. The dynamic nature of these advancements necessitates a mobilized effort to understand and address future risks, ensuring preparedness for potential challenges that may arise.

Overall, the report sheds light on the persistent and widespread nature of cyber risks faced by children, emphasizing the necessity of a collective approach involving policy makers, industry leaders, and the implementation of comprehensive reforms. It stresses the significance of prioritizing children’s issues in cybersecurity discussions and highlights the importance of policies, regulations, and safety measures to protect children online. Furthermore, it calls for ongoing efforts to anticipate and address future risks, aiming to create a safer digital landscape for children.

Dr. Maimoonah Alkhalil

Children in Saudi Arabia are actively participating in various online activities, with nearly 99% of them engaging in socializing, communication, and gaming. However, this increased involvement in the online world presents significant risks. Children are vulnerable to safety risks and exposure to inappropriate content, especially as boundaries between the virtual and physical worlds blur. Cyberbullying occurs both online and offline, further compounding the dangers associated with children’s online communication.

To address these concerns, Saudi Arabia has introduced the National Child Safety Online Framework. Developed with input from over 25 stakeholders, this framework will be overseen by the Family Affairs Council, responsible for its implementation, tracking, and reporting over a five-year period. The launch of this framework signifies a positive step in safeguarding children from the risks inherent in online activities.

The family also plays a crucial role in protecting children against online threats. Open conversations about these dangers are necessary, and parents need to be supportive and receptive when their child shares any online threats or discomfort they have experienced. Teachers also have a responsibility to raise awareness about online risks, helping students understand the various dangers that exist in the online world.

Efficient legislation and law enforcement are essential in tackling online threats. A well-defined system for reporting these threats, along with clear reporting channels and helplines, is necessary to support those affected. Additionally, a robust national infrastructure is required to effectively counter and address these challenges.

Funding is crucial for making progress in child online safety. It can be utilized to raise awareness through campaigns and develop tools that help children identify and manage online risks. Furthermore, a unified approach to measuring and assessing progress is key to ensuring effective intervention and evaluation.

Empowering children to handle potential online risks is crucial. Teaching assertiveness, resistance to peer pressure, and educating them on who to reach out to in case of danger are important aspects of enabling their safe navigation of the online world.

While concerns exist about the unknown and unexpected aspects of Artificial Intelligence (AI) in the future, it is important to remain vigilant and prepared. Plans are being implemented to address current challenges associated with AI and to ensure that children are adequately equipped to adapt and regulate their online experiences.

The family’s role is emphasized in adapting to future changes. Ongoing conversations and discussions, both nationally and internationally, are necessary to keep up with evolving trends and ensure the protection of children online. Preparing children, both in terms of their personality and their ability to regulate and face obstacles, is essential for their development.

Parents have a significant responsibility in safeguarding their children online. Actively seeking information and knowledge about online safety is crucial in ensuring their children’s well-being. It is imperative to disseminate awareness through various channels, equipping parents with the necessary information on parental controls, detecting signs of distress in their children, and encouraging positive online experiences.

In conclusion, while children in Saudi Arabia are heavily involved in online activities, there are risks associated with their online communication. The introduction of the National Child Safety Online Framework is a positive step towards addressing these concerns. The involvement of families, educators, legislation, and law enforcement is essential in creating a safe online environment for children. Funding, awareness campaigns, measurement, and assessment are crucial elements for ensuring progress in child online safety. Empowering children with the necessary skills and knowledge to handle online risks is essential, while also being prepared for the future challenges that AI may bring.

Moderator – Rebecca McLaughlin:
activity. Ian Dreenan, Executive Director, We Protect Global Alliance. Dr. Yuwan Park, Founder, Deque Institute. Dr. Maimouna Al-Khalil, Secretary General, The Family Affairs Council, Saudi Arabia. Rebecca McLaughlin, ISTAM, Moderator, International TV Anchor, MC, and Media Trainer. Good morning, everybody. Nice to see you all again on day two of GCF 2023. We have a very important topic to discuss in this panel, and it is all our responsibility to listen up and to protect the children of the world online. How do we make sure that they are well educated, that they are protected, that they are responsible when they grow into digital citizens? There are so many present threats. There are so many emerging ones, not least with the advent of AI, with deep fakes, and many new challenges that we will talk about. It’s not as simple as removing their devices. We can’t unplug the internet. We can’t prevent progress. So how can we best inform and protect them? I have an esteemed panel of guests to help me drill down into these important topics. Thank you for joining me, one and all. Shukran. Let me start by asking you, Dr. Al-Khalil, tell us a little bit about the council, the work that you do, and also the latest findings, the reports and initiatives that

