 Welcome everyone. I'm Liz Sylvan. I'm the managing director of the Berkman Klein Center. Be her. And I am very honored to welcome you to this talk today. Before we get started for people who are virtual today, you can use the Q&A function in Zoom to participate. We'd love for you to send any questions that you have for the panel. And for folks in the room, this is being recorded. You are not being recorded in the room, just the speakers. But if you speak or say your name, that will be on the recording. So this is the third Org Fund colloquium on cyber security and cyber law. And we are very honored to have Marta and her panel here. Before I talk about Marta's many accomplishments, I will want to just say a little bit about what we have come to know about Marta and the time that she's been a fellow with us. She is one of the 2020 3DKZ Fellows. So when we were first reviewing applications for this fellowship, Marta was interested in working on education in multiple countries, including the Ukraine with US AID. And we were impressed with her policy background, her legal background. And I was also really impressed with how she thought about learning and the perspectives that she brought to that. That was not what you would typically find for policymakers. I would have applied about two years ago a little bit more than that. By the time we were reviewing the applications. The invasion of Ukraine had already happened. And when Becca to basket who's sitting over there, and I interviewed Marta, she was not in her home city. She was in a dark space and somebody else's home with the lights and internet going on and off, having to periodically evacuate due to bombing, and was really considering how this would impact her work. And was thinking perhaps she might want to work for a tribunal court, which is also very much within her capacity. Dimensions of her, her capabilities. It was a really trying moment for Marta and it's as it has been for all of the people in Ukraine and for people all over the world who go through these kinds of situations. By the time Marta came to us, we were honored to have her in our presence, and she had already rethought what she wanted to do, and has had this time with the fellowship to reflect on how she can reconnect with what she wanted to do originally, and build it beyond her original conception. And we are very grateful to be able to see this growth path, and to have her as a member of our community. So, I'm also going to tell you about her official accomplishments. She was an expert with an extensive background in judicial and public sector reform in the Ukraine. She supported state institutions civil society and international organizations to improve the quality of governance, including and through integration of technology and digital school tools, including things for schools. So, her work now really is focused, not only on education but on human development for the rebuilding of Ukraine, and also conceiving how this might impact work across the EU and beyond. And so, with that, I hand it over to you, Marta, and to your panel. Thank you so much Marta, it's a real honor for me to be part of this community, and I'm very very grateful to everyone who is here today and participating, hopefully you will participate and ask questions today as well. I had a privilege to work with today's distinguished speakers on two major reforms in Ukraine, one of them on law enforcement, the other one on judicial. And I believe that those reforms have actually helped Ukraine in building its capacity and resilience to withstand security threats, including state-sponsored cyber attacks. In the years we've seen that cyber attacks have increased in their sophistication and complexity. And what we questioned and what we thought we knew before February 2022, unfortunately came to reality with the full scale invasion of Russia. They used internet and other computer network as an additional weapon to first disrupt the work of state and local institutions. They wanted to spread this information, they wanted to saw mistrust. And they also ended up destroying first targeting and then damaging critical infrastructure that puts all of our lives in great danger. So I want to make it very clear that cyber attacks now are not just an attacks of machines on machines, but they are intended on people and they can hurt people. As a citizen, I really felt the impact as you have already mentioned and what the other feature that I feel like we all need to understand of the current cyber attacks is that they expanded to many, many targets. Russia started from targeting first state and local institutions, then they spread to all types of critical infrastructure and utilities, including electrical grid, water supply systems, heating systems, and then they spread to all individuals and businesses of all sizes, even logistics and humanitarian organizations. So I would say no one is immune anymore, and we have to understand that. There is no conversation with the representative of Cyber Security Department of State Security Service of Ukraine, and only this institution alone. Last year countered more than 4500 cyber attacks and incidents. The most if not all of those cyber attacks have been complimented by, they have complimented kinetic military actions, which, again, made put all of our lives in really great danger. So with the cyber attacks. I think the other factor that is different from what it used to be is that Russia is now complimenting them with sophisticated information influence campaigns that included this information and propaganda, and their intention to target not just people in Ukraine, or in Russia, but outside of Ukraine globally, they want to ship the opinions about the reality. They want to so mistrust again, they want to polarize the societies and then they want to threaten democratic processes in different countries, not just in Ukraine. And unfortunately, when we look at the actions of Russian Federation, many other autocratic governments, including in China, North Korea, Iran, they are emboldened by the actions that have been done by the Russians, and they are now targeting not just Ukraine but other countries, including the United States. And I've seen reports from Microsoft, Amazon Cisco, which basically are now reporting about great danger to other countries, democratic processes. So I want to make it very clear that from now on, we don't pose the question of if it's the question of when and then how, how we resist, how we respond, and how we recover. So to think about cyber attacks, I want all of us to think about the irony of that, because on the one hand, they represent, they may represent a successful cyber incident, open attacker, but once identified, they also provide an opportunity for a defender to spot techniques to support tactics and procedures that will help us to identify and then toward the ongoing and hopefully future cyber attacks as well. And today's event, I actually want all of us to focus on significant efforts that Ukraine has made together with the incredible support of its partners. And I want us to think about the lessons we can adopt ourselves in our communities and our organizations to be better prepared for and to be able to respond to cyber attacks that unfortunately exist today. Just briefly, I want this conversation to be as much conversational and useful to you as possible, so there will be after presentations, you may session, please use the opportunity to ask questions. I am delighted to introduce the first distinguished speaker, Dr. Robert Peacock, who is Di Global Senior Technical Advisor in Cyber Security to USAID's Europe and Eurasia Bureau's Critical Infrastructure Digitalization and Resilience Program, to support cybersecurity across 12 countries in Central and Eastern Europe. He also teaches in the Department of Criminology and Criminal Justice and the Global Affairs Program at Florida International University. And he spent more than 15 last years managing overseas training and assistance programs funded by the US Department of State, Department of Justice and the Department of Homeland Security. Thank you very much for that kind introduction, Marta. Let me share my screen here. I don't know why it's moving now. I got it. It's good. So again, I'd like to, not only thank Marta, but also the Berkman Klein Center for inviting me today, and a great job of this, and Zia's been doing, putting this together. And I, as you can see from the slide behind me, you want to share it to the file, don't you? I know I'm making a mistake. Zia's always there, though, saying to me. So what I want to emphasize with the title of this, and I'm going to share two lessons which