‘Cyberattacks lower warfare bar, rules key’

In an interview, Philipp Rosler, who served as the federal minister of economic affairs and technology, as well as the vice-chancellor of Germany between 2011 and 2013, spoke about the state of cybersecurity in an increasingly fragmented world and how this affects global collaborations across sectors. Rosler, who is on the board of directors of $3.5-billion Swiss cybersecurity firm Acronis, also highlighted the increasing role of governments in modern-day cyber policies and why security companies will need to collaborate with them, alongside adopting the right regulations. Edited excerpts:

How are major global economies progressing in cyber protection and policies?

Unfortunately, almost all regions are lagging behind in proper cyber protection because developments on the criminal’s end are way faster than at the common people’s, computer’s or infrastructure’s end. There is also not enough awareness among small and medium enterprises (SMEs) about accelerating risk.

We tend only to think linearly so we can make linear prognoses. We have no clue about accelerating such a prognosis, and that is a problem. One critical example is AI—while questions about the use of AI in mainstream cyberattacks came up only recently, AI tools are now accessible to almost everyone, including attackers. This leaves us without any protection, and both the number and quality of attacks are scaling up in a never-expected amount. This is true for every region.

We also have a geopolitical risk rising from nation-states driven by AI, which is even more difficult to defend against.

Would geopolitical conflicts compound our cyber risk, then?

Wars and conflicts are already moving to a more hybrid format. Warfare will increasingly begin with cyberattacks because this has a low threshold for any state. More importantly, for every nation, the basic technology needed for cyberattacks is already available. The threshold is way lower than sending tanks and troops, making ransomware attacks an easier medium—and it also comes with the added advantage of anonymity. This leaves us with tangible proof that we’re living in a high-risk environment.

Should the onus to build such defences lie with private companies, or can governments take the lead?

We need both. We need proper regulations in place, and not only national—but even global regulations. If not global regulations, because they’re quite difficult to put in place and align across nations, at least a set of global standards is quite important. Where private companies come in is that in such times, cyber protection of us as individuals, as well as companies and businesses, is crucial.

But with our internet being increasingly fragmented, is a common global standard even possible?

It is certainly fragmented, which is an ongoing concern in general—and not only for cyber protection. But that also means that global committees should not give up attempting to create global standards. Regulations cannot be the only insurance against cyberattacks, which means that we should sit together with multiple countries to decide the way forward.

Global cooperation on topics always starts with standards and subsequently ends up in regulations. We can, therefore, create a standard and discuss it at international forums. At a second stage, these recommendations can then be given into the hands of national governments to subsequently adopt them within national legal frameworks. This could be one way for all nations to get the best of every situation.

But regulations are only one step in the entire cybersecurity conversation—an important step, but not absolute. One key strategy would be to ramp up threat detection, which will improve cyber protection for every nation—even in the world of AI.

Do governments really have an understanding of the sophistication of technologies to be able to take the necessary steps in cyber security?

Governments do have an understanding of what’s going on and where the gaps lie, that’s for sure. What we do need more of, though, is public-private cooperation. Tech companies are obviously way more advanced and are defining the actual standards and opportunities of cyber security.

Public-private cooperation, in this regard, can accelerate government-level knowledge of cyber security, understand the present scenario, and where risks will lie in future for individuals and businesses within a nation. This will also help governments and ministers understand how to protect their own nation. For instance, Germany has a federal security institute in IT, which offers certificates based on cyber security standards. If any public or private entity wants to be a vendor for the government, they would be required to procure the highest-level certificate from this institute.

This unifies the level of certification and standards in cyber security, which was only achievable in cooperation with the private sector. The latter will always be faster at developing new technologies and tools and understanding future risks. Such a model would be important also for national administrations and policy-makers.

Does that mean that the EU’s spate of tech regulations is now adequate to handle cyber risks?

Cyber risk is overwhelming, and you cannot put it into the hands of only the public sector. Regulators can put in regulations by highlighting impending risks in order to motivate the private sector to put in place adequate cyber protection. This will need some time to happen, but it happens from the top down. The regulations are way better than others and not too bad for private entities.

These regulations aren’t just for IT firms — they’re also for legacy industries and their operational technology (OT) infrastructure as well. Numerous reports highlight that companies are using old software, which has been put out of maintenance by tech companies globally. It was okay to use old software before the internet because, say, a power grid didn’t need to be connected. Today, central distribution and control means that power grids are connected in the developing market. But they’re not protected even as they are digitized — which is what regulations can help enforce.

There is an increasing global and Indian concern that we don’t have enough skilled resources to fill up cyber security jobs, even as salaries are rising. Why is that so?

You need time to get skilled people in this field. In the previous decade, the Indian and global markets were all looking for coders. Today, every market is looking for coders, as well as cyber security experts with a specific area of focus on cyber security. This will need a few years to be developed, but we’ll get there because studies across enterprises show that by adopting the right cyber security tools and standards, enterprises can reduce losses from cyberattacks to one-third of what they are today. This will require them to hire the right professionals.