Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet

Tuesday, July 12, 2022

Vice Chairman, Board of Directors, Council on Foreign Relations; Task Force Co-Chair

Ira A. Lipman Chair in Emerging Technologies and National Security and Director of the Digital and Cyberspace Policy Program, Council on Foreign Relations; Task Force Director; @adschina

Adjunct Senior Fellow, Council on Foreign Relations; Task Force Deputy Director

Senior Operating Partner, Energy Impact Partners; CFR Member; Task Force Member

Former U.S. Representative from Texas (R); CFR Member; Task Force Member


Technology Reporter, New York Times

The era of the global internet is over, and the early advantages the United States and its allies held in cyberspace have largely disappeared. China and Russia in particular are working to export their authoritarian models of the internet around the world. The CFR-sponsored Independent Task Force proposes a new foreign policy for cyberspace founded on three pillars: building an internet coalition, employing pressure on adversaries and establishing pragmatic cyber norms, and getting the U.S. cyber house in order.

FICK: OK. Good afternoon, everyone, and welcome. Welcome to this report launch of CFR’s Independent Task Force on Cybersecurity. My name is Nate Fick. I had the privilege of co-chairing this effort, alongside my fellow CFR board member, Jami Miscik. And we are delighted today to share with several hundred people, both in person and virtually, the task force consensus report, Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet.

And I am a little bit limited in my substantive participation. But rather than just stand here and tell everyone where the coffee and restrooms are, I thought I’d spend my thirty seconds offering some thanks to people who made this possible.

And so, first and foremost, thanks to Jami for her leadership and impeccable judgment at every step along the way.

I’d like to recognize, in absentia, Rob Knake, who directed this project when we first started, before returning to government service; Adam Segal for so seamlessly picking up the torch; Gordon Goldstein for being the rock throughout. These are three outstanding researchers and writers. And writing alongside this group of people is an intimidating process.

One aside—an editorial plug. If you haven’t read Gordon’s book, Lessons in Disaster, and you’re a student of diplomatic history and American foreign policy, you really should.

I want to thank our task-force members, many of whom are present here today. And this was—putting this group together was a lot of fun. It is a diverse, bipartisan group of people, many of whom have done this kind of thing before, and many of whom with private-sector backgrounds really hadn’t. And our intent was to pull together that mix of tech policy and business expertise.

Thanks, too, to the task-force program staff at CFR. Anya Schmemann, who really kind of marshaled this, had the unenviable task of corralling all of us, alongside Chelie Setzer and Connor Sutherland. So thank you to them.

And finally, Richard Haass. Richard gave us the mandate initially to find a way to do something different and interesting in this domain. And then he gave us full freedom to scope it and come to our own conclusions.

And, you know, like many of you, I’m a CFR member. I’m an avid consumer of the Council’s products and have been through the years. And I appreciate their apolitical quality. I appreciate their analytical rigor and appreciate, maybe most of all, the consensus-driven model. This isn’t just the point of view of one author or two authors. But the challenge is finding consensus among a diverse group of twenty-five people, while still saying bold and interesting and worthwhile things. And that, I think, is what makes the products particularly worthwhile.

And Jami and I were hopeful from the very beginning that we could find and sustain consensus in this report while also saying things that advance the conversation on this important topic of cybersecurity foreign policy.

Our shared hope is that you will agree that the task force has succeeded in doing just that. So thank you.

KANG: Thank you so much, Nate.

Welcome to today’s Council on Foreign Relations Independent Task Force launch. The report is titled—and I think many in the audience have a copy of it—Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet. And it can be accessed online on CFR’s website.

I am Cecilia Kang. I am a technology reporter for the New York Times, and I will be presiding over today’s discussion. And I’d like to introduce our panelists. We have, to my right, Adam Segal, who is Ira A. Lipman Chair in Emerging Technologies and National and Director of the Digital and Cyberspace Policy Program for the Council on Foreign Relations. And he is the task force director, and he’s the main pen of this report.

To his right and to your left is Jami Miscik. She is the Vice Chair of the Board of Directors for the Council on Foreign Relations and she is the task force co-chair.

And to Jami’s right is Niloofar Razi Howe, who is a senior operating partner of Energy Impact Partners and a CFR member and a task force member.

And definitely not least, but last, in this row is former Congressman Will Hurd. He is a former representative from Texas, a CFR member, and a task force member.

MISCIK: And then there’s Gordon.

KANG: And—sorry. (Laughter.)

GOLDSTEIN: I already got the plug about my book, so I don’t need any further introduction.

KANG: They messed up the order, so now I’m all confused. And of course there’s Gordon Goldstein. He’s Adjunct Senior Fellow of the Council on Foreign Relations, a CFR member, a task force deputy director.

Thank you, Gordon, for being here, and everyone else for being here as well.

Let’s start the discussion with basically going over this pretty dense report. It’s a lot of pages and a lot of ideas and recommendations and findings.

Jami, can you talk about what the key findings were and the key takeaways? Summarize the top line.

MISCIK: Sure. Thank you.

I think it’s important to first frame the report. We are the Council on Foreign Relations, so this is designed to focus on the foreign and international aspects of cyber, not all of the good work that has been done domestically in trying to develop things like public-private partnerships, securing domestic infrastructure, and the like. This is really designed to focus on the international piece.

And our three main findings—and we wrote these very directly and to be somewhat provocative—were that we need to confront the reality that the global internet is now fragmented; that after decades of the U.S. pursuing the goal, the proper goal, of developing a free and open internet, that frankly has not happened. And countries are trying to firewall the internet for their own domestic populations.

