IGF 2019 – Day 2 – Raum V – WS #195 Cybersecurity concerns everyone - Responsibility and education throughout the digital supply chain

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> MODERATOR: Ladies and gentlemen, dear colleagues, good morning.  It is my honor and my pleasure to welcome you to this panel discussion on digital security at the Internet Governance Forum 2019.  My name is Daniel Greenfield, and I will guide you through this session.

Today's panel is brought to you by the Charter of Trust.  This is in essence the Munich Global Security Council.  And they helped to provide cybersecurity in the business sphere.  In the next 90 minutes or so, we will explore the digital security landscape that private businesses are facing today, and we will try to map out what companies, big and small, can do now to mitigate cyber risks for their organization.

The title of the session is "Cybersecurity Concerns Everyone, Responsibility and Education Throughout the Digital Supply Chain."

When discussing this, we want to focus on two questions today.  The first one is how we can manage digital security risks in the global supply chain, and that in turn ultimately asks the question of how we can establish trust between business partners.  Related to that is the second focal point for today's session, which is the role of education in digital security.  And here we want to cover both the role of cybersecurity experts, but also the cyber hygiene and awareness of the regular employee and citizen.

Obviously, business cannot operate in a political vacuum and this is why I'm glad to welcome our first speaker to the stage, who will set the scene for us today.

Laurent Bernat, with the OECD, is working on the latest iteration of digital security recommendations and policy toolkits for governments and, of course, as you all know, the OECD does not only support its own governments, but is also a sort of knowledge partner for the G20 and other important international global forums.

Without much further ado, Laurent, please, the floor is yours.

>> LAURENT BERNAT: Thank you very much, Daniel.  Good morning, everyone.  I'm going to give some introductory remarks, pretty high level but setting the scene from an OECD perspective, but first of all, I would like to thank the members of Charter of Trust and you, Daniel, for inviting me to participate in the IGF workshop and to say a few words on behalf of the OECD.

If you don't know the OECD, there are two key points that describe our organization.  First, the OECD is an intergovernmental organization that works to build better policies for better lives.  Together with governments, policymakers and citizens we work on international norms and finding solutions to social and economic challenges.  We provide a unique forum for exchange of best practice and analysis, public policy advice and global standard setting.

Second, the OECD has been working on digital security since the early 1990s and since the prehistorical days, these policy discussions have taken place in a multi‑stakeholder fashion.

Today, the OECD works on these issues through its newly established Working Party on security in the digital economy, and its global forum on digital security for prosperity, which both gather representatives of governments, as well as businesses, civil society, and the Internet technical community.

A key pillar of OECD work on digital security is the 2015 Council Recommendation on digital security risk management for economic and social prosperity.  This is an international legal instrument, a soft law instrument, which provides principles on how to approach security without inhibiting the potential of ICTs for integration and growth.  The OECD encourages governments and other stakeholders to approach economic security as a risk management challenge rather than only as a technical, national security or international security issue.

This is why we prefer the term "digital" over "cybersecurity."  Digital is consistent with the digital economy, and digital transformation.  I'm not exactly sure what cyber means actually, but it's clearly connoted with national and international security and with criminal law enforcement, cyber warfare, cyber defense, and cybercrime.

Digital security helps emphasize that the benefits and the risks from using digital technologies are two facets of the same coin and should be managed together, rather than in silos or in tension.

So the title of this workshop is cybersecurity concerns everyone.  I could not agree more.  And I will go two steps further than that.  As a first step, I would quote the responsibility principle of the 2015 recommendation that I just mentioned.  The principle states that all stakeholders should take responsibility for the management of digital security risks, based on their role, the context and their ability to act.

Being responsible is more than feeling concerned.  It implies action, the consequences of one's action or lack of action, accountability and perhaps, depending on the context, liability.

And since there are many categories of stakeholders with different roles who are all interdependent and should all take some responsibility, the only way that they can make some progress is by cooperating with each other.

So this is the second step beyond cybersecurity concerns everyone.  All stakeholders should cooperate, including across borders.  That's another principle of the 2015 recommendation.  Cooperation and partnerships are essential to manage and reduce digital security risk, for oneself and for all.

This takes me to the Charter of Trust, which we view as an important initiative.  We see the Charter of Trust as very important on the part of business.  Stefan will explain what the Charter of Trust is right after me.  So I won't speak about it in detail.

But I would like to note that this is a partnership between 16 large firms which have agreed to take responsibility, precisely and to cooperate, to agree on key principles to share good practices, to promote them and to build trust.

This is very important in particular considering the profile, and the mix of roles they represent.  We have in the Charter of Trust firms from industry, from the ICT sector, testing, inspection and certification companies and insurance, and maybe I am forgetting some.  So it's really an interesting mix.

What is particularly interesting with this group is that they are not getting together to point fingers at other stakeholders, like governments or customers or whatever others, to say you should take responsibility.  Rather, they work together to promote good practice for themselves and for others.

They are also large firms from different countries and regions with activities spanning beyond national borders and this echoes very nicely the cooperation principle of the OECD digital security recommendation.

As I said, this initiative is a sign of increased maturity on the part of business, with respect to digital security, and the presence of our panelists today at the IGF is an illustration of that.  I remember trying to set up a group ‑‑ sorry, to set up an IGF workshop with several business speakers a few years ago and I could only bring one.  And he was speaking remotely actually.

So you see, times are changing, and that's a very good sign.  I would like also to highlight that governments are also evolving and public policy is getting more mature.  This is reflected in the work that our member countries most recently agreed to carry out at the OECD.  Over the last 20 years, we have been primarily developing principles on how users, mainly organizations, should protect themselves.

And now the focus of our work is expanding to address new areas.  For example, the OECD global forum on digital security for prosperity held its second annual event in London, engaging in an in‑depth multi‑stakeholder dialogue on digital security innovation.  The event gathered 150 participants, including entrepreneurs, venture capital, large corporations, civil society, academia, and governments.  They met at Plexcel which is a digital home of the London place for Locher, a UK public/private security hub.  We had a meeting on innovation at a place where innovation is happening actually, including cybersecurity innovation.

But our current core analytical work focuses on how to improve the digital security of products, while taking into account the complexity of value chains, and the different stages of the product life cycle.

In this work products are understood as goods and services, provided in commercial and noncommercial contexts.  So a software package, a cloud service, an IoT device, but also a government website.

This work takes us to a new area where we are trying to better understand why the market does not generate products with a sufficient level of security.  What are the incentives for vendors to make more secure products?  Why do products not always integrate patching mechanisms, why do vendors not always provide security updates, thinking particularly of the IoT world?

What are the obstacles they face, such as the complexity of their value chain, for example?  So this work also requires understanding the information asymmetries in the market with respect to adopting good security practice.  We are exploring the possibility of labeling, certification and new ideas such as bills of materials, or software bills of materials, and other approaches to improve this situation.

While focusing on products, we are also working on how to encourage responsible management and disclosure of vulnerabilities and how to clarify the scope of businesses' actions in the course of a task.  The last one we call responsible response.  All of this work could potentially lead to the development of high‑level policy principles and set new avenues for enhancing digital security without inhibiting economic and social prosperity, which is really the overall objective that we have at the OECD.  I understand that the panel will discuss the second principle of the Charter of Trust on responsibilities throughout the supply chain.  So there are very interesting synergies between what the Charter of Trust is doing and our work at the OECD.

