Decoding the Consequences for Cybersecurity Using the 4 SAFIRE Scenarios of the Future

Starting with the one who has the longer way into Frankfurt, with Sunil. You please welcome Sunil on stage.

Sunil, I have a problem, you need to help me out. I didn't find your bio, so you need to introduce yourself a little bit.

Sure, so I'm Sunil Yu, I used to be the Chief Scientist at Bank of America and spent several years there prognosticating on the future and actually putting it to practice as well. Well, that was a very short version. He's a book author, he invented a couple of concepts like the Cyber Defense Matrix, and I think he was also elected as one of the most influential cyber security people. When was it, 2020?

Anyways, alright. It happens so often to you. Welcome Sunil. And I also welcome a good old friend, Peter Lassig, now CEO of Commerzbank.

Peter, your CV I can do a little bit more offhand, because I know you from our time at Deutsche Bank, but you also work for other famous companies like KPMG, like McKinsey, Hypo for Einspank, where you also were CISO, and I think you are perfectly equipped to have that discussion with us. Thank you for joining.

Alright, the first question nevertheless goes to Jonathan again, because I really want to make sure that no one is in doubt here anymore. So, can you give us a good example where this scenario analysis helped someone really in practice? How many do you want?

Okay, I can give you, there's published paperwork by a university in Futschach called Rene Rohrbeck, who did the definitive piece of work or study on this. Futures prepared companies are 33% more profitable, and have a 200% greater chance of succeeding into the future. There was a project called Action Colombia, which was used as part of the peace process there, which was a futures and foresight exercise, and subsequently cited by the president as being extremely significant towards the development of the peace process.

And from the sublime to the ridiculous, Disney introduced futures awareness and foresight training to their main board, because they realized when they introduced it in workshops, that it produced more innovation and more profitable enterprises within the company. So, I can give you political, academic and real world.

So, it helps. Good.

So, let's talk about, let's start with bamboo. So, and let's start with Usenil.

So, in the bamboo scenario, I think we've seen lots of collaboration, even across border. What challenges will this pose to cybersecurity?

So, in cybersecurity, we've all been wanting to collaborate anyway, because we don't necessarily see it as a competitive advantage within most industries, certainly within financial services. It's not a competitive advantage amongst each other.

And so, we've wanted to collaborate. We've been wanting to collaborate for a long time, but there are challenges in the collaboration as it relates to, let's say, data sharing and the specifics around our environment, or the practices that we have that may, at some level, divulge aspects of our environment that we're not necessarily proud of.

So, and this is, you know, we realize that this is universal. It's not, we think that we're embarrassed by some aspect of our environment, but everyone is embarrassed about something in your environment. And we have to get past that. But unfortunately, we have another constraint, and that constraint is the regulatory powers that come back and point out those deficiencies in such a way that it incurs significant costs for us.

And so, we have this interesting challenge where we want to be like, we need to be like bamboo as it relates to cyber defenders, but there's almost a countervailing push by governments that make it really hard for us to share this type of insight. I would say, though, generally speaking, though, so one aspect of my background is that I also used to support the intelligence community in the U.S., and one of the things that we hold very tightly are what we call sources and methods, sources and methods.

However, in cybersecurity, it's somewhat interesting, because when you go to a conference like this or any other cybersecurity conference, what is it that we practitioners share? We share sources and methods. We tell you how we did something, and we tell you what sources we used. What we don't tell you, actually, is the output of those sources and methods, because they're not really relevant to you. And it's interesting that we already model this, but we don't model it in a way that allows us to scale it beyond one-on-one conversations or these sort of conversations. Can I add something?

Of course. Okay.

I think, very interesting, your point of view, right? I absolutely share the regulatory part, right, as we have the DORA around the corner here in Europe, yeah? But one thing which I don't really see as a challenge, I think where we reached Bamboo already is when we fight attacks, when we fight cybercrime, right? So there's an official and an unofficial kind of relationship between the corporates and the regulators as well and the government, yeah? So there I think we reached Bamboo, yeah.

