Welcome back, everyone. It's a pleasure to be here with you all, and thank you to New America for inviting me. And it's my distinct privilege to moderate or discuss with Minister Marina Kaljurand her approaches and views to the cybersecurity issue that she's been helping lead at a national and global level for several years. You have her full bio in your book, but let me just hit a couple of highlights. Within Estonia, she served in their foreign ministry for many years, including as ambassador to both the United States, also Canada, Mexico, and interestingly, ambassador to Moscow during the 2007 time period during those cyber events. Secondly, she ended up also serving as their foreign minister from 2015 to 2016. On the international stage, she's been Estonia's representative to the United Nations Group of Governmental Experts twice, I believe. And she is now chair of the new Global Commission on the Stability of Cyberspace, which we'll be discussing a little bit as well. Equally important, though, I'd like to point out the symbolic role she's had. A female leader on the global stage of a predominantly male-dominated industry or sector, and also a champion of the multi-stakeholder approach, realizing that governments alone aren't going to be solving this problem. So I'd like to jump in. And first, let's talk a bit about the geopolitical and diplomatic side of things. Estonia is a very technologically modern country, perhaps more so than most countries, even the United States in certain ways. So if you could share a little bit about what you've all accomplished in your country on the commercial, economic, and the political side in cyberspace.

Hello from me. Sean, thank you very much for the very kind introduction. But to start with, I'd like to say that this conference is already unique. You remember what Anne-Marie said at the very beginning. In the first panel, four ladies, all the discussion so far, at least one lady discussing, so congratulations to New America.
And I feel it's the first time I'm speaking here. It's the first time I'm invited. Very happy to be here. Yes, I come from Estonia. As we say, e-Estonia, what are we known for? Small country, one street in Cairo, 1.3 million, size of a country club. But we have had the privilege of enjoying e-lifestyle now for more than 20 years, e-lifestyle. With about 2,000 internet services, I'll bring an example with digital signatures. With a population of 1.3 million, so far, we have given 250 million digital signatures. What does it mean for a country? Experts say that we save 2% of GDP. We are NATO members. We are committed to 2% of GDP. We are fulfilling our commitment, which means, in principle, defense comes free. We are very vocal in supporting digital market, digital exchanges in Europe globally. And we also understand that e-lifestyle makes us e-dependent and also e-vulnerable. That's why cybersecurity has been high on the agenda of the Estonian government since 2007, to which maybe we'll come later. Yes, we are paying much attention to that. Another specific factor, which is very specific for Estonians, I was listening to the panel with Christy and others talking about private sector involvement. We understood it already in 2007. If we want to be successful, we need private sector, we have to cooperate with private sector. It's a two-way street. So, as I say, the geeks whom government can never afford because they are so expensive, are working free and doing their job free for government because they want. They want to have the same exchange of information, they want to be in the same loop of information, they have security clearances, and it's a real and true partnership. Governments can't do anything in cybersecurity without the support of private sector, but also other stakeholders, academia, civil society. And to just maybe one of the final points I'd like to make, we are the first country in the world to introduce internet voting. We've been doing it since 2007.
Nobody, nobody has so far proved that internet voting is less secure than traditional voting on paper. And when I see that governments in Europe step back on introducing internet solutions to their voting, it worries me. Because we shouldn't step back, but we have to do what we are doing and we have to do it even better. For example, when Estonian people were asked after the presidential elections in the United States, do you trust internet voting? Do you want to participate in internet voting next time? The answer was yes. And it is the obligation of government to make it secure, to have secure authentication, and we want to participate in internet voting. So today, the average of people who do it via internet is about 30%. We thought that we'll be able to engage more young people who are maybe not so politically savvy as they are tech savvy. In real life, the biggest group who is internet voting are women of my age, 55 plus, because we just don't have time. We do internet shopping, we do internet voting, we do everything on internet, we don't have time. But anyway, 30%. And it breaks the stereotype that internet or e-services are for young, savvy, IT guys. No, my mother, 92, is Skyping and doing all her bank transactions via internet. So it's the role of the government to give the opportunities, but also to provide security and to have all-nation approach to cyber.

Let's stay on that topic of elections and voting for a second. Obviously, that's been a big issue in the United States media and politics recently. And who better than Estonia with your large neighbor? You yourselves were formerly part of the Soviet Union. What can you share about your perception of Russian methodologies and objectives in cyberspace?

