In this presentation, Bruce is going to be looking at global cooperation in cyberspace. So, to kick off our morning with a few secrets, please give a big warm-up group welcome to Bruce McConnell. I'll leave you the clicker.

Good morning everyone, thanks for coming in. As Alan said, it's better in here than it is outside. I've lived in Washington for a long time; I'm in New York now, and New York isn't quite as hot today as it is here. [unintelligible] I will be speaking for about 35 minutes in order to leave some time for discussion. My plan is to wander around backstage, behind the scenes, in the world of global cyberspace policy and tell you some of my impressions about the backstory that shows up in the press, mostly as hype about how the world is going to come to an end any day now because of cyber attacks. Well, it does sell newspapers, but as you all know, the story is more complicated than that. And it is a global issue. So I'm Bruce McConnell, Senior Vice President of the East West Institute in New York. EWI was established 35 years ago, when East West meant the Soviet Union and the United States.
In its early years, EWI enabled quiet conversations between military and political forces from both sides, in that case the Warsaw Pact and NATO, during the collapse of the Soviet Union, to assist in a peaceful transition and the successful reunification of Germany, along with obviously a lot of other people. Later we worked in Eastern Europe to assist the new governments of the former Soviet Union in collaborating on economic reforms. Today we have a global program. For example, we are working with the Russians to reduce narcotics flow out of Afghanistan, and we are working with India, Pakistan and some of their neighbors to promote commerce and trade in the Southwest Asia region as the economics there shift. In China we host a party-to-party dialogue between the Chinese Communist Party and the US Democratic and Republican parties. Some people say we should try to host a party-to-party dialogue between the US parties, but that's much more difficult. And we also host a military-to-military dialogue between retired senior generals from China and the US.

We've been working in cyberspace for about six years. I came to EWI two years ago, as Alan mentioned, from Homeland Security, where I did cyber for US critical infrastructure. Cyber security, of course, is a global issue involving many countries, and we work with the major cyber powers, the US, China, Russia, India, European countries, and with global technology companies who, of course, are cyber powers in and of themselves. Every year we produce an annual invitation-only conference, the Cyber Cooperation Summit; as you can see, this year it's in New York, and it brings together about 300 people from over 40 countries to work together for two days to improve the level of cooperation around the world on key cyber issues. Last year the summit was in Berlin and was co-hosted by the German government. It has been in other places as well: London, Delhi, Silicon Valley.
The summit is the annual capstone, though, of ongoing work that we sponsor using our tried and true methodology of convene, reframe, and mobilize. We bring the right people together, just like you do. We reframe the issues so solutions can emerge, and then we organize support for the recommended solutions in capitals and corporate headquarters around the world. Our work to date has shortened repair times for and increased the resilience of the undersea cable infrastructure, reduced spam on a global basis, kickstarted and advanced conversations about how rules of international law apply to cyber weapons, and promoted international cooperation on cyber incident response. We make progress using small groups of experts, which we call breakthrough groups, that meet throughout the year in person and electronically; then they get together at the summit and sort of expose their work and get it socialized to larger audiences.

So I wanted to focus on the situation of cooperation among nations and companies in cyberspace today globally, and I'll begin by paying particular attention to relationships between China and the US. I chose these two countries, maybe not for the reasons that you think, but because together they make up more than half of the world's internet users, and because the tensions between the two in cyberspace are really at an unacceptable level. You know, I was really taken by the theme of this conference, boundaryless information, and it says in the opening summary of the description of the workshop today that boundaryless does not mean that there are no boundaries; it means that boundaries are permeable to enable business.
This is what has made the internet work: this permeability of boundaries, not just boundaries between countries, but boundaries of all kinds, and I'll talk more about that later. And so we're developing kind of a set of political and technical boundaries between the US and the Chinese, which is not helpful to either country's business environment, and that is one of the reasons, in addition to other larger security reasons, why it's important for the two countries to get together and work it out. The East West Institute works especially directly with China on cyber issues. For example, in the past we've worked closely with the Internet Society of China to reduce the incidence of spam and malware coming from US and Chinese servers. We are cooperating with two different Chinese nonprofits on cyber arms control and incident response, and I'm frequently in Beijing, and I will be in Washington later this afternoon to talk about ways of improving the dialogue between China and the US on cyberspace issues. We continue to work with governments quietly.