I think are relevant to the United States, and in fact, the wider globe from the first year of cyber war. And I'm saying that very purposely, first year of cyber war, because for two decades, there's always been an asterisk for anyone studying, researching, or discussing cyber war. And that asterisk was, this of course is hypothetical. We don't, in fact, know what a cyber war would look like. We don't know the parameters of a cyber war. We've never had a cyber war. And what I would like to argue is that, what I would like to argue is that we are now in the midst of a cyber war. We have two countries with top 10 in the world IT industries and workforces at all out war. And they are using cyber offensive weapons that have never been used in conflict before. But regardless of how you fall out on that, because it has been debated, I should point out that there's a subject, you know, since 2014, what existed in Ukraine, it was a limited kinetic war, right? I was there in 2014 with my family when Crimea was first taken, and then Special Forces moved into the Donbas region from Russia. But over the subsequent eight years, there was what, without a doubt, was a limited kinetic war. So the debate was, well, is this an all out cyber war or not? And that has been debated throughout those eight years. But before getting to that, I do want to emphasize that over those eight years, there were unprecedented cyber attacks. I think many in the room are familiar with a couple of them, but I do want to go over them, leading up into my discussion. The first was in 2015, when the Russian military intelligence unit by the name of Sandworm created something, another name, the Indistroyer. And they took advantage of substations on the electrical grid of Ukraine, which were in the midst of a pilot program. Ukraine wanted to connect their grid to the EU, which was done this immediately after the invasion, but they had been spending several years to do so. And the first step was a pilot in Western Ukraine, where they had to digitalize for the first time, but the EU hadn't yet funded the cybersecurity stage of that pilot. And when Indistroyer arrived, it did knock out substations in Ukraine for half a day. And that is today the most studied attack on a physical system. So here we're talking about OT. So this great dread we have that besides affecting information systems that a cyber attack could penetrate and actually do harm to the actual machine tools, the actual operational technology in a firm. And this is the course, every SCADA course in America, every electrical engineering program in the country. This is the most debated and discussed purely cyber attack. Now, there are some cases around the world where a USB and an insider did great harm, but this is the most studied SCADA attack. The other famous or infamous, if you will, cyber attack was in 2017, when Natyat was wreaking havoc, not only in Ukraine, but in the outside world. So it's well known. In this case, this was a wiper wear that was distributed and I was also in Ukraine at the time. And in Ukraine, the main attack was through point of sale terminals. A Russian firm had had a monopoly on point of sale software across Ukraine for many years. And even though it was now an affiliate, they had managed to put the malware across the network of point of sale terminals to the point where I was trying to get gasoline taking my daughter to practice. And we went to three gas stations and there was just bricked terminals. They didn't know what to do. They couldn't make a sale. It was psychologically very damaging without a doubt. And Natyat is largely seen as the greatest economic impact of a cyber attack, more than $10 billion worldwide. The UK health system had a system that was so antiquated that the producer of their, the actual vendor provided their network software had gone out of business years before. So it was going into the ransomware era in a very vulnerable state. And sure enough, it was one of the biggest victims of the not petchia virus. But those two attacks, though unprecedented, it was difficult to argue and was much debated whether this was all out cyber war. Was Russia holding back? Did they have red mines? Well, now here it is in 2023 and we've got dozens of war crimes. A Russian state that decides to send a smart weapon from a plane to destroy a theater in Mariupol, which I've chosen here as my picture on my slide. This was a decision made despite months of advertising that those were children in there, that they were Russian, primarily Russian speaking refugees from the city of Mariupol huddled in that theater. And yet a decision was made to blow it up. And so it's very difficult today for someone to make the argument, well, Russia may be holding back, maybe they're a little uncertain of whether they want to take a particular cyber offensive technology that we're unfamiliar with, something that they could be, they could choose to add to the ongoing conflict. Today is largely assumed that Russia is at an all out cyber war, committing all out cyber war, along with their conventional war. But regardless of your view on that, most definitely in February 2022, the Kremlin made a clear decision that they were going to increase the cyber attack as part of their invasion into greater Ukraine, which took place, as you know, a little more than a year ago. And that definitely included an increase in cyber activity. So there were two to three times higher DDoS, or these are denial of service attacks, the sort of thing that bring down websites. And in the case of Kiev Star, the largest mobile phone company in Ukraine, a record two terabyte per second DDoS attack took place. Actually, it's a little shy of the record. There was a attack in Asia on Microsoft Azure that was a little higher. But it clearly demonstrates the high volume that the high volume of the attacks that Russia was willing to commit with the start of their land invasion. So as far as other indications that were at a state of greater cyber war, they also set aside a particular malware that was specifically aimed at the device you see pictured here. The plane I took from Miami to here had a nice Biasat logo on the side of the plane because they are the main provider of Wi-Fi if you fly a plane, if you're on Air Force One, US Special Forces, anyone outside the traditional map of the worldwide web such as offshore oil platforms, they all tend to use Biasat. And over the first eight years of the conflict in Ukraine, the Ukrainian military also used Biasat as their backup for internet hotspots. And on the week of the invasion, malware shut down brick 22,000 of these modems across the world. Now very few of them relatively speaking were in Ukraine. But clearly this was an attack that was a decision on the part of the Kremlin that they would increase and make use of something they'd been saving up over time in order to increase these pressure on Ukraine from a cyber attack. Nonetheless, Ukraine has proved resilient to these attacks. In particular, I always use these presentations, I always include a photo of a cable guy because what's much overlooked is the fact that it's the sacrifice, particularly lives lost of Ukrainians who are continuing to keep up their main source of data transmission, which is the cable guy and which is the wireless tower workers including in the combat zone. You might not know that I'm reading US newspapers because we have a very popular American who has his own business providing backup internet hotspots in Ukraine. And that comes into a very important third place and the importance of data transmission in Ukraine. But I want to emphasize that this resilience of Ukraine can also be demonstrated in terms of the actual security breaches over the year of war. So I'm using data from North Security. North Security is the largest VPN provider in the former Soviet region. It's based out of Vilnius, but they are pretty good with statistics in this region. That is, again, otherwise very difficult to monitor. And they report that over the last year of war there's been a decline in the number of security breaches in Ukraine. By comparison, there's been a considerable up increase in security breaches inside Russia. So I give this first half of my presentation to really kind of set the table about this concept of Ukrainian resilience, which is pretty commonly the position held across the cyber security community in America as well. And I want to reflect on what are the lessons to the United States and other countries from the resilience in the face of an all out cyber attack. Again, unprecedented in history. So the first of those is the topic of supported network software or the opposite of supported network software, which would be pirated software or software that simply isn't maintaining its connection to the vendor so that they can be patched and so forth. And this is particularly important in the global south. And this was very much true in Ukraine. So in 2017, I just I talked about this not petty attack, right? 