This symposium convenes senior government officials and experts from academia and the private sector to address the U.S. Department of State’s newly created Bureau of Cyberspace and Digital Policy, the goals of American cyber diplomacy, and how major public and private international stakeholders can advance global cyber cooperation amidst threats from authoritarian states like Russia and China.
The John B. Hurford Memorial Lecture was inaugurated in 2002 in memory of CFR member John B. Hurford, and features individuals who represent critical new thinking in international affairs and foreign policy.
SEGAL: Good afternoon. I’m Adam Segal. I direct the Digital and Cyberspace Policy Program here at the Council on Foreign Relations.
And it’s a real pleasure to be able to welcome Ambassador Nate Fick back to CFR. I’m not sure I’ve seen Nate since we rolled out the Task Force on Confronting Reality in Cyberspace. So it’s a real pleasure to have him back here today and have the chance to hear his thinking about his time as our initial ambassador-at-large for cyberspace and digital policy.
I want to remind everyone to please enroll and subscribe to all the digital and cyberspace policy products, Net Politics, the newsletter, and keep up with the cyber operations tracker, which is, as far as I know, the largest known database of state operations in cyberspace.
And I just want to take a brief second to thank the Washington Programs for helping put this on; making this a part of the Hurford Memorial Lectures; and, in particular, to thank Connor Sutherland for all his hard, great work in putting all of this together.
So, with no further ado, I’m going to turn it over to Ambassador Fick and Amna—excuse me—Nawaz to have the discussion today. Thanks. (Applause.)
NAWAZ: Good afternoon, everyone. Thank you so much for being here.
I’m Amna Nawaz of the PBS NewsHour. I’ll be presiding over this session and conversation with Ambassador Nate Fick. Thank you for being here.
FICK: Pleasure to be here. Thank you.
NAWAZ: I do want to just welcome everyone both here in the room and online to this John B. Hurford Lecture. It was inaugurated in 2002 in memory of Council member John B. Hurford. The annual lecture features individuals who represent critical and new thinking in foreign policy and international affairs. And a special welcome and thank you to members of the Hurford family, I believe, who are with us, Hilga and Jennifer, and other friends of the family as well. Thank you for your support. (Applause.)
I’m honored to be here in conversation with Ambassador Nathaniel Fick, ambassador-at-large for cyberspace and digital policy at the U.S. Department of State.
Thanks for being here. How are you doing today?
FICK: I’m doing great. It’s great to be here with you, Amna. Thank you, and great to be back at CFR.
As Adam mentioned, I was on the board here for a hot second before I had to resign to take this job in the government, maybe the shortest tenure of any director in CFR history. But during that time I had the pleasure of working alongside Adam to write a task force on—a report on cybersecurity and I don’t think I had any idea at the time how timely and relevant that would be.
So good to be back at CFR. Thank you.
NAWAZ: Certainly a lot to talk about.
Well, we’re coming up on a big anniversary. April 1, right, will mark the first year since the Bureau of Cyberspace and Digital Policy, or the CDP, was established. How is it going?
The federal government is not known for moving very quickly on a lot of these things. Do you have the staffing, the funding, the resources, you need to do what you need to do?
FICK: So I will tell you every day feels like, you know, a struggle in the machine. If I pull the lens back and think about it over the course of the year we’ve come an incredible distance actually.
So we—this Bureau of Cyberspace and Digital Policy pulls together work that had been ongoing at the department before in cybersecurity policy, in information, communications, and technology policy so the—like, the underlying guts of the internet—the cable and the fiber and the satellites and the wireless networks and the data centers, adds to it under my remit emerging technologies—artificial intelligence, quantum science, synthetic biology—and then puts it all on a foundation of human rights and digital freedom.
So we’re pulling together preexisting work that had been going pretty well, added new stuff to it with the goal of integrating and elevating our approach, and now the challenge is we need to institutionalize it inside the department and inside our diplomacy.
NAWAZ: So the latest White House budget I saw released had something like $400 million for your bureau specifically. Is that enough for you to do what you need to do?
FICK: So there are a couple of buckets here. We need the people, right, and those aren’t all on my—my—payroll. We have the team at the State Department, a hundred and twenty or a hundred and thirty people. But it’s fundamentally a service provider organization, right.
If we build a vertical of excellence in technology diplomacy we have failed. The people on the frontlines are out in the embassies around the world and so we’ve started a new course at the Foreign Service Institute to train cyber and digital policy officers with the goal of having one in every embassy around the world within two years. So that’s one piece of it.
The second big budgetary piece is foreign assistance, and I think it would be incredibly useful and impactful to have a dedicated cyber assistance budget that we can use to deploy resources quickly, proactively, to increase the cybersecurity resilience and capacity of our partners but also reactively when the bad thing happens.
NAWAZ: That’s a separate budget you’d propose, separate from what the bureau was allocated, right?
FICK: The bureau currently has foreign assistance dollars. So it would be increasing, over time, kind of both elements of the budget.
NAWAZ: That’s interesting. So you’re thinking about training up existing staff. We’ve heard so much about the severe shortage of—in the talent pipeline when it comes to cybersecurity experts. Are you trying to bring any more folks online? New people into the team, too?
FICK: Yeah, we are, absolutely. In the NDAA we have a special hiring authority to hire twenty-five people in an accelerated fashion that sort of does an end run around a fair amount of the bureaucracy, which is great because, you know, this is one of those areas where, you know, the public-private element here is unique.
I mean, if you want to do arms control work, you know, there aren’t a ton—you got to do it in the U.S. government or near adjacencies, right. You want to do tech work my competitive set is the entire economy to hire people.
So we do. We need to—we need to have the authorities but we also need to create the kind of sense of purpose and mission that attracts people and then the culture that makes it a rewarding place to be.
NAWAZ: You figured out how to end run the bureaucracy. I have some folks who may want to call you and ask for advice.
FICK: Work in—work in progress. (Laughter.)
NAWAZ: The administration did release this huge National Cybersecurity Strategy and I want to ask about your bureau’s role in that because there’s this fundamental shift in that about rebalancing responsibility, right, away from individuals and small businesses and local governments here and more to people, as they put it, who are the most capable and better positioned actors to defend cyberspace.
What does that strategy mean for how you do your work?
FICK: Yeah. So the National Cybersecurity Strategy has been out for a couple of weeks now, the result of a long and inclusive process led by the Office of the National Cyber Director, and my impression in—iterating on drafts and now in the final product is it represents the maturation of our approach to cybersecurity.
It takes—too often we talk about cybersecurity, cyber threats, cyberattacks, as if they’re this exogenous thing. They’re like thunderstorms, you know, sweeping across the plains and lightning comes down.
But that’s not what they are at all. These are human actors on the other side of a connection operating in—generally, in self-interest or national interest with resources and training and campaign planning behind them.
And so what the strategy does is it says, OK, this isn’t some exogenous thing. We have existing enterprise risk management frameworks that we’re all familiar with in business and in government and this takes cyber risk and it rolls it into those frameworks.
So the strategy is heavy on things like regulation, liability, insurance. I think it’s the most natural thing in the world. It is the—again, the normalization of cyber risk rather than treating it like some bolt from the blue.
NAWAZ: So from a diplomatic standpoint what does that mean for you?
FICK: It closes the gap significantly for me between the constant diplomatic challenge of the question of whether our domestic policies support a strong foreign policy. And so in this case now, my perspective is we have a stronger and more robust domestic approach that gives us, me and my team, a stronger leg to stand on when we are now advocating for similarly mature, responsible approaches among allies and partners.
NAWAZ: It strikes me that the first year of the bureau’s existence—I mean, the world is in a different place today than it was a year ago and I wonder how much of this strategy and also your approach to what you do has been informed by Russia’s war in Ukraine and the cyberattacks particularly against critical infrastructure we know they carried out.
FICK: Yeah. I think you’re right. I think the game has changed in some meaningful ways.
I was just in Brussels with our NATO ambassador, Julie Smith, and the perm reps—the assembled permanent representatives of the thirty NATO member states—talking about cybersecurity of the alliance, cybersecurity policy across the alliance, and cyber assistance to Ukraine.
And one of the things that really stands out is the degree to which the war in Ukraine is—it is the simultaneous employment of World War I style weapons and tactics, World War II style weapons and tactics, and World War III style weapons and tactics. You have trench warfare alongside maneuver warfare, tanks and artillery, alongside the really innovative creative uses of commercial off-the-shelf technology, satellite communications and targeting and, you know, a whole basket of cyber tools, offensive and defensive.
The lessons here are the interesting piece. What have we learned? Like, what can we apply maybe in other places? And I mean, there are a handful.
One, the Ukrainian government migrated most of its enterprise to the cloud before the invasion even happened, in the final weeks, really, and that cloud migration gave the government of Ukraine the ability to deliver government services and communicate with its people continuously despite the destruction of its communications infrastructure.
A second game changer, I would say, was the proliferation of resilient satellite communications and everything that that enabled, and then the third was the quickening of the feedback loop between the Ukrainian government, partner organizations that were helping, and the private sector to deploy software updates and patches in order to blunt Russian cyberattacks across hundreds of millions of machines in Ukraine.
It’s not that the Russian cyberattacks didn’t happen. It’s that they didn’t, generally, work.
NAWAZ: Mmm hmm. And this was—correct me if I’m wrong—there were these experts from the U.S. that were deployed to Ukraine in late 2021, right, and this kind of hunt forward sort of operation. Were you able to learn things in those operations that also helped to protect U.S. critical infrastructure in terms of what those actors were doing?
FICK: So one of the sort of baseline realities, I think, of the digital ecosystem is that risk federates. You know, no person is an island. And so, yes, anything that’s happening anywhere can affect everything that’s happening everywhere.
So the lessons that were learned inside Ukraine have affected what has happened in Europe. What has happened in Europe affects what’s happening here, and temporally, too, one of the realities of these cyber capabilities—the offensive capabilities—is when you throw them out there into the world and I don’t—when I say we I mean when one throws them out there into the world—they come back in ways that maybe can’t be anticipated.
It’s not like a kinetic bomb that, you know, it explodes and then it’s gone. They’re out there and they’re like boomerangs spinning in the dark. You know, they’re going to come back and you may not see them coming. And so, one, you need to be careful about throwing them, and, two, we need to recognize that when they’re out there we have a global interest in stopping them.
