Safeguarding data sovereignty in modern warfare

All right, ladies and gentlemen, one and all, good morning. Oh, there we go. There's the volume

I really hear it today. Good morning. On a Friday, we are caffeinated and we are feeling great

Welcome, everyone, to the final day of DSEI and our very exciting panel here this morning

all about data sovereignty and military operations. I'm JD. Thank you for being here

And I've got not one but two esteemed panelists with me this morning to kick off a great conversation

And I'm going to have both of these gentlemen introduce themselves. Sean, I'll kick things off with you down there at the end

Hi there, my name is Sean Carnu. I am the senior director at a small company called Arkit, responsible for defense, government, and CNI here in the UK and across most of the rest of the world

Amazing. Hello, I'm Alan Jensen from DXC. I'm a strategic growth and innovation partner in DXC, and we've been working with these guys and a whole raft of others to put the solution in place for these capabilities that we're talking about

And by the way, I only found this out last night, DXC is the sponsor on all the badges

Yes. Yeah, we're the platinum sponsor for the whole thing. There you go

Hey, that's pretty sweet real estate. Every time you look at the badge, I'm like, wait a minute. I know I know this logo

My gratitude. Yeah, go ahead. And our carpet. That's the color of our company logo is purple

Wait, even that's part of the spot. Oh, that's a sweet gig. I think it's always purple, if I'm honest

Well, I think it's purple for DXC. It's just looking at it. It's our purple this year

Alan, let's go with that. I like it. Thank you, gentlemen, to both of you for being here

We'll do open-ended questions. And a quick reminder to everyone here in the house, if you would like to ask either Sean or Alan a question, we've got a QR code up here at the podium

And these pop up on an iPad. Oh, the iPad's here at the podium

Excuse me. And we'll also be going around with a microphone later on. If you'd like to ask your question in person, you're welcome to do so

We'll start with an opening question for both our panelists. Why is data sovereignty such a big deal, such a high priority for militaries of the world today

So as we've transitioned into a digital battle space, data sovereignty becomes a key component of the fighting force

So maintaining both the control of and the access to data that is inside your network

whether it's generated data being live on the battlefield or live in operations, or historic data, information about operational capabilities and such

maintaining control of that as a sovereign nation becomes a critical component

It is now effectively another pillar within the warfighting space. Yeah. Alan, what does data sovereignty look like and mean to you from where you're positioned at DXC

So I think it's a really important piece of capability that I have to have

It not just does what Sean just described. It also enables you to get a much better citizen awareness

But it also enables you to not reveal your sources, how you've collected the data, what assets you've used for that

So it's really important from both intelligence, real-time operations, and essentially getting the right information to the right person at the right time so they can take the right action and do the right thing

And sovereignty is key to all that. It runs through the whole thing. Is data sovereignty about tech

Is it about trust? Is it about control? A combination of all the above

I think your comment at the end is it's absolutely everything. So it is about are you able to protect it? Are you able to have access to it

Are you able to enable that data to be in the right place at the right time

And are you able to trust it? So it is all of those things. Now to build that though requires technologies themselves

And we can talk about those in a little bit, where that's going going and some interesting evolution there but it also takes you into areas

around policy it takes you into areas around training and skill sets and it takes you into areas around areas outside of defense that maybe other

government policies GDPR and all the rest of it that all have to be considered towards it so it's a it takes a complete 360 view to be able to look at data

sovereignty it is not simply about saying where is it and who has access to

it yeah Alan how important is the trust component Sean was just alluding to there

So the trust component is really, really important, particularly in relation to coalition warfare and interoperability

It enables you to allow people onto your network that you trust

So in the UK sense, for example, it could be that you have a British brigade

They have two British battle groups, but they have a French battle group. And all of those three organizations need to fight together, which means they need to access data that they're allowed to

and the sovereignty and the management of that sovereignty allows the British command and control systems

to share exactly what's needed with the French to enable them to be the most effective they can on the battlefield

