 Good afternoon, everyone, and welcome. My name is Richard Barrow, and I said I'd like to make a very brief introduction. So we're really going to do a brief course at the outset, and we're going to begin with John. And first of all, just to note that we've now come three months off. Both of my almost 30 months off. And the day that we're going to do a talk, shark, remember, we're finished. And the initial press is obviously on the record of their author. They're after the channel has rolled a plight, and they're all responses, and they all deliver. People can use the information, of course, but they can't actually. Okay, my name is Richard Barrow. I'm an abandoned wandering civil servant in the Park of Communications Office. I deal with internet policy issues, and the two minors have security, bits and pieces as well. By the way of introduction, I just wanted to point out that the Internet has changed a lot of things, obviously, in more than a few ways. There's been more confounding and challenging, compelling implications of the insecurity. In many ways, it's really changed the social contract. We've all come to an understanding of the state's role in the security. Historically, we've also seen the state hold the borders to our modern space, to our airspace, to our land borders. Right now, which is in the wake of the large technology companies and the Internet, are leaving borders, institutions, companies, and infrastructure. That's the same reality as the whole of the state's security. As a professional developer, following the needs of the state, the Internet has become a spatial. And in that kind of situation, we're not going to have any reliance on companies than we ever have been before, which takes us neatly to Johnville, where all of this Microsoft, obviously, and very core Internet is very foundation, and on some of the areas that they've ever happened despite their best efforts. Johnville is the vice president for e-government affairs, and he's the Microsoft across the box. Previously, the vice president of the Department of General Counsel for Digital Trust and Security, two foods of all importance with the national security of Microsoft. So that's an extremely probable understanding of history and space. He also, obviously, goes here to seek out their Microsoft's own work in developing a new global framework for cyber security and presumably an extent of what we'll also hear about how states should react on the Internet, which I look forward to doing so. I think we'll come as a group as well, so Johnville. Thank you for the introduction. Thank you for the opportunity to interview me today. I'm going to try to talk about, I guess, this is not meant to be a particular policy discussion, right? This is just a broader awareness about some of these topics, because I do think that this is a 20-year issue. In fact, I think it's a permanent issue that we're going to have with us as long as we have the Internet. Our offices in Brussels are right next to the European Parliament, and just in the other side of the parliament is the European House, which is a museum of European history that just opened last year. There's a room with a single object in it on display. It's a pistol, no bigger than my hand. It's the Brown pistol that was used to assassinate Archduke Ferdinand on June 28, 1914. And of course that was the spark for World War I, which ultimately led 21 million people dead. Now, the lesson of World War I is that I think our industrial capacity to produce weapons that could kill exceeded our statecraft and diplomatic capacity to manage war here. I don't think anybody value to it any idea of a magnitude of the losses that would be created in the disruption. But today we face issues inside the security where our capacity is not yet developed to deal with threats that are all too real. And so June 27, 2017, in the Ukraine, a small piece of code was launched that propagated quickly throughout the Ukrainian businesses. It was done through the update software to a software program called AndyDoc, which was essentially everybody came to for BAT compliance. So it's on virtually every business's computer. And the code was spread within hours. Virtually every federal agency in the Ukrainian government was ground to a halt. Hospitals, the banking system, and businesses. And this was, we later find out, launched by the Russian military. And just, if I can digress for a second, we'll talk about these things in retrospect. We can sort of precisely say what happened. But, you know, people talk about the model of war. Well, in cyber war, the fog seemed greater because nobody knows why it's happening. They just know, my computer's got this weird message that is reformatting my hard drive. And suddenly everybody in the building has the same message on the computer saying their hard drive is being reformat. And so for us, when these things happen, we've got this response center. We can pull together engineers. And we're constantly wanting our hands on one of these computers. From the local team, we can observe the code. But if you're about a malware that is causing the hard drive to encrypt, you don't know what the code was executing. And so you have a harder time just figuring out what's going on. And for us, the question is always, would a fully patched machine be vulnerable to this? And for, there's vulnerabilities in software. We call zero days. That is, those are vulnerabilities in software, but they're not coming to us. And so, even if we know about it again, there's no patch for it. And so when there's an attack using zero day, computers are specially vulnerable. In this case, it was not a zero day. The potential exploit has been disclosed to us. And there was a