Keynote speech
by NATO Deputy Secretary General Rose Gottemoeller at the joint German Marshall Fund – Microsoft event on Countering Hybrid Threats (followed by panel discussion)
(As delivered)
MODERATOR: Thank you very, very much for that, well, very sobering and very thoughtful way to start our conversation and we have a wonderful way to continue with actually and so allow me to introduce Rose Gottemoeller.
Rose is a great friend of GMF but Rose is just a wonderful person to start to address these issues from even a different perspective but some of the perspectives you’ve mentioned already. Rose is Deputy Secretary General at NATO since 2016 but also has a long career of very senior positions inside and outside government where she was intimately involved in debating many of the issues that you began to speak about, especially with regard to nuclear weapons and other things. But Rose if I could ask you to join us and reflect a little bit from your perspective on what these issues mean, well in your current role, but for all of us. Rose thank you so much, thank you.
ROSE GOTTEMOELLER [Deputy Secretary General of NATO]: Thanks. I feel kind of bad after that really cool presentation that I’ve got this podium up here, you guys are going to have to hang with me because actually for NATO this is an important new area and we are taking it extraordinarily seriously and I did put down on paper some initial thoughts, working very closely with our entire team at NATO but we are grappling with these issues and I’ll talk about how we are grappling with these issues during my brief remarks that I think will help to kick off our conversation just as Brad’s excellent presentation has helped to kick off our conversation.
There are two things I really agree with about the presentation we just saw, one is that cyber security is an issue for our time, indeed it’s a global issue for our time. So Brad I couldn’t agree more with you on that and the other one I really liked a lot was the one about we cannot fight the threats of today with the tools of past. We must grapple with the technological challenges that we face across a very broad spectrum and one of the points in my speech is that in the old days it wasn’t so very difficult - you’d see a line of soldiers coming across, coming across a border line and you’d know something was up, conflict was underway or there would be a massive explosion and attack, you’d know something was up, something was underway.
What NATO is grappling with today is so much of it is in the hybrid realm where we don’t know where the borderline is between peace and war, between conflict and war, between crisis and conflict, and so if you bear with me I would like to put a couple of points out there but I’m going to have to read and I didn’t bring a cool presentation along today but maybe next time, alright.
So with that I did want to underscore that for almost 70 years NATO has been in the business of security, NATO is a political military alliance of 29 independent democracies and I want to place the stress on democracies because we are as democracies inherently linked to the rule of law and we take that very, very seriously.
Our shared goals are to protect our citizens from aggression and intimidation by other states and to defend the principles of democracy, individual liberty and again the rule of law.
Our armed forces benefit greatly from modern technology and increasingly they rely on cyber space but they are not immune to cyber risks. This prompts fundamental questions: what do these technologies mean for our security and what do they mean for our defence? So much of what the presentation we just saw focused on were the problems in the civilian world but I agree that they can provide profound dangers to civilian society but they are also very much a problem for our defence.
So what do they mean for NATO as a defensive alliance?
Traditionally, as I said a moment ago aggressive actions were something you could see happening but the cyber warfare challenges that we are facing today are really something that must be grappled with in quite a different way. Rapidly developing technologies including artificial intelligence, driving autonomous systems, are changing the nature of conflict.
NATO must be able to operate effectively in a new and constantly changing environment. NATO’s approach to cyber space embraces our overall mandate and principles and supports our broader deterrence and defence mission. Moreover, NATO promotes a stable and peaceful cyberspace and I do want to underscore that also for this audience: our goal is to nurture, develop and strengthen a stable and peaceful cyberspace.
Here at this podium today I wanted to talk about three of the ways in which NATO can contribute to the global effort to promote greater stability in cyberspace.
The first one is reaffirming the rule of law and exercising restraint; the second one is supporting national resilience, and; the third is fostering deeper cooperation and in all of these areas I think we already have a profound partnership going on within industry about which I’ll talk as I wrap up my remarks, but let me just make a few quick points here.
First, on the rule of law and restraint. Cyberspace does not have to be the wild, wild web despite recent incidents and well laid out in the video we’ve just saw and as you know the United States just today or just yesterday I guess, it was about midnight our time here in Brussels, the United States attributed to the … [inaudible] attack to the Russian Federation.
So it’s wild, wild environment out there but in our view there are rules that apply. Back in 2014, NATO Allies agreed that international law, including international humanitarian law and the UN charter, apply in cyberspace. This was reaffirmed during NATO’s Warsaw Summit in 2016. Not everybody agrees with this among nation states, that’s one important area we have to debate and discuss and I do very much agree with Brad’s remarks that we have to debate and discuss whether there are in fact holes in that body of international law that need to be taken care of.
NATO’s mandate is strictly defensive and we will continue to follow the principle of restraint and act in accordance with international law. Restraint is important since actions taken in cyberspace may have unintended consequences. There is also the possibility for miscalculation given its intrinsically anonymous and asymmetrical nature.
