Adrien Ogée was recently interviewed by the Glen Echo team for the biweekly newsletter of the William and Flora Hewlett Foundation.
Adrien Ogée is the Chief Operating Officer at the CyberPeace Institute in Geneva, Switzerland. Since the inception of the Institute, in November 2019, he has led the Assistance pillar of the Institute which includes the team engaging with Non-Governmental Organizations (NGOs) in need of cybersecurity assistance.
Before joining the Institute, Adrien was the lead for cyber resilience at the World Economic Forum’s Centre for Cybersecurity in Geneva. Prior to that, he was a senior cybersecurity expert at the European Union Agency for Cybersecurity (ENISA) in Athens, and a cybersecurity inspector at ANSSI – the French National Information Systems Security Agency in Paris. Adrien started his career in Brussels, working for Thales, a defense company.
He has over 15 years experience in the cybersecurity arena.
Adrien grew up in Paris, has Brazilian roots, is a father of three children, an enthusiast of the great outdoors and avid learner. He likes exploring the world and creating new things.
- What excited you about the CyberPeace Institute? What brought you to the organization?
The CyberPeace Institute was founded at a critical moment for society. In November 2019, our international team of experts were faced with the challenge of launching the Institute at the beginning of a global pandemic. Cyber threats were increasing against the healthcare sector, the need was evident.
The Institute was proposing a paradigm shift in how cybersecurity is addressed. This was a real motivation for me.
In my career, I have worked in the private sector, the public sector, regional and international organizations, and now a non-governmental organization. This gives me a unique perspective on the importance, and the challenges, associated with multi-stakeholder cooperation in cybersecurity.
Each experience taught me something crucial, nevertheless, I saw the limitations of trying to establish cybersecurity in the confines of working with one government, one country, one region and organization.
The CyberPeace Institute, being a global organization with a clear mission, has a down to earth operating model, a targeted approach and what I feel are realistic ambitions. In short, the Institute helps those whose lives are impacted by cyberattacks, documents the harms and impact to create indisputable evidence which can be used to propose systemic solutions to policy makers and decision-makers whose primary responsibility is, always, to protect human life.
I joined this dynamic team of diverse, international cybersecurity experts to make a difference. The Institute has an ambitious agenda to implement peace in cyberspace, and this resonated with my own ambition.
And the reason why I delved into the cybersecurity arena in the first place, is that it felt like a new territory to explore. In the same way that I enjoy exploring the Alps, navigating new ground in cyberspace provides me with a strong sense of fulfillment, in particular in my responsibility towards my children and society to ensure that others can enjoy the environment around them.
- What projects are you and your team currently working on as the Institute’s Chief Operating Officer?
Two years ago, the CyberPeace Institute launched a trailblazing program, the ‘CyberPeace Builders’. This program assists non-governmental organizations (NGOs) in building cybersecurity capacity through a trusted and dedicated network of corporate partners who provide volunteers and funding.
The CyberPeace Builders enable humanitarian NGOs to build cybersecurity capabilities quickly, for free. Our model is a scalable contribution to cyberpeace that meets two needs. The first, making cybersecurity accessible to the humanitarian sector. And the second, giving corporate sector employees the possibility to participate in the first ever skills-based cyber volunteering program. Ensuring that all stakeholders find value in such social impact programs is critical to their success.
Connected to this program, we have also created a unique online course to help cybersecurity experts develop soft-skills and a better understanding of topics such as the digital divide, diversity and inclusion, humanitarian action, empathetic communication with victims, and more. This is the first-ever course specifically targeted at cybersecurity professionals, helping them develop soft-skills that are important not just for their role as volunteers, but as professionals and individuals. Course participants obtain a certificate they can then add to their resume and share on social media.
Last but not least, we’re currently researching the use of security standards and frameworks in the non-profit sector: too few of the organizations we support structure security controls using such frameworks and we want to change that.
