"Cybercrime has become a scalable, highly profitable global industry, driven by platforms, toolkits, and organized networks that operate like businesses.
The challenge is no longer just prevention, but disruption. Can we make cybercrime harder to scale, harder to monetize, and less viable as a business? This session explores how companies, governments, and regulators can work together to target the economics of cybercrime, disrupting financial flows, reducing incentives, and increasing the cost of attacks. Moving beyond reactive defense, the discussion examines what it will take to build a truly coordinated, cross-sector response."
00:46 Hello to all, great to see you for another session at VivaTech on one of the most fascinating
00:53 topics at VivaTech, which is cyber. And today we are going to talk about actually one very
01:04 important topic in the whole subject because that's the lifeblood of cyber security issues,
01:11 the lifeblood of cyber crime. We're going to check how corporates, governments and regulators can
01:16 break the business model of cyber criminals. And so to do that, so first I'll present myself
01:27 briefly. I'm Guy Goldstein. I'm a lecturer at the School of Economic Warfare and I'm also an advisor
01:32 to PwC on issues around cyber security, cyber defense. And I have with me the great chance to
01:40 have a very distinguished panel, starting with Tal Goldstein. Tal Goldstein, you're the
01:48 head of strategy of the World Economic Forum Centre for Cybersecurity. You've helped actually
01:53 establish the Israel National Cyber Bureau and shape its national cyber security strategy.
01:58 And also as a former intelligence, you've been a former intelligence officer and a graduate of
02:02 the Talpiot program, which is a very elite school in Israel. Also with us, we have Nicole,
02:11 Nicole Carignan. Nicole, you're the Senior Vice President, Security and AI Strategy,
02:17 Field CISO for Darktrace. You are an expert in safe, responsible AI for cyber security,
02:24 and you bring 25 years in data science and threat intelligence, including 20 years in US
02:32 intelligence and defense. And actually next to you, we have a very esteemed guest,
02:38 Despina, Despina Spanou. You are the Deputy Director-General in the European Commission in charge of
02:46 cyber security. You have been leading the European Union cyber and security program for the past 10
02:55 years, first as a director for cyber security, and also as head of the cabinet of the vice president
03:05 coordinating all EU security policies. And you're also, very important, the co-founder of the Women
03:11 for Cyber Initiative, which is actually one of the core issues in cyber: not having enough women,
03:17 so it's great that you have launched that. And then we also, last but definitely not least,
03:22 Clara, Clara Hensdorf. You're a partner in the tech and data practice at White & Case in Paris. You are a
03:30 technology and AI lawyer advising digital platforms on EU regulations, such as GDPR, the DSA, the Digital
03:39 Services Act, and NIS2. And you actually are active both in advisory and in litigation. And you're also
03:48 admitted in Paris and in New York. So great to have you here. And why is this topic actually so important?
03:59 You know, when you listen to the old musical Cabaret, money makes the world go round,
04:05 the world go round, the world go round. And so it does actually in cyber security. And actually to some
04:11 criminals, cyber crime is actually an excellent business. And I'll just give you two data points
04:17 around that, which themselves are striking and interesting also, I hope. First, ransomware groups
04:24 alone may have generated more than 500 million in revenues in their own pockets in the first quarter
04:32 of 2026 at nearly 40% year-over-year, according to Rapid7, which is an American cybersecurity company.
04:41 And then, and that's also very interesting, the median ransom payment fell last year to $115,000,
04:52 compared to $150,000 the year before, in 2024, according to the Verizon Data Breach Investigations Report.
05:05 So that, you know, begs a couple of questions. Either we, the defenders, because of course,
05:12 we are here with the good guys, are we actually getting somehow better? Or does the fact that the
05:19 price of ransomware goes down actually show that the market is expanding to smaller targets?
05:28 That's a big issue. And so to discuss all of that, we're going to indeed go into this fascinating
05:37 world of cyber crime as an industry. So actually, what does it mean? Why should we think of cyber crime
05:48 as an industry? And, you know, what does it tell us about how we should fight it? You know, let's
05:54 actually do a round robin on this big question. And let's start actually with you, Clara.