Moving forward, we need to apply international law in cyberspace and we must continue serious discussions on the specifics of how we do that.
Now let me turn to resilience and again very, very glad to hear about the work that Microsoft is doing in that area as well as other industry partners, but NATO is already doing a lot to help countries become more resilient, that goes for our 29 NATO Allies but it is also a top priority for working with our partners of which there are more than 50 across the globe.
NATO is helping Allies and partners to boost their resilience against a wide range of threats both conventional and hybrid. We are investing in cyber defence, continuing to develop new capabilities, build capacities, share best practices and enhance information sharing. The Cyber Defence Centre of Excellence in Tallinn, Estonia supports this work, in particular on education and training and the Estonians, as you know, were really among the first to suffer a profound national level attack in 2007 and so they are very good at thinking through these problems and their Centre of Excellence based in Tallinn has gone from strength to strength as it has developed in recent years.
One tool for enhancing our resilience is the NATO Cyber Defence Pledge which was adopted in 2016. The Pledge has helped to focus us, it’s helped to focus strategic level attention on cyber defence and to promote and prioritise investment. Importantly, it also includes the essential human dimension; that is training and education, building up the brain power that can help us inside the NATO Alliance to better tackle these problems.
National implementation of the Pledge is ongoing, progress is going to be reviewed at the next NATO Summit in July so our Heads of State and Government will have a chance to look at how well we are doing and consider about further improving the level of protection, further improving resilience and preparedness across the Alliance. It’s truly a priority, and we must really ensure that we are prepared to respond to cyber threats and challenges no matter where they emerge on the defence spectrum.
Finally, cooperation, NATO can help to foster deeper levels of cooperation; global challenges need global solutions. Within the Alliance, we aim to enhance cooperation and build trust. We have a number of tools to do that including dedicated points of contact in each of the 29 Allied countries. These enable fast information exchange as well as assistance to improve the prevention, resilience and response to cyber incidents. And NATO cultivates cyber defence partnerships, we have more than forty partnerships with non-member countries and with international organisations such as the European Union. This is critical, critical for success. We also work with industry and academia and we train together to share information and exercise with our partners.
NATO has a long history of cooperation with industry and I wanted to take a moment to thank Microsoft for its active engagement with NATO and our industry cyber partnership. NATO has benefited on several occasions from your insights and your analysis be it through briefings to Allies or your participation in our expert events and workshops and through events such as this one here today at your beautiful new centre, so we look forward to more of that in the future.
We recognise that NATO is just one part of a really growing and we hope growing quite large ecosystem in cyberspace, one that is I think really enriched by diversity among its membership.
As an international organisation NATO does not create norms or international law. States do that and we welcome and support activities that feed into the development of broader and more sophisticated international law. In particular, we support the work undertaken in other international fora, those in the organisation for security and cooperation in Europe, for example, where they have been working on confidence-building measures and in the development of voluntary norms of responsible state behaviour in the United Nations group of government experts. These are both important venues and which the states have expressed their views, in particular at the UN group on the applicability of law in the international realm to cyberspace.
Now more than ever we need to reinforce these efforts, build on them and build a more transparent and stable cyberspace. Broader efforts, including initiatives by industry and academia, help to spur discussion among policy-makers and informed state practice. While it’s ultimately states that craft international law, industry has an essential voice in the debate around how we use and shape cyberspace in the future.
Here I would add that many … that industry has not only a voice but also has a responsibility to set the highest standards by designing secure products and services and so I am very heartened to see how Microsoft is taking this responsibility seriously.
So ladies and gentlemen, as I wrap up, I’d just say that for almost 70 years NATO’s essential mission has been the defence of our member states. That remains unchanged now we have to take it to a new level, that’s all there is to say about it.
So I welcome this debate and discussion today, thank you for your patience for my podium here, next time I’m going to bring a cool presentation. Thank you very, very much indeed, look forward to our discussions.
MODERATOR: Well let me invite the panel to join me up here on the stage, all of our speakers and we’ll continue the conversation up here for a while. Brad, I’m aware you have to catch an airplane too so we won’t make it too long, but we will also save a good amount of time for all of you to come in on the conversation with questions and comments.
So please, we’ve had an incredible start to this discussion from two different but complementary perspectives and we are able to continue with two other people who are really extremely well placed to help us think through some of these questions.
David Martinon who’s digital ambassador at the French Foreign Ministry. David, thank you for joining us and my colleague, Laura Rosenberger, who is a senior fellow with GMF but also director of our alliance for securing democracy which is an exciting new project dealing with many aspects of these issues.
Let me just leap right in if I could, David, if I could turn to you perhaps first, just to reflect a little bit on what you heard in terms of perhaps the diagnosis of the problem but maybe even more specifically you know, who should do something about it and how that cooperation can work. I know you’ve been thinking about that issue, the relationship between the public sector, the private sector, the role of states in dealing with this, so maybe quite briefly just give us a few thoughts.