Without that, they can't really interoperate. I think something you bring up there, Al, is really, really interesting

which is I think that's the ultimate friction when you're talking about data sovereignty, which is how do you maintain as a nation or as an entity your sovereignty of your data

yet enable interoperability with allies and coalitions, which are often, there are long-term allies

we know that, the Five Eyes community, NATO and the such, but we often stand up very short notice

working with other companies or organizations or other entities. And how do you do those two things at once

Because the easiest answer around data sovereignty is to lock it all down, make it absolutely almost impossible to access and get people to it

That doesn't allow you then to maintain that interoperability that is how we deliver operations

especially here in the UK with a NATO-first policy, we have to find a way to be sovereign, protect our own data

protect our models, our AI models, and all the rest of it, but also be interoperable with our allies

Walk and chew gum at the same time. Alan, go for it. I don't think you can achieve the aim that Sean's described

without really handling two very, very specific but closely interrelated things. One is a zero trust

what are you going to allow other allied nations see in your data sets

and where are you going to allow them to see that? It could go all the way from the core HQ to the div to the brigade to the battle group

It could go from the in an air sense from the deployed operating bases

to the forward operating bases where you may have French aircraft working with British aircraft

And it definitely applies in the sea environment where you're going to have multi-nation vessels

and how do they operate. So the command and control depends on really decide who can see what

and they have to have that zero trust access, the role-based access, the attribute-based access to data

knowing who's coming in, who's going out, and controlling who can see that

And equally important, which I'm sure Sean's going to talk about, because he absolutely should, is enabling the security model

to enable that and work across that. You can't achieve that without both of those things

And I guess the third component is a network that allows them to do that and survive on a battlefield, which is actually a third leg of the stool

You can do the control, you can do the access, you can do the data, sitting on top of all that

But without a network, you're not really going to be able to do a great deal. And the network's key to move the information around

Gentlemen what is at stake if a nation loses control of its own data I think rather than kind of waxing their cool about going down the deep in real simple terms data is the lifeblood of an organization whether it is a commercial organization or a military or a government

maintaining control, maintaining more and more, maintaining a trust in the data, in what it's telling you

and that it's valid, is going to become effectively, I believe, the core component in warfare, but in government as a whole

And losing control of that is effectively losing the lifeblood of an organization

I would concur with that. I think it's really key to fighting and the logistics

the whole end-to-end operation of modern warfare in the changing character of war that we're facing

The data is the core of everything. You lose control of your data, you lose control of the battle space

And it's controlling the battle space and being one step ahead, making those decisions quicker than the enemy

getting inside their OODA loop, making decisions and taking effective action quicker than they do

is key to surviving. What would you gentlemen say are the biggest gaps right now

in protecting our sovereign data, the biggest gaps in the process? For myself, I think there's three primary ones

and then the fourth one is one where we as an organization focus, obviously our intention and the like

but I think all four of them kind of lay the foundation. The first being that there are really fragmented standards

Within the UK, we have different standards that are being used across different parts of the military

as different pillars and the commands have gone in different directions and then between coalition partners

And if you think about how in commercial industry, standards enable commercial entities to interoperate

and to be able to do that very, very quickly. So standards that they can integrate into their components or their technologies

which means when they sell them, the interoperability with other components that an organization may purchase is already there

So we have a problem with that interoperability when it comes to data. We have a massive set of legacy systems

If you look at any of the commands and you go back into it, what we think probably, you know, on my iPhone, what I have at home and all the rest of that

those systems are nowhere near up to date like that across the entire defense spectrum

And that creates problems because it's not as easy to move your data around or give access to it or connect systems together

And there's a huge interoperability problem there. There's also, I think, limited visibility of what data we have

I know when I was in uniform, we were constantly relearning the lessons over and over again

And it's not that we hadn't learned them or recorded them. It was often getting access to those kind of record records and finding out that data

So that sort of limited viability to that environment, which is only going to become a very more complex environment when you start talking about multi-cloud providers