I take this opportunity to highlight that the OECD Working Party on security in the digital economy, which held its first meeting last week, agreed to set up a multi‑stakeholder informal expert advisory group to provide input into our work ‑‑ to ensure that our analysis is as well informed and balanced as possible.  Experts will come from business, civil society, academia, the technical community, and experts from the members of the Charter of Trust are actually welcome to join, and some have already provided comments on preliminary draft reports.

So to conclude, I would like to confirm, yes, cybersecurity concerns everyone, but those who take responsibility, according to their role, and cooperate to share good practice and improve their risk management, are clearly showing the way forward.  So thank you again for inviting me and I'm more than happy to participate in the panel discussion.

Thank you.


>> MODERATOR: Thank you, Laurent, for the introduction to the topic today.  You certainly touched upon a lot of points that we will get back to during the panel discussion.

Before we do that, however, I would like to ask our second speaker onto the stage, who will share with us a brief history of the origins and the objectives of the Charter of Trust cyber initiative.  Stefan, please join us here.

Normally, as per the program, I would be welcoming Eva Schulz‑Kamm today, but she can't be with us, unfortunately.  I am all the more pleased to have Stefan here; he is in global security.  Stefan Saatmann.

>> STEFAN SAATMANN:  My work will be from my side; it's another good example of acting local.  We are here via the Internet via live stream.  So my name is Stefan Saatmann.  I work with Siemens and I would like to present to you the Charter of Trust, what it's all about and where we currently are, and give examples of the results on the digital supply chain and the cybersecurity requirements that we based for that.

So I would like to start with a clear statement.  Security is the prerequisite for so many things in our public and private life, and it has become more complex as technology is increasing, as processes are changing.  And that is why the cybersecurity topic ‑‑ and I call it cybersecurity; we can later discuss the methodology behind it ‑‑ is becoming more urgent.

So what is behind that?  It is not just for one reason.  Several global trends are driving this.  Let me pick one example, growing cyber risk to business: in the Allianz global report on business risks (Allianz is also a partner of the Charter of Trust), cybersecurity is another topic among business risks.  And another example is that the workforce gap is widening.  So worldwide, there are 3 million cybersecurity experts missing.  So that brings us, in particular, to the point that this topic is really an urgent one, and we should act together.  We have a strong need to act together.

So that is why Siemens and the Munich Security Conference, and strong partners from diverse backgrounds, have together initiated the Charter of Trust on the 14th of February 2018, and the goal behind that ‑‑ actually, there are three goals behind it.

So first, to protect the data of individuals and companies.  Second, to prevent harm to companies' infrastructure, digital infrastructure and physical infrastructure.  And the third one is also to develop a solid base on how to go further with this important topic.  And I will shortly come to the first results of that.

The basis for that and the frame for that is the 10 principles of the Charter of Trust.  They start from an organizational point of view, so ownership of cyber and IT security must be reflected in the company organizations, responsibility throughout the digital supply chain, which is really one of the greatest challenges in that environment.  Dealing with 90,000 suppliers, for example for Siemens alone, is not an easy thing.

Security, which is in the development of solutions, services and products, has really also become another key differentiator.  User centricity means that you need to think newly from the end.  We have innovation and co‑creation, which is reflected also by the partnering approach in the Charter of Trust.  We have education, coming back to the trend of the workforce gap.  We have certification, which was already mentioned by Laurent as a big topic, where we need to find the line between where we have to be certified and where self‑assessments are already sufficient.  And then there are the regulatory framework and joint initiatives.

So this is the trend, and the Charter of Trust has developed a new approach.  So we look at technology, meaning that we really analyze and try to find pilots for baseline and best practices.  We also shape the political debate, engaging and offering ideas from these private industry cybersecurity initiatives, which is also one of the key differentiators.

And the third one is, of course, we see there's also some potential for making cybersecurity part of the digital business models.

In the end, it's all about the trust.  Trust needs to be ‑‑ it's not something you just earn.  You have to work on it, and this is what we will also continue, and after two years, we can proudly say, yes, we did it!  We have achieved first results in several cyber areas.  So we scaled supply chain security and harmonization, as we have supply chain baseline requirements; we have developed the first phase of a concept; we transferred cybersecurity into a real business opportunity, meaning it's all becoming part of our daily business; and we drive the education.

Let me give you one deep dive in the supply chain area.  So within these ‑‑ within our trust network, we have ‑‑ we came up with this approach.  So we have agreed upon 17 baseline requirements, as a foundation of the security of the supply chain.  We had to find a methodology for supplier criticality, simply because, of course, this has to be manageable.

And as it has to be manageable, we have to really distinguish what are high‑risk processes and what is something that we can give another priority.  And the third one is the verification methods.  So here you can see that from self‑declaration, self‑assessment, to documented proof, we also distinguish between those verifications, and this is probably something which is really bad to read; however, I wanted to show you that we are not doing this from outer space.  We are looking upon global standards.  So here on the right side of the chart, you can see the IEC 62443, which is, for example, a very important standard for the industrial environment, mapping also to the METI CPSF, just reflecting that we have a global approach here.

And these baseline requirements, they cover eight different categories: data protection; security policies; incident response; site security, which is the physical layer; access, intervention, transfer and separation; integrity and availability; support; and training.

Let me just simply pick one of them, which is for example access, intervention and transfer.  "When appropriate," of course, means that there has to be a risk analysis of what I put to which process.

So that's in a nutshell what we achieved, and here you also find some more examples, which I will ‑‑ due to the time, I will not deepen here.  Let me sum it up: this is not the end of this.  We want to take it to the next level together.

I'm looking forward to the panel discussion.  Thank you very much.

>> MODERATOR: Thank you, Stefan.

We will now be proceeding to our panel discussion, and Stefan, please, indeed, choose a seat.  I would now like to call the other panelists to the stage.  We have here with us Dr. Alexander Wolf of the assurance division of TUV SUD.  And we have Jacques Kruse-Brandao, global head of advocacy at SGS, and Jochen Friedrich, at IBM.

Jochen, let us jump straight in.  How has the digital security landscape changed over the last decade, and how did that influence the decision of IBM to cofound the Charter of Trust?  How does that sit together?

>> JOCHEN FRIEDRICH: Oh, that's a broad question.  How many hours do I have?

I think Laurent already made a lot of interesting statements here on how the landscape has changed, and it's probably due to a lot of different factors.  We are in ‑‑ I'm not sure whether we are at the beginning or whether digitalization has already heavily started.  It probably has already heavily started.  So digital technologies are pervasive.  They are everywhere.  You look at individual users.  We are more and more using digital devices.  We experience the need to have secure devices, secure communication, individually; probably everybody already has had viruses and luckily had installed virus protection systems on their PC.

