Preetam Maloor, strategic and policy advisor at the International Telecommunication Union, Iddo Moed, cybersecurity coordinator at the Foreign Ministry of Israel, Makita Shimokawa, ambassador in charge of cyber policy at the Japanese Ministry of Foreign Affairs, and Diego Molano Vega, former minister for information technologies and communication in the government of Colombia, join the Carnegie Endowment for International Peace's Jessica T. Mathews to discuss cybersecurity practices in various non-U.S. national and international contexts. The panelists consider the state of Internet global governance, best practices for government cybersecurity, and threats from non-state actors.
This symposium is held in collaboration with CFR’s Digital and Cyberspace Policy Program.
MATHEWS: We are turning now to session three. The topic here is defined as Cybersecurity Elsewhere. We’ve certainly touched on the set of issues that we’re going to look at in greater depth already.
This—we’re going to do this in sort of a two-tier discussion. First we’re going to get three national perspectives on the whole set of issues that we’ve talked about—how these issues and state of play is seen in three different—three very different countries. And then we’re going to turn to greater exploration of where things stand in the multilateral system and what the challenges are ahead.
You have full bios in your books, so I won’t repeat them. On my immediate right, Preetam Maloor, who is from the ITU, from the corporate strategy and policy division; Iddo Moed from the foreign ministry in Israel, who’s responsible for cyber issues; Diego Molano, the former ICT minister of Colombia, also very active, a long career in the private sector as well as in the government, and in the multilateral sphere, and Makita Shimokawa from Japan, also from the foreign ministry, looking—responsible for these issues.
So Iddo, why don’t we start with you? Tell us how Israel is coping with these problems, sees the issues, and give us a glimpse. Thanks.
MOED: All right. Good morning. It’s great to be here.
From Israeli perspective, cybersecurity basically has evolved in an atmosphere where security, national security concerns, have always been on the top level of attention of the leaders, so—as opposed to many countries where cybersecurity all of a sudden is also part of the realization that there is a national security threat by itself, and adding to that the technological aspect.
I think that in Israel we’ve been mitigating the issues of cyber as what are the different and special attributes in terms of national security. And so, therefore, in a sort of evolving process—it started in ’97—we’ve set up a national entity under the prime minister’s office that devises the policies, and, being part of the prime minister’s office, has access to all the national organs that are relevant.
And so beyond the security aspect, there’s also another very important aspect that is unique to Israel, I think, and that is the fact that Israel’s economy is very much dependent on high-tech industry. And so it is from a national perspective also very much important to strengthen and to encourage that kind—that industry in cyber to contribute to the national growth.
So a national approach has these two tenets; two pillars, let’s say. And I think that is the most important aspect of where we are coming from when we are talking about the global discussion.
MATHEWS: All right. Diego.
MOLANO: Thank you. Thank you.
Let me—I didn’t know where to start, but I’m going to start with all you guys. Could you please pull out all your cellphones? Everybody has a mobile phone. If you have it, please do it as well. Please do it. Turn them on. They’re supposed to turn them off. Turn it on and please unlock them. Everybody has their phone please? Raise it. Unlock them and give it to the person next to you. (Laughter.) Who’s willing to—who is willing to do it? Who is willing to do it? (Laughter.)
How do you feel? How do you feel? Scared?
MOED: Well, mine is in Hebrew, so I’m not—I’m not concerned. (Laughter.)
MOLANO: But you’re concerned?
MOED: It’s Hebrew.
MOLANO: I can translate it very easy. Google Translation translates everything very, very easy.
This is what—you know, I don’t mean that—I’m talking about Latin America. That doesn’t mean Latin Americans do this. But you guys, you’re a leading community on cybersecurity. You know what is at stake when you do that. But you are doing that every day in the cyberspace—every day.
Most people don’t read the contracts. Most people do not take care of their own cybersecurity. And most importantly, most people are not aware of their risks. And that’s the main issue of Latin America. When you see the poll—and you’re going to see in a few weeks a report published by the Organization of American States and the Inter-American Bank on what is happening in the region in terms of cybersecurity.
The main issue we have is awareness. Awareness is basically the source of the solution, because if you see—out of 34 countries in Latin America, just half of them have a clear e-government policy. And just four or five of them have a clear cybersecurity policy. Why is that? Because people and leaders are not aware of the risks.
And it happened that—it happened in my country. You know, when I took office in 2010, part of the plan was, of course, to have a clear cybersecurity program. And it was a part of the whole plan called—(inaudible)—which aimed to reduce poverty with technology. Of course, cybersecurity was part of that.
And in 2010 we issued the first policy, but it was not as strong as I wanted. And then in 2014 I wanted to strengthen that. I wanted to issue a new version of that policy, but I couldn’t convince my colleagues of the Ministry of Defense and the Ministry of Justice. And what happened? In the presidential election campaign somebody hacked President Santos’ email. And then one of the opposition campaigns hacked the emails of the peace negotiation—of the peace process negotiators in Cuba. That led to the issue high, and I was able to update my policy very, very easy. It was a very clear order by the president of Colombia. So what we have to work hard is increasing that awareness.
MATHEWS: So, but can you tell us where you took the policy to?
MOLANO: What we did was a comprehensive policy. You know, we got the help of the Organization of American States and many, many governments that use government. You know, Chris helped us a lot; the Israeli government, you know, many organizations. And what we did was, of course, creating the right mechanisms to protect, first of all, critical infrastructures, to create the institutional framework, to create also the right cooperation within the country, not only within the government but also within the country. That includes the private sector, not only the public sector.