Dr. Maimoonah Alkhalil:
you will be launching. Thank you. Good morning, and it’s very happy to be with you today. The Family Affairs Council specializes in the family as a unit, in empowering its members, in instilling values, and in ensuring cohesion. Particularly, we’re interested in the best interest of women, children, and the elderly, and the family as a unit as a whole. We are very alarmed by the numbers that are coming out on child online safety and the risks that are involved with that, and so it is our responsibility to, first of all, study the current situation, understand what is going on at the national level, and then begin to plan ways in which we can address some of these risks. We know that Saudi children are online by percentages that are almost up to 99%. We know that they are very active, they are socializing online, they are communicating online, they are playing online, they are being entertained online, and so that is a reality that we need to face. In addressing the issues and the risks that come with online communication, we also know that there are risks to their safety, there are risks to the content that they are being seen, there are risks associated with who they communicate with, and we know that there is the line separating the virtual world and the actual world is slowly disappearing, and so what happens in terms of cyberbullying, for instance, that is occurring online, it is coming offline as well by the same harassers, and so in response to these risks that we have noticed, we are very happy to be launching next week at our family forum on November 12th the National Child Safety Online Framework, where we convened and had many debates and many discussions with over 25 stakeholders from the industry, from the government, from the civil society, where we came together and identified who the main stakeholders are, and identified the roles that we want for them to take on, and put that together into a five-year plan and under this framework, and we will be launching it, and I extend an invitation to everyone here to join us next week, where we will be discussing how we can make sure we are implementing this plan, and the Family Affairs Council will be in charge of implementation and tracking and reporting.

Moderator – Rebecca McLaughlin:
Thank you very much. Ian, the important work that you do at WeProtect, talk to us about your latest findings, and also the new threats that are emerging, not least extortion.

Iain Drennan:
Thank you very much. So at WeProtect Global Alliance, we bring together experts from government, from the private sector, from civil society, intergovernmental organizations, to develop solutions to one of the most serious threats facing children online, child sexual abuse, and we heard His Excellency earlier today highlighting the risks posed by child sexual abuse material online, and the need for international action to address it. We published a global threat assessment last month. It’s on our website, it’s available in Arabic as well, and one of the key things we found was that the threat is growing, so we’re seeing an increase in material appearing online, and it’s diversifying. So an example is we’re seeing an increase in financial extortion, so where children, particularly targeting adolescent boys, are duped into providing intimate images of themselves, and then that’s then used to blackmail them, and the consequences of that are really serious. Boys have taken their own lives as a result of this, and now we’re also seeing AI coming in, so that image isn’t necessarily even of them. It could be a deep fake. So these are all issues that we have to address as policymakers, and I really applaud the initiative to launch a holistic framework to address this within the Saudi government. I think it’s incredibly positive and progressive work.

Moderator – Rebecca McLaughlin:
Thank you very much. Dr Parks, from your work at the Deque Institute, holistic approaches is very much something that you believe in too, but talk to us about your latest findings, the safety index

Dr. Yuhyun Park:
findings that you have recently released. Thank you very much. It is an honor to share the stage together with two esteemed speakers. Last year in this stage, we announced the 2022 Child Online Safety Index, and this is our fourth publication on the Child Online Safety Index, which we titled Persistent Cyber Pandemic. We actually track exposure to cyber risk, including cyber bullying and sexual extortations and risky content and contact and so on, and what we found is that from 2017, 70% of children aged 8 to 18 have been experiencing at least one cyber risk, and this number has been a little bit fluctuated, but consistently about 70% across seven years. Of course, there’s an increase in certain risk and decrease in certain risk, but what we found is that it’s across the regions before, during, after COVID, this persistency exists. What does it mean? It is not just about the children issue. It is not just about the education issue. It’s not just about family issue. It is a, there’s a persistent issue that we need to address together as a policy makers and industry leaders as part of the big frameworks of cyber risk, so I really appreciate Kingdom’s approach as a collective approach to address this issue, and we’d love to support if there’s anything that we need to support the Kingdom.

