Although calls for restraint on the use of cyber weapons have been extensive, there aren't yet any international agreements to address them. Practical steps must be taken to limit further weaponization, but today many barriers exist towards enabling arms control in cyberspace. This solutions-oriented session seeks to map out the road from non-binding norms to instruments of international law in cyberspace. Here to help us with this task is Allison Pytlak, Disarmament Program Manager of the Women's International League for Peace and Freedom. Allison has over a decade of experience working in arms control and disarmament with direct participation in several prominent international advocacy campaigns. In her work she focuses on arms control advocacy and multilateral disarmament. Joining Allison will be James Shires, Cybersecurity Scholar and Assistant Professor at the University of Leiden. He has written extensively on cybersecurity and international politics. His latest works include "Countering Cyber Proliferation: Zeroing in on Access-as-a-Service" and "The Politics of Cybersecurity in the Middle East". Lastly we've invited Evelyn Tauchnitz, Senior Researcher at the Lucerne Graduate School in Ethics. Her work concentrates on how digital technologies can be employed to build, support and maintain peace through non-violent methods of conflict transformation.

Welcome everyone to the fourth session of the Alternative Security Conference. I'm Amir Kiayi, a member of DiEM25, and honored to have these three special guests with us tonight. First though a brief word on our session ahead. The cyber domain of warfare, as well as the weapons that exist within it, presents a unique challenge to existing arms control frameworks, ranging from attribution to its very digital nature. Unchecked weaponization however, on a weapon that knows no borders, will ultimately not be a benefit to any nation.
Each of our panelists will therefore take us through the contours on the arms control map that could pertain to cyberspace. We will then launch an online poll to our audience to gauge opinions on the extent to which certain arms control elements in cyberspace could be desirable and feasible. So looking forward to that participation with all of you. And this poll and any questions that you may have via the chat on YouTube will then be covered in our Q&A session. So without further ado, I have the honor of handing over to Evelyn and she will take us through the first part of our session. Thanks very much.

Thank you very much Amir for this great introduction and hello everybody, good evening. I will start first with talking about how possibly such norms could be grounded in international law, with the aim to restrict the development but also the use of cyber weapons. And to start first, like if we talk about how they could be grounded, I think it's important to have a look briefly at what are the sources of international law, like where does international law come from, and there we can basically distinguish four possible sources. The first is quite straightforward. That's international treaties and conventions, means usually states agree upon some set of norms which they want to make legally binding. Then we also have customary law, which is like generally accepted practice by states. And then the last two, which are not that important for this purpose, but interesting also, are the general principles of law, for example, to act in good faith, and then judicial decisions and teachings, means what courts decide. The most straightforward way of course to codify such norms would be simply to create a new treaty or new convention that is legally binding, or integrate them in already existing conventions or treaties. Usually these are states but could also sometimes include non-state groups.
Interesting also, however, are customary sources of international law, like what is already accepted practice. And there I think we can have a short look at international humanitarian law, as this is a really old source of customary law. And specifically for armed conflicts and wars, means it's like special law applying during armed conflicts only. But given that we're talking about security and cyber weapons, I think that's a really close connection there. And we already have, for example, the prohibition to attack civilians or civilian infrastructure, and also that weapons need to distinguish between who is civilian and who is combatant, actually. So I think there we already have a really good connection point in international humanitarian law. And in fact what is also good is that it's binding for everybody. It means it doesn't depend on a treaty or not. Even states who are not agreeing, they're bound by international customary law. So this means that already now it's actually prohibited, for instance, to attack civilians or civilian infrastructure, regardless of any new treaty that we're having or not. So that would be a really good point to start off, I believe, to also search like what parallels are there. Like what parallels do we have? Because when we talk about cyber weapons, there's a weapon also. International humanitarian law is not only prohibiting certain weapons, but it also prohibits, for example, methods of warfare that do not distinguish between civilians and combatants. So in principle there's already lots of norms out there that can be applied to cyber weapons as well. However, if we would aim to create a new treaty or convention, or integrate into treaty law, there are two key points really. One, you need the consent of states, because the international system is really state-based still. And you need something obviously that states can agree upon. It means you need a convincing and credible set of norms that you then can turn into binding law.
So norms are really the pre-stage of law. Like to have a binding law you need a set of norms first, which can be moral, social, political norms, and then they get codified and become legally binding norms. So laws are like legally binding norms. And briefly, what is a norm? Maybe if we talk about norms we should know what it is. These are rules and standards of behavior that are shared among members of a social group. They also serve as guides for action and they basically tell us what we or society, I mean they're very culturally dependent often, that's a bit of a problem on international level, but however they tell us, more or less, said simply, what is right and wrong behavior in a given situation of choice. So what is interesting there, if we talk about right and wrong behavior, there's a really strong underpinning of values, and we have to be aware that norms are built on values. And I mean a theme of this conference is security. So as the title also said, like we have to think about security for whom to start with and what security means as well. And also like myself, I'm into peace research, so I often ask myself is your security enough really, or should we not really maybe talk about cyber peace, or should we not search for some like broader definition based on human dignity or based on human well-being instead of security only. So I think it's really important, because also then you have to check who you connect with. And I mean security is a very militarized term for instance. So you might get other actors if you talk about security than if you would talk about cyber peace or than if you would be talking about human dignity and human well-being. So I think it's a really key point first to start with the norms and try to find some agreement on the norms. And then once you agree on the norms you can set the boundaries accordingly. Means you can say, is that in accordance with the values that we actually want to support or is it not.
