Cybersecurity Outlook 2026: the view from Interpol and the threat to ‘OT’

This transcript has been generated using speech recognition software and may contain errors. Please check its accuracy against the audio.

Robin Pomeroy: Welcome to Radio Davos, the podcast from the World Economic Forum that looks at the biggest challenges and how we might solve them.

This week I'm joined by the head of the Centre for Cybersecurity at the World Economic Forum. Akshay Joshi. Akshay, how are you?

Akshay Joshi: Thank you for having me.

Robin Pomeroy: Well, it's a pleasure to talk to you. I know you're very busy in the run up to Davos, and in the run up to Davos, you've produced this Global Cybersecurity Outlook. Tell us what that is, and maybe give us a flavour of what's in it.

Akshay Joshi: So the Global Cybersecurity Outlook is our flagship publication on cybersecurity that we publish each year ahead of the annual meeting in Davos, and it really puts a spotlight on what to expect for the year ahead in cybersecurity.

So this year's report is really interesting because it looks at a number of converging factors that are having a significant impact on the cybersecurity landscape.

So AI is definitely supercharging both sides of the equation. Equally, geopolitics has become a defining feature of cybersecurity strategies for the vast majority of organisations. The one that concerns me a lot is the rapid emergence of cyber enabled fraud, and this is really impacting CEOs and households alike.

Robin Pomeroy: So this is report, people can find it online, it's a survey you've done with because you're working throughout the year not just around Davos with companies and with indeed law enforcement organisations as well tell us a little bit more about the work of your centre what you do throughout the year

Akshay Joshi: Correct. To first talk to the survey and all, I mean, we we surveyed roughly about 800 odd respondents for this particular report, with over 100 CEOs providing responses as well. So it's very rich from a data standpoint.

But you asked a good question about the work of the Centre for Cybersecurity, and obviously the report is a big part of it, but we do many things beyond that.

The flagship meeting of the Centre for Cybersecurity is the Annual Meeting on Cybersecurity, which we host each year in Geneva. Last year was a bit of an exception to the rule when we decided to do it in Dubai, but we will bring it back to Geneva from the 5th to 6th May in 2026.

Equally on a year-round basis, we work on a number of initiatives which are aligned with the strategic priorities of the centre. So we work on cyber resilience, which is one of the big pieces of work, especially if we look at today's day and age where incidents are fairly rampant.

Organisations know that at some point or the other either they've experienced attacks or they are going to, and therefore the notion of resilience becomes very important.

So we work with organisations to see what are the best in-class strategies and what organisations should be doing.

Equally, cybercrime is a really growing issue with cyber enabled fraud being one part of it. So the Partnership Against Cybercrime Initiative that we have has been working on issues related to cybercrime for the past many years, also led to the creation of a really impactful initiative, which is the Cybercrime Atlas, that we've also spoken about in various formats previously. And then if we look at the emergence of new technologies, right?

So we look at quantum computing and all AI coming into the mix. The CISOs, the chief information security officers, that we work with, so they're so caught up with the here and now that there is a huge degree of appetite to learn more about the shifts, but very limited time to be able to figure out the ramifications on their own. So that's where the Centre for Cybersecurity also plays a key role because we take it on ourselves to understand some of the implications of these new emerging technologies and how we can help leaders take actions to ensure that they stay cyber resilient as their organisations embrace these technologies.

Robin Pomeroy: Mentioned a couple of things there that we'll be hearing about in these two interviews. You mentioned the annual meeting on cybersecurity, and I was at that meeting in Dubai and that's where I did these two interviews. So I'd like you to introduce the first speaker. I actually did this interview with your colleague Giulia Moschetta, who who works with you in the centre. And Giulia and I spoke to Neal Jetton. Tell us who Neal is.

Akshay Joshi: Neal is the director of cybercrime at Interpol. He's been a great collaborator through the Partnership Against Cybercrime initiative and equally been very committed to the work that we do with the Cybercrime Atlas.

Robin Pomeroy: Right, well let's hear our interview. This is me and Giulia talking to Neil Jetton, Director of Cybercrime at Interpol.

Neal, how are you?

Neal Jetton: I'm good. Yeah. Thank you very much for having me.

Robin Pomeroy: Everyone's heard of Interpol. We imagine this is the international communities of police agencies fighting crime. Your part of that is fighting cybercrime. How is that different from any other kind of crime?

Neal Jetton: You know, I'm biased. So I would say that across the globe it's probably the most pressing challenge that we have.

And I don't just say that anecdotally. We we have these regional conferences where we go across the globe and we'll we'll focus and have these big meetings with heads of police from both in the Europe region this year. We went to Cape Town for the Africa region, and then a few weeks ago we had the Asian Regional Conference in Singapore. And whenever they're asked, you know, inevitably they're asked like what are the biggest threats that you are seeing? It is always cybercrime.

Now cybercrime is, it's a massive umbrella. It goes from ransomware, malware, extortion, sextortion, you know, online scams. So it covers a huge variety of crimes. But I would say that that that is it. I mean it's it's so varied. Everybody knows about it, everybody could be a potential victim. And yeah, we focus on that every day with my with my team.

Robin Pomeroy: It's great to have you here because everyone's heard of cybercrime. As you say, it can be individuals as victims of it, but also companies, governments, organisations. And we'd really like to hear from you some specifics of things that people might have heard of in the media and maybe get a bit of the backstory. Giulia, you had a question for that.

Giulia Moschetta: Yes, perhaps if you could tell us a bit more about Operation Serengeti, because it's been a lot in the news lately.

Neal Jetton: Interpol, for those that may not know, we have 196 member countries. That is across the globe. That is a very wide membership. And so looking at operations across the globe requires us to really focus on like a wide variety of threats. Whereas we can kind of dial down into different regions and and focus on threats that we're seeing specifically to a specific region.

So Serengeti is an annual operation that my team conducts with focus supporting member countries in the Africa region. So this year we had Serengeti II. It's a little bit misleading. We we changed the name of it last year, but we've actually done this operation for several years. But this year we had 18 African countries plus the UK join forces with this. And on here we we kind of looked at a suite of of cybercrimes, specifically ransomware BECs [Business Email Compromise], online scams, and we helped those member countries in the Africa region who participated go after those specific targets and threats.

