No More Time: Closing the Gap with Attackers


Posted on in Presentations

Cybersecurity teams have never had more data to find patterns and stop attacks -- yet the time to detect and respond to an attacker is still measured in weeks, sometimes even months. Meanwhile, attackers have cut the time it takes to deploy ransomware from 2 months to under 4 days. IBM experts will explore how organizations are closing the time gap. 


Video Transcript

>> ANNOUNCER: Please welcome Worldwide Vice President and General Manager, IBM Security, Chris McCurdy!

  

>> CHRIS McCURDY: Good morning. It is so great to be back on stage at RSA again this year. It seems like I was just standing here giving a keynote last year, which, actually, brings me to my topic for the day. What is that one thing in our lives that we constantly strive to have power over? It's time. If I just had more time, more time to spend with my kids before they are all grown up. I am soon to be an empty nester, so this one hits pretty close to home for me as my youngest heads off to college next year. More time to study for a test or meet a major deadline for that board presentation. To patch all the vulnerabilities adding up we all know and update devices. To hit the brakes on my car before it's way too late.

 

If we have power over time, then we can connect enough time to act. Let's talk about this time deficit. So we’ll talk about this more specifically for cybersecurity in a bit. But first, let me set some context on why it's so difficult to control time. Well, time is like all other forms of perception. For example, our sense of space: I can gauge the distance of this stage in front of me, to my left, and to my right, so I can walk around it without falling off. Time, on the other hand, can only be perceived in the present. We can't possibly perceive the future and we don't continue to perceive that which is past. There's only the now.

 

While we can't grasp time, we feel it. When things are moving too fast or not fast enough, you better believe that when a system glitch brings down an airlines network, that hour feels like a century to its CEO. So, how can we control a subjective concept like time? Humans have adapted to exert some control over this uncontrollable experience by focusing on how we optimize its use. Now what's interesting is that scientists argue that our brains are actually hard wired to optimize time. How? By predicting. The brain spends all of its time doing one thing, predicting. It's constantly receiving sense data and reconstituting it to predict and execute an action.

 

So, when we are attempting to perceive the future, whether that's in ten seconds or next quarter or when we feel a deadline closing in on us that's running out of time, that's our brain forecasting, rewiring our memory to optimize our use of time. The brain, is, in fact, the first and most mature predictive machine that's ever existed. It’s largely why humans have the capacity to prioritize tasks and make decisions based upon importance, urgency, and complexity. So, we have established that we can't control time. But we can control our use of it.

 

Now, what does any of this have to do with cybersecurity? The fact is, there are some real valuable lessons in how humans have adapted to optimizing time and how we adapt our defenses for detecting and responding to cybersecurity threats. If cybersecurity were to model the brain's predictive aptitude, the industry would get vastly better at acting against threats fast enough. That is why we are seeing AI take on an existential role in security, but I will come back to that. Time in cybersecurity is just as uncontrollable as it is in every other part of life and business. Consider this, over the past five years of tracking the days it takes to find a data breach, you will see little, if any, improvement. In fact, the latest cost of data breach study found it takes 277 days to find a data breach. You have to think to yourself, how is this still possible?

 

Well, innovation on behalf of the attackers is one of the biggest changes. Remember that time deficit we talked about earlier? It's an even greater problem in cyber. Our X Force team found that ransomware gangs have managed to cut down the time it takes to deploy ransomware from two months to now under four days. They have been able to essentially achieve a surplus of time through the use of automation and new as a service models to start. A whole supply chain has been built to speed up their attacks and their efficiency. A very profitable business has been built around finding back doors and selling them to criminals.

 

In fact, our X Force team found that these back doors were the top action used to gain remote access to systems in 2022. They are focusing their time on what matters most and delivers the biggest return. So, I made my case from the opening that we can't control time. But we sure can optimize it. And the lessons from humans focus on cognition, structure, and technology all are applicable here as well. Here's how we think you can apply those lessons.