patch. So fully patched machines were protected. So we also realize in the Ukraine, we don't have a means to provide customer support simultaneously to the whole country. It's a special problem. You've got everybody, you can't use their computer. So you can't push out information that way. And these hard drives are encrypted, and he's trying to figure out what to do about it. I think there's a lesson both for governments and for us. At the lunch discussion, there were some very good points about governments and private sector will be cooperating more and more on this. You know, the government's back to the public citizens, the corporate sector, we call them customers. And when customers have a problem, they call us. And so we're all in this. The not patched attack didn't just stop the Ukraine border, though. And whether this was intended to impact every western business that dared to do business in Ukraine, or it was accidental, it spread around the world. There were several major corporations that announced or disclosed that they had issues. It would be pretty hard to hide from most of them. The world's largest shipping company operates 74 ports around the world, and 20% of the shipping fleet of the world. And there are operations ground to a halt for about two weeks. And so the ports, the port of Los Angeles, a large part of Cuba's got stuck and couldn't be moved. Now, there was other companies that acts merit the pharmaceutical company, Saint-Gobain and the French construction company that was bought into us. So there's a large spillover effect. The total cumulative cost of this attack, probably about $10 billion. And it was about six, it was more like eight months later, the United States led a group of governments to announce an attribution of this to the Russian military. And so they did that just before the Union Security Conference last February. Interestingly, no country, though, called this a violation of international law. There's consensus that international law applies to cyberspace, but what rules apply and how do you apply them? We gathered a group of Louisville experts who published a review of the story that date before the Union Security Conference in Munich. And we got 12 international law groups there. And we asked to look at the facts, as best we could tell, from a non-petra attack and the one or cry attack that happened the moment before that most of them took down the UK National Health Service. And the lawyers discussed, debated, took a vote. The non-petra attack, they said that would be a violation of international humanitarian law because it indiscriminately was launched and affected civilians. It wasn't just targeted, they've just done the federal government for me, but it was indiscriminately against civilians and it was destructive. You made that message, if you pay someone you can get their data back, if you weren't getting it back. And so, but I want to cry attack the group split 50-50 because there was a sense, an argument that you weren't in a situation of armed conflict with North Korea. And so when they launched a cyber attack, is it, you know, does international humanitarian law apply below the threshold of armed conflict? And the sense there's this gap or soft space in international law that exists. Now, the Red Cross, they take the position called the first bullet doctrine. So the first bullet fire, the humanitarian law is applied. And there are more about the first block. Something else, but as a practical matter, the way international works, it's done by customary application. And again, the Red Cross may say it's a violation of international law, but they don't do that, but countries have. So we've got this sort of system that allows for great destruction of civilian property and we don't have adequate protections. Now, we've called for two years ago, we called the Digital Sheet Convention as a means to deal with this. We set out saying the convention should do. We've got three pillars to our plan. We need binding norms for government behavior. They need binding, not just the like-minded countries will follow. Because right now the situation is we can kind of get consensus among Western Europe, North America countries, but if adversaries don't adopt those, recognize those rules, what's the point? So we've got to start. So we ultimately think we need binding rules. We also need to increase attribution. We need governments to call out other governments when they do this. Up until now it's been this world of intelligence where there might be a news story or somebody, or a quarter's got a source saying that somebody believes something and kind of pointed people in the right direction now, but they were going to change behavior. We do need to maintain the chain, and we need to build a customary international law. We've learned a significant amount about our capacity and the private sector capacity to assist with that identification of who's behind an attack. We get several billion data points a day from all the devices in the world. We've got a pretty good sense of when things happen. Now governments have other means, signals intelligence and other human intelligence, and they have access to information we don't have. We think that together our information is going to be very useful to helping governments more accurately or more robustly attribute attacks. We have learned the process of the nation-state state attribution as a statecraft, not a scientific term, and we have learned that people talk about attribution, but we're going to talk about accountability and not attribution. We want to have a new non-governmental organization, and I expect that next three months we'll announce one that is broad funding that will be a