 Alright, hi everyone. Great to see so many of you still here after a long day. I guess that can mean a couple of things. Either you dozed off, you're really curious about international peace and security and cyber space and what you can do to contribute or you think this is about hacking into the UN. If you think it's the latter, it's not, well at least not really unless you count social engineering which I'm sure we'll get to as well. So this is really about how we as a community can better contribute to these war and peace discussions taking place in places like the United Nations but also between multi-stakeholder organizations, civil society and private companies and what DEF CON can do. So my name is Alexander Klimberg. I'm a policy wonk and writer and I have done the cyber policy under different hats, mostly in think tanks and universities, places like CSIS, Atlantic Council and Harvard University. And I've written about some of my views and adventures in a book called The Darkening Web which in its second edition is definitely worth you buying because it has extra darkness. So today I'm monitoring a panel in a different role, namely as a director of something called the Global Commission on the Stability of Cyber Space. So basically this was a blue ribbon commission of 27 world famous experts on all different parts of cybersecurity from 16 different countries who've volunteered their time to help influence the state led discussions on war and peace in cyberspace, mostly taking place in the United Nations but also other places. So our final report was launched in November 2019 at the Paris Peace Forum by the French Foreign Minister, the Dutch Foreign Minister, the head of the Cyber Security Agency of Singapore and an Oxford study once said we were a very influential private initiative. Two of my fellow panelists here on stage with me were also members of that commission. We were joined also by three panelists virtually and I'll introduce everyone in due course but what we all have in common is that we have one where another recently started engaging in these international cyber security discussions that as said are mostly state led and some of our panelists have been part of something called the UN Open-ended Working Group which is one of those discussions that first opened up to outside advice and consultation although to a limited extent and to limited effectiveness as we will discuss. Now that being said the walls are coming down between the hallowed halls of arms control and cyber security and the technical community. The question is how fast are they coming down because this is being diplomacy this happens very very very slowly so part of the point of this discussion is we're hoping maybe we can encourage the process a little bit maybe take down a couple thank you know of those bricks speed it up and see what all of this year can do to contribute. So we're gonna do around with the panelists before opening up to the wider discussion hopefully including a bunch of you and first I want to introduce Lauren Zabiek who is currently the director of the cyber project at Harvard University. So Lauren can you help set the stage for us a little bit tell us where these international discussions are and what do they aim to achieve? Absolutely Alex and the entire DEF CON career there thank you so much for having me this is truly an honor and I desperately wish I could be there with you but anyway as Alex said my job here is to set the scene for you so at one point or another we have all heard that the cyber domain is the wild west there have been little in the way of codified norms and rules to really guide state behavior in cyberspace despite the internet having been around for decades. We've all witnessed the rapid development of cyber conflict over the last decade or so despite the ample attention and work done in the space over the last several years and thank you Chris Pankter one of our esteemed panelists even with Russia's open ended working group or Russian led open ended working group the report that was signed remarkably by all 193 nations at the UN this past spring and which reaffirmed all 11 norms set forth by the previous group of governmental experts. We seem to be no closer to real rules in cyberspace and yet as we know the threats continue to grow in scale complexity and sophistication. So how did we get here? First I think it's important to a revisit the concept norms in the first place and then be understand the general lines of thinking by the major blocks that really serve to underscore you know just how far apart we are despite theoretically sharing a goal of stability and security in cyberspace. Then we'll come back to this the current state. I'd like to say that I'm Tarantino-ing the shebang but truthfully I've never seen Pulp Fiction which as my husband says is a problem. Okay so where the concept of norms and cyberspace come about? Well it goes back to the late 90s when Russia seen the internet and ICTs specifically as a threat to their sovereignty and security wanted to introduce arms control agreements and roles at the UN. The West specifically at the the US thought international law should really apply to conflict in cyberspace and wanted instead to promote the adoption of norms for responsible state behavior. The problem though is that you know we were thinking more about how international law covered cyber warfare and I don't think we're really covering the other stuff and how that other stuff could get so dangerous and then by that I mean the so-called gray zone and it's my opinion that part of you know these authoritarian state strategy has been to essentially exploit that. See show hey you know we need rules this is what happens when we don't