I think that there's another interesting aspect of Bamboo, I believe, is the speed of change given the tendency of innovation going on. Now, everyone who worked in IT before knows change is the debt of stability. So how do we deal with this rapid change, or how can we deal with this rapid change in cybersecurity? So let me also offer, there's a metaphor, of course, that we're seeing with trees and vegetation, I guess. Trees. Is Bamboo a tree? I thought Bamboo is like a grass. I think it's a grass. I think it's a grass.

You see, that's what gets through the European Commission these days. But more relevant about the nature of Bamboo is that it's plentiful, fast-growing, short-lived, and it tends to be – there's just so much of it, right?

In fact, some people consider it a weed, but that's a different story. But the perspective here is that we in cybersecurity need to think about what enables us to build systems like Bamboo that can be reused, recycled, is plentiful. And you know what? You don't really care when Bamboo gets cut, or some amount of Bamboo withers and dies. You do care. About two months ago, I was in the Redwood Forest in California. Those are beautiful 2,000-year-old trees, and there are a lot of people who weep and mourn when any one of these trees die, right?

So anyway, I'm stretching the metaphor a little bit, but in the context of Bamboo and how we think about really resilient systems, strong, flexible systems that we have in our ecosystem, we actually need more of our IT systems to be like Bamboo rather than these monolithic systems that live for very long periods of time. Can I make one further point about the technology and speed of working with technology? Would it help if I say no? No. Bamboo is an intensely collaborative scenario. It's the most collaborative of them all and the least competitive.

So yes, if that's where you can sit, that's where you're going to derive the most benefit. So let's move on to Willow for a moment. We still see lots of innovation going on, lots of change happening, but not so much collaboration. So I would assume, Peter, in this scenario, we talk a lot more about confidentiality, privacy, et cetera. Absolutely. And here it is very important that corporates really know what they need, how they can protect their data, right?

I mean, with GDPR several years ago, we did a very good step forward for the personal data. But this, of course, goes much, much, much further, right? There's not an easy answer to that, right?

I mean, you need to strike the balance to what can you share, what is good to be shared, right, and what do you need to keep for yourself. And then you have a kind of, let's say, an historic IT environment as most of the banks do.

I mean, you know it from your Deutsche Days as well, right? So it's not that simple to really keep track of your data and to protect them. What we also could expect in a scenario like this would be less dependence on global platforms. So you can probably expect something like national AIs, national GPTs, et cetera. So what will that do to security?

So Neil, perhaps a question to you. I debate whether there's a national AI. But I'll talk about this in the next session, but I think a lot of the challenges that we face in cybersecurity will pale in comparison to the challenges that we'll see with artificial intelligence. So I'm not sure if I – and there's a degree to which I would make an argument that when it comes to AI and security, I'm more concerned about safety than security with AI. And apologies, I committed it to memory, but I forgot it already. How do you say safety in German? And how do you say security in German? Security.

It's the same word. Because we use the same word, it becomes very confusing. But there is a very clear distinction between the two, and I'll share more about that later. But in the end, we are concerned about – many of us are concerned about AI security. But let me offer worse than an AI system that is unsecure is a system that is both unsafe and secure. An AI system that is unsafe and secure means that we don't have a way to come in and break it. So I would rather make sure that we have AI systems that are safe first. Then we want to make sure it's as secure as possible.

But again, worse than an unsecure AI system is an unsafe secure AI system. One question to the scenario. The Willow scenario is the most artificial, right, of the four? Would you agree? Meaning it doesn't exist? It doesn't really exist, right? I think it depends what you mean by artificial in the context of scenarios. Scenarios by their nature are artificial.

So yes, whether you're saying more or less likely, yes. It's probably the least likely or the least immediately recognizable to us. The problem with scenarios is that inevitably people look at them and go, I want that one, I don't want that one, and I think I might be going to that one. So automatically people get favorites or things they're working towards. The thing about Willow is very few people go, I want to be there.

But with Willow, the problem I have or the problem for multinational companies would be, I mean, if all nations are isolated, obviously they will have their own regulation, et cetera. So then a global company will have to deal with multiple different, potentially very different jurisdictions. Which is exactly what happens now, which is why, for instance, going back to GDPR, there was so much issue across the Atlantic with data sharing. And one of the functions of regulation is that one of the outcomes of regulation is that it is frequently different in different parts of the world.

