Welcome to this critical session here at Davos 2025, the 55th year of the World Economic Forum. Crisis to Confidence in Cyberspace, that's the mission of the 45 minutes we have together. I'm John Defterios. I'm a senior fellow here at the World Economic Forum. I'm a professor of business at NYU Abu Dhabi, and I spent my last 10 years of my time as a correspondent with CNN as emerging markets editor based in Abu Dhabi and the connectivity we see from the Gulf here to Europe, the United States, and obviously Asia. We want to welcome our viewers on the live stream here who are watching. This is an excellent session because in the last two years of the Global Risks Report for the World Economic Forum, we've seen that the cybersecurity and cyber threats rank either four or five in the world, rightly so.
But I would say as a former journalist, it doesn't earn its fair share unless there's a crisis that happens. We kind of think it's business as usual. Companies are ready to respond. But with the onset of artificial intelligence now and then over the next decade and then phasing into quantum computing, it's going to be more of our common vernacular. And I don't think the world's ready for that. And we want to address what it means. But at the center of our discussion today is not only dealing with cyber threats, but it's also the impact that cyber threat does have. And then obviously what impact it has potentially on a brand and reputation going forward. I want to thank the team that runs cybersecurity at the World Economic Forum. I've had a chance to work with them for the last two years.
They hold an annual gathering for themselves in November. They put out an outlook report in the last week, and we'll make reference to it here in the discussion. If you'd like to do social media and provide some feedback here on this session, the hashtag is #WEF25. And we're going to be taking questions from the floor about 15 minutes out. We invite those watching us in the live stream to do the same. Let me welcome George Kurtz. He's the Chief Executive Officer and founder of CrowdStrike Inc. Welcome to you. Öykü Işık is a professor of digital strategy and cybersecurity at IMD Business School. She focuses not only on the response by leaders in the cyberspace and technology, but also the impact that has on brands. So it's great to have you. And George Oliver is Chairman and Chief Executive Officer of Johnson Controls.
The two of you, G1 and G2, as we said in our pre-meetings, have dealt with major cyber incursions, and they learned a lot through that exercise. I'm going to ask them about it, but also they can share their leadership and what was required after having a cyber threat, and Öykü, it would be great to have you weigh in on what it takes to be a leader today and how much should be devoted in terms of time and attention to cyber, and then what impact it does have on a brand. I think it's a phenomenal topic that they've undertaken here. To provide some context, we have a cyber report that was put out in the last week here for the World Economic Forum.
They also did polling from that cybersecurity gathering that they had at the end of 2024, which I'll make reference to for those watching on the stream and here live in the audience. I want to reference a recent report from the World Economic Forum in collaboration with the University of Oxford. It defines cyber resilience as the organization's ability to minimize the impact of significant cyber incidents on its primary goals and objectives. If we can bring that graphic up here. What we're looking at here is the incident, absorbing it as a chief executive or as a company, and then the recovery. You can see that the recovery stretches out almost on a flat line here.
What we're looking for and what I'd love to glean from the panel is like that V-shaped recovery, the preparedness, the resilience that you try to build into an organization here. And I made reference to the Global Cybersecurity Outlook 2025. It was just released last week. Supply chain interdependencies represent the greatest challenge. The report identifies six components. And if we can bring that up on the screen, please, that companies need to contend with in this world of cyber complexity. Geopolitical tensions, which are on the rise. And we heard from the European Union president today talking about this fractured world and how to respond. Cybercrime, sophistication, and many actors in play here. Supply chain interdependencies. I made reference to that initial survey. Regulatory requirements, AI and emerging tech, which I talked about in my opening comments. Cyber skills gap, which I think is interesting.
Only 13% of companies feel like they have the right cyber skills internally. There's a shortage of talent worldwide. Women in cyber is a big issue, which I think Öykü could address. And then 33%, a third of the companies said cyber espionage and a loss of IP as their top concerns. I made reference to the fact that both CrowdStrike and Johnson Controls had cyber incidents. So I think it's excellent that you're willing to come on the stage and talk about it. So George, as a CEO, take us through it. So what's it like to manage something that hits a company that has a very good reputation? Did the scale of the incursion surprise you? And then how did you deal with it as a CEO? And how did your organization respond and look at you and say, you know, what do we do next?
