 Good afternoon everyone. Welcome to policy at DEF CON. This is navigating the digital frontier, advancing cyber diplomacy in a connected world moderated by Christopher Painter. So a few announcements before we begin. This talk is being hosted on the record. It's being recorded. So as such please make sure your cell phones are silenced and if you ask a question please come up to the mic and speak into it so that we can capture it in the recording. Also as a policy please make sure if you take any photos you don't do so without the explicit permission of everyone in the frame. But yeah with that I will pass it over to Christopher. Great well welcome everyone and I know it's been a long day and it's the end of a long day so what better what better thing to talk about than diplomacy in cyberspace? I should say this is the um it's turned out to be like the world's most dangerous panel because two of our panelists had to cancel one for a family emergency one literally fell into a black hole so they got black hole and uh they're okay but we've been able to field a great group of people rather than me read their their bios I'm gonna actually just have each of them do a short introduction that we'll dive into the substance. Basically this is a pretty broad ranging panel because when we talk about diplomacy in cyberspace it means a lot of different things. There are negotiations happening in the UN both on the rules of the road in cyberspace particularly for nation states but not just nation states. There's a new cyber crime treaty being negotiated in the UN right now which has uh there's lots of different moving parts of that there's lots of other work internationally there's capacity building work uh that my organization uh which I'll talk about in a little bit as doing uh and others are doing on this panel as well there is um standards bodies there's a whole I mean there's there's a huge dimension which is great because for years we tried to say look cyber is important as a technical issue but it's also important as a policy issue particularly as an international policy and diplomatic issue uh and that was often a struggle you know uh I for myself I was in government for a long time 28 years doing uh as a criminal prosecutor uh then at the White House and then at the State Department as the first cyber diplomat uh by successor in the room I see so uh uh you know and and when I created that office that was the first one in the world no one who was thinking about this at the time but now it's really taken off there about 45 countries who have cyber ambassadors or diplomats so this really has become an issue and and one of the things we want to impress on all of you is you may well ask well why do I care we'll try to like make the case of why you should care about this and all the stuff that's going on but with that without any further ado let me go down the line have each person do a little intro from the cells Monica thank you Chris and guess I can pull it okay I'll just speak like this um I'm delighted to be here thank you all for coming uh my name is Monica Riz I'm a senior government affairs manager within Microsoft's digital diplomacy team I'll be very brief in my introduction because I know you're gonna circle back with additional questions but I will say one of the main reasons why I was excited to join Microsoft prior to when I worked at the Hewlett Foundation which was my previous job was because there is a company like Microsoft that has the digital diplomacy team and is engaging in these issues that Chris made reference to and so I'm happy to dive into that a little bit more deeply um but certainly to me it's it's a topic of very much of interest and I'm happy we're making space that I've come to talk about it thank you thank you um good afternoon everyone uh my name is Maurice Kent uh I am the deputy team lead uh for USAID's cybersecurity capacity building team uh based out of Washington uh it's a relatively new team it's about two years old and it joins uh kind of a broader collection of digitally focused teams focusing on you know cryptocurrency on AI on digital connectivity uh uh digital skills all those kinds of things um that USAID uh pushes across all of our projects and I can explain a little bit more about how what our agency is and how we fit into the broader USG uh cyber diplomacy and development uh space and then talk a little bit about all those pieces as we get into it so we'll leave it there. Alright thank you good afternoon everybody uh John Banghart I am senior director for cybersecurity services with a firm called Venable um my background includes time at NIST, time at the White House, time at center for net security, time at Microsoft, I've been at this for a while I've been a lot of different places I'm probably the least diplomatic person on this group in terms of my background um but I'm gonna talk about public-private partnerships I'm gonna talk about international standards and why that's important and why you should care so looking forward to it. Thank you uh hello everybody my name is Orlando Garces I'm a cybersecurity program officer of the Inter-American Committee Against Terrorism of the Organization of American States uh happy to be here I think uh we have to do a lot we have to work a lot on on diplomacy in the region so uh we look forward to have a great conversation uh we in the uh cybersecurity program uh we uh work in three different areas we work in policy development cyber policy development uh also in capacity building and then research and development so uh great to be here. Great uh and um you know I I should say John you say the least diplomatic uh people present here some of the some of the least diplomatic people I know are diplomats so uh um so you know broad range of backgrounds uh everything from public-private partnership in this area to um uh to some of the capacity building and regional work that the OAS is doing so what I want to do is just to set the stage a little bit have each person talk about what they did one of the things I do now is I run a foundation called the global forum on cyber expertise which is based in the Hague that has a bunch of countries civil society companies part of it that does capacity building around the world helps helps coordinate it Microsoft is a member for instance the US is a member many others are a member um USAID we work with a lot of for instance and OAS is uh a member and partner so um uh but I'd like to get each panelist to give a little perspective of this kind of broad topic and then we'll dig it down and put a little more questions try to make this as interactive in the conversation as we can all right so I will dive a little bit deeper into Microsoft's digital diplomacy team and then um give a little