And if you want to be a global corporation, then you have to work with the regulations in the place that you're working from. As I say, we did 40 local scenarios for 10 different regions of the world, and you can imagine the regulatory aspect of each of those was distinctly different, whether you were in sub-Saharan Africa or you were in Southeast Asia.

Now, moving on to at least the one scenario I personally don't like at all. So Peter, if you were a CISO in that scenario, what would your biggest challenge be? How to find a new job, I would say. Because this is really devastating, right?

I mean, Oak is no global orientation, right? But we stick to what we know. So no change. This is the beginning or the end, I would say. So it was kind of interesting that you said, what if. Let me pose a scenario for you. I'll ask you, who am I describing?

Okay, what am I describing? So imagine an environment where you have strict security policies. We want them to be closely adhered to. We monitor for adherence to these policies. We install agents on your machine to make sure that we can monitor your behavior and activities. A lot of things that you can browse are tightly restricted. And if you violate some of these policies, then you may suffer termination. What did I just describe to you? I just described to you North Korea. I just described to you an authoritarian government. I just described to you Oak, I think.

So when you said, what if, I think many CISOs operate in this sort of mindset that that's the type of environment that we actually think we need. Who wants to live in North Korea? But I will make one argument to what Peter said, looking for a new job. I would say in no other scenario, the CISO's job is so easy than in Oak. And that's absolutely right. The workshops this morning, I'm used to doing some political work with these scenarios. And they all go, oh, we don't want Oak. It's North Korea. It's Putin's Russia. It's scary.

It's all about control and exclusivism and no climate mitigation or anything. Talking to a whole bunch of cybersecurity people, they were going, oh, Oak's quite nice, actually. We can control things in Oak. We can build nice big walls. And I think there is a, yeah, it's very easy to be a CISO. I think it's probably less easy to be a human being, but I think it's very easy to be a CISO. But when you look at the ransomware attacks on small towns, on the IT of small towns, right, isn't that Oak? So they do business as usual, right? No global orientation, and they get encrypted all the time.

So it's not a good thing to be a CISO there, right? No, it's not.

Oak is, I don't know. Part of the work we did this morning was to look at options, ways we could exploit certain interventions. And I was very surprised that a lot of the interventions in Oak we were able to exploit very well. So you're right that these are not – it's not a natural place for us to want to be. But part of the thing to remember about scenarios is they're not just about risk. They're also about opportunities, and there are opportunities in Oak. And I would argue Oak is also the epitome of bureaucratic regimes.

I mean beyond authoritative ones, just bureaucratic regimes are very strongly rooted in Oak. So take any government – well, take most government, functioning government. Let me see. There aren't too many of those. But take – many governments describe the properties of Oak in that they're bureaucratic and they resist change. They're very – they tend to try to consolidate power within certain – I don't want to crash the scenario, but the attacks are flexible. They change all the time, right, and so on.

But the really static thing like Oak, you are – you will not really be able to be resilient, right? Well, that's the whole point about Oak, isn't it? The thing about an Oak – this is where the comparison comes in. An Oak tree will go blam under certain pressure. And this is a society that's prone to revolution. So if one was to think of an Oaky state – and I'm trying to do this without mentioning that country between Mexico and Canada. So under a certain previous president. But if you were to think of Bolsonaro or Duterte, they are very – they were very Oaky states at the time.

Now, the advantage of that pressure from the top is it promotes massive civil society disruption from the bottom. But they also illustrate the point that both of these fell over when pushed sufficiently hard. Do you really want to be at CISO there? That's a question I would pass over to other CISOs, not to me.

Obviously, that's also the scenario where cyber war will be around, big deal. I think cyber war explicitly.

I mean, I think it's permissible to expect – I mean, there is cyber war. This is why all of our countries have substantial government cyber intelligence capabilities. And that's in any scenario. But I think certainly within the exclusionary scenarios, if you're looking at Willow and Oak, where you're looking at competition rather than collaboration or competition rather than cooperation between countries. That's naturally where you're going to get into state actor cyber war, yeah, absolutely. All right. So I don't like Oak.