So, in my view, we are at a historical low point in the relationship. There is an unprecedented lack of trust and a lack of mutual understanding. It's a serious situation and one that must be remedied. Cyberspace is the source of great economic and social benefits. It's a wonderful incubator of collaboration and innovation. Its peaceful operation is of great benefit to mankind. As Chinese Foreign Minister Wang Yi said earlier at the National People's Congress in Beijing, cyberspace should become a new frontier of our cooperation rather than a new source of friction. At the National People's Congress, of course, all the ministers come in from all over China, and the skies, which are not always clear in Beijing, as you know, were beautiful, and it was said that the reason this was true is because all these politicians had come into town and all the hot air had blown away the smog.
So these things are not that different. We have to break through this impasse. In order to do so, it may be useful to ask, how did we get here? There has been considerable friction between the two countries on cyber issues over the past 10 years. The US complains about repeated breaches of the computer systems of US manufacturing companies and the theft of their industrial secrets by attackers who appear, at least in the eyes of US authorities and US technology companies, to be based in China. The Chinese are similarly unhappy, as are many people, about the surveillance activities of the government, which they had suspected but which were revealed by Edward Snowden. So there's frustration on both sides and a lack of trust. On the US side, the frustration was that the Chinese government was unable or unwilling to do anything to stop these attacks, these intellectual property attacks, from continuing. This frustration led the Justice Department to announce the indictment of five army officers for alleged theft of industrial secrets. You may have seen the wanted posters of these guys. The Chinese government responded to those indictments by suspending a government-to-government cyber working group. This cyber working group had been established by President Xi Jinping and President Obama in Sunnylands, California. It had met twice, once in Washington, once in Beijing, and the Chinese suspended it. So now the two powers are not actually using the existing major vehicle that was set up by their leaders to talk to each other about security issues in cyberspace.

So it's my personal view that the US should not have issued these indictments. Actually, they are unprecedented in international relations, to indict sitting army officers for doing something. You know, these are not war crimes, right? Second, even if the US believed it was necessary to issue these indictments, the US did not warn the Chinese that it was going to take this action. So nobody likes a surprise like this.
And the Chinese view was, didn't we have this working group? Maybe you could have told us. You could even have brought the evidence there. We would have investigated it, so they say. And third, there's no immediate practical effect. These guys are, you know, mid-level guys, right? Captains and majors; they're not planning on travelling to the United States anytime soon. It's really a symbolic action, a public relations action. The issue really deserves more serious treatment than this. And you can't make progress on this or on any issue if you're not talking to each other, right? On the bright side, I would note that the upcoming visit of President Xi Jinping to the United States in September will create pressure for progress. Both presidents want to be successful. They have a lot of areas between the two countries where things are going well, climate change being the biggest one. But there's hope that there will be some progress in this area. And one of the areas is an area that I'll talk about a little bit later, which is incident response, cooperation on incident response in cyber.

So I'll talk a little bit more about some of the areas where I think that China and the US can cooperate. But to get to that, I want to address these six questions which you may have been reading here on the slide. And the good news for me is that these remarks represent my personal views, not the views of the US government. So everybody likes to talk about threats. That's a big thing. Of course, as you guys all know, really what you should talk about is risk. Risk is made up of threats, vulnerabilities and consequences. Threats have two factors in them, capability and intent. So if you keep that in mind, I'm really talking about risks here. But threat, of course, is hopefully my only bowing down to the hype thing. So let's talk about threats in cyberspace.
It's actually an easy question, what the biggest security problems are, at least from the US standpoint in cyberspace, because it was answered by General Clapper, the Director of National Intelligence, on February 26 of this year. And he says in the annual worldwide threat assessment of the US intelligence community, the unclassified version, that cyber threats to US national and economic security are increasing in frequency, scale, sophistication and severity of impact. The range of cyber threat actors, methods of attack, targeted systems and victims are also expanding. However, the likelihood of a catastrophic attack from any particular actor is remote at this time. So take it from General Clapper, the world is not going to end tomorrow. The assessment instead foresees an ongoing series of low to moderate level cyber attacks from a variety of sources over time, organized crime, nation states, non-state actors, which will impose cumulative costs on US economic competitiveness and national security. So this is worrisome for humans, who are really good at seeing if something is moving. That was really good for 10,000 years as we were out there as cave people. But things that move really slowly are harder for us to see, and this cumulative cost issue is serious.

And I would agree with General Clapper's assessment, but I think it's a little bit narrowly focused. So I think there are more complicated problems than just this notion of attacks in cyberspace. And each of these problems that exist in cyberspace undermines the stability and predictability of the infrastructure that all citizens around the world now depend on for many critical goods and services. I've listed four here on the slide: the inability of countries to respond to incidents across borders, which most cyber incidents do cross, to cooperate effectively on cyber crimes, to create norms and rules of behavior in cyberspace, and even to agree on the way that the internet will be governed and managed.