DAVID MARTINON: Who should do something about it? Well basically all of us and if you want I can go down the list.
I can only agree with what has been said earlier and notably to answer your question, if you consider the context we are living in - obviously we are … we have entered an era which could be described as the new cold cyber war with a few strong nuances.
During the Cold War, we were basically talking about a confrontation between two sides which is not the case anymore. We are living in a multi-polar world in which basically every state, every state, even those who appear as probably the less prepared can actually act in cyberspace in an offensive way; (2) during the Cold War, confrontations were never direct, it’s not the case anymore, cyber attacks are direct and the confrontation is direct; (3) and I revert back to my first point, we are not talking only about public entities, governments, we are talking about private entities, legitimate, illegitimate, who can be active and when I was evoking those governments who may appear as not prepared to act, well the thing is they can always rely on competencies that are here on the market and being patriotic hackers, being coercers, being mercenaries, all of them are available provided you can pay for them.
So what we’ve been seeing in the last year is that we’ve made some great progress and you said that the group of governmental experts and I happen to be the French expert and I have, we have with us today our Dutch colleague and friend who is the Dutch expert of the … [inaudible]. So yes we’ve acknowledged the fact that international law is fully applicable to the cyberspace which is a huge step. Second, we’ve managed to conceive and establish a few norms of behaviour that are we believe extremely useful for the future. So of course the question is now how do we make sure that those norms are actually implemented, well that’s for another century. This was off the record.
The thing is we are probably in a situation where we need to change the ways we work on those topics and we have welcomed Microsoft’s initiative with organised, with our Microsoft friends and some other countries and events back in September in the margins of the UN general assembly on how we can better define the role and responsibilities of all the actors when it comes to cyber security. What has been evoked I can only concur with that. You know, how do we make sure that we prevent proliferation of cyber weapons? That is key but also very difficult because basically the whole world would be happy to get those weapons. How do we make sure that the monopoly of constraint remains in the arms of governments, meaning how do we prevent behaviours such as reverse hacking from private actors and this is absolutely key for us and how do we make sure that the digital battlefield in a way sort of disappears in the future. How do we make sure that every actor makes its best efforts to work, to better work on security and by saying that of course we are talking about software, devices, we’ve seen what happened with Intel a few weeks ago … [inaudible] and we need to take care of that too. So I may stop here because I could stay for a long time on this topic.
MODERATOR: We will have a chance to come back to it I’m sure. Laura maybe I could turn to you next, you know a lot of the discussion that we’ve had so far has revolved around you know the cyber attacks we’ve seen and things of this nature, but there was also some reference to a kind of broader use of information warfare in a sense, disinformation, fake news, but also other things that are aimed at destabilising societies, interfering with democracy in a fundamental sense. I know you are very active in this area, I wonder if you could say a few words about how you see this fitting into this overall picture?
LAURA ROSENBERGER: Yeah, so I think it’s absolutely all part and parcel of the same thing, I think Brad characterised the way that some of these tools interact with each other, I think they are actually not separate tools. Cyber attacks often, as you referenced, facilitate information warfare when hacked information can be weaponised and released, but I also think to take a step back too - you know the kinds of attacks that we saw with … [inaudible] and WannaCry also are very much related to attempts by authoritarian nations that have an interest in undermining faith and democratic institutions. And Brad you underscored very clearly that you know one of the important roles of the public sector is to protect the public from foreign nation state attack and when we see the ability of adversarial nations to use cyber attacks to undermine the electorate grid, to take out hospital systems, these are also things that undermine people’s faith in government’s ability and democracies to provide for the good of the people. So I think these are very much sort of part and parcel of the same thing. I totally agree it’s a shared responsibility to address these issues, there is a role for governments, there is a role for the private sector, there is a really important role for a civil society.
I think that on both the cyber security side and on the information warfare side, a lot of what we see is the exploitation of vulnerabilities in our systems and vulnerabilities in our societies. So whether that is technical vulnerabilities that are being exploited for cyber means or whether that is cleavages in our society that are being blown open through information warfare. I think that in that sense it’s really important. Both Rose and Brad really underscored the importance of resilience and I think we need to think about resilience in a couple of different ways. There is the traditional sort of hardening of systems ways; there is the securing of the actual technical pieces of equipment, but then they are closing off some of the societal vulnerabilities that make some of these attacks much more impactful.
It’s in part, you know there is, I kind of think about it as there is a supply side and there is a demand side and you have to think about it from, you have to address the vulnerabilities on both sides of that in order to be able to really address the challenge.
Rose you mentioned some of the technologies that are coming down the pike. AI in particular, this is an area where when we think about information warfare in particular I have major concerns. The technology already exists, I mean the kind of ‘fake news’ disinformation stories that we have seen prevalent not just in the US but across the European continent will sort of, you know, the new technologies are going to blow out of the water in a way what we see coming down.
