 Heather Conley, I'm Senior Fellow and Director of the Europe Program here at CSIS and on behalf of Jim Lewis, the Director of our Strategic Technologies Program, we're delighted you're here. We know you're a hearty group because it's very cold outside, so we hope you have your coffee and are beginning to thaw a little bit and ready for, I think, a very important and rich discussion about transatlantic cyber security. Very briefly, a little over two years ago, Jim and I submitted a proposal to the EU delegation, European Union delegation here in Washington, to think through a transatlantic cyber security dialogue. In November of 2010, a US-EU summit had put forward a project, a transatlantic approach on cyber security and cyber crime. A year later, in 2011, a US-EU working group was created to think through some of those challenges, and we thought the think tank community, that track two effort, needed to help think through some challenges, some opportunities in this space. So as we began our project, what became very clear is that we needed to operationalize those transatlantic values that we talk about so much. Here was an opportunity to look at norms and values and international agreements and see where cyber security could be placed within that context. How do we think about that? And in some ways, as we went through this project and different international events and opportunities, we understood that those Western values in some ways were being challenged by codes of conduct, by other emerging powers who wanted to have a say in how cyber was thought about and constructed. And so we began this journey with a conversation in Brussels in February of last year. And as we began to plan for the conversation to take place in Washington, two words entered the cyber security space that no one had heard of before. Those two words were Edward Snowden. 
And in some ways that provided us a very important opportunity, both a challenge and an opportunity to look at those transatlantic values and see how they can be used here. So it's been a fantastic project. We are so grateful to the EU delegation for providing us very generously with the funding to roll up our sleeves and look at this issue. There are many people in this room that have contributed to this conversation to our wisdom and knowledge as we approach this subject. And so we thank you. I could not have done this at all without my true partner in crime, Jim Lewis, who is really the brains behind this operation. But I also want to two special words of note. Yeah, that's a that's a wind up for you, Jim. Francois Rivasseau, the deputy head of the EU delegation here, has been a colleague and again, providing incredibly rich insights. Francois spent most of his time in the disarmament security and multilateral universe, which was absolutely perfect because that's where we wanted to think through cyber in this space. And then we have also with us Tom Dukes, who's the deputy coordinator for cyber issues at the State Department. Tom's boss, Chris Painter, has been an instrumental voice and thought leader in this project. He could not be with us. But Tom, we're so grateful to you and the assistance that you've provided us to this project. So as we begin, Jim's going to give you an overview of the work we've done over the last two years. Then we're going to turn to Francois for some reflections about that from the European Union perspective. And then we'll turn to Tom to give us his thoughts from the State Department. And then we're going to shush, as my mother would say up here, and turn to you for some questions and answers. We have a good hour of discussion. We hope everyone will fall out by that point and then hopefully continue on this good discussion. So with that, thank you so much for being here with us and Jim over to you.
Thank you, Heather. 
And let me start by saying we've had two roundtables as part of this project, one in Brussels and one in Washington and many interviews, including with some people in the room. And so we're very grateful for their assistance. And I don't know if Bob Pollard is here, but oh, there he is. Oh, Bob, of course, has contributed one of the major sections of the report discussing progress within the commission itself. So that will be in the final published version. Thanks, Bob, who has provided us with his deep insights from his experience in Brussels. The project's premise was that the U.S. and Europe can provide the foundation for international cooperation and cybersecurity that there's a shared interest, transatlantically in a stable international order based on the rule of law, open arrangements for trade and a commitment to democratic governance and individual rights. But that these face a challenge that maybe we didn't expect a few years ago. The starting point for international cooperation is the applicability of existing international law and the norms that currently govern state relations. But these norms could be expanded. And we looked at five categories in the report. Norms for international security, for internet governance, for political values and rights, for development, which we learned is very important and for data protection. Right. In international security, there's an understanding that the current framework of the laws of armed conflict applies, but that it needs to be expanded and perhaps amended. There are areas of ambiguity. We tried to think of places where you could do things that go beyond what we do now. So you could have perhaps international agreement to avoid attacks on targets where the risk of collateral damage and escalation is great. The thing that's different about the internet is that distance is not an obstacle. So, you know, we hear there aren't borders, there are borders. We hear that, you know, it's a new kind of weapon. 