Giulia Moschetta: And perhaps can you tell us a bit more about the role of the private sector and of the Cybercrime Atlas? And for our audience, the Cybercrime Atlas it's an operational collaboration that is hosted at the World Economic Forum and that was launched out of the Partnership Against Cybercrime.

Neal Jetton: Yeah, so I will just say, and and I tell this to Interpol headquarters and anybody who will listen, that to successfully combat transnational cybercrime, it requires partnerships.

And the World Economic Forum, the Cybercrime Atlas, has been a very, very good partner. So we partner with, you know, academia, private sectors, organisations such as the WEF.

Law enforcement, you know, we have our hands full, day-to-day, putting out fires, taking, you know, helping victims, making them whole, investigating pretty much what's in front of us as far as those cases.

Private sector though, they can see you know, out ahead. They can see what the emerging threats are, plus they have the tools and capabilities that a lot of law enforcement do not have. And so what World Economic Forum has is a great partnership with with a lot of different partners, plus they themselves will then come in person to you know our operational coordination meetings. They did that at least twice this year, where they bring out personnel and they will conduct tabletop exercises to those law enforcement that we bring in for those specific operations.

So as for the Cybercrime Atlas, yeah, I mean they're looking at the cyber threat landscape. They have been very, very good partners with us for the last couple of iterations of Serengeti and some of the members of of Cybercrime Atlas are are also partners with us through our gateway initiative.

Robin Pomeroy: Just on Serengeti then for anyone who didn't see that news story, I'm just looking at some figures here. It was at June and August of 2025. There were over 1,200 arrests. There was 97 million dollars in stolen funds recovered. So it was and across all those African countries.

So is this something that Interpol does regionally? You decide, okay, we're going to have this crackdown, see what we can find, and actually then in the real physical world, police are going in there and making arrests.

Neal Jetton: Yeah, so I mean we listen to our member countries to figure out what the threats that they are seeing. So every year we will do a cyber threat assessment. This year we did it for the first time across the globe.

We have funding though specifically for the Africa region and Asia South Pacific region. So we're able to create full-blown cyber threat assessments for those two regions.

Earlier this year we had the 2025 African Cyber Threat Assessment. We're currently in the finalisation, final stages of finalising the Asia-South Pacific threat assessment.

Here we will actually ask law enforcement, what threats are you seeing, what are you dealing with on the ground, and then what issues are you having when it comes to combating cybercrime? We will then also ask our private partners, typically through our gateway initiative. It's a it's a formal information framework for information sharing. We'll also ask them what are what threats are you seeing on the networks that you're monitoring in these regions.

And with that, then we can inform our operations and and make them more tailored. And so that's what we did. Serengeti, we talked about multiple different we went after multiple different crime types, but this year one operation that we did was operation secure. So it was the very first time that we did a regional operation in Asia South Pacific region. We did it earlier in 2025. We were able to bring together 26 Asian South Pacific countries, and here we targeted not not a variety of of cybercrime types, but we actually went after infostealer malware because we saw that that was a big threat in this region, and we did we were very, very successful in supporting our member countries who did an amazing job of taking down infrastructure and arresting arresting bad guys. So that's typically how it works.

One thing that I do want to highlight though, about Serengeti is that two years ago, in 2023, the Serengeti operation yielded I think 14 arrests. Two years later, it's 1,200 arrests. And that is not because of my team primarily. I think it's because the buy-in from the law enforcement on the ground. They see that what we're doing, they participate, and that is the huge part.

But the other thing that we have done is before every operation we will have a coordination meeting where we would bring together those countries that are going to be part of the operation. And for Serengeti we had it in Seychelles. And we'll bring relevant private sector partners in, we will bring organisations such as the WEF, and we'll actually go over the threats that they're going to see, how the law enforcement will best combat them. And then at the end of those two weeks we will then kick out everybody but law enforcement and just focus on the operation at hand.

And I think that coordination piece plus the buy-in has really increased the effectiveness of our operations.

Robin Pomeroy: At a meeting like that, are you satisfied that the police agencies around the world have a handle on the threat? Or do you have to every time you have a meeting like that start from, okay, here's a new thing that you've maybe not heard of? I mean, what what are the what are these levels of understanding around the world?

Neal Jetton: So, you know, I mean, so I'm an American. I was, you know, I've gone through law enforcement there and I can see the resources and the funding that we have. But what being cybercrime director of Interpol has given me a perspective on the other countries.

We are, my team is based at the Interpol's Global Complex for Innovation in Singapore. Singapore does an amazing job combating scams and cybercrime. They do have a really, really nice suite of initiatives. But a lot of countries just don't have that funding. So really it depends on which country we're focused on.

I think every country is aware of cybercrime. I think every country is focused on that. It's just what are the resources and funding that they have to actually put towards that, you know, towards that problem. And I think it's just it's an unfair fight in a lot of cases.

So really it just depends on the region that we were looking at. How I say it, and I just it's a cliche, but a rising tide raises all boats. I really do think that helping member countries no matter where they are become better crime fighters against cybercrime helps the global population.

I mean, because you can have victims anywhere at all. So I really that's how we think.

But I'll say that even the operations, once we're finished, it doesn't stop there. I mean, we constantly think of how we can improve the effectiveness of what we in Interpol are doing to to help our member countries.

And so next steps are, you know, some of the things that I'm focused on is after an operation, the law enforcement seizes a lot of electronic devices. So what do they do with those devices? I think a lot of law enforcers just don't have the tools and resources to then go out and do the forensic analysis. So that is the next step is is to figure out how we can find the funding and the tools necessary to continue the operation because I think what you leave behind with that is a treasure trove of evidence.

Robin Pomeroy: Probably all the time now, there are cyber attacks on airports, on hospitals, on factories, on energy systems. One that stood out to me in recent weeks, and I'm British, was this this cyber attack on a chain of nurseries, which I think surprised a lot of people. It's like what what are they hoping to get out of that? I assume this is some kind of blackmail crime going on here. But is that a new thing? What can you what can you tell us about it?

Neal Jetton: So maybe it's I think it's the first nursery that I've heard, you know, being actually targeted and attacked. But it's not, but that whole field of of of targeting potential victims who are willing to pay not to have information shared is not new.