So the ability to manipulate video and manipulate audio and create whole new, you know, content that appears indistinguishable from something that is real is really terrifying and how we begin to address that, we need to, it’s not just that we need to be you know dealing with the challenges today with not the tools of the past, we also need to be anticipating the challenges of tomorrow, vulnerabilities that are going to be coming down the pike and then I just want to go, I think, again on both the information warfare side as well as on the cyber attack side. This idea of the importance of attribution exposure, I think of it in terms of sunlight and transparency which in any functioning democracy is incredibly important. I think it’s important to both accountability, it’s important to building resiliency, so to me I think that these are all very much related and it’s really important that we think about them as sort of an integrated tool kit that we both need to be thinking about, understanding analytically and being able to address.
MODERATOR: Laura, thank you. Rose, you know we talked a lot about … you’ve all in different ways talked a lot about defence, defences and hardening and hardening society and so forth. Beyond defence, is there also a place for deterrence in this?
ROSE GOTTEMOELLER: Well I think absolutely, we have some examples that at least I’ve read about in the press. People talk about what has gone on and this was rather now an old story but during the previous administration in the United States the approach that was made to the Chinese after attribution had occurred to say cut it out and apparently, at least according to press reports, it did have some effect.
So I do think that there is a role for deterrence but if you are going to exercise deterrence then as always you have to be strong. That’s what we talk about in NATO when we talk about deterrence and defence. You have to be strong, you have to be well prepared; you have to be well-trained and exercised, you have to be ready, able to defend yourself and that has to be evident to your counterpart - to the possible aggressor as we say.
So I wanted to just mention and pick up on some of the points that Laura made. A visit I had last week to the StratCom Centre of Excellence in Riga, Latvia - I was visiting there last week, had a chance to see the battle groups both in Latvia and Lithuania. That’s a great example of how deterrence and defence and physical space, the kind of old-fashioned way, is very present in NATO. But then I went to the StratCom Centre of Excellence in Riga and they had some very important things to say about be trained, be ready, in order to contribute to a deterrence effect. One thing they talked about is being very ready to get out there first with the right information in order to dominate the algorithm. And … I think they are very concerned, as you are Laura, about the advent of technologies that will allow manipulation of files and information so that it really looks real - news reports, films, etc, they are very concerned about that as well but this a notion of being out there first with good information and trying to get ahead of the way I think is one way to think about how to handle it. But also just I think again being prepared and being ready to respond, being ready to respond quickly in every way you can.
So I do think there is a role for deterrence, there is no question about it, but in some ways the link is back to how we’ve always thought about it: know thy enemy, so understand what the enemy can do, what the threat is and then be strong and prepared to deal with it.
MODERATOR: Brad, you spoke, and there has been a great deal of debate about this, especially in the context of the work you’ve been doing on a digital Geneva Convention. This question of enforcement. You know if you go the route of legal regimes, how enforceable and who will enforce them? How are you thinking about that problem? Or is it perhaps not so much about that? It’s simply about the norm setting and enforcement is great too, but say a word about that.
BRAD SMITH: I think both aspects are important and I think from our perspective, especially as a private company, the first principle for us is there need to be clear rules. You know, you can think about any issues of arms technology and there are always important questions, are they enforceable, who will enforce them, you know is anything you know ironclad, I mean we live in a world of laws and yet there is still crime and therefore we apparently live in a world where every day people break the law and so sometimes I find people ask, well gee if we make these laws can we rest assured that everyone will obey them. No, that’s the short answer, but I think to me the first question is, are we better off in a world with law than without it and I think to me I’d look at the issues that have arisen around chemical weapons.
Chemical weapons have been broadly prohibited by international law going back to the late 1800s and yet Mussolini used them in East Africa in the 1930s and denied it for a year before the governments of Western Europe concluded that in fact they had been used and even in our own day in recent years there have been questions about the use of chemical weapons in Syria.
So you know some of these fundamental questions that make attribution difficult in cyberspace are also sometimes attributed … are sometimes present in those kinds of issues as well.
You then get to the same question: if a government has used chemical weapons they clearly have violated international law. Who is going to accept the responsibility to enforce the law against that perpetrator? Sometimes it’s the United Nations, sometimes it’s an individual government, sometimes it’s NATO.
I think as one gets to those questions, one frankly exceeds what I regard as the role of a private company to try to define, I think that this is where the inter-governmental organisations, where the governments themselves need to really address you know that question. But from our vantage point it all starts with having clear rules and laws in the first place.
MODERATOR: Thanks, before I open up to all of you, maybe I could just put a final question from my side to the four of you, or whoever wants to pick up on it, and forgive me from GMF’s transatlantic perspective I can’t help asking this but do you have the sense that Europe and the United States are on the same page with these questions. Perhaps about the assessment of the risk but, you know, the question of what to do about it?
