We recently had the pleasure of discussing global developments on improving cyber resilience with William Dixon, Head of Future Networks and Technology at World Economic Forum. His fascinating insights into cultural, operational and technical aspects, their commonalities and variances within the evolution of what is now recognised as cyber resilience are warmly welcomed, as the BRIM team supports the design and roll out of the network of Cyber Resilience Centres in the UK. Those of you with an interest in strategic developments at international level may also find this a fascinating read.
When Joanna Goddard, Partner at BRIM, met with William, she raised some interesting questions. This post captures some of that conversation.
Joanna – William, your recent video courtesy of Anna Delaney, wonderfully captured and categorised the evolution from IT Security to Cyber Security to Cyber Resilience and the impact of COVID-19 and lockdown related cybercrime spikes. We truly need to understand and define how we implement and measure Cyber Resilience. Would you tell us a little more about this categorisation and its evolution?
William – Absolutely. Recent global risk reports by the World Economic Forum have identified that, at global level, cyber security becomes the third highest risk in the big picture of economic survival. We no longer have the luxury to view this as an Info Sec (Information Security) approach; the strategic imperative is that security only leads to cyber resilience through development of trust and integrity across the industry. This is largely a challenge for what is, on the whole, an unregulated industry and yet remains within the top three priorities for business survival. Poignantly critical to safeguarding supply chain, cyber resilience deeply impacts healthcare and critical national infrastructure at the highest level.
Digital disruption is at the core of effective cyber resilience and we actually need to disrupt our own cyber industry to achieve the trust and integrity required. Strategic leadership and the viability and function of a cyber ecosystem this demands, needs true collaboration between the public and private sectors to achieve the results required. The positive impact of 5G in the next wave of mobile communications balanced with the supply chain challenges faced by Government requires that we need to continually shift both thinking and understanding of the security ecosystem to an assurance model of trust and integrity to develop resilience. Assurance has been one of the biggest trade impacts in the last 20 years and within cyber it needs to achieve a structured pathway to enable organisations to have clear objectives and understand whether or not they are meeting them as they strive to operate in a cyber resilient fashion.
Collaboration, patience and continued focus have proven to be utterly required and will continue to be as we move forward. However, strategic leadership must understand the committed resource that is imperative in developing solutions that appropriately make use of law enforcement from a criminality and investigative aspect as well as private sector resource to appropriately supplement and ensure that law enforcement resources are optimised. This is a big challenge globally, and at the same time securing technical talent within law enforcement is hard when private sector can throw more cash at recruits. There is no one size fits all and cybercrime knows no jurisdiction nor time zone, nor culture. Law enforcement, meanwhile, varies enormously across different parts of the world and therefore the World Economic Forum is playing a significant role in identifying aspects of success models that can be applied in different countries and fostering effective introductions and collaboration to enable progress to be made. A series of very current reports is due to be released in November by World Economic Forum, which the BRIM community may find very relevant and informative.
Joanna – Thank you William, your approach to identifying and deconstructing successful solutions to effectively share best practice across the globe with relevance, is really interesting. Our work at BRIM with NPCC on behalf of the Home Office is entirely focused on a robust model that is indeed a strategic partnership between the public and private sectors, fundamentally providing a solution to three key aspects:
1. Executive education on cyber resilience.
2. Affordable solutions for those who are vulnerable.
3. Structured talent pipeline solution.
What are your thoughts on this example from the UK model that we are implementing and how it may help inform others at an international level?
William – It’s really interesting and I welcome case studies as this progresses. Business leaders are used to collaborating in strategic forums, but often due to the roles of those that do there is a gap in cyber resilience knowledge. The work that we are doing at the World Economic Forum to foster strategic intelligence sharing between those who hold technical knowledge and those who can then communicate effectively within wider business circles is developing this very conversation.
Cyber resilience has recently been identified as a tangible threat and we're working with Interpol to develop coordinated developments across the 194 member countries. This is a real, tangible threat. That's our core message in our work and as previously mentioned, developing an understanding away from information security, to this being a type of crime, is critical and that really underlines my points as to why collaboration between law enforcement and the private sector is so imperative.
In short, we are in a high-tech crime culture at global level. Collaboration will be required in a new way. I spend a lot of my time with Chief Communication Officers, translating the technical threat intelligence from cybercrime to feed into general business leadership and governance understanding forums. Governance is a critical aspect of cyber resilience and something in which every company director will require ongoing executive education. It is quite frankly the pace at which the threat landscape is evolving within cyber, faster than any other crime type, that businesses and law enforcement are facing. That is top of the agenda, and something that hasn’t been faced before.
In short, we need to take cyber resilience into a high-tech crime era.
The Cyber Information Sharing: Building collective security report focused on a number of these points that your readers may find of interest. Data informed analysis is what will drive this, and it needs critical governance to deploy and achieve that trust and integrity to effect change using it. The UK and the US are currently at the forefront of developing models that are robust and scalable. Recent examples of the work of the FBI working in true partnership with the private sector demonstrate how required public-private partnership is to achieve all of this. In the UK we are seeing good cooperation – for example between NCSC (part of GCHQ), Government and the private sector – and we're seeing upstream disruption that's making an impact and this tracks through measured KPIs. The network of Cyber Resilience Centres is a good example of that in practice.