So you look at cyber criminals who have targeted school systems, they have targeted hospitals, and a lot of times it's not the fact that they're trying to steal like financial information from those those places, but what they're trying to steal is something just as valuable, and that's information that those organisations do not want out there.

Especially, you know, children's personal information. No one wants that. So yeah, so then what the cyber criminals, you know, typically do is they'll put a ransom and say, hey, pay this and you know, extort for money.

So no, it's not a new like strategy or crime type, but I would say that it's the first this is the first type of target I've seen with with children's nurseries.

Robin Pomeroy: And it's something you expect more of?

Neal Jetton: Yeah, I mean I you know, I mean criminals are opportunistic. So if they see that it was successful and I and I'm not sure, you know, that the the specific details behind the scenes on this, but if if they were successful, yeah.

I mean they will look, you know, a a lot of times I think because a lot of these companies, you know, especially like a children's nursery, they're probably not going to have the biggest, the most advanced cybersecurity posture, right? And plus they know that they hold information that could potentially be very, very valuable. So yeah, I mean again, criminals financially motivated, opportunistic, so they're going to take advantage where they can.

Robin Pomeroy: Do you happen to have any advice for like small companies, even for individuals or families?

Neal Jetton: Yeah, so I'll take it from a company perspective. I mean obviously you know everyone's aware of this. It's not I don't think anybody's turning a blind eye. It's just a lot of them don't have, you know, maybe the means or the the resource, the expertise.

You know, multi-factor authentication for any sort of passwords, obviously, you know, do the normal things like patch your networks and things like that when they come out. But also I would say like your your IoT devices, like your cameras that are in nurseries and things like that, to make sure that they're not using a default password. Like to actually look at those because that too could be potential information that could be used for extortion.

And as far as a parent, yeah, I mean it's the it's the greatest fear, right? Is having your child's children's information, photos out there. It's again, if they can log in some from some like parent facing profile to make sure that they're using multifactor authentication for that. Again monitor, if they're old enough to have their own children's like profile out there on the internet to look to constantly look for that.

And then to ask the question to the nursery in this case, to say, what are you doing to secure my child's information? And just make sure that you're only providing the information that's like minimally necessary for for whatever purpose is you know they're asking for.

Giulia Moschetta: Cybercriminals are very opportunistic and also they're rapidly evolving and we see how they're taking their advantage of AI, they're exploiting AI to also advance the techniques. How do you see cybercrime evolving through through the use of AI?

Neal Jetton: Yeah, so I mean AI, AI, AI. We hear it, you know, all the time and you think, oh, it's you know, it's like, well, computers are a fad, AI as it's not. I mean, it's here.

And so of course, from a law enforcement perspective, we're always gonna be behind the curve on on tech. It's just not something that we get to spend a lot of money and funds on up front. So we kind of depend on private sector partners to do that and to assist with.

So yeah, so I see criminals obviously they're using AI. It's it's here.

Primarily what we're seeing, I think across the board is just the use of AI in the in phishing emails, they improve the scope, efficiency and and scale of them, especially the scalability. Now you can send them in in in quantities and whereas you used to be able to like maybe say, the the language is wrong, the punctuation's wrong, there's something here that's just not correct. That's no longer the case.

In fact, what we've seen through some of our cyber threat assessments is that across countries we can see the same type of email sent, but it's actually being tailored for cultural specificity. So it's very, very good. So you think, no, I'm not going to fall for that, but I think we all are capable if it especially if it touches on something that's so targeted that maybe you know that we would believe in. So I would say that.

I do think though, we will see AI powered malware. We haven't seen that necessarily, we haven't had that reported from from our member countries yet, at least coming to us, I think from the private sector and some of the threat intel that they are starting to see that. So that is also something that that we are of utmost concern about.

Robin Pomeroy: What do you mean by that? Explain to us what is malware and what would AI powered malware be?

Neal Jetton: So instead of a human being actually creating malware, which is a which is code that actually will do something kind of nefarious, usually like obtain information, send it back, like infosteeler malware criminals will use to connect to some sort of, you know, a a victim's device, and then it will send back its financial information back to like a C2 server or something like that. So this time instead of a human being actually having to go in and code it themselves, they can actually have a you know, some sort of AI software actually create the malware for them.

Robin Pomeroy: You don't have to be a great coder. Again, the thing you said before, you don't have to be great at writing fake emails anymore because you can get a robot to do it.

Neal Jetton: It just lowers the bar. I mean it lowers the bar for like that technical savviness that you know criminals used to need.

I mean it's not just that, it's not just AI, but now you have these crimes as a platform kind of services where you can go in and you can just whatever you want to do. Scams as a service, AI as a service, ransomware as a service is is a big one. And you can actually just go in and pay money and have someone else who's generated this stuff and then you just go out and you know deploy it.

So yeah, that's something that we've we've definitely seen. I think that's the big thing, is just criminals increasing the scale of their activity through AI, but also decreasing the level of technical ability needed to actually conduct these activities.

Robin Pomeroy: Is it something you've been working on, Guilia? AI and cybersecurity?

Giulia Moschetta: Yes, definitely. That's something that we're looking at closely and also some of the things that Neal was mentioning. We see it in when it comes to scams and cyber-enabled fraud that you know it is in the in favour of offenders because they are they're using it exponentially and so we're always on, you know, the back foot and trying to fight back. But we're trying to do more also to prevent it like systemically.

Robin Pomeroy: I wonder also deep fakes, is that something you're seeing coming through now? There have been even a couple of years ago and we see this stuff getting better by the week rather than by the year, you can actually be called up by a colleague or even a member of your family, even on a video call with voice cloning and video cloning. Is that already a threat? Is it something that's coming?

Neal Jetton: Yeah, of course. And we have several of our member countries who've identified the you know, deep fakes, extortion, those sort of things as key areas of interest for us at Interpol and CyberCom Directorate and other directorates to focus on, you know, to help them support. So yeah, we've seen a huge increase in some regions and especially in sextortion attempts.

Robin Pomeroy: How do we guard against it?

Neal Jetton: Obviously I think the the the biggest thing, especially as I mentioned for cybercrime, is to get the word out. I think you have to do the campaign awareness and sometimes I'm like, oh, you know, another two week, you know, awareness campaign, how how much is this is this effective? And doesn't everybody know at this point, you know, to be careful. I mean 60% of the world walks around with a smartphone.