So I'm going to discuss these issues in some detail this morning to give you this background picture. The bottom line is, obviously, as security professionals, we have a lot of work to do to secure cyberspace. So what is the US doing? Or, as this question was posed to me by a Chinese counterpart: as the world's leading cyber power, how does America enhance her cyber security? As you know, in the US we place a great deal of emphasis on the responsibility of the private sector. We involve government in the economic dynamics of the market only as a last resort. We prefer to allow market mechanisms to allocate the creation and distribution of goods and services to the greatest extent possible. Historically, the US has followed this approach with respect to cyber security. For example, the US Department of Commerce last year released a cyber security framework, which explains to companies how they can better secure their systems. I'm sure you're all very familiar with it. And as you know, as a general matter, the framework is voluntary, not mandatory. Instead of requiring companies to comply with the framework, the government is expecting that market mechanisms will encourage its adoption. And that is already happening. Insurance companies, which you will hear about in the next panel, are starting to use the framework as a basis for evaluating the cyber security practices of companies and setting the price for insurance based on the extent to which companies are complying with the framework. So the problem in insurance, two problems: no actuarial data and no underwriting standards. The framework is becoming a piece of the underwriting standards in this area. So it's a useful market-oriented tool that can help. Similarly, large corporate customers of banks and stock exchanges are starting to require their banks and other financial service providers to explain their level of compliance with the framework.
So what has happened in the past is that people would send questionnaires; those of you who are old enough to remember Y2K, people would send Y2K compliance questionnaires to each other, and they were all different. So now companies are supplying each other with security questionnaires, and it's very time-consuming to fill these out, and they're all different. And so in the financial services industry they're adapting, through an organization called SIFMA, the framework slightly to make it more financial services oriented, but then they can use that to just say, here's my answer to your question. So it's kind of becoming a de facto compliance regime, if you will, voluntary. So it's starting to work. But there are critical areas of health and safety, such as the nuclear power industry, where the government already regulates cybersecurity. And this is the exception, not the rule. Those agencies have been asked to review their current regulations to see if they're as useful as the framework. If this voluntary approach does not work, I would expect we'll see a more regulatory approach over time. I'll talk about that in another way a little bit later. And as you know, that was all about private systems. For government systems, that's the responsibility of the Department of Homeland Security and of course of all the agencies, except that the military, NSA, is responsible for protecting the military systems.

So as we all know, there's a long way to go to defend commercial and government systems from attack. One change that we think would be helpful would be if the core technology that security professionals are trying to defend was more secure to begin with. So it was not really funny to say it's not a bug, it's a feature. So consistent with this market-based approach, one of our breakthrough groups is working on increasing the availability of secure ICT products and services. What a great cue for Andy Purdy to come in.
ICT, as you know, is information and communications technologies; that's the international term. And so we're taking a two-pronged approach to improving the market signals that are sent to the providers of ICT products and services. First, we're encouraging those providers to use recognized and proven international standards and best practices that improve product and service integrity. So we're telling the vendors they should build their systems and manage their configuration and programming and coding and personnel consistent with international standards and best practices, so that they bring up the level of technology that we all have to deal with and try to secure. And then second, putting some tools in the hands of the buyers, including the use of procurement practices that are founded on those same recognized and proven standards and best practices for secure ICT. This breakthrough group is being co-chaired by senior security professionals from Microsoft, from Huawei Technologies and from the Open Group, and Sally Long continues to be a major force in that work.

So I just talked about what's happening in the US, and earlier we talked about the Chinese, but around the world we're taking a national approach to improving cyberspace. Is that going to work? I mean, one of the interesting things about ICT is that it is not very respectful of boundaries, right? We're talking about boundaryless information flow, and it leads to the erosion of boundaries inside organizations and between organizations at any level. Inside many organizations people no longer follow the strict chain of command when communicating. They communicate directly with their peers, even if they're in another organization, or they'll skip over several levels of middle managers, sometimes annoying the middle managers, and send emails directly to senior management. This change in behavior is creating tensions inside organizations because old roles are not necessarily respected.