We and our allies have virtually no ability to change that, to stop that from happening. And so we have to recognize the reality that we’re looking at and change our foreign policy accordingly. So that would be one of the first findings.

A second is that we should be treating cybercrime as a national-security issue and that we should pursue all available means, establishing an international criminal cybercrime center for countries to share information and the like, and not have cyber be seen as something separate and distinct from our national-security strategy.

And then a third finding, which we kind of shorthand to—we have to put our own U.S. house in order. There are things that we need to do here domestically in our government. There are a lot of efforts in the last couple of years that are really moving in the right direction. Our report is not designed to criticize any of those efforts. Rather, it is to amplify and, if possible, accelerate the pace on some of those efforts.

So I’d say, as an overarching framework for our conversation here today, those are three of the main findings.

KANG: Thank you, Jami.

You know, this is a major pivot in thinking. And I’d like to see maybe some hands on the stage, as well as from the audience. Who was at former Secretary of State Hillary Clinton’s internet-freedom speech in 2010? OK, a few people. I was there. I think a lot of people viewed it as well.

HURD: I didn’t get the invite, Cecilia. No. (Laughter.)

KANG: I’m just showing off. But at that time, it was a bold call for the rest of the world to follow the U.S. in its call for a—this clarion call for a free and expressive, open internet. And it seemed, like, inarguable that that was the right direction. She said at the time countries that restrict free access to information or violate the basic rights of the internet users risk walling themselves off from the progress of the next century.

But as you note in the report, that vision has not panned out. China/Russia have their own successful closed versions of the internet, for example. So this is a major pivot. And Adam, maybe you can talk about what that big pivot in terms of what you’re calling for requires. And you outline in the report three major pillars in a new version of foreign policy.

SEGAL: Yeah, I think the idea is not to abandon any hope of an open internet with trusted data flows, but the idea is to consolidate that as effectively as possible among partners that are willing to move forward in that area. So the hope is to expand that vision among likeminded and to solidify those relations.

We base that around a lot of ideas on the trusted flow of data, right; so not a question about how open or closed you are, but do you have domestic provisions in place for how we think about who has access to the data, who it can be shared with, how can it flow, building on this idea that former and late Prime Minister Shinzo Abe had first introduced, but one that we think can be used to help structure trade agreements and other agreements with our friends and partners, and not putting the United States in some place to judge about how democratic or nondemocratic a country is in this space.

So that is the first pillar, which then has a number of specific tools on how do you strengthen those relations. Jami mentioned the international crime center, cooperation on open-source software, capability building, things like that.

The second is that norms, naming and shaming, public attribution, work better with our friends than they do in slowing our adversaries. So while that is effective in pulling us together, as we move forward, defend forward, persistent engagement, a U.S. effort to disrupt attackers before they get to the United States is probably—we’re going to continue leaning on that fairly heavily. But that requires the U.S. to announce some areas of self-restraint about some targets that might be off limit.

You know, other people have talked about and we adopt the ideas about election infrastructure, financial—some types of financial infrastructure, as well as nuclear command and control. And I want to point out that these are for destructive and disruptive attacks. There are other things that may still be conducted.

And then, finally, a focus on what do we think about talent, not on the—which there’s lots of work going on about cybersecurity talent and technical talent, but what do we think about—how do you think about foreign policy and cyber, right? How do you train people to be able to do these careers, which has, you know, been—we now have a bureau and we’re going to have to have people who have career paths, what type of skills they should have, and how we can develop those with our friends and partners.

KANG: Thanks, Adam.

Gordon, you know, the report calls for a different approach in part because the threats are rising, and they have also evolved. Can you sort of set the stage for us of how cyberthreats and risks have evolved and increased over the last decade plus?

GOLDSTEIN: Thank you for the question. And thank you particularly to Nate and Jami for leading this effort.

We achieved consensus very quickly on the changing character of the international information ecosystem. You can go back 30 years and there was a moment of great optimism as this new technology grew and prospered, and it was supposed to be a mechanism for free and open expression. It was supposed to be a reliable platform for communication. And security was not supposed to be an issue.

Obviously, that’s all changed very dramatically. And that dramatic change has come even in the past ten years. Going back to 2012, it was Leon Panetta who warned famously of a cyber Pearl Harbor. And the fear was the risk to our critical infrastructure.

Now we see a multidimensional threat in this information ecosystem that goes far beyond what I think anyone plausibly imagined going back three decades, or even one decade. There used to be just a handful of cyber powers globally. Now there are twenty to thirty cyber powers. Even small states have very sophisticated means to use the internet for advancing state interests, and in addition to the whole multiplicity of actors.

That is part of the essence of the report. This is a multidimensional threat. We have the threat of fragmentation. The internet is becoming balkanized. China is cut off from the rest of the world. Iran has its own internet. The United States and Europe are increasingly isolated. The idea of a seamless global internet is now anachronistic. We are seeing the rise of data localization.

And most troubling to me personally is to see how the internet has been weaponized, particularly with respect to social media. It is being used for sophisticated information campaigns on a global basis. It’s being used as a tool to intervene in elections, used as a tool to sow civic discord, to mobilize violence against vulnerable minorities. It is a platform for incredibly sophisticated forms of cybercrime on an international basis. There’s a whole underground economy related to that.