Well, first of all, Sean, please let me return back to 2007. 2007, what happened in Estonia, it didn't happen for the first time in the world. There were cyber attacks before that. There are going to be cyber attacks.
After that, cyber attacks are a new reality. But what made 2007 special was the fact that one country used ICT attack to influence politically another country. After that, it was followed 2008 in Georgia, cyber attacks and kinetic attack. Then it was Ukraine and so on and so on and so on. So that was the wake-up call. Is it something new? As I said, no. Are information operations something new? No, they're not. We've been living in that neighborhood and we've been living under those influences now since regaining independence in 1991. We have to be aware of that. But we shouldn't, as I said, step back. But on the contrary, stepping back makes us weak. Stepping back makes us seem weak. On the contrary, we have to pay much more attention. We have to put more financial resources. We have to be resilient and we have to have serious deterrence. Many people are asking, how come Estonia, 1.3 million country club still going around the world and speaking about internet services? How come you haven't been taken down? I don't have an answer. But I think that one of the factors is that it's too expensive for those that deterrence is working. It's too expensive for the bad guys to attack or to take some of the systems down. So far, we've been lucky, all of us. So far, maximum what we have seen has been disturbance, stealing of business secrets, economic espionage. Nobody has died yet. Nothing has been destructed yet. But we have to be prepared for that. What's the aim of Russia? I'm not going to speculate about that, but I can just say, read their strategies. It's out there. If information strategy says that the biggest threat is coming not from terrorists, but is coming from some countries who try to influence youth or who try to undermine the historical and ethical values of Russia or who try to change the system of that country from inside involving different organizations. Just read the papers. The aims are there. And we have to live with that.
And we have to deal with that. And we have to answer to that.

OK, so you've shared a couple of thoughts about Estonia, your progress, and also some of the vulnerability. We've talked about one of the threat actors. I want to stay on the idea of solutions. Expanding to the regional look, NATO or the EU, but NATO is a defensive alliance. As a small country, do you see NATO as a source of protection in cyberspace with the capability and the political will to protect against adversaries, whether it's Russia or another entity?

I think that a lot has been done. If I look back, we joined NATO 2004. 2004, we joined both EU and NATO. And when we were then talking about cybersecurity in both organizations, nobody was listening to us, nobody. They were not paying attention to us. I can see that since 2007 it has changed. And if I look at the recent NATO summits, the one in Wales and the last one in Warsaw last summer, I would say big progress has been made. NATO is taking cybersecurity seriously, but all allies also have to do that. When Warsaw declared cyberspace as the fifth domain of operations, it means obligations to allies, to protect, to defend, to pay attention to their national cybersecurity, which means also paying attention and protecting and providing NATO's security. Yes, there are good, I think that there are exercises which are taking place, psychonexercise. And for example, the last exercise in Poland, Anakonda 2016, those were good exercises. And we can see that cyber is becoming more and more part of NATO's planning processes and operational processes, which is very good. NATO has understood that the domain is here to stay. And the better we defend ourselves, the better we are prepared, the better it is. Just jumping back to 2007, during the attacks to Estonia, which were DDoS attacks, which were disturbing attacks, there were some speculations about triggering articles four or five of NATO.
We discussed that internally, and we decided not to do, not to trigger consultations, not to trigger collective defence, because as I said, the attacks were disturbing, but they didn't destruct, they didn't kill anybody. They humiliated our society. Some private banks were taken down, some as we call our monumental websites, Ministry of Defence, Prime Ministers, Chancellery were taken down. But after that, NATO discussed it. And NATO has made it very clear that attack could come from different means, what is decisive are the effects the attack causes. So do not exclude answering militarily to cyber attacks. And that's important. I'm not warmongering here. NATO is a defence organisation, and the main role of NATO is to have serious deterrence. Serious defence, serious deterrence. And here I see positive steps taken. And needless to say that of course we're very happy and proud that the NATO Centre of Excellence on Cyber Security is in Tallinn, which is a think tank type, not operationally tied to NATO, but is a very good think tank, so go to the website.

If you'll allow me, I want to explore a little further on the NATO discussion and triggering articles for collective self-defense. It's a question I would get asked many times in my former role as National Intelligence Officer, what would it take to lead to a military reprisal or considering an act of war? 1941 and 2001, the United States lost roughly 3,000 lives, and those led to very substantial war efforts, decades long in the latter case. From an Estonian viewpoint, 1.3 million people are saying, what level of property damage or what number of casualties do you think would be that threshold? Any thoughts, any discussions in the groups you're in?