You talk about data at the edge. You talk about different commands you're working into and the like

And then finally, defense has to look at the quantum threat. there are components within how we protect data in defense now that are sufficient against a

quantum threat but it is not our whole data set and so we're traditionally as we've gone through

the you know classification standards we've a lot of data has set up lower classification standards

using public infrastructure and the like to be able to protect that data that all is going to

have to go through an update cycle to become safe for the future. Al

I'd agree with that. I think it's about future-proofing security of your data

The UK military certainly have a concept of fight tonight, fight tomorrow

What we're really talking about here is getting ready to fight tomorrow and protecting what

they already have as best as can. And the things that Sean has just mentioned, quantum particular is a threat, quantum decryption

of existing legacy security is a real threat. They're doing it already

They'll be doing it better and better as we go forward. So finding a way to counter that

One might look at the way to beat quantum decryption is to have quantum encryption

And they would really struggle to do that. So I think keeping future-proof

and having a plan of how to get there is really key

I also think the changing security models and the changing security technology allows much better, much faster deployment

It saves what they call swap, the size, weight and power of your equipment, which means you have to carry less equipment with you

You have to move less equipment forward. You're using less fuel. You're using less aircraft

You're using less everything. So there's a real business imperative alongside a security imperative

And then the two combined give you a sort of survivability imperative

So it all leads to operational success. And you have to have a whole series of things interconnected, moving forward together, integrated together to allow that to happen

Yeah, I'll ask you guys a bit more about quantum safe encryption in just a few moments

But to stick with the more current conversation with regards to existing gaps and challenges, do you both feel that today's coalition systems fit for the demands and sovereignty, the sovereignty demands of tomorrow

I think it's very clear that they don't. The way that we have traditionally protected our data in a sovereign sense is effectively locking it down and then spending a lot of time and effort figuring out how we connect up temporarily or permanently to be able to share data and do that

We have, for example, in the UK, a different set of classification levels than some of our allied nations, and that causes just a friction on its own, let alone the IT, the tech, the willingness to share data

I think it's going to get even more complex because we're moving into a space where there are brilliant companies all around the halls this week specializing in AI, looking at all the development of those sort of technologies

How do we make data work for us better, both offensively and defensively

You're just increasing the frictions. You're just making it even more complex, you know

And when I did spend time in uniform often on a large exercise let alone during combat operations

A third of your time was figuring out how you even talk to each other let alone transfer high amounts of data and communication

And we have to get much better at that because as we spoke quite early in the conversation

It is one of those pillars that if we don't get right the other arms can't deliver

Yeah, what is the toughest balance sharing with allies or keeping data secure at home

I think I think we're pretty good in the UK keeping data safe at home and to an extent deployed

So I would say. Based on what Sean has quite rightly said in the future warfare, I think sharing the right information at the right time as quick as we can with the allies is probably going to be the largest challenge we've got

Because that undoubtedly is going to be key and getting efficiency and speed into that process is going to be really important

particularly where we're increasingly fighting alongside them and with them in mixed formations and so on

That's going to become the real challenge. Is that a balance, Sean, between the two

Well it going to have to be right We have to have control and access domestically to our own data sets and to our own systems and we have to protect that The world is changing constantly and we have to have that ability

But we are almost always going to be in operations and deployments with coalitions and with allies

And so maintaining that sovereign yet interoperability is the biggest friction. And I think it comes down to things like lack of unified standards makes that really, really difficult to do

And then cross-domain data security. So because we have historically kind of ring-fenced off data based on classification very, very carefully and just completely put walls between those systems

as we start to be able to share those with Al, it's very difficult even domestically to be able to share that data where we need to across systems

When we start talking about then doing that with another organization, it becomes even more difficult

Effectively, a language barrier. A language barrier. Yeah, exactly. How can artificial intelligence protect sensitive data, and where do you think AI may create or pose some newly emerging risks

You know, at some point we'd mention AI. I wouldn't be doing my job if I had mentioned it at least once