We’ve seen the rise of ransomware now becoming a major problem for corporate America. We have seen massive gains in terms of cyberespionage. And we’ve seen this array of actors all having become, in essence, super-empowered by the ability of the proliferation of technology that can be absorbed cheaply, at very little cost, by individuals, by international criminal syndicates, and most importantly by nation-states.

So the environment is just fundamentally different than it was even just a decade ago. And I think one of the main themes of this report is, as we say in the title of the report, it’s time to confront reality.

KANG: Great.

Niloofar, can you talk a little bit about or take into the present with some real examples what Gordon just outlined, the present threat of today? Maybe you can talk about how cyber warfare is being played out in terms of the Ukraine-Russian war and what lessons have been learned from that so far.

HOWE: Thank you for the question.

So there’s a lot of—there’s a lot of early lessons from the Russia-Ukraine conflict. There’s three that I would highlight that are especially relevant, not just to cyber but also to this report.

The first lesson is that cyber operations and information operations are the same thing. We can’t treat them as two separate things. And a lot of Ukraine’s early success in this war was based on its ability not only to defend against destructive network attacks, but also its ability to claim—and it really was sort of everyone’s ability to claim a first-mover advantage in the information-war space.

And that was, in a large part, driven by the U.S., U.K., and our allies declassifying intelligence in real time in order to clarify where the troop movements were going to be, the false-flag operations, and the misinformation campaigns that were going on. And that’s turned out to be a determinative factor in the early success. So we really have to view those things as one and the same.

A second early lesson here—and this one was really interesting to me—is the criticality of approaching cyber from a coalition and a partnership perspective, and especially when it comes to the concept of cyber attribution. So for cyber attribution to work, especially in the context of war, it has to be accurate, it has to be timely, and it’s got to allow for proportional retaliation.

If you go back to 2014 and the Sony attack, what was super-interesting is when the U.S. attributed the Sony attack to North Korea, it created skepticism that North Korea was actually behind that attack. And it allows our adversaries to operate in the gray zone below the threshold because they can deny and deceive; you know, claim that they really weren’t responsible.

Now, fast-forward today and the Viasat attack, hack, by Russia. We knew very quickly that it was Russia, but we didn’t attribute until the coalition was in place, until the U.S., U.K., and EU came together to attribute that attack to Russia. And once that happened from a coalition perspective, denial and deception becomes almost impossible. And now you sort of have to decide what the action is going to be.

So the importance of that and the importance—and, by the way, it took two and a half months, which is way too long in the context of war. And we have to get to a place where the trusted relationships are in place, the norms are defined, so that we can—whoever has the right intelligence can convince the rest of the allies who is behind these attacks so that we can respond in a timely and proportional way.

And very quickly, the third aspect that I would talk about is just the importance of setting norms. So one of the things Ukraine did early is sort of create this cyber-hacker army, right. They enlisted, according to them, 400,000 hackers—that’s, by the way, twice the number of soldiers they have in their army—to go after Russian and Belarussian targets.

And while, from a sort of, you know, everyday perspective you might want to say, yeah, go for it, it’s actually a terrible idea. And it’s also illegal in most countries that host these multinational hackers, because one thing we’ve seen is that the cyberactivity has stayed pretty restrained within the zone of conflict. So the cyberactivity hasn’t really gone outside of Ukraine or outside of Russia except for with Viasat there was some effect on European customers and European energy sector. But with cyberhackers, you know, the possibility of things going out of control and having another NotPetya happen is huge.

So establishing what the appropriate norms of behavior are, where there is agreement—again, not just by democracies, but by allies. People who want the same vision of the Internet as being a trusted and secure mode of communication is pretty critical.

KANG: Great. That’s really clear. And one of the recommendations has to do—or several—go back to attribution and this gray zone, and we can get back to that hopefully at some point.

Will, so sitting in Washington—I know you live in Texas and you have in Washington as well—it’s hard to see one of these key recommendations getting done, which is cleaning up house at home. There is no movement on anything. I’ve been following data privacy legislation efforts for more than a dozen years, and—I sound really pessimistic—I don’t think it’s going to happen this year. (Laughs.) I don’t think it’s going to happen—it’s not a priority.

So talk about what it’s going to take to clean up house or just get some sort of movement in terms of—because one of the key things that’s outlined here is a need for some baseline legislation and regulation. What’s the view on Washington?

HURD: Sure, and I’ll give that—I’ve got to fact-check Gordon real quick. (Laughter.) We didn’t get a consensus right away. I almost walked away at the very beginning. (Laughter.) When Jami was like, let’s be provocative, I was like, oh, we’re going to counter everything that most of us have been doing for the last 40 years? That’s like, oh, my Internet went down, you know? (Laughter.)

But what we need to do to get there is what we just did in this report: be honest about where we’re at, right? We can’t achieve this vision of something that’s open and it’s going to continue to uplift humanity if we’re not honest of where we are. And one of the things that we talk about in the report is, guess what? There is a global standard already. It’s called GDPR—might as well just accept it.

Now this is hard for me to say because I was one of the people going to Brussels, I was in Berlin, I was—I was arguing with EU parliamentarians about how GDPR was going to bring, you know, the world to its knees. And guess what? It didn’t, right? We just learned that we all go to too many websites with cookies.

But we have to—here in the U.S., if we want—if we want to allow Europe to continue to be eighteen to twenty-four months ahead of us when it comes to policy setting, then accept that; if not, step up, right? The House, the Senate, everybody needs to step up. We can start by talking about something that’s already a global standard.