bit of color in terms of how we engage international delegations how we try and plug into what is happening at the UN as Chris said in the context of the open and working group as part of the first committee certainly the ad hoc um committee focusing on the new cybercrime treaty um so the digital diplomacy team is small and mighty uh you have about six individuals um based all over the world so you have one colleague in Redmond headquarters myself I'm based out of DC I have three additional colleagues uh based out of different places in Europe so Ljubljana, Slovenia, Vienna, Austria and Prague Czech Republic and we have one last colleague based out of Singapore and ultimately what the digital diplomacy team does is we advocate for responsible state behavior online and also call for rules of the road um more accountability in the space in terms of the the 11 norms of international uh state behavior that were agreed to in the context of the group of governmental experts and that were then reaffirmed in the context of the open and working group and so we try and provide an industry perspective across these dialogues um and there are different ways that we interact with um the diplomatic community in the context of international cyber norms so we uh try and plug into what is happening in the open and working group unfortunately we've applied numerous times to be accredited but uh we keep getting vetoed by a certain country and so we do not have a formal stakeholder um role you can you can say what the country is okay the Russian Federation keeps that he would be doing uh Microsoft from actively engaging in discussions but we still have found a way to contribute to different delegations that are actively shaping these discussions and so we have been um honored and and and lucky to be able to have a not a voice in the room but certainly a seat in the room at the same time we organize uh numerous different events on the sidelines of open and at working group discussions whether it's around supply chain security whether it's from the issue of cyber mercenaries certainly issues that are being talked about in the open and at working group and how that sort of feeds into what is um ultimately making part of the annual progress report that actually just came out at the end of July last month um so that's one way we engage at the open and at working group we organize side events with delegations we also try and identify what are different stakeholder communities that we can plug into so think communities like the pairs call for trust and security in cyberspace the biggest multi-stakeholder community of industry government and civil society that is once again i'm sorry for my voice here is once again trying um to to call out certain behavior that's happening online across different states and how the stakeholder groups can can contribute to to more accountability in this space and the last thing i'll say we share information as a company in terms of what we're seeing in the broader digital ecosystem so we have something called um the microsoft digital defense report that essentially um it's in like it's an assessment of roughly like 43 trillion security signals that we see every day it's assessed by roughly 2,500 security experts within microsoft and we push that out every year but at the same time we'll organize different briefings for different delegations that provide a little bit more color in terms of what we're seeing in the digital ecosystem from our standpoint and how can that um add a little bit more color to the discussions that are taking place more internationally the last thing i'll say is since the team is uh all over the world spread out regionally we're starting to plug into you know what our colleagues at the OAS are doing our colleagues in the OSE are doing because in large part different issues uh sort of resonate differently across different regions and so we want to be able to A contribute to that but certainly plug in and have clarity on it so um yeah happy to take questions afterwards so thanks amonica and i'd say a couple things i mean i know some people in the room are familiar with some of these things how many of you know uh what the open end of working group is okay smattering a small smattering uh so what's happening is you know now that people have woken up to cyber being an important policy issue there's a lot of activity that's happening maybe too much activity in some ways but the um the un has two processes going one is to negotiate a cyber crime treaty and we'll talk more about that a little bit but one is to bring all the countries of the world so it's all 191 un member countries together which could be kind of a cacophony you might imagine where where they try to endorse rules of the road voluntary rules of the road for cyberspace things like don't attack the critical infrastructure of another country when you're not in wartime when you're in wartime their rules there's the what's called the law of arm conflict their rules that apply both in cyberspace in the physical world but not in wartime it's not really clear so they endorse these set of 11 norms it's sort of like the the movie spinal tap they couldn't come up with 10 they ended up with 11 so they have these 11 norms and they even though they're voluntary their political commitments by all these countries and one of the issues is accountability as money was saying that you know it's great to have these rules but if countries violate them all the time willy nilly what does that matter so so a lot of discussion is around these issues it's a consensus-based process this this group which means everyone has to agree and you can imagine right now people aren't really in an agreeing mood on things especially because of what's going on in the Ukraine and what Russia is doing so so they've been able to make kind of incremental progress but the key things were creating these rules of the road and confidence building measures which are like more tactical ways to build confidence and and create channels of communication so that's what that group has been doing in the UN this last step being done regionally which I'll turn to Orlando next actually to talk about and what the OS is doing because they're plugging into that so but you have these big international settings your regional settings then you have all the other settings okay thank you so first of all I just want to you know say that the the organization of american states is the oldest regional organization in the world uh it's the premier regional forum for a political uh discussion policy analysis and decision making in the western hemisphere uh you know the OS brings together all the 35 independent states of the americas and fulfills its essential purposes on four pillars