And then you can draft the norms accordingly. But I think it's a key step to agree on the values first. Because for instance it's not the same if you say we prioritize national security or we prioritize human well-being. You will get probably quite a different set of norms out of that. So where should we continue? Yeah, let's take a look like how norms get strong enough as to make the transition into international law. Because there are lots of norms out there. I'm sure there are already lots of norms on cyber security and cyber weapons as well. Not many of them are legally binding. How can you make norms strong enough? Basically socialization processes, means states get socialized through peer pressure, through pressure also domestically, through their own constituencies. That means through elections and so on. But also on an international level, like advocacy networks have gained lots of influence. And what is also very promising is if you can link up the international level with the national level. Means we're having a good international advocacy network who work together with domestic actors. Specifically from states that you really want to have on board. Like if you want to have for example the US on board, who's always a bit difficult to get on board, you should work strongly with actors within the US who have the same agenda. And once you have like successful cooperation there and you have like some kind of strong support, it's also quite likely that other states are going to join in a way. But it really has to do with benefits as a reputation or like social acceptance. Good example by the way where this was very successful are chemical weapons, that were like able to be codified or like prohibited in a certain sense because they were understood also to be weapon of the weak. Like there are certain norms that are easier to codify. Specifically if you can kind of show that they are not in line with what we perceive as right and wrong.
Like in the case of the chemical weapons there was an analogy with poison, for instance. There were also, like if you have norms that you could say you're going to protect the innocent, the vulnerable groups, that also has better chances. Like you need a good reason why you want to establish certain norms. Like protection of civilians for example, that's a strong one. What else? Also you need a kind of right process in order to acquire the necessary political legitimacy. Usually on international level that would be the UN I guess. What else can we say. Then I think the most straightforward way would be, already like in a first step, to see if there are already certain norms out there that connect well to private cyber weapons. Mostly it can be found, as I already mentioned, in international humanitarian law. But also human rights law, which is the law that applies in peacetime. It focuses on human well-being and dignity as key points. But also the analogy with already existing like weapon taboos. Like chemical weapons, biological, land mines, like already existing arms control treaties. And I think Allison is going to tell us more about that point then. Second step, like to strengthen these norms through the mentioned socialization processes. And thirdly then to codify them in international treaties or arms agreements. Like how this usually happens I already mentioned a little bit. But there's like a so-called norm life cycle: norms emerge, pushed by norm entrepreneurs on domestic or international levels. Then you have a norm cascade where peer pressure increases, until finally in the third stage the norms are internalized, means they're codified and then universal adherence becomes the most common thing. So what else can I tell about that? An existing thing is also like what I already mentioned, like the parallels. I think they're really important because there's like a so-called path dependent grafting process.
Means there's like a certain branching process going on. Like a tree. New norms, they are not coming out of nowhere, but you have a certain branch that is already existing. And out of that branch you can easily kind of make other norms emerge. So like it's really key to not create them out of nowhere. But when you make the arguments why it is important, like the why, then it's really that you can build on something strongly. Like for example the ban of other weapons and so on. Or that you have to protect civilians like in the humanitarian law. So this really is key for showing, we're going to have that in a poll later, not only that it's desirable to prohibit certain weapons but it's also possible. Like if people can see that that already was done they can really connect more easily to that. What else can I say? There's also like, given this branching process, like it's easier in a sense to do if you have a cultural match. Like if you already have like domestically a cultural match. So in a sense it's easier to start in countries that already have like similar legislations and then kind of get them on board. Just to get the thing going a bit, and afterwards other countries, other states might join in. So it really makes sense to search for where can you connect international new norms to already existing national legally binding norms which might exist to some degree. Or like see how it is handled also on national level. And then like straight to form some strong advocacies. And given that these socialization processes are really the main motivation for states to adhere to norms, it's easier also with like small and interconnected states because they depend more on international reputation. Also in times of change it's easier to justify that it's necessary to have a new set of norms, means like if there is a crisis, of course which we're not going to hope, but in a sense we already are in a crisis.
And I think the happening of the digital revolution is widely recognized, so this is a time of change, I think it would be a good time in a sense. And yeah of course like you need the key states to be on board, like if these ones are, it's easier that smaller ones will follow. And regarding the content of the norm, it's really key to have a clear and specific formulation, like you want to avoid ambiguity and complexity, like people also should understand, the more non-experts, like these have a higher chance of adoption than if there's a lot of ambiguity. And also a key point, like if you can argue that you protect vulnerable or innocent groups, that very have a strong reason. Of course it is grounded on human well-being and dignity also. Like I don't know how much time I have left, means how much I have to rush up or not.

I mean you're giving so many strategic advice pieces and gems here for the audience and everybody watching, you know, who are active in this area, that you can have, if you need, a couple more minutes with pleasure.

Okay great, thank you. Okay, because I think something which I haven't mentioned yet, I think it's not only about regulating the cyber weapons but also how you respond to cyber attacks. Like you cannot probably avoid that they're going to be used at some point of time by some actors, because it's not only states employing them, it's also individuals, it's non-state armed groups and so on. So I think there's a key point to think about sanctions and responses. Because as for example in the US under the Trump administration there was some controversy discussed, that what would happen if there was a cyber attack against your nuclear control and command communication facilities. And they actually stated that it could justify the use of their nuclear power as such. Means an attack on it could already justify the use of these nuclear weapons, and that's of course highly problematic.
Because I mean you also have the anonymity of the cyber weapons, that it is difficult to identify who was it actually. So sooner or later it would probably happen I guess that somebody would try to attack their command and communication system, also in regard to the nuclear weapons. So how they're going to respond there. I mean there you should also think about both the sanctions of what to do when it happens, but what kind of responses should be like considered or not. Like there I would make the analogy again with international humanitarian law, which has the principle of proportionality. So you could discuss of course like what is a proportional response and what is not, like starting a nuclear war because there was a cyber attack, I doubt that that would satisfy the criteria of proportionality for instance. So I think it's very important also to think like how do you respond to the cyber attacks, because they might actually present more of a problem than the cyber attack itself. Like the cyber attack might at some point be the smaller problem if you get into escalation because of it. So I think that is really important, to avoid an escalation of hostilities based on a cyber attack, and that should also be like regulated by some set of norms. And the last point maybe is also to think about who are the responsible actors. Like who are actually the ones who set up these new set of norms, who will maybe become legally binding. In terms of agenda setting power, like who is setting that agenda, what should be done, who is making the decision actually, who has veto powers and who decides about the sanctions, yes, to be taken. So maybe just as a small conclusion, like in sum I would be careful to not militarize the Internet and cyberspace.