Yeah, I know what the State Department is getting ready to do. I think we can go even further. I think we can have a cone, a technology cone just like you have a political cone, an economic cone, and a consular cone to where that we have—part of our diplomacy is talking about technology, not just cyber, because all these lessons here that we’re talking about in cybersecurity can be applied to AI, can be applied to quantum. And we have the opportunity to do that.

So what—I spent a lot of time on these issues when I was in Congress. Not every one of my fellow colleagues is as smart as Jim Himes. I know Jim Himes is in the crowd, understands these issues, important leader on the intelligence committee, and hopefully future the leader on the intelligence committee. And not everyone is like that, but having these kinds of reports to talk about here’s where we are, here is where we need to move is the step, and then Congress is going to have to act because if we don’t, the Chinese are going to continue creating their world. If we don’t, the Europeans are going to be the ones that are taking the lead. And so doing something as simple as talking about a breach standard, talking about who owns the data we have is something that needs to happen.

KANG: I’m glad you mentioned AI and some of these more future technologies that are really not so future. As things are right now with the approach that the U.S. has and with the Internet being approached in a fragmented way, who is best positioned right now to lead on AI, and things like metaverse, and machine learning—all these things—quantum.

HURD: Look, these questions are—actually my colleagues are prepared to deal with. You know, what is the role technology should be playing in society? These are big questions, and let’s go back to future—past technologies and how that applies. We have to improve the collaboration between the public and the private sector. It needs to move beyond, just like information sharing. It needs to be true operational collaboration, and some groups and some companies are going to have to accept, hey, you can’t just say somebody needs to do this. You have to actually, you know, step up and do something yourself. And so I am bullish about our future, but it starts with understanding where we are today.

I’ve been out of the country a year and a half. I thought I understood these technologies. I helped write legislation on AI. I helped write things to improve IT procurement; you know, no one is ever going to hold a parade for IT procurement. I think some of these people in this crowd might go—(laughter)—to that parade.

But I spent a lot of time on it. But here’s what I learned. This stuff is moving so fast. In the best-case scenario, we’re tied with the Chinese government, with some of these Chinese. That’s the best-case scenario. And the only way that we’re going to be able to compete with a country that’s four times our size, that has industrial policy focus on this is if we improve our collaboration between the public and the private sectors. And that also means that the private sector—we’re going to have to put our swords away, and come together, and leaders on both sides—on both sides of the aisle are going to have to accept that something has to get done so that we don’t get—that we don’t get left behind. And it could happen.

Our leadership in these areas is no longer guaranteed, and it’s going to require us to accept where we are—in the reality, which we talk about here—and have the willingness to take bold action.

KANG: So along the lines of the private sector, either Niloo or Gordon, can you talk a little bit about what the implications of a fragmented Internet means for the continued leadership of the U.S. technology companies, what the implications are for the global supply chains? I know this is a big sort of question, but what does this mean—what you are proposing—for the private sector?

GOLDSTEIN: Well, I’m modestly optimistic about the role of the private sector. Just to take one example, in the Russian war in Ukraine, what has been our major source of information? One of them has been Microsoft—and has issued two very comprehensive reports that have catalogued the types of incursions, that have identified the countries that have been under attack. They are doing it publicly, they are doing it transparently. And one of their recent reports showed that two-thirds of the Russian efforts actually failed or were disrupted in some meaningful way.

I think the changes—this is a very dangerous area to go into—but Twitter trying to take some greater responsibility for what is—what information traverses their platform is an encouraging step. The growth of the cybersecurity industry, which has expanded significantly in the past five years, is becoming incredibly sophisticated in the types of products and services that they can provide.

So I think the role of the private sector will be one of constructive adaptation to a changing threat environment, and one, hopefully, where we have a greater condominium of interests between the government and industry, the continued increase in sharing information, and hopefully appropriate forums and joint collaboration.

HOWE: And if I can add to that, I think one of the realities that cyber—one of the realities of cyber is that the speed and the agility, the transformative effect, the opportunity for innovation, creativity and experimentation is there. And to the extent that our policy makers don’t move at the speed of cyber, the private sector will. And the question we should be asking is do we want the private sector, through corporate policy, to define what the policies for these technologies should be. We have a great counterfactual with the Internet, right: What happens when we don’t lead from in front and define what the policies are in the world that we want to live in.

Do we want to let the private sector lead, or do we want to lead from a policy perspective? Private sector won’t wait. They’re going to—they’re going to go ahead. There is too much at stake from the economic perspective to not continue experimenting, not continue pushing, not defining the rules of the road. And sometimes those rules are great, and sometimes they’re not.

It is true that with respect to Russia-Ukraine, the private sector’s support of Ukraine has been tremendous, and it is—it has provided some real advantages. But I think we—I don’t think we can afford to give up the policy advantage. I don’t think we can afford to let our European allies lead. We need to be at the table with them doing it.

MISCIK: And frankly—if I could just add a footnote to that—we have to choose to lead. You know, we have to want to be in a leadership position and, you know, sending people at the appropriate level to these international forums; to not take a step back and be kind of passive recipients of what they decide but to actually choose to lead. And one of the phrases that we’ve heard in doing this task force report was that too many times either private sector, international partners, our own administrations, or representatives on the Hill don’t see themselves as part of the action group. You know, they have to understand that they have a piece of this, and working actively to move the U.S. agenda forward in this area because, as data becomes more critical to digital trade, power—geopolitical power—stems from a lot of that. And I don’t think we want to just be passive recipients on that.

