Cybersecurity: expert calls for digital social contract (#13)
Show notes
In this episode of Swiss Cybersecurity Days, Tobias Bolzern talks to Nicolas Mayencourt, CEO of DreamLab Technologies, about the evolution of cybersecurity. Nicolas explains how the technology has evolved from a niche to the foundation of our society and emphasises the need to close security gaps in the digital infrastructure. He criticises Switzerland for acting too slowly despite the discovery of millions of vulnerabilities and reflects on the risks posed by foreign cloud providers. For the future, he calls for more secure technologies and a digital social contract that regulates rights and obligations in the digital space.
Show transcript
00:00:00: Welcome to this special episode recorded live at the Swiss Cybersecurity Days in Bern.
00:00:16: I'm Tobias Bolzern and today I'm joined by Nicolas Mayencourt, founder and CEO of DreamLab Technologies.
00:00:23: Nicolas is a pioneer in cybersecurity and has been shaping the field for decades.
00:00:29: From his early days as a young hacker to building global security standards, his insights into
00:00:35: digital threats and solutions are invaluable.
00:00:38: In this episode we will dive into the evolution of hacking, the growing cyber threats and
00:00:43: what it takes to build a secure and self-determined digital future.
00:00:47: What challenges do we face?
00:00:49: How can businesses and governments take responsibility?
00:00:53: And how can we protect ourselves in an increasingly digital world?
00:00:58: Let's get started.
00:01:03: Nicolas, welcome to the show.
00:01:04: Thank you, lovely being here.
00:01:06: If you were to look at the first code you ever wrote, what would you think today?
00:01:12: That this was an inspiring and amazing personal moment to interact with the machine on machine
00:01:19: language level.
00:01:21: This actually defined my trajectory as a person and I just still am driven by passion about
00:01:31: technology and what this actually sparks in my mind is of course the picture of a young
00:01:40: human boy that has fun on a technical level, has fun being creative and innovative and
00:01:47: doing things without any limitation and conquering a new field, a technical field and at the
00:01:55: very same time it of course sparks the memory of the last 30 years I've been doing that
00:02:01: and what I see is that on one hand technology is moving fast and slow at the same time because
00:02:07: on that pure machine assembly level language not a lot has changed in the last 30 decades
00:02:14: but the whole environment has changed.
00:02:17: Whereas I would have seen myself as a technical worker 30 years ago, I still am today a technical
00:02:23: worker but we are not serving technical needs, we are serving societies.
00:02:29: You mentioned in your report Cyberspace Switzerland that over 2.4 million potential vulnerabilities
00:02:38: in Switzerland's infrastructure were discovered.
00:02:41: Which of those do you consider particularly critical?
00:02:47: Maybe let's start with first pre-finding or meta-analysis, we've been doing that now
00:02:54: for years.
00:02:55: It has become a tradition that we do this yearly and one of the most striking insights
00:03:03: to me personally is that we haven't really improved.
00:03:08: The amount and the consistency and the gravity of the vulnerabilities that we have across
00:03:14: sectors in Switzerland remains roughly the same compared to the last year.
00:03:19: So we are not really advancing, we are not really rectifying, we are not really addressing
00:03:24: the problems as we should.
00:03:26: And that to me personally is one of the most shocking insights and varying insights that
00:03:33: we are not actually progressing as we should as a society.
00:03:39: I mean I see if I look further away from Switzerland, I see many countries have a clear cyber strategy
00:03:46: but Switzerland often seems hesitant.
00:03:49: Why is that?
00:03:50: Do we need more pressure, more awareness?
00:03:52: What do you think?
00:03:54: That's a very, very good question and we did actually converse and talk about that in different
00:03:59: formats actually the last days also it was publicly discussed on a panel and the reasons
00:04:05: to that and the drivers, I wish I would know them all so we could actually name it and
00:04:10: address it.
00:04:12: So to give the clear answer I don't know but I can actually guess a little bit what are
00:04:17: the driving factors that are making us not move too fast.
00:04:22: And I think it's also a global phenomenon but with Swiss specificities.
00:04:30: So first let me tackle the global part.
00:04:34: Yesterday we had a consensus on the panel and we took the automotive and the aero industry
00:04:43: as an example.
00:04:45: So the car, the vehicles as well as the planes happened to be actually pretty safe.