It's a really fascinating question. It's a really good question. I don't think we it's not completely understood yet where AI could fit with this

I guess you could look at sort of no coming all the way back from the big headquarters to the very edge of the

Forward line of troops there's a whole Massive data coming down and it's really wide at one end and really narrow at the other as they need less and less as they get forward

Conversely to that from the from the frontline coming back the other way

They're picking up all the information from the sensors and as a flow of data going back the other way

Which also gets less in the sense that they're aggregating as they go back

AI is a really fascinating question. There's a lot of discussion around Where does AI at the edge the guy in the trenches the guy on the ship

I think we've yet to work through where's the best place to conduct a lot of that AI along that journey

Where do they intersect because for me and what we do? that's where the compute needs to be and AI takes an awful lot of compute and an awful lot of compute takes an awful lot of power

So where do you decide where you're going to do that AI along that along that spectrum of data

information flow and And that's going to be I think a key driver for where we use AI and I don't think we're quite

Understand that fully yet. I don't think enough being thought about where do we need AI

And I really think it's also true just because she can Doesn't mean you should just because you can doesn't mean you should use it now use it

I mean, yeah, you just can use it doesn't mean you should use it in any one given place

Oh, that's great. Sean your thoughts on this especially and man Alan brings up a good point that put the compute power their energy required

It's got to be part of the serious conversation with regards to leveraging modern AI technologies

How do you view that so I think AI is like any new technology and whether it's in defense or in a commercial space

which is it comes with benefits and we focus on those benefits very rightfully so but it often comes with threats or risks are associated with it

so you know where do your initial kind of question was around where can it help us in the protection of sovereign data

What role might it take and I think there's you know evolving models that look at automating threat detection

You know the computer and the AI model being able to work faster than human and understanding what the threats are and

Initiating responses or providing responses to the human in the loop to do that

Additionally, we're now going to and continue to generate exponential amounts of data

The traditional process was a human classifying that data. An AI model could be a very big assistant in doing classification of data

and being able to filter it into the correct systems that it needs to go to, labeling it, putting it through that

because a lot of the control of those data sets is going to be based on their classification

and therefore you're automating that process. Additionally, doing some of that predictive ysis about where data access risks are

you know, looking for the holes in your defenses faster than you can as an operator yourself

I think there's a lot of areas there where AI will help us in protection of our data

in that sovereignty aspect. The flip side of that is what threats are a model is going to do to that

And I don't mean people just using an AI model against us. It's a lot of our aspect to it

But AI models that are trained on coalition data, for example, that opened up an avenue for information leakage, something that has to be considered

So information leakage, you said? Yes. Confirming. So you're sharing information, you're putting it into there, and through doing so, you then potentially, as you're training AI models, expose data to where you don't want to do so or have risks

And then the sovereignty demands, one of the aspects is going to be around, is your AI model explainable

Is it audible? Do you have local controls over it? And then also, so that's around that sort of governance and all this

And then you tie that also into AI infrastructure. Do you actually have your infrastructure in your nation or is it in someone else's nation

And actually you're dependent on data centers that you don't actually physically have access to control and the like

So I think it's a double-edged sword and it's one that can highly benefit us in this space

but also poses a significant amount of risk that we need to really contemplate and to find mitigations for within our deployments

All right, let's jump back to quantum. That was a fun conversation. Is quantum safe encryption a must-have now or still a few years away

Well, as a company that focuses on that, we are not at a state where there is a cryptographic relevant or quantum computer

advice coming from all the governments including NCSC here in the UK is you know that period is now

and it changes three to five to ten years out the issue is not that there is one today or there isn't

one today it's the roadmap to make yourself ready for when there is one when it's not a predictive

date that it is not a one because the likelihood of that being developed in the UK or in the US is

as likely as it being developed in an adversarial nation so predicting that actual you know Q day

is very very difficult but the route is not just flicking a switch with the

technology it is understanding where your risks are understanding what you're using today and being able to do ysis of it and where your risks are

and which set of your cryptographic inventories and technologies are the greatest risk and will take the longest implement solutions for it because there

isn't just one solution we as a company have a solution that we provide and we're

working into the marketplace but we cannot be the only solution there needs

to be multiple and there are different ones for different data sets or different systems