06:01 Well, obviously, cyber crime is an industry, as you said it: they make money, they make tons
06:06 of money, and they reinvest whatever they receive, they have a supply chain, because they do
06:13 have a lot of providers helping them implement the cyber attack or launder the money. So obviously,
06:21 it's important. In addition, when they ever get dismantled, because it occurs sometimes,
06:29 they survive. I mean, they adapt, they react, they are not erased from the map. So they go
06:36 to different platforms, and still go on, maybe adapt their model as well. So that's why you can see
06:43 it's really an industry, not just a tech issue, an economic issue. And as Nicole said on the
06:50 previous session, it needs an economic solution. Meaning, if you want to fight this industry, you will need to
06:58 basically cut the profits, raise the cost, raise the risk for them.
07:04 Okay, and we'll go into that, evidently, in this session. Nicole, you've just been mentioned by
07:10 Clara. What are the elements you can tell us about the growth of that industry?
07:16 I mean, year over year, it's becoming a larger and larger economy, just the financial return on
07:22 their investment. And so right now, it's estimated to be third behind the US and China. And it's because
07:28 it is a very profitable model. And they actually know how to get the return on investment for their
07:35 efforts. I think about specifically in the US, they know where most organizations are incorporated.
07:40 That's Delaware; they do massive data surveillance there, they understand the regulatory gaps,
07:45 they actually play into the regulatory pressure in order to achieve their economic models. And it also
07:52 becomes a financial evaluation game, even from defenders, as to how much do they invest in
07:58 cybersecurity if payment is cheaper versus... And that is actually in the benefit of financially
08:06 motivated threat actors in order to achieve their goals. We're also seeing a lot of shift to critical
08:10 national infrastructure, OT or operational technology environments and ICS environments. And that is
08:16 because of this urgency that it requires in order to demand payment. And so moving from a model of
08:25 originally encryption to data exfil and extortion and double extortion to now disruption. And really,
08:33 the threat of disruption. And a great example and use case for that is Jaguar Land Rover. And showing
08:39 how much of a pain point that was to an organization and, you know, I think it was over a billion loss.
08:46 Moving on that, Despina, indeed, from the European Union standpoint, is there also an
08:56 understanding, and to what extent, that indeed it's a business and perhaps in some ways we should think
09:01 about it as a business and perhaps we could stop it as a business? Absolutely. So in the European Union,
09:09 we are fighting cybercrime on multiple levels. We should not forget, as always, the law enforcement
09:15 side. And that has a great role to play. We have Europol, the European law enforcement agency,
09:21 that has a very competent cybercrime center with some 150 people and agents from across the world.
09:28 And I think what we need to see is more deployment of technology for them because they're already
09:33 taking down a lot of important networks of cybercrime. But I think we need to equip them with even more to be
09:39 able to go larger when it comes to taking down cybercrime. But that's the ex post. The question
09:46 is, what do you do ex ante? What do you do to prevent cybercrime from spreading? So in the EU,
09:51 we have a European cybersecurity agency that studies our threat landscape and we know that ransomware
09:56 continues to be the number one type of incident. The oldest type of incident continues to be the number
10:02 one. It shows you that we cannot fight it. What we can do is to start thinking like them and to see
10:10 how we're going to deal with them. And I think we haven't seen the worst of it yet. Because in Europe,
10:17 we have an extra problem. Some 80 to 90 percent of our cybersecurity world is SMEs, small, medium-sized
10:24 companies. And that applies to the rest of our business world. We have a lot of SMEs in Europe.
10:29 And SMEs don't always have the means, the know-how, the culture to have a cybersecurity sense.
10:36 So we need to give them the incentive, which we have done through European legislation, to meet
10:42 cybersecurity requirements as much as larger firms do. And we need to give them help. We have recently
10:48 proposed the creation of a help desk that will be supported by Europol and ENISA, so the cyber agency
10:54 and the law enforcement agency, that will allow companies to address themselves there for help.
10:59 So this is a bit, again, on the ex post. When it comes to the ex ante, we are before a huge opportunity
11:05 because with AI and especially now agentic AI, we have seen that this aids a lot cyber criminals.
