Image: The Binnenhof - the historical center of government in the Netherlands. Fitting that we should be talking about global cybersecurity and digital peace in The Hague, an international city of peace & justice and home to the International Court of Justice. The Hague was always an open place that attracted many embassies starting its reputation early as an international, open-minded and welcoming city. The Royal Residence was not walled! And that somehow also makes The Hague a fitting backdrop for our discussions this week – because we are here to talk about another world without walls, and that’s the digital world.
As we consider the challenges before us, we must recognize that we live in a digital world.
It is clear where this world is going. We are entering a world where every thermostat, every electrical heater, every air conditioner, every power plant, every medical device, every hospital, every traffic light, every automobile will be connected to the Internet
Think about what it will mean for the world when those devices are the subject of attack. Think what it will mean for people when they leave their office in the evening to drive down the highway if we have to live in a world where nations and others feel free to attack the grid that is controlling the automobiles that are driving home for us The reality is that digital technology has become the cornerstone of our lives, and therefore one of the great questions of our time is this Will this challenge become more serious or less so? It will either get better or get worse But on its current course, one should certainly not be sanguine because we live in a world where the infrastructure of our lives is ultimately vulnerable to the weakest link
One of the interesting facts about cybersecurity attacks is that 90 percent of all of these attacks begin the same way, by somebody clicking on a link in an e-mail that they receive. As we've sought to protect people more effectively, one of the things we've learned is that human nature is both a wonderful and challenging thing. As somebody said in a conference I was at earlier this year, it turns out that every organization has at least one employee who will click on anything.
Unfortunately, we all appreciate that the course of history has so often shown that the evolution of earlier technologies has led to the horrors of war, and it has led to even more powerful military might…
on land, in the water, in the air, and now… in our generation, in our time, in a new place as well, in cyberspace.
And so, the fundamental question, in part, is: What will the planet make of this new development? The reality is that technology in cyberspace is, in many respects, is unfolding as technology always has -- on land, on the water, and in air. Because what are we seeing? We are seeing a new arms race
So as Cyberspace has become a new battlefield - "We are seeing a new arms race. In fact, we’ve entered a new era of invisible weapons”
And as we think about the year 2017, believe that it is altogether possible that a generation or two from now, people will look back at this year and they will look at the 12th of May. And they will say that on the 12th of May 2017, the world changed again. It changed because it was on that day, a Friday, that the so-called WannaCry attack was unleashed.
By any measure, it was an extraordinary day, and it was an extraordinary event. It was an attack that was launched using cyber weapons that had been created in one country and then stolen and used by another.
And even though the attack was thwarted almost by coincidence, by a computer scientist in the United Kingdom, before it ran its course, it impacted, it damaged, it impaired over 200,000 computers in 150 countries. Think about this. In the history of our planet, in the course of humanity, has there ever been a single attack by any nation that affected as many other nations simultaneously as that attack did on the 12th of May? I don't think one can find one.
And that attack affected real people. The WannaCry attack disrupted and impacted hospitals across the United Kingdom. And by impacting hospitals, it impacted individuals. As the National Audit Office showed, there were 6,912 people, patients, individuals who were scheduled for medical care on that day. They were scheduled to see a physician or they were scheduled for a surgical operation and their medical care that day was canceled. There were ambulances on their way to take patients to hospitals that were diverted to other hospitals instead. So this is about people. If that were the only thing that had happened this year, this would be a year that was unlike any other, and yet the challenge is that's just the biggest attack that happened in the month of May.
In the month that followed, in the month of June, we saw another attack, the NotPetya attack. Here was an attack that was focused on disrupting the electrical grid and the civilian infrastructure, the private economy of a nation, Ukraine. It, ultimately, spread beyond Ukraine, but not before it damaged that country.
And NotPetya affected us here in this country as well Right here in the Netherlands, in the port of Rotterdam, the APM terminals grinded to a halt. They could not be used for days. Logistics company Maersk suffered the consequences,and estimated that it cost them between 200 and 300 million dollars globally.
In fact, it was right here in The Hague that the Dutch government announced last year that (foreign) agents had tried to hack into the Organisation for the Prohibition of Chemical Weapons (OPCW) , a good example of how a lack of norms is problematic.
So, with the militarization of cyberspace and the increasing trend of nation state attacks - the age of defending citizens in cities without walls is long gone in our connected world. Cybersecruity and having norms in cyberspace to protect citizens and institutions and work towards achieveing digital peace is increasingly critical.