2017 had a huge impact across Ukraine. And at that time, triple SCIP, which is, you know, besides stopping a lot, a lot of cyber security attacks, they use more constant as than anyone else in their nomenclature. Triple SCIP is responsible for cyber security for the government agencies in Ukraine. And since the war started, private sector as well. And triple SCIP in 2017 reported that as much as 80% of network software in the public and private sectors was unsupported. Either it was pirated or it was simply as often the case when you have a systemically corrupt country, you often have, well, the most profitable position is often the IT administrator. You're responsible for buying millions of dollars of thin air. The comms come and they can prove nothing if you've paid retail price for a pirated piece of software. The rest of the company, the rest of the ministry, it's without a doubt the most profitable part of any ministry when it comes to procurement. And in particular, public procurement corruption, what it tends to do is incentivizes the wrong behavior. So I worked for several years in Ukraine. I managed the Department of Justice Law Enforcement Project Office. And we would on occasion try to support IT even though we knew it was the wrong side of the track to try to accomplish something. But we often say, for example, we wanted to support a trafficking persons unit. In a new trafficking persons unit, we wanted to create a separate off the stolen and unfortunately untrustworthy main network. So we wanted to buy hardware software and establish this for 10 or 12th analysts. And we would come and they would look at us and say, you've got a nice proposal, but our boss says we buy Oracle or nothing. I said, what of Oracle? You don't have 500 employees. Why would we spend this money? And they would say, we walk or Oracle. And it's for simple reason because it costs a tremendous amount of money up front, huge kickbacks. Yes, you'll never be able to pay the license fee the next year, the next year. If you're the corrupt IT administrator, you don't care. And even at the time we're discussing, I don't mean to pick on Oracle who are doing good things in Ukraine right now. But at that time, Oracle would say, well, we're not even selling right now anyway because no one in this country is paying the license fees afterwards. Because of course, there's no rents to be made. There's no corruption you can gain from paying the license, maintaining their relationship with that vendor. And this is true across the global time. And so what I would like to point out in terms of Ukraine's resilience is this little laptop right here and the auction procurement site known as Prosoro. And Prosoro, which actually was started because it takes a long time to set up a public-private venture that would replace all government procurement. So in Ukraine now, the only way a government ministry can buy anything is through this independently operated private sector, public sector combination of a committee funded initially by the Council of Europe years ago. But now every donor has pretty much added to it. The UN actually uses it for their own procurement now in the country because they trust it more than their own internal system. And this Prosoro, which became sensually operationable on a large scale in approximately 2017 and approximately the time of Napecha. And over those five years since, it's had a tremendous impact on the procurement of IT in Ukraine. So earlier I mentioned that 80% of the networks were unprotected software. Today, well, let's more accurately say in February 2022, SSIP estimates that the ratio had actually flipped. And now 20% of the network at that time, at the time that Russia launched, not only did it launch an industry or two at the time of its invasion, it's already tried 12 different wiper ware that were modeled after Napecha. And this time, however, they were going into a very different place. A place where 80% of networks, public and private, were now not pirated, but actually had a licensed relationship with a vendor, were actually regularly patched, and were far less vulnerable, as has been demonstrated by the Ukrainian resilience. And this is a lesson, I think, and quite honestly, this is one of my main research interests, which is the overall Global South vulnerability to cybersecurity, something that's largely overlooked and globally, at least until last year. 2022, in many ways, was the year of the Global South when it comes to ransomware attacks. So this is just a list of successful ransomware attacks in governments around the world. And these are the governments who admit it. Two months ago, the Department of Justice took down one of the important, one of the larger ransomware organizations called The Hype, and they managed to secure all their servers. And examining The Hype, they found, because they were able to literally determine exactly who paid ransoms across the world, and they found that less than 20% of those who paid ransoms ever even admitted to being attacked, nevertheless being ransomed and paying a ransom. And that number is even lower in the Global South, I would argue. So to finish this first lesson, I would argue that in many ways it's been a perfect storm in the Global South. They leave the world today in a portion of digitalization. They are rapidly becoming digitalized over the last few years in particular. But from the ransomware perspective, they have a preference to pay. So think if you're a corrupt IT administrator sitting over a ministry in a impoverished country with systemic corruption. If you've just gotten attacked and much of your data is locked up, you have a choice. You can turn a new leaf over and become an honest. And I'm going to, from now on, only have legitimate software on my system, and I'm going to pursue a new course. Or you're going to say, well, that corrupt ransomware, he wants me to pay him. We quietly get this all resolved, and I continue with the status quo. Which do you think they choose? Are they going to choose to attack with paying quietly and no one knows better? Or are they going to try and actually strengthen the country? And so as a last point on this, and this is again more personal, I'm trying to turn attention to my own writing, but I have an article coming out at Thurwood Poorly in the next few months, which specifically examined the national cybersecurity strategies from the Global South, at least the 30 that are available electronically. And although 30, and I also threw in the North American and the European strategies as well, but in all those strategies, there's not one reference to the word corruption, not one asterisk, not one footnote. And I would argue, at least in my personal opinion, that public corruption is the single most, the single strongest, the single most influential element undermining cybersecurity in the Global South. And yet it's still largely overlooked both by the donor community and the countries themselves. So that's the first lesson. I want to kind of take a Global South perspective now. I'd like to turn more for a U.S. perspective. And that has to do with the role of the network software vendors in Ukraine since the war started. And this has really been a surprise as well. And clearly part of Ukrainian resilience, unarguably, a major part of Ukrainian resilience is the surprise of particularly the Big Three. So by Big Three, I mean Oracle, Microsoft, Cisco, they, since day one, have moved entire threat intelligence centers into Ukraine. They are operating on the front line of the Cycle War. And this is something that no one could have predicted. They are literally, you know, in the process of both scanning, identifying and patching those vulnerabilities on their software in the country of Ukraine. Because, of course, part of it is they don't want to be victims themselves. They understand the next apetia also impacts them globally if it's aimed at their particular weaknesses, vulnerabilities. And so in the last part of my presentation, I would like to make the case that this role, so if you're in Washington, right, so if you're Kembo-Wandan, right, Kembo-Wandan, National Director of Cybersecurity for the United States in the White House. And you're saying, you're looking and you're seeing the major producers of network software. They're on the front line in Ukraine. But where are