It can also make organizations more nimble, more agile, more creative. If you read The Innovators, it's a story about Silicon Valley, and this is the shift in organizational philosophy that created that Silicon Valley, and it is affecting also the structure of war fighting doctrine in the US military. So in real time the field commander is available to make decisions based on widespread information that was never before available, and the question of what those middle pieces of the chain of command are is a constant matter of debate. This lack of respect for boundaries inside organizations also applies between organizations and in particular between nations. Nations are struggling to maintain the old notion of national sovereignty in the face of technology that does not care about where it sends information. It would be overly simplistic to say the US position on sovereignty in cyberspace is clear cut. In some areas the US does exercise sovereignty, for example in the area of taxation of electronic commerce and important export controls. In other areas, such as the free flow of political opinion, the US is less interested in controlling what Americans can see on the internet, with the exception of child exploitation. But other countries have different approaches. Many countries, including China, India and Russia, see a threat to political stability coming from the internet and are working to limit the risk stemming from that threat. And in Europe there is increasing attention to this problem, particularly the use of the internet by terrorists. In this way the internet has become a proxy and a catalyst for a larger global conversation and for disagreements around political, cultural and social values. In other words, it's not about the internet, it's about the information. And here's a prime example.
Every June in Strasbourg, France, 300 police, prosecutors, judges, diplomats, attorneys and engineers from around the world come together to find better ways to combat cyber-enabled crime. I call it cyber-enabled crime because there's very, very little cyber crime. Most cyber crimes are just regular crimes, theft, fraud, destruction of property, trespassing, committed with electronic tools over the internet. It's still the safest way to rob a bank. But this year the talk in Strasbourg had shifted to a new topic, a new dimension: criminal speech. How to prevent terrorist recruitment and violence facilitated by the internet is now topic A among cyber cops, especially in Europe. In the shadow of Snowden's revelations it's a tough conversation. How much should the police be allowed to watch the people? Where are the lines between political speech, incitement of violence and propaganda? What responsibilities do powerful platforms like Facebook have? Today European legislatures are moving to pass invasive surveillance laws which history teaches will be abused. It took the US over 10 years to temper the most extreme provisions of the Patriot Act. Europe, the cradle of human rights, now must find its own middle ground while staying true to its values.

To help make that happen, not just in Europe but around the world, EWI is collaborating with a Paris-based organization called the Internet Jurisdiction Project. Our breakthrough group on managing objectionable content is focused on internet activity that is illegal in one country but not in another. So for example, it's illegal in France to advertise Nazi paraphernalia over the internet, but not in the US. As a result, normal criminal law enforcement-to-law enforcement assistance procedures between countries do not apply.
So when a person in France sees that kind of content using an internet platform owned by a US company such as Yahoo or Facebook, this leaves the foreign cybercrime investigator out in the cold, so we're working on procedures to make it easier to enforce local laws where the content is delivered, no matter where the provider is based.

So I want to step away from these tough policy issues for a few minutes and explore an area that I think can be helpful for anyone trying to explain cyber security to a non-technical person. We all have this problem with our aunts and cousins and nephews and grandmothers. And that is, of course, by using analogies to the physical world. This goes back to when Al Gore invented the internet and we talked about the information superhighway. But I've been using an analogy lately to illustrate similarities and differences between the so-called real world and cyberspace, and I'd be interested in your comments on this. I ask people to compare the security measures on a different network that they're all very familiar with, airline transportation, right? With security on the internet. I like the analogy because the size of the air transport industry and the size of the electronic data transport industry, the ISPs around the world, are roughly the same. But the value of goods and services transported on the internet is 100 times greater than the value of the racehorses and the shrimp and the flowers and the pharmaceuticals that are transported on airlines. Yet the security of air transport is way greater than on the internet. To get on an airplane, you need to prove who you are, and do a pretty good job of that. But on the internet you can be anyone from anywhere. You can be a dog. To operate an airplane, you need a license. But anyone can operate a computer. To sell an airplane, you need to put that equipment through rigorous testing and certification. Nothing like that is required for computers.
Then there's the International Civil Aviation Organization, which sets standards for and conducts inspections of air traffic control facilities around the world. So you have some confidence that where you land, the air traffic control facility is up to international standards. Nothing like that in cyberspace yet. And finally, it's illegal under international law to shoot down a commercial airplane. But there's no agreement about what kind of offensive actions are legal in cyberspace. I always ask questions about electronic gifts that I'm given. And so I asked at the front, when I was given this, whether this had been scanned for security. And the answer was yes, it's okay. We always try to give gifts that can be taken on the airplane. And I'm like, yeah, but what else is in here, right? So, well, the answer was, I hope it's okay. Be sure to plug this into your computer. So, I don't know, I'm just paranoid, you know?