KANG: Yeah, in fact, Niloo, you talk a little bit about changing norms and thinking. And Adam, there might be some people who read the report and say, this makes a ton of sense; we’ve been watching this for years evolve like this. But it is a big change in thinking.

What’s it going to take in your mind—and more specifically, you have a long list of recommendations. If you were to take this report—as you are, I understand, talking already to people on the Hill and the appropriate agencies—and say, OK, here are—like if I got my dream list of things done, this is what our task force came up with—this long list of recommendations. But here are three or four things that you must do right away because this is going to take a long, long time. What would that be? So big picture, change of thinking, and specifics.

SEGAL: Well, I think the big picture is one we keep hammering, and I don’t think this is new to anyone, right? Anyone who is watching the Internet, and the private sector already knows the market is fragmented. And they, I think, actually would like some support from the U.S. government.

You know, we saw—as we’ve seen it, the private sector has been making decisions on which markets to be involved in and which ones not to be involved, which services to provide. And so I think the force the U.S. government to say, yes, it’s fragmented, which interests are at stake in certain situations, and what do we expect the companies to do would be welcome.

I think the—you know, the most important thing is—which we’re beginning to see the—I think, the Biden administration do is amass a coalition around certain ideas about how data should be handled, traded, what our cybersecurity standards are. We see that, I think, in a lot of different strands: the Indo-Pacific framework, the Quad, the discussions with the Europeans from the TTC. I think we want to see more concrete action and some deliverables. I think that’s what we think would be the most important thing on that side. But I think we see a lot of kind of discussions about those things already happen.

KANG: You know, Jami, you mentioned policymakers and folks in Washington needing to feeling like there is something at stake for them. The consumer feels like they see a story almost every day about a hack, bank, target that breaches some retailer or whatever. There is a certain level of—I think folks generally feel sort of jaded. It’s my perception. I would love to hear, Will, what you’re hearing and what it would take for the public in terms of shifting their thinking, if they’re thinking about this at all, and if that’s an important part of this—these—

HURD: I think—I’m still shocked by how many Americans know what OPM is, right? When that happened—what, 2015—and 24 million Americans who went through a background check, their information was outed. And that was kind of like the first time that a lot of people were like, whoa, what the heck? This has an impact on me.

I think recently Colonial Pipeline, their—impacted their ability to get around or fill up on gas. And the one that I think doesn’t get enough conversation was the hack of the water treatment plants in South Florida. You know, somebody tried to poison the water. And the dude that was, you know, eating his lunch at 2:00 in the morning, and saw the red flashing light, and solved the problem—that people could have been poisoned from a digital hack, I think that made it real to people.

The number of folks that—like I’m sure everybody has some kind of credit monitoring thing because their information has been hacked in some form or fashion. They want tools that are efficient. They want tools that can be easily protected. And so this is a hard issue.

When we talk about diplomacy in this area and open Internet, what does that mean to the individual? How are we going to make them be able to live their life easier? How are we going to make them be able to transact with less friction, and that means these tools have to be secure.

I hope more deaths don’t have to happen for people to wake up. The German—in Germany I think it was the first death of a person, a cyber hack, because they got to a hospital, and they were—there was a ransomware attack going on, and they couldn’t admit this person, and they had to take him to another hospital. And the person died. All right, we have seen a loss of life—loss of life from these types of things.

I think these would have to get worse before people focus on it, but that doesn’t mean we can’t move and try to prevent that kind of thing from happening.

KANG: Great, thank you.

At this time I’d like to invite members of the audience—and online—to join in with their questions. A reminder that this meeting is on the record. We will start with a question from our virtual audience.

OPERATOR: We will take our first question from Harry Oppenheimer. (Pause.) Please accept the unmute.

Q: Thank you. My name is Harry Oppenheimer. I’m calling from Harvard University.

My question is about the implications of the Snowden leaks, and the impact of data flows on intelligence gathering. So my question is sort of, you know, what was the long-term impact of those leaks on digital cooperation? And how did it impact our ability to lead on an open Internet? And how do we get and convince other countries that working with the U.S. is both safe and in their interest moving forward? Thank you.

KANG: Who would like to take that? Jami? Gordon? Adam?

SEGAL: I think we can clearly say Jami would not like to take that. (Laughter.) I’ll start.

MISCIK: Good man, Adam.

SEGAL: Yeah. (Laughter.)

KANG: I tried.

SEGAL: So the Council’s first task force report on cyber—defending the open, free, interoperable Internet—actually came out the day that Snowden showed up in Hong Kong, which kind of, you know, sent us on a tangent.

MISCIK: And who was the director on that report? (Laughter.)

SEGAL: That was also me. (Laughter.) That report was based on what—I think part of the reason why we were confident about, you know, being able to defend the open Internet was that we saw—excuse me—strong cooperation with the private sector and increasing coordination with Brazil, Germany, and some other emerging countries.

Now the Snowden disclosures made both of those things much more difficult, right, so in the immediate aftermath of the Snowden disclosures you saw U.S. companies challenging the U.S.’s ability to collect intelligence legally and technically, right, rolling out encryption and other things. And then you saw, you know, Dilma—President Dilma and President (sic; Chancellor) Merkel being very annoyed, and a breakdown of kind of diplomatic discussions.