DAVID MARTINON: I was in Washington last week to contact the American French cyber dialogue and yes.
MODERATOR: We’re doing very well, we’re doing very well here.
LAURA ROSENBERGER: I’m going to be a little more pessimistic over here. Not that I think that it’s not fundamentally on the same page but I do think there are differences both between the US and Europe on how we think about things like speech and privacy that do make for differences and then, but I also think when we think about particularly sort of hybrid warfare and asymmetric tools, I think even within the European context there are different views, there are different perceptions, there is a different sense in some places of how we should be prioritising certain threats versus others and how to be addressing and so I am very hopeful in the transatlantic spirit.
I mean I think there is no question we need to be on the same page so I put that very clearly, we need a transatlantic approach to these issues, we need you know, I mean Brad you talked about the global approach, I think that that’s right, I think as a starting point getting at least all democracies sort of on the same page on this is incredibly important but I do think there are some challenges to be worked through on that.
MODERATOR: David, please.
DAVID MARTINON: Obviously, yes was a short answer. So on cyber we have share the same goal, we share the same vision, again we acknowledge the full applicability of international cyberspace, we have worked together on establishing the same norms of behaviour. We approached them the same way meaning we see them as lines that basically tells you who is the right guy, who is the wrong guy. We have some nuances notably on the concept of deterrence, for example. We would rather use the idea of demotivation of this incitement because we see deterrence as so intimately linked to nuclear deterrence that it’s a problem, it’s a theoretical problem for us, we obviously in cyber we are not looking at erasing the enemy, we are not talking again, we are not talking about a club and we are again not, and this is why it is so tricky, we are talking about attacks that are under the threshold of the use of force really, even if of course the perspective we are facing is probably human casualties in the future and so far it hasn’t been documented even during, I don’t know, during the black energy attacks in Western Ukraine. Basically if you put down the grid in regions where obviously the winter is quite cold you may suffer that kind of consequence. So far it hasn’t been documented but obviously the risk is there and when we reach to that point then the whole landscape will even evolve.
And on the topics you evoked, yes of course we don’t approach the question of disinformation, of fake news the same way and this is just a starting point and of course the Americans have the first amendment to the constitution. We are not bothered that much about limiting freedom of expression when it comes notably to terrorist content or you know that, so we don’t approach the question the same way but basically yeah we are globally on the same page.
MODERATOR: Brad, please.
BRAD SMITH: Well I would say in some ways I think the US and Western Europe are on the same page and in some ways they are not and you know I do think we have probably seen more progress over the last year but there is a lot more work that needs to be done.
One of the challenges is that this issue actually is multi-faceted. You take something like WannaCry, I mean here was an attack that was indiscriminate but at a time of peace but I think you see a clear consensus across Europe and North America and even reaching into Japan.
You take something like … [inaudible] where views are emerging as you just, as you heard about attribution you know an attack that I would say was indiscriminate but targeted at a single country and again I think you start to see views that are more in common emerge.
When you get to the issues around democracy and you know it may not be a cyber attack like WannaCry and … [inaudible] we use terms like information warfare, I think in some ways we are still groping for the right vocabulary even to use.
I do think that we can look at these attacks and say they are attacks and I do think we can say they are attacks on democracy. I also think that you know the fundamental fact that everybody recognises is that we are living in an unusual time because Washington DC remains largely fixated across the political spectrum in a debate about what happened in the 2016 election. So here we are nine months away from a very important mid-term election in the United States and I think from our perspective and in a disconcerting way people are still spending too much time looking backwards rather than forward. You know we are seeing people who are up for re-election in November being attacked, hacked today and I think the time has really come with a sense of urgency to find a way to look forward, even if people are going to continue to debate the past as they will and should, but it’s time to look forward.
I also think that because there is this unusual moment of time, say in Washington DC, greater leadership is needed than in other times across Western Europe. Greater leadership is needed in Canada where I think Canadians benefit from really being the only democracy that has a minister whose sole role is the protection of democratic institutions and … [inaudible] who has that position is very focused on how to protect the Canadian election that will happen in 2019. But we are going to need I think more steps in that space and that area in particular is not one where I think the United States and Western Europe are moving together in tandem the way in most circumstances since World War 2 they have tended to.
MODERATOR: Let me open it up to all of you, we’ve got about 25 minutes, a little less maybe, and if I can ask you to be quite crisp that would be super, tell us who you are and where you’re from that would help us out a lot. Let me start right here.
QUESTION: Thank you very much, Nicholas … [inaudible]. I am research officer from the [inaudible] Centre for European Studies. Sticking to the topic of deterrence, it was an interesting discussion already, but I would like to ask because deterrence, the work, there needs to be quite a clear idea on behalf of the potential perpetrator that it would be punished somehow if there would be an attack and I would like to hear some ideas of how, for example, if there would be another WannaCry attack eventually in the future, what could be done to have a pretty clear punishment for the potential perpetrator so it might be deterred?