NAWAZ: Are those U.S. experts still on the ground there? I mean, what does cooperation look like between the U.S. and Ukraine now?
FICK: So it’s robust cooperation and one of the big evolutions that has happened has been, you know, an increase in the ability to deploy this sort of thing—these sort of support capabilities remotely and virtually. Again, it’s the virtualization of everything.
If we can’t deploy cyber capability remotely then, you know, so we should be able to do that and we can and we are. And also I think a conceptual shift from, you know, proverbially, like giving people fish to teaching them to fish and building capacity, and thinking about the capacity-building element of it is intrinsic to that support mission.
NAWAZ: How do you look at the U.S. vulnerability, though, or the possibility of those kinds of attacks? Because I recall early in the war there were a lot of warnings going out. I remember particularly from Homeland Security there was conversation around the potential for attacks against U.S. critical infrastructure and U.S. targets. The longer the war goes on do you see that threat going up?
FICK: I think—look, it’s a double-edged sword always. The United States is more vulnerable because we’re more connected, more vulnerable—we’re more vulnerable because we are the generators of so much intellectual property that is, you know, economically valuable and sought after around the world. It’s not an argument for being less connected or generating less IP.
So the question then is how do you deploy finite resources to protect against infinite threats and there, you know, back to the cybersecurity strategy, I think it does a pretty good job of kind of triaging and identifying the most critical areas that we really need to ensure we are focused on protecting in order to continue to deliver services.
NAWAZ: In partnering in those cooperative efforts are they—can you kind of characterize them? Are they purely defensive meant to sort of repel attacks or are there more proactive measures that you could say are actually punitive towards the people carrying out these efforts?
FICK: So I’ll go back to my private-sector days here. You know, I spent ten years building a cybersecurity software business and one of the things that became really clear in the course of doing that was that offense and defense in cybersecurity look a lot more like soccer than they do like football.
You know, it is not a black and white transition from offense to defense. It is a much more dynamic kind of ebb and take—ebb and flow, and you can sort of parse out operations across a continuum from offensive to defensive and it’s—frankly, in the middle it’s pretty hard to tell where you’re shifting from one to another.
So, look, it’s not my place to comment on the offensive operations of the U.S. government. But it’s a dynamic continuum and I think that trying to categorize things as, really, exclusively offensive or defensive may be rhetorically simple but usually doesn’t accurately capture what’s going on.
NAWAZ: When it comes to the vulnerabilities here just on the U.S. side, though, we know there are some sectors that are just more—much more heavily regulated in terms of mandated cybersecurity protocols, right. Nuclear energy, so on.
There are so many that are not, and I know this doesn’t fall under your purview. Just from your own expertise and your insight how concerned are you about those sectors that just have fewer mandated protocols?
FICK: Yeah. It’s a really interesting question, Amna, and a philosophical one, right, and it extends to—it actually extends to every aspect of what—I feel like every aspect of what I’m doing because, on the one hand, the most critical—historically, the most critical private infrastructure in the U.S. has been the most highly regulated. They’re the pieces of the infrastructure that are closest to the government, you know.
So—well, we all know what they are, but you can sort of look swim lane by swim lane and as you get farther away from the federal government you tend to get less regulated. I think that we—you know, a personal hypothesis here, at the risk of extending a personal hypothesis, is we might be going through a little bit of a phase shift away from this era of really laissez-faire techno capitalism and we’re going to—I’ll give you some examples.
So a much more robust regime of industrial policies seems to be in the offing—export controls, the rewiring of global supply chains, you know, so much of what we see in the CHIPS Act.
Second, the comments we already discussed about the National Cybersecurity Strategy, which is focused, again, on burden-sharing and liability and regulation and insurance. So that is a regulatory approach to drive and generate higher security.
And then, third, the president wrote an op-ed in the Wall Street Journal in January calling for federal privacy regulation and platform accountability, two steps, I would add, that would meaningfully close the gap that exists right now between us and our European partners, and right now we are trying to collaborate as closely as possible all around the world with like-minded partners in order to sustain and defend a technology ecosystem and advantage that we mutually need in the decades ahead.
NAWAZ: In addition to Russia, of course, officials have called out specifically Iran, North Korea, and China for what they call reckless disregard for the rule of law and human rights in cyberspace.
So you are the guy who goes in the room to deliver those messages to other nations. What can you tell us about what those conversations are like, especially with regard to China?
FICK: I think I—well, I think I might have had the first conversation with a Chinese official after the spy balloon incident at a dinner in the Philippines where a Chinese official and I got seated together.
More common are discussions not necessarily with but across from Russian counterparts in fora all around the world and I will tell you, I mean, one thing that’s really palpable there is the degree to which the Russians are visibly isolated.
I mean, just the little human interactions. You know, at lunch nobody wants to sit with them, like—(laughter)—you know, keep an empty seat on the other side of them. It was like—it reminded me of middle school, you know.
At a coffee break nobody wants to risk being at the coffee pot and having a picture taken with them. So there’s a really visceral palpable sense of kind of human isolation that is following their diplomats around the world.
NAWAZ: And what about with China? You thought I’d move on to Russia but I’m going to go back to that meeting you had with the Chinese official after the spy balloon. What was that conversation like?
FICK: So, well, I mean—well, we’ve all read about kind of, you know, wolf warrior diplomacy and, you know, when you’re feeling up, you’re feeling up. And I think that, you know, some of the tone can be quite aggressive and assertive and confident and, you know, I think we also have a fair amount to be confident about and try to convey that in return.
NAWAZ: You talk about the base infrastructure of the internet being a huge part of your portfolio, right.
What kind of—how does it change the landscape? How does it—does it put the U.S. at a disadvantage when you have China pouring all this money into Huawei and Huawei being the force that it is right now? What kind of position does that put you?
FICK: So this is a great example of the kind of technology competition that I’m talking about and the strategic impact of it over the years ahead.
If you and I were sitting here having this conversation in 1992 or 1995—I don’t know. When did you get your first cell phone? I got mine in 1997 or something. So in—if we were having this conversation in the mid ’90s the U.S. and Europe and South Korea together, Japan, you know, we had Motorola and Alcatel and Lucent and Bell Labs and Nokia and Ericsson, and you can go down the list of—we had what felt like an insurmountable advantage in the global telecommunications infrastructure.
We lost it. We lost it. We lost it to two decades of Chinese subsidization of Huawei, two decades of margin compression driven by that subsidization among its competitors that drove R&D budgets down, created gaps in kind of capability and technology and drove companies out of business.
So we’re in a world today where it’s sort of a global competition between trusted infrastructure, which I would, largely, define as Nokia, Ericsson, Samsung, a handful of others, and the whole, hopefully, growing ecosystem of Open RAN vendors, and then Huawei and to a lesser extent ZTE.
And this battle is happening, largely, across developing economies in Africa and Southeast Asia and elsewhere. But don’t forget the cell tower on top of the Bayerischer Hof in Munich during the Munich Security Conference last month was a tower with Huawei gear in it.
So, you know, this is happening everywhere. It’s happening in rural areas of the United States where there’s still Huawei equipment deployed. And it—when the architecture of our—of the global internet, the—again, the cables and the satellites and the wireless networks are fundamentally untrusted then it has downstream implications for every other aspect of our cybersecurity.
So, yes, we have a huge national interest and we in the bureau have a huge mission to advocate for and then try to finance, negotiate, deploy trusted infrastructure all around the world.
NAWAZ: How does that complicate your diplomatic efforts? I mean, it sounds like you have almost no leverage. If you go into a conversation with the Chinese and they basically are running the table with this kind of technology how do you do your job?
FICK: Yeah. It’s a couple of things.
So, first of all, it is very hard to meet—for any Western or Western-minded, if I can use that term, vendor to beat Huawei on price on day one. We are working on coming up with creative financing mechanisms to help close that gap.
I think the picture changes if you look at the TCO, you look at the total cost of ownership, which any smart software buyer is going to do, and over the lifespan of the relationship if you’re looking at availability of upgrades, you’re looking at kind of caliber of support over time, you’re looking at political risk and how it impacts your global telecommunications infrastructure over time, looking at the strings that come attached to that sort of predatory financing package, the calculus starts to change.
So I think in a lot of ways the bloom is off the rose on the Belt and Road Initiative. Countries are seeing the price tag over the long term that comes with the goodies, and so that makes the conversations now, I think, much easier than they were, say, ten years ago.
NAWAZ: Who are your strongest allies? A lot of this is building the groundwork of the allies, right, in terms of countering hostile nations or where hostile actors could be working from.
So when it comes to China in particular who are your strongest allies in terms of countering that threat?
FICK: Look, it mirrors, I think, in a lot of ways—again, the broader point for me is it’s very hard and, ultimately, not helpful to look at cybersecurity as some exogenous thing. If we’re talking about the business risk we should integrate it. If we’re talking about the technology landscape we should integrate it, build better products, build better hardware, build better software. If we’re talking about geopolitics, too, we should integrate it.
And so it should become increasingly untenable for anyone, say, you know, my colleagues to do East Asia diplomacy absent technology diplomacy or human rights diplomacy absent technology diplomacy.
And so if you integrate it and you look at it through that lens the answer is kind of who you would expect, right. It’s the Five Eyes. It is the Quad across the Indo-Pacific. It is NATO and our, you know, historical alliances there.
It is kind of the staunch U.S. allies—economic, diplomatic, informational, military—and the extension of those relationships now into the digital domain.
NAWAZ: But if the cell tower has Huawei, in Germany, are you worried that the threat is not seen in the same way even by U.S. allies?
FICK: So I think there have been uneven—there has been uneven acknowledgement of the threat. There has been uneven willingness to pay more in order to counter the threat and deploy trusted stuff, and I would say now there is a much more shared understanding and there are remediation plans in place and, you know, they run up into budgetary and operational realities.
NAWAZ: In terms of the law enforcement angle, I have a couple more questions on this and then I will open it up to members for questions as well.
But there’s a lot of folks who point to models like the European Cybercrime Centre, right, set up back in 2013 by Europol. I think it’s strengthened the law enforcement response to cyber crimes.
Is U.S. law enforcement strong enough, is it updated enough, is this coordinated enough to respond in the proper way to the current threat?