11:14 It proliferates cyber crime greatly. And I think Tal also has a lot of input on that from the World
11:19 Economic Forum. But I think that there we need to catch up. Because so far, we have seen that AI
11:28 agents have been able to be converted from just being the means to being the actual vehicle. We have
11:34 seen that even the largest AI companies have had their own agents carry out cyber attacks by themselves
11:40 without them being able to control it. So I think the race on the security of frontier AI that we are
11:48 all discussing now, and I think it dominates also VivaTech these days, it dominated the G7 discussions
11:54 earlier this week, I think the key is there. Because we need to start using these models for cyber crime
12:01 ourselves now. It is our turn. Because so far, it is them who have the advantage. We need to move from the
12:07 defenders to the defenders. So indeed, and by the way, there was a fantastic panel with Nicole
12:12 yesterday precisely on that. So indeed, lots of echoes between them. One thing that you said that
12:18 struck me, Despina, was the fact that we need to understand to some extent those cyber criminals. So
12:25 question to you, Tal. What do we know about them? How are they structured? And we're talking about
12:33 an industry, their structure also as a business. Great. Thank you. Thank you very much. And
12:39 I'll start where you asked, by the way, why it's an industry. First of all, important to mention that
12:44 when we look at the revenues of the cyber criminals, it's probably higher than the whole cyber security
12:50 industry, which tells us it is an industry by scale. But most importantly, as you mentioned, by the way that
12:57 they are working, they're getting much better because they specialize. They have different elements
13:02 in cyber crime with different specialties, whether that's developing malware or getting access to networks
13:10 or monetizing the access. So different elements, which make them much harder for people that are
13:17 fighting cyber crime to deal with. Because if you take just one element, you are not solving the problem.
13:22 You need to deal with the entire network. You need to find the choke points. And to do that,
13:28 we need to work together collaboratively. The second piece that we need to keep in mind,
13:34 that right now, criminals, cyber criminals are not facing sufficient risks. So they work relatively
13:41 openly, which gives them freedom to work like an industry, to work like a company. And one of the most
13:47 interesting use cases, four years ago, a group called Conti, which used to be one of the biggest
13:53 ransomware groups, following the war in Ukraine, there was a split in the group between the pro-Russian and
13:59 pro-Ukrainian, which led to a leak of information from inside that group. And several companies like
14:06 Check Point, ClearSky, analyzed that data. And what they realized is that this group is working like a high tech
14:12 company. They have an R&D department, they have a marketing department, they have an HR department.
14:18 And one of the things that they are doing is going out, finding talent, getting them into the organization as
14:24 if it was a legitimate company, a high tech company. And then with time, they get them into the less
14:31 legitimate activities. And this is something that we, on our side, need to face. We need to look at the
14:37 human side of the criminal. We need to raise the risk on one side, but also to raise awareness
14:42 of the illegitimacy of those activities. Very fascinating point. Let's perhaps probe a little
14:49 bit into that, in terms of the scale and the value chain of that industry. Nicole, to some extent,
14:57 how professionalized is that value chain? And also, as you mentioned, AI, what is AI now doing to the
15:05 economics of the value chain? I wanted to make sure that wasn't me. Yeah, it's actually quite
15:11 professionalized. I mean, it's run like a corporate operation and really maximizing their return on
15:17 investment. And so a lot of these financially motivated threat actor groups have compartmented
15:24 programs based on specialty. So they have initial access brokers, those that are doing data collection,
15:30 surveillance analysis as to what is the best or easiest way into an environment. That might be
15:35 a vulnerability as a result of the use of a frontier model or a large language model,
15:40 but it also might still be an identity compromise or a supply chain risk that we have in SaaS and cloud.
15:46 And so really trying to find the most efficient way in. Once they're in, how do you maximize lateral
15:52 movement and get to achieve their objective quickly? They're going to augment that. And so it's going to be
15:57 a lot faster when it comes from a speed to scale. And so it has, they're becoming more professionalized
16:04 in harnessing this AI adoption in order to be able to achieve their goal quickly and efficiently.