 

First, know your attack surface and threats. The same way humans have awareness over our environment to prioritize their actions and safety, so must security teams. The threat maze that businesses have inadvertently created by virtue of their expanding digital footprints can't stand in the way of speed. Know where to look first to optimize your time to detect. One way to test your efficiency is to attack yourself. Operate like your adversaries would and think like an attacker to really test your detection and response time. Second, AI and automation are table stakes in cybersecurity. Recent innovations in AI have made their impact more palpable to us. The cybersecurity value here cannot be overstated. The data is proving it. Security teams respond more quickly, accurately, and efficiently when they use AI and automation. We need to use AI to our advantage and unleash speed and efficiency across our defenses. This is how defenders achieve the time surplus that attackers have already figured out how to create.

 

We have added more and more data and we are not seeing the improvements you would expect in these detection times. Why is this? I would argue it's too much data for them to act on. AI and automation can have a dramatic impact here. A more connected security operation center experience can help defenders find and respond to incidents with greater precision and speed before they cause major damage. But we mustn’t lose sight of what the real need is here. It is not simply AI, it is trusted AI. Have you heard about AI hallucination, whereby AI models essentially make up outputs that cannot be justified or are factually incorrect? It is one of the greatest challenges the industry is trying to tackle right now. When AI is transparent, fair and robust, it can deliver on its full potential and function as a reliable asset to security strategies. Otherwise, false positives, blind spots, and limitations will lead it to fall short. We mustn’t underestimate the role that AI plays in its effectiveness.

 

Finally, focus on preparedness. The lesson of structure and an agreement of time has driven humans and it will also change your security posture. The vast majority of organizations, about 74%, in fact, aren't fully prepared to respond to cyber threats because they don't apply plans consistently across the business. The list of steps an organization must take in the wake of a breach is staggering. And it can be that much more daunting without a plan in place. Time is not on your side. And, honestly, it may be your enemy. To be a step ahead of attackers, we need to look ahead. And to look ahead, we need to know where ahead is.

 

Defense is not limited to reacting. I would argue it's much more about being proactive. An effective cybersecurity response team encompasses a mix of technical skill, legal precision, and regulatory understanding, as well as a robust crisis communications plan. If we are prepared, we can anticipate, and if we anticipate, we can act with speed and save time. So listen, I started with a meditation on time, but the lessons for us on cybersecurity are real. We have the tools; we have the methodologies, we just need to apply them in a more systematic way, the same precision and drive we as humans have. The good news is, we now have AI and other technologies that can help us with the precision. But the implementation is upon all of us in this room.

 

And just like I argued earlier, the delivery and implementation of AI must be founded on trust. Time is the new currency in cybersecurity, but there is just a finite amount of it. We can't create more. We have to manage the time we have. There is no bigger stage in the world than the FIFA World Cup, and what a great way to bring some of these lessons on time to life. Soccer, football, whatever you call it, is a game about time management, and this year's host country, Qatar, did an amazing job at preparing for hosting the millions of fans who love the sport. IBM was honored to be part of the team that worked with Qatar and their national cybersecurity agency to help prepare for and secure last year's event.

 

Let's learn a bit more about the Herculean effort that took place behind the scenes to secure the event and the millions of spectators on site. It is my great pleasure to bring to the stage the director of Cyber Fusion Affairs for Qatar's national cybersecurity agency, Ahmed Al Hammadi.

 

[MUSIC]

 

>> CHRIS McCURDY: Ahmed, thank you so much for making the trip to San Francisco, it is a long 17-hour flight. Let's jump right in, as I know there's lots of territory to cover here. So can you set some context for the audience here on the size and scope of the challenge Qatar and the NCSA had for the size of the FIFA World Cup?

 

>> AHMED AL HAMMADI: Yes, first of all it's my great pleasure to be here today and as well to be part of this interesting topic. And as well, back to your question. So, the FIFA World Cup is the world's largest sporting event, actually, with billions of viewers from around the globe, and over 3 million spectators. So, given the magnitude of its spotlight, that event can represent an important opportunity to the host nation, the global reputation, and as well to ensure a smooth operation, tight security is required. And not only in the traditional physical sense. Currently cybersecurity now is an integral equation of the security – it's an integral equation of the security operation, and especially with the rising of operational technology, all aspects related to securing a big event and all – like an event on a big scale, it's all susceptible to cyberattack, from the technology within the stadium, to the transit system that carries fans to the venue, to the operational technology of dozens of government entities working with the host country for the month long. So, the attack surface for a big scale event has never been broader.