they in the United States? Where are they on the cybersecurity struggle in the United States? And I argued that this past year has had a tremendous influence on the decision that was made a few weeks ago when the 20.3 National Cybersecurity Strategy came out. That they are going to make a major shift, a fundamental shift in how we the United States regulate cybersecurity within our IT and OT industries. And by that, I'm particularly referring to the perception on a part of the policymakers that the last decade of carrot approach, we have a voluntary approach to cybersecurity when it comes to makers of software and solutions across the IT and OT industry. Their view is that we failed to one incentivize security and conception, right? Security by design is the popular term now. We failed to achieve that through the current approach. Two, that approach has created a structure in which the most important agencies, the most important firms dealing with cybersecurity are small boutiques to after-sale activities versus the actual companies that are best positioned and most capable of reducing vulnerabilities in our network software, which is the producers and programmers of said software. So I really believe, and I wanted to finish this presentation by making an analogy. An analogy to, well, this gentleman, by the way, a Harvard law grad, Ralph Nader, something this gentleman led in 1966, which was another industry which was failing to design safety within. So in 1966, at the time that Ralph Nader wrote his book, and this is him testifying before Congress, but at the time there were no seatbelts available in U.S. automobiles. Despite the fact that a small boutique in Wisconsin had invented it three decades before and actually made good money selling that to some after-market auto owners who wanted a seatbelt and didn't want to go to Scandinavia to buy their car. There were no bumper tests. And a year later, in 1967, Congress completely altered the universe when it comes to how we interpret safety in the auto industry by creating the National Highway Transportation Administration. And so what I would like to finish making a further analogy, if I go even further down the analogy rabbit hole, I would suggest that the seatbelt is in many ways analogous to today's debate over dual authorization. So all of you are aware of dual authorization when your bank suddenly says, you've got to get a second, besides entering your password, you have to be authorized by a second device. But I was just thinking about this analogy came to me a few months now, I guess, when I was at a cybersecurity insurance panel. And the panel before me had CISOs. These are the chief of information security of organizations. And this panel of CISOs, they were arguing against insurance industry in particular wants to push these companies to have dual authorization. And one CISO said, I can't even spell dual authorization. But our customers don't want it, elderly struggle with it, it's too costly. And this is not something that should be forced by the government on us. And I thought this is so in parallel to what you could find in 1966, when the Ford Company said only 2% of our customers, we just did a survey, only 2% of our customers want seatbelts to even be in their car, nevertheless use them. The radio DJ got 40,000 people on the street protesting against seatbelts. They said it was too costly, the elderly would struggle with it. Our customers don't want it, do not force seatbelts on us. And so as we enter 2024, I truly believe that many of the folks here in Cambridge, obviously are Congress, but Cameron Walden, and this is also the head of the needs for public security at DHS, at State Department, at DOJ, all appearing at a letter council event a few weeks ago. But I believe that they will be part of the transition towards a new approach, a carrot and stick approach, towards getting what is taking place in Ukraine. So actual vendors and solution providers being on the front line and being the lead in cybersecurity. So thank you very much. I believe we'll take one question. Yes, I would like to first thank you all for the wonderful presentation. I already mentioned that we will have Q&A, but I also think it's better to make sure that if anyone has a question, we will follow up immediately after the presentation. I will start with a quick question on cyber resilience. You pointed, you mentioned on the importance of implementing, sorry, I hope you can hear me, on implementing anti-corruption measures. And thank you for mentioning Prozoro procurement platform that has become one of the success stories in Ukraine. But if I'm wondering, do you have any other measures on capacity building in mind that have proven to be effective in Ukraine and that other countries have already adopted? And you mentioned the experience of the United States. They also presented their new national cybersecurity strategy. So I was just wondering whether they have been inspired and adopted any capacity building measures based on Ukraine's experience. And so I brought the allergies from Miami. Unfortunately, we're experiencing the heat of allergy season. And for a person who's allergic to palm, I'm moving to DC, so it'll soon be over. But my voice seems a little far, so I apologize. But most definitely, I mean, there's a framework. I personally think workforce is the biggest problem, not just in Ukraine but worldwide. I mean, there's not a country in the world that workforce for cybersecurity isn't a major urgent concern. And Ukraine, they've adopted what's known as the NICE framework here. So my university, Florida International University were responsible for all training in the conferences that the Department of Commerce missed. You're probably all familiar with the fact that we have this institute for standards called NIST at Commerce. And under there, there's a workforce framework called NICE. And NICE, fortunately, the one person doing it, Karen Leshaw has been the one-man show for five years now, but she's finally getting a tire of six or seven other people. But she has been leading an effort to basically change how both universities and those who hire cybersecurity graduates interact in trying to develop a common language, not based on degrees and subjects, not based on exact positions, but based on skills and how can the two meet to make sure graduates have the skills needed and that the industry also has the ability to work with them and cooperate and provide practical skills. But this is something that is most definitely, I can say in four countries now, there's a version of NICE framework, or the EU in October created their own workforce framework. I believe theirs is the skills framework. But they are in the process of creating a similar environment. My main concern as far as donors is that there's a tendency to look towards computer engineering alone. And as MITRE recently put out, well not that long ago, put out a study and advocated for the idea that our future of cybersecurity workforce, more than half, will only have two years or less of education, higher education. And we have to keep in mind that cybersecurity, I always compare it being a law enforcement guy at DOJ, I always compare it to law schools producing future police men. The future police, some under the Kamala law schools, and we were successful in Ukraine in convincing many, but to the most part it's not the ideal match. And cybersecurity in many ways is the police of the IT and OT world. And the computer engineering alone can't be the focus. We have to also focus on apprentice programs. It's something that Purdue and my university is working on under Department of Labor grants. But trying to take those people, for example, if you're in an impoverished country trying to get critical infrastructure to have cybersecurity personnel, say at a dam in the middle of nowhere in a village, I'm using it, I can't mention the country. I'm kind of limited in what I can say with the programs I work on. But I know of a dam that's in a village of about 600 people, and they need cybersecurity personnel. Well, guess what? The top ten students in the country who went to the prestigious computer engineering program to get their graduate degrees, they're not going to that village. They want to be the next young musk. They don't want to be necessarily sitting and administrating a dam's IT infrastructure for the next two years. The answer comes with how do we get some of the 600 that live in that village to actually be cybersecurity competent in terms of the basic functions. So that's what I think we're going to hopefully move towards. But we are doing a great deal in terms of getting the universities to match