And it should be a human-centric approach, we're going to hear about that more from Allison as well I think, which is built on already existing norms and rules to be found for example in international humanitarian law but also human rights. And I would rather maybe talk about cyber peace than cybersecurity, because there you have a bit of a broader, well, you have a broader set of actors that would participate in the discussion, not only the military. And yeah maybe also think the other way around, like what kind of cyberspace do we want to create, like what kind of relations or what kind of norms should rule the cyberspace. Like in a more kind of proactive way, and then again focus on the values, like for example who and what is worth to protect, and yeah build on already existing norms there. Like for example human rights but also existing arms control mechanisms, which I think is a good point to shift over to Allison. Thank you.

Allison, please take it away, I think the flow is working wonderfully, please, thank you.

Great, well thank you, and I also wholeheartedly would support a cyber peace approach to these issues that we're talking about today, and I don't think that those two words are used together often enough. I've been asked to talk a little bit about multilateral arms control agreements and the rationale for the inclusion of cyber weapons, and there's a lot to unpack in this. So my approach today is not going to be to give sort of a clear path forward but to do a bit of a scoping of the current legal landscape both in cyber and for other types of weapons, and raise up what I think are some key questions, especially for a conference that is exploring security alternatives. So, as a starting point and building a bit on Evelyn's excellent presentation, I thought maybe I would map out some existing legal and normative initiatives in the area of cybersecurity or cyber peace.
There are of course some already existing cyber treaties, the Budapest Convention on Cybercrime. There's currently a new cybercrime treaty process underway at the UN. And there are also different regional agreements as well. But by and large, there hasn't been a very strong appetite among a majority of states to pursue a global cyber treaty. There are diverse reasons for this. I think that one that gets pointed to often is because, if we go back in time a little bit to around 2011, Russia tabled something that was called the draft convention on international information security, which would have been a proposal or was a proposal for a first ever global cyber treaty. Not a lot of states came on board with that and supported it. In fact, different aspects of it were very concerning, especially to Western countries, for its possible human rights implications. So I kind of sometimes feel that maybe that well of the international cyber treaty is a bit poisoned from this particular memory, and there's been a little bit of reticence politically to go down that road again. But at the same time, there has also been a lot of other work happening to establish norms for state behavior in cyberspace and ongoing dialogue processes happening outside of the UN. For example, the work of the GCSC, but also some different processes that are happening inside the United Nations. And I'm going to mention two in particular. One are the UN groups of governmental experts, GGEs, and this is where things get a bit alphabet soupy. And the other is the UN's open-ended working group or OEWG. And the reason why I'm lifting up these two in particular is because both of them were established by the UN General Assembly's first committee, which is the UNGA's committee for international security and disarmament.
When it meets every October, this is where states and civil society come together to talk about the full spectrum of weapons issues, and that body is what established both the GGEs and the OEWG. Now the first GGE started in 2004, there's been six of them and the sixth one is currently in progress right now and about to wrap up its work. GGEs can take many forms, but usually they are something that is convened to bring together experts from different countries to really dig deep into subject material and not necessarily with a view to a specific political outcome, but they can be a really good incubator for political processes down the road. And the UN's cyber GGEs have been limited in the number of participating states, the current one has only 25 states, I think the first one had 15 countries only, and it's been closed in all of its work so it's not been possible to observe their deliberations. But they've produced some noteworthy outcomes along the way, particularly in 2013 and in 2015, the participating states agreed by consensus that international law applies in cyberspace and to cyber operations, in line with some of what Evelyn's highlighted, and they also outlined 11 voluntary norms for state behavior in cyberspace. But interestingly, in the context of all of this, there are, there was then and there is still now a small group of countries who really push back on the notion of IHL being applicable to cyberspace. And their argument is that if you say it is applicable, then you are militarizing cyberspace, because you're acknowledging it as a domain of conflict and of warfighting. But a vast majority of countries pushed back on that and say no, we need to say IHL applies in case of conflict so that there are protections for civilians and civilian objects. But the sort of closed format meeting of the GGEs has over time bred a desire amongst member states to have a wider forum to engage in.
So that's why in 2018 there was an open-ended working group established. It concluded its work very recently in March of 2021. And I would say its final report, it wasn't necessarily groundbreaking. It didn't have a lot of new stuff in it, but it is politically significant because this was the first time that the full UN membership was really able to dig into those GGE norms, and they affirmed their importance and their relevance. They also reaffirmed the applicability of international law and identified some practical steps in the areas of capacity building and confidence building measures, amongst other things. And still within the OEWG and elsewhere, there is a grouping of states who really want to have a legally binding framework or a cyber treaty. But there are others who do not. They're saying that it might take too long to negotiate this, too politically difficult. It's better to work with the existing normative framework and with existing law. And so this difference of position has sort of laid the ground for a new proposal from, but supported now by a little over 50 countries to develop a program of action or a POA on cyber. And there are already a handful of UN programs of action. The only one on a weapons issue is the 2001 program of action on small arms and light weapons. If you're really interested in this topic, we published a briefing paper earlier this year that takes a look at some lessons learned from the small arms process that could be applicable to cyber. But a program of action, it's a politically binding instrument. So it's not legally binding in the way that a treaty is, but it does contain commitments and actions that its endorsing parties agree to undertake. And usually within that there's some provision for follow up meetings or for monitoring mechanisms. So a lot of states are feeling like this could be a good compromise between those who want law and those who want to continue with the normative framework.