But you would still, you know, I still think there's some some need, especially with vulnerable communities. So we had in in our cybercrime directory, we just had a a webinar focused on youth cyber hygiene. And initially I was like, Oh, another another youth cyber hygiene kind of you know, public service announcement. But you know, I sometimes I just keep my mouth shut and just go, yeah, no, that that worked. Six hundred people signed on to this, you know, so as parents, teachers and and students, so there's clearly a need.

And as a parent myself, to a child, teenager who just got his first smartphone last year, I mean it's something top of mind I've had lots of conversations with and his mother's had conversations with, to ensure that you know, a, responsible use but you use but also to be aware of of the threats that are out there. I mean it is I mean, you know, I didn't have to face those when I was his age and and now he's has to face them, you know, all the time.

Giulia Moschetta: And maybe can I ask you in this landscape, what is one thing that keeps you up at night?

Neal Jetton: Yeah, so I mean that's that's a it's a tough one because there's there's so much.

You know, I I think the thing that I think about a lot is just the sheer connectedness that we have at any one time. And especially as I mentioned children. I think that they're potentially vulnerable to all sorts of of crime type and and you know, we have to get the word out very very quickly and and early about about the threats that that we're seeing.

But I would say one of the things that we're focused on in my directorate for the past year is developing a project trying to increase the cyber resilience of critical infrastructure. So trying to bring law enforcement and cybersecurity agencies together.

So I was in Washington DC and working - I'm a Secret Service agent, so I was with the Secret Service in that in that protective capacity during the Colonial Pipeline ransomware incident. And I remember thinking this is going to have a major impact, not on just me personally, but operationally.

And that's always stuck with me. So we've developed this project we call Symphony in trying to bring together you know, on a large scale cyber security experts in law enforcement across the globe to start thinking about these problems hopefully before before they happen.

Robin Pomeroy: Where do you think things might be going now? You look ahead, we talked about AI. Are there specific things on the rise right now? Or do you get up and go to it every day and think, Oh, something new's going to come down the tracks to us?

Neal Jetton: Yeah, I mean, you know, there's always going to be something new. Any any sort of technology that's that's out there, I mean everyone talks about quantum, AI. Anything emerging is always going to be utilised by or tend to be utilised by cyber criminals.

It's just, you know, if there's a way to make an easy buck, they they will use that.

Mostly what I wake up every day, I have you know, it's just it's simply, it sounds, I guess, cliche, is simply to make progress with my team. And so I tell my team why we exist in the Cybercrime directorate is to help our member countries, support them to combat transnational cybercrime more effectively. And we do that every day through a wide variety of initiatives.

But I would say the strongest, you know, the best avenue for combating cybercrime is through partnerships. And so that is something that my team is focused on on expanding yeah, every every single day we work on expanding partnerships.

Robin Pomeroy: And that the transnational thing, obviously Interpol is the international police. I'm guessing with cybercrime, there's no physical borders, so it must be a particularly international form of crime, is that right? And therefore requires a lot of transnational collaboration.

Neal Jetton: Yeah, I mean it's you know it's it's unlike any crime type where you have a a criminal on one continent potentially using infrastructure, servers, computers, you know, networks located somewhere else, potentially targeting victims across the globe. So without coordination and communication, there is no way, no way we can combat this. So that is something you know that is why Interpol exists. It is to have that law enforcement touch point for 196 countries.

Robin Pomeroy: Neal Jetton, thanks very much for joining us on Radio Davos.

Neal Jetton: Thank you.

Robin Pomeroy: That was Neal Jetton, the director for cybercrime at Interpol, talking to me and to Giulia Moschetta at your Annual Meeting for Cybersecurity.

You mentioned and Julia mentioned the Cybercrime Atlas. What do we mean by an atlas exactly?

Akshay Joshi: Think of an atlas as a mapping exercise of the various cybercriminal actors that operate.

Now, what has been the classic challenge that we're trying to solve? Companies obviously have a lot of information about the threats that we face, but there are significant barriers when it comes to sharing of that information.

So, when we launched this initiative under the support of partners such as Microsoft, Fortinet, PayPal, and Santander, the idea was if we cannot share information that resides within organisations, there is so much that resides open source, OSINT, right?

So, how about we got the best brains in terms of threat response, incident analysis coming together to really analyse the data that is resides open source and discover some of the modus operandi of cybercriminal actors, the aggregation of these insights can be really powerful.

So that's what the Cybercrime Atlas aims to achieve.

As of today, we have roughly around 70 researchers from a host of organisations working collectively to figure out how we recover some of these insights.

Robin Pomeroy: Let's move on to the second and final interview in this episode. Also recorded at the annual meeting with someone called Robert Lee, who is the CEO and co-founder of Dragos. Tell us about Robert.

Akshay Joshi: So Robert has been a great collaborator within the Centre for Cybersecurity for many years now.

He's squarely focused on operational technology and securing operational technology.

Robin Pomeroy: OT.

Akshay Joshi: OT, as he would have said, which is actually a really fascinating domain. So I think classic cybersecurity foundations have all emerged from IT infrastructure, typically how do we secure our networks per se? But as you think about the threats that reside within operational environments, operational technology per se, there is not much that has been done so far, and the approaches are not quite consistent with IT security approaches.

Robin Pomeroy: Right, well this is a very interesting interview and exactly on that subject. I as a civilian on this, you're an expert on the matter, I was quite surprised at this notion that the operational technology, if you're a manufacturer, the technology that is your operations, the way you make stuff, or your power grid, the thing that's running that, that is vulnerable then to cyber attack. He's saying what you've just said is it needs a lot more attention going to it.

Akshay Joshi: No a hundred percent, needs a lot more attention but you know I mean you also have to think about familiarity with that complex infrastructure is also not something that a classic cybersecurity professional would have, right? So it brings in that additional layer of complexity and therefore there's a lot more effort that needs to go in.

Robin Pomeroy: Right, well let's hear the expert on it. This is Robert Lee of Dragos.

Robin Pomeroy: Hi Rob, how are you?

Robert Lee: Yeah, doing well, thanks.

Robin Pomeroy: What's Dragos then?