16:10 We as defenders also have to have that same model in order to break it. So the first most critical
16:15 component that I would say that everyone needs to get on board with is autonomous containment and autonomous
16:20 response. Make it more difficult. Put more friction in. Apply more pressure to them so that they have to
16:26 dedicate more resources, may they be AI tokens or may they be human labor. Ensure that you're putting
16:32 more cost on them. There's a whole bunch of other ways that you can also do that, specifically defense
16:36 in-depth strategies, behavioral-based detections, insider threat profiles, changing your SOC operating model
16:44 in order to respond more quickly, both autonomously, but also in remediation. But then there is also an
16:51 element of, we can make it more difficult through deception technologies. Waste their time. That is also
16:57 putting more burden on them. I also appreciate a good hack back. I know that most organizations legally
17:04 don't want to assume that risk. But if we want to talk about more quickly, effectively taking down
17:09 infrastructure or even being able to provide more intelligence for charging or bringing more risk
17:19 to the individuals and the organizations themselves, I say let's do it. Okay, well I can hear the former
17:24 US intelligence person talking here, which evidently a hack back is one way to go. We'll see about the
17:30 legal provisions to that. In terms of scale, and that question to you, Tal, from the World Economic Forum,
17:38 so we heard already a lot of figures, but some of them I mentioned, you know, 500 million
17:44 for ransomware revenues in that first quarter. Nicole, you mentioned something like 10 trillion,
17:51 which could be to an extent the cost to the world economy, damages. Tal, you actually mentioned that to
17:57 some extent cybercrime was close to or beyond, as I understand, you can correct me, the investment
18:06 that we see in the cyber security industry, which I believe is between 200 and 250 billion a year.
18:13 What do all those numbers tell us? Are they all clear? And what does it mean in terms of the scale
18:20 of that industry in data? So it's a very challenging question, and unfortunately there is no clear answer.
18:28 So we don't have the data. Cybercrime is overwhelmingly underreported. While we are all aware that cybercrime
18:36 is there, that anyone can be a victim, there is still a lot of shame, unfortunately, and therefore
18:41 crime is not reported. It's also very global, and we don't have enough sharing of information between
18:48 countries on what they actually see. Ransomware, we have a bit more information because it tends to be big
18:54 companies. But then when we go to trends like cyber-enabled frauds, which are becoming bigger
18:59 and bigger, and right now there are some estimations putting that nearly at a trillion dollars,
19:05 it tends to focus on small organizations, individuals, and then the reporting is even lower.
19:11 So we don't have a very good picture, but whether that's one trillion or 10 trillion, it doesn't really
19:19 change. It's still on top, one of the top, and Interpol is also sharing that, as a criminal industry.
19:26 It's one of, if not the top, one of the top industries in crime. And it's not, unfortunately,
19:32 we are not investing as much. When you look at law enforcement, we look at efforts by governments
19:37 and companies, we are not yet there in investing as much. So I think we already know that it's on top,
19:45 and we need to invest accordingly. So cyber has disrupted the old traditional
19:51 criminal industry to some extent. And I'll stay with you, actually, Tal. And though we put on the table,
19:59 again, lots of money, perhaps $250 billion a year in the whole cybersecurity investment,
20:05 it seems that indeed, you know, criminals do stay ahead. I mean, even Despina, you mentioned that
20:10 perhaps we may see darker days ahead. So simple question to you, and actually then to Despina,
20:18 is how come, why do criminals still stay ahead?
20:23 Yes. So, unfortunately, yes, that's the case. And we are getting better. Defense now is much better
20:30 than what it was five years and 10 years ago. But criminals are also getting better. So there is a
20:35 cat and mouse. But the equation is not equal. So criminals, attackers, when they need to go into a
20:41 network, they need to find one path into the network, into whatever they are trying to achieve.
20:47 Defenders need to defend everything. They need to be good in defending from any possibility. So it's a
20:53 much more challenging task that defenders have. But to make it more challenging, what we are defending,
21:00 the landscape that we are defending is also changing all the time, right? We added cloud,
21:05 mobile, now we add AI. So we have more and more that we need to defend. So we need to keep getting
21:11 better. Well, from the criminal perspective, these are more opportunities in what they can actually
21:16 attack and how they can get more money. So it's a very challenging equation, which we need to make
21:22 sure that we are staying on top of. I think you mentioned the discussion yesterday, one of the optimistic
21:27 directions that AI can potentially change this equation. And this brings it to the last point
21:35 on this, that there is also the human factor. So if you look at how criminals, how hackers are working
21:42 from the very early days of hacking, one of the main things that they will do is not to hack necessarily
21:48 the system, the network. It will be to hack the human, the user, and find a social engineering,
21:53 find a way to convince a person to do something which is against their interest. And hopefully,
21:58 we'll have AI systems helping users avoid this type of attacks as well.
22:04 Yeah, let's hope, let's be hopeful about that. Despina, you know, same question to you.
22:09 You know, why do cyber criminals seem still to be ahead? Something that you kind of mentioned, actually.