Moderator – Rebecca McLaughlin:
Thank you. Well, Dr. Khalil, let me come back to you. In terms of policy and regulation, so important to really reinforce our efforts when it comes to protecting children around the world, not least in the Kingdom, what would you suggest are next steps, next important milestones and regulations when it comes to protecting them?

Dr. Maimoonah Alkhalil:
Well, I believe that the family plays a major role. We are surrounding these children. We need to have a very open conversation about these threats. We need to know who they are speaking to. We need them to feel they can, they are comfortable to speak to us about any threats, anything making them uncomfortable online. They need to know that we are their number one supporter and that we, without judgment, we will help them. Now, that is in terms of the family surrounding them immediately, but the child has several spheres of existence, and so in this framework, there is a role for the education system. We need to have the same conversation in schools. Teachers need to be able to detect if there is any threat going on and need to include this awareness about what could happen and the risks that are online in their conversations and lessons. We also have to acknowledge that there is a mental risk here affected and connected with cyberbullying and with other threats online, and so health-wise as well, we need to be aware and be able to detect if there is any health issue that we need to address as well, and so reporting lines, helplines, need to be also playing their role here and making sure that we have very clear reporting systems. Once that is reported, we need to have the legislation in place as well, and we need to have law enforcement mobilization so that even the offenders before the children know that if anything of this is ongoing, that there will be consequences, and so from this comes the holistic approach where we understand that a country alone perhaps cannot do much. We understand that this is a global problem. However, we can, nation by nation, at least make in place the infrastructure to be able to counter and address these challenges instantly

Moderator – Rebecca McLaughlin:
as the repercussions are quite profound. Thank you. Ian, as much as we can be prepared, as much as we can put legislation and regulation in place, a lot of it does rest with the child and their confidence, as we were saying, to share the information, to share their fears. How do we encourage them to do that, especially if they’re unaware of the real threats out there, not least

Iain Drennan:
with deep fakes, as you say, with AI? It’s a real challenge, and I think it’s really important to emphasize to the child that the burden is not on them. We should be, as a community, as a global community and as a national community, exactly as you said, say that we are there for you. We are there to help, and I think that goes to private sector companies. It goes to governments. Everyone has a role to play on this, but I think it’s really important that children have the tools and should feel empowered to make the choices that they need to when they’re online, so that I think it should be as user-friendly as possible, and that’s again for the private sector to design it right from the get-go so that it’s easy to report something that you feel uncomfortable with, so that you’re able to block someone easily, and I think just to keep that system in place around them, so that they’re able to take advantage of all the opportunities that there are online, but do it in a safe way. I suppose that’s my question.

Moderator – Rebecca McLaughlin:
What is the level of collaboration between the public and the private sector, and certainly with the tech and the software engineers? Are they speaking to governments? Are they speaking to bodies like yours about creating entertaining, edutaining, but safe, engaging environments

Iain Drennan:
online? I think there’s a lot of positive things we can point to. I think we can look at things like putting positive default settings in for child users, so that when they log in to use a service, that they have the highest levels of privacy, that they have the highest levels of protection, but also I think that there is that dialogue and connection, because there are some things like referring to law enforcement that only governments can do, so I think there needs to be a collaborative response, and it also needs to be a cross-sector response. Thank you.

Moderator – Rebecca McLaughlin:
Dr Park, what have you seen in terms of encouraging or positive developments, not least in the public and the private sector, that give you hope that we’re moving into a safer space, education-wise when it comes to initiatives, or even with those tech and software developers?