but unfortunately those rules we think would give legitimacy to the ideas that we in the West are against mainly state control over the internet by authoritarian states. So in 2017 the UN GGE collapses over some agreement and disagreements between states and Alex Grigsby famously declares this is the end of norms. Then the Russians come out with their proposal and expanding membership to all the different countries in the UN. Needless to say the US wasn't super thrilled with all of this at the same time we're seeing things like want to cry, crash override, not petia, the election meddling, basically shit's getting real. So the next year US the United States elevates cybercom to a combatant command and then you know comes out with the strategy of persistent engagement to fend forward which all the other nations are like wait what you know recalling the Thucydides trap essentially Ben Buchanan forecasts in cyberspace the actions that one nation takes to secure themselves are going to be seen as threatening by others and Russia most surely sees this as aggressive. So then recognizing relations between our two countries are at an all-time low and quite honestly people are worried. So in 2019 we at the Belfer Center added a cyber component to our track two dialogue with the Elba group. Out of that meeting came a paper exploring rules of the road in cyber with Russia that we just published back in June in that we state that bilateral agreements with Russia could be good for our long term security but we're just so far apart in our interests and our perspectives on the internet that it wouldn't be feasible or advisable to do this in the short term. One thing to keep in mind though and this is something that I learned from writing this paper is that Russia has never publicly acknowledged any offensive cyber capability or activities in cyberspace. So a main barrier to discussions is how to even start these discussions with a nation that won't even acknowledge that capability and then how do we reconcile completely different viewpoints on the internet that speak to the different values as nations. So the questions are are norms so last decade or are they back now? Is bilateralism the way ahead? Clearly there are lots more questions and answers right now and that is essentially where we are. Thanks. Okay thanks Lauren. I'm going to ask Chris Painter to maybe take this a little bit forward and maybe also circle back explain a little bit what norms are but also what non-state actors are really doing in this space and how that came about. We heard from Lauren for instance how Harvard has started a so-called track two process that's basically a formerly informal process between the US and Russia. There are quite a few other such processes but let me just quickly introduce Chris who currently is the president of the global forum of cyber expertise before being elevated to that position and to the member of the global commission. He was a lowly first cyber diplomats of the United States after a long career in Department of Justice in the White House. So again Chris I think those discussions are still very state-led but they are opening up a little bit as we hear right? So just to circle back a little on Lauren said and build on it you know this idea of norms I mean the dynamic here was that Russia to some extent China and China kind of played more in the game later on it was really Russia's leading list in the beginning. Wanted a binding treaty, wanted worried about content on the internet they viewed information warfare but they viewed information as the biggest threat to them not the kind of technical threats that we talk about but things that would undermine their power structure or dissent or issues like that and so you know the US response as Lauren said coming up with these ideas of norms first of all the idea international law applies means this is not a free fire zone not anything goes so international law applies but international law is at this very high level you know it's when we have cyber warfare and despite all you read in the press constantly we're at cyber war we're not at cyber war yes the distinction is blurring but we're not at cyber war and that what we see every day are below those thresholds they're the thefts of intellectual property that we've seen they are the they're not petty they're the other kinds of malicious state activity that we see all the time and they have a large effect we also see criminal groups like the recent ransomware groups so what norms are our expectations of behavior they're not hard law they are a way to say this is what we expect this is what you expect a state to do and they really break down the two categories in the way I look at it or way many people look at it just not me norms of restraint so you know what the US did is counter the Russian idea of having a binding treaty that would try to cover cyber weapons whatever the hell they are with taking targets off the table norms of restraint don't go after X so don't go after critical infrastructure because during peace time during wartime you can just like and go after the train lines you know in a shooting war but you then have to obey certain rules of distinction and proportionality etc so don't go after critical infrastructure don't go after the certs or the C certs it's like going after the hospitals or ambulances on the internet so those are kind of norms of restraint taking targets off the table there's also norms of cooperation work with us on something you know if we have a common threat let's work together let's build build better confidence by doing that so those are the two kinds of norms and they agreed to 11 of these norms which are pretty comprehensive back in 2015 before everything