The Assistance team of the Institute consists of 9 enthusiastic members, including a regional adviser in Colombia representing the Institute in Latin America, as well as a regional adviser in Kenya providing outreach support for African countries. We engage on a regular basis with our corporate partners, which include Okta, LinkedIn, Logitech, Microsoft, Telefonica, and Zurich to name a few, as well as our many volunteers.
The Assistance team also collaborates with multiple projects carried out by the Institute, including a strategic analysis report (to launch in early 2023) which analyzes how NGOs can better defend and protect themselves from cyberattacks and their associated impact and harm.
- Much of your work centers on protecting vulnerable populations by providing cybersecurity assistance — how is the Institute advancing this goal?
At the core of the Institute is the firm belief that it is critical, and in some cases vital, to understand the impact of cyberattacks first and foremost in terms of societal harm: cyberattacks directly affect people and society. To this end, the Institute has developed, launched and implemented key programs to support NGOs.
As a response to attacks on NGOs, the Institute launched the CyberPeace Builders, the first global network of corporate cybersecurity volunteers dedicated to cyber capacity building and support for humanitarian NGOs.
Concretely speaking, we work closely with NGOs who are part of the program to identify their cybersecurity needs, we then develop requirements which we make available to volunteers on a secure web platform. This allows NGOs to tell us what they need, and allows us to translate this into short term missions. We scope these missions to be under 4 hours each so volunteers can easily fit this within their working schedule and available time. Missions range from raising staff awareness through remote presentations, to advice on how to implement two-factor authentication or use a password manager, to reviewing the NGO’s data protection or cyber insurance policies.
Currently, we have 75 NGOs who are assisted by our volunteers, and over 180 missions are listed on our platform with hundreds of hours of support already delivered. Our goal is to assist and protect 1,000 NGOs, with assistance provided through over 3,000 volunteers by 2025.
Our assistance towards vulnerable communities doesn’t stop there. Indeed, it is critical that all the tactical help that is provided yields information on the harm that these communities suffer because of cyberattacks. This enables us to leverage this information to inform and influence decision-makers to better regulate cyberspace to protect these communities, and everyone else.
Since the beginning of the year, the CyberPeace Institute has been helping NGOs in Ukraine, but also documenting cyberattacks related to this armed conflict. The ‘Cyber Attacks in Times of Conflict Platform #Ukraine’ provides insights on how cyberattacks and operations, carried out since the invasion of Ukraine by forces of the Russian Federation, impact civilians. To date, this platform contains data on over 420 cyberattacks and operations, in 22 critical sectors and 31 countries.
Diplomatic and advocacy efforts have also been key to raising awareness and advocating
for responsible behavior in cyberspace to ensure respect of the international laws and norms , to limit conduct considered unacceptable and to hold accountable those who violate these rules. An example of this work to support vulnerable communities via policy instruments is our contribution to the last United Nations cyber discussions via the Open-Ended Working Group (OEWG), where we raised awareness of the problem of cyberattacks and the need for better protection of the humanitarian sector.
- You were recently in San Francisco during your trip to the US to speak at a Swissnex SF event. Can you share with us what Silicon Valley technologists and start-ups can do to use their expertise to help protect vulnerable communities, like local governments and NGOs?
First, it is important to remember that the protection of citizens, whether vulnerable or not, is a state responsibility. With that said, the Fourth Industrial Revolution has completely changed how states need to approach this responsibility. There is a gap at the moment when it comes to the protection of the most vulnerable, and for example the NGOs protecting them.
Furthermore, given how influential Silicon Valley technologists have been in leading this revolution, a sense of responsibility has been growing there over some of the challenges this has brought to the world.
And indeed, many of the companies, including start-ups, that I discussed this with in San Francisco, told me how important it is for their leaders to give back to the world. There is a strong sense of giving back, at a high level, in the region.
Supported by powerful movements such as the pledge 1%, many of the organizations I talked to engage their workforce in skills-based volunteering. As NGOs and local governments only recently started their digital transformation, many of the skills possessed by technologists in the Bay Area will be tremendously useful for resource-strapped organizations to protect themselves against cyber threats. Don’t forget that these organizations find it difficult to attract and retain IT and cyber talent, in many ways due to the shortage of labor and the economic prospects that such professionals can find in Silicon Valley. This is why, as the world’s first skills-based volunteering program for cyber professionals, the CyberPeace Builders’ program is so popular.