democracy human rights security and development uh I work for the SICTE inter-american committee against terrorism and as I said before it's the only regional entity whose purposes prevent and combat terrorism in the in the in the region so we have ambassadors from all of the 35 member states that are representatives from from their countries uh the SICTE you know we look forward to promote uh cooperation and dialogue among member states and uh since 1990 I believe since 1990 the organization has been um you know by mandate of the member states uh discussing measures to promote cooperation and uh trust to contribute to stability uh in the cyberspace so uh uh specifically we have work we have done a lot of work in uh non-traditional measures uh confidence building measures uh and uh we have uh to date uh several exactly 11 uh confidence building measure has been adopted by the OAS General Assembly uh specifically in the years 2018 2020 and um that's very important and I will talk about it later and I should say a CBM is uh does not believe with these terms CBM is what sounds like it's the build confidence and transparency between countries that maybe don't agree on everything and even you know even we had this in the the Cold War with uh Russia and other countries so that there was ways for instance a confident a classic confidence building measure is communication channels hotlines things like that uh directories um that's one example of something practical it's not a policy thing so everyone should be able to do this to make sure you de-escalate a possible conflict exactly now finally we the OAS is an active member in all the international discussion uh discussions on uh you know rules norms principles on responsible behavior of countries in cyberspace and uh for example we we uh collaborate with the UN open ended group uh we also uh uh SICTE you know the in the committee against terrorism is the uh GFC E uh regional America's hub uh we are uh working to coordinating capacity building efforts in the region and uh also in the uh well to work more efficiently uh all together so and I'll delve more in the capacity building in a few minutes um thanks for that and that's an example of a regional organization so not you know in the UN but all the countries and you know and the Americas have been very very active for a long time in this which I think has been great um Maurice let me go to you next um and you purchase from a programming standpoint from USAID I remember back when I was the White House and we did the White House uh international strategy for cyberspace back in 2015 um at that time getting you know that what we call the traditional aid the traditional development organizations involved was kind of tough because they're like look we we deal with water and dams and power important things you guys you cyber guys what are you even why are you talking to us but as we all know those things are now all controlled by cyber and so there's been I think a real um not universally but I think USAID has been a leaving edge of like bringing that together so please thanks Chris uh we're working on it um so I will start kind of zoomed in and then I'll zoom out and then I'll zoom back in I think uh over the next few minutes um so crash course in USAID so we uh as you can see I don't work directly in the White House or the State Department uh kind of two organizations that would be leading on cyber diplomacy um we're on the development side and if you think about kind of the breakdown of diplomacy international development and defense those are kind of the three ways that the three D's of US government policy uh over foreign policy um AID so the Agency for International Development uh is an independent agency that manages the majority of US foreign assistance so that means we work in 70 or more countries more than 70 countries around the world where we have offices um and uh deliver um technical assistance training through disaster response um uh equipment um across a wide range of sectors so global health disaster response uh economic growth and energy um infrastructure development uh governance support so help with with elections and that sort of thing um and and agriculture uh amongst others um private sector development and all of those programs kind of as Chris was alluding to some of them the digital components are pretty obvious in terms of critical infrastructure and that sort of thing um others are less obvious but uh you know helping out developing uh clinics and uh medical centers that are working with um both at risk and you know kind of regular populations are generating a lot of data that needs to be protected um and so uh we are slowly waking up rapidly waking up in some cases uh to needing to address the cyber risks uh across all of our programs um as well as now considering cyber security as kind of a key capacity building sector that we might work in uh directly on its own so it's kind of a two tier two level path there um so a couple of things have happened to kind of thrust USAID into this now really expanding US government wide uh I think expansion of cyber diplomacy and really pushing it as a priority across all of the foreign policy we do um from our perspective and this is where I start to zoom out um USAID uh in this administration has become part of the national security council uh our administrator sits alongside the secretaries and that sort of thing um which elevates us into those dialogues um uh which is really helpful for us being elevated in those um the second thing that's really kind of pushed cyber diplomacy broadly uh within USG is the creation of the cyber and digital policy uh bureau uh at state that uh ambassador Nate Fick runs so that's Chris is now second or third uh follower I guess um and uh so that whole bureau is kind of in charge of uh implementing and directing uh US cyber diplomacy uh alongside a bunch of things and then the third thing that happened uh this year was the release of the uh national cyber strategy in March um which has five pillars uh they are you know protecting critical infrastructure both in the US and uh in allied nations um looking at taking down bad guys ransomware that sort of thing uh working on securing uh mark improving market forces and doing things like SBOM and uh open source and secure by default um improving standards internationally uh and so those first four uh the first one on critical infrastructure we have a role to play as an agency USAID does um and we will take guidance on the other ones uh we don't really get involved with you know tracking down bad guys on ransomware um but the fifth one uh is looking at uh thought forging I think is the word they use international partnerships to um promote this uh overall what are the