As someone who comes from a company like Microsoft who spent almost two decades working in the tech sector, I would absolutely be the first to say that, in fact, we have the first responsibility, after all, we built the stuff. As discussed in Brad’s recent book, what we’ve built, technology, can be used as either a tool or a weapon. And so there is a great deal that we do to protect our customers and partners against cyberattacks – to prevent others from weaponizing technology that is designed instead to be a powerful tool.
But we also need governments to act. I think one can look at all of these issues and ask, "Can't the technology sector solve this problem by itself?" The answer is: No. It is a resounding no for one simple reason -- nation-state attacks are growing because of increasing investments that are leading to increasingly sophisticated cyber weapons. We simply cannot live in a safe and secure world unless there are new rules for the world.
And that means a need to create new norms, while also working to ensure that existing norms have meaning and have the force of law.
We are not starting from scratch. We can learn from the past and be inspired by historic moves like The Geneva Conventions which established the standards of international law for protecting civilians during times of war. What we need now are norms and international instruments to protect people from cyberattacks during times of peace.
With Cyberspace as the new battlefield - the technology sector, governments and civil society need to come together to move laws and norms forward to protect civilians in the age of Cyberspace.
Of course there are a number of significant initiatives already in place. The UN’s Sustainable Development goals, and SDG16 specifically address the commitment to Digital Peace and Safety. And more recently (June 2018), the The Hague Charter for Accountability in the Digital Age drafted by the Institute for Accountability in the Digital Age (I4ADA) in collaboration with UNESCO and the city of The Hague to offer a guideline and reference for future discussions on Accountability in the Digital Age.
Let’s look at another example…
One recent example of a norms building is the Paris Call for Trust and Security in Cyberspace. It was announced in November 2018, less than one year ago, by the French President Emmanuel Macron. One year ago, MSFT President Brad Smith spoke here, in the Peace Palace. He called on the need for Digital Peace in an age of nation-state hacking, ahead of the Paris Call announcement
What truly distinguishes the Paris Call is that it widens the base of support for its commitments to, for the first time, include civil society and industry groups as supporters All have agreed to uphold and further collaborate on the agreement’s 9 principles. It serves as an example of a new kind of diplomacy - multi-stakeholder diplomacy - where governments, the private sector and civil society come together to protect our online world.
Endorsers of the Paris Call affirm their willingness to work together, notably to: Prevent and recover from malicious cyber activities that threaten or cause significant, indiscriminate or systemic harm to individuals and critical infrastructure; Prevent activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet; Strengthen our capacity to prevent malign interference by foreign actors aimed at undermining electoral processes through malicious cyber activities; Prevent ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sector; Develop ways to prevent the proliferation of malicious ICT tools and practices intended to cause harm; Strengthen the security of digital processes, products and services, throughout their lifecycle and supply chain; Support efforts to strengthen an advanced cyber hygiene for all actors; Take steps to prevent non-State actors, including the private sector, from hacking-back, for their own purposes or those of other non-State actors; Promote the widespread acceptance and implementation of international norms of responsible behavior as well as confidence-building measures in cyberspace.
One year on, the Paris Call has now been endorsed by 67 governments, 358 industry members, and 139 civil society organizations – nearly 600 entities in total. This represents the largest ever multi-stakeholder group assembled to support a cybersecurity focused document.
Endorsers include all 28 EU member states, four-out-of-five of the “Five Eyes” countries, more than one hundred civil-society entities as well as dozens of globally recognized companies such as Accenture, Cisco, Citigroup, Deutsche Bank, Dell, Ericsson, FireEye, Google, IBM, Intel, Mastercard, Microsoft, Nestle, Nokia, Oracle, Palo Alto Networks, Samsung, Schneider Electric, and Visa – as well as all the companies making up two prominent industry-led cybersecurity initiatives: the Cybersecurity Tech Accord and the Charter of Trust.
But there is no need to stop here!
The Netherlands is at the forefront of leading the way in defining how international law is applied to the digital space.
This conference and its participants is a great platform for us to discuss how we should proceed
Paris Call for Trust and Security
A multistakeholder commitment
Protecting the Internet
enabled theft of
public core of
the security of
of cyber norms
139 Civil Society Organizations
Paris Call for Trust and Security in Cyberspace