We also issued—we changed completely the law. So cybercrime is punished now by the law. And we also worked with the Justice Department to train judges, to create special judges on this and prosecutors of this, and a lot of incentives in training people—training people, you know, creating new programs with the universities. And also we created a program to increase awareness. For example, in Colombia every high school student has to do a social job—social. So we created this program called Net Revolucionarios (sp). In English it would be like revolutionaries of the network.
These kids go home by home. They knock at the door and they say, do you use Internet? So the family comes and says no. Look at it, this is the great things that you can do with Internet. If they say, yes, we use Internet, they say let me tell you what the risks of Internet are. Of course, we train the community on the risks, such as cybersex, the grooming and the bullying and stuff like that, but also in cybercrime and cyber protection. That’s very, very important.
So we move the country to train people. We created—for example, we transformed completely the education. We connect every single school to Internet, and we deliver millions of tablets for free to public-school students. That’s worthless unless you have a very clear strategy on how to use that. And we understood that working with teachers and the students wasn’t enough. So we created a whole school for parents. We call it the ITT school for parents. And we teach parents massively how to use technology and how to be aware of the risks of technology.
SHIMOKAWA: Yes. Good morning. Let me update you on the status quo of the Japanese response to cybersecurity issues.
Just this January we have enacted the basic act on cybersecurity. This is not the regulatory framework, which talks about liability of private or public companies, but this is a program which mandates the government to come up with a new cybersecurity strategy, which we have promulgated and put in effect just this September.
And it was in this process of formulating the cybersecurity strategy that this most recent and most serious incident on the cyberattack on the Japan pension fund scheme, in which the theft of 1.2 million personally identifiable information theft has been involved, have occurred. So this was also—this gave us an opportunity to sort of beef up the role of what we call the NISC, which is the National Center for Incident Preparedness and Strategy in Cyberspace. This is the central organ that is now established as the secretariat for the headquarters for cybersecurity headquarter function, which is presided by the cabinet secretary.
So we have actually now basic act and the basic strategy and the very centralized cabinet organization to sort of coordinate and formulate the strategies and also carry out assessment as far as the cybersecurity environment of the entire Japanese society is concerned, which is also involved in the assessment of incident response and support, providing support for investigation purposes.
So this is the general framework that we have newly put in place. And I refer shortly to the earlier discussions on information-sharing and all of these things. This is still under transformation. We have many institutions which have been put in place in different parts of the government in terms of private-public partnership; for example, exchange of information in different—under different ministries; Ministry of Communications, Ministry of Economy and Industry, under the context of cybercrime, counter-cybercrime cooperation, also in the area of MOD, defense, self-defense cooperation.
So we still have all those different layers of cooperation as far as the information-sharing is concerned. The NISC, as a central function, is now more or less expected to do a general coordination of what is in place as far as cybersecurity is concerned. And I, being a diplomat in charge of cybersecurity issues, is on the front line of bilateral and trilateral and multilateral dialogues in terms of cybersecurity, both in terms of rule-making, rule of law in cyberspace, capacity-building, and confidence-building. And this is—in this capacity I participate in many dialogues and international conferences. And it’s a great pleasure for me to be here present today with you talking about especially the diplomatic aspect of the cybersecurity. But I just wanted to update you on where we are on the cybersecurity.
MATHEWS: It’s—I mean, for all three of you, thinking back on what you’ve heard and already know about the U.S. system this morning, are there aspects of your national system that you—other than what you’ve shared with us—that you think that are different, that are better, that are worth kind of calling out as being quite a different way to tackle this challenge?
MOED: I think the point is that every country has a very different set of circumstances. So there is no good and bad. Every country is trying to mitigate the threats from its own circumstances, its own environment. So whatever happens in the U.S., of course, bears all over the world—has bearing all over the world, because so much is concentrated here; so much information and technology and knowledge and so on.
But I think for us we have a different set of issues. And so, for example, we have 1991—1981 law of privacy—on privacy which actually resolves most of the issues that are being discussed here in the States now. I don’t think it’s better. It’s different. It’s just a fact. That’s the way we evolved in that particular area. We have a law on the use of digital media that also dates to the ’90s.
So we use these, but probably there are a lot of loopholes and problems with those existing frameworks that we need to adjust. So other countries that are defining new laws and new frameworks actually may have an advantage.
MOLANO: In the case of Colombia, I think one good thing that is happening is the leadership of the government in terms of especially the political side of the government, not only technical part. I mean, for the president, this issue is very important now. And he himself leads the committee on cyber defense and cybersecurity.
And also, you know, based on that leadership, we issued a new set of policies and legislation on e-government. For example, in Colombia, according to the law, every single public agency has to have a CIO reporting to the head of the agency and every single agency has to comply with the cybersecurity rules. It is mandatory. It is not optional at all. Just three countries in the region have that.
And also the Ministry of ICT, you know, defines mechanism to help public agencies to comply with that; you know, in the procurement processes, training people, stuff like that. So now it is for everybody in the Justice Department, in the Congress, and also in the administration, not only at the federal level, the central level, but also in the different states and departments and cities. So that’s very important.
MATHEWS: That’s great. (Inaudible.)