fall fell apart now as Lauren also said this has been the province of states alone this is in something called the first committee of the UN which was the denizens of arms control people and when people talk like nuclear and other issues they don't generally involve other stakeholders states you these and the UN is not built for other stakeholders it is built for states which is great in some ways but kind of sucks in other ways because if you think about the the panoply of issues in cyberspace including the war and peace issues and and how norms are enforced and how they work you need people who understand how the fricking internet works as part of that discussion and that's not or that's not normally diplomats it's not normally government people who go to these meetings now it's increasingly changed there you know I was the first cyber diplomat in the US there are now 40 like that around the world great but you need some understanding of how these things work you need involvement of the technical community of academia of civil society because there are issues like human rights involved and you need the involvement of of industry too so those are important components but the UN is not really built for it there's been a glimmer of hope and change in that the UN in this last thing when they had this big open-ended working group which was all 193 countries they held an informal meeting where other stakeholders came together and I was there and now there was others and and some more other panels were there too and they were able to give statements and they were able to contribute the discussion so that's great by UN terms that's amazing right but it still is not a lot you know it still is a stepping stone you're not really involved in negotiations you're not even involved in a lot of discussions often now they were able to send in comments you can send in comments on various things and that's great but it wasn't clear that was really having an effect on the actual negotiations some countries were really good like Australia for instance in getting formally comments from their their stakeholders and and Canada as well and channeling that into their submissions to the UN and their positions but we're far cry from other stakeholders being clearly involved in these issues and for the reasons I stated I think that's an essential thing not that other stakeholders will drive these discussions at the end of the day states are going to decide what they're what they're going to do we're not going to do you know they're going to be the ones to decide that but it needs to be informed by other folks and that's an opportunity for people in this room to we'll get to that thanks Chris so one of the people to co-cris who knows how the freaking internet works is bill woodcock who leads packet clearinghouse in quad nine and also as a member of the global commission so one of the questions to ask straight off not only why did you join presumably you you saw the common good in it but what were the challenges for you going in and also what did you learn you're about as technical as it gets it was a very different community that you were engaging with what were your key takeaways so you know the the private sectors engagement in this conflict started in nineteen ninety two when the privatization of the internet began and we're twenty nine years into that process now it's you know in prior to that prior to the national information infrastructure plan was sort of the communist era of the internet everything was paid for by the US Defense Department they would decide how much you needed how much you got all the bills went to them you couldn't make more if you needed more and they didn't think that you deserved it you were out of luck you couldn't transact business around it you couldn't buy and sell it because it wasn't your property it was their property so this was Al Gore's big contribution to the internet the NII made it legal to make more internet bandwidth and buy and sell it and sort of turned over the reins to the private sector globally prior to that point also there wasn't really internet in Russia or China you know little tiny tiny token bits but not enough that as governments they took it very seriously so in the early nineties between ninety two and ninety six or so is when you see the emergence of conflict between particularly the US Russia on the internet and the problem here is that this is also the period when the internet is becoming private sector everything essentially everything new that's been built since nineteen ninety two has been built by the private sector at private sector expense private sector maintenance private sector investment this differs from normal national conflict because there is no no man's land no high seas there's nowhere where governments can conflict with each other that is not private property somebody else's private property and so this problem has been getting worse and worse ever since then and the private sector has more and more to lose as we become more invested in the internet as it becomes more central to what we have to do every day so this is not a new conflict it's been going on basically my whole career and you know it it's really difficult to get governments to pay attention when they don't want to and governments as Alex and Chris both said are very used to getting together behind closed doors in the UN just talking to each other and assuming that each government is the fully authorized representative of all of its citizens and their interests when in fact collectively governments have a lot in common with each other and the private sector has a lot in common with each other and the private sector now is pretty transnational in fact the