I think for the most part, most of that is gone, right? Europeans in particular made a lot of noise, but they were—they are very dependent on NSA collection for their own concerns about jihadis, and domestic terrorism, and other things, and there was quickly kind of cooperation there. The hangover that we still see, of course, is around Privacy Shield, and data transfers between the U.S. and Europe.

You know, we now have a new agreement that the president announced in April, if I remember correctly. It’s still uncertain if that’s going to hold up to another court hearing. But I think other than that specific case, for the most part, U.S. allies and friends have gotten over it, and are more than happy to work with us on data sharing.

HURD: And why they got over it—because there has been significant changes within the intelligence community on this particular issue. And oftentimes when I engage with my European friends, and they still want to bring up Snowden, I say, well, why don’t you talk about the German B&D who owns a third of the telecommunications infrastructure in Germany and are allowed to spy on German reporters in Germany? How about that issue, right? And so, although oftentimes people are still bringing it up, it’s to defend their own, you know, parochial interests. But those that are involved in setting broader policy understand that things—that the world is very different from when those revelations came out.

KANG: Uh-huh, more than seven years ago. Question from a member. We have mics going—please.

Q: Alan Raul from Sidley Austin.

I wonder whether your report discusses or you have any comments on the various ongoing initiatives in this area. So the G-7, when it met at Carbis Bay in Cornwall, and the U.S., and the EU, and the Trade and Technology Council met immediately after that, addressing technology issues, AI, cyber issues, I think the White House announced the Declaration on (sic; for) the Future of the Internet, where—I don’t know that there were any substantive principles involved in that, and I think that the news element was that India didn’t sign on. But that is underway. And then the cross-border privacy rules, I think, that the Department of Commerce announced as a(n) international initiative.

Are these significant? Are they showing any signs of progress, and do you view those as a way of addressing the types of issues that your report discusses?

KANG: Who feels comfortable answering that one?

HURD: Well, I’ll add on a piece of that. I hope that President Lopez Obrador and President Biden are talking about this cross-data flow issue right now between the problems of Mexico implementing this within the USMCA. That—you know, the USMCA piece on cross-border data flows is kind of the pinnacle of this and should have been the example for other parts of the world, and we’re not seeing the implementation south of our border. So I hope this is a topic that gets addressed in their meeting today.

SEGAL: So yeah, I mean, all of those mentioned, except for the G-7, which happened after the report was done, but the—I think the issue for the Declaration of (sic; for) the Future of the Internet is the one that you mentioned is who isn’t in it, which we think that, you know, a lot of the principles we’re talking about are ways to kind of get around that problem.

You know, not—and address issues that we want to do with India without having to essentially decide that they’re not democratic enough, which they clearly have some issues about how India’s going after Twitter and others right now. We can deal with those on another level.

I think going back to the question that Cecilia asked me, I think the feeling of the task force is that, yes, there are lots of different little strands that are going on all important, all should be supported, but we would like to see a kind of more cohesive push on the issues and a raising of the priorities of them, that the digital issues, you know, is more than just the announcement, you know, welcome, from the secretary of commerce and others about we now have this agreement among twelve of us about privacy—global privacy. We want to see a bigger push on it.

MISCIK: I would also just add to what Adam said, the one thing I think is interesting about countries like India and some of the other countries that did not sign on to the Future of the Internet, my view is that the Russia-Ukraine issue has changed the equation for a lot of the countries that were thinking about just trying to sit on the fence and not really, you know, choose to be in one camp or another camp.

And I think right now it may sound a little too elementary, but it’s almost like the values question has been entered into this. You know, do you want to side on, you know—with rule of law, trusted data flows, and the like, and I think you’re going to see more countries maybe leave the fence and go into what we talk about in the report in a lot of detail, which is this trusted coalition of like-minded countries based on standards and rules of law as opposed to form of government.

KANG: Let’s take a virtual question, please, from a member online.

OPERATOR: We will take our next question from Lindsay Gorman.

Q: (Off mic)—calling in from D.C., where I just recently finished a tour in government in the Biden White House working with the Office of Science and Technology Policy and National Security Council leading our overarching technology strategy.

I just want to give a big congratulations to you for this report. I think it draws on many of the themes that the—that we’ve been working towards and really lays it out in a clear way, and particularly for the ability to bring together all stakeholders of society—the private sector, the think tank space, as well as government actors.

And I wanted to ask, the National Security Adviser Jake Sullivan about a year ago gave a speech to the National Security Commission on AI where he drew on, I think, many of the themes of the report and your work touches on, and one of the things that he called for then was a recognition that all actors of our society really have a role to play here.

So I’d—given the work you’ve done over this last year with the report and the stakeholders, I would love to hear maybe from some of the private sector folks—or if you could summarize some of those conversations—on what this new vision of private sector leadership could look like now that we’ve recognized, as you’ve said, that the world has changed.

What does that look like outside of government? How can actors not just in positions of public policy making contribute to this new vision?

Thank you.

KANG: Who in the—Niloo, you want to try that one?

HOWE: One of the interesting—again, going to sort of cyber realities, cyber is no longer a domain where the private sector sits here and—you know, on one side, and government sits on the other side. Both have to work together across the board to create policies that make sense and that can be deployed and utilized by the private sector.

And I think one of the great things about this task force was—if you look at the list of task force members—there were plenty of policy folks, but there were a lot of folks from the private sector who also joined.

And I think in our first meeting we were all sitting there going, woah, wait a minute, are we going to agree on anything? But it turns out that there’s a role that only the government can play in terms of policy, in terms of deterrence, in terms of establishing the norms. We don’t want do it by corporate policy. We want it to actually be broadly agreed to with a coalition of partners.