Dr. Yuhyun Park:
Well, well, well. This is a million dollars worth question. Before going into that, I want to actually echo back to this morning session that His Excellency mentioned about the sustainability, because I found it is quite interesting analogy that we wanted to actually bring up, because a lot of times the children issue is not the center of cybersecurity discussion. Why is that? I want to actually ask that before we can actually discuss about a million things that private sector governments and families and education can do, but before we even go into that, why children issue has been so neglected? Because I’ve been speaking about this topic for 15 years. I think same with And same with our core speaker. And nothing has been changed. Do you feel the frustrations, actually? Well, let’s ask them. Just to pause there. How many people here believe that it should be a top priority when we’re talking about cybersecurity? This is how it’s supposed to be. So I’d like to boldly suggest, you know, we have this 1.5 Celsius degree. When we talk about the climate action, we have set the goal, 1.5 Celsius degree, no more will be permitted, right? Just like that. We have a 70% cyber risk exposure among children. Can we target at least 50%? Can we work together based on the research, based on the scientific approach? We work together, bring down this number to 50%. Can we work together with that? I think we need a collective approach, at the same time, collective target. And which I’d like to suggest that, you know, GCF can take the leadership to make this happen. And that’s, I’d like to see as a first target that we want to have. What is the barrier? What do we need to remove to make that happen? Exactly. So we need to start with family, right? We need to ensure that there will be the right frameworks from education, from the Minister of Education to set the digital skills frameworks, starting with the digital citizenship that teach children’s AI and digital safe and responsible and ethical way. That’s for sure. That’s minimum. Family, children, education, that’s number one. But at the same time, we need to ensure, like Ayaan just mentioned, we need to ensure the ICT company to have the right frameworks to self-regulate their technology to be safe from the starting point. We just shared about the several functions, but we need to think about safety by design as a very core of their technology development, user empowerment, content moderation, age-appropriate measure. At the same time, the lastly, most importantly, is about the unified reporting about their transparency report. Current transparency report, if you see that, if you compare the transparency report from MEDA and TikTok, can we make it consistent measure so that we know who is responsible on what risk they’re permitting to happen in their platform? And lastly, we need to have the right policy and regulations. And what I actually was quite encouraged about that this whole public health-wide ecosystem that Saudi is building, it is from the end to end, when prevention to intervention and reporting and intervention again, it has to be a virtuous loop that we have to create. So we work so hard to get our technology infrastructures to get in place. Look at this kingdom, and look at how we are actively using social media and digital media, which is great, but now we want to move into the next phase. We need to really think about the sustainability, not just in the digital physical place, but also digital place.

Moderator – Rebecca McLaughlin:
Thank you very much. Doctor, let me come to you. Controversial question, but is there enough funding? Is there enough research? Is there enough data collection, enough development on every front when it comes to making sure that we ring fence and safeguard our children? Is there enough attention going into this important issue, which we all agree should be a top priority?

Dr. Maimoonah Alkhalil:
Very important question. From where I’m standing, no matter how much we do, I still feel like we need to do more. I believe that we need to prioritize child online safety when it comes to funding, and I implore all the entities to make that a priority. I think also that there are some very good opportunities that we can, even in situations where there could be a lack of funding, to utilize and capitalize on other sources of expertise. I want to take an opportunity to thank the UNICEF for helping us and providing the expertise required and the international expertise in coming up with this framework. There is a lot to leverage on, and I don’t believe that lack of funding or that lack of opportunities should stop us from continuing to work, but I do believe that enough funding will go a long way, especially in awareness campaigns, and in bringing to the fore that although we will do everything in our might and this framework to ensure a safe space for children, in the end, it is just the child facing that screen, and so we need to make sure we are putting all our might into their ability to identify risks, what to do when they do sense a risk, how assertiveness, resistance to peer pressure, knowing who to speak to, knowing also that they have a role as a bystander and not to allow any cyberbullying to occur, and so there is so much to be done. Funding is key, research is key, measurement, I cannot agree more, is key, and so we need to have an especially unified way of measuring and assessing progress is key, otherwise it will be very difficult to continue that cycle of intervention and initiatives followed by implementation and then evaluation and intervention and restarting that cycle again.

Moderator – Rebecca McLaughlin:
Thank you very much. Ian, talk to me about your greatest concerns, speaking frankly going forward, but also what gives you the greatest hope, because even if we don’t have children, we all know children, we have them in our family, so what do you see that we don’t?