FICK: So, I mean, generally speaking, I think we’ve seen a pretty robust set of U.S. law enforcement actions over a pretty long period of time, over the better part of a decade, things like, you know, naming and shaming and indictments and sanctions, and I don’t think there’s a silver bullet here. It’s the classic, you know, kind of—it’s a lot—there are a lot of elements.
A very interesting element, in my view, of the criminal and legal approach to all this below the threshold of the use of force. So it’s worth clarifying. Cyber activity above the threshold of the use of force we have a pretty clear and well understood response paradigm—you know, declaratory policy, escalatory policy, all the stuff that national security folks are familiar with.
Where it gets interesting, of course, is where it’s gray and where it’s gray is below the threshold, and so something that we spend a fair amount of diplomatic energy on that is relevant to this is the idea of attribution.
So, historically, attributing cyberattacks to actors was technically difficult. We’ve come a long way in that regard. It is much less technically difficult than it used to be but it can still be very politically difficult to publicly attribute an attack to a particular actor.
But if we’re going to take legal action and we’re going to use the courts below the threshold of the use of force, whether they’re domestic here or in another country or the International Criminal Court or other legal mechanisms, kind of the bedrock of all of it is you have to know who your defendant is, right, and that has to be kind of forensically agreed upon and unimpeachable.
And so it is really important that we get allies and partners more comfortable and more forward leaning and more assertive on the topic of attribution than many have been.
NAWAZ: We’re talking to you at a time when we’ve seen an increase in ransomware, cyberattacks, a surge, and also those being traced to other nations as well, and I noted there when other nations face these sometimes the reaction can be very different. Australia, for example, had massive breaches. Something like 40 percent of the nation had personal data that was compromised. They immediately established a special office to basically rewrite all of their cyber laws.
Is the U.S. lagging behind on that?
FICK: So different countries have all tackled it differently.
Clare O’Neil, the new minister in Australia, is actually a grad school classmate of mine. I’m very glad to see her take on that remit. Different countries are tackling it differently. We don’t have a digital ministry here. We don’t have a telecommunications ministry.
We have the National Telecommunications Infrastructure Agency within Commerce. We have the FCC. We have CISA at Homeland Security. Obviously, we have the bureau now on the diplomatic representation.
So we have a lot of elements and I think the challenge in—I think it—because cyber security is a lateral, because it’s cross cutting, I actually am a fan of our decentralized approach. I think it makes more sense to make sure that this issue is integrated into the mission of all of these agencies rather than setting up a standalone thing.
The rest of the story, of course, is you got to make sure that that orchestra produces music, not noise, and that was the intent behind the creation of the National Cyber Director in the White House, Chris Inglis, who just departed after a very solid two years getting that office up and running.
And I mean, organizationally, I think that’s what we all need to ensure continues is that the pieces play well together.
NAWAZ: Ambassador Fick, thank you for your time.
At this time I’d love to invite members here in person and with us online to join the conversation with their questions. A reminder, this conversation is on the record and I believe we’ll start here in Washington and folks online can join us.
Yes, right here in the front.
Q: Hi. My name is Alex Yergin.
This has been a great discussion so far. I think you’ve mentioned Ericsson and Nokia. So my question is to the extent you can say what would be the impact on your work if Sweden and Finland join NATO?
FICK: Ah, yeah. So I had the good fortune of attending a NATO meeting in Rome last fall and by whatever happenstance of seating I was right between the Swede and the Finn at the table and I can tell you, I don’t think this—they got the smiles off their faces the entire day. I mean, again, the sort of sense you can pick up in the room is valuable and the sense in the room was they were profoundly grateful to be at that table at this moment in history.
And so, yeah, they are really fortunate and we are fortunate that they have strong national champion telecommunications businesses in Nokia in Finland and Ericsson in Sweden. And I want to be—I have tried to be and will continue to be a champion for those businesses around the world because, again, our first priority is trusted infrastructure, and it would be massively helpful in so many ways to have such capable allies in the alliance.
So every—you know, every dark cloud has its silver lining. One of the silver linings of the incredible tragedy spawned by Russia’s war of aggression in Ukraine is the NATO alliance has not been stronger in my lifetime.
NAWAZ: I believe we have a question online.
OPERATOR: We will take our next question from Joseph Nye.
Q: Hi, Nate. Great to see you in this job.
I noticed that in your survey of the diplomacy you didn’t talk much about international—(audio break)—at the UN group of governmental experts in New York, and that’s understandable because when we issued our Council report we talked about a fragmented internet. But given the fragmentation of the internet, is there any room left for developing the kinds of norms that were produced in 2015, which were quite extensive but now seem to be set by the wayside?
FICK: Yeah. I got enough of that.
NAWAZ: You got—OK.
FICK: Professor Nye, it’s great to hear from you.
I had the great benefit fifteen years before taking this job of studying under Professor Nye, sitting at the, at the feet of one of the masters. So leave it to you to ask a very relevant and difficult question highlighting something I left out. (Laughter.)
Look, I think the bedrock proposition here about the work that’s happened at the United Nations, in my view, is that this is a great example of twenty years of the classic three yards and a cloud of dust diplomacy—the hard work, the thankless work, the work that doesn’t garner any headlines but over time results in something that is massively valuable to us.
And I would put the framework for responsible state behavior in cyberspace, which is the—one of the results of that effort that Professor Nye described I’d put it in that category. This is an agreement that has been reaffirmed multiple times by every UN member state. Every UN member state.
I would challenge this room and anybody online to identify another topic today in today’s geopolitical environment where we could get every UN member state to sign on to something meaningful. I can’t think of a single one.
So this framework essentially agrees to extend the existing body of international law into the cyber domain rather than starting fresh to create a new body of international law, which we view as really fundamental to safeguarding human rights online.
The second thing it does is it—as Professor Nye mentioned, it is a set of norms—nonbinding norms—governing responsible state behavior, and the third thing it does is set up a set of confidence-building measures to increase trust and avoid unintentional escalation.
This is really valuable work in terms of putting a moral authority and a legitimacy underneath our positions and that’s essential.
Now, the task force that Professor Nye and Adam and Niloo and others of us in this room—Anya, Connor, where many of us are in this room—were a part of, one of the things we said that I would endorse in this role is that our allies tend to care more about our norms than our adversaries do, which is true.
But it doesn’t mean that the norms don’t matter. So the establishment of the norms provides a moral and ethical and a framework from which we can then reach to achieve new things.
So I do think it’s really important still, Professor Nye. As a matter of fact I’m going to the U.S. mission at the UN on Thursday this week in order to discuss the work of the open-ended working group that’s happened over the past couple of weeks.
NAWAZ: Thank you for that question.
Q: Mark Kennedy with the Wilson Center.
You spoke of the decades of subsidies that Huawei has been getting and the difficulty of matching that from a price perspective. From the National Defense Strategy they said that we need to be able to make sure that we can mobilize our military and part of deterring aggression is knowing that we can do that.
But you have places like Philippines that we rely on for mobilization and, yet, I don’t know that we can say that we have the trusted communications there. What extra measures that we’re not doing that we need to do—that we have to do in order to make sure we have trusted communications in areas where we need to mobilize if we’re going to truly deter aggression?
FICK: Yeah. This is a really important question and I’m not sure it’s something that gets enough kind of coverage in the popular consciousness because you’re right, it’s essential.
Again, I think I mentioned risk federates across relationships. It’s one of the intrinsic realities of the digital world. And so, you know, the old adage that a chain is only as strong as its weakest link—I mean, it’s overused—it really applies here.
If we don’t have a trusted communications network among allies during a contingency then we can’t communicate. We can’t transmit data and information, which is fundamentally why ensuring that these cables—the fiber, the wireless networks, the satellites, the data centers—that they are trusted, that they are reliable, that they are secure.
And, you know, you can probably look at my travel schedule and the travel schedules of others to sort of get a sense of where that’s really important. I was just in the Philippines. Secretary Austin was there right before me, and this is the topic of conversation is, OK, how do we—you know, how do we really ensure the resilience and security of our communications or infrastructure now in the event that we’re going to need it.
There’s a technology angle to that, obviously, and there’s a ground game diplomacy angle to that and there’s a funding angle to that and they have to all come together. But we do have a massive national interest and shared interest across allies in ensuring that arcane—seemingly arcane topics like where do the undersea cables run, like where are they actually routed, that really matters, and does the routing that was done twenty years ago or twenty-five years ago to optimize on efficiency and cost is that the right routing in the future. Or, as with everything, might there be some trade-offs between security and convenience that we need to make in order to ensure that we have a resilient, secure, trusted infrastructure.
NAWAZ: I believe we have another question online.
OPERATOR: We will take our next question from Munish Walther-Puri.
Q: Thank you so much for your comments and discussion.
I was wondering if you could talk more about how you see supply chain issues interacting with some of the cyber risk issues that we’re facing. You talked a little bit about our relationships, but from a geopolitical standpoint it seems like a complicated place. So I would love to hear how you’re thinking about this with our allies.
FICK: Sure. So it’s a timely question. Today marks the launch of the ITSI funds—the State Department element of the CHIPS funding, the Information Technology Security and Innovation fund—aimed at helping to ensure the resilience and security of semiconductor supply chains and also of secure telecommunications infrastructure.
So this idea of rewiring supply chains over time in order to sustain and defend kind of shared technology interest is, I think, one of the core underpinnings of American and partner power in the decades ahead. And this is full spectrum. OK. This extends from, you know, all the—everything we read about in the press around the Taiwan Semiconductor Manufacturing Corporation and, you know, how do we diversify that supply chain in order to ensure the, you know, resilience of it.
I’m guessing just about everybody in this room has a TSMC product on their person right now, almost everybody, and if you don’t here you do at home. So it’s something that really matters. But it matters all the way down to, you know, the simple notion that no member of a U.S. mission overseas, regardless of agency, should be doing things like buying a router on the local marketplace. Like, don’t do that. That’s not a good idea. Trade the security for convenience, order it here, get it shipped to you in a trusted manner, and then deploy it.
But the supply chain question is a foundational one and, make no mistake, it’s going to require trading a little bit of the operational convenience and cost optimization for security over time and that’s a trade that, you know, it’s always going to involve a judgment call. But I think a shift in that direction is well warranted.
NAWAZ: Thank you for that.
Yes. Go ahead. Yeah.
Q: Thanks very much. James Siebens from the Stimson Center.