It's really not that new, but its characteristics are high speed and great range. And so in some of the interviews, we had discussions about how you could I should pick a neutral country. You could shoot at New York and end up hitting Pittsburgh, right? Because you don't know the scope of collateral damage. So agreeing that the core infrastructure of the internet, the DNS system, nuclear power plants, things where the risk of collateral damage or escalation are great, should be considered off bounds. You could stigmatize certain kinds of weapons, right? You might want to think about that consistent with the approach that we have done with WMD, so saying that some kinds of cyber attacks or some targets are not beyond the bounds of warfare might be useful. And governance, the thing that we heard repeatedly is that this was the governance structure we have now was designed by the West for a largely Western user base. And this has become a global infrastructure. The majority of users will increasingly be outside the West. And we need to find ways to accommodate their concerns. They have a greater interest in a role for governments than perhaps the original Western model. But when we accommodate those interests, we have to do it in a way that doesn't throw overboard the many benefits we get from the current multi-stakeholder model. And in particular, there's a real tension. There are some countries that would like to use the process of changing internet governance and building greater cooperation on cybersecurity to impose political constraints and to reduce access to content and to rewrite in some ways the universal declaration of human rights. This is an important point where transatlantic effort needs to push back and assert a more positive outcome. Under international law, states are free to impose restrictions on their national networks consistent with their international commitments to human rights. Right? That's a difficult one in the first place. 
And it becomes more difficult when you realize that some states wish to impose extraterritorial constraints. And the vehicles for using this could be the ITU. It could be other things. So how do you come up with a new approach that protects political rights while recognizing the responsibilities and the rights that sovereigns have? And no one has articulated this in a particularly useful way. We think that would be a good area for development. Development itself is crucial. And if you looked at the World Conference on Information Technology about December 2012, the message that was perhaps unexpected, although it should have been, was that there's a large number of countries that support internet where governments play a greater role. There's a smaller number of countries who defend the existing multi-stakeholder model. But the majority of countries are in the middle. And these are very often developing countries, non-aligned, G77. And when you ask them, what are your interests here? Their interests are economic. They are interested in development. They are interested in broadband access to improve their economies. And that is the fundamental question for them, more than cybersecurity, more than political control. The West, the transatlantic community, can help shape the move to development by ensuring that they have the tools, these countries have the tools and the skills to make their networks more secure. One thing that came up repeatedly when you talk, say, to African countries or some Latin American countries is we deploy broadband networks, but we know they aren't secure. And the minute we connect to the global internet with high-speed networks, we're overwhelmed with cybercrime. How can we help them avoid that? And there are efforts underway, but this is an important issue. As Heather mentioned, there's this fellow who lives in Russia. I can't remember his name. He did sort of derail the project for a while. We had to take a step back and rethink. 
There's an existing strategy. It needs to be amended, somewhat. I'd say the biggest amendment is any discussion of international cooperation on cybersecurity has to be expanded to include data protection. In the past, when we talked about protecting data in cybersecurity, the focus was on intellectual property and protecting it from economic espionage. This is still important, and it's clearly in the economic interest of both Europe and the U.S. to clamp down on cyber espionage, but a new transatlantic norm has to recognize the importance of personal data, right? And commitments on personal data. And perhaps you could build on existing principles in the countries of the transatlantic community. They're domestic principles for oversight and accountability based on democratic values, and press for their adoption internationally. We think that would be useful. A new approach that makes citizen data more secure, right? When we talked about mechanisms for transatlantic cooperation, there has been a debate over a global approach or a regional approach or a like-minded countries approach. Our conclusion was it's time to move to a like-minded countries approach, right? That the global approach will, while important, will be very slow and faces political obstacles. The regional approaches have been very successful in some areas. The work in the OSCE, for example, on confidence-building measures has made a tremendous contribution. But for the democratic political values that we think are at the core of international security, an approach of like-minded nations beginning with the transatlantic community would be the central place to start and would set a precedent for later global cooperation. We use the example of progress in certain areas, the nonproliferation, human rights, where this model has worked before, money laundering. It's time to do this now for cyberspace. 
Transatlantic cooperation on international norms can institutionalize democratic values and help build a stable environment. And what we hope this report will do is contribute to the thinking about the upcoming March summit between the Commission and the United States and can contribute to the work that follows that summit. You know, summits always make a general statement. They're nice. It's the work that follows the summit. And so we hope that this report will provide some useful discussion for the people, the diplomats, the member states on whom this burden will fall as they move forward. With that, why don't I stop and let our speakers.