three words defensible resilient and values aligned uh digital ecosystem uh and so that's really where we step in uh is being able to leverage all of the uh foreign assistance resources and partnerships and uh programs that we have in uh building relationships um promoting USG and uh country partner objectives national security objectives um and cyber is a huge part of that and so all of our development work uh is kind of a key component of uh USG uh diplomatic efforts at this point um and we can get into that more a little bit more uh as we get on. So so one of the the challenges in this area is you know there's lots of different communities that exist in the space I mean you guys know this there's a technical community the policy community who don't talk to each other nearly enough there is the economic community they kind of innovation community and the security community they don't talk to each other very well but also there's the traditional development community that does what USAID does and the World Bank and others do and they don't really talk to the cyber people and vice versa very well either in the past that's changing which is really important uh and and one of the things that we're doing um later this year in November in Ghana in Acre Ghana we're having a a big conference my organization GFC in partnership with the World Bank the World Economic Forum and the Cyber Peace Institute to bring these communities together to try to make everything you know every country around the world is now saying we need help uh especially the countries in the developing world are saying we need help in in Africa and the ASEAN countries and others saying in Latin America saying you know we're happy to debate these esoteric rules of like you know rules in cyberspace which are important but we need help right now and so that that capacity building element is drawn through so bringing these communities together is important but also bringing like the community here the the technical community and these discussions is important so the more you know about this stuff the more I think to the extent you can influence it you you can I think there are opportunities to do that I would say however that like in this OEWG process not just Monika's group not just Microsoft but they blocked 30 different civil society organizations including mine too so it's not it's there are some there's some hurdles to be sure the UN was not built for other stakeholders it was built for states but there's still some opportunities John um you know there are a number of things you know Monika has addressed a little bit uh the public-private partnership from you know Microsoft it's a kind of a unique company in the sense that not a lot are really involved in that kind of policy issue uh it's changing a little bit but I think Microsoft has been a leader yet you you you've seen this John you've seen it from both sides you've seen it from the government side too and you know one of the things you know going back to this community issue one of the challenges I've seen is like when the UN wrote this rule it came up with this rule don't attack the certs because they're like the ambulances and the hospitals on the internet I remember I talked to first the former incident response and security teams I gave a key note a few years ago and they had no idea that that was done there was no connection between the people were actually on the front lines and and the people that were making this policy and that's a real problem uh so you see that all the time and I think you also see this in standard in other setting body so yeah no that's that's a great example Chris and I think you know it reminds me of sort of my earlier mental model when I thought about diplomacy you know it was entirely informed by Hollywood right like I was either imagining these people in suits arguing in these big buildings trying to avert catastrophe save us from aliens or whatever the case may be or they were good for nothing no nothing's that the heroes could blame um for uh sort of blame and shame um my mental model obviously has grown quite a bit in a lot of different ways and I mentioned that I'm sort of a non-diplomatic person and what I meant by that is I haven't spent a lot of time doing actual diplomacy didn't really get started in it until 2013 and in fact it was a trip with Chris to in the State Department when we went to Australia um and I actually learned during that that a lot of diplomacy involves good wine and good food so there's a real upside to being involved in diplomacy as well what I want to talk about though a little bit is international standards um and and the relation to diplomacy and the and how we can all influence that how many people are involved in any way in any sort of international standards development I know there's at least a couple hands need to be up because I recognize people so every single one of you are a diplomat right and to some extent and you may not often think about it that way but to Chris's point there is a bit really often a big gap between those of us that are more on the technical side who are operational and the folks that are making policy and international standards is actually a place where we can do a lot about that um one of the questions that that Chris wanted us to address is why should you care right and so I think as you've seen there's an awful lot of policy being made about cyber security right now and I was in a panel yesterday and Peter Brown from the UK parliament made a really really interesting comment he said international standards are foundational to good policy right whether they're technical standards process standards they're foundational to good policy if we don't have good standards if we don't have standards that work consensus standards by the way um then we're not going to have very good policy either we're not going to be able to educate inform or empower our policy makers to make good policy around the kinds of things that we need from a cyber security perspective um standards get used in other ways from a political perspective as well if you've been involved in standards bodies you may have seen this right some countries will sometimes introduce standards into consensus bodies um that very much favor uh their economy right or their region um they may try to stack the deck if you will by sort of overloading um different consensus making bodies or standards bodies to try and drive home the kinds of things that they care about it's one of the reasons that it's so important to be involved and I was glad to see some hands come up for folks that are involved in it and I think I would encourage all of you um to get involved in whatever standard makes sense for you right so for example I'm involved