00:04:53: Flying is the most safe way of transportation but that hasn't always been the case.
00:05:00: Up to the fifties flying was actually extremely dangerous.
00:05:05: Many, many, many people needed to die up until a real security culture has been put in place.
00:05:12: A positive security culture has been put in place and each and every incident has been
00:05:17: analysed and has been shared across all industries and society and actually ended up in regulations
00:05:24: improving the safety and security of that transport method.
00:05:28: Today this is the safest way to get transported.
00:05:32: So this evolution may be missing and I fear and I don't like to say this but I fear that
00:05:41: we are not pained enough to take the right decisions and to actually start that journey
00:05:47: faster compared to other industries where we have seen that evolution happening already.
00:05:55: So we may be just at the start of this process whereas we do know what would be needed technically.
00:06:01: We do know what would be needed in collaboration on the policy level and governance level yet
00:06:08: we are not really taking bold moves and we are not progressing fast.
00:06:13: So yesterday on a public panel there was unfortunately and I dislike that fact but it may be true
00:06:20: was the consensus that probably human societies need more pain to get moving in order to actually
00:06:29: really direct the answer for Switzerland.
00:06:31: I also think it's a bit a mix of different factors.
00:06:37: We are a wealthy and safe country so we don't feel any pain.
00:06:44: Still we are moving a little bit that's good but not enough.
00:06:47: So this is actually the pain factor but there are other factors in Switzerland and it may
00:06:51: also be our system our federated system with the direct democracy which I by the way love.
00:06:59: I love to be Swiss and I love that system but it may not be favorable for a centralized
00:07:07: baseline hardened cybersecurity posture because that actually means that we need to have one
00:07:14: rule and apply it to all the nation and all the federations on the national level on the
00:07:21: continental level on the community level on the critical infrastructure level in order
00:07:25: to create a sound cybersecurity posture.
00:07:29: So one we may not feel the heat two our system of a federated nation may complicate things
00:07:42: and three there may be also a cultural element to it.
00:07:47: We as Swiss we tend to be perfectionists we are on time we appreciate high quality but
00:07:55: I believe you are not yet very good at coping with mistakes or failures.
00:08:02: We are not very receptive to messaging like we have a vulnerability let's fix it.
00:08:09: Usually we don't like that that's what I see in the Swiss culture that we'd rather
00:08:15: prefer to hear good news as everybody does but we're not so good yet at coping with
00:08:21: failures or mistakes and actually just rectifying them.
00:08:26: Another trend I'm seeing emerging is that Switzerland is increasingly relying on
00:08:33: say foreign cloud and security providers where do you see the biggest loss of control over
00:08:42: critical infrastructure if this continues?
00:08:48: much for that question. And that would be a question for a two hour conversation. I try
00:08:54: to make it as crisp and short as possible. You started with the term cloud, and we're
00:09:02: using foreign clouds. Now we have to visualize what actually is a cloud. I think the most
00:09:09: easiest way to put that, to make that understandable, it's basically your data on someone else's
00:09:17: hard drive. So basically what we're doing is you're putting our data on someone else's
00:09:23: hard drive. Now it turns out that the someone else is not within Swiss soil or jurisdiction,
00:09:30: which as a logical consequence means we are going to be depending even more and more on
00:09:37: the goodwill of the providers. Putting that in perspective with today's world and the
00:09:44: development, the geopolitical development and what we're seeing, what is happening globally,
00:09:50: that could be taking very, very high risks because the global, let's say, rules-based
00:09:59: world is disappearing more and more, is being stressed and challenged more and more, whereas
00:10:05: we see that a new, let's say, world order or a new power struggle is emerging, but it
00:10:13: isn't very clear who sticks to what rules and why, so I foresee this as an emerging and
00:10:20: big risk for us to take to actually park our data on somebody else's hard drive that happens
00:10:29: to be not in Switzerland. In other words, it also means that we at least partially submit
00:10:35: to foreign legislation, which is a direct contradiction to sovereignty. How can you keep sovereign
00:10:45: when your data is being governed by another jurisdiction? That just simply does not work.
00:10:50: So I do believe that we should deeply think about what we are doing and we should deeply
00:10:58: think about our risks and start to actually address them in a more strong way.
