Davos panellists call for cooperation amongst countries to stave off cyber threats


This article was licensed through Dow Jones Direct. The article was originally published on The Straits Times.

Countries should cooperate and share information about cyber attacks to tackle the threat posed by cyber criminals, said panellists at a World Economic Forum (WEF) discussion on Tuesday.

Albanian prime minister Edi Rama, whose country suffered a massive cyber attack last July that shut down public services, said sharing information with Albania's allies is crucial so that they can identify the type of cyber weapons being used.

The cyber threat is akin to the pandemic, but worse, he added at a panel on securing critical infrastructure. "This is not about one virus. It's about a multitude of viruses and mutations that happen every second."

Sharing information will increase "immunity", he said, cautioning that cyber attacks can inflict an "apocalyptic" degree of harm.

Singapore's Minister for Communications and Information Josephine Teo, who was on the panel, said enhancing international cooperation is one of the key planks of the Republic's cyber security strategy.

Cyber criminals do not respect geographical boundaries, said Mrs Teo, who is also Minister-in-charge of Smart Nation and Cybersecurity. If nation states do not cooperate in areas such as exchanging information on cyber incidents and plugging legislative gaps that criminals using ransomware are taking advantage of, "we will continue to find it very difficult to get on top of the game", she added.

The WEF had flagged widespread cybercrime and cyber insecurity as one of its top 10 global risks in the 2023 edition of its Global Risks Report released last week.

Mrs Teo said the world today is very dependent on IT systems and operational technology (OT) systems that control industrial equipment and processes.

She cited how a cyber attack on a hospital could mean patients are unable to get the right medication, as their records cannot be retrieved. An attack on an air traffic management system would have horrific consequences, she added.

Mr Oyvind Eriksen, who is president and chief executive of Norwegian industrial investment firm Aker ASA, said his company had previously paid more attention to cyber attacks on IT systems than to those on actual operating systems.

The biggest risk today to Aker - the second-largest oil and gas producer in Norway - is hackers taking control of critical operating systems, which would have major safety, environmental and even financial consequences, he said.

On how to counter such threats, cybersecurity expert Robert M. Lee said governments need to collaborate with industry players and not simply dictate how to improve security.

"When we try to bring our biases of what works in IT security and try to apply it to these operational technologies, you're going to get a lot of money spent and not a lot of return," he added.

Mr Lee, who is chief executive and co-founder of industrial-focused cybersecurity firm Dragos, held up Singapore's Cybersecurity Act as a good example of collaboration.

The Act, which came into force in August 2018 and is currently under review, defines who is responsible for the cybersecurity of critical information infrastructure in crucial sectors such as water, energy and healthcare. It also includes a code of practice for operators of critical infrastructure, to improve their cyber defences.

"Also, we must understand that even the software vendors, and everybody else, love their own software. It's probably the least important part of it," Mr Lee said. "It's always going to come back to having smart humans, because you're talking about human adversaries."

As to funding cyber defences, Mr Lee said companies need to find out whether they are devoting resources where these are most needed. "When I go speak at boards... it's often surprising to folks just how much they're spending on the website and not the gas turbine system."

Mrs Teo said defending IT or OT systems will not come cheap. However, businesses cannot think of cybersecurity only in terms of cost; they must also consider how it affects their competitiveness, she added.

"If your business goes down, you do lose a lot of that revenue. If your reputation is gone, for certain businesses, it is very hard to recover," she said.

"If you're a bank, and your customers have lost money because you failed to secure the systems adequately, who dares to bank with you? That's going to be an even bigger cost."


Royston Sim

The Straits Times