with ISO SC 38 that's cloud security standards that's something that matters to me it's an area that I work in but there are an awful lot of important technical standards out there cyber security standards and an opportunity for everybody to get engaged bring your expertise and whether you see it or not that expertise and what you're doing in that work will inform policy makers it will give them the tools that they need to be able to make good policy which all of us want because if we get bad policy if we get bad regulation because we have bad standards or a lack of standards international standards um we end up hurting our ability to innovate we end up hurting our ability to be able to protect uh the companies the citizens um and and our nations so um I'll stop there I've got some more to say about this hopefully I'll have a chance when the time comes up but again international standards they are diplomacy um in in their own kind of way and super important to policy makers so just keep that in mind. Great thanks so I want to have a little conversation around some of these issues and also brought on to others uh Monica you talked about all the work Microsoft's doing in this area you know as I said pretty unique as a company it's not like the only company that's involved but there's not really any other ones that I think is as active and the kind of policy diplomacy space why is that I mean why why why hasn't been in this grounds well why don't other companies see the value of because what's happening the reason I think it matters to all you guys is what's being negotiated in these UN meetings these you know rooms dark well they're not that dark but they're big cavernous rooms they're not smoking anymore uh in the UN whether it's in New York or in Geneva or in uh the cyber crime ones in Vienna uh you know I think a lot of the folks who it's going to impact are not there and they don't know what's going on and it does make a difference because when people are writing rules of the road and those rules are going to end up applying to some extent to you or the countries you live in and that's going to have an effect but what I think you know your company has gotten that why do you think that hasn't been more of a grounds well with other other companies around the world? Thanks for the question Chris and I agree with you I think uh Microsoft has um for some time you know the mere fact that we have a digital diplomacy team has allowed us to engage in international forums and regional forums more proactively but what I will say is you're starting to see a trend towards more companies trying to plug into this space and I've actually seen this more and more we talked about the ad hoc committee which is the the third committee process negotiating a new cyber crime treaty and you are starting to see companies like Google companies obviously like Microsoft and others try and actively shape and inform a lot of the negotiations that are ultimately going to result in the treaty next year and so um I I do think uh Microsoft has been uh proactive in the digital diplomacy space um and has been and then we certainly plan to continue to and other companies uh are now starting to to be a little bit more more proactive particularly in the cyber crime space I will also say there are you know government affairs teams across major tech companies that are also engaging countries directly versus engaging in international forums so there are there there is certain you know engagement taking place maybe not not not internationally but domestically across different although in the past most of those engagements have been please don't regulate me that's what usually what companies would go and engage on yeah and policy it's a little more esoteric so absolutely absolutely but but there has been that level of engagement but certainly not trickling up to the international stage but but hopefully I'm hopeful more um tech voices will will get involved and in this cyber crime treaties that's gonna be a binding treaty if they can reach an agreement who knows what they can reach an agreement and the rubber is kind of hitting the road on that um so that will have an effect we did a panel on uh digital authoritarism and authoritarianism and uh surveillance and you know how you get evidence and what the rule of law is makes a difference and so it impacts not just cyber security but human rights and other issues going forward um you know Marisse um as I said USAID I think has been taking a leading role recently in this it's uh been to transition um it's sort of the same question for development banks a lot of them still are like this is not our you know this is not our hood we don't we don't do this so so how do you how do you try to model or get other other ones in the development community around the world to get in the game because this is a big issue you know the UN has these development goals I think what are they how many are they 16 I can't remember 16 and they're high none of them are cyber none of them are even you know digital they you know the argument is well undergirds all of them but there's not even an understanding of that I think that they don't understand how cyber security and even digital connect activity applies to those larger development goals and I think they clearly do but there's not that understanding yet um actually uh Chris thanks for the question um I think that the some of the development banks uh the inter-american development bank world bank are actually pretty forward leaning on cyber capacity building um AFDB we've had a little bit less engagement with so far um I think the key question from a diplomatic standpoint is um the limitations or differences of the US government directly providing cyber capacity assistance versus a multilateral organization that has you know various member organizations and partners and that sort of thing that uh share a wider range of political objectives diplomatic objectives uh then US government on its own um and so finding opportunities to collaborate uh in ways that still support the national cyber strategy um are given you know US government objectives in a given country uh and trying to align all those things together is interesting um and that's I mean I'll try to aggregate from a lot of different engagements but um just to kind of put it in place how um our specific work on a given capacity building thing can play a relatively outsized role in terms of uh diplomacy for cyber um you know in a given country uh and there's in this particular example uh I have a colleague who uh is a foreign service officer down there she couldn't make it here and she would have been better to deal with the story but it's fine too bad she's not here uh I'm sad um and so we've been you know