Yeah, so first, great to be here. Just to maybe reframe it, we didn't have an incursion. We had an outage. So July 19th was an interesting day, I guess, for us and the rest of the world, as you might imagine. And when something like this happens, you have to go back to your muscle memory, right? And we actually do work with a lot of companies that have cyber intrusions, and we have that muscle memory. So we activated our crisis response team. We knew what the issue was. We were able to roll back the issue really within probably 70 minutes. But there's complexities in the operating systems to be able to recover some of those systems. Therefore, you had a much bigger outage. So once that was unfolding, then you kind of see the scale of it.
Part of the challenge, I'm not sure everyone sort of remembers or has a good appreciation, but there was another technology outage, a different company that had an outage at the same time. What we needed to do is we needed to deconflict what was our issue, which we know how it happened, and we rolled it back. We had to deconflict that from what was happening with another service provider, right? Because all you hear is outage. What's ours? What's theirs? In any event, we couldn't control that piece. What we wanted to do was to be front and center. There were two things that really came to mind. Number one, first was the customer, putting the customer first. You could see the scale of our customer base, right? We wanted to make sure that we got to our customers.
We were working with them to roll it back, and there's things that we did to automate the rollback for them, but just the complexities of the operating system, there were manual things that had to take place as part of that. We needed to be able to get out and educate and tell people what it was they needed to do, and the hard part, some of it required physical interaction, so you had to have keystrokes, and people had to type things in, and there was a lot that went into it, even though it was a relatively simple set of commands for people that don't understand how to do that. It takes time, but you had to get that information out, so one of the key things for me was take care of the customers.
The second piece, as this was unfolding, is we need to let the world know this wasn't a cyber attack because people didn't know, right? This is where I basically said, look, I've got to get on TV. This is within a few hours.
Even though people don't watch TV anymore, that's part of the challenge.
But needed to be on TV. Well, first thing we did was we got on Twitter.
Yeah, there you go.
And we announced it. And then we had continuous updates, right? And this sometimes can be hard because you've got teams of lawyers, teams of PR people, teams. You go on and on as a big company, right? And you have to make a decision. And it's not easy in the first few hours without having all of the facts. And it's a bit of the fog of what's happening. Again, what's ours? What's theirs? How do we make sure we get the right message out? But for me, it was really important to be able to get the message out. It wasn't a cyber attack. We knew what the incident was. We rolled it back very quickly. And then we were in the recovery mode working with customers. And I think that really helped to settle a lot of folks down.
And then the heavy lifting of making sure that we can bring systems back online was an ongoing effort.
I'm going to circle back about your leadership because I want to bring in G2, as we said here. George Oliver, am I correct in saying you're going to retire pretty soon?
Yeah.
What a way to go out, right? Because you had a very big cyber crisis. Is that the first major crisis that you dealt with at Johnson? And I'd love to get the other George's input on this. As a CEO, what's the first thought that goes through your mind when you get hit that hard? And I'd love to get Öykü's view on leadership and how do you prepare for a new era of a challenge that probably wasn't in our vernacular 10 years ago?
So I think it would be helpful to talk a little bit about Johnson Controls so you get an idea of what our infrastructure is like and the journey that we've been on. So Johnson Controls are about $28 billion globally. We operate in 100-plus countries. We're very distributed. And we're a company that has been made up of a lot of acquisitions with a lot of multiple systems that have come together into one. And so we've been on a journey on how do we take all of those systems, streamline, get to one ERP, get to one operating system with similar type systems deployed. And we've been on a journey. And cybersecurity has been a key element of that.
So as we're addressing technical debt, how do we make sure that when we look at our infrastructure, we have over 100,000 devices, 100,000 users, and hundreds of thousands of applications? And so just to give a simple lesson, it's all about response. It's sensing at the device level. It's understanding access and understanding where the people that are coming into your network, where they're operating. And then it's about applications and access to applications. So all of that was being built and making sure that we were resilient. So when we had the incident, or there's always incidents, and they're typically managed and contained. It's all about response. It's sensing and response, no matter what level the incident is. And you'll find that whether it be a device or whether it be where someone's user credentials got compromised, there's going to be events.