Now interestingly, none of these processes I've just described are really talking about cyber weapons. Most of the discussion has been focused on state behavior in cyberspace. And even within the OEWG, which in its title was meant to be focused on ICTs, information and communications technologies, there was a really strong preference from the majority of countries participating to take a technology neutral approach and to not be trying to limit specific technologies or devices, but to really focus on behavior. And they all expressed different reasons for this. We know, and especially as a feminist organization, that technology is not in fact neutral and that it is developed in the context of the inequalities and biases of our offline world. But this has sort of been the position of most states so far. So then where would cyber weapons fit in? I should point out that there is not a universal definition of what a cyber weapon is. I think that James is going to talk about some of the challenges and I would assume that definitions might be somewhere in his presentation. So I won't, I was going to say I won't jump the gun on that, but that's kind of maybe not what I want to be saying in a cyber weapons presentation. But generally speaking, weapons are defined by the material that they're composed of, for example, biological or chemical weapons. Sometimes they're defined by other physically identifying characteristics. If you think about small arms and light weapons as a category, they have some common features across them. And then others are also defined by their effects, especially explosive weapons. Some of the complexities, of course, is with a cyber weapon is that it's not a tangible item. You can't really hold it in the way that maybe you could hold a landmine or a bullet if you wanted to. Presumably they're going to be dual use in the nature of what they're composed of, meaning it could have a civilian use or a military use.
So maybe a way to define it then would be thinking about intended impact and what are they designed to do? Is it something truly malicious rather than what it's composed of? And in my day-to-day work at WILPF, especially in our disarmament program, we're really active in following a lot of weapons treaty processes and fora across a huge span of issues. And cyber weapons don't really have a home in these spaces necessarily, although cybersecurity is discussed each year at the first committee when states meet for that. And I think that this is maybe a good question that we could come back to later. Should space be made within existing weapons fora and processes to account for cyber weapons and related technologies? And how can the cyber related risks and vulnerabilities of existing weapons systems be better addressed in those fora as well? Now, there has been one relevant initiative to control cyber weapons from within the arms control world that I feel I should share. This is through something called the Wassenaar Arrangement, which is not a treaty but a voluntary export control regime established in 1996, I think. It has a little over 40 countries who are members. They're all significant arms exporters. And the arrangement is a way for them to exchange information about the trade of weapons that are included on their control list. And it applies to conventional weapons. But in 2012 and in 2013, that control list of the Wassenaar Arrangement was expanded a little bit to include things like intrusion software, telecommunications interception equipment, etc. And in December 2019, it was expanded a little bit further again, although over the years there's also been some pushback to that. And there's been some exemptions made for some of these things, reportedly because of pressure from cyber security firms who are manufacturing products that are now falling under these controls that they don't like.
And sort of along that line, but maybe turning to the human rights community. In 2019, the UN special rapporteur on freedom of opinion and expression called for an immediate moratorium on the sale, transfer and use of surveillance technology. In November 2020, the EU updated its export control system to include dual use items, although some human rights organizations feel that this measure is not going to be strong enough to really make meaningful change. But the reason underpinning these steps has really been because there has been an outflux of digital surveillance tools coming from a lot of EU member states that are often being used by foreign governments or other authorities against civilians. And I think that this opens up a really interesting question when we're talking about cyber weapons. This is obviously, it's hugely problematic for lots of reasons. Maybe these are less prevalent in state to state cyber conflict, though. So are we thinking of these items as cyber weapons in the same way, or maybe as a subset of cyber weapons? This has prompted the human rights community to take a sharp interest in this topic, but peace and security and arms control, maybe less so. And, you know, some of the manufacturers of these items, well, they're all mainly private businesses who only produce these kinds of products. But it's also important to remember that some of the traditional arms industry and arms manufacturers are also getting into the game and producing these kinds of items. So my final point that I want to leave you on, which I think is really relevant to the theme of this conference and looking at security alternatives, is that while some arms control agreements are relatively uninspiring documents, there is a whole group of weapons treaties that have grown out of what we call the humanitarian disarmament movement. And what that means, well, first it means taking a disarmament approach over one of arms control. They're not necessarily the same thing.
But humanitarian disarmament really means approaching weapons issues from a people and planet first policy. It means wanting to stop, to eradicate and to prevent the human suffering that's caused by diverse weapons, and has human security at the core of this movement. And usually the treaties that have grown out of the HD movement are all ones that have really been led by strong civil society campaigns and coalitions and have been progressed through close cooperation with progressive governments. And I feel very lucky that I've been able to be a part of many of these movements over my career. Some of these treaties include the 1997 Ottawa Convention banning anti-personnel landmines, the 2001 program of action on small arms that I already mentioned, the 2008 Convention on Cluster Munitions, the 2013 Arms Trade Treaty, and the 2017 Treaty on the Prohibition of Nuclear Weapons. And, you know, Evelyn, when you made your comment before about the tree and the branches, I was kind of thinking about this because all of these different campaigns and movements and treaties have really taken inspiration from each other, and it's been sort of a progression over time with new generations of activists in different supportive states kind of taking the lead. So what I would like to see, and this is my closing point, I've probably gone over time, in the area of cyber arms control is the same kind of coming together of concerns about human rights, humanitarian and environmental impacts of cyber weapons that inspires actions to limit them or to prevent their development entirely. I don't feel that this motivation has been quite as strong in the cybersecurity, cyber peace community as maybe it is when talking about other security threats or other weapons issues. I know that some groups like the ICRC in particular have been doing really good work lately to lift up the human cost of cyber operations and put more of a human face and dimension on the problem.