You experience it everywhere.  You want to have end‑to‑end encryption if you use messaging tools, et cetera.  So there's a key increase in individual awareness of this, and you want to have the technologies that are easy to handle and to protect you, but at the same time, industry, we are talking about digitalization of industry, industry 4.0 in Germany, industrial Internet as the term is worldwide, or digitalization of European industry.  You see more and more processes, more and more machinery is driven by IT.  Almost every process, every piece of equipment now has an intelligence layer with it.  And with this, it's important that this runs without impact, that this runs secure, that safety is not impacted by this.  So there is a really pervasive need for secure technologies, and everybody is aware of it, and we are all aware of it.  Our customers for IBM are aware of it.

So when being asked to join and cofound the Charter of Trust, I would say we didn't have to think twice.  We thought it was an excellent idea.  It was also very good to work together, not just with IT companies, but with companies coming from different sectors.  So those who are traditionally also our customers, who experience the problem, where we support them with IT technologies, and on this basis, we thought this is instrumental to work together, to cooperate, as was already stressed, and see how we can drive IT security across the full portfolio of technologies that are running and the full portfolio of processes.

>> MODERATOR: Thank you, Jochen.  Laurent, my question to you.  When looking at the materials, the draft documentation that the OECD is working on, I think there's a lot of overlap.  Is there an emerging consensus on what needs to be done?

>> LAURENT BERNAT: Of course, they have copied ‑‑ no, I don't know.  I think we operate at different levels and it's very complementary.  We operate at the high level, the high policy ‑‑ the high level of policy.  Something like that.

And these people are operating ‑‑ they are in the field.  They are doing it.  And so they face the complexity of this in a very concrete way.  I think what is happening is that we are probably at an interesting moment, where we sense that there is some more action from the government is coming.  For many years, it was ‑‑ it was basically just let it happen.  It's good for the economy that we have all of these digital things going everywhere.  But now we see the security issues as becoming important.  And so governments are saying, well, perhaps we should have a closer look at that and start to think about regulation.

And at the same time, the private sector is looking at it and saying, well, we should anticipate that potential regulation and inform the policy making, and we at the OECD are somewhere in the middle, trying to learn from the field, which is why we need this input from the stakeholders, and informing the policymakers but also reflecting back what happens at the policy level.

I'm not sure I responded to your question, but that's my ‑‑

>> MODERATOR: Yes, I think you did.  Thank you.

Alex, one of our focal points is supply chain security.  Can you explain what the problem is there and what the approach of the Charter is to solve that?

>> ALEXANDER WOLF: I think the problem is twofold.  One thing, you want to make sure that your product is safe and secure.  That's one thing.  You don't want to have anything bad happen.  And the other perspective of this is you don't want to have an interruption in your own production, because it's also going to cost you a lot of money.  And I think Stefan has done an excellent job in showing the two pictures, because it's very complex.

There are these 17 baseline requirements that have been established that will put you already on a level which is better than what many people have now.  And then the second step is to run this risk‑based approach, or common risk‑based approach, where you have the category of three levels and you go for the higher criticality.  And this is actually pretty common.

The good thing about this whole cybersecurity thing is that we have actually seen this in the past, when you had these transitions in technology.  It's just a bit more complex and fully global right now.

>> MODERATOR: Thank you.  Stefan, you already mentioned the amount of suppliers that you are dealing with at Siemens, how fast do you intend to roll out the baseline requirements to your supply base?

>> STEFAN SAATMANN:  We are already doing it in two ways.  So first, we have added T&Cs with the cybersecurity clause in them, and second, new suppliers who need to qualify to work together with us, and whom we want to work together with, have to adopt the 17 baseline requirements.

But this is an ongoing process, and I would say that we look at our suppliers as partners.  So it's not that we leave them alone with the baseline requirements.  We also try to develop this realization together, because it brings us to a higher level of security.

>> MODERATOR: Thank you.  Jacques, what approach does the Charter take to assess suppliers in the end?  We heard from Siemens that they are treated as partners, but there has to be some sort of assessment or finding out whether they are actually living up to the specifications of the baseline requirements.  How do we do that?

>> JACQUES KRUSE-BRANDAO: So basically, as the tech industry and we as SGS, we are the ones who are generating trust usually between two parties to ‑‑ who do business together.  Right?  So one is asking certain requirements, certain KPIs and the other one ‑‑ yeah, should believe it.

And this is always difficult, if you are not in the same city, if you are not in the same country, if you are living in different political situations, in different legal situations.  So usually you ask a third‑party.  And this is the tech industry.  And we are generating trust by ‑‑ by assessing what has been said is implemented and we do this for many things, for nearly everything which is ‑‑ which can be tested in the world.  Think about food.  Think about electronic devices, think about minerals or ingredients of food, et cetera.

And also cybersecurity.  So if one is mentioning he implemented certain security features into his devices and services, then of course you should ask a third party to verify this.  Did I do this in the right way?  Usually you ask hackers, right?  Please check my device, whether I implemented my security features properly.  But if you have done this, of course you want to show this to your customers.

The purchasing process is a very important, let's say, task here.  Recently I talked to a purchasing colleague of a big company and I asked, how do you ask your suppliers today?  She said she has a set of questions and it was, I think, an unbelievable 800 questions.  And I asked her, how do you ‑‑ how long do you ‑‑ do the suppliers need to answer those questions?  And she said, usually eight weeks.  Oh, okay.  And how long does your purchasing process ‑‑ or how long are your tenders for purchasing?  And she said four weeks.

So this does not fit, right?  So we need rules.  We need standards, we need to harmonize standards and as we are living in a global economy, we are here to discuss how we can achieve harmonized standards on a global level.

Of course, we see the Europeans have a security act now popping up ‑‑ or in place.  In place.  We need to fill the framework and we need to define what exactly are the requirements which need to be fulfilled, so that companies have the chance to fulfill those requirements and then ‑‑ that those features will be assessed and then can be proven by the tech companies.

And this is why we are active here in the Charter of Trust, because trust is the main issue here, and trust always needs ‑‑ not always, but very often needs a third party who ‑‑ which, yeah, certifies or at least tests and evaluates that the implementation has been done properly.

>> MODERATOR: Thank you.  Jochen, are these baseline requirements mandatory, or what happens if a supplier cannot meet them?

>> JOCHEN FRIEDRICH: It should be in the interest of every supplier to fulfill these baseline requirements.  And what I think is very, very good about this approach and very worth mentioning is the mapping to available standards.  We are not trying to define now a Charter of Trust technology that you follow and lock in.  We are trying to define requirements, and everybody can be sure that they meet these requirements if they implement and follow the respective standards, international standards preferably.  IBM has always been very active, and our colleagues here as well, in international standardization for IT; ISO 27001 was listed there.  There are others in the 27000 series that are helpful and important.

We do have in Europe an infrastructure in the standardization organizations that can adopt these international standards as European standards.  They could be adjusted to European needs if necessary, but most of the time they are global.  They are available.  So by identifying these requirements, they should not be made mandatory, but it should be in everybody's ‑‑ almost get into everybody's genes and DNA to say, we want to fulfill these requirements, and you get practical advice by looking at the international standards on how you can meet them.  And this is the ‑‑ the great advantage, I believe, and the great step we are trying to promote here with the Charter of Trust.