That evolution will take quite a long time. And you can think of it, in my mind, you can almost think of it like the rollout of different

technologies in say just communication itself. So when we've moved from out 3G to 4G to 5, it's not a flick of the switch and we all go

There's a lot of change that has to go with that. And it will be the same thing when it comes to Q-Day dealing with the quantum threat

it is a relevant threat to defense and one that needs to be addressed today or

starting to be addressed today to enable the operators in the community to be

ready yeah I'm gonna state the obvious Q day is a really sweet phrase by the way

I love I hadn heard that one that awesome Alan your views on Q day and quantum safe encryption and our timeline for it I think we going through a transition for that I think everyone recognizing that certainly maybe for the immediate future

we are where we are and we're on the kit that we've got right now

But I think it is transitioning and I think the threat is there and I think people are aware that anyone that supposes may well be applying quantum compute

to decryption of what we've already got. There's most certainly the risk there

So I think to move forward on it, we've really got to look at the problem and the challenge for the customers

for the militaries around NATO, and start with the problem and the challenge

and then work back how the compute and how the quantum can address that

It's not something you can just jump straight into as Sean's absolutely right

You can't switch and it's all working. You've really got to look at the problem. Operationally, what's that problem

There's a whole raft of different things go into that like the whole defense line the development aspect of doing it

You know the training the operations and then Go as quick as you can to get the best benefit that you can immediately and then have a much longer view of how you're going to be

Three four five years down the line, so it may be right now today. We're using

No quantum safe algorithms but that's a very viable thing to do right now today it could be in three times we've moved off that and we're on to

silicon on the chips and we're doing chip based quantum protection on the chip itself and you don't need other things that it's going to be a

journey in the technology sense that we just need to make sure we stay aligned to the customer and not promise them no panacea

to see your answer when it really might not be there just yet. And we take them with us and they take us with them

As a reminder to everyone here at the panel, if you would like to ask Sean or Alan any questions

go ahead and scan that QR code. We'll also go around with the microphone in a few minutes if you've got one for us in person

Just wanted to add to that. Please do. Whilst, yes, we're not at a point today where there is a cryptographic quantum relevant computer

that can break into, say, AS256 or some of the public infrastructure we have today

There is a threat though today to certain data sets. And those are the data sets that are long term or have long life data sets

Because very, very publicly advertised by many agencies and talked about in the press

is the threat of capturing data in transit today that is not breakable

or is very, very difficult to break at scale. But then once those computers, once those technologies become available

reverse engineering and breaking into those data sets or those information five years in the future, eight years in the future

The problem there is most of that data will have expired or won't have value at that point in time

But there will be significant data sets within there that do. Think of patent data

Think of operational long-term planning data. It could be personal data, financial data, and all the rest of it

So that information is available today. And we do have knowledge of adversarial nations collecting huge amounts of that data

both in the defense space but also in the commercial space. So the threat is here today for certain individuals

and dealing with it is something that has to be looked at sooner than later. How important is the partnerships component of all this

I think of Arkit's relationship with other major tech players, those sorts of partnerships

Maybe it gets to the broader point Alan made earlier with regards to interoperability

But Sean, from where you're positioned, does that make a difference, those partnerships