Analogies like this can help analyze the problem and determine whether or not a different approach is needed than what we are doing today. There's another comparison, for example, that could be made, this time between cyberspace and outer space. In outer space, like in cyberspace, it's impossible to determine what is a weapon. Any piece of code can be used for good purposes, or it could be a weapon. Is that a maintenance port or a back door? A communications satellite may appear to be a peaceful device, but it may also be used to disable communications between the satellites of an adversary. And a peaceful satellite can be turned into a kinetic weapon merely by detonating it and creating space debris, which can put hundreds of satellites out of business. Because of this property of satellites, international negotiating teams have been unable to come to agreement on the definition of space weapons. There's going to be a similar problem in trying to define what is a cyber weapon.
And so, for that reason, the East West Institute has been advocating adopting limitations on targets and levels of effects from cyber attacks, rather than trying to control so-called cyber weapons. Last year, for example, we recommended that states agree not to attack civilian nuclear facilities. And this year, we expanded that regulation to include major attacks on stock exchanges, financial clearing houses, and the core infrastructure of the internet.

Okay, so I'm running a little long here. So with all these areas, where is there room for progress between the US and China and among nations generally? There's a serious lack of trust and confidence, so we need to work on improving that. I'm suggesting three areas. First, let's find ways to cooperate on cyber incidents. There's a bright spot in this relationship here in the China case: the Sony Entertainment hack was perpetrated by North Korea, but some of the servers used were based on Chinese territory. This did not make the Chinese happy when they learned about this from the US authorities. After the US authorities provided the Chinese with information, they took those servers down. So this could be expanded; this can be moved into a more standard way of approaching it. We have a breakthrough group on this, taking the work that's being done under STIX and TAXII, and not that these standards exist yet for incident response or incident assistance requests, but there are data elements in there that are standardized. And there'll be a form and protocols: what data elements would need to be sent from one CERT to another to get help, what's the expectation of how soon you will respond with an acknowledgement, what other kinds of things. The second area of work has to do with reducing the risk of cyber attacks on critical infrastructure. There's a group in the United Nations called the Group of Governmental Experts on cyber issues. They've been meeting about this.
They've agreed that the rule of law, which precludes attacks on civilian targets in regular space, applies in cyberspace. They haven't agreed what that means. They're going to make a report pretty soon. And we understand there are a lot of differences between the US and the Europeans on one side and the Chinese and the Russians on the other side about what it actually means, because of this question of sovereignty. So this lack of rules of engagement makes us think about trying to find where there is emerging consensus. A bunch of different organizations, NATO, the Shanghai Cooperation Organization, which is China, Russia, and some other countries, have come out with different codes of conduct about how people should behave in cyberspace. There's a lot of overlap in those. So we're doing an analysis of that and continuing to look at target and effect limitations.

The third area is cyber-enabled crime. We talked earlier about actions where there's no mutual criminality across borders, the speech problem, but most crimes are just regular crimes, theft and fraud, and organized crime, in fact, is using the internet to fund other activities, such as drug trafficking, weapons sales, human trafficking. So we have a 21st century crime scene, volatile evidence, wily attackers who change their identities daily, and yet we have 19th century procedures that require lengthy written documents to be exchanged in order to share investigative leads and evidence. Moreover, internet companies don't always make it easy for law enforcement to get in touch with them when they may have evidence in their servers. So we have a breakthrough group that's being led by the FBI, the European Cyber Crime Center, and a major internet service provider that's producing a standard form to request assistance, and also to come up with what companies should post and make available to law enforcement so they can get contacted easily.
So I want to conclude with some more philosophical remarks about the state of play in global governance and our approach to a broad range of security issues of which cyber is just one security issue. The world is becoming smaller every day, and as Adlai Stevenson said over 50 years ago, on the shrinking planet, we can no longer afford to live as strangers. For many in the world, including eight of the world's 10 most populous nations, the post-World War II institutions were formed without their real participation. These institutions, formed by victorious allied powers, have served humanity remarkably well for over 70 years, and in their current form they are losing legitimacy, and the breakdown in respect for the rule of international law is a symptom of an accelerating shift in the concepts of power and leadership. Chinese Premier Li Keqiang suggested in recent remarks in Beijing, reform is needed of these World War II institutions and greater voice must be given to the global south. In the United States we have our own governance crisis created primarily by our dear legislature and its inability to accomplish the basic tasks of government like enacting budgets and fed by an increasing partisanship with a loss of sense of common purpose. As the leader of the free world and the founding partner of the existing world order, America today retains a diminishing claim to moral and political leadership on the global stage, makes it difficult to have these conversations elsewhere, even while it remains the most sought after destination for immigrants from the rest of the world. Obviously technology is at the back of this, the explosion of transparency, stimulation of expectations of participation, its power to flatten organizational management structures and its ability to support collaboration across boundaries in a boundaryless way of all kinds. This democratization of information access is a direct threat to authoritarian regimes. 