Robert Lee: Yeah, so Dragos is a tech and services company that focuses on protecting critical infrastructure and really the critical part of critical infrastructure. So what we would talk about is operations technology. So it's the systems that interact with the physical environment. So think traditional computers as well as specialised ones that operate everything from electric grids to data centre building automation controls and everything in between.

Robin Pomeroy: I guess operational technology is just an obvious target for criminals, right? And what are they usually trying to achieve? Are these usually blackmail things, we're going to shut down your operations until you pay us and then we'll allow you to start up again? Is that how it tends to be?

Robert Lee: We we see a wide variety of things. There's definitely some of the ransom style of it.

There's also intellectual property theft. If you think about manufacturing, you don't store your intellectual property in in an email. A lot of times it is the manufacturing process itself and figuring out how to take cheap quality inputs and make high quality outputs. So there's a lot of value there.

And also we see a lot of military and intelligence sort of positioning. So states that potentially could be in conflict with each other.

As an example, if the United States were ever to go to war with China, you know, you would expect to see and we have seen a lot of Chinese intrusions into US critical infrastructure pre-positioning and being ready for future effects.

So it's disruption and destruction. We've even seen an adversary a couple years ago that tried to cause an explosion at a facility in Saudi Arabia to kill people at that site.

So it's just a lot of different things you can do. And and the crazy thing is it's largely just been ignored before and so there's quite a bit of vulnerability there.

Robin Pomeroy: So the mission of your company on your website is to 'safeguard civilisation' from those trying to disrupt the industrial infrastructure going on every day. You're contextualising that as an existential risk. Do you really think that's what cybercrime is?

Robert Lee: So I think when you look at the field of cyber, there's a lot of things you could do and a lot of things that are worth investment, and protecting data and credit cards and things like that. And that and that's wonderful. I'm very glad that companies do that.

That's not our focus. All we care about is that OT, that operations technology. And when you talk about that, you're talking about the ability to hurt people.

And we've seen this where people have changed chemical levels in water. They've done attacks, they've tried to kill people, you know, the oil refinery I mentioned. You're talking about civilians and kids and families and local security as well as national security.

So I think when we talk about what we do in cybersecurity, it really is try to protect lives. And to that effect, yes, our goal is safeguarding civilisation, which means really two things to us.

It's not just about protecting the big players. Like we have a lot of free programmes and things that try to take care of a lot of the smaller infrastructure providers that otherwise would never get help.

But also I'd protect anybody. I think this has been slightly controversial statement over the years somehow. But I've always felt that like any 35-year-old mom deserves to go home to her five year old kid. So I don't really care what national origin you're in or what country you're in if I'm legally allowed to be there and protect infrastructure, we will.

Robin Pomeroy: So how do you protect it then? I mean, where do you even start? You've been in it for years.

Robert Lee: So a lot of these environments traditionally had been slight slightly segmented off from corporate environments. They weren't really cloud-enabled or anything like that. So there was a sort of a natural protection that existed in being disconnected and in being very, very bespoke systems. An oil refinery in Saudi Arabia, very different than one in Houston, Texas, very, very different than a water facility.

Nowadays, all that stuff is digital, it's connected, it's highly automated environments, and now there's a lot of commonality in those systems. We see a scalability in attacks that are taking place.

So the first thing is to get in there and just look around, see what's in there. So from an insight perspective of like what do you have in your facility? How is it connected? Who is it talking to? Just getting basic visibility into what you actually have.

And the moment people do that, they realise there's all sorts of gaps, issues, they thought that they were segmented off. Nope, turns out they're highly connected. Like there's a lot of sort of infrastructure work that goes into place after getting that visibility.

And then at the same time looking for the threats and actually being able to detect the threats when they're in there.

A lot of people imagine cyber attacks only to be based on malicious software and code and things like that. But in the world of operations technology, a lot of the worst things you could do is misoperate the equipment. Being able to use the environment against itself to take down the power like you could as an operator, to cause chemical changes as you could as an operator, to misoperate that equipment.

It's really important to be able to know when that's happening and not only be able to detect and respond to it, but if it happens, know that that's what took place so that the recovery can be done safely.

Robin Pomeroy: So it's kind of prepare, mend, fix those holes once you found them and then be ready for those attacks when they happen.

Robert Lee: Gain visibility, fix the holes, be ready to detect and respond to those threats.

Robin Pomeroy: Someone listening to or watching this who's not really been involved in this before, could you give us an example of any real life example that struck you as, wow, this was a big attack and this had a big impact? Kind of talk us through what happened and why and what what was done to fix it.

Robert Lee: Yes, so I was involved in the investigation in the in the 2015 Ukraine attack and that was the first time ever we saw a cyber attack take down an electric system. It was all the theorised before that.

Robin Pomeroy: So this is the electric grid for the country of Ukraine or part of it.

Robert Lee: Correct across across like three regions. They took it down around 60, 70 substations and and caused outages. And that one and the 2016 attacks, the they came back and did it again.

Across those two, it was a really interesting evolution. The 2015 attack was just the adversaries breaking in remotely and misoperating the equipment. Again, opening up a circuit breaker just like an operator could, de-energising the electric system, and then sort of digitally destroying the software and everything after the fact. So the power outage was only about six hours, but the real restoration and be able to get back up and running again fully was like a year. And so that's that's very impactful as you can imagine across an electric system.

What was super interesting though is in 2016, the adversary had sort of returned, and this time they took all that knowledge and those learnings about how to do that, because it had never been done before, and they codified it into software, malicious software malware, right? So they codified that knowledge into software that made it into something that was repeatable. And so that software which we call crash override is capable to do the same thing at like almost any transmission substation in the world.

And so the ability to take bespoke knowledge, cause disruption, and then scale it and make it into really a weapon that could be used across electric systems across the world, like that was a big moment in the industry for sure.

Robin Pomeroy: Do you find these attacks are very kind of focused and targeted or do they often go out of control? I'm thinking of the Stuxnet attack in in Iran against the nuclear facilities there from quite some time ago. From what little I remember of it, it had kind of overflow. Whoever did that, it probably had impacts that they weren't really intending or expecting.

Robert Lee: Yeah, there's there's definitely a lot of that that can take place. So a lot of the adversaries try to be targeted, not so much because they're just good people and want to be targeted, but because the more damage you want to do, the more specific it generally had to be to those targets.