internet particularly is really transnational you know most people on the internet aren't thinking well I'm gonna go and deal with other Americans on the internet I'm gonna buy stuff from American companies on the internet and there's gonna be some border there at the edge of America and you know I'll know if I cross that border that's not how it works right we all know that we're buying and selling things with people over the world companies that are incorporated who knows where doing business in lots of different countries and so this divide between private sector interests and governmental interests has become very stark and governments particularly the folks who are doing military stuff have a lot in common with each other and get together behind closed doors to try and figure out how they can create norms which normalize the status quo where the status quo is really problematic for the private sector the status quo of governments just sort of running around breaking shit and leaving the private sector clean up and then awarding themselves ribbons this doesn't really help us so that's that's why I continue to try and engage with them and continue to try and push the norms towards like don't break our stuff if you're not prepared to pay for it all right tired cleaning up somebody else's mess all right got that message going back online Michelle Kumar was one of the most active members from the non-state community in this open-ended working group that we referenced so she represents an NGO called global partners digital which is dedicated to promoting a digital environment underpinned by human rights so she tell please tell us how do you think that non-state involvement in this process worked and where did it not work well thank you Alex hopefully you can all hear me well thank you for inviting me I wish I could be with you and in LIS I've come to you from rainy land and then all our parts of the world need a lot of brains about that but yeah you asked me about how the OEWG was set up and how that worked including from a non-state stakeholder perspective and I think what's interesting as well to comment on is that as as Laura mentioned at the time when the OEWG was set up in 2018 through a resolution it wasn't very popular for for the reasons that were mentioned that enters this political disagreements and lack of common values and an understanding of how the internet work and for who but over time it became a space where I think a number of states who hadn't originally supported it realized it was useful for opening up the discussion and really for raising awareness about what had been agreed in a more closed format the GGE format and that the responsible state behavior frameworks of the norms confidence building measures and other things that have been agreed with a wider community and it was also an opportunity for NGOs or for non-states stakeholders to get involved and as we've heard from from Bill and others that's that's really key because ultimately we're talking about a technology that that is managed by non-state stakeholders so like the thought the fact that we hadn't been engaged at all in the discussion so thus far had been really that had been lacking so there was an opportunity to engage stakeholders and that happened I think as Chris mentioned through an informal intersessional in December 2019 but the substantive sessions where the discussions happen in between states were closed unfortunately in the end to acro-soc accredited NGOs so that was really unfortunate for those who are not ex-soc accredited and that's a lot of my stakeholders who are relevant and who are stakeholders in these discussions so reason for that is the the disagreements around and the values as as Thorn mentioned right who should be involved in these discussions and and who are the relevant stakeholders and unfortunately although it could have been more open it ended up being I think my understanding is like unprecedented in the sense that it was blocked to entry of those that applied to engage but couldn't in the end because of member states blocking that engagement there was an opportunity as mentioned see that informal intersessional but really unfortunately the US is defined by the strictures and it's not the the only time that's been difficult to gain access to discussions so there are apart from the formal opportunities to engage also the informal so NGOs whether it's civil society academia or those who you know the techies can utilize different ways to to share perspectives including what we might call more informal opportunities so space is outside the UN and bilateral or are we like building relationships with the key stakeholders there with diplomats and one thing that we did is proactively create a space to input into the OEWG's report with member states who are supportive of NGO engagement and it was initiative called let's talk cyber which we held through virtual platforms last year we held a series of discussions to directly well indirectly input into all of the OEWG mandate discussions and we we built a report out of that and submitted that to the OEWG so I think you know as we look forward to the new OEWG which is going to be having this first meeting in a few months time with the modalities are still been discussed we need to keep pushing for more open formal modalities and opportunities for engagement because as you know my fellow panelists have just mentioned it's so important for us to do that but we can also utilize informal opportunities and we need to keep doing that because these discussions are very key right well lastly but certainly not least so Martin van Hornebeek so Martin is a former chair of first that's the form of instant responders and security teams which