ROSE GOTTEMOELLER: I’m going to start by repeating an aspect of what I said, one aspect of deterrence is strong defence and a sense that you’re … the perpetrator of the attack would not simply be able to gain his objectives in the attack, so that’s why we do emphasise resilience. At NATO we do emphasise the security of our networks, the security even if there should be a breach that we can recover very … [inaudible]. But I can't agree enough with the point that Laura made that it’s really the responsibility of institutions everywhere to do everything they can to ensure that their networks, if not being invulnerable to attack, at least can easily or quickly recover. Sometimes it’s not so easy but you’re … the attacker is not deriving the effect he wants because simply the system is so resilient that it bounces back quickly.
I am oversimplifying that you see what I mean, I wanted to make the case that deterrence is not only about striking back all the time, sometimes it can be making it very clear to the would-be attacker that they will not gain the effect they are looking for.
DAVID MARTINON: You know obviously you have to look to think about what you’re really looking at, we are not looking at punishing the attacker, we are looking at making the attack stop and re-establishing a normal situation, so obviously yeah the best defence is defence which is the best description of deterrence by denial and then second, what we would be looking at is really how to make the attack stop and how to raise the cost of an attack for the attacker and so what means do we have in our heads, well prob... so this is still an ongoing discussion between governments. We would probably look at several tools, not necessarily cyber, and basically it’s the usual job of diplomats, we would then act on you know diplomatic aspects, economic, cyber.
I mean there are a lot of options and probably the best one sir would be a cross-border reaction.
BRAD SMITH: One point I would add is I think that this is an area where it’s very important to think about the different roles of governments and the private sector.
From our perspective, deterrence is really the role of governments, organisations like NATO and others. I don’t think the world is served by private companies getting into the deterrence business. Occasionally, you hear suggestions that companies should be allowed to hack back and I think that’s probably a recipe for more things to go wrong than be done right.
I do think that there is a special role in responsibility for the tech sector, in particular, to do an effective job as acting as first responders because that is in fact what we are. We are the people who show up first to try to help people who have been attacked and we found it helpful to at least think a little bit about what can be learned from how governments and civil society responded to the first really great advances in weapons technology in the middle of the 19th Century.
In part it led to the invention of the Red Cross and sometimes people have asked me, do you think tech companies are now like the Red Cross for the internet, and the answer is no, we are not the Red Cross. I think there is a different analogy though that is interesting to think about because when the governments of Europe came together in Geneva, Switzerland in 1863 they did two things: they established the Red Cross but they also said that medics, even medics who worked in uniformed armies, had to be protected as neutrals and had to take on the responsibility of neutrals. And what that meant literally was when there was a battlefield with weapons technology that was far more dangerous for all of the combatants than the world had previously seen, the medics had a responsibility to stay on the battlefield and treat the wounded and they needed to treat the wounded regardless of nationality, that was the responsibility that came with being neutral. But the protection that they therefore deserved from militaries of all variety was that the medics would not be shot as they were treating the wounded.
And I do think there is something to be said that in the world today the cyber security engineers that work for tech companies and work for customers they are the medics of the internet and I think we have a responsibility to help everyone to treat the wounded and I think that we can do that work only if governments accept that we have that responsibility and need that kind of protection that has preceded us with other prior generations of technology.
LAURA ROSENBERGER: I have 30 seconds. There have been some very good remarks on this already. The asymmetric nature of the way that we are seeing these cyber attacks being employed poses fundamental challenges to conventional deterrence theory and I won’t get theoretical on this crowd but the point being that an adversary who is willing to launch high-risk, indiscriminate attacks is going to sort of fundamentally create challenges for how you respond as responsible nation states.
And so I do think as … [inaudible] mentioned your thinking about our own across the full tool kit available to those who are under attack, thinking outside of just the cyber domain is incredibly important where we can think about the ways that we can impose costs and raise the costs for such attack in a way that is still true to the rule of law, to the values that we seek to protect as well.
MODERATOR: OK, let me go back there, a lot of hands here and not a lot of time. Let me ask you perhaps to take a few together and come back to you to close it out. So maybe just right here and then just to the back of you there.
QUESTION: Thank you, Brookes Tigner, Jane’s Defence Weekly, I have a question for Rose Gottemoeller primarily. NATO MODs yesterday as you know agreed to reform NATO’s command structure. A lot of this will involve prearranged, predefined arrangements to second or lend national capabilities to NATO and yes I know they also agreed to strengthen the cyber security centre in SHAPE. However, I heard no talk about setting up predefined agreements to transferring national cyber capabilities over to NATO in times of crisis.
So my two questions to you are, given the urgency of the cyber threat, how much time should NATO give itself to do that? And might that directly involve industry or will it just be strictly gov to gov? And second question, should that particular predefined assignment have priority over the more physical aspects of transferring you know C2 commands in air support etc? Thank you.