the needs of the workforce inside this group. Thank you so much. Just to check, Sia, do we have time for another question? Okay. I'm sorry, but we will have Q&A session, and I will provide an opportunity for you to ask questions. But I would like to now push over to another distinguished speaker with whom I also had an honor to work together. He is Dr. Pavel Pushkar. He's the head of division at the department for the execution of judgments of the European Court of Human Rights of the directorate general of human rights in the rule of law of the Council of Europe. He has been working at the Council of Europe for over 20 years, and before that he worked at the registry of the European Court of Human Rights as a senior lawyer. And before joining the Council of Europe, he worked as an attorney and as a public official at the Supreme Court of Ukraine. And today he will talk more about the Council of Europe's role in promoting cybersecurity cooperation and also will give us more insights as to the measures that are recommended by the Council of Europe. The floor is yours, Pavel. Yes, thank you so much, Marta. I hope you can hear me well. I think it's lunchtime in the United States and Harvard, but it's an evening in Strasbourg and we are getting close to the dark hours of the day. So I will try to present the ideas that you have asked me about in a brief fashion and I have prepared a little presentation on this. But first of all, dear Professor Pikok, dear Madam Chair, Miss Bassistuk, dear participants, dear colleagues, it's a great pleasure to be here and to share with you some ideas on the current cyber threats and challenges that we face from the point of view of international law and as well as challenges from the point of view of respect for human rights and the rule of law that the current cyber threats are leading to. So I would like to thank again Marta and Robert as well as Sia for inviting me to take part in this event and to speak about several suggested topics. Just before I switch to the presentation, I think a couple of words of importance about the Council of Europe and a couple of words about the organization that I come from. So as Marta has said, I am currently employed at the Council of Europe which is an international organization composed of 46 member states. It is operating on the basis of three pillars of activities like human rights, democracy and rule of law. It is one of the eldest international organizations on the European continent and it is obviously different from European Union which has now membership of 27 member states. The organization's activities are based on the establishment, promotion, monitoring of common European standards in the areas of three pillars of its operation which I have referred to before which are human rights, democracy and the rule of law. Now in my professional experience at the Council of Europe I used to work at the registry of the European Court of Human Rights and my work was related to processing mostly individual complaints that are lodged by individuals against the states raising allegations of human rights violations. And since 2016 I've been working for the department for the execution of judgments of the European Court of Human Rights which is a department providing legal advice to the committee of ministers of the Council of Europe that is a statutory body composed of ministers and deputy ministers of the member states of the Council of Europe that supervise compliance with the obligations to execute judgments of the European Court of Human Rights. Just briefly about the execution of judgments requirements because I will touch upon it to a certain extent but mostly I will focus on cybersecurity issues. So if we look into what is being done as regards execution of judgments the requirements of execution measures vary from rights concerned and the types of measures to be taken. So thus each judgment of the European Court of Human Rights requires the respondent states in case of a negative judgment against them to undertake individual and general measures aimed at ensuring restoration of the situation that existed before the breach occurred cessation of the ongoing breaches and providing guarantees of non-repetition. I think these three elements will reappear in our discussion today about cyber threats and international law. So but as a result of Strasbourg Court judgments we see that some states managed to introduce a number of real important changes into the domestic systems including the changes to the constitutions, laws of practices synchronizing themselves with the requirements of human rights contained in the European Convention on Human Rights. So my work also at the Council of Europe concerns providing advice to my hierarchy on various issues related to human rights protection and that also concerns the work of the task force of the Secretary General of the Council of Europe on Freedom of Expression as well as the work on matters of accountability for gross and serious human rights violations and that's actually very much related to our discussion today on cyber threats and cyber warfare and the damage caused by cyber warfare as regards Ukraine. I will speak today in my individual capacity rather than an academic and legal researcher but that's now I will try to switch to the presentation that I have and actually will try to share the slides that I have in my possession. So I hope you can see the slides and I will try to walk through these slides with you and starting from the first slide where I would like to suggest the topics that I will cover today. I'm using actually less visuals in comparison with Robert my apologies for that so I hope the text is still suitable for the audience and that these slides are not overcharged with text but there are five main elements that I wanted to cover today. Actually the elements relating to international legal framework as regards the cyber crime, cybersecurity and cyber warfare. The Council of Europe Budapest Convention and the protocols there too is one of the key legal instruments dealing with issues of cyber crime. Also I will touch upon from the point of view of dealing with cyber threats with some elements related to the right to privacy and right to access to information in the cyberspace. I will also touch upon investigation, prosecution and judicial examination of cases concerning cyber crime and also cyber warfare and we'll also cover a little bit Ukraine and then issues related to collection and retention of data versus national security threats and protection of public order and morals and we'll try to come on the basis of this discussion with some conclusions as to potential future for international legal framework based on the gaps that can be easily identified from this discussion. So I think in the first place what I would suggest is actually the discussion on the state of international law facing the cyber threats and cyber security issues. The second is the role of the Council of Europe in counteracting these threats and its key instrument, the Budapest Convention as well as then the potential response of international law to the above mentioned cyber threats, cyber security and cyber warfare and then the issue of accountability will be kind of one of the final elements that I would tend to discuss. To be frank I didn't really foresee initially covering the issues of cyber warfare Robert has already touched upon it but actually based on the materials that you find when you research this topic you cannot avoid speaking about cyber warfare. I think the discussion on cyber warfare that is now happening in the academic circles and in the public is very much allowing us to look into the future of regulating cyber space as well. Cyber threats coming from cyber warfare and also it allows us to foresee on how responsibility for unlawful or illegal use of information technologies, cyber activities not only by individuals, non-public entities but also by the states how this accountability could be established. In this sense cyber warfare as a product of states external activity usually military, its machinery poses unique questions from the point of view of international law approaches to responsibility and attributability of conduct amounting to cyber warfare to states themselves. Even though we see that in many instances the cyber warfare is being conducted by subjects that do not necessarily belong to the state authority and in some states on the contrary we see that these activities are heavily centralized with the state. So in addition to the issues of cyber warfare I think one cannot omit but to speak at least briefly about the most recent technological advancements in the