22:16 Because we allow them. You fight crime by more security. It's as simple as that. So let's talk
22:23 about the corporate level. In the EU, we have set up so many rules for critical infrastructure operators
22:30 that require them to meet the highest standards of cyber security requirements for their systems. It is
22:36 time for these rules to be implemented by default. And we are now trying to simplify them by having a unified
22:43 system for all 27 member states because a lot of CISOs come and complain that they have to apply 27
22:49 different forms. We now created a common template. So we're making it easier for companies to comply
22:55 with these rules because that will help them. This is for corporate cyber crime issues. Then you need
23:01 to help the smaller guys, as I told you, also by supporting help. Then you need to go down to the products.
23:07 As of next year, the Cyber Security Resilience Act will apply for every interconnected product that
23:12 circulates in the EU, which means manufacturers are obliged to meet security by design. That means
23:18 testing against cyber criminals, not making it easy. Implementing encryption, as you said. So we're
23:25 going down also to the market. And then I'd like to mention something that we have not yet mentioned.
23:31 The other side of cyber crime, humans. Today, you can buy cyber crime services for killing people.
23:39 You can groom teenagers to become murderers, to become thieves, to become criminals. And this is a
23:46 side we should not forget. It's not just about cyber crime as an economy, but also cyber crime as a real
23:53 issue for our society. So there, as European Union, we're really making a huge effort. All these
24:00 discussions around social media platforms, age verification, online fraud, we are now coming
24:05 forward with a specific act on that, the Digital Fairness Act. So I think we need to also battle
24:11 all these levels and our society needs to become more aware. And there, awareness is key. A lot of
24:18 cyber criminals manage to reach an organization through a simple phishing exercise. So we also
24:24 need to start feeling a bit more responsible and to find ways to reach people in a better way.
24:33 Very interesting point. Nicole, still on this issue, I mean, you're a member, a key member of Darktrace,
24:40 and we do see that indeed corporations, which is, I guess, a good thing, still continue to invest
24:46 in cyber security systems. And still, we know that the situation is not okay. So,
24:52 what's the logic there? And is it a question of not enough? Is it a question of not at the right
24:59 place or not the right provider? Not enough.
25:01 Perhaps also?
25:04 So we're really in an interesting aspect. I would say we actually saw a massive increase in cyber
25:10 security spending and investment in security operations. For most organizations, from resiliency,
25:16 risk mitigation, all the way into detection and response. But now we have organizations who are
25:22 reallocating their resources for AI adoption and AI innovation. And I do a lot of advisory capacity and
25:31 consultancy capacity for both AI and security. I challenge a lot of the folks that I work with that
25:36 this is a board-level discussion where if they're talking about AI adoption, they should also be talking
25:42 about security and risk. As they're investing in AI adoption, they should also be investing in security
25:47 and risk. Because if anything, this is actually just an expanded attack surface that's easier for
25:53 financially motivated threat actors to get in. Because you have a more permissive, autonomous
26:00 system within your environment that has accesses that could easily laterally move, that is in some way
26:07 implicitly trusted because it's been installed and invited into your environment. And that can be
26:13 manipulated and misused in order to achieve their functions. And so it's really forcing the
26:19 conversation back to the boards to say, okay, let's invest in AI, but let's also invest in security and
26:24 risk. Let's make sure that those two are in tandem. I have so many organizations that I work with where the
26:31 security side has no idea what AI has been adopted within their environment. And that is something we
26:36 needed to fix yesterday. Because this needs to be really wrapped around it. I mentioned in the last,
26:42 I think, this new framework for cybersecurity framework for AI adoption is going to be key and
26:49 crucial in the many layers and controls that we need to be able to wrap around it. Because that is
26:55 the next prime attack surface for threat actors. We've already seen an example, thankfully, of threat
27:02 research, but end-to-end operations of autonomous agents attacking AI systems.