They work hard to control its impact, we talked about that earlier, but it's also a threat to industrial age structures of any kind, whether private or public. A Chinese investment banker told me recently that the advent of smartphones has created 600 million citizen journalists in China undercutting the role of the Communist Party in reporting information to Beijing and supporting the anti-corruption campaign that they are going on there. One Chinese researcher told me that the erosion of boundaries means the only remaining potential enemy of the state is the people. Of course, it is important to note that the network can also be used to create a distributed control system that strengthens centralization of management. As the latest Russian military strategy states, this is typical bureaucratic writing, none of us are immune from this. It says, strengthening of centralization and automation of military forces and weaponry on the basis of transition from the old system of rigidly vertical command management system to global networked automated systems of management of military forces and arms. So strengthening of centralization through the global network system rather than rigid hierarchical control. This is like, wow. So how do we get there? Susan Rice commented last year that in Asia many of the most vexing challenges are transnational security threats that transcend borders, climate change, piracy, infectious disease, transnational crime, cyber theft, and the modern day slavery of human trafficking. For each of these, a patchwork of formal and ad hoc arrangements is struggling to address the risks. Yes, that's right. Yet these arrangements which supplement these industrial age institutions are key to the transition of the new order. And we need to continue to explore alternative institutions that can take the place of those that are proving incapable and to reform the ones that exist then. 
There's something called multi-stakeholderism which I don't have time to go into in detail. But we are in this position of transition. There's a famous writer from 100 years ago, named Antonio Gramsci, who Kofi Annan quoted earlier this year in a speech. And Gramsci, who was an Italian communist, said, the crisis comes when the old order is dying and the new order is not yet ready to be born. During this period, a number of toxic forms arise. So we see toxic forms like ISIS and other extremist groups arising in this place where we don't know how to get from the old order to the new order. We have a major rebalancing of power relationships, state-to-state, also state-to-private, especially in cyberspace, right? Cyber power among companies is bigger than many countries. And, of course, between individuals and state or any large organizations, that's a whole other topic for another time. In conclusion, I want to summarize briefly my point of view. Cyberspace is a critical area of human endeavor that underpins the global economy. It's therefore very important for it to be peaceful, stable, and predictable. As a retired Chinese major general told me, the current situation is like two people who are approaching each other on a road in the middle of the night. People cannot see each other well, so each is concerned that the other may be a demon, not a person. The general suggested that we need to turn on the lights. This means talking to each other, not remaining in our respective capitals and assuming the other side is a demon. Therefore, all of us here today should take responsibility for working to improve the safety and stability of cyberspace to make it an area of cooperation, not a source of friction. Thank you for your attention this morning, and I look forward to the discussion. Well done. That's scary and interesting. Would you like to take a seat? We'll try and get some questions. Jim Hightell of EPF Security and of our business team. 
Jim, if the big issue is risk, the security forum is doing an awful lot of activity on risk. Do you want to just give us headlines? We are. Is this on? We've standardised FAIR, Factor Analysis of Information Risk, which is a risk analysis methodology that helps you really try and quantify what risks you have in a given cyber threat scenario. We're also doing a certification program to certify professionals to that standard. So it ties right into what you were talking about. It might tie into the next presentation because a lot of the uptake on the risk analysis framework and so on is from insurance companies. Insurance companies and financial services organisations seem to be at the forefront of trying to understand what their cyber threat environment really looks like, how much risk they have and where to apply their resources to mitigate risk. Very cool. Thank you. So what's the first question? First question, the statement harmonise emerging norms of behaviour really seems to be the crux of the problem when it comes to global cyber security. You've got nation states and cyber criminals operating in parts of the world where those norms of behaviour aren't the same as ours here. Where do you see progress unfolding in changing norms of behaviour and getting those areas to really conform to the rule of law to change the threat environment? So thank you for that. I think in a lot of these tough situations you've got to start small with small things you can do. There are situations where both sides are experiencing intrusions and attacks and can help each other. So the example I gave about Sony Entertainment's example. So one of the norms that's emerging is that countries have, there's like three pieces of it, countries have a duty to control and correct security issues in their own countries. So if you have a server in your country that's spamming or attacking somebody else, you have a duty to shut that down or manage it in some way. 