is probably the closest thing that we have to a globally representative body of technical cyber defenders so Martin why were you guys involved in this I mean you're involved in a lot of things and do you think that though and some of the things that you're involved in are pretty informal so you're involved the formal process as well so how did that play out for you the formal component versus the informal component first of all thank you for the opportunity to be here today Alexander when first got involved into this it really dates back quite a few years first is the global community of incident response teams of blue teams if you will and we have about 590 teams across 98 countries so we are truly global and historically we have been an organization of engineers people who felt they could solve internet issues through code to working together and building technological solutions and we did that by making sure that incident responders when they had an incident they could find other incident responders within our community to respond effectively and making sure that they have the right standards and technology to work together and exchange information now within the incident response community what makes it really unique is that it has this very deep mesh of trust I remember very well when I lived in Belgium in the mid 2000s and I was working on a set of targeted attacks investigating them I could very easily send an email to another incident responder in the United States or anywhere in the world and ask them for some help and we would start collaborating in that trust would really develop now in the last 15 years or so there's been a significant increase in governments policy makers taking really strong interest in cyber security and I think that just makes sense there have been a ton of incidents from the big internet worms in the early 2000s over Stuxnet Diginot or Avalanche SolarWinds that have just had a lot of impact both on national security in some cases or the economy in other cases and as a result they have started looking at us and sort of describing or trying to understand what it is that this technical community does and I think in many ways they kind of categorize incident responders as being sort of the fire brigade of the internet the people that kind of jump up when there is an incident and deal with the technical outcomes now first over the years added us goal to educate these policy makers on what it is that incident responders actually do to avoid being prescribed or bucketed in a particular category and that would make it difficult for us to actually do our work and a few years ago I had a good conversation with a diplomat from a particular country who shared with me that they were working on an idea to have essentially every cyber security incident in the country be reported to one national entity and that entity would be responsible for international collaboration and I kind of asked them why they were doing that one of the things that came out of that was a document that a UN GGE another UN process in 2015 published and that document actually literally said that states needed to take some ownership to not allow their territory to be used for internationally wrongful acts using technology and that can be actually a scary sentence like by itself if you read it as a technologist you might not really worry about that but when someone who isn't a technologist reads that they might suddenly read that they need to take responsibility for everything that happens in their country and as I said incident response where the big incident happens we have to be able to respond to it in minutes and hours not in days and weeks so we can't really push it to a national entity to take over that coordination and so as a result we felt it was really really important to provide some of that technical insight some of that perspective in the OEWG discussions and that's why we really really go involved and I think we didn't get a ton of the language that we directly propose necessarily into these documents but with any political diplomatic process the process is as important as the outcomes and so what we did see was that through our own engagement and working really closely with people like Schittel who really enabled civil society to engage with particular stakeholders we were able to help shift that language shift that thinking and that's an ongoing process that I feel is going to take many many years and is going to require a lot more of us to actually get engaged and and educate and I should just add there's a sort of funny incident that Martin is aware of that years ago during one of the first annual conferences in Malaysia I was giving the keynote speech and I talked about this idea of norms including the one protecting certs and the other disconnect here is that the people who do these norms including back in 2015 didn't really have much connection with the people even they were trying to protect in this case the the C-certs and several people in the audience raised their hands after I gave my speech and said hey wouldn't it be great if the UN did this and I said well they did do it like two years ago and that and not having any dialogue between those communities makes so little sense just on that point and just Martin also for you to follow up and really everyone to comment I thought it was really important to highlight that you were getting involved also more or less other defensive purposes because you were reading basically bullshit and you needed to comment and call it out and it just reminds me that in some of the conversations I've been in and like in the OSCE and other intergovernmental entities the first thing we want to establish is for instance a hotline