Iain Drennan:
So I would say, I would like to pick up on the back of Dr Al-Khalil’s point about funding, I think there is funding there, there is not enough, and it is not evenly spread. So this is, so during this week, so I am here in Riyadh, I have a colleague in Nauru speaking with the Pacific Islands Law Enforcement Association, I have another colleague who is in London at the AI Summit. What we were struck by is the shared experience and the shared appetite for engagement on online safety. It resonates around the world in these incredibly different places, but you could have a victim in Saudi Arabia, you could have a perpetrator in Ireland, you could have, and they could be using software or service that’s headquartered in Korea. This is a problem where we can’t build a boundary around it on a national basis and say, right, we’ve got a perfect solution, because that’s not how the internet works. It’s not something where we can invest nationally and then expect to resolve the problem globally. So I think a concern is that there’s not enough funding out there, it’s not being directed enough towards prevention, so stopping the harm before it happens, and that it’s not being shared evenly. I think in terms of grounds of hope, because I think that’s really important to finish on, we are seeing progress. So I think the very fact that I’m sitting here talking about this issue and seeing the words child sexual abuse appearing up there in large letters up on that screen, five, six years ago, I don’t think that would have happened. I don’t think I would have been able to do that. I think that we’re getting to grips with these issues that we face as a global community that are difficult, that are challenging, that are uncomfortable, that make me as a parent sometimes want to look away. But I think we owe it to children not to look away, to grip the opportunities that we have to make things better. And we’re seeing legislation happening all around the world. We’re seeing a framework right here in Saudi Arabia. We’re seeing legislation to regulate the digital world in countries as diverse as Nigeria, Singapore, the UK, Ireland, Australia. People are recognizing that we need to set a baseline here. We need to set a baseline for action. So I think we have seen progress. I agree with Yuhim that we haven’t seen enough. But we’re seeing momentum building. And I think now is an opportunity to really leverage that to turn the tide.

Moderator – Rebecca McLaughlin:
Thank you very much. Dr. Parks, removing the taboo, be it cultural, societal, even within families, getting that conversation and the dialogue flowing as well as the funds into development in this area is so important. As Ian says, we’ve made strides. Not far enough, but we’re getting there. Again, your biggest concern when it comes to the tangible risks and your greatest hope going forward?

Dr. Yuhyun Park:
Yes, we are gaining the momentum on this. And then we’d love to see more practices, more holistic practices, just describing the kingdom. But at the same time, it is very important for us to notice that now Web 2 and Web 3 and metaverse and generative AI, everything is just going to boom. What is going to be like to our children? We don’t have an answer. So it is very difficult for us to stop the speed of technologies. But at the same time, we have to be mindful about that. These changes will change the dynamic on the human’s life, especially starting with our children. So with that regard, I think it is very important for us to really focus and mobilize our effort to understand what is coming risk because we have to be more ahead of the curve. That was His Excellency talked about this morning. We can predict. We have enough smart people in this room and also who is actually working together. Think about what’s coming, new risk to our children and our living room. It’s not about somebody else’s issue. It is my issue, your issue, our issue. So we need to really more proactive and that would be the very important part that we need to have the more provocative discussions.

Moderator – Rebecca McLaughlin:
Thank you. So the final word to you as a parent but also in your capacity, of course, at the Council. What concerns you the most but also gives you the greatest hope of how our conversation will hopefully have moved on when we meet this time next year?

Dr. Maimoonah Alkhalil:
I guess what concerns me most is the unknown and the unexpected. Knowing the challenges now, we are putting the, you know, what measures we could in place and we are willing to follow through and make sure that all these plans are implemented. However, AI is something that we are honestly watching very closely and I believe that and that is why I’m talking about the role of family and about focusing on the child and keeping this conversation going nationally and internationally and having these reports coming up annually where we could as best look ahead and prepare these children for a future. We honestly don’t know what it would look like or what it will be but prepare them as much as we can personality-wise in regulating and facing obstacles as they come. And therefore, I mean, I would like to end on a happy and optimistic note but I do realize that we have a lot to do still.

Moderator – Rebecca McLaughlin:
And just as practical tools for those in the room who may be interested, where can people find out more information and are there specific apps or protective tools that they can use to help monitor their children’s activity? What would you recommend?

Dr. Maimoonah Alkhalil:
Yeah, I recommend seeking knowledge everywhere honestly. There are wonderful reports coming out, there are short videos for parents to see and as part of the framework, there will be a very huge awareness campaign following the social and behavioral change approach. And so there will be a lot of, as part of this framework, a flooding of awareness snippets where just parents know what kind of parental controls they should be aware of, how to approach an issue, pinpointing and finding, detecting elusiveness or sadness or disinterest in family affairs in the child and trying to approach it in a way that would allow the child to open up. And so I believe knowledge seeking is very important on all platforms and we’re happy to use the family affairs platform as a source for this information.

Moderator – Rebecca McLaughlin:
Thank you so much. Your respective agencies have lots of information too, all of that can be found online. Ladies and gentlemen, my incredible panel, please thank them for their contribution here today.