working with this country and with uh a development bank to think about how we can combine our money to do cyber capacity building and the the recipient country uh is interested in procuring equipment uh for their cert uh and we say great uh we would love to be able to do that with some of our money um you know our uh mission director and the ambassador and the White House are all aware of this um there's been you know six eight ten months of dialogue between uh the host government and the development bank and uh USAID um and as we move towards actually moving that money along um there starts to be more and more question around you know if the development development bank is implementing all the money uh what sort of restrictions or controls are there in terms of what technology is procured right do the the the technologies that would be procured counter is trusted technologies as far as our money is concerned uh certain things we can't buy uh certain companies we can't buy certain types of technology um and those you know there's a recent executive order uh that kind of touches on that just this week I think um and whereas the development bank uh is able to um and so figuring out how to blend those those monies together um is uh it's a very much a development challenge and like gritty bureaucratic problem that is my day job but not actually being able to consummate that partnership and move things along and respond to the host country's request for help creates a diplomatic issue up the chain um and so that is kind of you know my day to day is country acts comes up and says hey we're interested in getting separate capacity building and we say cool uh are you you know do you want it from the US do you want it from development bank like are are you a close ally are you an emerging ally are you you know and or do you have an existing infrastructure that we can't really work on and okay I'd love to do workforce development and improve kind of your range of cyber capabilities but at the end of the day if your infrastructure is vulnerable does that matter like why am I spending money on that instead of directing everything towards you know ripping out your cables and putting in trusted technologies so it's all very much diplomatic issue even though it's uh development at the end of the day. Chris can I take thirty seconds to add something? Um so just just uh uh to add on to what Maurice was saying you know you mentioned at the start that you can often get sort of multi-organizational type approaches to this and this is true not just with governments but also in the private sector so I'm working with a number of US based companies uh in West Africa for example not Niger we didn't have anything to do with that um but nevertheless we're bringing together technologies just like Maurice is talking about um to try and help these countries build out their capacity frankly to help provide options to other nations um and what they're doing in those countries but there's those kinds of opportunities exist as well and collaborating with government you can still do things just in the private sector on on that piece of it so thanks. Uh well I was just uh you know um OAS there's two things they've done I mean they've done a lot of things but two things that they've done is they've helped countries particularly in Latin America and the Caribbean develop national level certs many of them didn't have certs at all uh before and now they do and also national strategies part of that process though is you try to get these countries to adopt processes where they get not just the government but other stakeholders are involved how how is that going? Yeah well uh one of our main goal goals is to uh you know to try to promote the debate you know promote debate and promote uh you know the cooperation and collaboration mechanisms in order to put in the same table all the multi stakeholders that are involved in the and our part of the cybersecurity ecosystem so uh we have done a great job uh on one hand uh building the Cicerta Americas that's uh that's a network of uh national uh response teams uh incident response response teams we have uh already 41 uh Cicerts of uh whole Americas um and also uh we what what we want to do is to promote uh and foster trust that's uh our main our main goal because uh right now uh you know 15 years ago this just OAS talking about cybersecurity and we were like uh doing all uh you know working in this uh first and second generation of uh national cybersecurity strategies but now there's a number of uh international community actors uh all around Latin America you were saying you know uh um uh international uh organizations such as uh United Nations uh through the ITU and then we have uh you know development uh multi lateral uh organizations like the World Bank, IDB, we have the European Union, CARICOM, uh we have uh uh um also um private companies uh uh working with uh very closely with governments and so you know the policy making processes in Latin America has been uh changing this has been really hard because uh uh there's a lack of capabilities in in uh you know in governments but uh you have to be very coordinated in order to get uh you know uh better results with all the international cooperation some countries are doing just fine for example Dominican Republic they are just great because they have their own agency and they just they just uh know their their specific needs and they know who to call in order to get that done but other countries in the region they are like they don't have uh a strong or robust uh governance models and so there's uh a lot of uh you know um inefficiency there's so uh we are helping uh the region uh uh in order to you know to to uh create the strategic documents and strategic actions and right now uh what we are focusing um you know um we were talking about I was talking about uh the CVMs that uh the region has uh um adopted through the OAS uh general assembly and uh one of those uh most of them are uh based on uh are um um um uh they are dealing with uh cyber diplomacy so uh we are doing a lot of work uh trying to do uh cyber diplomacy uh uh capacity building uh we have uh we have um uh uh we have uh invited more than 800 official public officials of the region through uh more than 20 international law and international humanitarian law uh courses uh so uh that's what uh we are doing right now and I should also give a shout out to a program called the women in cyber program where there's been a number of countries and my organization has been helping run it we brought women diplomats particularly from Africa but also from other parts of the world to the UN meetings and you know the UN not surprisingly kind of a male dominated place cyber male dominated field but