We won't deliver solutions without them. There is no one company showing up to deliver everything themselves

so and I look at how we operate right now so our partnerships we have a

partnership with DXC who has a systems integrator delivers all that sort of

capability around bringing technologies together for us and delivering that for the customer and then supporting it and enabling and delivering training and all

the rest of it but underneath that there are numerous organizations there are the

large equipment providers that provide the boxes and the hardware and the such then there are the public companies such as an Intel who are creating technology

such as the TDX chip which is secure compute moving forward which is required

to be able to protect AI workloads in the cloud and the like and then there's

companies like us and SME who come along and how could the innovative technology that goes and how do you secure that in transit or at rest how

you do that but all those layers together my team will be sick of using

this ogy it's making a meal and you need to have multiple ingredients in the

meal we as as our kid are a very very small ingredient in that but we're a

critical one potentially to making the whole stack of technology deliver that capability which can i

sorry which ingredient in the meal are you is it that you're an ingredient of the meal or it's like

this is thanksgiving dinner and you're like you're the cranberry sauce like you're one of the dishes

well the reference of thanksgiving being slightly american yeah that's true i apologize but i i agree

with the the ogy it's that sort of we're critical to that so and how that's delivered

Because within those solutions, within those capabilities, it's not just bringing them together

You need somebody who can bring them together, have done the testing, have done the work, looked at how it's going to be delivered and operated

looked at those threats that we talked about earlier and managed those adversities. You need all those aspects

So this is not a SME versus prime. This is not, you know, it requires that

And it often requires companies to sit in the same space that might be deemed as competitors to each other

to work together because actually those technologies together allow us to move faster rather than saying

I want my part of the pie and you can have yours. And doing that is good. Is it ever, one more follow-up

is it ever a bit begrudging to have those relationships saying, you know, we are usually competitors

We usually duke it out. But for right now, we put those differences aside

in the spirit of collaboration. I think it's easier for smaller companies to do that

I think because they have that flexibility. They haven't got the large shareholder base behind them

that maybe has come from a generation where you wouldn't have done that level of collaboration

without it being contractually driven and the like. So I think it is difficult

but I think there is the right mentality. I know this week, the conversations I have had

with lots of our partner companies, I have had conversations with organizations

that if on the outside you would look that they were our direct competitor to us or we are a threat to them

to say actually, is there something we should be doing together and exploring

Those conversations are happening now, and I think events like this are very critical to that because it gives us the opportunities to have those conversations rapidly

Excellent. Alan, forgive me. Please go. No, I think Sean's right. So we are the systems integrator, and I think we have about 15 companies doing the end-to-end capability and covering a whole range of things

I think anyone going down this is sort of going through a journey, a sort of set of steps

Yeah, we've innovated and we've gone through that initiating the tech and we're now into iterating that tech

We're into, is there a better bonded router? Is there a better radio

Is there a better anything that we can look at constantly improving? And I think we're now moving into what the National Armaments Directorate

calls scaling. How do we build it? How do we produce it on an industrial scale

We're no different to tanks, right? So if we're constantly looking if the if the government any government came back to it and said I need a thousand of these to deploy

How do we rapidly produce a thousand of these to deploy and it covers

Software and hardware and it's quite a difficult balance to get that and then you have to worry about how do you maintain

maintain it in the field. Who does that? How do you train the soldiers to maintain it or the sailors or the airmen

It's a really complicated thing and we're just sort of all, I think it's fair to say, going up that step

And the idea is to keep everyone on the same step at least as you go up that level

But we're getting there. I think we're moving through to what they call a minimal deployable capability

where you could actually take it out and you could use it in the field. And we're sort of getting there. We'll be experimenting with that in November, I think

roughly we're all on that so I think it's a journey really I hate to use that words everyone

says it's a journey don't they but it really is a you know moving up that ladder to get to something

that's actually really going to work and be deployed and support people and could be replicated

and it has to be dual use right anyone everyone dual use means it can be used in the mod sense it

could be used for the army the navy the air force it can be used for smart bases it can be used for

as many different uses they've got. And in our case, dual use also means we've got a commercial version of it

that supports Amazon. So 80% of the same tech. The gold and dust is in the 20% that the military use that Amazon don't need

But we can still industrialize it because we've got a massive footprint

to deliver that sort of capability so we do economy of scale

Amazing. We do have a, please. It is a journey. By the way, it's all a journey

So I appreciate that. We do have a question from someone in the audience, and thank you for this