area of IT the artificial intelligence even the famous chats that are being created now and their potential unethical or illegal use also to the extent that these could be considered amounting to cyber criminality. Also the use of IT and cyber space for operations amounting to disinformation and misinformation something that was mentioned by Marta to pose particular issues from the point of view of freedom of expression and access to information. And finally an element of importance in all of these discussions that I find extremely interesting to explore is a public-private collaboration in the area of information technologies and the issues of implications of such collaborations on protection of human rights and the rule of law. So going to the first slide one can definitely say that international law is increasingly being called upon to develop new forms of international response in order to anticipate, assess, minimize and mitigate the risks posed by emerging or novel technologies including by the risks of use of these technologies by the states that act illegally. Indeed information technologies pose new challenges to international law and there are even definitions that exist now that probably partly cover the elements of our discussion because new developments rapidly emerge and it is rather difficult to define and to actually to assess these new developments from the point of view of the legal construction. Also the difficulties that arise from the cyber criminality that generally relate to definitions they don't only extend to the issue of defining what is illegal but they also extend to complexities of cross-border cooperation and jurisdictional issues that focus on evidence-gathering and the miscibility of such evidence from the point of view of legal proceedings. So indeed there are many elements that I mentioned here that already from the point of view of the definitions they probably lack sufficient precision just as the elements I list here the cyber threats, cyber attacks, cyber security, cyber crime, cyber warfare because indeed these are just tools that are used for illegal purposes and I think essentially the legal framework we have in international law is rather focused on the domain not of international law as such but regulating cyber crime and counteracting cyber criminality through the means of transnational criminal law being rather based on prosecution of such crimes via national jurisdictions rather than having a single unified sort of approach to some of the international crimes through unique system of international law enforcement. If we look at the Budapest Convention itself that is a key legal instrument from the point of view of the activities of the Council of Europe but it can be said also that it's an important legal instrument an instrument of universal importance from the point of view of international law the Council of Europe Budapest Convention has indeed evolved into not only an important legal document but it has evolved into a framework that permits hundreds of practitioners from the state parties to the Budapest Convention to share experience and create relationship that facilitate cooperation in specific cases, emergency situations beyond the specific provisions of this Convention. Budapest Convention in this sense it's a treaty that has produced significant effects not only for the Council of Europe Member States and you can see that I'm mentioning here 68 Member States to that Convention but it has also invited some 20 more states to exceed to this treaty. It covers such issues as definition of substantive offences under its provisions so access offences, use offences and content offences are covered by the provisions of Budapest Convention but it also provides rather largely for harmonization of domestic criminal law procedural rules governing cyber crime prosecution and it provides for a specific international cooperation regime. Indeed within the framework of this Convention expert bodies of the Budapest Convention produce an enormous amount of expertise in the area of counteracting cyber crime and cyber threats for instance they produce an extensive set of guidelines notes to state parties and other interested states on various issues of cyber security already a dozen of these guideline notes have been produced to harmonize the approaches to cyber criminality. Budapest Convention also contains as a treaty two protocols to it one dealing with the counteraction against racism and xenophobia committed through computer systems as well as on matters of enhanced cooperation and disclosure of electronic evidence which actually strongly facilitates interaction between the states in counteracting cyber crime. So it's a strong platform of cooperation between states and counteracting cyber crime and it is actually a strong possibility to enhance and facilitate criminal investigation and proceedings through use and exchange of evidence available with this crime. Indeed there has been a lot of criticism of the Budapest Convention initially and the criticism itself largely relied on the idea that not all of the offenses were originally covered but we can already see that the additional protocol of 2003 relating to racism and xenophobia committed through computer systems is an important development in this sense and there are many more elements which are being studied and developed under the auspices of the Budapest Convention. I think in a sense the discussions at the UN level at this stage for a broader UN cyber crime convention they went into impasse and originally there was a proposal in 2010 at the UN Crime Congress held in Brazil as regards establishing of such convention but they think we're still far from developments in this area. Now as regards the instruments and measures targeting cyber crime I think we can mark certain of these actually instruments and measures targeting cyber crime already from the available Budapest framework of the convention proposed by the Council of Europe but I think one of the most complex elements in relation to preventive measures and investigatory or prosecutorial measures is actually a complexity of obtaining and I would probably single it out obtaining electronic evidence that may be stored in foreign multiple shifting or unknown jurisdictions. It's actually a problem of limitation of law enforcement by territorial boundaries and I think the second protocol to the Budapest Convention actually responds to this difficulty to a certain extent. It provides for tools for enhanced cooperation and disclosure of electronic evidence and that's something that actually helps in a sense with prosecutorial measures that are mentioned here. But again I think more generally there are many examples of effective preventive measures that I mentioned here and international cooperation measures related to evidence exchanges and measures relating to coordinated counteraction against cyber crime which are visible from the activities of for instance Eurojuice, Eurojust or the joint investigation teams established under the auspices of various European structures. So if we look at the cyber crime itself I think the developments that have occurred recently they allow to say that there has been quite a lot done in relation to preventive measures, prosecutorial measures international cooperation measures but again if we look at the issue of addressing the cyber crime and it is very much different from the how we would address the cyber warfare. I think there are elements which I refer to here that are of importance in this sense and actually in this sense the cyber crime very much differs from cyber warfare because the perpetrator is regularly the state itself. Then of course we can speak about the conduct of private or privately undertaken cyber acts of war that in many instances could still be attributable to states and then it's actually the difficulty that relates to investigation and prosecution of such cyber war crimes that might be seen to be more direct in a situation that I have mentioned where the activities of cyber warfare are very much centralized but it might be also very complicated in the situation of decentralized cyber warfare and there are many examples of actually from the events in Ukraine where we see the emerging majority of cyber attacks or cyber threats coming from pro-Russian activists for instance that actively fall under the umbrella of kill net the nexus the kill net itself with the such organizations as Anonymous Russia, Anonymous Sudan, Infinity Hackers which are kind of centralized in the activities and that produce as it has been reported for more than 50% of all pro-Russian hacktivist activities tracked by some