Second, you have a duty to assist another country who asks for a request. And third, you have a duty not to attack each other's CERTs. So those are three areas which Secretary Kerry mentioned in a recent speech in Seoul and are also similar to some of the things the Russians and Chinese are saying. So there's an area where, okay maybe we could get something going there and build trust. It's really a lot about confidence building measures. There's also an interest in not attacking each other's nuclear facilities. So that I think is another area that's possible and a third area might involve the core critical infrastructure of the internet itself. But again with those kinds of international agreements, the enforceability is always a problem as it is with any kind of treaty or agreement like that. Okay, so second question. What is your take on the actors and motivations behind the large scale health insurance breaches that have surfaced recently? There have been a number of them. Is the Chinese government involved? Who is involved and what is their motivation? Yeah, so I actually don't know the answer to that. So I think there's a whole lot of possible things. Most of the personal data breaches have been exploited in the past anyway by cyber crime organizations who use that to do identity theft. And most of those organizations or the most powerful of those organizations have at least to date been based in Eastern Europe and somewhat connected somehow or another with the Russians. But in these particular cases, attribution, although attribution is always tricky and some actors are very skillful at making it look like it comes from someplace else, as we all know that can be done. But attribution actually is getting less tricky. So I think this idea, just to comment on that about what we can't attribute to it is, I don't think that's true anymore. 
I think a combination of things that we can know by looking at the attacks and other environmental situations around it. So I'm not sure what the motivation would be, but that's historically been the motivation for these kinds of attacks in the past as criminals. So a lot of what I understood you to say was very bilateral, US-China. I was using them as an example. And the airline analogy, they use international standards. It's the same standard everywhere, isn't it? Right. So when we're talking about these things, to what extent are any agreements between US and China able to be spread out to other parts of the world? Well, that's really interesting that you mentioned that, Alan, because of course the way that they use the same standards in airline manufacturing and things like that is that they require, the Chinese require anybody who wants to sell aircraft to them to build part of the airplane in China and there's a technology transfer that occurs and stuff like that. So I think the US-China relationship is a unique case in so many ways, but I do think that where the US and China or where the Europeans and China can get some things going together that will have a tendency to start setting de facto standards. Right. Is anyone here from France? You want Eric? Bonjour. Bonjour. I was just thinking that if we get a nice agreement between the US and China, are the French just going to go along with it? Or are they going to want to... They never do, do they? And we've probably got about 23 different nations in here. That's great. And the whole idea is to get it close together. The device that you had, that's a great example of where we should be focusing global standards on accrediting the processes that develop those, and that's the work that Sally's group is doing. I'm so glad you mentioned that because... But you used the word that I think is so important in this question about certification accreditation, which is the processes. Or as we would say, processes. 
I get confused on which side of the Atlantic I'm on. That's well. It's a global world. Because we've already done that in the US in food inspection. We no longer inspect every carcass coming across out of the meatpacking plant. It doesn't have that USDA stamp on it anymore. What we do is we have a whole complex certification of the processes and how the cleanliness and the chain of custody and all that kind of stuff and those kinds of things in supply chain and other things are going to work much better than trying to certify products which by the time you get them certified will be one and a half generations out of date. Which is the value of this relationship we have. Jim. So what is the US doing? What is the difference between regulation where critical or necessary and protectionist measures against non-domestic suppliers? Ah yes. So this is the use of security as a non-tariff trade barrier as we say. And both the US and the Chinese can be for example and others, the Germans now also could be accused of doing this formally and informally in some of their buying practices. And my view is in general that the security element of this is more of an excuse for a protectionist measure. But it's hard to get to the bottom of these things. But if you look at them, so rather than try to defeat that assumption so to speak and say that no really, it's not necessarily more secure to have your information processed and stored by Deutsche Telekom than it is by Alcatel or other European service providers or American service providers just because it's a German company. And that's the work that we're doing in the breakthrough group on secure ICT is saying look people should be able to buy products and services from wherever they are as long as they get the most secure ones that they are. How do we know which are the most secure ones and then going down that line. 