27:09 Fascinating. So I know that we're talking about cyber criminals and they're in here just to make money,
27:15 supposedly. Well, we know also that, you know, from time to time, we may have nation states, you know, harboring,
27:21 helping some of those cyber criminals. So actually, question to all of you, and let's do a quick round
27:28 robin on that. You know, how important is actually the geopolitical factor in this size of the cyber
27:36 criminal world? Is it something we do need to consider? Or is it just sort of a sideshow to people who are
27:44 actually in there just to make money? I know who wants to start. Well, let's go with you. Let's do a
27:51 round like this. Well, absolutely. Malicious actors use cybercrime also prompted by geopolitical
27:59 situations. Absolutely. And there are some state-sponsored actors that are very obvious that
28:05 we know they are behind major operations. Often operations also attacks on our critical infrastructure
28:14 with the aim of destabilizing our economies, our systems, our democracies, election systems. So
28:21 by fighting cybercrime, we're also fighting that level. I think that there we also need to get
28:27 better informed. But I think already our work puts a priority on fighting these malicious actors,
28:34 developers, but they are the most sophisticated. And I think this is where we need to up our game
28:39 with the use of AI as defenders in a much more focused way. And also finding a way to disable the
28:47 use of this type of agentic AI from cybercriminals. I think this is going to be key. And this is going to
28:54 take also international work, like-minded people talking to each other. How do you disable certain of
29:01 these tools from being reached by the state-sponsored actors? Interesting. Yeah, go ahead, Nicole.
29:07 I'm actually going to pull on what you said, because I think that's kind of key and crucial.
29:11 We've talked about private-public collaboration, but also international community collaboration,
29:18 especially for reciprocity for infrastructure takedown, as well as bringing charges to threat actors.
29:25 But there is an element of the infrastructure takedown that's taking a new light when it comes to AI
29:29 adoption. And how much can we push on those public-private relationships, especially into private
29:37 industry, to take an ownership and a responsibility in taking down infrastructure when it is being
29:43 misused in quickly autonomous capacities? Fully agree. For me, the public-private is what we do. And
29:54 I would like to emphasize to your question, I think in the past, we saw more involvement of certain
30:01 countries in cybercrime. It's still out there. And when we think about the geopolitical elements,
30:06 we need to think about cybercrime as part of that. But when you look at cybercrime today, it's much more
30:12 distributed. And we see cybercrime come from all countries around the world. Much of that is actually
30:19 coming from countries in the global south that would not have the capabilities on the country
30:24 level to deal with that threat. So a big part of what we need to think about is not necessarily
30:30 countries that are not collaborating, but countries that don't have the means to deal with cybercrime.
30:35 And we need to work together with them. Interpol is doing a great job together with the Forum Cybercrime
30:42 Atlas. We are bringing companies to help Interpol in collaboration in different regions to help local
30:49 law enforcement to understand the criminal actors and find ways to deal with them. So I think this is
30:54 something that we really need to put a focus on. Okay. So also thinking about some other countries
30:59 that we may not be top of mind. Still, I mean, we talked about sophisticated attacks. Clara, you are,
31:04 you know, from the Paris standpoint, have you actually, most of the cyber attacks that have plagued
31:11 France over the last, say, 12, 24 months, were they really originating from very sophisticated
31:19 actors or, say, like the thing, the teenagers that could hack? Well, we've seen it. It could be from
31:27 nation, you know, nation states, say, far more protected, but it could be also from a teenager. We've seen
31:32 recently in France, many cyber attacks that have been carried out by teenagers. And that doesn't make
31:39 the attack less impactful. Obviously, it costs millions to companies. So that's why we focus on
31:48 geopolitical. And that must be the case in most cases. But not only, we really need to see that it's
31:54 independent as well, could be any age. Now, the technical barrier is as low as possible. We mentioned AI.
32:02 And there is this huge asymmetry here, because, you know, attackers, they use AI, they don't care. It's easy,
32:08 it's scalable. While companies, they need, at least in Europe, to comply with very strict rules. It's not an easy one.
32:15 Like every regulation that, for example, Despina mentioned, those are here, but they are costly.
32:21 They take resources. They take time. You need to be compliant on every point where the attackers
32:26 really don't care. I mean, they just need, as Tal said, one point of entry.
32:31Very clear. So we have now 10 minutes to, as we discussed about the problem, to solve it.
32:37So let's go through kind of quickly, if you may. Let's start with you, actually, Despina, from the EU
32:43standpoint. So what are the measures? And you mentioned always a bit of them, but now let's go.