SHIMOKAWA: I think, as far as Japan is concerned, we share the basic principles, the basic traditions of (treating the ?) issue. That is public-private partnership, a whole-of-government approach, multi-stakeholder approach. So it’s generally the same principle that we’re working on. And the strategy talks not only about the security concerns but also the positive aspect of vibrant economy, new areas for economic development, et cetera.
If I may say so, but maybe the question in relation to the information-sharing or the question of encryption is not—may not be as acute or as advanced as in the United States as far as the private-public partnership for information-sharing is concerned. It’s more or less starting from a very voluntary approach, on a consent basis. And we’ve had some discussion about scrubbing the private script on personal information.
But we are also doing that on the basis of not the government competence but the sort of agencies’ information, promotion, agency which are quasi-government organizations cooperating with the related industries to work more or less on a voluntary basis for quick exchange and also seeking consent before circulating the information collected to the people’s concern.
So we are building up practices and we are doing this more or less in an incremental manner. So maybe—but at the same time we are facing the same kind of urgency in terms of having to cope with what is going on in the cyberspace. So we are more or less trying to sort of converge the incremental approach against the very fast environment which is—with the increasing crisis.
MATHEWS: When we began this morning, Richard alluded to me as somebody who had a misspent youth counting nuclear warheads. The parts that were misspent, I can assure you, were a lot more fun than that. And I didn’t so much spend time counting warheads as thinking about creating regimes that work, not just in the nuclear area but a lot of others as well.
And I know that for several of the panelists the word regime is uncomfortable in this context. I mean by it the sum total of norms, agreements, binding agreements, treaties, and institutions that operate in a particular area. And it seems, although I may be corrected, that it’s the right word to describe where the world has to eventually move in this area.
But we’re going to—and so what I thought we’d do now is first hear about where the U.N.—what it has achieved so far with the GGE, where the GGE is going, and then try to explore some of the issues that seem to me particularly challenging in this area relative to all the international experience that we’ve had on dozens of other issues, particularly, I think, nuclear proliferation, but climate, chlorofluorocarbon agreement, all kinds of issues where some of these problems have been tackled.
But Preetam, why don’t you start us off with a—with a review of what the GGE has done so far and where it’s going?
MALOOR: Okay. Thank you. And first of all, thank you for inviting ITU here. And Diego had his test of—the cellphone test of trust. So I have my Microsoft Surface test of trust. You know, I noticed I was the only guy since the morning who’s using this for my notes. Everyone else is relying on pen and paper. So it could be for two reasons. One, I’m the only engineer in the room, so I need props. (Laughter.) I’m not naturally eloquent in a room full of lawyers and diplomats. Or maybe someone—I intrinsically trust this device more than anyone else.
But anyway, it’s always nice to be back in D.C. And I studied here. I spent quite a big chunk of my life here. So I love this town.
So the question that Dr. Mathews had brings up a fundamental issue. My organization, the ITU, doesn’t deal with the GGE, so—which is a broader issue. Cybersecurity is obviously very complex. It’s a multifaceted issue and it’s a global issue. And within the U.N., the discussions are all over the place. You know, if you need to talk about technical capacity-building, standardization, then you come to the ITU in Geneva. That’s my organization.
Now, if you want to talk about cybercrime, then you go to the UNODC in Vienna. If you want to talk about data protection, privacy, you go to UNESCO in Paris. And you come back to Geneva for human rights, the Human Rights Council. And then, of course, there’s the U.N. General Assembly in New York, where there are three different committees, each of them talking about different aspects of cybersecurity.
You have the (versus ?) oral review process, which is talking about norms. Then you have the U.N. GGE, the governmental group of experts, which reports to the First Committee, I think. And I think all three countries here are part of the GGE. And that’s primarily the disarmament community talking about state-on-state actions. And you have many different processes run—started with the private sector or by some states; you know, the London process. You have the Interparliamentary Union. You have—think tanks are having their own processes, which are all excellent, because what they do is they bring together like-minded people, you do awareness-building. But ultimately there needs to be some kind of a coherence, some kind of a cohesion to the whole dialogue. And that’s probably what is missing right now, bringing the discussions together. And this gives me a good segue to talk about my organization.
The ITU, we—the International Telecommunications Union, it’s a 150-year-old organization. We started in 1865, so this is our 150th anniversary. And we are primarily based in Geneva, primarily engineers. We work on technical capacity-building. We help countries establish organizational structures. We do child online protection. We work on many, many different aspects. We do standardization. We have around 300 security standards.
And if you look at the history of our organization, over 150 years, it essentially mirrors the history of technology, so from, say, telegraph to telephone, from analog to digital, from terrestrial broadcasting to satellites, your mobile phone, your regular land line to your mobile, and, of course, the Internet data. And we are an organization primarily rooted in technology and we’re proud of that.
Maybe—do I have time to make one more point?
MALOOR: Okay. Just as an observer who’s been through—I’ve worked in ITU for 10 years, and it’s quite interesting. ITU itself, we’ve been dealing with cybersecurity over the past two decades. In our first resolution on cybersecurity, resolution of the U.N. document for—where countries agree to something. Our first resolution on cybersecurity was adopted in 2002, and we’ve been working on the topic long before that.
The observation we have is, you know, the first decade we were primarily talking to our own members, which is the ministry of telecommunications, ministry of ICTs. But that’s probably no longer true now. Our delegation has completely evolved. You see the defense ministries. You have the finance ministries involved. You have the foreign ministries involved, health, education. And this is the composition of national delegations which come to ITU.
