Sir John Scarlett, former chief of the British Secret Intelligence Service, Michael Hayden, former director of the NSA and former director of the CIA, and Jeh Johnson, former head of the Department of Homeland Security, joined Oracle's chief executive Mark Hurd and chief corporate architect Edward Screven for a keynote session discussing security and privacy issues.
According to Johnson, the US and UK security services are now a lot better at connecting the dots relating to threats originating from overseas, but identifying homegrown threats is "much more challenging".
"The global threat is going to get worse before it gets better."
And while we are seeing a return of Great Power rivalries, "technology is a great leveller."
Hayden observed that while the world was a more dangerous place during the Cold War, the situation "has never been more complicated" than it is today.
"Cyberspace is really the new battle space", and we need policies to defend it, said Johnson. Public-private partnerships are required, especially to defend critical infrastructure.
"We think about this through a cyber lens," said Hayden, whereas Russia took a wider "information" perspective, for example by targeting the general population via social media. The US response was to harden election infrastructure, and that, he seemed to imply, was insufficient.
It is normal for nations to conduct espionage on each other, Hayden said, so if the US gained access to United Russia party emails, it would take them. The difference is that Russia used the DNC emails to covertly influence the US electorate.
Similarly, China's behaviour is natural for a nation in its circumstances, so activities such as joint naval exercises with Thailand should be seen as a good thing, especially given the incidence of piracy in that area. What's important is to get the US-China relationship right.
Scarlett agreed about the importance of that relationship, but said he sees "agitation and anxiety" in the US because of the possibility of China taking the technology leadership position.
Understanding Russia's and [its President Vladimir] Putin's drives is relatively easy, but predicting China's behaviour is much harder.
In this context of threats from nation-state actors, Hurd asked the panel whether the move to the cloud is good or bad.
Screven pointed to developments such as Oracle Cloud Infrastructure Gen 2, always-encrypted data ("we don't let [users] turn off encryption" or other security features), CASB, and so on. If you leave the choice to users, they tend not to use the security features even if they have paid for them, he said.
The impact of AI on cyber security is "a great unknown", said Hayden. While it may favour defence over offence, "I can't say that for sure."
Johnson said the Department of Defence was looking at the issue of cloud security, but "it depends where you're coming from" – if your existing on-premises security posture is not great, moving to a secure cloud provider makes sense.
Cloud providers have the scale to provide good security, said Hayden, so moving to the cloud can improve security "as long as people didn't make dumb decisions."
One problem is that organisations are probably not putting security at the top of the list when making decisions about the cloud, said Scarlett. You need to protect whatever you consider secret, but "you're not able to protect everything".
The writer attended Oracle Open World as a guest of the company.