Keynote speech by Angel Gurría
13 February 2020 - Munich, Germany
(As prepared for delivery)
Ladies and gentlemen,
I am delighted to participate in the 6th edition of the Munich Cyber Security Conference, focusing on how to build a more secure and resilient digital society. What a topic! What a challenge!
Not so long ago, cyber security was considered as a technical issue by many businesses. Some governments used to treat it solely as a subset of national security. Today, it’s a pressing global challenge – with extensive social and economic implications – requiring collective action by governments, companies and the public. I therefore congratulate the organizers for getting us all together here today.
Cyber security: a widespread and growing concern
The world is becoming increasingly dependent on digital technologies. While this may seem self-evident, it’s our job at the OECD to measure the digital transformation, understand the implications, and recommend public policy approaches that work. In 2018, 64% of Internet users in OECD countries made online purchases and 73% used social networks. In 2019, 68% used online banking, a very significant increase since 2016. We are in an economy that is increasingly digitalised and we should act accordingly.
In addition, the digital transformation is touching our lives in new ways from the digitalisation of election systems and healthcare to smart homes and connected cars. This digital transformation, despite being full of promise, also makes us more and more interdependent and vulnerable to digital security threats.
For example, the WannaCry and NotPetya attacks, in 2017, showed how the successful exploitation of a vulnerability in a single product can paralyse global firms, lead to billions of dollars of damages, threaten critical infrastructures, and have direct human impact.
Digital security incidents like these have taught us a lot over the years. Businesses have realised that digital security needs to move up from the IT team to the boardroom. Policy makers have recognised the need for digital security to become a whole-of-government priority, with integrated strategies that encourage digital security innovation, develop relevant skills and empower small and medium enterprises (SMEs) and individuals.
These are marks of progress, but the mission to build a safer and more resilient digital world must advance and keep pace with the change of the digital transformation. And it’s a rapid pace.
Artificial intelligence, for example, has an immense potential to improve the well-being of people and help solve some of the major challenges of our times. It can also enhance digital security by detecting anomalies. But it also comes with new risks. For example, researchers have shown that data can be poisoned to deceive an AI system. Are we ready to face this challenge? Where should we start? The principles adopted last year by the OECD and that informed the G20 AI principles recommend that AI systems be secure and safe throughout their entire lifecycles, that traceability of outcomes be ensured and a systematic risk management approach be applied. There is an urgent need to implement these principles and to address emerging threats such as deepfakes and misinformation.
Towards a more secure and resilient digital society
Failing and learning from our mistakes is one of the most important success factors in developing businesses, and, probably, in life. Risk taking and economic success go hand in hand. As recognized in our 2015 Recommendation on digital security risk management, the objective of building a resilient digital society is not to eliminate risks entirely (this is simply impossible), but to manage and reduce them to an acceptable level.
Smart products are not smart enough to be 100% safe. Attacks will happen, sometimes successfully. What matters is to be prepared, able to detect them and respond adequately. Resilience, our ability to ensure continuity and recover from hardships, should be top of mind.
A recent survey showed that 27% of organisations suffered security breaches because of an unpatched vulnerability. Many products, including maybe your smartphone, continue to be used after their “end-of-life”, meaning that the manufacturer no longer provides technical support, including security updates. Criminals, however, continue to attack relentlessly. With the number of connected devices expected to reach 20 billion worldwide this year, this end-of-life challenge is a ticking time bomb.
With the advancement of the Internet of Things (IoT) and cyber-physical systems, successful attacks will also increasingly impact human safety. For connected pacemakers and autonomous vehicles, “failing safe” means saving lives.
In many cases, products are not secure enough. Why? Is it only because of the technology? Our current work shows that the market often fails to provide enough incentives across economic actors. In response, some governments are developing labels with the private sector to increase transparency and promote security as a factor that differentiates products in the market.
The contribution of the OECD
The OECD is helping governments build more secure and resilient societies and economies.
Since this Munich Cyber Security Conference was first launched, the OECD developed international legal instruments on digital security. In 2015, we adopted the Recommendation on Digital Security Risk Management for Economic and Social Prosperity. In 2019, we adopted the Recommendation on Digital Security of Critical Activities which calls for sustainable and trust-based partnerships among all stakeholders.
We launched the OECD Global Forum on Digital Security for Prosperity, which connects technical experts with policy leaders to focus on the economic and social aspects of digital security. We met in London last year, to identify successful strategies to encourage digital security innovation. Next week, experts will meet at the OECD to identify and discuss best practices in product security and the responsible management of vulnerabilities. We will meet again later this year in Israel. I invite you to join us there.
And next year, we will review our Guidelines on Cryptography Policy. Those were adopted back in 1997 and marked the first international consensus on the deregulation of cryptography, which is, as you know, a foundational best practice to enhance the security of digital communications and transactions.
Stepping back, we should be asking ourselves a simple question: is digital security improving? I don’t have to tell you that the answer is complex. Lord Kelvin said “if you cannot measure it, you cannot improve it”. Our challenge is to move from anecdote to building a stronger evidence base. This is OECD’s mandate. But to gather data we need more involvement from businesses and governments.
Ladies and gentlemen:
It is time to join forces. From innovative business leaders to courageous policy makers and technical communities, many are already “acting brave”, championing digital security across companies, sectors and countries. Let’s help them!
The Paris Call for Trust and Security in Cyberspace (2018) and the Charter of Trust launched here at the Munich Security Conference, two years ago, are great examples of what stakeholders can achieve together.
Let’s work together, learning from our countries’ successes and mistakes, identifying and sharing best practices, and designing evidence-based policies and regulations. It is the OECD’s mission.
I wish you a great Conference. Thank you.