Thank you, Heather. And thank you to the CSIS for organizing this debate and working on these issues, which are so important to all of us. As and if I may say so, Bravo for your report. Well, this issue will be one, probably one point which could be discussed in the US summit. We have not yet the agenda, but this is a strong candidate for being on the agenda, despite the fact that no decision has been taken yet. Well, maybe I could just update, start by updating a bit where we are in the European Union on cyber legislation. We are advancing the legislation of cybersecurity. It will be a directive once implemented. It will constitute the framework for our action in this domain. And there are four main objectives we want to achieve. The first one is to ensure that member states are prepared against cyber attacks. So we need to have them appropriately equipped. We want them to set up computer emergency response teams, a competent authority for network and information security. So we start from that, you know, build up the basis. Second is to ensure Europe-wide cooperation cyber, what in Europe we call cyber solidarity against cyber threat and attacks. And this means that we need mechanism for exchange of information on actual and potential cross-border risk. 
We have already an informal one, but we have, we need to have much more formalized, much more immediate, much more broadly covering, you know, it's like in every defense problem, the safety of any system and the strength of any system is exactly the strength of the weakest point. So we have to make sure that there's no weak points. And this is where we are at now. And the infrastructure has to be secure and allow for confidentiality of information exchanged and coordination of responses. The third objective, the state, the you, the citizens, is to ensure culture of security across vital sectors and all actors, including energy, transport, banking, healthcare, key internet enablers, public administrations and the list is not closed. Operators have to adopt risk management approaches, systematically to report incidents to the national competent authorities and to be responsible in this field. We hope that this legislation, this directive could be adopted before the end of 2014, otherwise it will be probably one year later. But in the meanwhile, we have already launched last June an industry platform in a similar way to the NIST process that takes place here in the U.S. And this is the European Network Information Security Platform which will identify good cybersecurity practice across the value chain and promote the adoption of secure solutions. Now, where are we at the transatlantic level? Our strategy foresees a specific place for EU-U.S. cooperation in this regard with ambitious objective which is to preserve an open, free and secure cyberspace which is a global challenge which the EU should address together with relevant international partners and at bilateral level cooperation with the U.S. is particularly important and will be further developed. And this remains valid. Whatever the developments by somebody, you said whose name? I think it has to take with the climate. Yes, we see a lot of snow by these days in Washington also. 
Now, this is a priority and this issue is high on the agenda on both sides of the Atlantic. With our cybersecurity strategy of last year, we have asserted values and policy guidelines and we know that they are apparently largely convergent with the ones expressed in the U.S. policies papers on cybersecurity. So this issue is increasingly central to our dialogue. Now, what to do with the dialogue? That's where the beef. That's a problem. And I think the approach taken by CSIS is part of the stimulating because it identifies five issues, five domains, which I really think are part of the right kind of approach. We have to be solutions and the problems focused and oriented. But we have a lot of things to do in this field because generally I could tell you a number of nice things on internet governance, on what to do, which would be, which look very much like, I guess, talking under the control of Mr. Dukes, which would very much look like what you are used to hear from the U.S. government that cyberspace has become increasingly a public policy space, that we want to clear definition of the roles of public authorities and stakeholders in internet governance and et cetera, et cetera, and that we are attached to the multi stakeholder model and so on and so forth. Now, where does the EU position itself in the global political debate worldwide? We try to stick to the idea that the European approach represents a third way or a middle ground approach between those who like no change and deny the legitimate role of public authorities in the internet and those who call for increased nationalization of the internet at the risk of fragmentation of the internet system. And that's where the NSA leaks appear and have posed us, I would not say it has derailed, but it has obliged us to focus on some aspects where we were not in a focus probably. 
And this, as you rightly pointed out, James, is probably the problem of data privacy and how to combine intelligence requirement and data privacy concerns. And this is not easy and we are working on a number of approaches to that. The first one is to see and continue pressing the US authorities to go further, to take action. We have heard with great interest what President Obama has said 10 days ago. We have read with great interest the reports of PCLOB and of review board. We believe all these efforts go in the right direction. The question is, are they going to reach the point where we will consider that we are in safe waters? This still remains to be seen because we are at the beginning of a process and it's the end of a process which will count and define the situation. There's a number of things that are on our table today between the US and EU. The first one is an improvement of a safe harbor scheme that would address security issues in a way that strengthens trust in transatlantic data transfers to the US in the commercial sector. It is absolutely vital. We have also to ensure the happy conclusion and the quick conclusion of what we call the umbrella agreement on data protection between EU and US which in the area of law enforcement will guarantee enforceable rights for EU citizens including judicial redress for EU citizens not residents in the US. Because if we don't have an equality of right and treatment then the conclusion will be very clear. European citizens will require their data to be stored out of the US. European companies will store the data out of the US. You have seen that already Microsoft has announced that they were going to do so. And the transatlantic free flow of information and datas between both sides of the pond will not be ensured in the same way because different laws will apply to datas following the fact if they are stored on the western or on the eastern side of the Atlantic. 