In the OEWG, we did hear more calls for a human centric approach to cybersecurity. It hasn't been fully articulated yet, but it is a starting point. Yeah, so I guess I will stop there and just ask, you know, how can we use this as the basis for a conversation and for action towards cyber peace?
Thank you so much, Allison, that it flowed so beautifully. I mean, just to reiterate again, and it's actually important to even perhaps try to link the two in terms of what Evelyn was talking about, the national issues and the national waves and the domestic pressure on states and perhaps the humanitarian disarmament view on it and perspective. And if this naturally means that the population needs to become more alert to it and so to build that movement is probably paramount in that sense. And given that we are also running a bit with the schedule, I'm going to quickly hand over then to James who will then take us through some of the barriers that exist and may have been mentioned early on, some definitions, et cetera, and how we can overcome them. Thank you, over to you.
Thank you so much, Amir, and thanks for such a fantastic lead up. I feel we know that there's not much left to say here. Allison and Evelyn really covered the ground superbly. And I really want to endorse their approach to saying we need to think about cyber issues in terms of human security, in terms of focusing on individuals, their wants, needs, desires and potentials, and not just human security broadly, but actually for different people with different contexts and identities. Thinking about diverse identities, thinking about gender, thinking about the kinds of plans and projects that different communities want as well across the world. So that's the overall frame in which I think this conversation is really taking root and it's one I want to continue in my remarks. Unfortunately, given that Allison and Evelyn had such a fantastically crystal clear analysis, you know, it's very bright and very precise.
It's my role on the panel to sort of bring some of the clouds, right? So we get a bit of sort of doom and gloom overhead, it gets a bit dark, it gets a bit gray. And this is because I'm going to be talking about the obstacles and the challenges that we have to overcome to get towards a real reckoning with the industry and the environment we're talking about. But the keyword there is overcoming, right? So there will be a bit of sunshine at the end, maybe I can point towards how we can try and, you know, lift ourselves away from these clouds and sort of get through them. I'm going to start, as Allison rightly suspected, with some definitional questions. They may last a little bit longer than I want, but they are important. I'm going to turn on to three distinct issues around cyberweapons and cyberattacks and the control of cyber technologies that are really important and are both logistical and political obstacles in this space. And then finally, I'll turn to maybe ways we can look to different kinds of actors and how they might collaborate to overcome these obstacles. So first of all, well, should we be talking about cyberweapons, right? It's in the poll, we talked about it so far, but there are limitations to the term, right? And I'm actually going to shift away from cyberweapons to talk about offensive cyber capabilities. And the reason I do this is because the cyberweapon term for me gives too much of a tangible object-based focus on what is actually a broad spectrum of capabilities. It brings together lots of different aspects that then act as views in coordination, right? So it's not a weapon, it's very difficult to think about it as a gun or a missile or something like that. That leads us down not very productive analogies. So I want to talk about offensive cyber capabilities. What are these? Well, they're the combination of not just technological innovations. Sometimes these are very creative, sometimes these are very unique, but often they're very widespread.
But also individual skills, right? The capacity, the knowledge that people need to use these. And also bureaucratic elements as well, right? Aspects of institutional organization, right? Direction, funding, these kinds of things. These all come together to enable states and other actors to use offensive cyber capabilities. If you just have the technology, it's not going to work. If you just have the people, it's not going to work. If you just have the institutions, it's not going to work. You need all of them. And that's why we talk about offensive cyber capabilities and their use, their proliferation. That's the core of the problem we have here. Now, once we've got that sort of minor definitional issue out of the way, the next question is, well, who's using these, right? Why is it such an important problem? But why is it also such a difficult problem? And one of the answers to this question is because they are very much not in the hands of states alone. So we have widespread around the world. There are lots of companies, lots of private actors, lots of non-state actors that are not companies. We're thinking about criminal groups, this kind of thing, that are using these capabilities. So they're very widespread and they're used by different actors. So just thinking about the kinds of comparisons we were leading into this debate with, some of those were things that are very much under the control of states or specific parts of states, especially the military and security area. This is very much not the case with offensive cyber capabilities. So we have to think more about not just the kind of actors that own and operate the internet, right? That's very much a largely private-sector-based enterprise, but also those people who are trying to pick holes in the internet also as being in the private sector, also having very commercial motivations. And then we have to think about the environment itself.
I said because there's lots of different kinds of actors, we're actually in a very different scenario to where we are in lots of other proliferation spaces, where these capabilities are not scarce, at least the vast majority of them. There's a lot of different ways to identify vulnerabilities in digital devices and networks. There's lots of different ways to exploit those vulnerabilities and many of these are almost freely available. Some of them you can download and they're pre-packaged, others take a little bit more work, and there's only a small fraction of those that are high end, that are really high value, and it's shared very tightly within a very small group of actors. So we're not dealing with an environment of scarcity here, we're dealing with an environment of plenty, and that's very different and very difficult to control in those ways. So we have this sort of complex environment that we have to deal with. Now what are the key issues that arise in this environment? I'll talk a little bit about the question of human rights priorities for key actors. I'll talk a little bit about dual use as Allison introduced earlier and I'll talk about the question of what a destructive attack is, right? And this gets to the heart of what a cyber weapon should really be. In terms of dual use, because maybe that's hard to believe but it's almost the simplest place to start. The dual use frameworks that Allison introduced, such as the Wassenaar Arrangement, they're really designed to have limitations on technologies that could have both civilian or military uses. So it's not to say we want to ban these technologies. The whole thing recognizes that they have both options and all states have to do is take an assessment based on the risk at the time, based on the particular context, about whether they should export it. So it's a control list, it's not a ban list, right? That's an important distinction. And the distinction that's based on is between these civilian and military uses.