And not just that; you know, even within the delegations, you don’t just have the government folks. You have private sector. You have civil society. You have academia. And this is a clear demonstration of how the debate has evolved from being a purely government-led debate, purely among the technical guys, now to essentially being a multi-stakeholder debate.
MATHEWS: So when we have a sort of a joint discussion, from whoever would like to begin it, on the GGE, where it stands, how far it has moved, Chris Painter began his comments in the last panel by saying we’ve made tremendous progress. And I—that took me back a bit, because it’s clear that governments are now recognizing the threat, willing to engage, and beginning to talk. But it can be an awfully long road between that place and actually solving a problem.
So who would like to kind of give us their sense of where the international conversation stands? Iddo, why don’t you go ahead?
MOED: I won’t mind, having spent some time the last GGE—long hours in staff room with a very fascinating discussion that ended up in a report that is a culmination of global understanding where international law stands, how it should be applied in ICT environment.
And in many ways the success of this report is not measured—not only measured by the fact that we reached a report, because this is the fourth session, fourth group, but not every group has been able to come up with an agreed report. So the fact that we have a report is a success, of course. But I think the success is being—can be measured now in the demand of so many countries to be part of this process in the future.
So it seems to be like the best game in town to join if you want to be part of shaping norms and global understandings about cooperation in cyber. And this is so because all the players are there; a lot of regional organizations that do very good work as well, like the OSCE in Europe and the IRF in Asia and the Organization of American States and the African Union. But this is the only place, the only location, where you have all the players sitting together around and discussing the same things.
Having said all that, the room was full of two groups of people, diplomats and legal people. And it’s a very interesting discussion to see our dynamics, to see how this develops into some kind of a report. And so it was important for us to have a report. But we don’t have a very clear end result, where we want to be. That varies according to the discussion. And what we lack, what we miss in the global discussion, is also the technological aspect, which actually leads and stipulates and guides most of the environment. And that’s not the place in the United Nations, and perhaps it’s the ITU’s role.
But what I have come to understand is that you have to have a multitude of players around the table if you really want to make an impact. What the GGE report—I think the most important achievement is that we all understand that international law applies. So therefore the word regime may be overstated. We already agree how we work with each other, and that’s international law, whether it’s international humanitarian law or the United Nations charter. But we already agreed on that a long time ago. We just have to see how that applies in cyber.
So there’s nothing new there. And I don’t think countries feel at the moment that we need some sort of a new regime. It’s not the technology or the effect that cyber bears on international relations and cooperation is any different. But that means that we have to have also other players around the table. And that means that we should have other discussions through the ITU, who’s working in all these other organizations.
But we also found ourselves—find ourselves, as diplomats, talking to technicians and technical people from global organizations yet want to understand how our government works with industry and with the research environment, because they also need some kind of guidance. And if we only focus on the GGE, then we are missing some part of the picture which relates to others that are part of the game but are not affecting it through the existing international organizations.
So the basic point is, as I think was mentioned earlier, we have to think out of the box here and be able to bring in others and to shape the discussion from different angles.
MATHEWS: Let me ask you and the others this question. One of the worst things you can do in an international—trying to develop an international agreement of some kind, set of agreements, regime, is to focus entirely on norms and forget enforcement, because then you simply empower the bad guys, the countries that sign up without any intention of agreeing, and you completely undermine the integrity of the system.
Are we anywhere with respect to the questions of enforcement, the bases for action in this regard, in thinking about cybersecurity?
SHIMOKAWA: Well, on this particular point I think we had this morning discussion about the whole set of tools for having right and just and transparent cyberspace. So I think the work of the norm-setting and the identification of applicable international law, in what form and which cases, has to go in tandem with the other actual tools on the spot in the real world as far as what the countries can do.
And it works the other way around, because if you have this common understanding, at least to a certain level of what kind of international rules or norms apply, it gives you a ground for taking action in whatever—in response to whatever happens in the cyberspace.
This is why I think, in the previous discussion, there was discussion that cyberspace is not a lawless space where there’s no law, so you can’t do everything. It’s not the complete wilderness. There is already a law that is applicable. So you have—to a certain extent you know what you can legitimately do, lawfully do in cyberspace. That is what is important about this norm-setting. And that is why we, Japan, also, with the like-minded countries, place importance on the applicability and the deepening of the discussion of the applicability of existing international law in cyberspace.
MOLANO: In the case of Latin America, the Organization of American States and the Inter-American Bank have taken the lead on, you know, taking the region to another level, trying to encourage cooperation in all levels.
But, you know, I agree with Iddo that the issue, the legal issue, I think, is okay. The thing is how to implement it in two ways—speed, in terms of the legal processes. They’re very, very, very slow, I mean, not only for cyber; for everything. But in terms of cyber, we have to increase the speed of the legal procedures and that cooperation. But technically we have a main bottleneck, a main bottleneck, because technically countries in Latin America don’t have the capabilities to define what they need to do, and sometimes, like the big banks, the World Bank and the Inter-American Bank, come to these countries and they say, look it, this is the money to implement your cybersecurity policy and to create the tools needed to protect your customers, your information, your country. But they don’t know what to do with that money.
So the help has to be really to take that innovation in cybersecurity, put in real tools. Countries cannot develop those tools themselves. That’s key. It is—so the help we’re having is just from the policy point of view. We have to move to real problems, to real projects.