reporters. So I think it's different in this sense but it is also different on the level of targets of such cyber warfare. I think the targets of this cyber warfare are regularly the Ukrainian state authorities. In some instances these are actually entities that facilitate or ensure international support for Ukraine so these could be not necessarily the public entities but also non-governmental organizations, civil society and actually the cyber operations at this point are not only aimed at creating cyber havoc but also they are aimed at a certain degree of misinformation and disinformation that also sort of questions the whole need for support to Ukraine in the West and in some instances these are aimed at providing and ensuring domestic support in Russia for the continued war. I think in this sense it is interesting what the Budapest convention has provided as a part of a platform of assistance to Ukraine it has actually through some of its activities like Cyber East and with the assistance of the European Union it has provided assistance to amend the domestic criminal law in Ukraine to increase the effectiveness of criminal justice action against cyber attacks so these are properly criminalized it provides supported training to OSINT investigations which are being mentioned in collection and gathering of electronic evidence in war crime proceedings it actually reviews and provided assistance in reviewing the legislation as regards the OSINT investigations in criminal proceedings to allow such evidence to be admissible in court and eventually it provided various types of trainings as a part of the assistance to Ukraine on ransomware offenses which are kind of being on the rise in relation to the current cyber threats vis-a-vis Ukraine and actually vis-a-vis its partners as well. What is interesting and I'm mentioning it here that I think cyber space is being used not only for threatening action against Ukraine and public authorities and civil society and NGOs but also that there are some tools available for the civil society and engage in collection of electronic evidence that are very prominent and I just wanted to mention in this sense such an initiative is Berkeley Protocol on digital open source investigations that was published recently with the assistance of the UN Office of the High Commissioner on Humans. Now if we turn into the issue of actually privacy and access to information, I think there are two elements here and I would not go into much of a detail that I wanted to mention that of course the cyber criminality and counteracting cyber criminality and counteracting cyber warfare requires action on behalf of the state that actually limits the right to privacy and limits the access to information. This is quite an inevitable action that is stemming from the situation at hand and the national security and public safety demands of course there is quite an extensive case law of the European Court of Human Rights which speaks for necessity to regulate for instance data collection and data retention through law with requirement of proportionality being in place and necessary safeguards against arbitrariness to be put in place. Indeed the protection against cyber crime and cyber warfare might lead to limitation of access to information and actually counteracting false information disinformation might lead to such limitations but indeed these limitations should still be acceptable from the point of view of the requirements of both articles 8 and article 10 of the European Convention on Human Rights that provide for protection of privacy and right to access to information. What is interesting is and I have mentioned this in context of Budapest Convention there are some new elements that appear in the case law of the European Court of Human Rights that remain at this stage not touched upon by the Budapest Convention regulations that relate for instance to new cyber threats and I mentioned here the threat of domestic cyber violence actually quite an interesting discussion on how and what kind of requirements in relation to domestic cyber violence should be put in place as regards to counteracting it as another cyber threat. Now if we look at the probably final elements of the discussion coming to an end I think it's a list of questions that I have largely relating to cyber warfare maybe these would inspire some of discussions and that is based on actually something that I was looking at while preparing for this event I think once again when we look into international law regulation of cyber warfare or illegal cyber war I think we can say that the acts of cyber warfare they can fall within the ambit of international humanitarian law and that means actually that a number of these acts based on and the results of interference the results of interference and the chain of events that these interference can lead to they actually amount to again to kinetic war if they are compared in this sense and indeed the principles of international humanitarian law are applicable in such a situation to cyber warfare I think what we can see in context of Ukraine and cyber warfare against Ukraine that cyber warfare goes along the lines of classical warfare with major aimed targeting state infrastructure the aim of seeding chaos, panic and terror targeting civilian infrastructure and civilians then kind of suggestion or development of propaganda and psycho operations that can be seen as forms of cyber crime because these are images and information which is disseminated through social media networks and we are again looking at the information technologies we can also see specific threats in this sense and use of cyber tools in relation to conflict based sexual violence there are some elements of discussion in this sense also as regards the trafficking in human beings there are some unique tools which are covered by another body of the Council of Europe which is dealing with the issues of trafficking in human beings and again the issues of spread of propaganda and misinformation and disinformation I think all of these are specific to Ukraine and we can see that there are many of these questions and I don't know if you remain unanswered yet but these are kind of clear from the point of view of legal regulation at least at this stage for me that indeed acts of cyber warfare are covered by the provisions of international humanitarian law and once again they can be prosecuted in the same way as the classical war crimes that could be prosecuted and that's finally a sort of the wrap up of what I was trying to produce to you today I hope it was actually useful for and it is useful for our discussion I think one can argue and one can conclude that the cyber crime methods are developed from an individual action into the actions used by states or affiliate groups in cyber warfare they need a separate response or a new response from the point of view of international law to fill out the accountability gap I think it is quite important that cyber warfare must be addressed by international criminal law in a centralized way and it seems like from the review that I had that only fragmented international criminal justice efforts by separate states are not sufficient in this respect and a collective response is quite required to address the illegal cyber warfare there is also a need for general international law tools to prosecute certain forms of illegal actions with the use of IT tools, computers and systems and these tools such as notions classifying certain types of cyber warfare should be flexible enough to accommodate new cyber threats such as the potential use of artificial intelligence and I think in this sense some generic definitions and guides should be elaborated similar to those under the Budapest Convention permitting a wider safety net I think in this sense I have also mentioned the rules of accountability and state responsibility they are of importance from the international law point of view and I think they should be applied to lead to international responsibility of states for damage in the legal acts caused by cyber warfare and such responsibility should be imminent and no impunity should persist from the point of view of damage caused by such an illegal acts of cyber warfare and that's probably a conclusion that I would like to come on to and I would like to switch off the sharing of the presentation and thank you for your attention would be ready to reply to your questions Thank you so much because we are running out of time I will open the Q&A session to everyone and I will invite everyone to raise their hands and ask the questions We can take about three questions from the audience On the first presentation there