Troels Oerting is the head of the World Economic Forum’s Global Forum Centre for Cybersecurity. He previously worked as head of operations in the Danish Security Intelligence Service, Director of the European Cybercrime Centre (EC3) at Europol, and was Group Chief Security Officer and Group Chief Information Officer at Barclays, the British multinational investment bank and financial services company. He recently spoke to The Innovator’s editor-in-chief about some of the new cybersecurity challenges that governments and companies are facing and how the Centre plans to help.
Q: Why did the Forum decide to create the new global cybersecurity Centre for Cybersecurity?
TO: There is a global concern about cybersecurity, but nation states normally do what is in the national interest, and companies do what is in the interest of their shareholders. The Forum’s idea is to use its neutrality and independence to do something for the greater good and find consensus. The Centre tries to analyze top threats and identify new ones before they spread. We emphasize the importance of cyber resilience to corporates at board level. And we educate and help governments. There are 109 countries that do not even have a national system to fight cybercrime.
When I was in law enforcement I had loads of power and no information. When I was in private industry I had loads of information and no power. We want to combine these forces and get the best out of government, law enforcement, big companies and academia to both identify and codify some of the rules we need to implement at a global level, to minimize the impact of cybercrime. We will not be able to eliminate cybercrime, but we want to level it out to an acceptable level.
Q: Mobile and the Internet of Things (IoT) are radically extending and reshaping the architecture of corporate networks, increasing the number of points where hackers can penetrate them. How is the Centre for Cybersecurity tackling this?
TO: Mobile and IoT will dramatically change the landscape from the defense side, and that will mean privacy and security will be under heavy pressure. Businesses preparing for the future have to deliver through mobile platforms. The size of the Internet will increase from 3.7 billion people in 2017 to the around 5 billion who are expected to have smart phones in 2019. This shift will mean more growth, more prosperity and more cybercrime. What’s more, the introduction of the Internet of Things means that in the next five to ten years everything that can be connected will be connected — from your fridge to your car to your house to your smart phone. This will impact attack vectors, the ways hackers can enter into the network. It might be through your fridge, your router or a healthcare device. Add to that the magnitude of the amount of data we produce on the Internet. The number of terabytes will increase dramatically. Pair this huge amount of data with machine learning and artificial intelligence and you have the perfect storm for both the good and bad. We need to have a global discussion about how to manage this and the Centre for Cybersecurity can lead this.
Q: The Centre has formed a cybersecurity group specifically for the fintech sector. Why tackle this sector first?
TO: Banks are under heavy pressure from startups. The big financial institutions are trying to fight back. The biggest competitive difference in the future will be trust, so the first thing I would very much like to do is to create a set of ethical rules or standards around responsible innovation, particularly when it comes to safeguarding data. In the future it will be possible to have different identities — one where I sell my habits and another one that is private. Who is going to safeguard the private identity for you? Is there a different, more secure way to create digital identities and ensure that the person you are doing business with is who they say they are? Are banks, who are used to safeguarding things of value, best-placed to play this role? These are some of the questions we will discuss in future.
Q: Security software company McAfee’s researchers announced at the Defcon hacker conference in Las Vegas in August that they were able to hack into a medical network and falsify a patient’s vital signs. Are you thinking of forming a special group for health care?
TO: We will form groups for a variety of sectors, and one of them is health care. Health care has been on our radar for some time. There are increasing concerns about a number of hacks into advanced health-care equipment without anybody being able to explain what the hacker wants. Medical devices in any well-equipped hospital in the world are all online, and yet I have never heard about hospitals developing a cybersecurity strategy. One of the things we will look at is whether we can get together with the manufacturers of health-care equipment and set the security standards higher than the present ones. We could try to incentivize this by creating a certification badge.
Q: The Forum conference in Tianjin will feature panels that focus on what companies and governments should do to protect themselves. What are some of the key points?
TO: Security by design: Instead of looking at defending against the most sophisticated cyberattacks, start with simple cyber hygiene. We will also discuss enhanced regional cooperation.
Q: Advice is one thing, action is another. A recent survey of 600 mobile security professionals in Verizon Wireless’ annual Mobile Security Index found that “approximately one-third of organizations have knowingly sacrificed security for expediency or business performance.” Do you believe companies will be held legally liable in future for putting client data in danger?
TO: I do believe that in the future we will see companies being held legally liable. We have seen it a bit with GDPR [The 2018 General Data Protection Regulation, an EU law on data protection and privacy], which includes a rule that says the board is personally liable and can’t insure itself out of that liability. What is clear is that any good intention needs to be backed by some kind of concrete measures.
Q: Critical systems such as electric grids and factories are now vulnerable thanks to the Internet of Things. What is your advice to governments?
TO: If you take down critical systems you can take down the world, so this is an area where everybody has an incentive to work together and maybe create some sort of standard that would increase overall global resilience against cyberattacks from nation states and organized criminal groups. Attacks on critical systems will be carried out for three reasons: preparation for war, terror, and blackmail. The next war will start in cyberspace. Critical systems will go offline and then you will hear the boots arriving in the street. You will also see the use of blackmail because as we move toward the creation of smart cities, where everything is connected, that will create vulnerabilities. I have just come back from visits to the U.S., Japan, Korea, Singapore, and China and there is a common wish from everybody to see what we can do to focus on stopping criminal and terrorist attacks against critical systems. Nation states will continue to undermine each other, but we can make the world more safe and secure for ordinary citizens.