An intense two-day global cyber security summit organized by New York-based Skytopstrategies (www.skytopstrategies.com/cyber) this Monday and Tuesday -in a Rome cursed by recurring nearby quakes yet blessed by a great late summer sun- allowed me to begin to understand the size and power, as well as the scientific, economic, political and social consequences of artificial intelligence, big data and algorithms and the unbelievable technological gap today between Israel, Russia, USA and China and the ‘rest of the world’.
In short: security is freedom from risk and implies advanced management and leadership: a succinct summary of the two days.
The 80 some participants were all bound by Chatham House rules and so I am not authorized to attribute anything to anyone, but this is not much of an issue: the average level of the discussion appeared to me to be an excellent, informative and frankly harsh confrontation amongst and between US and European law enforcers, security and legal experts as well as senior representatives of cyber security and digital vendors and buyers.
Clearly the marketplace is in great turmoil and the complex yet urgent issue of regulation dominated the scene with much discussion over multi-jurisdiction constraints.
While there seemed to be general agreement on one management function overseeing the global response outlook despite diverse requirements, there was a difference of opinion over US and EU regulatory efforts: the former believed to be too close to digital operators and, conversely, the EU rules accused of excessive protectionism.
Some 338 billion dollars were lost in the last 12 months to cybercrime alone: the largest illegal transfer of wealth in history.
For example, in Italy alone an overwhelming majority (97%) of senior executives are aware of cyber threats but not more than 40% say they are now ‘considering a strategy’ to reduce those threats. Also 94% admit to having been recently exposed to some sort of cyber attack but only 45% say they have done ‘something’ about it. And only 5% of European companies (20% in the US) have underwritten some sort of insurance against cyber risks.
Of course IoT (the Internet of Things), considered by all as the single major threat, has only begun to produce its effects and is forcing a frantic global catch-up race to reduce potential damage.
Also explicit reference was made to the ‘arms race’ going on in the bitcoin/blockchain/encryption/TOR worlds that will undoubtedly increase criminal activities and mention was made that a good 98% of TOR activity has today gone malicious.
From a risk perspective legal, financial and reputational were cited as equally relevant factors (however the latter appeared to some to be overrated -clearly not by the communicators, who in fact claimed that cyber security, after the brand, was a company’s largest intangible value).
Much discussion on why, when, what, to whom and how to communicate/report a threat or an attack. Opinions widely diverged and expert agreement boiled down to ‘as little as possible’ and praised efforts to avoid over communicating -again- with the exception of communicators.
Employees are considered to be the most risky ‘known’ stakeholder group and there was much talk about how to reduce this risk: opinions diverged between carrot-and-stick, active monitoring, counterintelligence and surveillance approaches.
A surprising (for me) insistence by experts that the issue of employees is mostly social, cultural and behavioral and only partly technological.