and everyone wants a hotline it's the favorite thing that everyone has and I asked at one point have any of you heard of I-Knock DBA which gentlemen next to me has had a definitive role in setting up and that is already kind of a hotline for for cyber defenders and of course they haven't so they ended up building up their own hotline so my question to really that all the panelists is what happens when these things really are get introduced on top of each other to the conflict and it's a conflict really a question also for for Bill did it just get ignored or is it really a value added and if it isn't a value added if it's a conflict do you have to do what Martin does and get directly involved with your policymaker and say please back off you're about to break the internet again I think you know Martin really has it right that you know when government looks at this and you know behind closed doors several governments have gotten together and said well you know there's a problem here clearly we're the ones who should solve it because we're the only ones talking to each other you know we'll solve it by making ourselves individually responsible for what happens inside our countries which we already are and to be responsible that means we have to take it over you know no you don't want your fire department run by UN bureaucracy you'd like your fire department to arrive before the fire has already burned down the neighborhood not like next year sometime and you know my take is that I'd rather governments weren't exclusively the domain of pyromaniacs who like burning shit down so you know this stuff seems kind of self-evident to us but we're not the ones behind the closed doors in this echo chamber it's really hard to know how to deal with that other than this sort of continued campaign of engagement and education many governments are like the US government where the average age is 24 and they've just graduated from you know a poli sci program somewhere and done an internship and now they're the experts making laws and you know they haven't actually been out there doing anything and they haven't actually had responsibility for anything yet with any consequences to it and so it's really difficult particularly I mean the military big militaries are the worst there because they just you know award themselves medals for offensive actions they're sitting there throwing rocks with no concept of whose responsibility it is to repair the glass houses and you know no idea of defense right there is zero blue team out there you know in military so you get these these weird splits like in the US between DHS with defensive responsibility and and cyber command with offensive and cyber command I mean I can't even guess what the difference in budget between cyber command and sysa is but you know safe to say that it should be the other way around if we don't want to be constantly having things broken okay well speaking about burning things down and throwing stones and glass houses and things like that government sometimes is concerned with letting people like Bill into their hallowed halls so what are they particularly concerned about Chris and what are the rules what are the rules that people need to learn certainly don't have monopoly and Laura and I think you were you were government only don't monopoly of burning things down and certainly you know I think it's it's sort of my office to say it's like the US and Russia at only every country that has the ability to build you know cyber offensive tools is and that's a lot of countries so these this idea of norms this idea of expectations the idea of taking things off the target off the table is really important because that helps build stability in the long run so so I don't think there's you know the danger to have that engagement you want that engagement to help inform these things and some of the norms even that we were just talking about like the one about you're responsible for things happening in your territory that could be used in a very good way so let's take the ransomware example that's happened now even if these criminal groups are operating without the imprimatur of the Kremlin you know I can argue that both ways but let's say they're not then that's what the by the administration said that norm I think would apply in saying that Russian the Russian government still has a responsibility to do something now it doesn't mean take over the internet it means that they have responsibility to go after the group and I think that that's really important so so you know it's part the norms are important how they're interpreted and actually used I think it's really important and that's where other stakeholders I think can really provide that context Lauren you want to jump in yeah just you know on the question of you know the practitioners being in the hallowed halls of government I think more and more at least we are understanding the utility of that right so the whole conversation around you know public-private partnerships bringing experts in I mean look at our our leadership now you know at the highest levels of government these are people who really understand these particular issues so I am hopeful at least that the conversation is starting to evolve and you know we're getting better at that she told it what do you think in particular your group focuses on human rights concerns and some of the security topics are pretty dominant there's always been the point out there that because of security we might infringe on other interesting aspects of daily life like for instance our right to privacy how does that all play out for you and how do you see your role in in getting to governments to to rein in their behavior yeah well I mean these the norms