It's the ability to be able to sense and respond. So we did get an attack, and we were able to respond pretty quickly. It did impact some of our network. And what I would say, the most important thing is planning for what is in the event that if you do have an event, not only from a technical standpoint, what's the response, but from a leadership standpoint, how do you respond? And what are your business continuity plans? And so immediately, it was on a weekend. You get notified that some of our systems were compromised, and then you go to work. And it's easy to kind of try to do a self-assessment, or you can stand up and lead.
And so that day, we had our full extended leadership team across the globe activated, really assessing to make sure we understood exactly what was compromised, what is our plan. And as we worked through that, we continued to operate. And so we continued to stay focused on customers. The other thing is this idea of, as George said, as you learn, maintain transparency with your constituents. Because from a trust and respect and maintaining relationships, it's important. So right from the board to customers and making sure that as you're working with customers, you're keeping them informed relative to now where we are, relative to being able to continue to support them with critical services. We're a building solutions company. So we do a lot of service maintaining our customer's environment on a real-time basis. So that's important. So that really played out well for us.
And then we stood up our leadership team on a daily basis and also engaged partners. So when you have a lot of technology like we do deployed, we maintain strong relationships with all of our partners. And so we not only activated our internal team and leadership with our business continuity, but also engaged all of our technology partners to make sure that we, number one, understood, assessed the incident, and making sure that then we were working together to be able to effectively address it on a, what I would say, on the critical path to make sure that we were positioned with speed to be able to mitigate the risk and ultimately continue to operate. That's what we did. So I was extremely proud of it.
What I would say is, and we can talk a little bit more about this in the discussion, that cybersecurity is going to be part of the culture, and it's going to be embedded in everyone's behavior.
Every company, would you suggest? Because you're a very connected company, obviously.
When you go through.
That strikes the same.
Because you always are training, and you're always putting together processes so that you mitigate any risk and any exceptions. But as you get into any type of incident, you understand, Öykü, was it a device? Was it a user credential? Was it access that wasn't? Once you get into that, you make sure that you create redundancies. And then automation. And the work that we're doing with CrowdStrike is a lot of the sensing and then the automation so that then you have intelligence not only from a device, but from a user standpoint. And then you can. It's all about response. When you see something that's not right, how do you then respond? So part of that was when you go through this, then every leader in the company becomes an expert. Because not only are they involved previously, but really getting to that level of detail.
When we have 100,000 colleagues across the globe, then from a leadership standpoint, making sure that they're totally aligned and behaving with their actions, whether it be their access or how they're using devices, so that they're ultimately making sure that all of the securities that we have in place are being fully consumed and put to work. And so for us, it was, as we look back, it was a test of our culture, our ability to be able to respond and activate a global team, and really continue to be able to operate the company while we're mitigating the incident and ultimately getting back to full operation. So I was extremely proud of the team.
Really, a lot of our partners that stood up with us to make sure that every step of the way, they were playing their role in supporting us to mitigate what we saw as being the contributing factors.
OK, you raised a great point, and it's a great leaping-off point too, Öykü. First, can you spend 10 seconds to tell the audience what your specialty is? Because it'll help us in terms of your context of your research, Öykü.
Yes, of course. As a professor of IMD Business School, we actually exclusively do executive education. So first of all, it's a privilege to listen to two leaders talking about their experiences. This is what really makes a big difference, and my research is really all about chief information security officers and behaviors of organizations when it comes to dealing with cyber attacks.
Perfect. OK, good. We have this case where you could have a prisoner's dilemma because you're in the game together, right? And you have this trust built up. And then you face a strike. And then that cohort starts to look at you and say, OK, I put all my trust in you, and there was a failure. And then there could be panic from that partner. Or as George was explaining, everybody rallied to the cause. So what does your recent research advise future-looking CEOs? Because we know that threats are rising. And we'll get into this discussion about the developed and the developing world, right? And those vulnerabilities a little bit later. And also that brand narrative that I addressed in my opening comments about rebuilding trust very quickly during an incident. Because we want that V-shape to rise quickly. Go ahead.