But the private sector has to have a seat at the table, so there has to be engagement with the private sector to make sure it reflects the realities of how businesses and people and consumers engage with the internet, and I think that’s happening now. You look at the way the various government agencies are working even—whether it’s CISA creating the JCDC and pulling in the private sector into how to protect U.S. infrastructure. You look at NSA, which has the delegation for the defense industrial base, creating the cyber collaboration center, and pulling in that sector that it’s tasked with protecting.

People are coming together. We realize we have a shared reality, a shared risk, and a shared opportunity, and we just now have to lead. We need to get Congress on board.

HURD: And the private sector needs to provide feedback in the public sector. If I’m in an AI company, I’m probably spending more time in Brussels than I am Washington, D.C., because they are going to move on AI legislation there that is going to have global implications.

You know, articulating that, explaining that, how is that going to work so that we can do something. Whether we’re going to be able to move faster than them, I don’t think that’s the case, but we need that—we need that feedback loop.

I think the way we get the private sector also to do more—you know, I always—whenever I ask CSOs at big U.S. companies I always say what’s the best piece of information the federal government has ever shared with you? That’s their response. It’s like—there’s nothing. (Laughter.)

And we need to be—we need to think about how we think of cyber intelligence. It’s way more perishable than HUMINT or SIGINT. And making sure that we’re helping these companies to defend because they’re an integral piece.

So I think that’s another way we get private sector to be a little bit more engaged in defending our digital infrastructure.

KANG: Interesting. How about a member in the audience here, please?

Q: Thank you. Thank you for this excellent discussion. Sam Visner with MITRE. I’m also on the board of directors at the Space Information Sharing and Analysis Center.

What is your view—what is the panel’s view on how we can improve the cybersecurity and resilience of our space systems, which increasingly now are commercial? Tens of thousands of satellites are expected by the end of the decade. We’re already up to some five thousand now—mostly from the private sector, not all from the U.S.

What can we do to bring on board stronger cybersecurity in the private sector for space systems, in the context of the fact that we have yet to declare space systems as a sector of critical infrastructure?

KANG: Yeah, have you considered that, the space infrastructure?

HOWE: So I think this is actually a critical question because most people don’t understand how important satellites are to our critical infrastructure, right. They enable the communications for agricultural research, for banking transactions, for the energy sector. So it’s not just about your GPS system that satellites control.

And I think—you know, again, one of the—with Viasat, it was the first time that cyberwar extended into space. Even though there had been hacks to satellite systems before, this was the first time it happened in the context of war.

The other thing was, a couple months ago security researchers showed that you can hack a decommissioned satellite and cause it to broadcast messages. So all this space debris that we’re leaving out there also creates—assuming the Kessler syndrome doesn’t happen anytime soon—also creates, you know, a lot of vulnerabilities for us.

So there’s no question that especially with respect to these lower Earth orbit satellites, we have to turn to the question of, how do we secure them, and how do we establish norms? We touch on this in the report a little bit when we talk about nuclear command and control and the importance of having norms around not attacking nuclear command and controls, but a lot of times those are embedded in satellites with other communications.

And so really understanding the full spectrum of activity that takes place in space—that’s happening through the private sector, the most ubiquitous surveillance platform ever is being put up there without a ton of regulation—is something that has to be turned into.

HURD: I’m going to make news. A former CIA officer’s going to say something nice about DIA, all right? (Laughter.) DIA put out a report I believe it was three years ago about the challenges in space, and it’s really fascinating. And it’s not just cyber defense and how do we defend our overhead infrastructure, it’s physical defense.

The only reason you put a claw on a satellite is because that claw is going to attack something else up there, right, and these are the kinds of things that are happening, and it is contested, and it should absolutely be considered as part of this—things that we need to defend.

We always talk about DIME. We’ve got a lot of foreign policy nerds here talking about DIME. I think it should be DIMEC—you know, Diplomatic Intelligence Military Economic and Cyber—or T, Technology, right.

This is—we need to be thinking about all these elements because this is going to have an impact on us. It’s not just space, it’s going to be the Moon as well, too. You’re going to probably start seeing habits on the Moon in 2026, and so this is a real issue that we need to be thinking about. And we have the opportunity now to get a head of some of these things.

MISCIK: And I think one of the things that you’ll keep hearing us talk about here is pace—you know, the need for acceleration of policy attention on these issues. I think this is another example where the Russia example of having attacked a satellite is going to accelerate the pace of government prioritization on this issue.

It was something we did talk about in the task force. We had a small group, largely of intelligence-based folks, who talked about it a lot. The old system of redundancy is our best protection—we have a lot of them, so if that one doesn’t work, you know, or something happens to that one, we’ve got another—is not going to be the answer for the future, so. Just piling on here.

KANG: Let’s take one—another question from the internet, from online.

OPERATOR: We will take our next question from James Siebens.

Q: Hi, everybody. Thank you very much for this discussion. My name is James Siebens. I’m with the Stimson Center.

I wanted to ask, kind of building on the security focus on the last round of comments, how the U.S. should balance the need to abide by the principles and voluntary non-binding norms that are being espoused and advocated for versus the application of law, right, binding obligations based in treaty? And how should the U.S. balance the capabilities it needs for hunt forward and defend forward versus abiding by those kinds of norms and law? Thank you.