Joanna – You also mention being protective with law enforcement within cyber divisions which are rapidly emerging within law enforcement teams around the world. How do you see that we best protect those resources and at the same time protect the trust and integrity that comes from law enforcement when you factor in the private sector support? Do you have a view on ‘outsourcing’ v ‘crowdsourcing’, a topic we recently explored relating to cyber?
William – This is a really good question and I hesitate to use the phrase ‘outsource’ as, whilst this additional resource is from the private sector, it is utterly required to protect law enforcement resources and has a unique position in internet-enabled crime. However, “outsourcing” creates doubt and risk around the accountability of who is ultimately responsible for executive action and decision making, especially when some of the tools and tactics required to disrupt cybercrime require, rightly, legal powers. Interesting you raise crowdsourcing; this is an interesting nuance and yet important point. It warrants further adoption in principle as well as use of language to ensure when collaboration is in place it is effectively managed between the two sectors.
We urgently need case studies from projects, trials and work that is happening from the US and UK but also much further afield. Learnings and insights from these case studies will help inform law enforcement and the private sector around the world. We look forward to learning from BRIM’s work and the network of Cyber Resilience Centres.
Joanna – Talent pipeline is very difficult to solve. You've mentioned that talent pipeline is an imperative to success in cyber resilience across the globe. How do you foresee that we achieve ‘workplace ready’ technically trained people and at the same time, ensure that the pressure on them in such a high demand industry doesn't burn them out and see us lose them early in their careers as a result?
William – Yes talent pipeline is a huge challenge. It requires effective collaboration between academia, the private sector and law enforcement. Structured solutions to both education and practical application are required and it is an interesting model that BRIM is delivering in the UK. If over the next few years that can generate a solid and expansive talent pipeline that is workplace ready this will indeed play a key part in improving national security which may be replicated elsewhere.
High-tech crime is escalating at local level, regional level, national level, and super national level. This is a large-scale volume issue, and it needs solutions that can scale up at volume and at great speed. A good paper to digest on this is https://www.thirdway.org/report/countering-the-cyber-enforcement-gap-strengthening-global-capacity-on-cybercrime. It is alarming to see that whilst one in two crimes reported of a non-cyber nature are prosecuted, the comparative figure in cybercrime is only one in three hundred prosecuted. This underlines the sheer challenge ahead of us in regard to protecting those law enforcement resources as previously mentioned and why looking at partnership models and seeking case studies is of such a critical urgent nature. We need to reduce that rate of 1/300 to match the 1/2 so that all crimes are prosecuted at a rate of a similar level.
Joanna – What timeline do we have to achieve all this, William? What are your thoughts around how we meet that timeline?
William – Trust and governance are absolutely what success looks like and identifying clear KPIs such as increased and aligned prosecution rates. To get there, we need to define the outsourcing or the crowdsourcing and ensure that we go after that as a priority and embed it in the way that we work.
We need investigations access to forensics like data capabilities. Extremely well governed public and private sector reporting in a structured and measured fashion, at pace to enable continued threat analysis to be combatted is required.
There are some exceptional strategic thinkers with their eye on the ball around the globe and it's interesting as I speak to you from the mists of the mountains in Geneva, that you are talking to me from the mountains of Scotland. I know that one of the leading minds in this space, David Ferbrache, is not far down the road from you in the central belt of Scotland. Having said that, David has not been in Scotland for long and it summarises for me the fact that you also know him, just how small a pool of people truly are working at strategic, global level in reality to the scale of the problem. This is exactly why we need solutions that can scale quickly. It is very interesting the network of Cyber Resilience Centres in the UK and the escalated roll out circumstances due to COVID-19 and lockdown are really testing the pace and scalability of that model.
I really look forward to sharing our reports in November with you. I hope and trust they will be informative and helpful and will trigger ongoing communications and consultation between BRIM and the network of UK Cyber Resilience Centres and the World Economic Forum.
If you would like to find out more about William’s work at the World Economic Forum you can register for news here. If you also register for news from BRIM here, we will keep you updated on any further news when there are discussions and developments with the World Economic Forum.
With sincere thanks to William for giving us so much time, and to Anna Delaney for stimulating this discussion. You can watch Anna’s interview with William here.
About William Dixon - William Dixon has a decade’s experience as an operational and strategic lead for a range of national security and cyber security programmes in the UK Government, which included significant experience working on a number of major and high-profile international cybercrime investigations. Prior to joining the World Economic Forum, William was the Global Head of Intelligence at Barclays Bank, helping lead a programme that sought to defend the Bank and its clients from major cybercriminal, cyber security, and physical threats. He is the author and contributor to a number of publications and has a master’s degree from King's College London's War Studies Department in Intelligence and International Security.