and the discussions at the UN are about how states behave and states have obligations under international law which which includes international rights so ultimately the the way they behave what they invest in what they do what they don't do has an impact on on human rights so it is a question of being there and reminding them of that and the links and also how what the commitments that they've made for example the norms linked to human rights but it's also I think something that like as someone else said like it's something that is it's a process it's kind of continuing it's a way that we we are constantly defining and understanding the norms and the commitments and that's why it's so important for a wider community to be involved in shaping that understanding because it is an evolving discussion and that's how we see I think it's really important for everyone who's a stakeholder which is really because we're also dependent on the on the internet and we're also impacted by how states behave in cyberspace and so that's why it's really important we are involved in these discussions that can bring to the table what's actually happening in the real world outside the hollowed walls how it's impacting people and societies and so that the discussions that are happening there are shaped by reality what's really going on so just a final question to the panelists and then it would be great to hear questions from everyone here so Chris and I had an interesting question that around table we did this morning which was basically the point of this panel which was this really scares me how can I get involved I'm reading really scary stuff in the paper every day bad laws bad bills bad treaties what can I do so this is the question to everyone on the panel what's the best way for people who are not part of prestigious universities or established NGOs to really get involved in these discussions and participate so who wants to go first maybe I'll start and just say look there's you know there's strength in numbers too lots of people here are members of different professional organizations they're members of universities as Alex said that there are lots of you know there are lots of civil society organizations that you can join and be involved in one thing that even though there were some states that blocked this larger multi-stakeholder involvement not surprisingly like China and Russia don't really you know all the stakeholders in China and Russia are kind of owned by China and Russia so it's a little different dynamic but they were able to agree all 25 countries are able to agree that where all stakeholders have a role isn't implementing the norms where it's really where the payday is right so how how you interpret those norms how you carry them forward how you actually implement them is a critical part and that's where I think there's not even opposition to other people getting involved Alex mentioned that one of the things I do now is run this global forum on cyber expertise it's got 60 countries it's got about dozen about two dozen industry participants it's got a lot of civil society including some of the people on the screen and so it's been a good forum to do exactly this to use capacity building to train diplomats talk about norms talk about building C-shirts talking about cybercrime issues there are lots of opportunities out there they're not as accessible as they should be I think Alex I think the problem is that especially folks in this room just don't know what those opportunities are and we need to do a better job of trying to make those more available to them I think Alex one thing that I would add is from my perspective it's still too easy to discard another stakeholder groups perspective it's still too easy for engineers to sit together and say we don't want these policy people involved let us do our thing it's still too easy for government representatives to think they can actually solve it all and I think the first thing we all need to do is really think about like what are our roles and responsibilities and understand that the internet is actually something that involves all of these and really describe like what is our piece in this and what is the thing that others don't understand about what we're doing and how do we get that across I think if we can solve that problem and we can really figure out how to engage with each other across those boundaries by learning each other's language and starting to use it a little bit more and I think that is going to be a really really big impacting thing for all of us to get closer together and then I think it's just the key of finding organizations such as the organization that Chris is responsible for first many other types of organizations that engage and just asking for opportunities to connect because those opportunities do exist but to Chris's point they're not always equally accessible but if you reach out you can find a way in I think just reacting to what Martin just said I think you know I would like to credit all participants with good faith participation in the conversation but I think it's difficult for internet folks who view the internet as underpinning commerce globally to credit good faith on the part of diplomats when diplomats are looking at all of the things in front of them as being fungible and are happy to throw the internet under the bus in exchange for a pipeline right of way for instance it only a majorly gross over simplification yeah it's it's a it's an example it's a gross simplification but it's what diplomats do it's their job to take a whole lot of different unrelated interests and trade them off against each other and you know the internet is an interest and we don't really like being traded off against