KANG: That’s interesting. Norms versus laws. Who feels comfortable taking that one? Adam? You took a deep breath.

SEGAL: Yes. So I think the report essentially calls for a higher degree of transparency about U.S. actions when possible to reinforce those norms and the U.S.’s following of international law as it conducts cyber operations. I think there’s a sense that there have been missed opportunities when the U.S. has conducted operations, that it, you know, has very rarely owned them. You know, the cases mainly being with non-state actors around ISIS.

So I think as we, you know, continue to embrace, defend forward, and persist at engagement, there is going to be a need for the United States to explain what type of operations were conducted under what legal or normative kind of frameworks.

You know, the—as I said at the very beginning, I think our feeling is—you know, the U.S. has stated that international law applies in cyberspace, and the issue is how we apply it. We are still, you know, getting some pushback from the Russians and Chinese and others in international forum about what that actually means.

But you know, the council—the task force’s findings about still engaging those processes through the U.N. group of government experts, or the open-ended working group, or if the two are merged in the future, I think—again, we think is important for clarifying among all of our friends and allies how we abide by those norms of international law.

KANG: All right. Let’s take another in-person question. The man with the laser thing.

Q: Good afternoon. Che Bolden with the Charles F. Bolden Group. First, to your question earlier, space is impossible without cyber, so when you move in that direction, you’ve got to think about that.

Question, how much—what kind of conclusion did you all come up with for Web 3—decentralized identity, self-sovereign identity, and the implications those have for both security and privacy?

KANG: Looking forward to Web 3, Metaverse, all kinds of things—cyber, crypto, et cetera, chain.

SEGAL: We did not address—we are cognizant of the changes coming over. But given the rate of change in that space right now, we were fairly focused on technologies we are struggling with now as opposed to the emerging kind of challenges that are going to come from DeFi and other areas.

MISCIK: But I do think as we go further down the road in artificial intelligence, quantum—again, that’s where some U.S. leadership in a stronger more whole-of-government-type of approach and then whole-of-country-type of approach. Working with the private sector is going to be really important—choosing to lead.

KANG: Let’s take another online question, please.

OPERATOR: We’ll take our next question from John Mathiason.

Q: Thank you, everyone. This is a very interesting discussion. I’m John Mathiason. I’m from the Brooks School of Public Policy at Cornell University, but I used to be in the U.N. and I did write a book once called Internet Governance.

My question has to do with, if you deal with the issue of norms and law and whatnot, this is an area—the internet is an area in which there is no international consensus on what the norms are whatsoever. There are some things happening, and I did notice that in the report you only mentioned the U.N. in footnotes more than anything else. What is your view of the role of the U.N. and international organizations in achieving an agreement on what the norms should be for governing the internet?

Just one quick point, I do know that there is and there was a mention of the—that there is negotiations in process on a potential treaty on cybercrime, and there’s another thing in the First Committee of the General Assembly on international security. But what is your view on how or what has to be done via international organizations to achieve consensus on what the norms should be?

KANG: Who would like to take that? I know, Gordon, you represented ITU a few times.

GOLDSTEIN: As for my past experience, I had the pleasure serving on two American delegations to the specialized agency at the U.N., the International Telecommunications Union, which would have these international conferences that my colleague David Gross, who’s in the audience, previously served as the leader of more delegations than anyone in history while he was at the State Department.

And to take very complicated question and compress it to a more simplified answer, the internet was never supposed to be a subject of discussion at the United Nations. In 2010, the WCIT, the World Conference on Telecommunications, the American perspective and the American negotiating position was let’s talk about telecommunications and information technology, but the U.N. is not the appropriate body to be legislating global rules and global norms about the internet simply because the multiplicity of actors.

I mean, 193 actors trying to come to agreement is not plausible, and some of them espouse views that we find to be inconsistent with our values. Russia has been fighting for years for its so-called doctrine of internet sovereignty, and they’ve been executing it based on their own management of the Russian internet. Obviously, China has done the same. Obviously, Iran has done the same. Obviously, many other states have taken this step.

I think we have one statistic in the report—I’ll ask my colleagues to help me out—there were how many states? Sixty states that over nine hundred times in a short period completely shut down the internet in their countries during different periods of civic unrest.

I hate to be a pessimist about the role of the United Nations in crafting these norms, but I regret that I am.

KANG: Well, we are—

HURD: Before we end—

KANG: Yeah, please.

HURD: I always hate it when end negative on these things, right? (Laughter.)

KANG: Yes. Yeah, let’s end on one—let’s do rapid fire.

HURD: Here’s the reality. Here’s the reality. Right now, because of the internet, hundreds of millions of Russians a day are getting information about what’s really happening in Russia and in Ukraine. Today, there are a number of women in Iran that are taking off their hijabs in opposition to the oppressive government in Iran.

You know, this is a tool that has been so important, has led to openness and democracy. And all the things that we’re talking about is, how do we ensure that that continues to uplift humanity, and it’s complicated, but we can do it.

KANG: Well on that positive end note—thank you, Will Hurd—thank you for joining today’s session, and thank you to our speakers. They were all fantastic. (Applause.)

Please do note that the video and the transcript of this symposium will be posted on the CFR website. Have a great afternoon.


Top Stories on CFR


U.S. Presidents Trump and Biden have both turned to tariffs to support local industries amid economic confrontation with China. Here’s how these taxes work and how they’ve been used historically.



The new defense treaty demonstrates a growing closeness between the two pariah states that is likely to make the rest of the world uneasy.