You mentioned a few things that I wanted to ask you to dive a little deeper into. First, the threshold of armed conflict. That’s something that remains somewhat ill-defined in the international space. So how does the U.S. cyber strategy address acts of aggression that would rise to that threshold?
And the main reason why I’m interested in getting a particular answer on this is because you talked about engaging insurers. As you know, insurers will exclude warlike acts from coverage in their policies most often and so how is that determination to be reached in the United States?
FICK: Yeah. It’s a good—it’s a great question. It’s one where I can only give you a wildly imperfect and unsatisfying answer. Part of that is because it’s an emerging body of thinking, part of it because there’s—there should be intentional strategic ambiguity, right, about where that line is. Part of it because it’s going to be highly case specific.
There’s a little bit of the old Potter Stewart—you know, I’ll know it when I see it—in this. I think it was Potter Stewart who said that—I’ll know it when I see it.
Look, if there’s a cyberattack—you know, the classic example people invoke is if there’s a cyberattack on a hospital, you know, and people die, OK, that is clearly on one side of the line. A cyberattack on, you know, air traffic control infrastructure and there’s a collision and people die, OK, we know sort of what that looks like.
At the other end of the spectrum there’s all kinds of, you know, malicious but, ultimately, just annoying behavior that happens where none of us has an interest in escalating or invoking Article 5 or doing anything draconian.
So, again, those two areas are fairly well defined. I think what you’re driving at is where do you draw the line—what happens there in the middle. And, again, you know, the line is not bright red just as it isn’t—you know, I would remind us in the kinetic world, you know, we’ve had presidents declare red lines that have proven not to be so red, right.
I mean, you know, these things are ambiguous. It’s not unique to the cyber domain. And some of that ambiguity is because it’s new and ever evolving. Some of that ambiguity is intentional.
On the insurance question, I think you raise a really good point because that is a carve out in most policies, right. Some of the most interesting businesses today that I am interested in watching from the perch of this job are businesses in the cyber insurance space because, you know, we’re getting to the point where, again, if we’re going to—if we’re going to roll this into existing enterprise risk management frameworks what do you do with the risk?
We can really only do three things with it. You can accept it and just say there’s an amount of risk we’re going to bear and you probably ought to do that to some degree. You can mitigate it. That’s what we usually spend our time on—people, process, tech. Or you can transfer it via a mechanism like insurance.
And so the maturation of that risk transfer is going to be really important and I think we have enough attacks now. You know, unfortunately, we’ve seen enough attacks with enough definable economic consequences that it’s becoming more possible to price the risk.
NAWAZ: Could I follow up on that very briefly, though?
Is your sense when you were in the room talking to some of these folks from China or Russia, for example, is your sense that they understand where the line is? Because even on the kinetic side we’ll see there’s been a lot of confusion even out in the open, right. What would Russia consider escalatory or not?
FICK: Sure. No, I think—look, I think that our adversaries are very good at creeping up to that line and I think there’s always the risk of kind of a frog in boiling water strategy, too, where something that seems incremental today would have felt wildly escalatory a quarter ago or a year ago or a decade ago.
And so it is useful as an intellectual exercise to continue kind of recentering ourselves on where we thought the lines were before and check whether we’re subject to that frog-in-boiling-water effect.
NAWAZ: Thank you for that. Sorry to take up members’ time with a follow-up.
I think we have another question online? Yes.
OPERATOR: We will take our next question from Erin Dumbacher.
Q: Hi. Thank you so much for your presentation today.
I’m wondering if you could speak a little bit to how, in your leadership of this new bureau, you’re able to divide your team’s time between focus sort of on allies and partners and those sort of in the middle versus the strategic competitors and the adversaries. How are you thinking about distribution of team resources there?
And then, separately, I would love if you could comment on what implications you see from the Viasat hack and takedown early in the Ukraine war relative to sort of cross-domain U.S. policy? Thank you.
FICK: Sure. Let me try to take those in turn.
So on kind of team allocation of time and energy there are a couple things that I would point out there.
One, anybody who read the National Cybersecurity Strategy, which I’m sure is everybody in this room, would have noted that there’s a—the fifth pillar in the strategy is the international pillar and it is not the majority of the strategy.
So it is intended to be like an API, if I can use a technology term, to plug in a more robust international strategy that our team is developing. The essence of strategy, of course, is the allocation of finite resources against infinite priorities and so the exercise of drafting that international strategy is, in part, an exercise to do what you alluded to, which is how do we spend our time and our resources.
I think a really important force multiplier for us there is to cast everything we do in terms of an affirmative vision for what the benefits of a shared technology future can be. Even—look at the conversational dynamic in this room, right. We all do this. We talk about China. We talk about Russia. It intentionally or unintentionally becomes a competitive conversation and it’s easy to go down that path and lose sight of what I would argue is the bigger picture, which is the power of these technologies is extraordinary to bring—to actually bring good things to our lives.
You know, we’re going to live longer because of it. Our kids, they’re going to learn in different and, I think, in many better ways because of it. We’re going to benefit from so many communication and, you know, educational and health care and transportation and, you know, other benefits.
So there’s a massive shared global interest in trying to harness the benefits of these technologies while minimizing the downsides that come with them.
So my answer to your question about how we split our time is we’re going to anchor everything we do in the positive, compelling affirmative vision. That’s going to align us very neatly with our allies and partners. It’s going to provide a more persuasive framing for the middle ground states.
Is it an effective diplomatic strategy to walk into a small country in Southeast Asia and pound the table and say, you’re with us or you’re against us with China? It’s not. It’s no more effective than doing it with my teenage daughters. Like, it doesn’t work so don’t do it.
We have to be smarter about it. So much better to posit a shared affirmative compelling vision that people can buy into for the benefit of their own citizens, not—and then not—you know, avoid the risk of looking like they’re kowtowing to the United States.
So I think that’s the clarifying point for the question and it points to a way to unite how we spend time with allies and spend time with the so-called middle ground states. And as with, you know, any management situation you can run the risk of spending 50 percent of your time on the 2 percent that are problems and we really need to guard against doing that in a policy sense.
NAWAZ: I think the second part of the question was on Viasat. Yeah.
FICK: The second part was Viasat. Yeah. Thank you. Thank you for keeping me on track.
Yeah. Viasat was very interesting, right. So we saw a destructive cyberattack early in the war that clearly had consequences outside the borders of Ukraine and then we didn’t see any more, and I think there was a—you know, there’s a reason for that.
So, you know, collective defense and presenting a unified and collective response to attacks of all kinds is NATO’s foundational purpose and I think we saw, you know, a real circuit breaker kind of benefit in preventing any sort of a cascade of other negative consequences.
It is our shared responsibility now to make sure that that circuit breaker continues to function.
NAWAZ: Can you say more on that in terms of the response?
FICK: Not really. (Laughter.)
NAWAZ: A kinetic response?
FICK: Well, so I am of the view that it is cyber deterrence and, look, we have people in this room who’ve done more work on this—much more work on this than I have, including Professor Nye.
We should not think about cyber deterrence as cyber tit for cyber tat. We should think about cyber deterrence as marshaling every element of national power—digital, diplomatic, economic, informational, and yes, if necessary, military, in order to prevent bad things from happening or from escalating.
NAWAZ: A diplomatic answer. (Laughter.)
FICK: I’m learning.
NAWAZ: Here in the room. Yes, please.
Q: I’m Tomicah Tillemann with Haun Ventures.
If I can pick up on the excellent point you made a moment ago regarding the need for an affirmative vision for our technology future, right now if I’m a human on planet Earth and I want to use technology I pretty much have two choices. There’s an authoritarian paradigm emanating from Beijing where my private information is going to be aggregated and used to manipulate my behavior for political purposes and then there is a big tech paradigm emanating from the United States in which my private information is going to be aggregated and used to manipulate my behavior for commercial purposes. Neither one of those paradigms is particularly compatible with a healthy open society and we’re starting to learn this now. What can policymakers do to move us toward a new paradigm where we’re going to have community-owned community-governed platforms that will give people more control over their information?
FICK: So the view that you expressed, the competition between these two paradigms that are each in their own way similarly unappetizing to a lot of people, I think is widely shared. I was at the U.S.—and the dynamic is particularly acute when we’re talking about the United States and the European Union. I was at the U.S.-EU TTC—the Trade and Technology Council—which is the forum where a lot of this work is going to be adjudicated. I was at that ministerial meeting in December and the EU executive vice president, Margrethe Vestager, who’s a phenomenally capable diplomat, leaned across the table and she said in kind of a moment of candor—she said, hey, this thing is only going to work if we actually like each other, not because we both don’t like the third guy, which is exactly right and sort of helped set the tone in the room to close the gap that I think has opened between the U.S. and the EU on some of these issues.
When I was in Brussels last week an EU technology counterpart said, look, we need to break the model, the paradigm, where, you know, the talk is the U.S. operates and the EU regulates, and that’s just not going to work because we have—our shared interests are too great here.
So the way I think about it is, going back to that telecom point, you know, we had a shared advantage in 1995 and we lost it. What are the areas where we have massive shared advantage today? I think you alluded to one of them. I would say the cloud, kind of broadly.
It’s no accident that the top four global cloud providers are American companies, right. That’s because of historically an immigration policy that attracts bright minds from around the world and then finds a way to persuade them to stay.
Tax and regulatory policies that encourage business creation and growth. Not unfettered, right. I was on the phone all weekend reminding my former colleagues who came in and saved you with SVB, right. So not unfettered.
But the—so we have this cloud advantage. We need to sustain it and maintain it. We would love to see some European or Japanese or Korean or Australian cloud startup scale and become a global hyperscale cloud provider. That would be awesome. That would be great for the global technology landscape and competitive ecosystem.
What we can’t afford to happen is let our differences on issues of privacy and data localization and other things drive a wedge between us. That opens a gap for untrusted vendors to run the table on cloud or other technologies in the way that they’ve run the table on 5G and previous G infrastructure.
So that’s why I think the president’s op-ed was helpful because it moved us a big step towards helping to close that gap, and what I tell my European colleagues is, look, we live in a democratic society so I am confident that we’re going to get there on privacy regulation.
I don’t think we’re going to copy and paste the GDPR but I hope we improve upon it, and I think we’re going to get there on aspects of platform accountability and that’s going to help us find a shared way forward that is going to allow us to maintain our sustain—to sustain and defend our technology advantage in these areas that matter.