Now hopefully from the 45 minutes we've had so far, you probably get that this civilian and military distinction doesn't really work in cyberspace, right? It doesn't really work for cyber weapons or offensive cyber capabilities. And instead you have a slightly more complex distinction. You have one between legitimate security uses, right? And this is what the cyber security industry really pushes for, saying that we need to be able to use a lot of these technologies that are on control lists in order to find holes in networks, to find vulnerabilities, not to exploit them but in order to patch them, right? And it's one of the structural features of the way that our digital technologies have developed, how the internet has developed, is that it's pretty leaky, it's pretty holey. And the way we cope with it is by patching it constantly, right? Just like on the ship running around trying to fill in the holes. That's how it works. There's a problem, right? This is a structural issue. We should try and solve that issue. While we're solving that issue, we have this problem about the dual use where we need these legitimate security technologies, right? We need people to be doing this research to find vulnerabilities and to communicate them widely so we can patch them. So when you're thinking about controlling the export of offensive cyber capabilities, what you're saying is we want to stop people using them or finding these vulnerabilities in order to exploit them for malicious aims, but we don't want to stop people finding them so they can communicate them and make our systems more secure. That's a very different distinction. And it's one of the major obstacles that has appeared throughout the discussions of export control that Allison mentioned. The second key area of sort of challenges is this question of priorities for key actors, right?
And we talked a little bit about the Human Rights Office in the UN really calling out surveillance technologies and spyware technologies as being connected to human rights abuses. Not only human rights violations of privacy or freedom of expression, but in some cases, especially in authoritarian states, being connected to arbitrary detention and torture as well, because of information found on the devices that were accessed through the use of these technologies. So these are clearly human rights violations related to such technologies. Now a lot of the states and other actors, the private actors as well, do not prioritize this kind of issue. They see these technologies as being crucial for national security investigations and this comes up in the rhetoric again and again. They say we need them to catch criminals and terrorists, not to be associated with human rights violations. So this question of bringing human rights and human security onto the table, putting it in a dialogue with the state priorities, recognizing that it is as important as other national security purposes, is a really important part of the debate. And so far, often, these two conversations really pass each other, right? They don't really understand where the other one is coming from and that's one of the really important obstacles. The last one I want to talk about is this question of destructive uses and other kinds of uses. If we think about the surveillance technologies, what they really are is gaining information, right? They're taking information from devices. Now you can use that information in a variety of ways, often associated with human rights violations in the kinds of abuse cases that are really well documented in both UN reporting and NGO reporting. But it's still information gathering, right? It's still taking information.
There's a whole different set of concerns around cyber capabilities that are about disruption, around stopping systems working, whether that's encrypting data or manipulating safety controls, especially in industrial control systems. And these are very different concerns. The problem is that they both start with access to the network, right? So you can use an initial vector of access, a way to get into a network, and then decide what you're going to do once you're in the network. It's a bit more complicated than that, right? You can lead one way or the other, but that's generally like the real problem that we have. The actors can decide how they want to use their access once they've got there. And that means that it's very difficult to know whether it's going to be a disruptive or destructive use of such capabilities or a mere, right, I'm putting mere in big quotation marks, intelligence gathering work, right? Because they can be equally serious, both for national security and human rights concerns. So that's the third major obstacle. Now I'm going to close out, because we don't have that much time left, just to say that the only way we can really try and overcome these obstacles, right, see a ray of sunshine after all these clouds, is really to bring together different stakeholders, right? We have to understand where states are coming from, what they want to use these capabilities for. As Evelyn said, they are likely to be used, right? And they are being used regularly at the moment. We need to understand how the industry works, right? What the market is? What are the commercial dynamics? What are the levers you can pull? What are the regulatory pressures you can introduce to try and control and limit the proliferation of offensive cyber capabilities in this domain?
And then finally, you need civil society, not just to provide expertise and reporting that we see now, but really to lobby and introduce, you know, much better understandings of what the risks are for these offensive cyber capabilities, right? Putting human rights risks exactly on the table, really holding companies and states to account when they say they're going to investigate abuses or misuses of their technologies in this way, right? That's really a role civil society is performing now and can carry on doing. So there are ways of overcoming obstacles, but we have to look at the different capacities of different actors and we have to see what they bring to the table and if possible try and get them to work together. Thank you.
Thank you so much. For a moment my cursor went vanished and I thought I was under offensive attack by cats, but nevertheless, thank you so much James for that ray of sunshine, multiple rays of sunshine actually, and just underlining again the human security aspect of the discussion and how important it is again to bring that to the forum, given that the national security debate has overshadowed the human security portion. And this is maybe one of the key takeaways I think that we all are having as the audience and as listeners to this wonderful talk, and I can see some comments as well that come in to that effect. And it's also time for us to maybe launch the poll, and our technical team will share that with the audience right away and you'll see it coming through on the chat. And while that's going to happen I'm going to take a minute to share with the audience the questions, and here we go.