Now, that's not true anymore, but that was at the time with Stuxnet.

And so Stuxnet only activated at the Natanz facility. It was it was written by lawyers almost of it, can only operate inside these parameters to actually cause the attack, which was physically destroying P1 centrifuges and having them burst from their caskets.

That only could have happened at Natanz. However, the malware itself was very capable of spreading, and because of some things they didn't understand when they wrote it, it was able to spread to thousands of sites around the world.

And so there's companies all over having to clean it up anyways. So it couldn't do the effect, but it was still you had malicious software in your systems and people had to not go clean it up.

So what we've since seen is because of that ability to scale attacks that now exists with commonality and digitization, we are now starting to see malicious software developed that can just be picked up and used other places. And so the real concern is not just that the initial attack gets out of control. The real concern is criminals and non-state actors who don't have the types of capabilities to develop these very sophisticated weapons, then end up finding and it proliferates to them. And then you start to have ransomware criminal gangs that can now go after an electric system or a water facility that ten years ago they wouldn't have been able to do that.

Robin Pomeroy: And is this malware that gets written deliberately to do these attacks, is that stuff other criminals can then buy?

Robert Lee: Yes, you know. So there's there's not as much good stuff out there that you could just pick up the shelf and buy, but the capabilities that do exist can proliferate very quickly.

So in 2021, Dragos worked with the United States government and an undisclosed third party and found a state actor had developed a capability that was very much their wartime capability. It was very clear that this was the thing they were going to use if they got into a war with the United States or NATO countries. And it was the first time ever we saw a capability that could be used across industries and be reusable and be something that you could use to cause physical destruction if the environment allowed it. You could use it on everything from unmanned aerial vehicles, servomotors to water filtration facilities to gas turbines. It's a fantastically scary capability called Pipedream.

And that capability really only exists now in the government that developed it, the US government has a copy, Dragos has a copy, and I think there's like one other security firm that has a copy of it. And we don't want to let it out because the moment that were to get out, that's a good example of something that anybody could just copy and paste and leverage.

And so it was the first time ever we saw something sort of take state level capabilities, bring it down to where almost anybody could leverage it, and it's not something you can just fix. There's not some vulnerability it's taking advantage of, it's just using native functionality built into these environments, and so it will be capable for years and years to come.

Robin Pomeroy: I guess you have to get yourself into a mind of a cyber criminal to you know what might they try next. So I'm not a cyber criminal, but if I were I'd try and find out what the dark web is and I'd maybe try and buy one of these. But another option open to me now, surely, is generative AI. I could say to ChatGPT, write me some code that will close this oil pipeline or, you know, disrupt this military function. Is that a genuine threat or is that still science fiction?

Robert Lee: I think that generative AI and AI in general is going to help accelerate people's knowledge in doing the research and targeting. Hey, what are the critical oil facilities in this country? Hey AI, have there been any known vulnerabilities against these systems? Or just sort of the research and development stage, I think it'd be very impactful.

The making malicious software to then deploy, I haven't seen any examples of it.

There's a number of security vendors that say there's examples. I've asked them for copies of anything. I haven't seen it. So I'm not saying it won't happen. I do think it's quite a bit hyped today.

The problem though is, and then where I want to be cautious on that, is things move so quickly, and defenders and the cybersecurity people, it takes a long time to roll out security programmes.

And so, on one hand, there's a little bit of hey, this may be a bit overhyped right now, but there's also the moment that it's not, you don't have time to play catch-up.

And so I think a lot of the industry is trying to get ready anyways, but it doesn't require this transformative approach. A lot of people think, well, if the AI, if the criminals have AI, then I have to use AI to do security. No, you don't. Like there's a lot of the fundamentals in security that are just valid no matter what your threat is. And so you got to be able to do those first.

You mentioned Stuxnet earlier is as capability that was developed. There's still most of the world's infrastructure that could not detect Stuxnet today. That's 15 years ago. And they still couldn't deal with that capability today. They want to talk about quantum encryption and AI and all this, and it's like, hey, go fix what we know, go be able to deal with the knowns, then we can talk about the unknown unknowns.

Robin Pomeroy: And does AI pose any other risks, I wonder, you know, organisations are all pushing, we're all being told, use AI, don't know what for, you know. Try and implement it. I wonder whether that potentially opens up vulnerabilities that weren't there before.

Robert Lee: Massively. So it one of the things is happening across the industrial world today, by large, again, oil and gas, electric, water, name your type of industrial facilities. All of them at one point in time were kind of segmented off. But you can't have a segmentation strategy and an AI strategy at the same time.

So all these boards are pushing and all the interesting data for the AI is in the operation technology environment. It's the manufacturing processes, the oil processes, et cetera. So they want all that data. And there's usually a desire to get it in and out of those facilities.

So these once upon a time systems that were slightly segmented off are now just completely Swiss cheese porous getting up to connect to the cloud infrastructure and AI models.

And so just by taking that AI journey, all the defences that they previously had are sort of getting lowered to be able to enable that journey at the same time that state actors and criminals know to target OT and how to do it now.

Robin Pomeroy: So what should organisations do?

Robert Lee: Rapidly look at OT security and and close some of those gaps. The same discussions of fundamentals of have a response plan. Like if you get attacked, what would you do? What would you need? What are the questions that you're going to need to get answered in lawsuits? Board filings, whatever for operational purposes, et cetera.

Develop a response plan, and then figure out what your operations environment and people will need to do to be good in that re response plan, essentially reverse engineer out the plan. Get the visibility of what's actually happening in your facilities, be able to detect the threats and close those gaps. And so that's that's just paramount for these facilities.

I think what scares most policy leaders I talk to and most military and and and national security leaders is about 95%, round numbers, but around 95% of all the security spend in the community has always gone to enterprise IT, the website, the computers, etcetera. Only about 5% has gone to the OT, where you actually generate revenue and have societal impact.

So there's this big shift that's got to take place very rapidly, and there's also just a shortage in the skills of the people that know how to do that.

So there's there's a big transformation taking place, but usually when we see it go well, it's usually a CEO-driven initiative.

Robin Pomeroy: Now on your LinkedIn page it says since February you've been a lieutenant colonel in the ninety first brigade it's IOSC, or tell me what that stands for in a moment in the Army National Guard in the US. What is IOSC?