NAWAZ: Thank you for the question.
I think we’ll go back online for our next question, please.
OPERATOR: We will take our next question from Kenneth Oye.
Q: Ambassador, thank you for your remarks.
My question is motivated by conversations with MIT geeks and D.C. policy wonks. Both have been a bit surprised, not by the total absence of kinetic activity but much lower levels of quasi kinetic attacks than expected. Plenty of information theft and misinformation but less in the kinetic realm. It’s not a dog that is not barking but barking less than expected. Would you agree with those geeks and wonks? Were you, in fact, surprised that there has not been more and to what do you attribute it?
FICK: Do you mean in the context of Ukraine specifically or do you mean more broadly?
Q: I mean it both ways. Certainly, there has been activity in Ukraine. But I can recall sitting in the room that you’re in now a few years ago at a Council function and the predictions, more generally, were for much more in the way of attacks on infrastructure and takedowns.
And what are your or were your expectations, and if this is accurate, if public and open sources are lined up with the information you have now why do you think that’s so? Is it really deterrence or Russians are just bad at it? Or is the information that we have in public sources wrong?
FICK: Look, I think the information we have in public sources is pretty good and, you know, if there were massive kinetic effects from cyber and other digital operations we would—you know, we would see them. We would feel them. We would know about them, by and large.
And I think there are a lot of reasons for it. Deterrence is part of it, for sure. I do think deterrence works, to some extent.
Now, does it work enough? Probably not. I mean, we wouldn’t be suffering from, you know, decades of IP theft if it worked enough. We wouldn’t be suffering from—you know, from the sort of ransomware epidemic that we’ve suffered from if deterrence worked enough.
But deterrence pertains, at least somewhat, and that’s why the gloves don’t come off more. Part of it is our defenses work—you know, deterrence by denial. Decades of investment in security technology and process and training works. It stops a lot of attacks. It limits the impact of attacks.
Partly we’re—we benefit from the analog nature of some of the systems we rely on most, right. You know, a lot of the legacy infrastructure providers that we all rely on in the course of our lives are pretty analog and so, you know, that raises another interesting question of what should we connect.
You know, just because you can connect something to the internet doesn’t mean we should. I would prefer that my refrigerator not be connected to the internet, right. I might prefer that our voting machines not be connected to the internet.
So I think there’s an interesting dialogue to have about what should be connected that societies ought to have.
And then, you know, part of it, too, is that the—well, I mean, I think that covers it pretty fully. There are a lot of reasons why and, you know, it doesn’t mean it can’t happen tomorrow, obviously. So we need to maintain the vigilance and, you know, the engagement and the investment.
But, generally speaking, so far, you know, I think we’ve kept the lid on the kind of activity that would fundamentally undermine trust in the digital domain, which is ultimately what I think we all need and benefit from is a basic level of trust that allows us to enjoy the benefits of the technology—the benefits of online banking, the benefits of global communications, the benefits of digitally delivered health care—while trusting that the system is basically secure, that it’s open, that it’s free, that it’s reliable, that it’s resilient.
NAWAZ: Whether or not your fridge is connected to the internet?
NAWAZ: I’d love to be respectful of everyone’s time so I think we’re going to have to leave it there.
Please join me in thanking Ambassador Nathaniel Fick for joining us for today’s—
FICK: Thank you.
NAWAZ: —Hurford Lecture. (Applause.)
Thank you so much.
FICK: Thanks. It’s fun to be here.
NAWAZ: Thank you to all of you for joining us as well here in the room and online. Please note the video and transcript of this symposium will be posted on CFR’s website for our in-person attendees. I’m told there’s coffee in the adjoining room.
And then please join us back here for Session Two of the symposium that begins in fifteen minutes, “Digital Diplomacy Around the World.”
Once again, I’m Amna Nawaz and thank you for having me. (Applause.)
RAZI: Good afternoon and welcome to today’s Council on Foreign Relations Cybersecurity Symposium. This session is entitled “Digital Diplomacy around the World.” I’m Niloo Razi, a senior operating partner with Energy Impact Partners, and I’ll be presiding over today’s conversation.
Joining me on both the virtual and the actual stage—(laughs)—is Selena Larson, a senior threat analyst at Proofpoint and previously a cybersecurity reporter.
Ambassador Heli Tiirmaa-Klaar, who’s the director of the Digital Society Institute at the European School for Management and Technology. She’s also the former ambassador-at-large for cyber diplomacy and director-general of the cyber diplomacy department at the Estonian Ministry of Foreign Affairs.
And we also have Ambassador Juliette Wilcox, who’s a cybersecurity ambassador for the U.K. defense and security exports at the Department for International Trade. She also spent over thirty years as a British diplomat.
Ladies, welcome to this conversation. It is great to have you here.
Just in order to set context, over the past five years the U.S. has taken a series of very strategic actions elevating the importance of cybersecurity. In 2018, the Cybersecurity and Infrastructure Security Agency was established and tasked with protecting U.S. critical infrastructure. In 2019, the National Security Agency stood up its cybersecurity directorate, with a charge to prevent and eradicate threats from U.S. national security systems, as well as the defense-industrial base. In 2021, the Office of the National Cyber Director was established, and Chris Inglis was appointed as the first U.S. National Cyber Director.
And on September 21, 2022, Ambassador Nate Fick, who was just here, was sworn in as the first inaugural U.S. ambassador-at-large for cyberspace and digital policy. I want to point out that was five years after Ambassador Tiirmaa-Klaar was appointed to the same position in Estonia. As broad and as sweeping as these actions have been and acknowledging the growing threat environment that we all face, they have lagged behind the actions of our European counterparts in some ways, especially with respect to elevating the role of cyber diplomacy. Just last week, March 2, the U.S., perhaps in culmination of all these efforts and in an effort to lean forward in terms of cybersecurity importance, released the much-anticipated and long-awaited U.S. National Cyber Strategy.
So, Ambassador Wilcox, I’d love to start with you. Can you tell us about the U.K. National Cyber Strategy, how it balances the whole of society approach with the need for international cooperation, and maybe compare and contrast it with the U.S. National Cyber Strategy that was just released.
WILCOX: Thank you very much. And thank you for the invitation to speak. I hope you can hear me OK from your end.
RAZI: We can.
WILCOX: Well, this is a really interesting question. So our cyber strategy is our third effort. So clearly, we don’t all get things right the first time. So for our third attempt at writing a cyber strategy, the first thing to make clear is it’s this time a cyber strategy, and not a cybersecurity strategy. And that’s a really important thing to note, because it’s that aim to create a whole of society and whole of cyber approach that made us want to sort of pull the subject together in one strategy. And I will—I’ll compare it with the U.S. one, because there are some remarkable similarities. And that’s, I know, because the two governments talked a great deal about it as the U.S. was drafting theirs.
But I’ll briefly just describe the U.K. one. So it’s got five pillars. They’re pretty easy to understand. One is to strengthen that ecosystem. And that looks at skills, it looks at professions, and building a really strong cybersecurity industry. The second one is about resilience and prosperity. And it’s about making sure that we understand and manage the risks that we’re facing, but also that we prevent and become resilient to attacks. A third is about future tech. Everybody’s looking at the future technology that will really influence cybersecurity. It is vital. It’s next-generation technology. It’s getting access to that. This goes to trusted supply chains, and making sure that you have access to both trusted and diverse supply chains, and standards, and values that sort of fit our ambition.
The fourth is about global leadership and influence. And this is really relevant to your topic on diplomacy. It’s about taking that collective action internationally, thinking about governance of cyber, cyberspace behaviors and norms, and thinking about how we can influence, using our—what we would say—globally competitive cybersecurity industry and expertise to export our products round the world. And then finally the bit on detecting, disrupting, and deterring, which was the core part of our previous strategies. And of course, it’s integral, but it’s also part of that whole bigger global picture. And so we do want to investigate, we do want to disrupt and deter. We will use all of the capabilities around cyber that we have in this respect.
So the whole strategy looks a lot about that public and private partnership, and that sort of ability to pull government, and academia, and industry together. And when I look at the U.S. cyber strategy just published now, that approach also has pulled together the need to think about the whole of society. But it also wants to make sure that it benefits the average American too. So no longer is cyber just something that’s technical and, you know, large scale. It’s got to—it’s going to impact everybody. But it also has to make sure, and your strategy has to make sure, that the burden of getting it right needs not to fall on the shoulders of individual users, because it’s a very complicated task. There’s a lot that needs to be understood. And there are many ways in which cyber is inaccessible to some people too.
So there are two big changes, I think, in the U.S. strategy. It kind of moved responsibility away from the end user and puts it back into the hands of the people who are creating cybersecurity technology and products. And it really wants to make sure that it can’t be one human error that creates a huge instance. That’s one thing. And the other thing is that clear incentive to increase resilience, whether that’s through proactive prevention measures, through some deep conversations on regulation. And they’re very much focusing on critical national infrastructure too. So it’s looking at the things that have been vulnerable recently. Those are clear, whether it’s sort of energy, or health care, or water. But it’s looking at how do you become a resilient nation.
And you can kind of mix those incentives together to help the people who are benefitting and creating the technology to take some of that responsibility back from the individual user. So those are the things that I’d say I would contrast really. Big tech ambition. Questions on regulation. And kind of a more joined-up across federal approach. Those things are really powerful in the U.S. strategy.
RAZI: And I’d love to pull on this thread with respect to regulation. Without question, the U.S. national strategy makes clear that we’re no longer waiting for market forces to create the right incentive structure to build security into software products, but we’re going to start shifting liability in order to make sure that that happens.
Ambassador Tiirmaa-Klaar, speaking of this, can you provide us with the EU’s perspective on digital regulation and how it might differ from the U.S. perspective?
TIIRMAA-KLAAR: Well, I certainly would think that EU has been a pioneer when it comes to actual digital regulation. And we are not only talking here about cybersecurity. The cybersecurity regulatory field has been developing, I think, since 2010. But the digital platforms and big tech companies have been largely unregulated up to now. And the first attempt to do this has been the European Union Digital Market Act and Digital Service Act. Both of those pieces of regulation are very ambitious and far-reaching. The Digital Market Act is the, essentially, antitrust, antimonopoly piece of regulation that tries to create more equal chances for other online platforms, except for the usual gatekeepers, as the EU regulation calls them, which are the largest global platforms. And also gives a chance for smaller companies and medium-sized companies to be advertising on equal terms online and also accessing the marketplace in a more equal manner.