MATHEWS: The—you know, with some international systems, like nuclear, for example, the system is only as safe as the weakest link. So you can have a tiny little country like North Korea blow—well, threaten the entire system. In others, you really only need to work with the big actors. Climate—you know, there are seven political actors that account for 80-plus percent of the emissions.
Is this a system where we will ultimately only be as safe as the weakest countries, the weakest links in the international system?
MALOOR: Jessica, you stole my closing line.
MATHEWS: I’m sorry.
MALOOR: (Laughs.) So the—you know, we’re as strong as our weakest link is something which applies. Maybe there will be new technologies where that may or may not hold true. You know, block chain—there is an argument that if you strengthen some block chains, then probably you can protect the other ones. But anyway, that’s a different story.
You know, since—today morning in the radio stations what I heard was let’s work with this country or that country. Let’s have bilateral agreements. Let’s have a group of like-minded countries or a small set of stakeholders coming together. Well, that will help. You have to remember that there are still 4 billion people who are still offline. You know, and when they come online, the opportunities, of course, are enormous. But the challenges will also be enormous. Threats can come from anywhere. And that’s something that we should not forget.
So an integral part of any country’s national cybersecurity strategy should also be to help others, less developed countries, kind of develop their own capacity, helping them set up good institutional frameworks, organizational structures. You know, you shouldn’t leave safe havens, because that can be exploited. And you see that in the real world also. You know, there are countries—there are regions of the world that most people couldn’t point on a map earlier, and now those are the culprits. And that could easily happen in the cyber domain also.
So essentially you shouldn’t be thinking of other countries as charity or altruistic reasons. That’s the only way to protect yourselves. So that should be center and focus of any country’s cybersecurity strategy, primarily the developed ones. And international cooperation is key here.
MATHEWS: How are we going to get it? I mean, I didn’t mean that facetiously. But isn’t that a new—a completely new issue for the international community?
MALOOR: It is. It is. And that’s why you need more dialogue. I mean, that’s why you need to talk to everyone, not just countries who think like you or countries you have a financial interest in.
SHIMOKAWA: Well, on this particular point, as I said probably at the outset, our outreach in the international community has three pillars. That’s propagation of rule of law in cyberspace and confidence-building with countries, and also capacity-building. And the capacity-building is not doing for charity, as you say. This is for strengthening the weak spots in terms of cybersecurity measures and policies are concerned.
And this is not only for transferring and the know-how, but this is also against the backdrop of the fact that there are different school of thoughts in terms of how you wish to regulate or how you wish to govern the Internet—the cyberspace. And as I said, in our strategy we place great importance on such values as freedom of expression, democracy, transparency, openness. But some models in terms of cyberspace governance is not necessarily based on the same values. They have slightly different emphasis on more control or more government involvement versus multi-layer facet approach.
So this is not only about sharing know-how, but this is also about how we want the world to be in terms of the—if you don’t want to use the word regime, but what kind of governance is desirable for the security of the cyberspace?
MOED: Yeah, I’d like to continue this point. I think it makes a lot of sense to connect this kind of activity, outreach, cooperation, international cooperation, to the norms question, because in many ways when you’re talking about some kind of a new regime, that means that everybody more or less understands where we are at. And I don’t think we are there. I think that many countries are far from it. Some countries don’t have an interest. They don’t have—they don’t realize that they are part of a malicious chain of events. Or they are not interested because they are just interested in getting to know what’s needed, what’s required of them, and they’ll implement it.
But actually this is a new kind of a discussion, and everybody has to be involved. And from our perspective, as far as the norms go, we feel that norms should be, at this stage, at least, voluntary or non-binding so everybody can join in; everybody can understand and learn what it means; work a lot on confidence-building measures, which are very focused actions that countries can take, and also work hard on capacity-building, because that means that you’re also learning while you are creating this kind of cooperation. Either it’s bilateral, multilateral.
You’re also learning how the perspective is from other countries. And as I said earlier, one country cannot understand. The global situation has so many different circumstances. And just to point out a very good example that I think was mentioned earlier, the London process, the Netherlands came up with a platform called cybersecurity—cyber expertise—Global Cyber Expertise Forum, which is a website, actually, where countries can put their international cooperation programs with another country or other countries, inform others of its existence, and have them join it. So it’s a sort of a pool of knowledge that’s being created where not only states, but multilateral, multinational organizations and private companies can join in and take part in. And so that is being shared. And I think that’s very, very important also in—
MALOOR: To be a part of that, yeah.
MATHEWS: Diego, do you want to add on this?
MOLANO: I think having everybody on the same table to discuss this is impossible, you know. But—and I think the dialogue—and I agree with Preetam that we have to keep on talking. We have to move that talk also to real action, to real action, to enforce action of many countries.
And I see that in Latin America. Again, out of 35 countries, just five or six have a clear policy on this. But most of those countries, they have agreements, trade agreements with the U.S. They have trade agreements with Europe. But we are not—we have to really push them to move towards the right direction.
MATHEWS: Who’s we?
MOLANO: I mean, the whole community. I mean, in those dialogues—I mean, this is not only about having the right recommendations to do. It’s also really using all kind of tools available to say—look at, you want to do trade with me? You have to also increase your cybersecurity capabilities and policies to do trade with me, for example.
MATHEWS: So link it to trade agreements.
MATHEWS: That’s interesting.