>> MODERATOR: Jacques, you would like to comment?

>> JACQUES KRUSE-BRANDAO: What we did in the Charter of Trust, we mapped the current international standards to the requirements we defined as the Charter of Trust members.  And this was a first task, let's say.  Then it is pretty easy to, let's say, fulfill those requirements, once you know what is expected to be implemented.

And this is one of the big advantages, what we are doing here.

>> MODERATOR: Stefan, which measures are you taking otherwise to help your suppliers meet that benchmark and are you envisioning any other positive incentives for them, like developing a trust mark or something like, this something that they can put on their website and demonstrate that they are up to the level?

>> STEFAN SAATMANN:  I think the recognition in the supply chain that cybersecurity and baseline requirements are important, and that for the suppliers' own business it's important to secure their processes and technologies and to train their people, is really a trend, and I think today you don't have to persuade somebody that this is an important task.  However, when it comes to business and to contracts, you have to negotiate.  And that is why the baseline requirements really set the floor and set the ground for digital security.  So you can always do more.  You can do more, of course, when you come to the result in your risk analysis that this is probably something you have to look at.

What we do at Siemens is that we care for our people and our supply chain management.  Cybersecurity and supply chain management kind of merge together, and then when it comes to our suppliers, yes, we do say these are baseline requirements and you have to fulfill them.  If they can't, we offer consulting and also together develop mechanisms and tools so that they can qualify for that.

So in the end, we have to do it together, we have to do it in a joint approach but we also have to find the line to say, okay, these baseline requirements we have to fulfill.

>> MODERATOR: Alex, please.

>> ALEXANDER WOLF: On this I see a high similarity to, let's say, management systems we have experienced in the past, yeah?

I recall the introduction of ISO 9000 quality management in automotive; before that you had supplier development.  And this is actually what's going to happen ‑‑ what is also my prediction now.  You need to educate your suppliers to get better, and this will take some time, but then you will reap the benefits from that.

>> JACQUES KRUSE-BRANDAO: We need to look into the backend systems and the communication channels.  We have a huge discussion about trust in 5G equipment, right?  So we need to discuss that.  What level of security is expected from ‑‑ for which use cases.  So we need to discuss those use cases to come to a proper assessment when we talk about risks.

And also risk is related to impact.  High risk can have low impact or high impact can have ‑‑ can be related to small risk.  So it's not about the risk only, but with ‑‑ and we need to have different views.  We have the business views, of course.  But we have also the society view, and the ‑‑ and the citizen view from ‑‑ from a society perspective.

So taking all of these risks into account, I think we have a pretty good view of what is expected and can implement that accordingly.

>> MODERATOR: You mentioned the question of trust in IoT devices and how to deal with that.  Jochen, what is your approach to that?  How should we deal with the tons of noncompliant IoT devices sitting in homes already out there today?

>> JOCHEN FRIEDRICH: Tough question.  First of all, we have the security by design.  That's very important here.  Already when you develop certain devices, security is a key feature, a key requirement, that you are looking at that every manufacturer is looking at, and this will help to drive forward security.

Now, you asked how should we deal with noncompliant IoT devices.  Noncompliant to the requirements in the Charter of Trust, in B2B, there should be a tough check, yes.  You should really ‑‑ you should check with your suppliers and with the providers of IoT devices, do they meet these requirements and if not, there should be a clear market pressure not to use them, and this requires a high level of education, a high level of transparency, how have they been developed, and exactly tick the boxes and have the requirements been fulfilled, I believe.

>> MODERATOR: Stefan, you would like to add to that?

>> STEFAN SAATMANN:  I think it's security by default.  I think we as Siemens, we really want to have security by design, but this is from a process perspective.  It's also something that we are working on, but it's kind of under development.  So I think security by default is really the highest security standards within the product, within the solutions when you deliver them.  This is also a paradigm shift in the product solution design and delivery.

So I think it's important at that point that we, of course, also transparently speak about what we do and all the suppliers, all the environment, the whole ecosystem, journalists, society can look at what we are doing, what we are developing, and we are actively speaking about it in the Charter of Trust and I think this is also somehow a new approach, which we found here, offering our view, what we think is important for ‑‑ for achieving a higher level of cybersecurity.

Of course, in the end, the governments are responsible to set the frame of the market, but we can say, okay, this is our industry best practices and this is also manageable for us and this is also something where we look, of course at costs, at business perspectives, because we have to make that work.  And I think this is something where also this forum here now is a good point to engage with.

>> MODERATOR: Laurent, you wanted to weigh in?

>> LAURENT BERNAT: Yes, on IoT product security, we are ‑‑ as I said, we are working on how to enhance digital security of products and we have started to look at this IoT problem.  And one of the things that came up already is the information asymmetry problem.  The fact that when you buy something, you actually don't know what the level of security of the product is, and you have no way to compare products on the basis of security.  And that's not driving the market in the right direction.  It's not creating incentives for producers to put more security in the devices.

But another interesting thing that came up in the work, we started to talk with our colleagues that deal with product safety and I'm talking about physical product safety.  Basically, you buy a shelf in a store and you build it at home.  There's a famous brand selling this stuff.  And there is a regulation to ensure that the shelf doesn't fall on your kids when they try to get a book or something.  Product safety regulation.

And when the product has a defect, there is a mechanism in the regulations so that the vendor recalls the product, and it's fixed, et cetera.

So while this whole community of regulators is now thinking, well, many of the products we regulate and the product safety regulation have now a digital component, perhaps not the shelves but others like cars, for example, or home appliances, they have digital components and this can create security issues, information security issues or digital security issues.  So are we ‑‑ we the product safety regulators competent?  Can we apply our framework to this?  They are discovering this digital world, not really at the beginning of the process, not realizing that other people in the security are in the cybersecurity aspects, scratching their heads, should we regulate or not, and how should we encourage the market, et cetera.

Currently we see the very early stages of these two regulators talking to each other, and maybe the second one is not really a regulator, but the two parts of the governments talking to each other to try to improve the situation.  It's really like ‑‑ this is it's not just like the private sector should cooperate.  We should have this private/private cooperation taking part which is very important.  And it's trying to break the cycle, which is very important.

>> MODERATOR: Jochen.

>> JOCHEN FRIEDRICH: Yes, I concur.  You mentioned the product safety regulation, because this is something that works fantastically in Europe, I believe, right?  We have very safe products.  Maybe the safest in the world that go to the European market and this is clearly where we should work with governments and regulators and say this is being applied this and this way.  How can cybersecurity ‑‑ how can IT security be a topic, when it comes to regulation, when it comes to increasing security across the market.  Is this a model to work with?

And maybe the cybersecurity act, which we see, where a lot of discussion is being done about IoT devices and maybe one of the instances of the first ones they come up with, maybe this can be something also to test and go into this direction.  Product safety also works with standards.  I'm coming back to standards.  In Europe, if you have a standard, you implement the standard, and then you reach the conformity and you operate under the presumption of conformity.

And if this can get adopted as well for cybersecurity, I think we would be on a very good way in different areas or different sectors, like IoT devices.

