UUÂãÁÄÖ±²¥

And we’re back! Cyber 2024 carried us through another series of engaging and insightful discussions, held on June 5th at the thought leadership hub that is Chatham House. Journeying through the security of Critical National Infrastructure, the realistic role of AI technologies, the interplay between cyberspace and trust and challenges to global governance, before ending with the always intriguing ‘Chatham House Rules’ sessions.  

The first session, chaired by Joyce Hakmeh, Deputy Director, Chatham House, began with a frank exploration of how resilient Critical National Infrastructure (CNI) is to cyber threats. Discussing top of the line threats, the panel called out the risk that disagreement in the industry concerning ‘’what’’ CNI threatens a comprehensive, prioritised approach to threat protection, while poor foundational cyber hygiene persists (e.g. not changing your device password) as a superior threat to CNI. Mitigation approaches were suggested: using creative channels to target communication toward end users to ensure they understand the basic steps that can be taken to secure digital infrastructure; or pushing ahead with legislation such as the European Union’s Cyber Resilience Act, which introduces common cybersecurity standards for digital products that industry will have to abide to. While this Act received formal approval from the European Parliament in March 2024, it will be interesting to see if this standardised approach spreads beyond Europe.

Moving to the second morning discussion, chaired by Jon Davies, Senior Director, Cyber Defence, News Corp, the panel addressed the view that AI presents a paradigm shift for cyber security. Immediately rejecting the idea that AI is supercharging all cyber criminals, the panel agreed that AI is a costly tool most cyber criminals don’t have to rely on given the success they already experience. Caution against directing funding toward AI at the expense of foundational cyber protections was expressed, adding weight to the persistently reiterated theme to invest in your cyber foundations. Reflecting on relevant takeaways from the AI Safety Summit, concerns were raised around professionalisation in the cyber community - if AI is brought in to replace cyber professionals without continuing to nurture in-house skills, who will verify AI-powered cyber security measures?

The afternoon kicked off with an eye-opening conversation of the far-reaching consequences of a vulnerable cyberspace: its impact on democracy and the threat of disinformation. Moderated by Alex Krasodomski, Senior Research Fellow, Chatham House, the panel quickly addressed the proliferation of disinformation across cyberspace, often mediated by AI technologies, and the threat this poses to eroding public trust in legitimate institutions. When discussing how to move forward, it was highlighted that governments have an explicit responsibility to introduce policy and direct funding toward protecting their citizens; they should target both the saturation of false or misleading digital narratives, and the societal conditions that leave populations vulnerable to such narratives. Pushing back, it was stressed that industry too hold a duty of care to the users of their products and must introduce tighter measures to keep their digital platforms secure from disinformation campaigns.

The panel series ended with a discussion of global governance in the next generation of cyber-attacks, chaired by Emily Taylor, Associate Fellow, Chatham House. Touching on the fragmentation of global policy and multilateral discussions, possible explanations were highlighted: digital sovereignty prevailing, combined with governments relying on industry to develop and maintain their cyber security infrastructure. It was stressed that industry has a vital role to play in advancing global governance - the security of a country's national infrastructure drives international cooperation, and industry must ensure the infrastructure they operate and maintain on behalf of governments is secure. Considering this, a ‘Brussels Effect’ for legislation like the Cyber Resilience Act could provide an incentive for industry to strengthen the security of their products by design.

Now for the fireside chat and spotlight session. Firstly, it was made clear that the secure-by-design (SBD) movement is here to stay and to ensure resilient products, the expert speaker advised teams to focus on standardising SBD implementation methodologies rather than features. Secondly, I would advise all reading to start wrapping your head around quantum computing now - it’s likely to change the very foundations of cyber security and while inspiring wonder, it's not the most intuitive of disciplines…

To conclude, it appears the cyber domain have some understandings to reach. While the discussions acknowledged the importance of connecting the cyber nodes of influence – the individual, industry, and government - to champion a flourishing and secure cyber space, contrasting opinions were voiced over which of these nodes holds the most influence and bears the greatest responsibility to act. As we wait for a new UN convention on cybercrime to be agreed, the cyber domain will need to increase their collaborative efforts to ensure progress in achieved in the meantime.