I want to undercut the ability to use that as a trade barrier, security as a trade barrier through transparency and that kind of thing. So regarding your comment on software defects, do you see the value of enterprise event correlation that is software facilities, SIEM and data center infrastructure management as a mechanism to secure enterprise to enterprise government to government operations? So I'm sure there's a proprietary version of that question, right? But I think big data. No, never not. That's right. Anyway, I think that's right. Yeah, absolutely. We have to use the data. We're generating so much of it. Event correlation has got to be a big part of it. The more advanced security platforms are not mostly about keeping stuff out. Yeah, you have to keep stuff out but it's mostly about dealing with the stuff that you don't keep out and how do you spot it and fix it and clean it fast and then put those signatures in real time out into the firewall again so that you're not having to clean it again. So when you mentioned earlier about the internet companies don't make it easy for you to get in touch with them, I was sitting there imagining you say, oh, we've got a problem. Got to contact us, fill in the form. You don't really do that, do you? Well, so you don't do it that way actually in law enforcement side of things, right? It's much more informal than that. You make phone calls and deal with stuff like that. But if you don't know who to call, it does create a problem. You stop there. Okay. So last question, is it possible or I'll add advisable for the US to control cyberspace or should we establish a NATO-like consortium to control it? Ah, controlling cyberspace. 
Well, so there's different parts of cyberspace that when you take us controlling it, it's a very broad topic, so we explored some of those issues today, and who, does that mean controlling the information that flows or are we looking very narrowly at the question of who controls the internet naming and numbering schemes and make sure the root servers are up and kind of the basics of it and that, gee, if it's about crime, maybe we should have Interpol deal with the crime part of it rather than create something new. So there's this question of which institutions to use, and there's also an issue about whenever, if I were to ask this question in Washington, they would like go, no, no, don't ever say the words control cyberspace or govern cyberspace in the same sentence. You know, internet, yes, can be managed, but you know, it's free, it's free. So that's one part of the question. So is it advisable? Well, that kind of depends. Second is the, you know, is the US, so the short answer on the US thing is no, that doesn't work anymore. So we have this thing, the US promotes a lot called multi-stakeholderism, which is about having not just governments at the table, but companies who are major cyber powers and of course civil society, so that's all good and we should use that to make the internet, you know, good for everybody. But what other countries hear when you say multi-stakeholderism is, oh, continued domination by US technology giants. So we're kind of, you know, the US is kind of in a bad spot for, I mean I can never forget the comment of the former Indian, she was still then the Indian Deputy National Security Advisor who said to me in a meeting in Delhi when I was still at Homeland Security, she said, you know, thank you so much to the US for bringing us this global resource of the internet and now I think it's time for everybody to manage it together. 
And so I think it has to be done together, I therefore wouldn't use a NATO-like example because that still is, you're still in your western alliance and the Russians and the Chinese will say, well we have the UN and the Americans are like, the UN is too slow and pondersome and besides one country, one vote, you know, doesn't work necessarily either, but there are some interesting structures inside the UN that are more agile and stuff. So there's something there. Yeah, I was going to ask a question about the UN because there's been very little visibility of them recently. So are you working with them at all? Yeah, so they have this group of government experts I mentioned, that's one thing. So there's a group in, that's part of the UN system called the International Telecommunication Union and it was founded almost, I think, 100 years ago. And maybe more. Anyway, it sets standards, you guys all know about it, for telecom standards. It also helps promote access to technology around the world. There was a brief flurry of activity about two years ago when there was a fear that the ITU was trying to take over the internet, sort of like the FCC. But that has died down, I think, and so it's not. But there are other UN organizations that maybe could be adapted to do this. I mean, I talked about the International Civil Aviation Organization. That's within the UN structure also. So there is some hope, but it's very slow. And that's why I say we have to get these problems solved more quickly, including planetary overheating, including terrorism, including pandemics, including migration. You know, we need something that moves faster than state governments, I mean, national governments and the UN. We need more agile forms of governance that use the network to make it work. So we don't know what those are yet, but we have to find those. Yeah, and we've got to move fast. 
Laws have always been behind new crimes, but things are moving at such a pace now that we need something that perhaps government is just too slow to do anyway. It could be. Jim? Good, good. So, yeah, that was fascinating and scary at the same time. Well, good. That's a good mix, I guess. I'm really pleased about the work you're doing. There's so much. It's not just what we hear on the headlines about Snowden and things like that. There's the grooming of young people for terrorism. There's terrorist activity. There's organized crime. There's everything going on. And I guess that, you know, working together with more organizations, we can do an awful lot. One final comment on the ITU. They did invite us, OMG, and a lot of other organizations to Geneva a few years ago and said, we're going to take over everything you're doing. That was fun. Thank you very much. Thank you.