QUESTION: Thank you very much, my name is … [inaudible]. I am the cyber coordinator in the Dutch Ministry of Foreign Affairs and I would like to thank the panellists for their wonderful introductions and the interesting discussion.
For my part I can only … would like to start off by answering that … [inaudible] pertinent rhetorical question, are we better off in a cyber domain where law applies. We definitely are, I completely agree with you and that’s why as the Netherlands we try to do our best to spread the knowledge about how international law applies to cyber space internationally, to foster the discussion also about how indeed it applies because it’s very important that we definitely operationalise that and furthermore we are also trying to actively engage in this discussion about how we can complement that with norms of behaviour that plug the gaps. And we also very much are aware of the fact that this is not something for states alone, although governments traditionally have this responsibility and also monopoly in international peace and security, it’s definitely … it’s obvious that in cyber and in the digital world we have to team up with private partners, with the tech community, with civil society and join in and be in that endeavour together and that is why last year we were proud to help establishing the global commission on stability of cyberspace under the inspiring leadership of Marina Kaljurand, former Foreign Minister of Estonia, where indeed this discussion is actively on track.
What I would like to ask you indeed is the following. To ensure that there is more stability in cyberspace we need to up resilience. Ms Gottemoeller already rightly underscored that resilience is important but when we look at the world it’s obvious that apart from the front runners there are many countries that don’t feel resilient enough. There is a lot that we can do more in the area of capacity-building, capacity-building in the area of first-line resilience but also perhaps capacity-building in as far as in the area of knowledge on international law and norms, etc.
How can we better team up together, states and private sector and other involved and bring that to the next level capacity-building worldwide? Thank you very much.
MODERATOR: Thank you very much, if I could go just perhaps right over here on the aisle, thank you.
QUESTION: Thank you, Nad’a Kovalcikova from Public Diplomacy at NATO. I have a question about the actors. So we usually understand cyber threat as part of hybrid threats who are coming from the attackers who are in the weaker position who are not able to wage a normal warfare and therefore they don’t have enough money but they have enough money to fund these cyber or hybrid threats so would it be in your opinion a good idea to maybe follow the money, cooperate more with financial institutions?
And secondly, I have seen a lot of very impressive and touching videos by people, so the people who feel vulnerable, who feel attacked and unsafe in this time. What role do you see of the civil society and academia in order to counter these new threats?
MODERATOR: Thank you very much and I think, and I am conscious about time as well, I think probably time for one more and then we will come back to our panel here. Just right here please.
QUESTION: Thank you. … [inaudible] from Latvian Representation in the EU. Thank you, thank you so much for your presentation and for information given. I heard your concerns about … and the Dutch concerns better having some role in place than no role at all. But my question was … you mentioned the Geneva Convention on cyber threats. Geneva Convention, it means that it is humanitarian law convention but humanitarian law applies only during time where war on conflict. So if there is no war, if there is no declared war or no threshold violence reached there is no law applicable. And I rather suggest you to stick to human rights law - it’s safer they apply all the time. Thank you.
MODERATOR: Thank you, OK, thank you very much and thanks to all of you, my apologies, I know there were a lot of hands out there but I did want to save some time to come back to the panel. So lots of things here, please feel free to pick up on any that you would like very briefly.
QUESTION: Sharing cyber capability in NATO, national capabilities in NATO and how to share them. Capacity-building for resilience and norms. Following the money. The role of civil society; and what kind of law to apply. A lot there but very briefly without letting Brad miss his plane.
ROSE GOTTEMOELLER: Well maybe I’ll just start because there was one question addressed to me quite specifically and so I’ll just take that one and then let my colleagues take the other ones.
But you’re making a big assumption about authorities and how authorities get used around NATO in peace time and war time. In the case of NATO Allies, some authorities essentially are exercised on a national basis and essentially something might be offered to NATO to share. It goes for, you know, the cyber domain of operations I mentioned … no maybe I didn’t in this speech, but now we are looking at cyber as a domain of operations just as air, sea and land, they are all domains of operation.
Authority is conveyed and used within NATO in various ways, sometimes a state essentially offers up a capability and it is available for use in the Alliance, sometimes there are actually, and we are looking also - you pointed out quite rightly - at adaptation of the NATO command structure and in that case there will be more formalised definition and then articulation of authorities and that process is still underway. In fact our Heads of State and Government will be making some final decisions on that at the time of the July Summit.
So I cannot answer your question precisely because it’s very dependent on circumstances but I did want to make you aware, and the entire audience aware, that this notion of how authorities are articulated and then used in any particular circumstance, whether in conflict or crisis, it is dependent on the specific circumstances and dependent very much on the substance of the situation.
DAVID MARTINON: I can give you the French position on that. France is not ready to put its cyber capabilities in the hands of NATO but we are absolutely prepared to put them into motion to look after the goals that have been defined by NATO. Here is the nuance. And by the way we have been advocating a lot for the NATO cyber pledge because we consider that the best preparation is for every member state to actually commit to invest on the proper preparation.