MALOOR: Okay. So Diego mentioned capacity-building and if you have the—you know, even if you have the money, what do you do? You know, there’s one clear gap that I can point out. Most of you must have heard of CSIRTs, computer incident response teams, which essentially—if I put it simplistically, they’re the first responders in case there’s an attack; national CSIRTs in many countries.
And, you know, out of 193 countries, 92 countries don’t have a national CSIRT. So there’s a clear gap. And that’s an area where my organization is focusing on, helping them establish a CSIRT. And in some countries, you know, it’s just a basic level of CSIRT. Then you give them additional capabilities like forensics and all.
So we’ve done assessments in 65 countries. We helped establish CSIRTs in 15 countries. We are implementing four more. And even after you establish a CSIRT, you need to make sure that it’s functioning well, it’s well-embedded within the regional community and also the global community. So we conduct these cyber drills to make sure that the coordination is happening well internally, externally.
And we also tap into existing frameworks, like there’s FIRST, which is International Association of CSIRTs. And we make sure, once we help a country establish a CSIRT, we also make sure that they can tap into the existing collaboration framework that FIRST offers. So that’s a clear gap. The international community needs to do more.
MATHEWS: Let’s talk for a minute about the role of non-state actors in this. It’s hard enough to negotiate anything or agree on any enforceable agreements in a room of 200 governments. But where a major part of the threat are non-deterrable, non-state actors, how do you even begin to proceed? Somebody pick up on this.
MOED: I think this is a very important question, non-state actors. And we’re talking about malign. So non-state actors, of course, could be private sector, but we’re talking about groups and individuals that are abusing networks to create harm. And that is a very troubling aspect of cybersecurity. And how do you deal with that? They are not members of any international organization or framework. So how do you deter them?
And there are two sides to it. One is, of course, as was mentioned also earlier, is increasing cybersecurity measures either nationally and internationally. But on the other side, how do you work with existing frameworks and how do you make sure that they are not part of—not continue what they are doing?
So in this respect there is the responsibility of states that give home to them, that allow them to operate. But in many instances those states are not even aware. And in some cases there may be even a credible case that they are not aware of the existence of such groups that are operating from their territory. And how should they monitor it? Do we have the tools for that?
So the issue of non-state actors is, I think, one of the biggest challenges that needs to be addressed in the international arena, and especially when it comes to terrorists and terrorist use of networks. Either it’s attacks or the use of the networks for recruitment or whatever. This is one of the biggest challenges that we have to address.
MATHEWS: Anybody want to add on that?
SHIMOKAWA: Well, I quite agree. I mean, this is something—a very difficult issue. And we will probably have to counter those attacks based on different arena. I mean, if it falls in the ambit of cybercrime, I think the reinforcement of information cooperation and also cooperation, international cooperation, between the law enforcement agencies would be the most effective action to take against such kind of cyber issues.
And if it goes more to the direction which involves national security, of course, that would involve cooperation with allied countries in terms of how you address such attacks, especially on critical infrastructure or real-time exchange of information on concrete incidents. And this is the kind of issue that we would like to promote cooperation on with allies, starting with the United States.
MATHEWS: Let’s turn to the room. Who would like to begin? Please. And the same rules apply. Remember, we’re on the record. And we’d like to know who you are and to please wait for the mic. Right here.
Q: Thank you. Mika Kerttunen, Cyber Policy Institute, Estonia.
I have a question about Israeli cyber policy. Sir, as Israel is one of the, let’s say, most powerful countries in cyber field that has not published a cyber strategy—most of the countries haven’t, but Israel, perhaps being a good exemption in that list of countries. How does the prime minister’s office engage the nation and engage the private sector without a published strategy?
And a follow-on that, as we cannot read what is the Israeli development in the field, could you elaborate what are the needs to adjust in Israeli cyber policy? What kind of measures are next on line to update or upgrade your policy, and therefore your capacity? Thank you.
MOED: It’s a very good question. And we’ve been asked that quite often. As I said at the outset, I think the need to have clearly formulated cyber strategy, as we’ve seen around the world, doesn’t exist in Israel because our strategy is very clear. In our environment, we are attacked basically because we are there. We are in the way of some people, probably.
And so it’s very clear that what we are doing has a very clear sense that to protect ourselves, but there is no—there are no secrets here. So, for example, as I mentioned earlier, the process of establishing the Israeli structure or infrastructure to mitigate cyber threats, on that way the government took some decisions, two resolutions that were taken earlier this year that were published that outlined quite extensively what our aims are and what we are going to do about that.
So it’s not a strategy, but it’s—and it’s not in Hebrew. It’s in Hebrew, but it’s in English as well—there is an English version—with the aim of clarifying to the international community where we are going and why we are doing that. And there are two resolutions. One is to set up the organization that will, in effect, implement the national policy, which is the national cybersecurity authority. And the other one is aimed at internal system, and that is to regulate and standardize cyber, cybersecurity, cybersecurity expertise.
So—and the aim of that resolution is to pull Israelis’ organization to follow the government’s example. So it’s leading by example. And so it puts a very clear line where we are going, what we are exactly doing. And I suppose that in time, when we feel it’s really necessary, we’ll come up with a more broad idea, which leads me to the other question that you asked. What are the gaps? And I think for the first time in cyber is realizing that our security also depends on international cooperation. In the past we maintained our security in a very clear way. We are independent. We have to be able to protect ourselves. It’s a basic tenet in Israel security. But in cyber, of course, we all realize that you have to work with others, with other players, with like-minded countries, with allies.