I love that visualization, the V-shape. And we talk about shrinking.
Pretty good team that we work with.
Exactly. Exactly. And there were two things that George talked about: the muscle memory. I love that reference. Because that only happens if you think detailed enough of scenarios and if you practice enough, right? And George talked about how it's part of the culture and how quickly you were able to continue working, right, servicing your customers. So first half of that V, absorbing the incident, that's a great example of that. So you were prepared. The culture was there. So you were able to, despite the incident, were able to operate. And the other one, the significant part of the resilience is that we actually can practice this enough so that we can, after absorbing, recover from the experience. So I think there were two really good examples of long-term thinking.
Answering your question, the necessary shift from more traditional short-term cybersecurity thinking to a long-term resilience-building thinking is, I think, with these two examples greatly represented here.
But who would have thought five years ago that the brand would suffer if you don't respond? I mean, George was saying, look, I was ready to communicate. Both of you said, I had to communicate to my partners, my customers. And then you had to say, I need to get ahead of the curve here. Go ahead, Öykü.
Because you talk about trust, right? How do we build trust? And the first question that comes to mind, especially, there are, of course, anecdotes we can learn from. When it comes to doing research, it all comes down to how do I quantify trust? What do you mean trust? Is it the financial health of the organization? Or are we talking about finding a way to measure the reputation of the organization? What we know from, if we look at trust from a financial health perspective, to be honest, we don't know much. We only have very little research on this because it's very difficult to collect reliable data at large scale to really understand. And the research is all over the place. But when you look at trust from a reputation perspective, then we know for sure minor incidents. We tend to actually forget.
Organizations do recover from minor incidents relatively quickly with minimal stock value impact, but for major incidents, we do have evidence that it really takes quite a bit of time to recover back, but I want to add something here that most people don't think about, which ties back to preparation, is that what type of incident we're talking about makes the difference, and we know this from research, so if it's an internal insider threat, then the perspective, the trust on the organization really decreases. If this is an external threat, there's a threat actor, then really it is less of a trust issue on the services of the organization. Yeah, so if it's negligence, then the question arises around the culture of the organization, for instance.
Good. Both of your comments led me to believe if you had to do this again, what would you have done differently, and there's always that question that comes up because you have businesses that need to sell cybersafety and security and fortifications, and when do you know you have the right tools? Go ahead, George.
You never want to be in a position, but you have to prepare for it, right? And this is what we're talking about. We help a lot of companies go through incidents. And we drill ourselves. And this particular one, it's hard to put this in the playbook of what happened, right? But we used the same, again, muscle memory to be able to roll things out and activate our teams. I think as you go through any of these, there's always areas where you can pick at and go, OK, we could have done that better, or we could have communicated this. Or you come up with various scenarios. But I think by and large, something like this, any incident, if you are upfront, if you're transparent, if you communicate not only one time, but frequently.
This was a big part of our response. We immediately said internally, and then we said externally, we will tell everyone as much as we know as soon as we know it. Basically, we had a whole portal that we stood up, right? Then as we knew things, you just went to the portal and you got updated, right? I think that really served us well. When I was.
Has the business been hurt as a result of it now? Would you say the CrowdStrike brand suffered?
I think the trust is even up more. I mean, walking around Davos, I run into CEOs of many of our companies. And they say, you know, I had one organization say we actually used CrowdStrike in our responses as the prototype for how you should respond. That was just last night. So I think, you know, again, everyone's going to have their own opinion. But I think our customers have looked at it. And I think anyone in business or IT realizes things happen. And it's really how you respond. And we want to be known for our response to this, not necessarily the incident that actually happened. So that's the way we would look at it. And again, could we do things better? I'm sure.
But I think overall, with trust and transparency and communication, we did the best we could with what we had in front of us.
OK.
May I quickly add here?
Of course.
Because we really do know that during the incident, communication is the biggest differentiator, and being transparent, honest, and owning up to it does make a big positive impact on the image of the organization, but I wonder what you think about the possibility that in your case, product stickiness and vendor lock-in, how much that plays in, right? Clearly, for smaller organizations, this may lead to customers leaving, but I wonder if there was a way for you to kind of measure the impact of that.