The Digital Services Act is a very interesting piece of regulation because it puts human rights and fundamental freedoms in the center. And it tries to protect the human rights and fundamental freedoms of the European Union citizens first. But doing so, certainly it will have the spillover effect on all other citizens in other countries, because as we have seen with the European Union GDPR, which is the General Data Protection Regulation, many other economies and many other markets are taking over the European norms and standards eventually, because they all have their own market interests in the European Union. So once those two ambitious pieces of digital regulation will be implemented, I think we will see a slightly different digital marketplace, which we haven’t seen up to now.
However, it’s interesting to note that on cyber side, or the security side, the EU and U.S. approaches are less and less divergent. The U.S. is following the EU’s suit on regulating. The EU has put out its first directive already, as early as 2016, which regulates how the critical infrastructure should implement the minimum cyber standards and guidelines. And now last year, EU came up with a second edition of the cybersecurity regulation, what we call here in Europe NIS2, which actually enlarges the scope of cyber regulation not just for critical entities but also other manufacturers and also some of the medium-sized companies. So our colleagues in Germany are now scratching their heads, thinking how all these 29,000 companies are able to actually implement the new EU cyber guidelines. And if a rather advanced nation like Germany is having a challenge there, so we can imagine how other nations that might not be technologically so advanced in Europe are still struggling with this.
So but I think eventually this is good for European economy because we will become less easy targets. Our companies need to invest more in cybersecurity. And it’s good to see the same type of government regulation approach now in the new U.S. strategy. As Juliette just mentioned, the U.S. strategy takes away the responsibility from the end user and also talks about creating more trustworthy digital ecosystems. I think this is a very good sign for us, the experts, because eventually we will see more digital trust emerging in this field, which has been very insecure. And then we have seen a lot of lack of trust so far.
RAZI: Before I move to, Selena, asking you a question with respect to the private sector, how much coordination is there as—how much coordination was there as the U.S. developed its National Cyber Strategy in terms of talking with our European allies and making sure that we are approaching some set of consistent priorities that we want to jointly pursue? And even in terms of regulation, how much coordination is there? And is someone trying to be the leader here?
TIIRMAA-KLAAR: I think what happened here was that EU started this, and everyone saw this kind of light touch regulation in 2016 being not so draconian. Because the usual narrative, when we think back of seven, eight years, is that we should not really regulate the tech sector because this will decrease the innovation and will harm the research and innovation capability, and development, and research capability of the tech sector. I think the narrative now has changed because the cybercrime causes so much economic loss to our economies, and we are losing many percentages of GDP every year because of the cyber problems.
Then the narrative has shifted, and all advanced economies are now looking to solution how we can create more trustworthy technological base for our activities in the future. So I think just the U.S. was adopting this approach a bit later, but certainly there has been already the voluntary standards by NIST, some sectoral standards before. So I think it was an evolutionary development, without major coordination but maybe some talks within the EU policymakers and U.S. policymakers.
RAZI: Great. Thank you.
Selena, you uniquely on this stage represent the private sector perspective. How has the cyberthreat landscape evolved? And as we’ve taken these actions as a government and elevating the role of digital diplomacy and encouraging public-private partnerships, especially international ones, is that having a positive impact on the private sector’s ability to protect itself on information-sharing mechanisms? And I’d love to get your sense too of the cyber strategy and the shifting of the liability.
LARSON: Yeah. So I love that I am representing all of the private sector that exists. (Laughs.) But yeah. So I think—I’m really glad that Ambassador Tiirmaa-Klaar brought up cybercrime as such a huge and impactful piece and driver of regulation, and adopting standards and regulations, because that is very much where I live. I am in the cybercrimes space. I work for a cybersecurity company. I am tracking a lot of these threat actors that are directly and indirectly responsible for billions of dollars in losses. And I’ll use ransomware as an example for highlighting the public-private partnership and the value of information sharing.
So we have, as security researchers like myself and my organization, and others like it, have very good visibility on certain parts of an overall attack chain, and understanding of what threat actors are doing, how are they doing it, and what are their ultimate goals and objectives. So from my perspective, I can see that the malware and the threat behaviors that are used to gain initial access to a compromised organization. From there, there are other organizations that say, OK, here is what we see from the ransomware that is taking advantage of this malware implanted already to deliver—to deliver ransomware, disrupt processes, cause a lot of losses.
And then you have organizations even further down the chain, for example, Chainalysis and others like it, that are tracking the money flowing. That are saying, OK, once a ransomware actor has successfully compromised, once a ransom has been paid, where does the money go? And at each point across this attack chain, it is so important that we are sharing information both with our internal partners, internal stakeholders, but as well as the government, and both from the U.S. and our allies internationally, so they can build a full picture of what are these actors doing? Who are they? What are their goals and objectives? How can we track down the infrastructure that they are using, disrupt it, and then, as Ambassador Fick mentioned earlier, attribute. Who is doing it and what kinds of consequences can we implement on these threat actors? So it’s really a cyclical relationship, and the public-private sharing that has been established is very, very crucial to getting a full picture and full perspective of the threat landscape.
From the cyber strategy perspective, I think that both of my fellow panelists mentioned the taking the onus off of the user and putting it on the organization and the tools and resources that we are using to elevate security and make sure that the people who are using technologies, the money that’s being made off of it, remains secure. So I am firmly of a belief that the user should—like, if a user is compromised, that was a failure of the tools that they were using. Like, I don’t think that someone who clicked on a phishing link, they should never have received it in the first place. Like, I think that is—like, a hack is a fundamental failure of the entire process that got them to that point. And so it’s really great to see that there are a lot of moves being made right now to really elevate the very basic levels of cybersecurity that can really knock out some of this low-hanging fruit, and prevent that from happening.
RAZI: And it’ll be really interesting to see how we establish standard of care when it comes to securing software and building secure software, because that’s not well understood or well established by the tech sector. But you all bring up this really interesting point around technology and the importance of technology, and technology evolution. Diplomacy operates at a place that’s not often in alignment with the pace of—the rapid pace of technology evolution. And arguably, for the first time in human history, we are simultaneously experiences multiple tech evolutions, whether it’s AI, quantum, energy, et cetera. And these evolutions are even intersecting with each other in very radical ways.
How do we ensure that global cyber diplomacy keeps pace with the pace of tech innovation and the ability of threat actors to exploit that technology? Just by way of example, you know, there was a time when we stepped back from stem cell research so that we could come into alignment around the norms that we were going to embrace universally around stem cell research. Technology, this is much more complicated because we have adversaries who were not going to stop. But how do we make sure that those two vectors are in as close an alignment as possible? I’ll leave that open to anyone who wants to tackle it. Maybe—
WILCOX: Do you want to take this?
TIIRMAA-KLAAR: You first.
RAZI: Ambassador Wilcox, why don’t we start with you?
RAZI: Oh. This is the joy of virtual. (Laughs.)
WILCOX: Who are we starting with?
RAZI: With you, Ambassador Wilcox.
WILCOX: With me, OK.
Well, I guess the first—so I’d go back a little bit to the headline of our strategy, I suppose, (the one we brought out this time ?). It’s to be the leading responsible cyber power. Now, that’s quite a complicated set of words to really define, but what does leading, and what does responsible, and what does cyber power mean? But it does reflect what you’re saying, is how can you set some norms and standards of behavior which transcend the changes in technology so that you can—and we have done it in the past, I suppose, when it comes to weapons, et cetera. You know, how can you set an acceptable level of international behavior and the responses that will kick in if those are not followed?
Now, you can never—the difficulty with cyber is that there’s so much that happens which you can’t easily describe as state activity. So however you then negotiate something in an international arena, in the U.N. and through governmental experts, and whether or not you’re going to get different states to agree with each other, underneath it all, there are still private actors who will behave at the behest of or at least influenced by states who have sort of different opinions. I think it’s very difficult. I do think though doing something is better than doing nothing.
And if you’re going to talk about standards, and norms, and behaviors, and trying to create a global set of expectations so that we can all try to keep the use of cyberspace secure, then trying to come to some conclusion about what is responsible use of cyber, and then how do you make sure that the people’s attitudes to the way cyber can be harnessed for good and protected or, you know, something that makes it work for all of us. But, yeah, I think because so many of these are nonstate actors and not able to be controlled, you’re going to find it very difficult to nail that one completely.
RAZI: Ambassador Tiirmaa-Klaar, would you like to chime in?
TIIRMAA-KLAAR: Yeah. Well, I have spent many hours hammering out those norms, together with major powers in the United Nations working groups on cyber. And I can tell you that agreeing multilaterally between the major powers on some normative framework for responsible state behavior is very hard. And there is a little common ground. And when it comes to the United Nations discussions, we have reached a point in 2021, I think, where we could agree on the basics, which is those eleven norms of state behavior, what you can read when you look up the United Nations Group of Governmental Experts on Responsible State Behavior report in the U.N. website.
And then we also agreed that international law applies. So I think the diplomats in a way have done their homework. We have agreed on the basic roles. And those basic roles are that international law applies and that we should not attack each other. We should not attack each other’s critical infrastructure. We should keep the civilian critical infrastructure out of reach when we plan our military cyber operations. And so the other common sense agreements are there.
The question is, who is following those agreements? Well, all the hard work that we did after all those long years of corona, virtually with all the partners in the world, is really good. But how we are going to implement the norms is another question. And when we see a major superpower not following international law, even in physical space right now. So how can we coerce these kind of players to follow cyber norms or international law in cyberspace? So I think this is the question where we’re all stuck as governments.
And now when we add to the mixture the private sector and some other groups which are kind of between the private sector and the government, because we know that the major cyber syndicates and criminal groups, some of them are very loosely affiliated with certain governments. So they are doing the work for both for their own economic kind of gain and also sometimes for their home governments because the governments let them easily act on their territories. And because of this complexity that we have, I think the international agreements and diplomacy really should be there, but not only diplomacy.