32:48What are the measures that the EU is putting in place to respond to all those changes? And what is
32:54the
32:55EU value added to that agenda? EU added value is that we manage to bring solutions that help companies
33:05in 27 countries deal with problems in one way. So this is the internal market way. Plus,
33:12we add resources through our agencies. So in the coming months, we will start discussing a revision
33:19of the mandate of our European law enforcement agency, and their cyber crime will be a very big
33:26issue. How do we equip them with technological means without compromising encryption, but allowing
33:33them to interfere and to stop cyber crime at its root? So that's something that we are now discussing with
33:40the colleges later. At the same time, we're discussing the revision of the Cyber Security Act,
33:46where the Cyber Security Agency will have an enhanced mandate to deal also with issues linked to
33:52ransomware and big cyber crimes. As I mentioned, we proposed even a help desk for companies. So we're
33:58looking at very practical measures that would be of added value to what member states are already doing.
34:04Because the problem with all these security issues and cyber crime is that nobody has enough
34:09people. Nobody has enough people. I want to also mention something else. Cyber crime has a particular
34:15parameter that is linked to the problem of cyber security skills gap that we have in Europe and across
34:21the world. We need to bring professionals from other fields to deal with cyber crime. Because beyond
34:29protecting systems, it is also about what we mentioned earlier, understanding cyber criminals. So you need
34:36more law enforcers, more justice people, more psychologists. So we need to understand cyber crime.
34:45And we need to go to the source, as I mentioned. So we need measures across the board for the society,
34:51for people who do not understand yet cyber hygiene, and that may open the door to criminals. So we're
34:58enhancing all that through the EU Cyber Security Skills Academy, by trying to attract more people in. This
35:04is part of the efforts like the Women for Cyber that you mentioned. So this academy has projects already
35:10that will help in this direction. Last but not least, I will come back to the issue of the frontier AI models.
35:16I think this is the train we cannot miss. Because right now, the attackers are using it
35:24indiscriminately. So they go at machine speed. We still go at human speed, even when we use these models.
35:30So we need to see how to cover this discrepancy. And I think this is the challenge. AI could be the solution
35:38to minimize cyber crime as much as we can. And I think this is a train we cannot miss.
35:43I think we heard echoes of that. So we talk about technology, we talk about the skill gap, which is
35:50an incredibly important thing. Let's talk about the legal aspects, also. And this is to you, Clara, in terms of
35:57the legal frameworks and the limits of those legal frameworks. I mean, what are the big regulatory blind spots that
36:07we still have today? And in a few minutes, how can we fix them?
36:13Well, we have a comprehensive set of, you know, legal regulations. Despina mentioned those, some of them.
36:19But we have NIS2 or DORA for the financial sector. We also have the Cyber Resilience Act.
36:27But those regulations are important because they push companies through IT hygiene. And it is key to be prepared.
36:37And we mentioned, you know, tech people. But these decisions must be taken at board level.
36:44And that's why these regulations are key, because they put personal liability on governance, you know,
36:50on directors directly. They need to take decisions to allocate money. They need to supervise, you know,
36:57all these security maps. And they need to have this strong notification process.
37:05The CRA, the Cyber Resilience Act, is a good thing, because it shifts the burden. Because with all of that,
37:11companies, they pay the money when you have a ransom. They pay the cost of being compliant.
37:16And nothing on the attackers. And with the CRA, it shifts the burden, because it is the manufacturer that now,
37:23including, you know, digital elements, that needs to be in charge and liable for any vulnerabilities.
37:31The limit there, we already touched base on that a little bit, is the fact that the law is territorial.
37:37So, you have laws in Europe. But these attackers, they are not in Europe. Not always.
37:44How do you reach them when they are in a country where they are protected?
37:48How do you reach them where the countries do not cooperate?
37:52We do have international cooperation. But this is not an obligation. This is just, you know,
37:57cooperation to the extent the countries want it. And the second limit would be, we have obligations on
38:04these actors. We don't have obligations on all the intermediaries that allow these attackers to work.
38:12Cloud providers, other ISPs. In the financial sectors, you have, you know, this know your customer
38:18obligation, you have to screen, et cetera. You don't have that on these intermediaries,
38:24which makes it easier for attackers to work, basically.
38:28Indeed. Okay. So, we still have four minutes to fix the whole, you know, let's break the business
38:34model of cyber crimes. So, this is a question to you. But actually, I may stay first on you, Clara,
38:40on how we make them unprofitable, how we make this cyber crime all of a sudden losing money,
38:47if we could. And starting with one quick question, which is, well, should anyone pay the ransom or not?