Of course we're discussing it, but it would be very wrong from my side to say that, let's say, that amount of people equals this article, that amount of people, death of people equals that, that's not so simple.
Article IV, Article V, these are always, always political decisions. You referred to 9/11. One day before that, nobody in NATO thought that a civilian aircraft could trigger Article V, it did. So, one part is attribution, one part are the attacks and effects, and then comes the political level. And political level is much, much more complicated, has to take into account all the circumstances, and as you know, NATO is working on, it's a consensus-based organization, so there has to be consensus among 28 allies. But I think that if needed, the consensus will be found. I'm not going here to mention any thresholds, but yes, as I said, also going back to our considerations, we don't think that disturbing is something that triggers Article V, which humiliates the country, maybe humiliates our cybersecurity people, which is disturbing for our people. I think that two days without banks will have the same effect as one centimetre of snow in New York, so we're so used to online banking, we don't have cash, so it's really disturbing to the people. But that's definitely not an effect to consider even, triggering Article IV or V.

Okay, we've been focusing a bit on the attack and the response, so the dark side. Let's talk about prevention and norms building. UN Group of Governmental Experts. The current one is due to, hopefully, produce a consensus report this summer. You've been participating, and we'll all recall that the 2013 and the 2015 reports confirm the applicability of international law and UN Charter principles. They raised some particular norms that they articulated in the 2015 report. But how is the GGE doing on explaining the applicability of international law? Do you think we should be expecting any detailed implementation suggestions or any new norms in the upcoming report?

It's a very good question. Yes, it is the fifth GGE, and I have had the privilege to be in the fourth and in the present fifth one.
Before I go directly to your question, I just want to explain that GGE is a group of governmental experts from 25 countries. It can't solve the problems that we have in real life. In real life, there is an ideological battle between groups of countries, like-minded countries who see the benefits of the use of ICT for society, for economy, for education, for people, for culture. And on the other side, there are countries who do not see the benefits, but rather see the use of ICTs as a threat to their countries, to their societies, to their cultures. So the same ideological battle happens also when we discuss cyberspace. Also, GGE will not be able to solve the problems that are not solved in international law so far. Definition of terrorism, we will not be able to agree on definition of cyber-terrorism, and so on, and so on. So we have some limitations. But what is important, it's important to discuss international law, especially coming from a small country. For us, international law is the frame of sovereignty. We respect international law. We are not in a position to change international law, like some countries are doing. For small nations, for small countries, international law and norms are security, predictability, sovereignty. So for us, international law is extremely important. But again, there is a division. Countries who agree that international law applies beyond UN Charter, humanitarian law, law of armed conflict, and there are countries who try to say that cyber is so special, so unique, we have to start writing new laws. And that's something I don't agree with. Being in the system of international organizations, you know what writing a new treaty means. It means that after 10 years of deliberations, you're still in the first article in definitions. So sometimes those who are vocal for new laws just don't want to look into what we have today.
I don't exclude that at some point, we might come to saying that yes, we need some additional pieces of international law. We might come to that point, but let's look what we have. Let's start applying what we have. It's much more difficult. Jurisdiction, so simple in real life. Jurisdiction, cyberspace, much more complicated. But it doesn't mean that we shouldn't discuss and talk about that. The result of the GGE, again, can't run too far. I very much hope that there's going to be a report. I very much hope that it will be balanced. We will have international law, we will have norms of responsible state behavior, capacity building, confidence building measures. As you can imagine, two last parts, capacity building, confidence building, much easier to discuss, much easier to discuss than norms of responsible state behavior, but they have to be there. And the aim of the report, if we reach it in June, will be to clarify what we have said so far. But I'll stop here. I don't want to speculate because maybe it will be a great success and we'll come up with some good interpretations of international law.

Well, fair enough, I'm sure we're all looking forward to seeing that product this summer. We're definitely gonna have time for Q&A from the audience, but I want to go away from national governments and international institutions from it. I want to go to the non-governmental. Most of you have probably heard of the Tallinn Manual named after the capital of Estonia. Version 2.0 has just come out. That's an academic work coming out of the Center of Excellence, NATO Center of Excellence, based in Tallinn. But it's an academic work, which to my knowledge, no government has officially accepted yet. And in fact, there are some governments in the Eurasian area who have specifically said they don't subscribe to the principles that have come out.
But I think it's a very important and illuminating academic work because it not only talks about proposed principles and norms and interpretations of law, but it tries to give concrete use cases of how those norms would be applied. Curious if you have any comments about the utility of something like the Tallinn Manual and is it helping or hindering, for example, the GGE process where you have radically different views represented?