Some companies invest significant effort and resources in offering such opportunities, structuring elaborate social impact programs that seek to maximize the impact of these efforts. This is what companies like Okta, Rapid7, Splunk, Salesforce, Box and others have done for years. We need to see more such programs, more corporate foundations and corporate philanthropy.
Whilst skills-based volunteering and philanthropy is important to bridge the gap we currently face until resource-strapped organizations can safely embrace the Fourth Industrial Revolution, this will not be enough long-term. It is just as important that private companies engage much more with NGOs and local governments to innovate with their needs in mind; too often, digital products and services are developed for other audiences and provided at a discount to those who can’t afford them. This is good but not enough, in particular in cybersecurity, as this can create an illusion of security that can be very damaging. This is closely linked to the stakeholderism movement that made the news in 2019, though it has much older roots; what are the positive and negative impacts of new products and services brought about by technologists and how can they limit the latter?
- Since you travel the world so much, what can different countries learn from each other on their cyber strategy? What is something you’re seeing in Europe that the US could adapt to strengthen our cyber capabilities, or vice versa?
Each country, region is different, and it is natural to see differences. Not all strategies export well; for instance, Europe has played a leading role on data protection and critical infrastructure protection regulation. Not all countries are willing or able to follow this example. For the same reason, social impact activity differs across countries, some prioritizing government leadership, others corporate give-back programs, others philanthropy.
But I would like to see more social impact programs in the corporate world, beyond Silicon Valley and the US. We have a number of notable examples in Europe, with companies like Zurich, Logitech or Avast doing great work on the cyber capacity building front, but there could be more.
Yet strengthening cyber capabilities isn’t only done through regulation and social impact programs: education, training opportunities, industrial strategies, even military agendas play a role in strengthening such capabilities. For what interests me, and my colleagues at the CyberPeace Institute, strengthening the capabilities at the base of the pyramid is a global challenge. Every country struggles with this, even the most advanced, from a cybersecurity perspective. Yet over 1 billion people depend on NGOs for something critical to their lives and livelihoods like access to healthcare, food, water, and the rest of the global population depends on local government entities for these services too. Both are resource-strapped organizations that struggle to protect themselves in cyberspace.
My biggest fear is that if we don’t solve this critical and urgent challenge, our societies as we know them will be at greater risk. I fear that the Internet, we technologists have created, whether in San Francisco or elsewhere, will have been deemed and used by many as a weapon to attack the most vulnerable, those that no one should ever target such as orphans, refugees, sick and injured people. This is a negative externality, the responsibility for which I as a global citizen don’t want to bear. Collectively, we must do better to help those who need us, and to leave to our kids an Internet that is more peaceful, not more violent.
In my closing intervention at the Swissnex event in San Francisco I argued for something simple: we need to start caring about this issue and to start doing whatever we can to solve it. Too often in my career have I heard reputable decision-makers argue for the need for a multistakeholder approach, and too often have I felt this was an excuse not to own the problem and the solution. No single entity will tackle this, so it is up to every one of us to do our part, to strengthen the cyber capabilities of the most vulnerable. At the Institute, we know what our role is, and we’re proud to be working with many partners, public, private, academia, civil society, who also know their role and embrace it fully. For it is only with increased accountability, that we can start envisioning cyberpeace.
About CyberPeace Institute: Headquartered in Geneva, Switzerland, the CyberPeace Institute is an independent and neutral nongovernmental organization whose mission is to ensure the rights of people to security, dignity and equity in cyberspace. The Institute works in close collaboration with relevant partners to reduce the harms from cyberattacks on people’s lives worldwide. By analyzing cyberattacks, the Institute exposes their societal impact, how international laws and norms are being violated, and advances responsible behavior to enforce cyberpeace.
This blog was originally published in Code Review Newsletter by The William and Flora Hewlett Foundation