So we should have so many more cooperation agreements. We should have the democratic nations having this kind of coalition where they collectively try to protect themselves first, and maybe also lend this kind of capability for less advanced nations who are out there. There are plenty of nations out there that do not have minimum capability to protect themselves. So we shouldn’t also forget about them. And all these discussions that we have had, internationally we have tried to address all these gaps, but I think now we are just kind of at a point where discussions should also become actions when we talk about diplomacy.
And of course, we are looking forward to new leadership in the U.S. State Department, and hope that the U.S. leadership also will help some of the diplomatic problems to overcome. But when it comes to the actual challenge, what we all have is disruptive and emerging technologies, and no agreement whatsoever what we are going to do with AI, with other transformative technologies. And there, I also do not see any common approach or agreement emerging any time soon.
RAZI: Selena, I’ll throw the last question before we go to members to you. Given this dilemma of so much of the tech innovation is happening in the private sector, is being driven by the private sector, what’s the probability that private sector will self-regulate in an ethical way that preserves—(laughs)—the greatest sort of freedoms, human rights, and liberties for the greatest number of people? (Laughs.)
LARSON: Well, I think that if that were a priority, I think that that would have happened. And we would have a lot more progress I think in terms of where—defending against threat actors exploiting technologies and services in the way that they currently are doing. So that’s a really good question. And you can kind of think about it from multiple different components, right? So you have the regulatory side of cybersecurity, preventing exploitation of people’s tools and services, but also companies themselves.
If you look at, for example, ransomware effectiveness, if you look at the types of industries that are targeted and effectively targeted—oftentimes ransomware actors will list, you know, companies on these potential leak sites—you can notice patterns in the types of companies, in the businesses that have been leaked. And oftentimes, those are not belonging to the industries that are currently regulated by cybersecurity policies. And you can kind of see the very real impact of regulation and ensuring that companies are secure publicly displayed by a lot of these ransomware threat actors. Like, they’re going after certain organizations.
But you can also think about it from the flipside of it. Facebook, Twitter, social media websites, a lot of different platforms and services that are being used maliciously by threat actors. And that could be for disinformation operations. That could be for social engineering and targeting specific individuals. And as we’ve seen historically, social media can be leveraged in such a way to have very, very real-world impacts and consequences. And it’s often not until those consequences are actually seen that we have observed companies actually take action to restrict certain types of behaviors.
So I think that, you know, if we’re talking about what’s the likelihood of companies doing anything without, you know, seeing a consequence from it, historically evidence has shown that that just doesn’t happen.
RAZI: With that, I’d like to invite members to join our conversation. This is just a reminder that this conversation is on the record. And we will start with the Washington audience.
Q: My question is for Selena specifically, and then if we have time for also the people who are coming in who are speaking as diplomats. Selena, as somebody who’s representing the private sector, what are some of the impacts of bad policy when the rubber hits the road, when you’re actually doing the work to clean up the situation as an analyst, as you do? And then I think almost the opposite question to those who we have coming in: What’s the impact of—I guess, perhaps in an effective private sector? So, Selena, I’d like to start with you, if we can.
LARSON: Yeah. That’s a good question. So I think—you know, we mentioned information sharing earlier. And there are a lot of restrictions in place that prevent organizations, entities, governments, from sharing information with individuals who might not be under certain TLP or who might not be directly involved in certain incidents and events. And I think that oftentimes those policies can be overly restrictive. That can prevent organizations from understanding the true scope of the threat landscape, or preventing defense and prioritizing mechanisms to reduce cyber risk. So the best way for organizations to get a full picture of the threat landscape is to have as much information as possible. And it can be very difficult oftentimes to get the full picture if there are fears about information sharing, if there are restrictions on information sharing that might be overly broad.
I think that an example why it’s so important that we tend—that the security community but also businesses can—no one understands the threat landscape is—I’ll use an example from my organization. We are writing threat detections based off of the threat landscape. And in the early days of the Ukraine war, all of the information was coming out about the Ukraine wipers specifically targeting that region, we were able to very quickly write detection, write defense, and push it out to the community. Not just the customers, but to the community overall, based on the information that was shared. And so there’s real action that can be taken on timely and actionable threat intelligence that are oftentimes—we might not have the best of the ability. And too just for various information-sharing restrictions.
But I’d love to hear from a more direct policy perspective on what my fellow panelists think.
RAZI: And just to frame the question that Andrew posed, are there—I’d be curious to know also, are there ways that the private sector interferes with diplomacy in terms of things it does that undermines diplomatic efforts? I’m not sure, Andrew, if that was the question you were asking, but—(laughs)—
WILCOX: Well, should I—can I offer a couple of thoughts on that? I mean, and it’s related to information sharing. It’s actually the decision of whether or not to make illegal the payment of ransomware, or the ransoms, and the sort of whole concept of what happens when people are attacked and ransomware is—ransom is demanded. And you know, do they report that, or do they go running to their insurance company and say, please pay up, and maybe get the insurance company to fix the problem without reporting it?
And I think that it’s a knotty problem, because if somebody’s a victim you don’t want to make them a double victim necessarily by criminalizing the payment of a ransom. Equally, you want to discourage that and you want to encourage the reporting of the issue (in the first place ?) because that is sharing useful information that could be then helped—help other people. So the debates about whether or not to make it illegal to pay ransoms, the decision to encourage people to report ransom attacks, you know, all of that becomes a really knotty problem, because industry doesn’t necessarily want to report it. And yet, it’s really useful if it does. And government wants to—I said in the U.K., we’ve deliberately made our NCSC not a regulatory body so that it can create a relationship with industry and share some of this either threat intelligence or actual incident.
And so the end result is a sort of complicated dance, I think, which is yet to be resolved, about how do you make it possible for threats and attacks to be properly reported, and handled, and understood at the center for the good of all, while also wanting to maintain some of the reputation of industry or, indeed, anybody who’s been attacked, should they feel that they have not put in place the right measures to start with? So I think that’s a complicated area for policy which we haven’t, any of us, quite got right.
RAZI: That’s a great example. And in the U.S. national strategy, it explicitly states not to pay the ransom which, as you point out, is not always practical, when you’re trying to get your business back online.
I believe we have a question from the online audience.
OPERATOR: We’ll take our next question from Maryum Saifee.
Q: Hi. Maryum Saifee, a CFR member.
This week the U.N. is convening its annual commission on the status of women, where the theme is digital rights are women’s rights. So my question is, how can we leverage cyber diplomacy to close gender gaps? And how do we ensure women and other underrepresented groups have a seat at the table in both crafting and implementing digital diplomacy strategies? Thank you.
TIIRMAA-KLAAR: I can—I can maybe start answering this question. When I was Estonian cyber ambassador we had many women from developing nations invited to the United Nations working groups. And we created a scholarship scheme to make sure that women are included as well in these discussions. This is what we could do. But of course, as a larger question how women could be more represented in the digital policymaking processes, I think we just have to make more awareness raising here. And the marginalized groups, when we speak about women as marginalized groups, I think it’s mostly the nations where the human rights situation is not ideal, what we talk about. So I don’t think that we have it in the Western world.
So I think one of the diplomatic initiatives Freedom Online Coalition has been launched in order to take care of the more equal kind of distribution of internet resources and digital resources in different groups also outside of the Western world. So there are initiatives, but of course they are always not maybe so numerous. And it could be useful to have more of those initiatives.
RAZI: Great. Thank you. Do we have another question from—yes.
Q: Sonya Stokes, term member at the Council. Thank you to this panel for the excellent discussion, as well as for all the work you do.
My question is about misinformation and disinformation policy and diplomacy. You talk about real-world harms, and one of the first examples that comes to my mind is vaccine misinformation and disinformation. What have been some of the challenges you’ve seen in this aspect of creating policies around misinformation/disinformation? Here in the U.S., we’re seeing some backlash against people who are being accused of things like censorship, right, for trying to advocate for safe vaccines misinformation/disinformation policy. What have you encountered? What places are doing it successfully, if there are any? Thank you.
RAZI: Ambassador Wilcox, would you like to start with that? We’d love to get the European perspective on—we have hit some roadblocks here in the U.S. in terms of countering misinfo/disinfo from a government perspective. But it’s clearly a very important issue.
WILCOX: Yeah. I’ll try some brief response here. I mean, clearly trying to legislate against and criminalizing misinformation and disinformation depends a little bit on the kind of information you’re talking about. I mean, if you look at the way different countries are approaching it, the U.K. would have a very different view of what it would regard as legitimate free speech, the ability to use open forums in order to give opinions. And we know that that’s not a value shared by other countries. So when you’re trying to think about how you tackle sort of misinformation/disinformation, you do find that there is a kind of mismatch. And it’s really sort of difficult to get global agreement on that. And I’m sure Heli will talk a little bit about how people, like, have sort of thought about that at the multilateral stage.
I think in the U.K., one of the other things that—challenges we’re facing is just to try to attack, you know, some of the ways that misinformation and disinformation are being produced in order to influence events as well, trying to assess whether these things are, you know, directed in order to affect decision making and individuals behaviors, and pull people into violent situations in a way that is—that you would want to be able to have some sort of attempt to stop, or to bring down websites, or to sort of tackle some of the advocators. But always bearing in mind that line we have with freedom of speech and to allow people to sort of express their views. So I do think that there is definitely sort of a different views that make it a difficult thing to align internationally on it.
TIIRMAA-KLAAR: Yeah, if I may maybe add, that interestingly the misinformation and disinformation is a bigger problem in countries with large languages. As an Estonian, I come from an extremely small language area, where only 1.3 million people speak or understand this language. And we are able to detect misinformation and disinformation quite easily, because most of the automatic translation that has been used for disinformation, we detect it. But as for large language nations—English, German, French—it is a problem, because you have troll farms for all languages. And I think countries in Europe have learned a lot in the last seven, eight years how to deal with this issue.
And each country has its own approach, as Juliette just said. So we do not have this kind of one-size-fits-all because of our legal situations in Europe are very different. For instance, in Germany hate speech is criminalized, which is not the case in some other European nations, and so on. So therefore, it depends really on the European nation that we talk about how we deal with this phenomenon.
RAZI: I had to pause recently in conversation with a government official who pointed out that freedom of speech includes the freedom to lie, which I am still trying to process. (Laughter.) Should we go to an online question?
OPERATOR: We’ll take our next question from Tarah Wheeler.
Q: Thank you so much. Tarah Wheeler, senior fellow for Global Cyber Policy at CFR, and also CEO of Red Queen Dynamics.
