Cybersecurity should be top of mind for attendees of the World Economic Forum’s annual meeting in Davos, according to the Global Risks Report 2018.
“Cyberattacks are perceived as the global risk of highest concern to business leaders in advanced economies,” WEF reported ahead of this week’s annual meeting of global leaders in the Swiss resort town. “Cyber is also viewed by the wider risk community as the risk most likely to intensify in 2018, according to the risk perception survey that underpins the Global Risks Report.”
Addressing those concerns, experts at WEF spent a year compiling a playbook for cyber resilience that identifies 14 policy areas where there needs to be public-private cooperation. Davos will also see the launching of a Global Centre for Cybersecurity to facilitate that cooperation.
“This comes from trying to come up with a common language both about security policy and the values that underlie it so that at least the discussion is transparent and can take place before an emergency situation,” Daniel Dobrygowski, Project Lead for Cyber Resilience at WEF, told Yahoo Finance. “If we’re all speaking the same language, then we’re apt to get more done.”
‘We need a new model for a global security platform’
Yahoo Finance sent WEF’s cyber playbook to top cybersecurity experts and asked: What is the topic or topics that business and government leaders should be focusing on when it comes to cybersecurity and policy in 2018?
“We need a new model for a global security platform that combines governmental and private-entity resources to counter the challenges on the emerging threat horizon. Davos, where the world’s biggest stakeholders come together, may be just the place to start the discussion.” – William J. Bratton, Executive Chairman of Teneo Risk and former Police Commissioner of New York City
“Something I would like to see is governmental [groups] — whether that’s overarching bodies like the European Commission or whether that’s on a national level, having representatives from governments or civil services of various nations coming together — to engage more with the private sector.” – Rik Ferguson, Vice President of Security Research at Trend Micro
“Pinpointing blame for a cyberattack takes a blend of cutting-edge digital forensics, traditional intelligence, ever-better defensive technologies, and more robust public-private cooperation including threat intelligence sharing. Conflict managers in the public sector will be wise to have all available resources collaborate on attribution and response design – while deflecting public clamor for quick revenge.” – Steve Grobman, CTO of McAfee
“Traditional defense is simply not enough. Companies must do more than monitor and assess threats, they need to be proactive about collecting intelligence and context about bad actors. If they truly want to defend their networks, organizations must complement commercial threat intelligence sources with analysis about all potential vulnerabilities within their network — known and unknown. Only then can they get a fuller picture of actual risk.” – Leo Taddeo, Chief Information Security Officer for Cyxtera and former FBI Special Agent in Charge of the Special Operations/Cyber Division at the New York Office (Check out more detailed analysis from Taddeo.)
“Focus on making companies more secure through automated and integrated solutions: The way into my organization might be through my trusted relationship with your organization; your risk often becomes my risk. Neither of us can sufficiently manage the security problems of speed and scale without adopting the solutions of automation and integration.” – Philip Quade, CISO at Fortinet and former Special Assistant to the NSA Director for Cyber (Check out more detailed analysis from Quade.)
“Redefine a win in cyberspace. You will get breached; mitigating the impact of the breach before data is stolen is a win. In 2016 we saw on average a dwell time globally of 99 days before a breach is detected. That’s the time between when a hacker compromises a system and the organization either detects the breach or is notified by an external party of the breach. That dwell time needs to shrink to under 10 minutes if we want to be successful in almost always mitigating the impact of a breach. Think of it like a security system on your house: a burglar breaks in, the alarm sounds, they run out and no one is harmed and nothing is stolen. Everything worked as planned.” – Tony Cole, VP and Global Government Chief Technology Officer at FireEye
“Go on the offensive against your own systems. Be the adversary and perform aggressive red teaming that mimics their tradecraft. Patch quickly and ensure all patches are actually effective by thoroughly testing them.” – Mark Kuhr, CTO and Co-Founder of Synack
“One of the most pressing areas is how to best secure IoT devices. Malicious botnets incorporating IoT devices are extremely representative of today’s evolving threat landscape, and recent IoT threats have challenged our collective defenses. Unfortunately, this trend will continue to accelerate exponentially as more devices come online.” – Bill Wright, Director of Government Affairs at Symantec
“The biggest topics right now from both a business and government perspective are definitely these: cryptocurrency ecosystems, election security, ‘DevSecOps’ (this may sound dull, but think: IoT, cars, airline computer systems, smart homes, smart cities, Intel chips, Juniper routers, Huawei, the Internet, basically everything digital under the sun), increased regulation, cyber warfare and attribution.” – Jason Glassberg, co-founder of Casaba Security (Check out more detailed analysis from Glassberg.)
“Nation State hacking and targeting of Critical Infrastructures — since this is an economic forum that may greatly impact any of our countries, should we examine the potential for rules, guidelines, rules of engagement, or even a moratorium on targeting member countries’ critical infrastructures?” – Jeff Bardin, CIO of Treadstone 71
Dobrygowski noted that while WEF doesn’t recommend policy, the organization’s mandate involves “expanding the universal tools available for people in leadership positions to make intelligent decisions around these sorts of challenges.”
He added: “We need to get everyone who has a stake in this conversation in the room to help decide what our expectations are around security and the internet.”
This post will be updated with links to more detailed insights from various experts as the week progresses.