some random unrelated thing and that's that's something that's really hard to get past particularly when we are used to multi-stakeholder governance and we're used to in fact being a bunch of the different stakeholder groups in a multi-stakeholder governance discussion and government is used to top down you know a few governments get together make decision and tell everybody how it's going to be so that that's a really tough divide to bridge in how to have a conversation which is not say that we have any alternative but to try and bridge it okay well thanks do we have any questions from the audience I mean we covered quite a lot of ground here can have a general show of hands a bunch of them in here too okay please sir similar structure okay just repeat the question what you literally said is if it's possible to apply national and international bail bondsman concept I don't know about international bail bondsman but a bail bondsman concept overall to an international international domain so I guess what you're also asking is about the ability to hack back on behalf of governments or to pursue or to pursue cyber criminals abroad is that right and that's exactly the issue look you know there's no real in fact even in bail bondsman let's take it out of cyber for instance the bail bondsman goes to France and tries to kidnap a criminal and bring them back to the US they're going to get prosecuted in France that's that doesn't work in that scale what happens in cyber crime and cyber and these other instances if it's not state sponsored let's say it's these criminal groups we just can't like land marshals in the territory and go after them we have to get the cooperation of the other government and there are treaties or MLAT with mutual legal assistance their extradition treaties the problem is there are countries that are safe havens we're seeing this with Russia and ransomware now so how do you deal with them and that because more of a geopolitical issue you have to put pressure on the leadership of that country to play ball that's hard with Russia for instance but that's what's being attempted right now and then if you can't you have to think about how you can disrupt these criminal groups or in addition to that how you can disrupt these criminal groups even if you can't get a hold of them and that's the reality and governments love to play coy about whether they are doing something or whether it is you know unsanctioned private parties within their country that are doing something or whether haha it wasn't me it was you you know stop stop beating yourself on the head right it was a botnet in your own country and yeah let's not discuss where the CNC for the botnet is coming from it so it it's it's really complicated to do this when governments are not governments are not declaring war here right Chris got it thank you got it thanks yeah it's not terrorist it's it's well there's also that also gets on the topic of which some governments get really excited about which is hackback as a concept and in our commission that we we have eight norms that we put forward one of the norms are don't do hackback in the sense of not that you should protect your your own networks but you shouldn't go off and try to steal back your stuff or destroy the you know the mothership with a CNC server where that stuff is on precisely because you never really know who started that fight and governments are worried about inadvertent escalation happening when there's two parties fighting and that can't be really clear who who started this let me just go to the chairman over here do we have any other questions so okay that's gonna be the last one thanks oh that's really interesting question so the question was do the digital cyber sovereignty infrastructure structures that some countries like Russia and China have will it spread to foreign to other countries so basically their emphasis on protecting their own quote unquote cyberspace having a clean information domain and policing their own information the information published in that domain right okay so you're talking about bricks net and stuff like like like the bricks going off and creating their own internet and stuff like that okay so an interesting question to ask is why have governments not always regarded the cyber domain as something that they have defensive responsibility for so China and Russia both look at the cyber domain and say well we have to be able to exercise our defensive responsibility here what do we need to be able to do to make that happen what does defensive cyber look like at a national scale and that drives their actions and we look at that and say well you know that seems pretty totalitarian but you know it there's at least a clear logical path there and you know we don't have any of that so I sort of I sort of agree with that to a point but what underlies they're trying to control the internet is about political stability more than it is about cyber stability so they are worried about descending speech there were you know the great firewall China is built for this and the worry I have and I think you're right I think the one of the worries I have is that a lot of the developing world wants to be a prosperous the prosper wants to prosper and the economic growth and other things that a strong internet can have is great but the same time they like stability and so China and Russia are working very hard in those countries to get in their building their infrastructure and others to try to sway them in that view all right thanks we're over time already and we haven't completely taken down the walls between infosec professionals and cyber diplomacy maybe we've loosened the bricks a little bit so please join me in thanking the panelists