38:54As ransomware is a critical lot. So, let's start with you and then let's go with Tal and Nicole
38:59and Despina, of course, on this issue.
39:01We mentioned at the beginning, I mean, to cut the model, you need to cut the profit. So,
39:06to the question, should we pay? The question should be no. And that's the trend you have in multiple
39:11countries. In the UK, for instance, you have a consultation on the fact that for public sectors,
39:17it's absolutely prohibited from paying ransom. In private sectors, you will need to, you know,
39:23to notify before. Australia has also adopted this kind of law. And in France, when you want to
39:31be insured, you need to file a suit first. So, you can see the trend that is not, do not pay.
39:38And, but, you know, in practice, it's kind of easy to say that. And that's why, to this decision,
39:44you know, should we pay? Should we not pay? That should not be a decision to be made on the spot,
39:49because you're under pressure, urgency, you know, the stress of losing all your business. So,
39:55that's why the key attitude is to prepare that, have a policy, decide this, you know, much more in
40:03advance with your board. Should we pay in this case or should we not? And not to leave it to a single
40:09individual on the day you have this cyber attack. Okay. So, think ahead with the board. Nicole,
40:15still around this issue of, you know, how we break the business model of cyber crimes. How do we do that?
40:23I think there are multiple layers that we've all kind of touched upon. So, at the corporate level,
40:28there is an ownership and a responsibility to ensure that they're investing in security and
40:34defense in-depth strategies in order to break the really profitability market or of cyber crime.
40:41Then there is the element of how much information do they disclose? And obviously, that's been up in
40:46debate for the last several years. And in the U.S. right now, it's day three. That isn't sufficient
40:52information. So much more information comes out after that. And that actually helps with being able
40:57to defend against other similar type attacks. Then there's the element of that information and
41:03organizations like the World Economic Forum and EU Commission, as well as NCSC and CISA and other
41:09government bodies building up a behavioral-based threat intelligence framework that is agnostic to vendors and
41:16technology that's shareable that can actually help to detect earlier on some of these
41:23offensive attacks and mitigate the amount of damage that could be caused, as well as
41:27the amount of money that could potentially be profitable. And so, ensuring that we're continuing
41:32to do that information sharing that's going to be best suited for the smaller companies as well as
41:37the larger organizations to be able to defend against it. And then very quickly, I wanted to touch on
41:41something that Clara also said, which was really, where do we put responsibility on those
41:47intermediaries? Where do we put responsibility on infrastructure in order to lock down and ensure
41:53that their technology, their infrastructure is not being utilized in a cybercrime operation and to be
42:00more collaborative in that process with the public entities?
42:04Very clear. Tal, same question. You know, let's put it, you know, as we have very little time now,
42:11to really, what is the one thing, the one level we should do?
42:13I'll make it quick. We recently published a report on what we call systemic defense.
42:18We need to be more systemic in our approach against cybercrime. We talked about
42:23infrastructure of criminal taking it down and sharing information. But one thing that I want to put,
42:28emphasize, is that we also need to be more systemic in the way that we protect users,
42:33especially SMEs and individuals. We need to shift the burden from the victims,
42:41and then find ways where we can protect at scale in a systemic way. Belgium, for example,
42:46is doing a great job in protecting citizens from phishing. In India, there is a great initiative to
42:53protect citizens from malware on their mobiles. Companies like Google and Microsoft are doing a
42:59good job in this as well. So we need to be more systemic also in how do we protect every user. And
43:06just like we think about clean water, we need to think about a clean use of the internet.
43:11Very clear. And last words for you, Despina. What is the one level, one thing that can be actually
43:16probably, you know, action at the EU level to break the business model of cyber crimes?
43:21I think one thing is really hit cyber crime hard. You know that in some countries,
43:27cyber penalties for cyber crime are not as high as for regular crime. That has to stop. We need to
43:33go really high. And I think that's already going to help a lot. The second thing on the ransomware
43:39payment, I think before we get there, because it's going to be difficult to do that, we need to start with
43:46reporting obligations. I think it's very important to know when companies decide to pay. So we need
43:51to start creating a culture of sharing the info and transparency so that we learn from that and we get
43:57better. Fantastic. So you see, let's go high, let's share, let's think ahead and somehow it will be solved.
44:04Thanks a lot. Thank you all.