However, I fear that in five to ten years, we will see some Oak around somewhere and we will have to deal with the problems it poses to us. But before we get too emotional about Oak, let's move on to Redwood.

And here, we again see more collaboration. Obviously, still not a lot of innovation and change going on. So what does this give us?

Obviously, we have collaboration. We have already the privacy issue coming in again.

Here, people want to protect their intellectual property. So what does this mean to a CISO? Do you want to be a CISO in that scenario? I think Redwood is today, right? It's interesting because that is what the people said this morning as well.

So yes, I have to be a CISO in Redwood, right? Because it's today.

For me, this is fascinating because Redwood is today for CISOs. But it isn't for quite a number of other industries, interestingly. So I don't know if I – I don't like either Redwood or Willow. So by the way, I used to be a former – I used to be a CISO right before my current role. And in my role, I either wanted bamboo. I wanted to either operate in bamboo or I wanted to operate in Willow. And the example – the way I think about it is I use another metaphor. And the trees are going to throw it off a little bit. But this notion of pets and cattle, okay?

Pets are things that you care about a lot. Cattle, at least in the U.S., we don't care about it. You brand it with a name that you can't pronounce. And when it gets sick, you shoot it and you move on. Cattle are like bamboo in the sense that we want to build systems that are flexible, can constantly change, can be constantly repaved on a regular basis. Oak are my pets, okay? And I want to be the most fascist, authoritarian, controlling over those pets, okay? I read an article about – I remember someone said your political alignments change in different dimensions.

At the federal level, you might be a Democrat. At the family level, you might be a Republican. At a family level, you may be a communist, okay? With your dog, you're a Marxist, okay? But the point is that we want to operate in a very – in the context of pets. You want to make sure that pet is really well taken care of because any harm to it creates massive disruption to your business. So as a CISO, I absolutely want to operate in an oak-like environment for those resources that I consider to be the most critical of my business.

However, I don't want that many pets. I want as many things to be operating in the bamboo environment. As long as they stay and as long as they get constantly repaved like cattle, as long as I don't care about taking care of them, then it allows me to concentrate my resources on running the most authoritarian government I can within the context of oak for those few pets that I care about. All right. Now let's move away from the four scenarios for a moment, and I would like to pose a couple of questions to you, Peter, and Sunil, for the last rounds.

And we'll ask you to, if at all possible, please just one sentence, but not a 100-word sentence. All right. So first to Peter, how does this resonate with you? If cybersecurity is not achievable, recovery will get more important. Both belong closely together. It's called resilience. Sure enough.

So, Sunil, data protection will become a key competency. What do you think about quantum and blockchain in that context?

I agree, and quantum and blockchain are orthogonal to data protection. Peter, multinational companies will probably see multiple futures like we just discussed them. You already talked also about multiple regulations. Does this concern you? Not at all. It's daily business, and regulations drive innovation as well.

Sunil, how will the metaverse change cybersecurity going forward? Well, it's funny, because the cyber and Neuromancer. William Gibson. William Gibson, yes. So I don't know if it's going to change.

In fact, I would argue that it's really the final manifestation of what William Gibson kind of envisioned in the past. And it's a dystopian story, so I think we're already living that.

Peter, human and machines will be more and more difficult to be distinguished. What will this do to trust in the digital world? Doesn't help at all. That was at least short.

A very, very, very difficult question. Can I – I want to answer Peter's question. Go ahead.

Step in, step in. Rachel Botsman, Who Can You Trust? Really wonderful book. She wrote this wonderful book on three types of trust. Three types of evolving trust. One-on-one, group, and then distributed. And she explains what this notion of distributed trust looks like in the future.

Now, last question will go to both of you. You complete my sentence. In the future, cybersecurity will become, first Peter. What? The new normal. Irrelevant. Thank you. Irrelevant. Thanks to Sunil. Thanks to Peter. Thanks to Jonathan. Thank you.