00:11:09: You've become one of the big advocates of cybersecurity. Cybersecurity is a very complex
00:11:16: topic yet sometimes it is on the mind because people still use passwords 1, 2, 3, 4, 5,
00:11:24: 5, what still drives you every day to get up and advocate for cybersecurity yet or still?
00:11:35: I can't help it. I was born that way. This is my life passion, so this will never fade
00:11:41: out. And what drives me, what drives me is what initially attracted me to this industry.
00:11:47: I do believe that with this innovation, society have the key in their hand to create a utopian
00:11:56: society. This technology can really help us a lot and fuel us and propel us to the next
00:12:03: level of evolution. And so this is my motivation to secure that development, to help to build
00:12:11: a sound cybersecurity posture to secure those innovations. And this will never leave me
00:12:20: resting up until we do that in a responsible and a secure fashion.
00:12:25: When you look back at this moment, let's say in 10 years time, what do you hope will have
00:12:31: changed fundamentally in digital security by then?
00:12:37: You're very well and good question. What would I hope would change? So there are different
00:12:46: layers to that. I think one on the technical layer, we have to overcome the cat and mouse
00:12:53: paradigm. We actually have to build true secure technologies. So the concepts that have been
00:13:02: driving the technology for the last 40 years, they were very good. They brought us to a
00:13:08: very, very big, impactful digital fabric. But they're fundamentally missing security
00:13:17: properties. And we have to build that and we have to overcome that paradigm. So I would
00:13:23: hope that we will take a next evolutionary step on the technical level.
00:13:28: Now, when I look at the businesses, humans and societies being built up on that digital
00:13:38: fabric, then I do hope that we can accelerate human evolution and that we can also go for
00:13:46: the next step and actually improve or evolve our societal contract to actually include
00:14:00: the digital. What do I mean by that? I mean by that that we have a society, we have laws
00:14:07: and we have a societal contract where every citizen, every individual has rights and responsibilities.
00:14:18: And that has worked very well for the last century in Switzerland. But now we have this
00:14:24: digital house, which is changing things. And so I would hope that we will start having
00:14:33: a digital societal contract where it is clear what a person has as digital rights, but also
00:14:42: as digital responsibilities, how it comes, how do we treat privacy? How do we protect
00:14:50: our children? How do we educate for the future? And how do we actually assure that we also
00:14:56: have a cyber peace globally? And how do we assure that our products that we're using
00:15:02: on everyday basis can be employed in a responsible manner so we can actually live up our duties
00:15:09: of being conducting responsible business and having a responsible society? So that is on
00:15:15: the regulative societal layer. And the third one, I know that human evolution tends to
00:15:22: be in very long cycles. So we have, as human embodiment, evolved our thousands of years
00:15:31: and we have mastered the physical dimensions. But now our innovation that we have done 70
00:15:36: years ago, the digital, the internet, digital fabric is actually overwhelming us. We don't
00:15:43: have a sensory access to that digital fabric. We don't feel when our devices get hacked.
00:15:50: We don't feel when they're happy or unhappy. And therefore, we are disconnected by our
00:15:55: own innovation. So I hope that this today pure cognitive space will become a new normal
00:16:04: so that every person being connected to the internet actually consciously understands
00:16:09: what is happening and consciously understands where are risks and chances and what are these
00:16:16: persons, individuals, responsibilities in that digital space?
00:16:22: One final question to go full circle. We're an audio podcast so people don't see this.
00:16:27: You're sitting here now in a suit, still black, but do you also still wear black hoodies?
00:16:34: So I was just using that image. I do actually like hoodies. But the stereotype of the hacker
00:16:41: being in the cellar with the black hoodie and the pizza has long gone, has long, long, long
00:16:48: gone. If ever existed, we don't know. I personally like hoodies. I also personally like actually
00:16:56: doing things like every normal human does. I enjoy social contacts. I enjoy sports. I
00:17:03: enjoy culture. And so I do believe that we have to get rid of that stereotype. And so
00:17:08: I'm very happy about that question. I do also like black, but that just happens to be a
00:17:15: personal choice.
00:17:16: Thank you, Nicolas, for these insights and for being our guest.
00:17:21: Thank you so much.
00:17:22: And of course, a big thank you to you, our audience, for tuning in to this special episode
00:17:27: for the Swiss Cyber Security Days in Bern. If you enjoyed the discussion, don't forget
00:17:31: to subscribe. And until next time.