So what we've done is to provide a quick check with everybody here and the audience, and it's really a fast poll. And the idea behind it is to try to imagine the possibility, so try to imagine what's the journey from a norms discussion into the codification, into considering to some extent what a human centric legal framework could look like. And so we've had a whole lot more options but we've selected five because of time to show you, and maybe you can just quickly run through them while the audience is getting the link and polling right away as a live poll. And so first thing is what we've put up for the audience in terms of choosing from a desirability point of view is how desirable is it to reduce the proliferation of cyberweapons, whether to state and non-state actors. And you see as we go through, some of the terms might remind you of other arms control treaties that we have, and this very clearly is in some way in a sense to the Nuclear Non-Proliferation Treaty. The second one over here, regarding the self-neutralization text, finds a home in a sense in the land mine treaty, which actually has some provision around providing a time limit for land mines, and given that offensive cyber weapons and that are programmatic and those can be done, this is again another way of putting in a time limit on a cyberweapon if it's needed to be had in the first place. And I know Allison mentioned disarmament versus arms control, and this is maybe more on the arms control side of it, but just as an example. Again, the third one is indiscriminate consequences of weapons, and that's quite clear in IHL. However IHL, as we mentioned before, kicks in during an act of war, a legal conflict existing, and so this might provide coverage for times of peace per se. So that's on the third one, again desirability, one being very desirable, five not being desirable. The next one, and this the fourth one of five, it's actually a mechanism that allows for states, assuming that states are party to
this agreement that we have at the end of the rainbow here, if somehow through error or through contravention of law a cyberweapon is used, a state that is attacked requires ways to quickly patch up its systems, for example, etc. And this also could very much come into place when we mentioned earlier on, and I think was touched on, regarding automated defensive mechanisms, AI based cyber defense routines which might want to counterattack automatically, etc. So in some cases such a mechanism could be handy. And lastly, regarding this one, is more specific around requirement on states to actually communicate what they know if they are aware of zero-day vulnerabilities. We didn't touch on this zero-day specifically in the talk, but briefly, these are the holes or vulnerabilities that are identified, and that very first day of identification, being a zero-day, is when systems that are affected are most vulnerable. And so if a state actor becomes aware of it, and those could impact say hospitals, dams, power stations, nuclear power plants and so forth, core parts of the internet, etc., as mentioned in the abbreviations there, CI and CII, those would become obligatory for states to disclose that. So this could be again something that we could potentially look forward to. And the questionnaire that the audience has repeated itself again, the same arms control elements, but now at this stage it goes into feasibility level of gathering your opinion. And as you can imagine, some of these arms control elements could be more feasible because states will generally again agree that they wouldn't want necessarily the further spreading of cyberweapons in a sense, because it will impact their own national security calculations, for example, if taking that rationale. However this, for example the last part here on zero-day, that's quite an important asset for certain countries and to give that card away might be not feasible in a sense. Not to give answers to our audience in that sense, but these are some of
the challenges that we have when it comes to this area and how to plot a path forward. So I hope the audience has had a chance to answer the questions, but we had one question, so maybe we can tackle that if possible and then we can have a look at the results and see how that is looking. And I'm just going to stop screen sharing here. We had a question around, and I'm going to read it, preemptive defense terminology specifically. So how could we control, prevent creeping in of preemptive defense terminology, especially regarding cyber attacks? And I have a feeling I should maybe ask James to have a go at that one.
Thanks very much Amir and Robert, that's a really great question. I'm going to just highlight three ways in which this kind of terminology appears and then maybe what we can do about our leap to the other planet. So the way it appears first is in terms of the kinds of people who are doing what I call legitimate security activity, this penetration testing, looking for vulnerabilities in order to patch systems. They often call that active defense, and this is where you see preemptive defense. You're red teaming, you're going outside your networks in order to try and defend it. That's one kind of way in which you see preemptive defense appear in the cyber world. The other one is in terms of organizations that are being sort of subject to the cyber attacks actually going out and responding to them by doing hacking back. This is something that you often see comes up occasionally in policy debates. It's very controversial, especially when done by private companies. And the last one is a sort of big strategic question. You get a shift in especially the US towards what they now call defending forward. That's the current US cyber strategy. That means being in what they call adversary networks, maybe there's gray space, maybe it was an adversary to be defined, but you know, going out and doing exactly that, right, preemptive defense, defending beyond the boundaries of the US. Now these are very
different issues, they're different, very different ways in which preemptive defense appears. Some are more legitimate than others. For me, I would try and maybe control and limit the kind of uses of active defense in terms of legitimate security research, penetration testing. For defending forward, you have very different kinds of questions about what does that do to our relationships, what does it do to sort of assumptions about how the US should lead the way in cyber norms.
Thanks so much for that comprehensive but summarized answer, James, that's much appreciated from the audience I think. And let me just quickly try to turn to another question that came up, and Allison, I think you also mentioned it in your discussion earlier on, regarding whether cyber weapons should have a home in that sense. And that was a bit of an open question and that's interesting to try to figure out, because as a linking it to the Open-Ended Working Group's reports, where there was very very brief parts of it mentioned some sort of a legal framework in the coming future potentially, etc., some ideas around it, because some states are pushing for that versus, as we mentioned, other states are pushing for norms only approach to this. And so if there is a weapons based process to go forward, there needs to be a home, and so I thought maybe we could spend a minute possible on this question and then we can also then maybe jump to the poll. I see some answers are coming in rapidly.
Thank you. I mean I can further expand on my initial question, I think. And to some extent the OEWG, because there will now be a second one that will last for five years, is becoming the home within the UN disarmament machinery, I hate that term, for these talks. But you know, I think going back to the point that I said before, a lot of it is really focused on state behavior and not so much on weapons or capabilities. I really appreciated James's parsing that out a little bit and unpacking that. I think that's a really important distinction
to make. I do think that what would be important or helpful in some of the other fora that relate to existing weapons systems is a bit more of a discussion or action around the cyber related vulnerabilities of those weapons systems. For WILPF we see this as yet another incentive to move us toward disarmament, it's yet another risk that we need to think about, but we don't really hear a lot, you know, nuclear NPT meetings or Arms Trade Treaty meetings talking about the risks posed to nuclear weapons systems or how illicit arms trafficking is also facilitating, or how internet technologies and communications technologies are facilitating illicit trafficking of conventional weapons, for example.