Good. Just so we can, that's a great question. We're going to look at the vulnerabilities of SMEs in our next round. So I'm glad you brought it up. Go ahead, George.
Yeah. I think when you look at this, I mean, we're a public company. We talk about our retention rates, right? They're 97-plus%, which is fantastic. So even after the incident, I think when you, to your point about the product and the stickiness, I mean, the good news is we've got the best product in the market. So customers like it. And I'll just tell you a quick story of a customer. It was a large financial services company. We went through what happened, why it happened, why it won't happen again. And they said, look, you've got 10 years of trust deposits in the bank, in their bank. 10 years of trust deposits. And on the 19th, you had a withdrawal. But net, you're positive. Net, you're way positive.
That was nice from a financial services company to say it and put it in that.
And it was, but they went to this system went to the board and said, if it wasn't for CrowdStrike, they recovered pretty quickly. If it wasn't for CrowdStrike of 10 years of protecting them, it would be a much different story. And this is, again, building trust over time. And I think that has really helped us out with a great product.
Right. I don't want to get into Midwestern values, but the company's based in Milwaukee, Wisconsin. And for those who know America, that's where they value it. I'm from the West Coast. So it's a little bit different mindset of like blue sky thinking.
I would like to contribute to that last question about the two things that come to my mind. Because cybersecurity, of course, is a top priority across all companies. And then it's more about how is that then built into your operating system so that all of the key metrics, response times, if there's any exceptions around sensing of devices or any, as far as the strategy around user access, really the CEO at least should understand that. You know what I mean? Understanding what their network is, how that's configured. And then from a cybersecurity metrics, they should be embedded in their operating metrics across the company. And that allows every leader to really understand how they lead cybersecurity, right? Typically, I think historically, it's been more of an IT-type metric.
So, I would say number one, making that front and center, really understanding your infrastructure network, how that's made up with devices, users, applications. And then the whole strategy is sensing and then reacting so that when there is anything unusual in the most simplest form. And the second is, and I think this is where George comes in, George One comes in. I purposely, and I'm an engineer, so I can consume technology. And we're going through all of the reviews and felt that we had all of the best technologies and capabilities deployed. What I learned was the technology development is so rapid. And now with the threats being much more sophisticated because of AI and other capabilities, that be versed on the state of the industry.
And so I spent time with a number of other CEOs in the cybersecurity to make sure that I fully understood, as far as the work that we had done to build our security, I understood then how does that compare to what you'd consider the next generation kind of best in class. And I think that's helped the organization so that as we're prioritizing where we're now deploying resources and the like, it's, I think, pretty clear to everyone now why we're doing what and when.
OK. And my question on values, what did you learn about the values of your organization during a crisis?
I mean, for us, as we've gone through a transformation, it was a test of leadership. When you're the CEO, it's when you get that notice that you've got an incident, and then you quickly scope it, and it's significant. You can reflect. I think what happened was we immediately did what we all did best was lead and engage, right from the day it happened to.
No panic?
To business continuity. We had daily understanding, OK, how we're going to operate, where we had some challenges, how we're going to operate around. And it was seamless, meaning every day, every business leader with their teams, the workarounds or some additional capabilities that we could activate. And so that was a real-time learning, shared, kind of a stand-up meeting just as you're assessing and acting. And I think from that standpoint, you then have now the combined knowledge. And you're acting real time. And you're communicating. You're communicating to customers and ultimately employees and partners. And what you want to do is instill confidence that, OK, everyone's going to have an event. How do you manage that? How do you respond? What is the leadership that you demonstrate?
And I think for us, as we've worked with a number of partners and advisors working through this, we got high grades that our team was prepared. And we acted and continued to run the company fairly well while we're mitigating the risk.
OK, good. I want to bring up the next set of data here. We have about 16 minutes left. Looking at this cyber inequity, and that would be from a large company that has budget and can play with this into your supply chain with small organizations that probably don't have the budgets to, and that's the trust that we wanted to talk about. But I also would like to have you address the developed versus the developing world, right? Because everybody likes to tap that growth of emerging markets. But do they have the capabilities to be your partners? So if we can look at the surveys here, the key challenge, 54% of large organizations highlight supply chain challenges as the greatest barrier to achieving the cyber resilience. How do you test your supply chain is one question I want to have you consider.