And this will be a great problem commercially because this will create an important non-tariff barrier to exchange and free trade between the US and the EU something which is one of our big priority today. But this will also have other consequences and I think the fragmentation of the internet regimes will be the risk of such fragmentation will be seriously strengthened. And we will develop different cultures, internet cultures and at the very end of the road until now we have the same internet culture or more or less. But if this challenge is not properly addressed there is a risk of divergence here. That's why these efforts are important. We have advanced a number of creative ideas. You know, I will give you an example. When we discussed with our US interlocutor and I want to stress that this is in a very constructive atmosphere, we say we need the same than in Europe judicial redress for the citizens and they tell us oh, it's legally absolutely impossible because A, the intelligence agencies will never accept such a thing, B, the constitution is not necessarily helpful in that and C, this would endanger our security possibly. And we say this can be addressed if you have a political will to address it. When we say judicial redress we don't mean that any US judge can call the director of NSA and say oh, because the son of Mr. Snowden want to know what is on the internet in the NSA files on let's say the author of the attack against Yemeni US in Yemen. The judge has to order the publication of that in the public, no. But we have, for example, in Europe, well we are told that sometimes we have some security institutions also in Europe and as far as I know they have never been having difficulties with the principle of judicial redress. So why should we be so different when we share the same culture? The solution has to be to organize that in the framework of two principles. The first one is the principle of indirect access. 
So the citizen has not a direct access to the judge but he has access to a magistrate which is specifically designated by the intelligence agencies to review the files and make sure that the data has been properly used, collected and properly stocked. And he may, with the agreement of the intelligence agency if the intelligence agency agree, make the data public but only in this situation, only with the agreement. And second point, there is still the question of what we call secret defense which is the classification of the data, a classified data has first to be declassified and the declassification can only be done by the security agency itself. So these are the two barriers which protects the thing but guarantee that an independent authorized eye can review a situation to avoid to avoid undue use of individual datas. And you know what strikes me when I'm here in the US is that the culture of paranoia in the US is much more developed than in Europe. Because, and I wonder sometimes if this is not connected to that. If the culture of paranoia is not higher here because the possibility of indirect access is less well organized. And so I wonder if we would not all benefit of making a creative effort to address this issue. And I'm confident that this is not impossible. We are not been said no, we shall never try. We are said we are going to review, et cetera. That's why I will again say we are the beginning of a process, what counts is the end of a process. We are hopeful that through these two exercise, safe harbor and umbrella agreement we are going to get some progress done. Final thing, final comment. I've been particularly interested in your report by the obviously of a security aspect because the US have set up a cyber command. Some EU member states have done the same without saying it but because it's a much more reduced scale. 
This is a direction and this is something which is unavoidable, a bit like when the nuclear energy has been discovered people have said we should put the genius back in the bottle and we know that this is not really possible. That's the same for cyber attack, defense, security. You cannot put the genius back in the bottle. So you have to live with it. And we have made a number of progress. The EU supports the work of the UN working group on that, we really consider that we have to set up more and more a logic of, I would say, certainly not disarmament, we are in the opposite phase but arms control I would say. In the development of these fields you have outlined a number of very very important tracks and I think this is a good basis for further elaboration on that. And personally I tend to believe that this part of your report should really nurture and stimulate more of a reflection particularly in Brussels where we are traditionally a bit behind you in that field. I would stop there, thank you.
Thank you, thank you so much. Your remarks are very very important. Tom, we welcome your reflections.
Thank you very much and thank you for inviting me to participate in this panel. I had the pleasure of sitting next to Francois and being part of the round table that CSIS conducted here in Washington, I guess about a year and a half ago where we talked about these issues. And I guess my first comment would be that in terms of looking at operational cooperation between the US, the EU and the EU member states, I frankly see no difference today than what I would have. 