Again, I'm biased because it's the name Tallinn Manual, yeah? But I'll try to be objective. It's a deliberation of 20 best experts of international law. They didn't agree on everything, but they agreed on interpretation. So I think that some of the points or some of the articles they are interpreting are really useful, really good. 600 pages, yes, I'm a lawyer by education, but it will take me lots of time and effort to read it and I'll need assistance from those people who can explain to me what's written there because it's a pretty complicated legal text. So I don't want to ask the audience to start reading Tallinn Manual, but I think it's a good manual for policy makers and legal advisors. Legal advisors of ministries of defence, foreign affairs, White House should look into that Tallinn Manual and should see themselves if there is anything they see useful because through state practice, we start implementing international law. Through state practice, we move to a new stage to the political level. Experts, lawyers have spoken, it's now up to politicians to start looking into the provisions and taking on board what they like and saying very clearly what they don't like because I don't think that there is any country who agrees to everything what has been put on the table by Tallinn Manual, but it's a good start to continue, to be continued by politicians and political level.

Thank you. I've got one last topic I want to discuss with you.
Audience, please think of your questions and even raise your hand to get microphones because we're going to go to you and a couple. But you've got a new title, chair of the Global Commission on the Stability of Cyberspace that was launched at the Munich Security Conference. Tell us a little bit about that role and your hopes and objectives for that process and for full disclosure, I have the pleasure of supporting that effort as chair of the research advisory group. But what do you hope to lead that effort to achieve?

And we are really lucky and happy to have Sean chairing our research group. Well, yes, I was approached by Dutch government to chair the Global Commission on the Stability of Cyberspace. It's a multi-stakeholder platform consisting of 24 commissioners coming from governments, from private sector, from academia, from civil societies. We are aiming at influencing policies and influencing policy makers so that they will work towards creating stability in cyberspace. What does it mean? It means that we all can use and cyberspace and internet are available to all users. Very simple, very easy. So we will be working on policy recommendations. Most probably we will be working on some norms of responsible state behavior. So the target, of course, is a state. The states are the ones who implement international law and who set the rules. But as I said, can't do without other partners. So it's a multi-stakeholder approach. And we will have our first full commission meeting in June in Tallinn. And after that, we will not disappear for three years. We'll keep you informed about our deliberations, about our discussions. So again, I can say, please stay tuned and visit us on cyberstability.org. And my question to you, Sean, what do you think about it? What are your expectations supporting the commissioners?

Well, let me start with what I like the best about it. I think it has very broad geographic diversity in the commissioners.
And I know that was something that was very intentional.

From Berkeley to Beijing.

Yes. I also think it has very good representation across gender and different, I'll say, economic focus. We've already had discussions about the global south. And that some of those things need to be discussed as much as the high-level geopolitics. So I'm very pleased to have the chance to support that effort. And we're going to have our four tracks of legal, technical, internet governance, and international peace and security as research tracks, taking the comments or recommendations from the commissioners, and soliciting and commissioning input from the global multi-stakeholder group. So I'm hoping that I can help facilitate the commissioners' efforts towards exploring some of the topics that we've seen discussed, whether in Tallinn Manual or GGE Reports, and try to get to some of that level of granularity and specificity to actually make a difference in solving some of these problems. And again, at a global collective way. So that's what I'm hoping to experience and contribute to. I don't know if you have any further last comments on the commission or its structure or anything you want to share before we go to the audience.

Just very briefly, yes, so far we haven't had full discussions of the full commission. But the discussions we have had, a couple of smaller group discussions, yes, we see the topics of concern to government representative, private sector, so I'm sure that we will come out with topics that are of interest. And we are not going to replace any international organizations, any platforms. As I said, it's complementary. And of course, I'd like to recognize the Dutch government. I don't know whether anybody from the Dutch embassy is here, but the Dutch government is paying much attention to international law, cyber security. They are doing great projects, and they are supporting financially great projects. So I'm really very grateful to them.

Well, thank you.
Hopefully that's given a little bit of discussion across a range of topics from Marina's viewpoint. I'd like to invite questions from the audience for the minister, if anyone has one. Harvey, you can talk loud, so go ahead from the front, and then there's a hand up on the left over there as well.

Thank you. Harvey Rishikof, hold this, that's OK. Harvey Rishikof, I should full disclosure, I'm a New America fellow, but I'm with the American Bar Association. And I guess I know you both quite well. I guess my question is, given all the international organizations that are working in the cyberspace, what do you see as the three main goals you would like to achieve in the near term, and what you see as the major obstacles to achieving those three critical goals so that we can sort of evaluate where you're going to be going with your organization. And then the last sub-question is, should there be a norm for men's socks on these international?

Just to clarify, when you say achieve, you're talking in the context of the commission. OK, that's over to the chair of the commission.