now uh last year over half the interventions half the statements made were by women which is an amazing statement so that's another part of a uh community you're trying to broaden and widen uh I want to maybe leave time for a couple questions but I just wanted anyone on the panel to address one kind of elephant in the room which is that look we're in a we're in a tough role right now it's a lot of geopolitical tension there's a lot of challenges cyberspace is not devoid from contact with the real world with the rather physical world uh the way you get countries to work together is they cooperate with each other and they just don't cooperate in cyberspace they cooperate on other things and if they're enemies or they have problems that affects everything else and of course you know Russia's invasion of Ukraine uh has caused uh you know even more uh uh conflict than usual on these international bodies just as a prognosis matter I mean where you think we'll be able to make progress with us these big geopolitical issues which don't seem to be going away anytime soon not everyone has to answer that but whoever wants to answer that are opined on it I'm happy to answer I think I have the least to lose of everybody out here so um yeah I mean to some extent I think what we're seeing now from a geopolitical perspective is cyber as a national security issue right if you've worked in this space you've known that cyber security is a national security issue for a long time but folks that have otherwise policy makers and leaders who have otherwise been uninformed about that now are suddenly informed and now they're suddenly concerned and I think come what comes with that is that greater sense of our interdependence right and I was going to say maybe we can treat it like climate change it's a global problem I'm not sure the way we've treated that has been very good so I guess you know brought that up but nevertheless as a corollary it's it is a global problem right I mean the cyber secure cyber security is sort of like the weather like everybody depends upon it everybody is involved in it and so for me I am hopeful I think there will always be conflict that's just the way it works but I do think there is this recognition that we can really start to hurt each other in cyber security right and I think with this new movie Oppenheimer people have started to talk about it in terms of things that happen there and AI and cyber and all these pieces I don't know if that's a good corollary or not but I do think there's hope I do think we can find a way forward on this because it's it's it's a mutual problem we all share it we can all hurt each other with it so maybe we can try not to and I just say that you know all these countries want to have you know digital transformation they they're betting their economies on that future but without the security as as an element to help bolster that that could fall apart and so I think that's the the argument to try to advance this let's see if there are any questions we only have a few minutes left but see yeah go to the microphone so the talk was concerning like a lot of high level policy change that happens from the top down but when there's a cyber incident from the lowest level we always start at attribution so how do you your guys is organization still with the complexity of attribution as in who did what and how does that inform your policy and diplomacy and decision making choices in that space who would like to jump in on that that's a great question I think that's a really good question and a lot of the conversation at least from from our vantage point has started to shift towards that and in large part so I mentioned the Microsoft digital defense report is something that we put out every year that's sort of given as a kids an assessment of the geopolitical landscape and we as a company have actually started well have been attributing certain activities to certain countries that are behaving nefariously online I think that doesn't necessarily inform what we do we just want to share certain insights for the sake of being very transparent in terms of what we're seeing but it certainly is starting to trickle up into international negotiations of what is responsible state behavior online and how that's how that's being colored one of the key elements in the national cyber strategy is you know encouraging and rewarding is kind of a that's a loaded phrase so encouraging and promoting ethical state behavior responsible behavior responsible use of technologies and you combine that with I think this is a pattern this is my observation as a non I don't know it take off my government hat that this administration recently has been very forward leaning I think in terms of attributing things whether it's you know and using that strategically and if an incident comes in you know a country comes in and says hey we've had an incident we need assistance we're working on as best we can there is a whole you know series of processes that can get turned on the attribution and once we find out what's actually happened is well outside of USAID is concerned that's the you know state department defense and the president and all that kind of stuff we're interested in repairing and recovering at that point so but I you know I think that the caution around attribution and you know utilizing what information we have when we have it is you know that there's been a little bit more of a openness around that because it creates kind of talking to I had the point what you were saying earlier about countries wanting to sort of move forward and oh in terms of what commonalities are there right that that that reduces conflict things like ransomware right for the most part once you have an idea of where that's coming from that is a really shared thing where everyone is getting hit by ransomware it's not necessarily a nation state to nation state issue it can be but if that is something where there's a lot of common interest in identifying where that's coming from and how to reduce it and so I think attribution there's powerful yeah although I would say that sometimes states act as safe havens for ransomware we've seen that and that that's a challenge and also say there's this mystery around attribution it's a stupid cartoon of the dog on the internet which people always quote we in fact attribution has gotten much more sophisticated you know what it when you have when it walks like a dog and talks like a dog it's a dog you know and the motivations of nation states for prolonged conduct are easier to figure out the question is then what do you do about it right so attribution by the bad guys use attribution like the little green men in the ukraine where they had the patches over their arms and say oh it wasn't us