Furthermore, 71% of cyber leaders at the annual meeting in November of the WEF Cybersecurity Group, small organizations have already reached a critical tipping point when they can no longer adequately secure themselves against the growing complexity of cyber risk. SMEs, of course, represent about 50% of growth or 50% of jobs around the world, no matter where you are in the economy. George, what are some examples and lessons how to successfully rebuild trust with the stakeholders? How about everybody in your supply chain? How do you make sure that they're up to snuff? I think it applies to both of you. OK, you can weigh in with the research and recommendations on that.
I think when you look at supply chain, this is one of the areas you saw the stats of risk. I know we talk about it a lot, the interconnectedness of the world. I don't think it's fully appreciated. It's almost when you have these visuals, a dollar bill is really thin, but a billion of them goes up to the moon kind of a thing. You really don't know how interconnected the world is until you have an issue. When you look at supply chain, which is one of the biggest areas of risk right now, you've got small companies. They make one little part, one little bolt, one little something for a spacecraft or the government or what have you. They're all connected.
Typically what we find when we do incident response for companies is there's a lot of large companies that do the right thing. They spend the money. Then it's a third party. And you don't hear about the third party because they're 10 people or 100 people. Nobody wants to talk about it. They want to talk about the company that has an incident. That's one of the biggest areas. I'm sure you can reflect and comment on that. Making sure that that is locked down is incredibly important. Overall, just assessing where the real risk is and where the dollars need to be spent. From a smaller company perspective, they have a lot of risk, right? They have a lot of risk, whether that's ransomware or whether it's supply chain into a larger organization.
This is why AI and even managed services are so effective. Because you can basically, in even a small company, we can bring the same technology that we bring to the largest banks to a small company at a very efficient price point. That's the way we do it.
There's the other threat of the deepfake. Like somebody takes over your board and they hold a board meeting, then they kind of hijack your narrative for 24 hours if you're not careful, right? So that's complexity for a leader, is it not, Öykü? What's your.
Absolutely.
This whole idea of trust, you could be completely bought into a deepfake. It changes the game quickly.
And I think sometimes I still do hear from leaders of SMEs, small organizations, that makes me think that there's still lots of awareness work to be done there as well. One manager of an SME shared about a ransomware incident they experienced and how this experience brought the team together, that made them a team at the end, almost thankful to the experience, saying that "I had zero preparations in place before I experienced this. Now I am a team, a real team with the rest of my organization. And we actually have processes and policies in place to deal with this." So it makes me think that maybe sometimes still this thinking, "oh, I might be flying under the radar," can still be a thing for SMEs.
But coming back to leadership skills, I think it still applies whether large corporations or SME, still being able to decide under pressure, having emotional intelligence and composure, being honest and accountable, all these characteristics, whether for international corporations or SMEs, I think the same.
Good. George, do you mind Oliver dealing with this issue that you're a global company and there's vulnerabilities of a developing world that they want to grow? But they even admitted they don't have the skill sets inside your short cyber.
We have a very complex supply chain. It's global. We have all size suppliers. We do try to mitigate risk by having multiple suppliers, dual-sourced and regionally developing suppliers, so there's all kinds of supply chain strategies, but what I would say, what we've learned is that as we're assessing suppliers, we go through supplier assessments, and then you can tell when you go through an assessment the ones that actually understand it and are proactive in what they're doing to protect their infrastructure and maybe ones that are not, and so we have a role to play that number one, we now make sure that's part of their assessment, and then as we can educate and help and assist, then we obviously make our teams accessible to do that.
I do agree with George that when I think with the ones that maybe don't have the depth and expertise within their company, then it's going to be very difficult for them to manage themselves. I do believe, and I think what we're trying to do, and I get lots of inbound calls from other CEOs as far as how we dealt with it and how we responded. I think the biggest thing is this, we want to help everyone, right? We all want to make sure that we're all learning through this journey we're on, helping other companies, helping suppliers. There's a huge education that I think everyone's going through because this is becoming much more sophisticated. And then demanding it. What will happen is you're going to have to either suppliers are going to have that core capability or not.