And so, perhaps in that respect also, it’s important to come up with some paper that hooks up to the developments in the world. And so I would assume that, sooner than later, some paper like that will come out. Thank you.
MATHEWS: In the back. Yes, go ahead.
Q: Hi. Good afternoon. My name is Fred Tsai from Salesforce.com.
Quick question about China’s role in this emerging global governance of the Internet. Has China been helpful? We’ve heard a lot about—you know, today about, you know, again, bilateral understandings between China and the U.S., China and the U.K. We also hear about a lot of the negative attacks coming from China, from unknown actors. But has China been helpful in terms of global governance?
MATHEWS: Why don’t you take that?
SHIMOKAWA: Well, just—I don’t want to—maybe I should ask the views of the others. But I just want to sort of introduce to you the kind of discussion that we had in the context of trilateral cyber dialogue that we had with China and South Korea. And, of course, China had very much interest in the democratic governance of the Internet world. And the interpretation of that is probably understandable.
But they—although they are supportive of the multi-stakeholder approach, they have a slightly or even substantive emphasis on greater role of the government in comparison to the private sector. And they are talking about what they call democratic governance of the Internet. And so—and it is up to each stakeholder in cyberspace whether you consider it to be the good standard or not. So I just stop here. I don’t want to make my own comment, appreciation on this. But this is what the Chinese government’s orientation is as far as the Internet governance is concerned.
MATHEWS: Anybody want to add to that? No? Okay. (Laughter.)
Q: Thank you. Alan Raul, Sidley Austin.
There was a comment from the panel about tying cybersecurity perhaps to international trade agreements, if I heard that correctly. How would that work? There’s been talk recently in connection with the European Union’s restriction of data flows to the United States as to whether this is a violation of, you know, national treatment and non-discrimination provisions and WTO agreements. How would you envision that might work with cybersecurity? Does it concern intellectual property infringement or national treatment issues? Could you elaborate on that? Thank you.
MOLANO: Look it, what I see is that there is a lot of talk. The dialogue is very active. But we have to move to action. And we have to push governments—and I’m talking about Latin America—to move in that direction, to implement cybersecurity policies, to join those recommendations. And the recommendations are not enough.
And we’ve been talking for many, many years, and nothing is happening. And I don’t see any priority on most of the governments in Latin America to move. So we have to come up with new ways to move them. And I completely agree with you. In the few elements of the current agreements related to technology, there is huge problems. Look at the IP issues. It is huge. In Colombia it is huge. We haven’t even been able to implement the agreement with the United States because the civil society, you know, shows up, because we tried to pass a lot along in the Congress and we couldn’t because the protests were huge. But that’s just the IP.
So I agree. I fully agree that implementing that is tough. Look at what happened in Europe also. But we have to come up with some other ways to push countries to move in that direction, because, you know, we need most countries—not every—because, you know, thinking of having everybody join is very difficult, but at least having the allies join.
MATHEWS: Right. You know, I—I mean, just two, three weeks from now is the Paris summit on climate; 20 years of work, of just enormous amounts of talk and research and policymaking and meeting in which time global carbon emissions have risen 65 percent. So there will be aspects of Paris that will be a big success, governments making individual pledges to cut by certain amounts, by certain dates, although those are intended and not legally binding.
But overall this process has been a tremendous failure. And at least a big reason, if not the big reason, is the free-rider problem, right? For most countries it’s a no-brainer to let others cut emissions and free-ride on the global benefits of that. And surely this is the same problem. And at least I think the new thinking in this area is national action protected by border adjustments. You know, tariffs is the only way that you can—that you’ll never be able to negotiate 200 countries by consensus into an agreement, but you could act in this other way. So I think it’s actually an interesting parallel there.
Over here. Yeah.
Q: Thanks. Steve Flynn at Northeastern University.
It’s understandable that we focused heavily on information technology and intellectual capacity and IT, telecommunications, and all that, trying to get that coordinated. But the cyber physical threat is also something that’s truly international because we share so much infrastructure, whether that’s seaports and ports or power grid, pipelines, and so forth. And to what extent nationally, as well as on the international side, is the cyber physical threat being addressed as a part of our efforts?
MOED: I would say there is no difference. It’s very similar. I mean, there is no exclusion, no physical versus virtual. I think it’s even clearer that the threat to existing—to infrastructures is cause for the international community to come together to reach some agreement. So actually this is one of the key drivers, especially, specifically critical infrastructure, utilities and such, for international cooperation and agreements.
SHIMOKAWA: The same for us. I mean, the cyberattack on the critical infrastructure is a priority area for the overall cybersecurity strategy. So we identify certain number of critical infrastructure area for which we have particular attention on putting in new mechanism for countering measures. Of course, it starts from basic information-sharing, hotline between the central NISC authority and the infrastructure and cooperative information-sharing, and as I said, also international cooperation on what can be done on that respect.
So it is a very important and priority area. But at the same time, maybe—I think the history of cybersecurity started from more of an economic theft to cyber theft and cybercrime. So maybe the sense of urgency in terms of cybersecurity, national security issue or attack on critical infrastructure may not be as heightened as it should be. So I think the question of raising the literacy and the awareness of cybersecurity vulnerability is also an important area.
MATHEWS: Preetam, do you want to answer?