So the comments I made a year and a half ago about the level of cooperation particularly on issues like cyber security and cyber crime and especially at the operational level in terms of dealing with incident response, sharing threat information, responding to transnational crime challenges that we both face, I really don't see any difference between the way things are operating now and the way things were operating back then. And to me that's a valuable lesson or point to think about because I think it emphasizes to the extent that we have good strong institutions that we've already put in place that reflect our shared values and concerns about how to address common challenges that are not just challenges for threats for the US and the EU, but also for the larger global community that we've been able to maintain very strong constructive partnership going forward. And certainly all the dialogues at whether you're talking about the summit level down to the much lower level discussions that take place on a daily basis here, in Brussels, elsewhere and also the discussions that the US has with the various EU member states. I have to say that things seem very positive and strong and I don't think from the State Department's perspective we have any great concerns about our ability to move forward together to advance our shared vision, our shared values in this area. I would like to go back I think and talk a little bit more broadly about the issues that Jim provided an overview of the norms that the report suggests for further or areas of norms for further work between the US and the EU and broaden it up a little bit. And I think Francois has done a good job of teeing up many of the current issues of debate and concern, but I think it's important and those conversations will continue in the appropriate venues, both between the US and the EU and also the US and the various member states. 
But I also think it's important that we not lose sight of the very, the great number of challenges that we currently face, that we will have to face in the coming year and years, that if the US and the EU do not continue to partner as we have in over the last several years in facing these common threats, which I'll go into in a little bit more detail in a minute, that we really do risk causing some irreparable damage, not just to our relationship, but really more to the future of the internet. When Francois articulated the idea of having a secure, interoperable, reliable, open internet, I mean, that's the same vision that the United States has, it's what the president outlined in his international strategy for cyberspace that was released in May of 2011, and that still holds true today. So just to touch on some of the specific areas of norms that Jim mentioned, international security, first of all, the outcome of the group of governmental experts in the UN looking at basically international security and cyberspace and the report, the consensus report that was released last summer is an extremely important issue that Jim has done an excellent job, and CSIS has done an excellent job of capturing in the report. And that consensus that included a number of things, but very importantly, the consensus view that the UN Charter applies in cyberspace, that international law, particularly international humanitarian law, i.e. the law of conflict apply in cyberspace, and that further work needs to be done to develop norms and confidence-building measures, that's an incredibly important landmark agreement. But what we currently see right now is sort of a race to define how those concepts move forward. 
And we already have seen China and others organizing conferences in settings like the ASEAN Regional Forum, where their spin on how to think about the application of international law to cyberspace is markedly different than what the countries represented up here and the US and the EU would like to see happen. And that's just, I think, one example, but we also have work going on in the OSCE to develop norms for cyberspace. It's important that we be thinking about, I'm sorry, the confidence-building measures for cyberspace is important that we be focusing on what sort of peacetime norms and confidence-building measures can be implemented. But there is a real danger, I think, if the US and the EU and the various EU member states and the other countries that are definitely, I would say like-minded in our approaches, allow certain issues to impede our forward progress on those sorts of important international security norms and confidence-building measures, because it does not take much attention to the rest of the geopolitical debate in this area to realize that other countries, Russia, China, very much see this current situation and what appears to be, at least at some level, a rift between the US and the EU as a very good opportunity to not just drive a wedge between the US and the EU, which I don't think realistically would happen, but to undermine the excellent work that we've done together to really expand these norms out to the larger audience, the developing world audience, that really have to embrace these ideas if the G77 does not agree with us on issues from how to deal with international security and cyberspace, development, cybersecurity, political rights or human rights, then we're not really going to get to the type of cyberspace and internet that we all very much want and need to achieve, ultimately. 
So on a couple of the other norms, I think they're worth brief comment, just to, again, highlight some of the positive things that are going on that I think are the things we will continue to build upon. In the area of cybersecurity, the US-EU working group on cybersecurity and cybercrime continues to be a good venue for us to work together. We certainly can find ways to improve our cooperation on things like incident response, awareness raising, sharing information about threats, improving CERT-to-CERT relationships through things like the International Watch and Warning Network. Those are all good ways ahead. In the area of development, while it's important to ensure that we expand access to the internet and the US and the EU through the External Action Service are both looking to really ramp up their capacity building activities, we also have to ensure that as access is expanded, we do it in a way that builds in a culture of cybersecurity and builds in the right technical standards, laws, institutions, the right collaboration between governments and the private sector and civil society so that you don't just build infrastructure and then sort of let the rest of it sort itself out. If you don't have the right cybersecurity in place with cybersecurity in the most kind of expansive definition, then you're not gonna reap the economic benefits, the social benefits that will flow from expanding access to the internet. In the area of governance, again, the WCIT process, the treaty conference for the ITU that took place last year in Dubai was a, the end result was that the US, EU member states and a number of many other developed countries walked away and did not sign the new treaties, the treaty documents because of concerns about how they would impact issues like internet governance. 
