February 24, 2023
Resilience, regulation, and standardization emerge as core levers for global cybersecurity.
On the eve of the 59th Munich Security Conference, senior private and public sector leaders from around the world gathered at the Munich Chamber of Commerce for a side-event to reflect and agree on the future of cybersecurity.
Over the course of last year, cybersecurity proved how its borderless, fast-moving nature challenges nation-states and companies of all sizes. In this context, the agenda of the Munich Cyber Security Conference 2023 aimed to answer the question, “Who is in Charge? Dealing with Blurred Lines of Responsibility.”
Cybersecurity lessons learned from the war in Ukraine were a common thread in many conference contributions. And with the benefit of hindsight, a year after Russia’s invasion, a number of speakers chose to highlight positive facets: while remaining a challenge, the future of cybersecurity appeared at least manageable to attendees as long as more work gets done in the months and years ahead. The war and its reverberations in the cyber sphere have yet again underscored the importance of three pillars for effective cybersecurity: standards, resilience, and cross-border collaboration. It is safe to assume that these three aspects will more evidently inform regulation and underpin decision-making at the highest echelons of government and industry going forward.
The key takeaways summarized below are based on panel discussions and bilateral talks with attendees on the sidelines of this gathering, which brought together government officials from the United States, the European Union and its member states, and heads of security from large international corporations.
A Regulatory Shift
Speakers and panelists agreed that when it comes to cybersecurity regulation, less is not more: more ambitious and more standardized regulation is what the industry should expect in the next few years. Representatives from the U.S. and the EU also reached consensus that these regulations must be devised in close collaboration between the public and the private sector, so that they can appropriately mirror business and societal challenges – as is the case with incorporating open AI and quantum criteria – and can be implemented effectively without creating inefficiencies and unnecessary cost.
To this end, several speakers highlighted the risk of discrepancies between various regulatory approaches and urged that new regulations be devised, and/or existing ones amended, with an eye on the international nature of common challenges and the reality of the private sector.
A clear example of this quest to provide solutions to existing challenges was embodied in the three focus areas (call-to-action) that the newly appointed Acting National Cyber Director of the U.S., Kemba Walden, shared with the audience, summarized as follows:
- Shift responsibility from users to producers – companies will have to bear more of the cybersecurity responsibility.
- Incentivize long-term strategic investment in cybersecurity capability and training.
- Harmonize the regulatory framework for and with the industry.
At the EU level, the Head of Cabinet for the European Commission Vice President, Ms. Despina Spanou, emphasized “security by design” as a key direction for regulatory developments to come – everything that goes to market (soft- and hardware, systems) must be secure by design. The challenge, she admitted, is finding enough talent to implement and enforce new regulations. The need to upskill people at scale, in the private and public sectors, is critical at this juncture and a pivotal part of making this – and other – cybersecurity regulations work.
Investment in Resilience
One of the key lessons learned from the year-long war in Ukraine is the need for more investment into cyber resilience. Resilience is the product of years of preparedness and testing. It entails a steadfast commitment to building capacity and training people who are at the core of achieving resilience, especially during times of stress.
Multiple panelists discussed the potential for more conflict, highlighting the importance of continuing to invest in resilience programs that focus not only on technology, but also on the people who operate, protect, and defend the systems that protect their organizations and societies.
In addition, the Deputy Assistant Secretary of Defense for Cyber Policy at the U.S. Department of Defense, Mieke Eoyang, asserted that conflict needs to be incorporated in every organization’s risk management framework.
Government and industry must share a collective will to build resilience, awareness, and preparedness.
The panelists continuously highlighted the need to harmonize cybersecurity standards and develop new software that is secure across the board. There was consensus around the digital interdependence that underpins today’s global economy and its associated risks and opportunities. These common challenges are not exclusive to the U.S. and the EU; they also include the Global South.
International standards that provide clarity and consistency across the board can lower the cost of doing business and encourage investment.
AI is an excellent example of this need to drive an international standard, and to ensure a responsible and ethical use that does not pose more cybersecurity risks. Popular AI chatbots have shown enormous potential to deliver at speed, but they can also be used by criminals, for instance, for sophisticated phishing attacks, malware code-as-a-service and to launch a plethora of disinformation campaigns.
The Bottom Line
Global cybersecurity is at a critical juncture and corporations will increasingly be tasked with responding accordingly. With far-reaching and shifting regulations, a proven need for resilience and preparedness, and the interdependence of digital ecosystems, organizations of all sizes will need to rely on internal and external experts who can coalesce and anticipate the rising needs in this space to help proactively prepare for upcoming regulations and cybersecurity crises.
 Adam Janofsky, “European Commission’s Despina Spanou on why cyber officials must ‘learn lessons from crises’,” The Record (August 19, 2022), https://therecord.media/eu-commissions-despina-spanou-on-why-cyber-officials-must-learn-lessons-from-crises/
This article was co-authored by Adriana Villasenor and Oliver Mueller.
The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.