unless you have a hundred percent proof well you don't have a hundred percent proof of anything in life so it becomes I think a little bit of a cycle and we have to act and go through the accountability piece let me take your question quickly and then we'll just strap up with a panel because I know we're running out of time so I take notes otherwise I ask bad questions so the gentleman from USA mentioned trusted technologies do you have any confidence in the ability of the U.N. to regulate what the off-duty activities of a lot of cyber warfare members are so you know there's a proliferation of cyber warfare capability in countries that has a large number of trained persons who are ready and capable of doing a lot of these things and our moonlighting and moonlighting and is there a desire to try and regulate that on the U.N. cyber crime bill all right I'd ask anyone to address that and also any closing remarks you have just quickly as we go so I mean I'd say you know there are times when states are responsible for the activity of their citizens and they there also is an agreement even among these U.N. things that if there is malicious activity coming from your border and the country asks you for help you're supposed to help you know you have an obligation at least an expectation you'll either employ your search or law enforcement to help and when they don't that's a safe haven problem so there is an issue we've seen this in countries where moonlight these moonlight groups are doing things that the state doesn't want them to do and that is a problem but often they're also doing something that the state wants them to do we've seen that too so that's that's one thing I'd say about I don't know if Monty can do it. Yeah I know so I think that's a really good question would certainly echo what you mentioned Chris but one thing I wanted to say with regards to the previous exchange we were having is that more attribution leads to more accountability and I think at this point the conversation has in fact shifted to exactly that right like there are 11 norms of responsible state behavior online the conversation is no longer like do we need additional norms I know there's some countries that are negotiating this versus not but how can you actually apply the existing norms of responsible state behavior online and hold those that are actively violating the norms of responsible state behavior online accountable for that. And the problem is some of the international organizations we have are not incredibly well suited this so you know the UN is great in many ways because of the participation of legitimacy but you have the UN Security Council and if one of the bad actors is one of those members of the UN Security Council you're not going to get any consensus what they need resolution out of it they'll veto it and that's that's an issue. And so so there are limits that what could be done so I think we have to also see how you know what they call like-minded groups can achieve. Any other just closing comments down the line before we wrap up. Just really quick on doesn't have to be on that issue like I can't speak to USG's kind of interest or non-interest or position on wanting to investigate a regulator you know handle that sort of thing that's not in my I don't know kind of panorama but I think it is interesting you know that the situation with the Russian attack in Ukraine has kind of created a whole weird situation that kind of dials everything to find 11 but like to 13 like the amount of response from allied nations there and involvement of private sector and then demonstrating what USG can do in terms of response and partners and that sort of thing creates it's just a very unique case and I think fosters a lot of those questions and it's kind of forced all those things to the four so I appreciate your question. It's a global problem we need global solutions standards matter a lot. Well I think what the America's region has done for the last seven years you know to agree all the 35 member states in order to take these diplomatic procedures these routes that are very complex and agreed upon these CVMs for example. It's amazing as a region. I just want to highlight one of them is to encourage the leadership and participation of women in the ICT processes. So we are in the SICTE cybersecurity program we are working on a very specific project called closing the gender gap in the cybersecurity agenda in Latin America and the Caribbean. We are working with some nations for example working right now with Costa Rica in order to include the gender perspective in the national cybersecurity strategy so we are very proud of it and let's see how it goes. And last thing I'll say I agree that global problems require global solutions but they also require a multi-stakeholder inclusion and certainly as we're thinking about the ecosystem that is cyberspace every stakeholder has certainly has a role to play in speaking from somewhere in the private sector you know we primarily own maintain and operate a lot of the infrastructure that the internet runs on and of course government has a key role civil society has a key role so meaningful inclusion across different stakeholders and I know that's an OASCBM I know this is something that's been acknowledged across the different UN dialogues that we've been talking about not only in the ad hoc committee but also at the OEWG and so global problems global solutions but meaningful multi-stakeholder inclusion is what I'd add thank you. Look so I'll just say thank you guys for coming the point of this panel is to the extent you don't know these things are going on they're going on right and sometimes you think oh that UN stuff that diplomacy stuff it doesn't matter to me but it will matter to you and yeah sometimes you want to take your own life during these meetings they're like watching listening to paint dry almost but they do make progress and they do set some really important things that people aren't aware of and I think it's just important to be aware of it there's lots of stuff online you can find out about all these processes obviously you can visit the sites of my organization the gfce.org and the portal we have OAS lots online about them USAID similarly Microsoft similarly so there's lots of good material I also say I'll put in a plug I do a podcast with the Center for Security Internet or Security International Studies CSIS called Inside Cyber Diplomacy which I recommend to you but there's a lot of good material if you want to learn more about this but don't be either willfully or negligibly blind about the stuff that's going on because then you can't complain later on when things happen that make no sense and sometimes that happens if this community is not involved so thank you