As we move into the events that will take place in the coming year, things like the Quadrennial ITU Plenipotentiary Conference, where many of these same issues that were discussed at the WCIT will be, for lack of a better word, relitigated, reconsidered as we look at things like the upcoming ITU development conference. Again, these are opportunities where if the US and the EU do not continue our strong partnership, do not continue working towards our long-term strategic goals of ensuring a good environment for the internet, then the good work we've done in the past could be undone, could be undermined in a way that could have very long-term and wide-reaching effects that would not be pleasant for any of us here. Two last things that I'll mention that I think are worth further thought and work between the US and the EU. In the area of political rights and human rights, one of the things that we, in my office, see as a very positive development in the last few years is the creation and launch of the Freedom Online Coalition, which was launched by the Dutch government, has a little over 20 members right now, but has also demonstrated that you can find a group of like-minded countries that will come together around a key issue. And if you look at the membership of the Freedom Online Coalition, which essentially is designed for countries to express their support and promote human rights online, freedom online, you've got core EU member states, but then you also have countries like Ghana and Kenya and countries in the Americas, countries in Asia, and it demonstrates, I think, a good successful example of a model for bringing together a like-minded group built around a core issue that reflects our values that's broader than just the US and the EU and sort of the usual suspects.
And then my last comment I would make is one thing that personally, and this may reflect my background as a cybercrime prosecutor, but one thing that when I looked at the five pillars that seemed to me to be another potentially very good pillar would be advancing norms on cybercrime and advancing cooperation around cybercrime. Because if you look at, for instance, the success of where we are with international cooperation in this area, particularly built around the Budapest Cybercrime Convention, which now has over 40 parties. And if you look at the sort of evolution that is laid out in the CSIS report of talking about finding projects, norms that reflect the shared US, EU values, and then needing to bring in other countries in the developed world to also embrace that, that's exactly what the Budapest Convention is. If you sort of set aside the fact that it's a treaty and think of it instead as a set of norms that say that to effectively deal with transnational crime, involving electronic evidence, high-tech crime, cybercrime, however you wanna think about it, that you have to have agreed common definitions of what's a crime. You have to have a certain set of investigative powers so that law enforcement can effectively deal with the challenge, and then you have to have strong formal and informal international cooperation mechanisms so that countries can work together to deal with what is a transnational challenge. And the evolution of the Budapest Cybercrime Convention in the, since it was initially open for signatures in late 2001, is that the US, Canada, Japan, the Council of Europe Member States, which largely overlap with the European Union Member States, signed on to the convention and worked towards ratification. But most of the ratifications that, so all the ratifications that took place in, say, the first decade or so of the convention, the first eight, nine years, were those core states.
But if you look now at the dozen or so countries that are currently in the process of becoming parties and you look at the most recent new parties to the convention, you see that it is greatly broadened in its membership. So in 2012, you had Australia and Japan become parties. In 2013, you had the Dominican Republic and Mauritius become parties. But you also had countries like Colombia and Senegal and a number of others asked and received formal invitations to become parties. And there are probably another eight or 10 countries that are in the process of getting to the point that they will receive formal invitations in the near future from the Council of Europe to also become parties. And all of those countries will be members of the developing world. And so right now, when you look at the countries that are in the process, you see essentially every region of the world, because I don't think I mentioned Morocco is one of the countries that's in the process. So again, you can look at something like the Budapest Convention and I think it serves as a very good model for how to build a norm that's based on our joint values and then build it outwards and get it embraced by a large number of countries. So I'll wrap up with that and just again make the final point that at an operational level, I think that the cooperation between the US and the EU and the EU member states is actually extremely good. Definitely room for improvement, but not because of recent, you know, concerns and debates over how to proceed about a variety of issues, whether it's things like how to deal with data protection in the context of Safe Harbor, a debate that was already taking place that has taken on new dimensions with the advent of the NSA disclosures.
But if you set aside that aspect of the discussion, which is very important and will continue, and focus on these core issues where we continue to have extremely strong shared values and interests and also need to very much continue our strong partnership to ensure that we don't see the good work that we've achieved over the last decade or more of working together undone, set back, undermined. I think those are things that I would like to see us focus on as we move ahead and continue this dialogue. Thanks.