MALOOR: I agree with the other panelists. You know, in 2003, 2005, there was this world summit on the information society, which essentially was a global dialogue on high-level principles governing the information society. And there was a big debate on cybersecurity, on exactly the aspect that you mentioned.
You know, in the end, if you look at the document, you’ll see you probably won’t find the phrase cybersecurity, or maybe you will. But what you’ll find is building confidence and security in the use of ICTs, which is much broader than cybersecurity. Cybersecurity is one layer. You talk about network security, a variety of other security aspects.
Q: Yeah, George Lau (sp), retired from Department of Commerce; was doing the export control security issues.
And talking about the cybersecurity, this morning one of the panel mentioned about bilateral between U.S. and China or China and the U.K., another country, already is a step forward for Chinese government to at least admitting such kind of problem. And the panel mentioned that is a step forward.
And since China has more people use computers and more people have mobile devices than any other country, so if their government participates in international cybersecurity governance, which is a positive move to improve the international cybersecurity. And this morning’s session we understand a lot of problems, but we haven’t get into too much solutions. But I like one panel mentioned about one of the solutions could be put cybersecurity as a condition in trade agreement.
I don’t know. Can you tell us a little bit more specific what kind of things in your mind should be put in the trade agreement? What kind of wording you’d like to have?
MOLANO: You know, there are some issues that could be included, especially in terms of cooperation, international cooperation. That’s clear. In terms of law enforcement, in terms of, you know, of course, us, we’re trying to do with IP, doing a kind of coordination of the legal frameworks, because something that—we could—what is happening in some countries in Latin America, in some countries in Latin America cybercrime is not formal crime. So you’re trying to move those countries to a more common platform in terms of protecting the cyberspace.
MATHEWS: Anybody else?
I wanted to raise also the question about whether the sense I have, that people are measuring progress by governments’ willingness to engage on this issue and to talk, isn’t drastically out of relation to the degree of the threat. I alluded to this earlier, that it can be a very long road between when you sit down to talk and which you reach some kind of agreement that actually addresses the mutual vulnerability here. And I—it seems as though all of our discussions, this panel and the earlier one, suggest a sense of real progress having been made on the willingness to talk. But is that—bear any relationship to the degree of the mutual vulnerability that we, in fact, experience?
MOED: I would say, if I may, there’s a distinction to be made between political willingness and technological preparedness of governments to communicate. So many countries still have to get their act together. And most of the countries around the world are still doing that. And once they feel that they are already sort of more or less organized, that’s when they say, okay, now, let’s tap into the global discussion and try to find out how we can enhance our security, our international cooperation.
So in that respect it’s a sort of inward-outward process that needs to take place. Countries have to understand what are their vulnerabilities. And so they have to be able to gauge what kind of cooperation they would need in order to enhance that security. I think that’s the most important problem. Politically everybody’s prepared to talk because everybody understands that it’s necessary to find common solutions.
You can see that in the GGE. Everybody—every country has been contributing and being very active and initiating different ideas. So there’s no lack of political preparedness. But it’s an issue of how do you connect the different strategies and environments and try to build up something global. And that’s a complicated part. And in that respect the GGE’s report was very important because that sets a common ground to everybody. International law applies. So we can move on from there.
Q: Hi. I’m Michele Markoff. I’ve been the U.S. negotiator on the GGE and in charge of these issues since 1998. And I’m Chris Painter’s deputy. I thought I would offer perhaps a minute on the U.S. view of the value of the GGE, taking off what Iddo had said.
The countries that are coming together in the GGE are coming together out of a common interest in preventing conflict, state-on-state conflict in cyberspace. What has been so useful about the GGE is that we turned it from an early conversation in 2005 from arms control proposals to ban the development, deployment, and use by states of what the Russians called information weapons to a discussion about what are the standards of responsible behavior by states in cyberspace.
It is a conversation that’s been going on now for 10 years. We have made progress. As Iddo says, we have affirmation by the states that are participating that international law applies, which has extensive ramifications in terms of restraining state activity offensively against other nations. And in this last GGE, which ended in June, we also came up with 11 voluntary, non-legally binding norms that states should begin to adhere to in order to prevent conflict.
These included—I think—I’m sure Chris said it; I wasn’t here then—not attacking critical infrastructures, not attacking CSIRTs, being willing to work with victims, victim states of attacks that appear to be emanating from your territory, whether or not they’re state-sponsored or third-party-sponsored.
So the reason why this is such a popular activity now is we have made progress. Unlike other GGEs, it has become the bellwether for state agreement here. But a GGE is just the recommendations of governmentally appointed experts. It is not binding. So the notion that there should be enforcement is premature. We are trying to come up—I wouldn’t call it a regime, but a framework of—with two pillars, norms of expected responsible behavior by states, confidence-building measures which allow states to cooperate in real time to prevent conflict or crises from getting out of hand.
That eventually is developing into issues of how does one maintain stability, international stability, in cyberspace? And that would be through restraint, which these norms that Chris talked about, peacetime norms, really represent. They’re issues of restraint in the interest of stability. So whether or not we end up in five years or 10 years with a treaty document, I think it’s premature to say. I think we have to educate the international community. We have to continue to arrive at further conversations about what other norms ought to apply in cyberspace.
MATHEWS: Thank you. That was helpful.
Are there any last questions? If not, please join me thanking the panel. (Applause.) And we have, I think, five minutes before the keynote address.
This is an uncorrected transcript.