>> JACQUES KRUSE-BRANDAO: And we have different challenges coming on top.  Safety assessments have been done for decades, for many reasons, right?  And we see ‑‑ we saw in the automotive world, for example, it started with the safety belt and then there were many, many other safety features in the cars.  And unfortunately, these had ‑‑ those have all ‑‑ or needed to be mandated at that time.

Now we have the cybersecurity, and, of course, the safety feature or the CE mark is very much well‑known to most, is on the day to market.  What does this mean to cybersecurity?  Cybersecurity is an ongoing demand of management.  Cybersecurity management or security management of the devices, which are used during the complex life cycle.  So we need to think different.  We need to think out of the box, how do we ‑‑ how do we need to cooperate and that's why also here, again, the Charter of Trust, the members are coming from different areas.

Everybody is expert in his domain, for example, they are looking into the security of their chips, their chipsets, and then we have Siemens, and Datacom and everyone is expert in their domain.  They take the ownership and we have a principle one, to secure this part of the supply chain.  And IBM does it in the backend systems because you know how to secure the backend systems, while the others know their domain, right?

And I think this is one of the most important topics which we are, let's say, supporting here when it comes to those challenges.

>> MODERATOR: Thank you, Jacques.  Maybe this is a good moment to turn to the audience for the first time and see whether there are any questions out there that you would like to pose to the panel.

We have one gentleman here.  Maybe you can ‑‑

>> AUDIENCE MEMBER: Yes, thank you, Bertrand.  We are a think tank on cybersecurity, and the question seems to be we never regulate the software industry.  Software, you know, in the IP and in terms of regulations are very difficult.  So you are entering this new field and my question to the panel is that do you believe that the only way it's open source software or can you regulate software which is not open source?

>> MODERATOR: I think this was one other ‑‑

>> AUDIENCE MEMBER: Hi, I'm with NEC Corporation Japan.  And my question is I know there's an agreement or like norm of the cybersecurity, like cybersecurity takeoff goal or other cyber norm.  So what is very different of the Charter of Trust to the other cyber norms?

>> AUDIENCE MEMBER: Hi.  Nicole from Off Com in the USA.  I think this is to Stefan with Siemens.  I think you mentioned that you work with 90,000 suppliers.  I was wondering when you apply this Charter of Trust if you essentially did a check or if you, against all of these requirements and if you found that, you know, some suppliers may not comply and if there's lessons learned you can tell us from that.

Thank you.

>> MODERATOR: Maybe we take one more and then we'll get to the answers.

>> AUDIENCE MEMBER: Okay.  I'm coming from the association of the nonfinancial companies in Switzerland, large ones, including SGS.  And just wondering, we are worried that governments are just knowing what they do when they regulate.  And so we are trying to do it actively from a bottom up aspect, that we are instructing in a ‑‑ in conferences and so on what exactly businesses expect, not tech companies but just businesses as an SGS, what they have as a problem.

But my question then is on the regulatory side, in the GDPR, we also have requirements for ‑‑ for cybersecurity, which are heavily fined if not respected.  And how do you see GDPR in your framework?

>> MODERATOR: Okay.  Thank you.  Stefan, would you like to start with the question directed at you?

>> STEFAN SAATMANN:  Yes.  Thank you very much.  So coming back to the question from you from Off Com, yes, of course we checked internally our supply chain and our supply chain management, and Siemens has a diverse business portfolio, infrastructure and mobility and also in the Stratcos and wind industry and the like.  And so these different verticals have different supply chain situations and what we have been doing is that we followed our approach.  So we first take a risk analysis, finding our, let's say, suppliers which are critical for us.  And then we, of course, made a check and, yeah, there have been some cases in which suppliers have been noncompliant.  So we sit together with them.  We talk with them.  And we are now in the phase of let's say rollout of these baseline requirements.  So, of course, we offer some time for them to qualify on that, and then do a reassessment in that, let's say, given time frame.

So it's not something you can roll out and just copy the baseline requirements on your website and that's it.  You, of course, have to engage with the supply chain and this is the approach we take at that time.

>> MODERATOR: Thank you, Stefan.  Jacques, did you want to answer to that?

>> JACQUES KRUSE-BRANDAO: Maybe to the other question, starting with the GDPR.  Privacy is one of our, let's say achievements we wanted to have as part of the requirements in the supply chain.  So it is part of that.  Simple.

Of course, we have a European law on this.  It's the GDPR, the global ‑‑ the General Data Protection Regulation.  And we need, of course to fulfill these requirements, and GDPR is quite a good example, because it's already an achievement in terms of harmonization in Europe.  And, of course, we would love to see this in many more countries in the world, because we are looking, as I mentioned before on a global level and we want to have a harmonized ‑‑ those harmonized norms on a global level because our customers are selling their products on a global level in different regions and different countries and into different legal systems.  So we are facing ‑‑ or our customers are facing the challenge that they need to comply to different rules based on different ‑‑ different regulations.

And this is something coming to the second question on Charter of Trust and norms.  As we miss those harmonized norms in the world, we started to sit together and generated those baseline requirements.  And then we mapped it to whether we have existing norms in place, like ISO 27001, just to mention one and there are many more and some are in development, like 62443, no one exactly knows what it means to IoT devices, for example.  So we need to find it out together and to implement it in the market.

And this is not only important here related to the European cybersecurity framework but also to the requirements in Japan, to the requirements in the US, and in the US, for example, we see now the California IoT law, but that is only California.  So what is it about the other states in the US?  How do we deal with that?  How do companies deal with that?  We are just the ones who support those companies in ‑‑ in certifying, for example, or in verifying testing, that those requirements have been ‑‑ have been implemented properly.

But what exactly do we need to implement?  This is usually the question that the companies are asking and we still have a vacuum here.

>> MODERATOR: Thank you, Jacques.  Laurent, would you like to take the question on software regulation?

>> LAURENT BERNAT: Yes, thank you.  So I'm not exactly sure what you mean with the "regulate" word, it may have different meanings in different contexts.

If you mean government regulation, putting mandatory requirements, I don't see ‑‑ I don't see any appetite for saying open source is better than ‑‑ this is an old debate and I don't think anyone wants to open that box.  We are beyond that now.

But what ‑‑ what we can see is that ‑‑ what we want to avoid is to have, I would say, a reaction from governments facing the stress of cybersecurity becoming always more urgent and important.  Saying, well, let's regulate it and do it in a way that will make it, for example, secure by design.  Because we have to ‑‑ we have to be very cautious with the terms and the concepts used in ‑‑ used in the business world, because they tend to be interpreted in a ‑‑ in a very smart way in some cases, but in a very simple way and basic way in some other cases.  So you will have some policymakers saying, well, okay, make it secure by design and that's going to solve the problem, right?

So ‑‑ and so I make a regulation that software should be secure by design.  And it's your problem, business, to do that.  Of course, they did not understand the concept of security by design, which is not an end.  It's a process, and it's not because you have implemented security by design processes that your product ends up being secure, fully secure by design.  You never have 100% secure products.  You always need to come back to it, which is why you have also to take into account the life cycle of the product, when the product is already in the hands of the customer, you ‑‑ you need to continue to pay attention to the security which is very complex for business.