private sector organization to work on cybersecurity resilience and provide assistance to countries who are under attack and can be a means of private sector coordination so that we can perhaps work not just on our individual products, but on the collective ecosystem of the internet and the corporate networks that we operate in. So we have taken steps by gathering some industry groups. There's a group called the Tech Accord, the Global Tech Accord which is now signed by about 60 companies. The Siemens has something roughly analogous called the Charter of Trust where private sector companies are trying to do more collectively to enhance our security and really resilience. The older model was if you build a big wall around your computer, you'd keep it from getting in. Now you realize that's not going to work. And so you have to assume that people are going to get in and how do you think through that scenario and minimize damage and maximize your ability to rebound. So resilience is the key concept that we're going to be working on with other companies. The Charter of Trust company does take some points of view about we're not going to do offense against private sector. Now at Microsoft we've committed that we're not doing offense for anybody against anybody. We're not working in big ways. Stop it all. But other companies do work for militaries which have worked in the space that have been technically considered. And so the Charter of Trust, the Tech Accord group of companies is important. The international process is kind of broken, just to be honest. The UN has been in the forum and they've had experts appointed for a few sessions and they did make some good progress. So the basic affirmation that international law applies to cyberspace was there was a consensus which was announced in 2015 and there are some new arms that are being developed there. So in 2017 the group was unable to reach consensus and there were a lot of things going on but some governments were essentially blocking it. And we do have some very fuel-hot disputes at the moment that are just as practical about it. The Russian interference in Western elections is a significant complication in how you talk about cybersecurity in the National Forum. And last month the new General Assembly adopted two resolutions. One appointing a new group of government last words with a very limited mandate and then the second appointing adopting the Russian resolution which will have an ongoing working group in the different parts of the UN. And our part, going back to the private sector, we're the ones who own and operate the internet. We operate the corporate networks. It is our developed technology that is operating not just in the private sector but in the public sector and largely in the military as well. And so we have a state and we want to see it at the table. So we had some discussions last summer about what can we do. And President Macron was convening the Paris Peace Forum in connection with the Sampdonaire of the Armistice and that was last November 11th, just three weeks ago. And so I was given the assignment of filling into the other day and pitching the Macron administration on a joint declaration that was made by governments and by the private sector and civil society on the importance of cybersecurity. And so it eventually became the Paris call for trust and security in cyberspace. You'll reach out a copy at the end. But it's important because it brings together previously recommitments and puts them in one place. It's also important and kind of strengthens that. It's also important because it is multi-state order. When launched we had 52 governments that had signed about 200 corporations and 100 civil society groups. You know, we've got very good each of the EU 28 in the end sign. And so there is opportunity consensus in Europe to advance this. The question is where to go with that. There's some sense that it's easy to define norms and easy to write rules. People shouldn't do that. And you know, as Moses found out in the Ten Commandments you can make rules, get people to follow them, that's part of the thing. But that doesn't mean you shouldn't make the rules. But the right now is in the international community the discussion we want to have is how do you have rules that people will abide by? We think that is increasing accountability, attribution and development of greater means to global power. But in a sense, we all know who's doing these things. We know it was Russia that produced the war cry. We know it was North Korea that did the war cry. We need to actually have real discussions with the Russians about some of these issues. There's a disagreement saying well they want to control content that goes into Russian on the internet. That's the issue they care about. And we only go there. We're in a standoff situation though and I think dialogue is essential or we're not going to make progress on this. The Russians, they're not trying to be subtle there. We need to figure out how to work with Russians. The Chinese have significant capabilities we need to work with. And we're going to need to figure out a broader system. To support not only this, we've also helped support a broad-based campaign. We have 100,000 signatures now on digital peace now. We've also got a copy of the presentation. But it is trying to reach out especially to the young people in the interest of civil society groups to raise the idea that digital citizens want digital peace. And we do need to devote time and attention. And I know government's agendas have lots of important priorities on it and our pitch is this should be one of them as well. So with that, I think we'll turn to the discussion. And we'll take on some questions.