ROSE GOTTEMOELLER: And exercise and train and be ready to deal with circumstances that may be thrown at us.
MODERATOR: Questions here you’d like to pick up on.
LAURA ROSENBERGER: I would just say absolutely on following the money. One of the challenges that actually, that David mentioned earlier in terms of the patriotic hackers in particular, one of the things we see from some nations actors, Russia in particular, is that sometimes it can be difficult on the attribution side to determine whether or not these are actors who are under the government direction/guidance control or whether they are sort of freelancers who are acting at the behest of … . There are networks that operate both on the cyber side … the [inaudible] networks are the most well known when it comes to Russia and in fact those are networks of hackers that are held together in some ways on an official side and in some ways on a less formal side.
We have seen similar behaviour at times in the past by certain Chinese entities which may or may not be affiliated formally with the government, or may sometimes work for the government or not. All of that to say that when you’re trying to determine who is in fact being funded from where or getting direction from where the money piece is incredibly critical both to understanding the networks, how they operate and then being able to cut them off.
BRAD SMITH: I’d offer just a couple of thoughts although with the conference today I think the questions that all of you have asked are really some of the most important questions for all of us to be thinking about and they are challenging questions and therefore there is no easy answer or definitive response from you know a single panel.
I do think when one thinks about the public and private sectors working together on resilience that there is something to be learned from thinking about … [inaudible] because I think traditionally tech companies have focused on helping customers one at a time because typically customers were hacked one at a time. Typically organised criminal groups do target individual consumers or companies with the specific intent typically of financial gain and therefore one needs to work with a customer at a time but … [inaudible] showed that an entire country could be attacked simultaneously.
WannaCry showed that the whole world could be attacked simultaneously and so I think that there is an important opportunity for us to ask, OK when an attack is unfolding, especially in real time, what is the preparedness of the government and the role of the government, what is the preparedness of the tech sector and how do we work together, you know, quickly the way a country or the world needs us to act. And that is a new level of resilience that we are going to have to establish.
I think the other questions really underscore in so many ways the profound nature of the challenges that we are now confronting and in some ways these are not altogether new. I mean these attribution issues are very challenging but I sometimes think it’s worth recalling that when the first Nazi troops entered Poland in 1939 they were wearing Polish uniforms because they were designed to create a pretext for Hitler to claim that Germany was being attacked and needed to respond.
So we have in fact dealt with challenges of attribution for many, many decades and now we just have some more sophisticated challenges of attribution that we need to address but at the same time the point about international humanitarian law is a really vexing one because here we have this body of law that says that governments must protect civilians in times of war but it doesn’t say they must protect civilians in times of peace. Why not? Well it’s peace. They don’t need to be protected. But what are we living in today, I think that’s where this word hybrid comes into and in effect, you can see these attacks take place as isolated incidents, as warning shots, no-one really knows what the motivation was for WannaCry. I think some day the world may know but it may be years before we get to the bottom of it or at least have the kind of public information that would enable us to determine it.
I don’t know exactly what one calls what happened in Kyiv on the 27th of June. It wasn’t entirely isolated because there have been other military incidents clearly in Ukraine since 2014. You know so we are living in a time we are not quite certain how to label and yet what we do know is that civilians need to be protected and I think part of the answer is to follow the money but I also think that a fundamental lesson for me is the role of civil society. And for this purpose I will define civil society as anybody that’s not in government and therefore claim to be part of it.
If you look fundamentally at that question that Albert Einstein posed: how does humanity respond to advances in weapons technology so that humanity can organise itself to protect itself from the potential of the horrors of war that otherwise will be unleashed? It has always been the voices actually of people in civil society. You know it was on … [inaudible] who mobilised public opinion by in effect giving a voice to the victims at the Battle of … [inaudible] in 1959 and he did it through a book that was widely read across Europe and so that has been a course that has been followed many times. We wouldn’t have laws today that would protect against landmines if there hadn’t been a determined campaign by civil society.
So I think that there is absolutely a role today for the groups in civil society that respond to these attacks that protect civilians, that help customers. And frankly a big part of what led us to send people to Ukraine with a film crew was to ensure that the voices of victims could be heard because I don’t think one can solve these problems in any meaningful way unless one mobilises public opinion and I don’t think that one can mobilise public opinion fully unless we give victims the voices they need to have and I think that’s part of what I hope we can continue to carry forward.
MODERATOR: Please join me in thanking our speakers. This has really been an extraordinary conversation and we are very grateful to all of you for helping us have this and thanks to all of you for joining us. Let me also just also not least thank Microsoft, John, your wonderful team and if I may also be permitted to thank my wonderful team including … [inaudible] who organised this for us.
This has really been a great conversation, I look forward to having others and we also invite you to a reception outside. So thanks so much.