So an open question for both of you. What is one immediate step you would take today to address risks to data networks to improve security while ensuring sovereignty and interoperability

One immediate step you would take today to address risks to data networks in order to improve security

I think the guidance has actually been given by the NCSC and in the U.S

by other organizations and all around the world, which is understanding what is actually in your network

If you think about all the different contracts over the last 30 years that we have led as subcontracts and these and all the rest of it

all of them have been implemented independently by different organizations. So we don't have one solution deployed today

Understanding what's in your network, being able to take that inventory, being able to look at where your risks are

and very quickly go, that's my highest risks, and address those and start to do that prioritization

I think that would be the absolute first step. It's one that's recommended by the NCSC here in the UK

And that's both commercially and leads into defense as well. And I think that would do that piece

Who should take the lead on data sovereignty? Is it governments? Is it industry

Or is it coalitions, groups like NATO? Or maybe a combination of all the above

I think it's the government and the coalition partners. It goes back to what I said earlier

you know we collectively need to understand what their real problem challenge is and what they trying to achieve And it their data not our data They the ones that can tell us what we need to protect solid and what we can protect less

Whether we're going to have to do it at Mission Assured Secret or whether we're going to be able to do it at OS

Whether we need to do it at Buff Secret. And I think once they tell us that, then we can work out the technology to do it

So we sort of go on what we call left to right thinking. If you start with what's your big strategy, what's your outcome, not your requirement

and then we'll design the tech to address your outcome, which will then align you to your strategy

And the outcome and the strategy is their data, it's their sovereignty, not ours

They need to help us help them. Yeah. I'd agree that it's a government-led operation or, you know

effectively data sovereignty is a nation's ability to deliver it and maintain it

However, it needs to be holistic. And I'll use that specific example being that traditionally we would say

we're going to go buy a weapons system or our capabilities. So look at UAVs as an example

And you go and buy the technology and data then, and the protection of the data is delivered by a different organization

or a different entity and is not a primary component within the bid process

or in thinking about the capability. But that doesn't create from the start a secure by design principle

which is heavily driven by Defence Digital. We've heard them talk about that. That's been a process here in the UK for two years to move to that secure by design

So it requires everybody to think about this from the start, whether that is when you're designing your capability as an OEM

when SIs are looking to pull together or small companies are looking to pull together bids to go after aspects

and also on the authority and on the government entities to be able to say, you need to consider these, you need to meet these standards within the bid process or in the providing capability

So it's on all of us, I think, to be able to deliver that. And I think the organizations, especially the OEMs, who think about can they, inside their capability, work with other partners, people like ourselves and others, to bring data protection as a core component of what they do and what they deliver

Not just the innovative tech that flies, sails, dives, whatever it would be

Because data is now effectively a key component of everything we do

And often you think of it, the data is actually the more component, an I-star asset

But the asset is just creating the data that is actually the part of value from that, for example

Yeah. Sean, you mentioned the GDPR earlier. And I was wondering the broader role that that plays

And I'm also reminded of what I believe just passed earlier this year, the Digital Operational Resilience Act, or DORA for short

Do those two initiatives here in the U.K. play a role in this broader conversation as well

Resilience is a big thing. resilience both at home but also when they're deployed forward

So you have to have resilience in the field and you have to have resilience back at the bases and in the UK or America or wherever so Absolutely resilience is is key and it means different things at different levels goes back to this What your outcome

What are you trying to achieve outcome of resilience in the field

May be very very different to resilience in the HQ in London and how you work that and understand that

determines what you design and I Think we need to get a little bit smart about that. We need to work out

You know how we enable that and and security and the resilience and the protection

There are lots of things. I think I think in where we are right now today. We've sort of traditional security the way we operate in the future

Can you really afford we've limited bandwidth at the edge to have a security capability that takes 20% of your bandwidth up

when you need all the bandwidth you've got for your operations and your movement of your data itself

Can you afford the sort of security models where if you change one thing, you've got to change everything