 

>> CHRIS McCURDY: It's clearly a huge moment for Qatar and you guys did a fantastic job. When did the preparations for securing the event happen? Because it's been like ten years in prep and planning?

 

>> AHMED AL HAMMADI: That is correct. So the bid was awarded to Qatar, the State of Qatar, in 2010 and, actually, the overall planning and preparation began immediately. And because of that, the State of Qatar formed a supreme committee for delivery and legacy shortly after winning the bid in order to build facilities and to enhance infrastructure to accommodate millions of fans. And as well in relation to cybersecurity initiatives, Qatar established an execution plan for the World Cup, five years prior to the World Cup. And as well, they were focusing, like, to – and as well, this framework aims to enhance the security posture from an informational perspective and as well the objective is to enhance the security and capabilities within the organization, within the State of Qatar. In parallel to these engagements, the State of Qatar has established the national cybersecurity agency in order to unify the efforts and to be a channel as well between the public and private sectors, in order to be ahead of the attacker. If we work in a very collaborative methodology, and as well to be more focused towards securing the cyberspace of the State of Qatar and annual events that may come in the future.

 

>> CHRIS McCURDY: So where do you start with such a big task, I mean we are talking about building and securing eight stadiums, the millions of people that were coming into the country, dozens of applications, and even the transportation systems.

 

>> AHMED AL HAMMADI: Yeah, actually in our case we need to consider everything, especially when it comes to our critical national infrastructure. Such as you mentioned, applications, transportation, electricity, oil and gas. But, like, to be honest, there are not many playbooks out there for doing something at this scale, so we have certainly engaged with FIFA and other nations that have executed similar events before in order to obtain knowledge from them and as well to learn from them and to share information and experience.

 

So, once we have conducted our research, we started crafting our own plan on building a framework with several dimensions. And to be honest, it was a very comprehensive engagement because we didn't develop the framework on our own, actually. It was a contribution from over 100 representatives from the government, from the civil society, as well as subject matter experts, consultants from around the world, and it was a very collaborative methodology between the private sector partners. And returning back to the dimensions of the framework, it was describing that cybersecurity ecosystem, the FIFA World Cup cybersecurity ecosystem, and as well the cybersecurity operation layered with the example of the capability names and the pillars, focusing on the pillars of operation which contained the prevention, detection, and response.

 

>> CHRIS McCURDY: Very good. One of the projects that we worked on specifically with you was the Hayya app, which is essentially a comprehensive mobile application that consolidated everything from your event tickets to public transportation passes, to the visas to enter the country. Could you share some of the controls or protection strategies of rolling out an app in this scale?

 

>> AHMED AL HAMMADI: Yeah, that is correct. So during the World Cup, so the Supreme Committee for delivery legacy because they want to make the trip for the visitors smooth and easy and as well to enjoy the event. So they have developed an application, it's called Hayya app and, actually, it was our most visible tool for that visitor. In order to make that trip easier and part of getting granted Visa, immigration, going to the stadiums, using free transportation.

 

So, but at the same time, it's also presented a vulnerable target for our adversaries. We had an objective over here because we were working side by side with the developer of the application in order to assure that the application was secure by design. And after that, we needed to test this application against real world scenarios. There were then IBM team helped us in order to create interest around 150 different compromise scenarios for this application. And as well to evaluate it against threats such as like distributed analysis service and malware and attack, account takeover, and as well insider threat.

 

>> CHRIS McCURDY: So as you heard in my opening remarks a few minutes ago, time is the new currency for cybersecurity. With such a condensed timeline and so many variables, I would imagine speed of detection or response was a priority for the NCSA team. Can you tell us how you managed time?

 

>> AHMED AL HAMMADI: Actually, this is a very good question. And because in cybersecurity, you know, like, technology is always evolving and a lot of countries are going toward digitalization, and we have a lot of technologies is coming in the area. So, we know that we had the time and the benefit of time to plan for the event. But as well, at the same time, so here I am going to speak more about the operational perspective for it, because when we manage time, we are speaking about the governance as well. We are speaking about the enablement. But I will be focusing more toward the operation.