This is a question that is going to start at its base with cybercrime and then step up into geopolitics. We can isolate civilians in many forms of kinetic warfare just by the fact that, you know, they’re not making parts for MIRVs or toting around an AR, right? But what do we do when nearly all civilians carry on them or have in their homes the platforms that are being used by threat actors? They’re not just on the battlefield, they are the battlefield in this really fundamental way. And I think their choices in security from individuals to small and medium businesses, they make up this entire cyber ecosystem we’re operating in. Is their vulnerability to cybercrime a good proxy for how vulnerable the whole collective is to cyberattack? And how do we keep the people who aren’t in this room right now safe?
RAZI: Selena, why don’t we start with context setting. How vulnerable are we to cybercrime? As Tarah pointed out, you know, are we all carrying basically the battlefield in our pockets, and the threat vector?
LARSON: I don’t know if I could contextualize it as battlefield. So I think that their—everything we do carries digital risk. And I think that we—that there are currently a wide variety of the level of insecure, you know, devices, what have you. For example, if you have an iPhone you’re going to be more secure in terms of your mobile device than perhaps various different Android devices, just because of Apple’s mobile ecosystem and the level and measure of cybersecurity that Apple carries. I would say, though, that there are humans as a vulnerability to the overall organization, or business, or the social network in which you operate I think is a concept that, in many ways, the cybersecurity strategy is trying to address, which we kind of talked about that.
But if we’re thinking about how threat actors are using technologies, they’re using and exploiting technologies that we use every day, right? So you have cloud services that are hosting malware. You have email providers that threat actors are using to send emails. You have VoIP services that they’re using to send malicious text messages, and trying to get you to engage in conversation and ultimately steal money from you. So I think that the truth is, anything, any type of platform or service can potentially be used maliciously.
Where I think, though, that policy can come into play is implementing standards and regulations and policies governing those organizations to have some type of confidence for when their platform or service is being exploited or used maliciously. And I—but, yeah, I think that hopefully we can move away from this idea of human—like, the human person is the weakest link, if we are, you know, better educating and understanding what the threats actually are, what the threat landscape looks like, and who is responsible for defending and implementing cybersecurity processes to protect the end user.
RAZI: Do we have another question from Washington?
Q: Hi. I’m Adam Segal.
So maybe the panel, and particularly maybe Heli and Ambassador Wilcox, could speculate about where they think the global discussion on norms is going to go. The Russians have introduced a new binding instrument around cyber. There’s a PoA about taking forward from the OEWG. And, Heli, you mentioned before that the norms, you know, really only seem to be being ignored by a great power. So how do you see the kind of development in that space, and where are we going to be going next?
TIIRMAA-KLAAR: I feel like I should start—(laughs)—answering this. Nice to see you, Adam.
So I think we are not in a good place right now to go anywhere, as for the next. So if you can hold onto the agreement being made in ’21, which was quite powerful. I don’t know if some international lawyers are in the room, then, for instance, we agreed with our major adversaries that international humanitarian law applies in cyberspace. So which was not so clear cut earlier. And some other good agreements we made in 2021 in the last GG (ph). I think if we can implement this now, and basically if these agreements hold, it is already an achievement.
When it comes to the current United Nations processes, I am not too hopeful over the open-ended working group, because it basically goes in circles, and just dusts all the previous documents and previous agreements, and confuses the large majority of the nations in the world even further. Of course, as European, we are all very hopeful here in Europe that the Program of Action and PoA that you mentioned is going to be a good framework for the progress. But the PoA then has to offer something for all the participants around the table. Something for more advanced nations, who are interested in threat reduction. Something for those less-developed nations, technologically less-developed nations, who would like to see more capacity building offered to them by somebody, someone, somewhere.
So on the capacity-building side, we, on the Western side, we are not so joined up ourselves yet. We do not have a very good understanding of how we deliver this, who delivers this, how we are going to assess the weaknesses and gaps and so on. And also for the middle-ground countries, who are kind of undecided what they think about our future cyber stability discussions, and what exactly the view is. And of course, when we add the geopolitical situation to the mix, I’m not too hopeful that we can reach any proper progress or agreement in a couple of years to come right now, when it comes to diplomacy. I’m sorry. I’m not an academic, so I don’t have to speak in a politically correct way anymore, so. (Laughter.)
RAZI: Thank you. I believe we have a backlog of questions online, so we’ll go to one more online question.
OPERATOR: We’ll take the next question from Munish Walther-Puri.
Q: Hi. Thank you, Ambassadors Wilcox and Tiirmaa-Klaar, and Selena and Niloo, for your leadership in this area too.
My question is about lessons from other areas of diplomacy. So there are areas that overlap—you know, Wassenaar agreement, trade, nuclear policy. But I wonder if you might speak about where you’ve drawn directly from those lessons either to replicate or to avoid. Thank you very much.
TIIRMAA-KLAAR: I understand the Wassenaar agreement is essentially an export control agreement, and has been useful in new technologies. So as you might know, the European Union has also launched export controls over certain cyber tools. There are European Union export control measures now applied over the tools which allow mass surveillance and some other malicious activities in cyberspace. I think the Wassenaar agreement is an intellectually interesting idea that could be the way forward for further discussion between the more advanced cyber nations.
WILCOX: Would you like me to add a quick point to that?
RAZI: Yes, we would love it.
WILCOX: Sure. I mean, I think that sort of—the point I think I would make is that international diplomacy and agreements also look at standards. And I think that’s an area where we could have influence, in the sense that you could describe standards that require a higher level of technology and security. In fact, we’ve got some sort of laws that we’re bringing in on security standards for Internet of Things devices, for example. And if you look at, in history, how we’ve got standards for aviation, we’ve got electrical safety standards that we know about. It’s something that you could negotiate and build in, I think, in the international standards area, which would raise the level of requirement for security to be built in, and similarly you could apply that locally as well.
We should start to make the market trickier for lower standards of security, of cybersecurity, and then start to—and then there would be some market forces which would start to apply here. And you may well never stop cheap products that have an insecure standard from being somewhere in the world, but at some point you start to build in reputation. You start to build in the ability to sort of be completely trusting in your devices and your supply chains. And these kinds of things I think, which are market driven and which start to be reassuring in their use of products and services, might help. And some of those are debatable, and can be agreed at an international level, I think.
RAZI: Thank you. I believe we have another online question.
OPERATOR: We’ll take our next question from Patricia Rosenfield.
Q: (Off mic)—very much. Patricia Rosenfield, the Herbert and Audrey Rosenfield Fund, and a longtime CFR member.
I want to, first of all, thank the participants in this session and also from the previous session with Ambassador Fick. This has been a really important day. And I wanted to ask something that we haven’t—with all the very extensive discussion we’ve had—that I’d like to return to, the idea of public trust and public confidence. And how—what are the processes that are being undertaken by the diplomatic community in particular, both national—both in this country and internationally, and perhaps globally, to educate the public and to build a sense of public trust and public awareness, to the kind of community education that was referred to earlier? And I think this will be especially important when Ambassador Tiirmaa-Klaar talked about the technologies that we can’t even begin to get a hold of yet, with AI and quantum technology. So just how are we building the basis for public trust and public confidence?
TIIRMAA-KLAAR: I think I can—I can start with this. That, first of all, in European nations there are many agencies and many organizations that are doing awareness raising on cyberthreats and cyber issues. I think October is deemed as cybersecurity awareness month in all European Union nation-states. And I think this is more, like, internally looking cyber agencies that are doing this kind of public awareness raising in Europe. And as for diplomats, they are not traditionally very strong at talking to the internal public, you know, internally. They are usually better at working with other governments and having those meetings in, you know, United Nations corridors or somewhere outside of their countries.
But I think your point is very important, because in all these discussions, where we are most of the time having great challenges, help from the larger public would actually also help us, the diplomats, to strengthen our case and our point. So I think some sort of public diplomacy and a more public audience-facing explanation of what should be done to curb the influence of new destructive technologies, for instance, and how we preserve peace in the age of AI, I think this is really warranted. And I’d welcome any interesting proposals on how we can do it better. And I think, of course, all the diplomats would be happily supporting all the academic and civil society activities that are thinking about these questions.
RAZI: Selena, how is the private sector contributing to either building or not building public trust? I mean, in the U.S. we are at such a low point when it comes to public trust, based on all the polls that are out there.
LARSON: Yeah. So that’s a really good question. I’m glad you asked it. And I think, interestingly, historically a lot of these industries that we’re thinking about—technology, cybersecurity, artificial intelligence—a lot of these things that are very concerning have been very, very bad at telling the story of what they do, and what the threats and the risks are. You think about the people—like, if you think about someone who is an engineer—a cybersecurity engineer—you don’t typically think about somebody who is really great at telling a story of what it is that they do.
And there has been, I think, a really big shift, certainly in the cybersecurity industry but I think we’re seeing it a lot in AI as well, to hire people from potentially nontraditional backgrounds that are very, very good at identifying the gaps and challenges and effectively communicating risk, threats, and defense, and how we can kind of overcome a lot of these challenges. And I think that—from my background, I used to be a journalist, right? And it was very, very difficult to convince an editor that a cybersecurity story mattered, because there was just a fundamental misunderstanding of, like, oh, well this is too technical. This is too complicated. I don’t understand the risk here.
But I think that we’ve really gone and progressed past that, because we are focusing so much on explaining, on becoming more effective at talking about the threats and the risks. I think from an information warfare perspective, a lot of propaganda on a lot of these platforms. They’ve been a lot better about saying, hey, we identified this malicious activity. We were able to attribute it, and we’re taking it down from our platforms. And in a way that’s not scary and that people can very much understand.
So I love—I’m so excited, Ambassador Tiirmaa-Klaar, that you said that you would love this public involvement, because I think that it’s so important too. Like, it’s not just academic. It’s not just engineers and tech brains that are working on this and communicating this. I think in order to fully understand the scope of the problem, you need people who are effective communicators of what it is we’re actually looking at.
RAZI: It is something that the industry often lacks, the expertise and the soft skills. And it is so critical.
And with that, I believe we are out of time. I want to thank you for joining today’s session, and I want to especially thank our panelists, in person and virtually. The video and transcript of this session will be available on CFR’s website. So please join me in a round of applause for our panelists. (Applause.)