WHAT I HEARD AT THE G-20 CYBERSECURITY DIALOGUE THIS WEEK
This week I was honored to be one of the 17 outside experts (3 Americans including myself) asked to address the official G-20 Cybersecurity Dialogue in Riyadh, Saudi Arabia. This meeting was designed to assist the G-20 Digital Economic agenda for this fall’s full G-20 meeting which will also take place in Riyadh (Saudi Arabia holds the rotating Presidency for this year).
I have to say I was pleasantly surprised by the overall tenure of the discussion among the G-20 representatives and the invited experts (I summarized on my own presentation in this space earlier this week — see What I’ll Tell the G20 Cybersecurity Dialogue Meeting in Riyadh Today and now refer exclusively to other presentations).
The opening keynote was provided by Troels Oerting from the World Economic Forum (WEF) who stressed that the pace of digital transformation was already exceeding generally understood speed and was creating far more extensive cyber damage than the typical breach media reporting would suggest. Troels noted that soon there would be 5 billion cyber devices in operation and more than 80% of them would never touch a human — instead conversing exclusively machine to machine. In addition WEF predicts that by 2020 the economic losses from cybercrime would rise to as much as 6 trillion dollars annually and that the rate of cybercrime was increasing nearly 50% a year (all of which tracks quite closely to the ISA report issued Monday).
Even more threatening than the oft-reported problems of theft and privacy Troels noted that “deep-fake” technology threatened our understanding of integrity and that within the foreseeable future it may be nearly impossible to verify who we were communicating with.
Of equivalent interest in the gathering is the notion that the digital age is already functionally shifting the focus of power and control from governments to the private sector. As the digital age progresses it will be (perhaps already is) the case that the private sector would dominate information and with information control functionality power will follow. Obviously this would call for a more fundamental rethinking of the government industry relationship than is generally being discussed in government and industry fora.
As the sessions were on a number of consensus points, often departing from what is the general consensus at typical cyber conferences emerged. These included:
* The cyber security discussion needs to be about far more than technology.
* While it is critical to get basic technical controls (NIST/ISO) right, this will not be enough to address the security challenges of the digital age.
* Regulation in the traditional sense of Cyber Security is not a practical solution. Technology simply moves too fast for the traditional regulatory structure to keep pace.
* A new culture and mindset needs to be developed at both the industry and governmental level. The discussion of how this mindset will emerge must involve a broader group of stakeholders than has historically been the case due to the asymmetric nature of cyber issues.
* Business risk overall is intimately intertwined with cyber risk due to the ubiquity of cyber systems in all manner of business and commerce.
The next step is for the Cyber Dialogue Working Group to report its findings to the full Digital Economy Task Force and craft the digital agenda for the G-20 meeting this fall.