Robert Lee: Yeah, so it's the Information Operations Support Center. So so in essence, so I was an active duty Air Force officer, tasked at the National Security Agency for years, got out, started Dragos.

But there's always been this one challenge that we just really haven't solved yet, which is what does it look like between government and private sector and really government getting on the same page across its various agencies to have a response plan to national critical infrastructure going down. So focus on OT, how do we, what what role does the government have, and how do we play well together and how do we deal with this? And on the the idea that there's a lot of geopolitical conflict and and and stress between countries, it was a big rush on we really need to get this right on OT nationally.

And so that problem has just never been solved and I was asked by someone in the field, hey, could you please come back and do this? I was a bit sceptical at first, if I'm being honest, of okay, I'm just going to actually be in charge of being able to deal with this and everything's just gonna work out and yeah, sure, I remember being in the military the first time, that's not so simple. But everything they committed to me, they delivered on.

So yeah, I'm Lieutenant Colonel down there, there's about a thousand soldiers across the brigade, and we're trying to enable them to be OT cyber defenders, but also developing out the national plan to submit back to Congress on what does this look like when done well and being given that opportunity has been wonderful.

So day job being CEO of Dragos at nights and weekends, being able to put on the uniform and go down to base and and get some work done, it's it's it's been fantastic and I think for anybody that has the opportunity to serve in some capacity in your country, whether it's military, whether it's Peace Corps, whether it's just civil service, whatever it is, I think adding that balance into your life is very fulfilling.

Robin Pomeroy: And so that raises the the question of collaboration across sectors, because the military could just decide to do this all itself. It sounds like it values not just your experience in the military, but your experience in the private sector here.

Tell us something about and we're speaking here at this cybersecurity meeting hosted by the World Economic Forum in Dubai, what are the benefits of bringing private sector, public sector, perhaps military and and others together? What can you win by that?

Robert Lee: So I mean collaboration is key, but it's always come down to the detail of how are we going to collaborate, right? And so there are certain areas that that organisations and people are the best in.

And I think one of the very first things that was important in this discussion on the US side, was to say, what are we not good at? Let's not pretend we can do everything. Let's not pretend we can do everything on our own. But what is our comparative advantage? What is the thing that we are really, really good at?

And if you look at the private sector as an example, m like all of the really good cybersecurity technologies have come out of the private sector. Government's just not good at building cybersecurity technology. Not national labs, none of them, there's not one national lab of cybersecurity technology that has come out of the US no matter how many congressional briefings they get, that has actually been widely deployed and used. It's always subpar to what the private sector can build in a competitive market.

So right off the bat we're like, we don't want to build our own technology. We want to depend on the private sector vendors.

Robin Pomeroy: Why is that? Is that just a mentality thing? Kind of the profit motive pushing? What is it?

Robert Lee: I think it's a lot of things, but I think it has a lot to do with the com competition. Like when even for my company, when we started inside of a two-year period, I think there was like twenty-seven other vendors competing. Now there's like three left, and the market has decided.

And so when you're in government and you kind of don't have really the ability to fail, and then you also don't have competition, and then you're also not getting the feedback loops, and also companies are usually a little bit sceptical deploying government things, and you just add it up, add it up, and it just it never leads anywhere good.

So, right off the bat we said, okay, we're we've got to use private sector technology, let's look at what our our stack of software and things are going to be. Talking to the private sector security vendors, a lot of them have better insights. You know, you would think that your national intelligence agencies know more on cyber than your private sector, and it's just not true. They have very unique insights, very good insights into things like attribution of who did it. But the insights of how an attack happens takes place in companies that usually those security vendors are watching and preparing and helping with. So they actually have better insights as well.

So we knew technology and intelligence we wanted to get from the private sector.

Now you look at the asset owners and operators themselves, electric system operators and things like that, they know their system way better. There's no chance that anybody from the military, department of energy, anybody would be able to go into a power company and tell them how to operate their power company better than the operators at that site. They they know it well. So we know they know the system and how to deal with it.

But what the military can bring, what government can bring is is a little bit of extra specialisation. The Department of Energy is very good at in the United States as an example of having highly specialised people that really understand certain switching and infrastructure components for substations as an example. So we could use them as highly specialised folks. We also know that across the National Guard is an example, in the US, we've got bases and and and military sort of teams in every state. So in terms of manpower, you know, even just at the brigade that I'm at, we've got a thousand of them. But you look across fifty states plus four territories, you now are talking thousands and thousands of folks that we can train up to be sort of that front line, that they're not going to be the highly specialised folks, but we can have them be sort of the tier one that goes in and and helps.

And also, in a big national crisis, there tends to be more trust put in government during those cases. So a water operator out in Wisconsin, it's very likely to have never heard of your big cybersecurity vendor. They know the person in uniform and they they probably actually know them from their local towns and go, oh, okay, yeah, come on in and help. And so there's those roles as well as then there's legal authorities that are very important as well.

So long story short is as long as you play to everybody's strengths and don't try to boil the ocean, what you will find is that collaboration is not only core, it's very, very powerful.

Robin Pomeroy: What's the one thing you wish everyone would understand about cybersecurity?

Robert Lee: Yeah. So I would love for all business leaders to understand, especially in the CEOs and boardrooms that I go into, is to understand what business capability they need in terms of their operation technology environments. Like that is the reason the business exists. So what do you need out of it? What are your requirements? And being able to say, look, I need to be able to recover it within an eight hour period, or I need these type of data sets from lawsuits or SEC 8-K filings if you're a public company or whatever. Just know the requirements. And then once the cybersecurity talent has the requirements and they understand that they have to take an OT specific approach, they can't just copy and paste their IT strategy into a power plant, then they can match up their expertise with those requirements and deliver a right size solution.

When boards and CEOs don't know the difference between IT and OT, or they just go, Well, we want to be cyber secure, there's not any actual requirements and so your security teams go off and they overspend. They're trying to mitigate every risk. They don't have any focus, they get burned out really quickly and it it just doesn't work very well.

Robin Pomeroy: I'm really surprised to hear that CEOs don't get it immediately. The OT, the technology that's running what the company does, is surely the thing that needs protecting.