This is a level of complexity that some policymakers understand, but not all of them.  So the terms and the concepts are, we have to be cautious with them.  I'm not sure there is an appetite in the most advanced countries, those which are leading the debate here.  I think they probably understand that jumping at regulation and, you know, going fast and it's not the way forward, because they have an industry and they don't want to undermine their software industry.

So they have that level of understanding.  The devil is in the detail and the complexity.  They really ask the question, how do we do it then?  We have to do something.  It's not just regulation that will freeze the market or just undermine our own industry and ‑‑ and stifle innovation.  How do we do it?

And that's where it becomes more complex and we have to do work to understand how to do it.

>> MODERATOR: Alex, I think you wanted to direct to that.

>> ALEXANDER WOLF: Yes.  And I take the freedom to put this on a bit more abstract level.  I took three points from this.  One is the government involvement.  The second thing I would say is the complexity in implementing these things and being forced to implement some stuff.  And the last one is fines which can be put out by the government or in other ways.

Let's start with the involvement of government.  Our past experience is that negotiated agreements.  So the voluntary approach to things often work, which also means in some cases, especially if there's a lot of money behind an opportunity, they don't work.  So I think it makes sense to have, like mentioned on product safety, we have a couple of things this would never have happened without product safety requirements.

Or like the equipment directive and so on.  So we recently had a session with an advisory council in Bavaria for economic advisory council and I was honestly surprised that from the audience came a lot of questions asking for certification and asking for rules how to certify, and what came up in this discussion was also ‑‑ which doesn't come naturally for me, because I have to admit, I have only been in this tech industry for eight months, yeah?  And I have been over 20 years in the industry, and usually you will try to avoid spending money if you are forced to doing it.

But what they were looking for is a level playing field.  They wanted to have some standards and they wanted to have a clear guidance on what can I measure against.  So that's the topic of government involvement.  So I think sooner or later, and when you speak about software, you can also go further.  You can speak about algorithms, yeah?  Autonomous driving, et cetera.  Complex field but I'm really happy that the Charter of Trust has started this because how do you start a journey?  With the first step.

I think is not only a first step but a giant leap, which has been done by Charter of Trust.

Which takes me to the second topic.  The industry and our customers is the main point, what's the complexity?  I mean, you have, like I mentioned PED, missionary, global directive, you have T3G conflict, and tons and tons and tons of standards, and ISO9000, IOTF and whatever you need.  That's why I also appreciate the fact that CoT has mapped them into what the Charter of Trust is asking for.  This is not inhumane.  That's why it's called a baseline requirement.

Which takes me to the last point, fines.  As we said or as I said in the beginning, voluntary commitments sometimes work, but sometimes you need to fine.  And fines can come from government, but from my own experience, I can tell you the worst fine is if you don't get sourced from our customer.  And that's, I think, the level which Stefan has indicated.  It's pretty common that fulfilling some standards or certain standards and adhering to them, and sometimes also proving that you adhere to them, is your ticket to dance.  If you don't have that, you are out.

And I think that's the ‑‑ probably that's the toughest thing, which can happen to you, even, of course, government regulations help sometimes, but it's not necessarily needed.

>> MODERATOR: Thank you.  I would now like to turn to our online moderator to see what we hear from the community out there.

>> Yes, thank you.  We have one question from our online forum.  It's asking, are there any plans to involve other companies from other sectors?

>> MODERATOR: Jochen, would you like to take that and Charter of Trust, open for new members?

>> JOCHEN FRIEDRICH: Yes, absolutely.  And we already have quite a diversity of sectors anyway.  Yeah.  And for sure.  It's not a ‑‑ not a closed ‑‑ not a closed club.

>> JACQUES KRUSE-BRANDAO: We also publish everything what we decide is for us important, and we encourage other companies and SMEs to follow those requirements, right?

It's not only about ‑‑ and it should not start with the purchasing department asking whether you have ‑‑ can you show me the certificate XYZ.  It should start with taking the ownership.  It should start with taking the initiative, putting cybersecurity on top of the agenda of the management of all of these companies, SMEs and not only corporates, and down to start‑ups.

So even a start‑up can take initiative and secure its solutions and devices and whatever they are developing.  And it could be part of an innovation process, and should be part of an innovation process today, and I very often hear that start‑ups, they do not have the ‑‑ the money for that, or they do not ‑‑ should not take care of cybersecurity, they should take care of their application.  But on the other hand, their financial report or unifinancial report they are not doing themselves they are asking a third party.  Ask for help.  Ask for help and they are really outside.  Yeah, to mention it, there are hackers in the field, who can help you.  And if you do it right, I think every investor will appreciate that.

And I even learned yesterday from a discussion with the investor that the ‑‑ how do you call it?  The definition of the money of the ‑‑ of the ‑‑ how much is the company ‑‑ or the value of the company was also based on the ‑‑ on whether they should ‑‑ or would be able to cope with the cybersecurity topics.  This was an important topic.

>> MODERATOR: Stefan, please.

>> STEFAN SAATMANN:  I think we have associated partners in the Charter of Trust and we have launched the ‑‑ we have members of the Charter of Trust, first layer and the second layer is the associated members, which are academia and think tanks and regulators and we also start to think about the Charter of Trust community, which then is what ‑‑ what Jacques just said with SMEs, with start‑ups.  So all of the environment.

So I think, yes, it ‑‑ it will stay exciting.  So stay tuned, I would like to say in answer to that question.

>> MODERATOR: Thank you very much.  Before we turn to the second focal point of this panel which is education, I just wanted to open the floor once more for question, if there's anything else you would like to ask on supply chain security at this stage.

Yeah, one follow‑up question we have here.

>> AUDIENCE MEMBER: Follow‑up.  What happened today is that you blacklist.  Yes, I want a 5G network but don't choose Huawei.  So you say that education is tough if you refer to, for example, to the economist, he says in terms of sovereignty, I already asked the tough question.  When I build my 5G network, on which ground is it built, and do I keep my sovereignty or not.

The question is just starting to tilt the head and I will make a parallel with open sources.  In the driverless community, it's most effective IoT, if you want.  The industry after having made many mistakes, recognized that, ah, we have been stupid, because we have done 1235 in the same bucket.  And now we play, we have autonomous vehicle and the rest is assisted driving.

And this clearly under the leadership of Mobile, we will have an engine which will be open source and they are pushing into this open source standard, in order to solve the issue.  So my point is that I don't see if you do that under most sophisticated IoT, which is the driverless car, why don't you do it on the very unsophisticated home device and things like that?

So for me, open source is a solution.

If you have another one, please spell it out but the urgency is there.

>> MODERATOR: Thank you.  Any other question in the room?  That is not the case.  Do we have an immediate reaction from the panel to the last contribution?  Jochen.

>> JOCHEN FRIEDRICH: I will try.  I agree with you and I don't agree with you.  So regarding urgency, it's not, I would say, it's not that we are currently at a decision or at a point where you say, do nothing or do things.  It's a continuous process.  If you look at cybersecurity or IT security standardization, this has been going on for many, many years and has been steadily improved.  The standards have been refined and improved and new technologies are there.