If that's going to pose any significant risk to our ability to be able to continue to execute, then we'll probably have to look at other, which we do on a real-time basis.
Do the screening then on real-time.
But it's suppliers. And so even though everyone seems to want to get down to the resources, you can't afford not to put the resources to work. Because think of it as more insurance than it is once you have an event, then all of that is for naught anyways.
Good. I want to open the floor. Thanks, George. Open the floor to questions. If you haven't, just raise your hand and we can get a microphone into your hands, and don't be shy. I'll give it a breather. I've got another question at hand here. State actors, man, it's getting pretty nasty out there, right, and they wouldn't call out different countries, but they do often now, right, so U.S. accusing China or Russia, the fight in the Ukraine's become a cyber warfare as well. That's a pretty easy way to disrupt if you reach into the U.S. Treasury Department, right, or the Federal Reserve. How nasty will this game get now with AI coming on quantum computing power? How do you see that?
It's already nasty. I think most people really don't see below the iceberg, right? When you respond to.
That's a perfect way of putting it, by the way.
When you respond to these things, you see how prevalent it is. And you only hear about it when it bubbles up to something that can be sensationalized. But China is very, very active in these areas. One of the things that they're really focused on is operational preparation of the environment. So being able to prepare in case of conflicts, say, South China Sea as an example. And this is a huge issue for certainly the U.S. government and other governments, right, if these sort of things happen. And there's a lot of capabilities there. But I think we can talk about different countries and adversaries for the next hour. But I think the harder question is, what does it all mean and how bad does it get? Well, we think about adversaries in maybe three categories. And I can think about it as a pyramid.
So in the top part of the pyramid, you have nation-state actors. In the middle band, you've got e-crime, and in the bottom, you've got hacktivism, and in the very top, you've got the most sophisticated actors, and then what we see is that their techniques trickle down into the center band, which is e-crime, so you don't have to be a true expert actually to be able to execute an attack. Now, when you talk about GenAI, you've now democratized all the smart things that have been done by the nation-states, and now you make it available to multiple adversaries that are out there, and even if you don't know what you're doing, A, you can buy these capabilities, but we see it now where an adversary maybe is not all that sophisticated, they buy a kit they can break into a company, an access broker.
And then they actually have one of the GenAI tools create scripts to actually bypass the technology. So that's the biggest thing that we're going to see is it's going to compress the speed. We talk about response, right? You had so much time. Now it's going to even get shorter. We track breakout time. It keeps getting smaller. And it's going to democratize how many more people can get in the game of being an adversary.
Interesting. Öykü ?
Just to add to that, because I do realize also in the classroom that most executives do not really know how accessible these things are and that you can still inflict damage even though you're not an expert in this, right? So the accessibility, growing cybercrime as a service market is something that we really need to continue talking a lot about. And we know that even more damage is possible with AI. Research shows us what's possible already. And so there are things that we can start preparing for even though we don't see them out in the wild yet. So there are many different resources we can turn to to start preparing and scenario planning for these things.
But your thoughts?
I would say similar to George. I think it's really just playing offense, meaning that we can be as sophisticated as they can be with AI. We do believe, and my assessment, the technology community is making incredible progress. So technology is available today to really be proactive to mitigate any significant risk. And so I would just suggest that how do you now take that technology and be really proactive using AI and thinking like the bad guy? Because I think that allows you to be agile in taking all of your data, whether it be around your devices, around users, around applications, and become really sophisticated in how you ultimately then, because like George said, it's all about response. When you see anything unusual with a user or with a device, it's immediately shut down. Because they're going to find a way in.
What you want is a sensor and response that they're putting in the cloud, as I say it, so it stops the progression as they get into your network. That is probably what's most critical, and I would say, based on my experience, really understanding the technology and then understanding how you get this defense in depth around all of your critical elements of your network, which then allows you to be able to create that response on anything that's unusual that could potentially be more of an impact, and I think doing that will be as good, and then through service providers, you have good intelligence relative to what the broader landscape looks like, and so that sharing relative to how we're proactively deploying now the technologies I think is very helpful.