Thanks so much, Tom. What I'd like to do now is turn to you with some questions. What we'll do is we'll bundle them and I'll let our speakers will have a final close-out. You can respond to the questions and give any closing thoughts to these very thoughtful presentations. So with that, I think we have a colleague right here. We just need a microphone coming your way, right here.
Thank you. Thanks, Arwan Nagadek from George Washington University. A couple of questions to Francois. To what extent are you confident that, you know, talking about the man who has no name from Moscow, that the European Union member states themselves do not need to work on shared norms and behaviors? You know, one of the shocks to the system from the Snowden revelations was the extent to which it's not only a discussion or the paper being removed from the cracks between the EU and the US, but among the Europeans themselves. I mean, the questions being asked of the British in the sense that some European nations' reaction to the NSA leaks was to try and negotiate to approximate the Five Eyes no-spy agreement. So to what extent are you confident that the EU has its act together? And I suppose the broader question would be that you all touched upon, to some extent, is the terminological vagueness that plagues the whole cybersecurity debate.
You know, we, from your comments and the paper, there's a sense that we're talking about many issue areas while the EU and the US are still working very closely together as against the whole espionage data privacy issue. Can we, should we, de-link the several pieces of the puzzle? Or is that, as Francois had put it on another issue, but is cybersecurity, can it not be unbundled because it will fail based on the weakest part of what we mean by cybersecurity? But can we de-link the component pieces there? Thanks.
I have to add one myself. Francois, you painted a very bleak picture, potentially, if some of the key issues around data protection cannot be adequately addressed. And I think in some ways, Tom's presentation showed the strength of the US-EU relationship in times of great political strain, that we understand the importance, we have to operationally maintain it. But Francois, you suggested, and this is, Jim and I have had many lively debates about this over the last several months, the politics of this become extremely fraught and political leaders have to respond to that pressure, no matter if they understand the operational imperatives on the security front, they understand this. We can call each other hypocritical, we can call each other different things, but the fact of the matter is we have a big political challenge in front of us and we have to find a way to manage that. And I think I see willingness on both sides of the Atlantic, but I sort of, a little more sympathetic, Francois, we have a start, it came seven months after the initial revelations, but the proof will be in the implementation and the pudding, as we say. So I'd welcome, and Jim, you can, we can have a little debate on that, I'm sure. So with that, why don't we just work down the line, Francois, you can, again, closing thoughts, respond to the questions, and we'll just move down the line.
Thank you, Heather, thank you.
I will agree with everything that Tom has said about the strength of our cooperation. This is a fact. Another fact is that, as you said, Heather, the reaction in Europe to the NSA leaks has been stronger than many imagine here. And not everywhere, not in every country, Tom. It changed. You have countries where the reaction has been minimal. You have countries who were not interested, but you have countries where the reaction has been really maximal, I would say. So we are not a completely homogeneous and unified space in Europe, you know. And that's why also the Council has taken the wise decision to define a sort of two-track approach. The questions related directly to intelligence are questions which are, in the EU system, first and foremost of the competence of member states, and so the dialogue with the US on these issues has to be conducted through member states. That's why I want, I'm not the best placed to answer your question about Five Eyes or a discussion between the UK and other member states, because this is something which, and the dialogue with the US on these issues, this is something which takes place on a national basis, and we think it's better like that, because if I am sure of something, it is that our cooperation against cyber crime and on cyber security will remain very strong, whatever. I don't think that the dangers are mostly there. I think the risk, as I said, is more in the reaction of the public on one hand and the impact it can have on the business and the reactions of the business to adapt itself to the wishes of the public on one hand and on the second hand, which could lead, as I said, to a sort of divergence in the cultures on the two sides of the Atlantic, and the second kind of risk would be a political outcry in certain quarters of Europe.
You know that we should have like you election this year and have made for the EU parliament, so a sort of move which would push parliamentarians to request some measures of temporary protection being made, such as suspending the Safe Harbor, you know that we have had some, a number of EU parliamentarians who have advocated, who are still advocating that, and some indirect impact also on the whole trade, our whole trade approach. You know, a point which is important to know is that we see now in a country, in a big central country in Europe, I would say, I will not name it either, in one of the biggest, if not the biggest one country in Europe, a movement of public opinion which is based on this NSA revelation and which asks for suspension of a negotiation with the EU. This is the kind of challenge we have to address. It's a political challenge that we have to address both together. But if we want to address it, we have to realize the exact size, not to overkill, not to overreact, but not to underreact also. We have to react properly and to address properly what the citizens think and believe. And that's our challenge. And that's why we have welcomed, as I said, the speech of President Obama of this month. But as I said also, it's the beginning of a process. And particularly if you note that this speech was mostly focused on an answer to the concerns expressed here domestically. And if you note, for example, that an important body like the PCLOB has divided its report in two, one dealing with internal aspects and the other dealing mostly with external aspects. So we are still at the beginning of a process of answering the concerns expressed in Europe. That's why we have to continue with the effort.