 

So, in my case, we were focusing on the three aspects in order to manage time. We had the prevention, detection, and response. Prevention we have talked area about the framework, like developing a framework and as well the preparation and thing that we did in related to this framework because it contained disaster recovery, business continuity, and having around 14 capabilities within this framework. And as well, we have part of our preparation that we have built our frontline escape in order to identify the threat and in order to build a risk register in order to identify the risk peer sectors and to build more scenarios.

 

So for example, more detail toward the workup. We have conducted a detail assessment of potential security threat at all eight stadiums and actually with the help of our strategic partner, political partner, and IBM in order to understand the potential impact that may happen at the stadium or at any other critical areas. And as well on the detection part, really, like, central around building a world class security operation center with our private partners and IBM. And at the same time, we were, like, we need to focus on the response part of it. So, as well, we have developed our worst-case scenario. But like in terms of the detections, like our employees personalized the high-level plan in order to integrate and provide real-time threat visibility. And most critical application and more than 2500 components across Qatar.

 

We needed to make like personalize our ally and make faster decisions, giving the nature of the event and the time is always critical for us. And in terms of the reactive actions, so, we have developed our unique plan in order to ensure there is fast level to respond to any incidents because it is a time critical. And because of that, we have developed two teams. We have developed a one team focuses more toward the country. And another team focused more toward, like, the event in order to be more focused and emphasized. As well in order to avoid any kind of logistics obstacles, we have developed different small operation room within each stadium, and that was a very comprehensive engagement and as well to build the relationship between the incident responder and as well the other operation within the stadium and as well in order to assure we are – like we can take litigation procedures and technical procedures without any kind of impact.

 

We are really proud that NCSA was able to reduce its investigation time by as much as 85% with the work that we did and some innovation from our partners and IBM. So, yes.

 

>> CHRIS McCURDY: That's fantastic. An amazing accomplishment of efficiency and time. So my final question as we wrap up, the next World Cup in 2026 is going to be right here in America – or in North America – sorry. Sharing between U.S., Mexico, and Canada. And I am sure significant number of people in this very room will be supporting it. So, what's your biggest advice to the folks here that are going to be supporting the next World Cup?

 

>> AHMED AL HAMMADI: Sure, I hope everything we have talked here helps inform the leaders tasked with securing the next World Cup. And I will take the opportunity to say that NCSA Qatar is standing by and eager to be part of the process in any way that we can help and provide information. So, my biggest piece of advice will be focusing on cooperation, and as I said earlier, we have seen the valuable output from our comprehensive engagement that making the public sector working with the private sectors, it will always keep us ahead of the attacker.

 

So, we cannot compare the World Cup that happened in Qatar in 2022 with what's going to be happening in 2026 because, to be honest, it's a bit different. So, the State of Qatar had a more, like, condensed and centralized environment to protect, because we have our own laws, regulations, policies that organizations need to comply with. But I believe the World Cup in 2026 will happen among three different countries. But we can see it's one mission that all these countries are responsible for. So, they need to find a way to have a very cooperative methodology to work on. And because it's one mission, maybe they can build a framework in order to host the next World Cup.

 

I would say, and I believe maybe most of the expert people in the security services will agree with me, that when it comes to cyber threats and attacks, there are no boundaries. There are no borders between countries. What happened in a region may happen in a different region and we may suffer the consequences based off this. So, I will always emphasize the collaboration because it will always keep us ahead of the attackers in order to share information and knowledge.

 

>> CHRIS McCURDY: Thank you, Ahmed, for sharing that powerful advice and story. Let's give Ahmed a round of applause, please.

 

>> AHMED AL HAMMADI: Thank you very much. Thank you. Thank you.

 

(Applause)

 

>> CHRIS McCURDY: The work the NCSA team did to prepare and execute the 2022 World Cup is a case study we will be referring to for years to come. If you have some time today, stop by the IBM booth on the show floor where you can learn more about the Qatar and IBM partnership. I want to thank everybody for being here this morning. I hope everyone has a great show. Enjoy your day. Thank you.


Participants
Ahmed Al Hammadi

Speaker

Director of National Cyber Fusion Affairs (Operations), National Cyber Security Agency

Chris McCurdy

Speaker

General Manager and Vice President of Worldwide IBM Security Services, IBM Security