was a very interesting statistic that you passed over from North Security which is the decrease in breaches in Ukraine but the huge increase in Russia could you address that I know there is probably not that much known but where are they coming from and how many are from state actors and how many have been admitted since USAID is very uncomfortable in the cyber security sphere and they have stopped my publication of materials on offensive by Ukraine cyber security activities so I'm always hesitant to discuss but I hope to just kind of put it in there as a side note I like Russia's there's a cyber army in Ukraine do we count that as government do we count that as volunteers it's hacktivist right I think that in the second presentation the term hacktivist was used I personally believe that certainly from Russia but from Ukraine they are closely connected to the government it's kind of hard there were freelancers that I think faded a little bit on the attacks on Ukraine Anonymous in particular was very active in the beginning and so I personally don't know about successful breaches and who was more successful I think most of these again are more DDoS style that you see a lot of Russian television has several times broadcast speeches from Ukraine when things got switched through hackers it's definitely something where I'm waiting for a definitive report on that from an academic or a practitioner I haven't personally seen it and unfortunately I know it's not a fruitful area for me to pursue so I kind of avoided it but it's not an answer it satisfies you My question is going to be difficult but I need to ask that when Russian sponsored AI companies get hard in the United States Can you hear us? Yeah, it's a little bit distant in the voice now it's better So when US states hire Russian AI companies like Toloka AI which is completely owned by Yandex which is Putler's own company and nothing getting done and not only that but American University for example yesterday in Northeastern University and I spoke with a professor who invited them and therefore we can discriminate and we ran it by our law department at the university Who's responsibility do you think it is to stop the Russian AI companies that are controlled by Putler? I'm sorry and who... Pablo, do you want to answer the question? I just I don't understand really the content of the question but rather a statement or question Can I clarify? Because I want us to be on the same page As far as I understand here we have different understanding of responsibilities that countries and governments bear and then private companies and with the war in Ukraine we see how important is the collaboration as you mentioned but then we also have some private companies in the United States The company is not in the United States Toloka AI is not in the United States it's a fully subsidiary of Yandex which is one of the Putler's companies and yet American states are hiring it for AI as a state government What responsibility it is to stop that type of thing And I will also add maybe you have any ideas about international measures that can be taken to basically prevent countries like Russia and other autocratic regimes even though we do know I want to make it very clear that those countries are not members of the Council of Europe and then Council of Europe is the first international organization which expelled Russia once it started the war so we have those countries which are not members of the international community so they no longer follow the internationally recognized principles and rights So Pablo do you have any ideas as to what measures at international level can be adopted to hold these countries accountable or their private companies accountable for the breaches they may make? I think it's one of the most complex questions that one can ask I mean if you look at an inverse side of the question for instance if you read reports from Google and Microsoft on what was done to counteract cyber threats and cyber warfare against Ukraine actually you can see that the Microsoft and Google they are very much working against the threats of cyber warfare actually supporting the Ukrainian authorities in this sense and critical infrastructure and analyzing the threats that emerge it's very interesting in this sense because eventually and that's something what Robert said maybe it's interesting for Robert to comment as well in a sense if you have software which is produced by private entities which is used by the government and the infrastructure of the government eventually the companies that produce the software and the systems for use the computers the IT infrastructure they are obliged to be engaged with the product they have provided for use by the governmental authorities and actually in this sense if you look at the attacks on the power grids or if you look at the attacks on the critical infrastructure points it's inevitable that the company that services these products will be there that's a part of the obligation so in this sense the attack against the states and public infrastructure is also an attack against the products developed by the companies that service these critical infrastructure and in the inverse sense if you look at the analysis produced by the Microsoft and others as regards the structure of cyber threats coming from against actually Ukraine in this sense it's more centralized that there are I mean it's basically quasi military entities that are engaged in these activities and that's I think much easier to define as something attributable so maybe Robert would also want to comment on this I was thinking that Yandex was already sanctioned by the United States but I'm not certain on that are they sanctioned? they fully subsidiary whose founder never had another job other than at Yandex is still allowed to sell the AI software which is collecting I guarantee you it's fine information on American citizens and state is used by the state governments in the United States which is why I was asking the question I can say one thing I know the Department of Treasury is hiring nine sanctions employees specifically towards cyber security sort of sanctions which is new you know we're trying to do this for the first time the Office for Assets Control and so I think that this is your question is one that we'll be dealing with for sure exactly how we it's not an easy question because I'm sure there's many steps you know in ownership and so it will keep law school graduates busy for quite a while I know that we have run out of time but if there is anyone else who wants to ask the final question or do we have questions online that I welcome folks who have any lingering questions to say within the room but we are going to now end the event but again thank you all so much for joining us in we're going to hand it back to Marta to wrap up the show first and foremost thank you so much to Rob and Pablo for their excellent presentation I'm very very happy that we collaborated today on the very important issue for Ukraine but I also believe for other countries as well I wanted to make very clear for everyone what my main lesson learned from the cyber security situation is that everyone bears responsibility even though governments and private companies will bear the most responsibility to go to play for everyone and it must be a collective endeavor so when it comes when the war started we all Ukrainians received different type of messages emails from our government saying that we must adopt basic security measures including anti-virus programs to always remember about software updates use multi-factor authentication that Rob was telling us about those basic things can actually prevent 90% of cyber incidents and I want all of us to start thinking about what we can do and create this new mindset of people that it's up to us to first think about cyber security and then I am convinced that this will help with deterrence strategy because we all want to make for the attackers to for all of the attacks that they may think to conduct to be more complex more risky more expensive so I just want all of us to think about today you made the first step of being more aware about the situation that is currently is so I am very thankful but also think about other measures that you can adopt personally and then how we can also aid our governments to do more so I just want to thank you very much our speakers and then a big shout out to the incredible BKC community especially LIS and especially XIA they put so much effort into this event I can't be more grateful and also to BACA and to Patrick and to the entire BKC as well so thank you have a great day and I hope you enjoyed it thank you so so much