Thank you, Francois. Tom.
Great, thank you very much.
And just briefly, I agree with Francois very much that we're, I don't know, necessarily at the beginning of the process, but I would say that we have a very good process and we have a very good basis for having very frank and I think constructive discussions between the US and the EU on a broad range of issues. I remember, and I think it was 2004, when I first heard about Safe Harbor and the issue of data privacy. And at the time it struck me as a very contentious, difficult, intractable problem. How were we going to somehow bridge the differences between the US's approach to privacy and data issues and the EU's approach? And I have to say a decade later, it seems like we've always managed to find a way to move forward, to work through these issues, and I'm confident that we will continue to do that because again, we have very strong shared values and commitments to the same way ahead, whether it be on the trade front or on the security front or on any of the issues that we're talking about. I know that this weekend, the Munich Security Conference will start off, for the US side will have my big boss, the Secretary of State, also the Secretary of Defense will be there, and I know a number of very high level leaders from across the EU and the rest of the world. I'm sure that it would be fascinating to be able to be a fly on the wall listening to some of their private discussions.
I'm sure that this will come up, but as in some of the recent high level meetings we've had with officials from the EU, NATO, you name it, at the end of the discussions we always say, but we also have to remember there are many other great challenges facing us right now, for instance, Syria, Middle East peace, you name it, there are a whole host of security and other challenges and this is one issue. But I think if you look back historically, you're always gonna be able to identify times in history, times in our history between the US and the EU where we've had issues, political or otherwise, that have caused us to have momentary disagreements. And I am thankfully not a politician, I've been a career civil servant focused on law enforcement and security issues and now diplomacy, but I have great confidence in the political leaders of the United States and the European Union and the EU member states to find a way to work through any current or future disagreements or areas of tension that we have and to continue to make good forward progress on our shared goals and values, particularly in this area of making sure that we end up with a cyberspace that really is open, interoperable, secure and reliable, because anything else is going to be a really bad outcome for all of us and for the rest of the global community. Thank you.
Thanks. Jim, last words.
How lucky. Some of it all wrong. I won't. What I'll do, I will answer the question about can the issues be delinked, and I think the trend is actually the other way, which is in the last year, we've seen a convergence of issues and so it's difficult now to have a discussion of governance without touching on cybersecurity, without touching on political rights, without touching on conflict, right? And so whether that's in part driven by some of the other countries who have a more unified agenda or whether the difference was artificial when we started thinking about internet issues almost 20 years ago, it doesn't matter.
Well, it does matter, but convergence is the trend and so you can't really delink these things. Of course you have to deal with them in different fora, but you have to realize the issues are associated in a way that you can't do something in one area without affecting the others. You know, I think the message that we've heard is the strong shared values. The one part that perhaps we haven't emphasized enough is that these shared values are facing a much greater challenge than we might have expected a decade ago, and there is a dispute en famille. We've been caught doing something that has generated a legitimate response, but I would hope that these disputes don't disrupt the larger strategic interests of both sides. There is a solution to these things, I think. It will take time to work through them. We've certainly seen similar debates in the past between European countries and the US over strategy and security related issues, and the process that's begun will hopefully lead us to rebuild, re-strengthen, expand the relationship, because I think the alternatives will all be unwelcome. So if the report can help contribute to that, that would be a good outcome, thank you.
Very much agree and I'm pretty sure to join Tom in expressing the confidence that this is precisely because we all believe that that we are going to a summit that we want to illustrate the convergence of all these aspects and to remind everybody here on the two sides of the Atlantic that our cooperation is much more important than in so many fields that your report has touched. And I'm pretty sure that the summit will offer us an opportunity to restate that. And once again, thank you for reminding us of these basic truths.
Well, in a very brief thank you again to the EU delegation in Washington for supporting our thinking on the subject and for your intellectual contribution. Thank you, Francois. As always, thank you, Tom, for your insights. Jim, it's been terrific two years working with you.
I'd like to thank my colleagues, James Meena and Claire Freitz for assisting us so ably throughout this journey. We look forward to more conversations about this and again, on behalf of CSIS, thank you for joining us on this very cold morning. Have a great day.