Is that affordable going forward in the current budgets and the climates that everyone knows we're working in

So I think all of those things need to be sort of holistic, and I think holistic is a great word

This isn't just about one thing. There's a whole string of things that need to be considered

together and that's quite hard. That can be quite hard, particularly where you're looking at the HQ in London

versus somebody that's five miles from the enemy. They're two very different things

I think, well, whilst not an expert on either of those frameworks

or those compliance rules and regs, I think the point is more that defense is not exempt from them. We operate within these other frameworks

And so we have to both understand them, but we also have to be able to influence them and understand that when those new laws are coming into place

or those changes and amendments, getting ahead and engaging so that we understand

what are the potential implications on us and making people understand that

And that's not to say that we don't want those regulations. We think, you know, defense holds a lot of personal information

for people who serve and the right, and that needs to be protected. So there is an aspect of it's important for us to meet those rules

because we do need to legally, but also from just doing the right thing by our people and the rest

So those frameworks have an impact on us. And we need to ensure that those individuals who are writing them and implementing them and bringing them into being understand or at least have insight of what the implication could be on defense and our ability to do what we are asked to do

But also when we come back to the coalition aspect, we have laws in the UK, but then we're then dealing with other nations that may have different laws

And that just complicates that picture. All right, we've got a few minutes left

We're going to do a lightning round. I'm making this up on the spot. Let's have a little let's have a little fun the final day here at DSCI all right first up guys

What grade would you give European data security today on a scale of a to F

All right that the only trouble I get myself in with that one No well if you need a hedge you certainly can Or maybe a range I think it definitely not an absolute

because it is implemented at different levels where you go organizationally, even within a single government

You know, different departments do this, and it's very skill-based. So I'm going to say we're sitting between that sort of that B and that D

Okay. Right? Yeah. I would agree with that, I think. and I think it's because we are exceptionally good at protecting some types of data

without a doubt. In fact, I would say in a lot of cases, the UK, the Five Eyes, the NATO

they're the best in the world at doing that. But to Sean's point, we're not the best at the world in everything

And I think the coalition integration and sharing is going to be so key going forward

It sort of moves us down the B to the F. So we're in between somewhere

We're really good at some things, not so good at others. reaching that and getting it a

Good level across a patch got a mixed report card. It's nice to bring that home to my mom all the time

Yeah, pretty good on these but your math it needs improvement. What should be the biggest priority better tech better people or better policies

I'm gonna third fourth column to that which is Moving faster to try new solutions to look at what's out there, right

If we wait three years if we wait five years a lot of the companies that are bringing interesting tech

may not be here and therefore the tech becomes unavailable but also the

assumption that the tech is going to be there if defense doesn't engage with

those companies that provide it is is a dangerous one so I think at the fourth

one is actually the answer which is in this space we need to be trying more and

when we find things that it succeed we need to implement them at pace okay

Alan I think I would say as well I would agree with that but I think there's a

There's another element which we always seem to overlook is these things need networks, they need communications

The communications are going to vary depending on where you are. And it's great having all of this capability, but if you don't have the networks that allow them to talk together, you're going to be truly struggling as well

So it's a combination of tech, I think. If all of that's in tech, it's a tech

I think we've got quite a lot of good policy. Sure. We've got about 30 seconds left

One thing you want the audience to remember today about data sovereignty. Data sovereignty is about how do you maintain data sovereignty whilst maintaining interoperability

That friction is the most difficult one we need to solve and address

Excellent. Alan? I think it is the biggest, most important challenge. And I think working out how they're going to share that across different nations is a really big challenge that we haven't yet really got to the bottom of how we're going to address

Alan, Sean, it is a great privilege to share the stage with both of you

Let's put our hands together one more time for our esteemed panelists here this morning. And a huge thank you to all of you

You made it. They're like last day at DSEI. We've got to hustle over to the panel. Enjoy the rest of your time here in London, everyone

And we will see you again soon. Thank you