Robert Lee: I think there are plenty of CEOs who do. Like most CEOs, CFOs, and COOs know where they generate revenue. But I'm going to come back to that one because that's there's an asterisk next to that. But but most of them think this was already getting done.

When the chief security person in a company stands in front of your board and says, here's the enterprise IT strategy, and they show all their green KPIs and heat maps and everything else, it looks very nice and oh, we're compliant and all of this. They go, okay, we're good. And most of them just never went back and asked, hold on, is the enterprise IT the enterprise or just enterprise IT? And every security person will tell you, no, no, just enterprise IT, not the operation side.

And so I I've seen that happen in boardrooms and CEO has like eyes light up. I'm like, so you're telling me all of our spend and all of our reporting was on the portion of the business that we don't generate revenue in. They're like, yeah, and like, oh my gosh. And and so there's a big light bulb moment for a lot of them.

Now that being said, I'm going back to that asterisk, what I'm a bit concerned about is historically, and this this doesn't represent everybody, but historically, if you were running a power company or oil company or whatever, you came from that industry. So you had somebody from the switchyards that knew the electricity system, got promoted up in the company, eventually became the CEO. What I'm seeing a lot of now is investment bankers and and financiers and so forth that are sort of like JP Morgan or somebody's like assigning a CEO into a power company. And some of them have done very well, but a lot of them don't know their business as well as a result.

And so they're spinning up and they're trying to, and a lot of them get there. They're very capable people, but it is a scale. At the same time, you've got a lot of board members who've never been from that industry. So right now, people keep asking for more cybersecurity experience in the boardroom, and that's good, but there also needs to be the experience in the boardroom of what you do as a company, making sure that you can navigate these transformational projects and things that are going on in a way that doesn't do societal harm.

Robin Pomeroy: What do you imagine will be the next shocking attack? What kind of thing, what is the you know, the known or unknown that we should all be expecting?

Robert Lee: I mean we we've seen we've kind of seen everything. So everyone's always looking for a wake up call and I'm like, I can point to all of them. Which one do you want? So we've seen chemical levels being changed in water. We've seen

Robin Pomeroy: Well what's the chemical levels in the water?

Robert Lee: Yeah, so an adversary broke into a water facility in Florida and tried to modify the chemical levels. Luckily, the operator was sitting there and saw the mouse moving on the screen, and the physical valve wouldn't allow too much dangerous chemicals to get in.

Robin Pomeroy: Do we know why someone was doing that?

Robert Lee: Being a jerk. Like some of these folks are just can't use the language in the WEF, I guess, but but they're they're jerks.

And so we've seen that happen. We've seen water tanks overflow, we've seen electric systems go down, we've seen intellectual property in the billions getting stolen, we've seen attacks try to target human life through explosions, like we we've seen them. Anything you need.

The thing that bothers me the most though, and it's something I wrote recently in for the WEF on a blog, is this topic of root cause analysis. Most people think that they'll know when a cyber attack took place and then they have their plans to action. And if it's not a cyber attack, they've got insurance providers, they can contact their vendors, they've got other options to play.

But all of that depends on actually being able to know what happened.

And that topic is called root cause analysis. Like our plant went down, an explosion happened, something took place, what was the root cause? What actually took place? And a lot of under investment has been put into OT security. And what investment has been there has been traditional IT security copy and pasted in, and it doesn't lend to that.

And so at the same time that we're getting a lot more automation and a lot more complexity, we're now also getting to a place that we don't really know what's going on in our systems. And we can't see, we don't have the visibility to really understand it.

So there are attacks that I know of that have taken place that the asset owner and operator didn't think was a cyber attack, and they activated insurance or did something else instead.

So I think about, especially between states and international policy leaders, being in a situation where there's an explosion or an outage, people die, and you have no idea if you were attacked by a criminal, a state, or it was just a mistake. And then all the plans that you thought you had can't be activated. And and that leads to quite a bit of paralysis, especially in a policy world where I think has some pretty, you know, sort of drastic consequences.

Robin Pomeroy: Rob Lee, thanks very much.

Robin Pomeroy: That was Robert Lee, the CEO and co-founder of Dragos.

So Akshay what what are your hopes or your fears maybe for for the next year for 2026? And you've got Davos setting the scene. What will people be talking about there and what do you hope people will be talking about throughout the year when it comes to cybersecurity?

Akshay Joshi: It's a very unique opportunity, you know. I mean, oftentimes cybersecurity is wrongly perceived as a technical issue, but the Annual Meeting really provides this unique platform where senior leaders have the ability to engage with the topic, and it's fascinating, you know. I mean, in terms of what are the varying levels of experience also driven by the context, you know. So it's a really good opportunity for us to be able to unpack a bit more in terms of cybersecurity from the leadership lens.

Robin Pomeroy: In in my mind, throughout the year you're dealing with the, what's the acronym? The CISOs, the chief...

Akshay Joshi: Chief Information Security Officers.

Robin Pomeroy: Information security officers. In Davos, there'll be lots of those there, but the chief executive officers there, the people at the tops of these organisations. It must be a mixed bag, though how how savvy are they when it comes to this?

Akshay Joshi: I mean you'd be surprised. I have to say that, you know, I mean, there are certain CEOs who are really, really on top of their game when it comes to cyber because if you think about it, right, CEOs are focused a lot on risk management, and as of today, pretty much every one of them is thinking about cyber as well.

Having said that, there is a huge variance. It's often said that those that have unfortunately been subject to a cyber incident probably care a lot more about it than others who may not have been at the receiving end.

But across the board, you know, we find that there is greater appreciation. Now, whether it translates into action or not is debatable across different organisations, but definitely there is wide recognition for cyber and potential enhanced.

Robin Pomeroy: Well I to talk to you again right at the end of the Davos Week.

But for now, Akahay, thanks for joining us on Radio Davos.

Akshay Joshi: Thank you very much for having me. Always a pleasure.

Robin Pomeroy: Such a pleasure. You can follow Radio Davos wherever you get podcasts. You can watch this episode on our YouTube channel where you can watch lots of video-podcast episodes. You can find all our podcasts at wef.ch/podcasts, including our sister programmes Meet the Leader and Agenda Dialogues.

This show, Radio Davos, will be back next week, but for now thanks to you for listening and watching and goodbye.