Thank you Allison for that, much appreciated, and I think maybe some of those elements might be coming through the poll results. And I'm conscious of time, we have gone over slightly, and I know James you have a hard stop, but we'll try to finish before that time and I know we have to jump, so let's quickly share with you what the audience has done and shared with us. So as you can imagine, this is just to briefly run it through and then we can try to see if there's nuances that any of the panelists would like to cover, please, you're welcome to. Around the prohibitions there's been overwhelming support for wanting that element to come true in that sense, whereas on the self neutralization it's somewhat desirable, and it might have to do with, I saw some of the comments as well on the chat talking about we shouldn't have them in the first place, so it might be, you know, in that sense bit more radical. Then there's broadly a broad agreement so far from what we can see, again this is just the audience poll, that shows again banning indiscriminate consequences, I think that's not so surprising, right, and same with the disclosure part of the poll, so requiring the disclosure of weapons if there's a contravention, as well as the zero day vulnerability portion. So those are the desirable part and I think everybody desires
the pot of gold, and but the feasibility we can have a quick look and we can see the audience desires just as, you know, if you were thinking about it in a human centric point of view, but the feasibility aspect we can see tails down a bit on the first one, whereas actually on a technical side of neutralization as well as on that one is again majority views thinking that is feasible, thinking same around a peaceful time and indiscriminate consequences portion as well as disclosure as we mentioned, and somehow spread over on the zero day side of things. So this is what the audience is saying, and I don't know if maybe somebody in the panel would like to, if they've noticed something interesting that they would like to touch on while we've got a few minutes perhaps.
Very quickly, I think this is really fascinating, especially given the difference between desirability and feasibility, right? It tells you a lot about what the kind of problems there are in the question of offensive cyber proliferation. Everyone agrees that there is a problem here, they might not agree there's the same problem, but they agree there's a problem. But in terms of the feasibility of actually crafting stuff that works and doesn't limit other desirable activities, this is really hard, and so I think the audience, complete kudos to them for recognizing the difficulties of feasibility in this space.
Thank you so much, and I don't know, maybe Evelyn, would you like to also comment?
Yeah, just shortly, I think it just really shows the necessity to build on already existing normative frameworks, because like if you can show people that it's not only desirable but it's also possible, that it has happened with other weapons, that there are already like very similar norms out there in either human rights law during peace times or international humanitarian law during armed conflicts, like not to take it a bit away that it's something so much new, like in a sense it already exists, we just have to make it a little bit better,
we have to extend what is already out there, I think the resistance could be like diminished a bit, because the problem is that if people don't think that it's possible they're also not going to do it. That's a huge problem there, like if you to get them like enough actors on board the feasibility thing is really key. And I think a way to do it is to build on already existing examples where it has happened, or like norms that are already prohibiting certain things, like international humanitarian law already like prohibits that attack on civilians and civilian infrastructure no matter what, by which way really or by which method, so that also covers the so called cyber weapons. It's just to show that it's not so much new as people might assume.
Thank you so much as well for actually bringing back that on the table again, that these are actually possible, there are existing frameworks and we can lean on them and extend them versus starting from scratch. And I'm again conscious of time and we had planned for a quick concluding remarks portion, and perhaps if you could do that and then end the session, if that's alright with everybody. Allison, unless you've got a comment on the graphs, maybe you could combine it with your
All good. Thank you.
Let me just, thank you so much, to start the screen sharing, and perhaps James, would you like to go for the concluding remarks and we can reverse the order, and that seems, thank you.
Yeah, I would just build on Evelyn's last remarks. I think that's really important that there are important lessons we can learn from other domains, right? Because this is technologically sophisticated, right, bureaucratically complicated, that is not a unique feature, right? All these other domains are equally technologically sophisticated, they're equally bureaucratically complicated, right? It's all about political will, it's about recognizing the requirement to do something in this space and putting on the table, getting the right coalitions of actors. I'll go back to my remarks: industry very important, state very important, civil society absolutely essential, and bring them together to achieve something in this space.
Thank you James, and hopefully with one of the things we will try to aim for is to make this more representative at the next time we have a session about this topic. Thank you for that. Allison, would you like to also, for your concluding remarks?
I didn't really prepare any concluding remarks and I feel like we've covered so much ground and I've now got like too much in my head that I would want to comment on, but I see that there is this question here of it being a question of political will, and absolutely it is. And I think, you know, what we can do more of is more to change the narrative and do more in advocacy and in public awareness raising. I mean, this is the first time I've seen a poll like this done in a public event and I think the results are really telling when you look at the desirability versus the feasibility, and it would be very interesting to do this in a national context and see how people really, how they see cyber security and what priorities they would like their governments to be pursuing for them. So yeah, nothing groundbreaking to say at the end, just has been a really
really interesting and good discussion with all of you.
Thank you so much Allison as well for that and also for taking the question that we had that came in a short minute ago, and Evelyn, please.
Yes, thank you Amir, it is really shortly. I think I would just like to emphasize that before going into the details of how such an agreement would look like, I think we should really start from the values, like really thinking why do we want these agreements, like who and what do we want to protect. Like really go back to the ground, like in the sense of why do we want these agreements, so we really know. Like it's better like for their own up the motivation of ourselves I think, but it's also like a very important, as Allison mentioned, to have a good narrative, like to have a good story why this is important. Because like if you want to convince people you cannot just really tell them it's we need to have it with the other one to know why. And that is why I think it's found to it's found the really basic values like for a human dignity, human well being, also as Allison mentioned. Yeah, we're planning for future generations in a sense, so and it's easier I think also to find agreement there, like you can create a common ground first. Because people often tend to disagree when you go into the details and it gets very complex and you discuss on the definitions, like what does it mean and everybody understands something different. But on the values usually people can agree more easily, so just to like pave the way for a common ground. Thank you, and thank you Amir also for your great moderation of this event, thank you everybody.
Thank you so much again to all of you and good to have you, and thank you to the audience for the questions and everyone who has been organizing, and much appreciate everybody's time. Thank you, have a good evening.
Thank you.