So it's a continuous process.  It's not that we say, okay.  Now we need to start or we don't start.  And this is also where the Charter of Trust takes its starting point and says all of these requirements we identify.  Some of them have already been there for a long time.  Others are maybe new requirements, where we say we need to put more focus on this aspect, this aspect, this aspect.

Also, the risk management approach, the different levels we take is something that is moving on and is moving on with high speed.  The industry does invest a lot in this and gives high attention to it.  I don't think it's the decision, do we not do it, or do we not focus on it.  It is urgent.  The urgency has arrived.  We mentioned here it's up to the highest levels in companies to the C levels to take this up ‑‑ the C level to take this up and take on the responsibility.  On this topic of open source again as much as I'm enthusiastic about open source in IBM.  We see that open source developments help to provide trust in some areas, but I would say you can ‑‑ it needs to be done well as well.

If you do open source wrong and if you do not consider the basic requirements you have to achieve security, then it doesn't help if you have open source or not.  I would not make this distinction that open source is safer, more secure than non‑open source software, right?

It's transparent, but if you implement ‑‑ if you implement the software in a running system, you need to implement it just as other software as well.  So it's important to do it right, and to have security as a ‑‑ as a key topic when you develop the software, when you manage it, et cetera.

>> MODERATOR: Thank you.  I think since we only have 15 minutes left, maybe we should briefly touch also on education system.  Jacques?  It's close to your heart.

>> JACQUES KRUSE-BRANDAO: I think on the urgency, it's really important.  While the processes are covered in many companies, but not in all, at all, we see now 7 billion connected devices but we know about numbers of ‑‑ expected numbers, of 30, 50 or up to 200 billion connected devices and we do ‑‑ if we do not act now, how many vulnerable devices do we expect on the market if we do not act now?

Yes, we do ‑‑ we need to act now.  The urgency is there, and ‑‑ but we need to do this on an ‑‑ on a harmonized and joined approach.  That's why it's important.  That's why we are discussing with all the governments in this world to have this level playing field.  On one hand we call it the baseline requirements and then, of course, going up, based on the risk approach and then also to have harmonized standards.

And by the way, to these open source topics, I think there's no software at all which does not contain open source today.  Yeah.

So we need to deal with that anyway, and we need to ‑‑ and how to ‑‑ how to check whether implement ‑‑ things are implemented properly, and so if you look to devices, many vulnerabilities are because security features are not implemented correctly.  So even the chips offer a good functional set of features, but if you do not use them properly, the end devices will be vulnerable.

And that's why you need to ask third parties to have a look at it and emulate it and give you feedback and you can correct it in the right way.

>> MODERATOR: Thank you, Jacques.  Alex, one century ago, our society started to grapple with the questions of communicable diseases.  We talked about that a little bit earlier, given that we had a couple of people that could not attend our panel.  An important building block was teaching the people about the basics of hygiene and it went down to showing people how to wash their hands.  There's a museum on hygiene, where you can see how this was done a century ago.

For cybersecurity, for digital security, what is the role of basic cyber hygiene of the people and how important is that in winning this fight?

>> ALEXANDER WOLF: This is a leading question, right?  This is definitely the most important thing and it has to start ‑‑ basically it has to trickle down from the top, yeah?

And this also reminds me a bit, sorry if I'm making the analogy, quality management, when this was introduced, and they would say, do you have a quality management?  Yes, we have a department for this.

Now today, it's instilled into the processes, going back to what Jacques said.  It has to be ‑‑ it's part of your DNA.  And this is exactly the same thing which has to happen and it can start actually on a very low level.  I mean very simple things, like don't click this button if the mail looks fishy.

And, of course, moving up and down in the hierarchy to make sure that you behave correctly and the other thing is enable the people to have their own judgment on ‑‑ to be able to assess what is my exposure in my very own context.  And this can go from using software to just applying something.

>> MODERATOR: Laurent, the basic cyber education, is that a task for industry?  Is it a task for the states?  Where does that sit?

>> LAURENT BERNAT: Well, I think it's both.  It's a task for everyone.  And it's a ‑‑ it's a task for industry.  It's a task for government.  We see ‑‑ well, historically this has been the first thing that governments have tried to do.  They started with awareness raising, actually.  There is a problem.  Getting the message across that there is a problem and that people should do something and they targeted this at everybody, users, end users, families, populations, businesses, SMEs.

Businesses have always played a role in that space.  The ICT sector has been quite active in promoting good practice.  So I think it's a shared responsibility, and ‑‑ and, yeah.  That would be my response, yeah.

>> MODERATOR: Thank you.  Jochen, how much cyber awareness do we see in board rooms today?


>> MODERATOR: Board rooms.

>> JOCHEN FRIEDRICH: Board rooms, I would say a lot.  I would say we see a lot of awareness.  It's one of the key topics discussed everywhere, I would say.  But still, there is the sense of urgency about cybersecurity, but there is a need to educate what you can do and how you can drive things forward and this is, I believe, what the Charter of Trust has put up as their key topic to take up this, if you like momentum.

And bring it further with education, with guidance, the community building that was mentioned, all of this is important.  There are maybe too many people who are still a bit sort of ‑‑ don't have a clear idea, how can I move forward?  What do I need to do?  And this is where we need to start.  And, yeah, help people also to take the responsibility.

Yeah, I think there's a lot of readiness to take the responsibility but there's guidance required on what everybody in companies needs to do and can do, how to move forward, how to take this responsibility, how to implement the proper steps to ‑‑ to get to better security.

>> MODERATOR: Yeah, thank you.  Stefan.  One question to you also.  You mentioned in your opening presentation, the emerging gap of cybersecurity experts.  What are the objectives that a Charter of Trust is setting itself there in this regard?

>> STEFAN SAATMANN:  Yes, I think companies take the approach, okay, what is the necessary and desirable level of education and what process?

So first of all, cybersecurity concerns everybody.  So all employees should be trained on a certain level, however, due to products and processes, we need to specify the training level as well.

So that's why we come to the special point of role and responsibilities, the structured approach which is currently under discussion within the Charter of Trust and it builds upon the IT management that we have.

What we in Siemens also do is the community network effect.  So we have an annual conference, an internal Siemens cybersecurity conference for three days, which brought the effect that this community is growing constantly, that the exchange between experts is growing constantly and so this is also an effect in education that we also really need.

>> MODERATOR: Thank you.

Jacques, maybe a question to you.  In industry, is there any consensus on what a cybersecurity expert looks like?  And are we making it easy for the education system to churn out the experts that we need?

>> JACQUES KRUSE-BRANDAO: Oh, this is interesting.  Yeah.

I think different roles ‑‑ and this is what Stefan said, it's about the role and the responsibility and, of course, the requirements related to cybersecurity training should fit this role.  We see a lot of certificates for different purposes in the markets.  There are plenty of opportunities to train.  What we are missing is that the companies send their employees to those trainings.  So this is something we need to promote.

And on the other hand, we all look for experts, and what is really missing is that universities are releasing more experts.  Recently I had a discussion with a German place that trains forensic experts.  How many do they release per year?  What do you think?