Great. We have questions here on the floor. Please, one here. And just if you can direct it to somebody, if you have one in specific, and just let people know who you are.
Sure. Roshan Navagamuwa with AIG. George, good to see you. The question's directed, maybe starting with you. You actually triggered this for me when you're talking about nation-state actors in terms of threat actors, right? Just your thoughts on what you think is a corresponding public-private partnership opportunity, maybe a more kinetic partnership opportunity when you're thinking about defense and kind of routine?
That's always the big question of what can be done. When you look at the private sector, we do work with law enforcement all the time. We explain what's happening. I mean, we didn't even talk about North Korea and some of the things that they're doing, which is really interesting. What can be done? I think we started with the public-private sharing of information with things like JCDC, where you have these fusion centers and they can share all this information, which is great. Then what is the next step? How can governments be more active in shutting this stuff down? There was a recent example with one of the ransomwares or kits, I forget which one it was, where basically the government's kind of defanged it, right? They went out and they were able to, you probably remember which one it was.
But those are the kind of things that we would look at. And then how do you disrupt their infrastructure? You have to remember the infrastructure is actually fairly not costly in dollars, but time to be able to set up. And they want to reuse that, right? So if you can burn their infrastructure every time, it makes it that much more difficult for them to keep wash, rinse, repeat. We see what happens. And it literally is wash, rinse, repeat. Just go down the list of companies. So I think that's where it can be much more interesting and more offensive where you can disrupt that, I think, in a controlled fashion.
OK. In 30 seconds, if you can, George Oliver, are governments prepared? Because I know they take it very seriously at the White House, for example. They have a cybersecurity desk, and they liaise between National Security and National Economic Council. They take it seriously, but they can't potentially keep pace with private sector, right?
I mean.
Just a minute if you can, and then I'll go get Öykü's final thoughts. Thank you.
I mean, on that, I mean, I don't want to assess the governments. I think at the end of the day, there's different levels of sophistication and resources that are deployed across the globe. I think for all of us, making sure that there's transparency relative to what is happening so that then they ultimately are putting their resources to work to ultimately protect the broader environment. I think it varies, right? I mean, across the globe.
Yeah. I do have those concerns, and I've shared it with the WEF about the Global South in terms of they have to deal with energy transition and climate change and dealing with something like this. You're trying to grow, feed your populations, and deal with cyber threats, right? And we've seen the attacks.
I mean, I think, I mean, what I'm finding internally with our own resource that we're putting a significant amount of resource, and we're finding that from a technology standpoint, we're leapfrogging some of the older, less effective technology now with the new technology. So you can do it very efficiently as you're now continuing the journey to really be proactive with the technology that's being deployed.
Great. Öykü, in 40 seconds, any final thoughts on this and what you learned out of this from two leaders in the space?
I guess we heard that's a leadership imperative before I even started.
Yeah, it is an imperative.
So there's a very big technology side to this. But clearly, culture and leadership and awareness creation in the organization is still the pushing power behind this. And I think it's a very interesting thing to look into how can we be more proactive rather than defending ourselves. How can we proactively engage and disrupt the operations of a cybercrime network on one hand, right? On the other hand, I'm thinking from an information sharing perspective, bringing SMEs up to speed, what kind of incentives can we create out there so that it doesn't end up becoming only an issue of protecting myself, but how can we incentivize investing in resilience is also a good question that I have in mind.
Yeah, that's great. Our session was From Crisis to Competence in Cyberspace. I'd like to thank the panel, Akshay Joshi, your team, Felipe, Juliana, thanks a lot for all the support leading up to it. I appreciate those who are online. I would highly encourage those in the audience here and online to take a look at the annual report, which came out a week ago. It addresses this wholeheartedly, and you'll see where we got the data that we shared on screen here. I appreciate your candor, by the way. Most CEOs who've had something, an incident, if you will, wouldn't sit up and face the music. You did it when the incident happened, but you're also willing to share the lessons learned, which I appreciate. Can we give a nice round of applause to our panel, and thank you. Thank you.