Oh, Harvey, thank you for the question. I think, again, maybe it's too early to speculate, but I know what we're not going to be. We are not a development cooperation organization. We are not, maybe, we will be dealing with raising awareness about cybersecurity, but not educational organization. So what I want, I think we can succeed if we come up with norms. I'm a norm person. I'm a law person. I'm a norm person. For example, if we can suggest to states something on protection of some part of critical infra, let's say, financial systems, norm not to attack financial systems. Here I'm very practical. That was a norm that Estonia proposed to GGE in 2013, coming from the same 2007, when our financial systems were attacked. And that's something where I think governments and states can find common language, because it's in everybody's interests.
Everybody agrees that financial system is the backbone of each and every economy. So maybe in that field. But I'm not a technical person and we're going to have four different spheres. So I don't want to influence the research advisory group so far and so strongly, but that might be my personal interest.

And I just want to underscore, the research advisory group are my role and the deputy chairs. We are not going to be doing the research. We are going to be helping marshal the resources from multi-stakeholder, industry, academia, think tanks from many countries all around the world. We are a facilitative, coordinating effort, along with the secretariat who's directly supporting the commission. So there's not going to be an insular internal research effort. It's going to be an outreach effort. Second point from one lawyer to another will take under advisement. Gentleman on the left.

Hi, my name is Patrick Maldrey. I recently joined FireEye and worked here on cyber intelligence there. As a proud member of the Estonian Defense League Cyber Defense Unit, private sector individuals even across the ocean can contribute to Estonia national security. So I'm happy that you mentioned that. But my question is about deterrence. I thought it was an interesting comment that deterrence has been working so far. We had a report recently released by the Department of Defense, Defense Science Board, if I remember correctly, that dealt with this exact topic. And Estonia, for example, is creating a cyber command. Many countries are developing and formalizing their offensive cyber capabilities. Some talk is bubbling up about a NATO cyber command sometime in the distant future. I'm wondering what both of your thoughts are about the role of deterrence in future strategic stability. Thank you.

Yes, Patrick, thank you for a question. I can only say what I said that NATO is a defense organization. It stands on deterrence. If deterrence is not working, it will be already a failure.
So deterrence is important, resilience is important. And it has to be strategic and it has to be serious. So that those who are looking at what we are doing in defending and deterrence believe in what they see. In some of the countries they want to see, they don't believe unless they don't see our policies, our commands, our concrete measures. So deterrence, for me, it's crucial.

My only quick thought on that would be the United States Director of National Intelligence Worldwide Threat Assessment to Congress in 2016 and 2015 basically said that deterrence wasn't currently working in cyberspace, pretty clearly. And what I've been intrigued by in the last couple of years is the number of governments who are starting to publicly discuss offensive capabilities. We heard it from UK minister. We saw it now in France's cyber strategy. And I think you're gonna see a little more open discussion of offensive capabilities from some other countries in the near future. Maybe that's an effort towards deterrence and maybe it'll have additional success. I think we may have time for one last question and please very quickly. I'm getting the stop sign from the back, so. Christy was in the back first. Oh, I'm sorry. It's okay. Okay, thank you. I'm sorry, I didn't see your hand earlier.

Hello, my name is Stan Byers. I actually used to work in this building with USAID and then at the NSC on more traditional stability operations. But one of the things I've been looking at more recently is this overlap between what's happening in technology and developing countries and how these are changing. And part of my question is, what do you see as the trends as maybe half of the world that doesn't currently have access to internet and advanced technologies moves into that space in the next 10 years in a very short timeframe? And is that part of what you're looking at? And how do we need to think about that? Thank you.

Well, thank you for the very good question.
First, I'd like to refer to the World Bank Report. It was World Bank Report 2016 Digital Dividends. I think it made very clear where we are today and how the countries who are using ICTs can benefit from the use of ICTs. Now, as to the developing countries, when I said there is an ideological battle, then I think it's very crucial to engage them, to involve them because they will decide the future of internet and they will decide the future of cybersecurity, whether they will trust us who are supporting the use of ICTs or they will prefer not talking about human rights, not talking about freedom online, but prefer the positions of the other group. So they are the swing states and cooperating with them is crucial. And now coming back to my country, I can say that the majority of our development cooperation is aiming at introducing e-services. E-governments, e-services showing in practical terms how a society can benefit from using ICTs. So even if we don't use the word corruption and we don't use the word democracy, all these steps are in the direction of democracy and less corruption, you can't bribe a computer. So I think that we all have to understand that developing countries will play a crucial role but they have to be equal partners. It's not like we go and tell them what to do, how to behave, they have to have their ownership and they have to be equal partners in the development.

Well, thank you very much. We could obviously all benefit much more from the minister's insights on many more topics but alas, we're out of time. So please join me in thanking Marina Kaljurand and best of luck with the commission. Thank you so much. Thank you.