18.  Those experts are completely taken by the German LKA, which is the police force, and the businesses do not have any chance to benefit from those experts, right?  So we need more experts coming from different domains, not only from the IT department, but also from management, from economics; lawyers need to understand cybersecurity, what the requirements are in terms of contracts; purchasing departments need to understand what the requirements are.  They receive a catalogue, but they don't understand the catalogue.

So we need, again, norms or rules that make it easier for them in daily life to understand what is requested from the IT department, from the device manufacturing or the development department.  So I think that's the point.

>> ALEXANDER WOLF: If I may add to this.  This is a marathon.  In industrial service, when you check, let's say, a chemical plant or something like that, you have a graduated engineer who has gone through a pretty exhaustive education, and then afterwards it still takes this person five to ten years to be allowed to sign off the tests and checks and certify it, basically.

And now suddenly this person, on top, gets to challenge the cybersecurity.  Yeah?  So suddenly you have wireless transmitting sensors; how do you judge now?  What is the risk?  And this is even the next step, coming back to the question what is a cybersecurity expert?  You can have domain experts in the IT, but in the future and in the midterm, you will have to have domain experts with IT knowledge.

>> MODERATOR: Thank you.

We are almost running out of time for this session.  I nonetheless wanted to turn one last time to the audience whether we have any questions with relation to education.  Yes, one here in the front?

>> AUDIENCE MEMBER: Do you see the use of realtime auditing with the monitoring software?  For example, Bitside technology, they look at your assets and give you a security rating and you can focus on the red dots.  You can focus them on exactly the stuff they need to do, and so it's realtime and it's data-based and not only awareness, because it's ‑‑ you will never manage that.

>> MODERATOR: Jacques?

>> JACQUES KRUSE-BRANDAO: Maybe I will answer that from a supply chain perspective, we receive more and more requests from customers to not only look into the device, whether the features have been implemented properly but to look into the complete life cycle of the supply chain.

So looking at the production facility, which is probably somewhere in Asia, looking into the development department, which is in the US, whether access control is implemented.  Who gets access to the keys?  Who does the key management?  Is the key management properly documented?  All of this is important here.

And until the end of life of a device: if you throw it into the basket, what about the keys?  Or if you sell it on eBay, who will receive it?  And what do they ultimately do with the device?

>> These things are very important and need to be taken into account.

>> AUDIENCE MEMBER: There are a lot of systems running in the middle of Sahara, yeah.

>> ALEXANDER WOLF: This goes back to education.  A couple of CIOs I talked to, they didn't understand how a vulnerable web server can impact the robot in manufacturing.  Because it's disconnected.  I have OT and IT.  No, it's not that way anymore.  And I think for many people in the room, we are preaching to the choir, but we have to go to the people and approach them on the level of knowledge they have today.

>> MODERATOR: Against our best efforts, we didn't have much success this morning in bringing diversity onto our panel, but there's a question related to that, that I wanted to ask.  Stefan, how do you see diversity challenging cyber, or if you turn it around, how large is the untapped potential that you have?

>> STEFAN SAATMANN:  Well, I think diversity you can really bring to two different levels, yeah?  So when you look at the people who work in cybersecurity and bring diversity to that, I think we should engage all of the people to really choose a cybersecurity career path.  I think it's interesting.  We have to promote that.  We have to make it more attractive.

When you also look at the diversity aspect, in process, technology and people all together, I think this is something we should really focus on and, yeah, offer structures of ideas of our methodologies, also from an industry perspective, to really meet that bottom-up regulation idea.  I kind of like that.

And diversity, cybersecurity also on the board level, is for me connected to awareness, and this is also what the Charter of Trust is really working on, to keep the level high, rather than: now it's done, we know it all, and that's it.  It's constantly moving.

I think the last aspect I would put to that is also that we should really heavily engage to be a thought leader in that field, and to really also try to offer ideas and results and approaches to the wider public.

>> MODERATOR: Thank you.

Unfortunately, we are running out of time.  I think I would like to close with one round here, if I could ask all of you to make a short statement of what you would like the audience to take away from today's session, that would be much appreciated.  Jochen.

>> JOCHEN FRIEDRICH: And you want me to start?

>> JOCHEN FRIEDRICH: Okay.  I would say there's a high sense of urgency about the need for improved security.  The Charter of Trust provides a fantastic basis by identifying key requirements, supporting and spreading the necessary knowledge of what you need to know about cybersecurity.  We are strongly committed to driving this further and we are looking forward to others joining the community, taking it up, looking at the website; everything is available.  And it's a task for which we members of the Charter of Trust take a lot of responsibility, and we want to make this successful, because it's important for the industry to grow, to take up new technologies, and to have the necessary trust and reliability in the new technologies.  And that's important for the future of Europe and global trade.

>> MODERATOR: Thank you.  Jacques.

>> JACQUES KRUSE-BRANDAO: Well, perfectly, I can only add something.  I think it's really about encouraging you as companies, as SMEs, as start‑ups to make use of what we developed here in this group.  It's available.  It's mapped to certain standards, which you can fulfill, which you can show as a supplier to all of your customers, and as the tech industry, I think we are there.  We are a partner to you, yeah, to fulfill what you implied properly, and to support you to generate trust between you and your customers.

>> ALEXANDER WOLF: What I really like about the Charter of Trust approach is that it's really, really pragmatic.  It's going back to existing standards.  It's not re‑inventing the wheel.  It's not super complicated and I think it's an excellent foundation and guideline which should be applied to enable the people to make their own judgment in their very own context: what is the risk they are exposed to and how can they mitigate it?  And that's a classical thing with which the tech industry can help and also certify where required.

So I think this needs to be really carried out into the world.

>> STEFAN SAATMANN:  Yes, I think the two takeaways, one abstract and one concrete.  The abstract one is, and I connect it to President Macron, who says we will not get defeated by complexity.  We have made a start with the Charter of Trust.  We really offer results, and the second thing is that this was the start of an ongoing item.  Stay tuned and keep watching the Charter of Trust.

>> LAURENT BERNAT: Okay.  So self‑regulation works sometimes.  So it's good to see.  Sometimes regulation is needed.  Sometimes.  It should be well‑informed and it should be well thought through.  There are very constructive initiatives out there and the Charter of Trust is clearly one and it's very encouraging.  It's a private/private initiative.  This is a sign of maturity.

Perhaps ending with a positive message: when we talk about cybersecurity, in the media in particular, it's always a bit frightening and scary, and rightly so.  Some level of that is needed.  So we have a sense that, you know, oh, we are lost.  Well, there are also some positive messages, and the Charter of Trust and other initiatives that bring together stakeholders to progress and to build trust are really a sign of going in the right direction.

There's still a lot of work to do on the skills and other areas, but really we should contribute to and leverage this type of initiative and ‑‑ and need the dialogue with the policy level.  That's my angle.  I think the input from the Charter of Trust to the policy level is particularly important, and I'm sure we're going in that direction.  So it's a very positive takeaway.

>> MODERATOR: Thank you, Laurent.  This brings this panel to its end.  I would like to thank all of you for your contributions and all of you, our audience, for your interest.  I hope you enjoyed the discussion, and please join me in a round of applause for our speakers.

Thank you.