Good afternoon everybody, and welcome to this IIEA lunchtime session. We have an interesting one, a very topical one this afternoon for you. This is on building European cyber resilience through defence and diplomacy. That alone is a topic, but it's an extremely dynamic and interesting aspect of international security policy at the moment. That is obviously of extreme interest to many people in Ireland, given recent events. My name is Richard Brown, I'm the acting director of the National Cyber Security Centre in Ireland. Many of you will know we have been involved in cyber security here for many years. We have a very interesting group of speakers today. To begin with, we have either, the order may change, we have Victor Senniecki, who is the deputy head of mission in the European External Action Service. Victor is going to speak to us about the European cyber security strategy and the developing work of the EEAS around Europe's security and diplomatic posture on cyber matters. The EEAS and the European Union indeed have developed a really interesting set of tools, including a cyber security toolbox, for use in proposing, pushing, developing a European consciousness and presence on the international stage around cyber security. It's been extremely useful and interesting for us as a state to engage with. But to begin with, and welcome Ambassador, we will have Ambassador Heli Tiirmaa-Klaar, who is the ambassador at large for cyber diplomacy in the Estonian Ministry of Foreign Affairs. Heli has been centrally involved in Estonia's building its presence, indeed, the European presence at the Security Council and other levels across the European Union, in pushing and developing for a much more expansive, broader and deeper consideration of cyber security as a global security and geopolitical question.
Now, Ambassador, I'm sorry to jump to you straight away, but what we're going to do is this: Ambassador is going to speak first for seven to ten minutes, followed by Victor, and then we're going to have a conversation. I have some questions of my own, we'll take questions from the audience. Obviously, and I'm sure everybody will be aware, both the initial address and the Q&A session are going to be recorded and on the record unless otherwise stated. Anybody who has a question, please feel free to submit it via the Q&A function on Zoom. When you're doing so, please identify yourself and your affiliation when you're asking a question. And of course, if anybody wants to engage with the conversation on social media, please feel free to tweet using the handle @IIEA as ever. And let's go, Ambassador, please.
Yes, hello. Thank you, Richard. Hello, Victor. And hello, everyone in the call whom we cannot see. So I see 44 participants. I'll speak a bit about why Estonia has been raising cyber issue in all international organisations and what it actually now looks like in terms of international awareness. And also then I'll talk about European cyber policies as they have evolved and what challenges we will face in the future. Yes, Estonia certainly was one of the first countries to start raising the cyber issues in different international organisations. I think the first for us was NATO. NATO came up with its first cyber defence policy as early as 2008 with a subsequent policy in 2011, 2014 and now in 2021. It's the latest NATO policy in force. Then the second organisation that was quite quickly taking up cyber issues was OSCE already as early as 2009. OSCE had put together the working group on cyber issues that started to discuss the regional confidence building measures. And it was also related with the United Nations Group of Governmental Experts, which then convened and had its first, first confidence building measures discussion started in OSCE.
And in 2013, the first set of the confidence building measures was adopted in OSCE. The European Union started a bit later with all these policy development issues with horizontal policies. The EU has been doing something on the cyber crime issues, a bit of critical infrastructure protection, bits and pieces here and there, prior to the 2013 cyber security strategy of the European Union, which was the first horizontal EU strategy that has taken together all the three pillars, as they were called before the Lisbon Treaty: the internal market and justice, home affairs and also security and defence policy. So the 2013 strategy was followed with the 2017 strategy and also the third strategy has been produced by the European Union in 2020. All in all, we see that in different major international organisations, there is now the cyber policy posture, which helps governments to talk to each other. There is now the cyber normative framework or international law applying in cyberspace, or it helps with the regional integration, like in the case of the European Union, or it helps with the preparations for cyber defence, as NATO has been doing. I think all the different elements of our global cyber normative framework are now in place. So we have the UN agreement that international law applies in cyberspace, that we all should implement the norms of responsible state behaviour. We have different regional organisations now having the confidence building measures and we have to implement the confidence building measures and have to follow those confidence building measures. And of course we have the whole set of rules and standards and different other elements in our international normative framework also on the technical side. And this I think the EU is quite good at setting the technical standards for its critical infrastructure protection and cyber resilience in all EU member states.
So it's the NIS directive, network and information security directive and with other internal market related policy bits the EU has been able to really raise the overall resilience of all European Union member states. And of course also quite valuable in the EU cyber posture is Cyber Diplomacy Toolbox, which the EEAS is leading in the European Union and of course Victor will talk about this. So I will not elaborate on that one, because it shows also that the EU is not just an economic standard setting agency for its member states, but it also can negotiate a coordinated member states position with the third countries and also show response to malicious cyber activities. So it has raised the EU significance also to the political level in terms of global cyber politics or international cyber policy and international relations. But maybe I'll just spend one or two minutes telling us what are the challenges now. Because we have reached maybe the first maturity level or maybe second maturity level, it depends where you sit I think in overall cyber policy posture in Europe. But it still needs some work before we can say that yes, we have now built the proper cyber resilience and we can basically just sit back and not worry about cyber issues anymore. So because I think we are in an interesting juncture where mostly the government so far have done quite many efforts in order to first to agree to create consensus. The most recent consensus creation in the United Nations First Committee is quite remarkable. We have arrived at the consensus with two reports this spring which is very unusual I think for cyber affairs globally and that suddenly there is consensus on both very sensitive working groups. So then of course Estonia has raised the cyber issue to the United Nations Security Council, which is I think now in a way like the last frontier in terms of raising cyber as an important political body. So now it's all done. But this is all very good.
So the governments understand this is an issue. It's a strategic issue. It's part of foreign and security policy. We have to pay attention. There are actually also many other actors in cyberspace like the private sector critical, not just critical companies and infrastructure companies that are in charge of providing critical services, but also other companies. So, and now we see the non-state actors going after different companies where with recent ransomware attacks in the US and in Europe. We have seen also quite powerful impact on the citizen. And I think now we are facing the new and quite important challenge as well to make sure that we are collectively going to curb the phenomenon of global cybercrime and making sure that all the disruptions and non-state actor element in our cyber instability is going to be diminished. And I think this is also the niche where the European countries and European Union actually have a very great role because the capacity building that EU nations and also the EU as such as an organization can do globally in order to make sure that there is rule of law in all corners of the world. The cyber criminals have no safe havens and we help the law enforcement. We help also the criminal justice system in all the countries in the world. I think this is also very important and of course also enhancing our own information sharing and cooperation to face cyber threats, which seem to be now proliferating. And we are still talking of course about the state sponsored or the state organized malicious activities, but I think increasingly we see the new actors in this field that can also create serious disruptions and those non-state actors also increasingly be concerned for us. So I'll stop here. Thank you.
Ambassador, thank you for that. It was a very interesting introduction. We'll pass straight over to Victor and then we'll come back with questions immediately afterwards.
Perfect. Many thanks. Thanks, Richard.
And Heli, it's always a great pleasure to be at the stage together with you. And I think that, you know, you built a sort of hope you've given me with your last part, especially a very nice segue to also build a little bit more on a sort of a context or geostrategic situation that we are in. And it's clear also from our perspective in the EEAS and from the European Union perspective is that, you know, the relation or international relations in cyberspace in a way is how to say mirror the challenges and opportunities of the real world, the multi-polar world and geopolitical tensions, including as well, unfortunately, attempts by some states to control and abuse technologies are leading to increased security threats, also a risk of fragmentation. And in the sense of real world also realizing effective multilateralism and these efforts to further control cyberspace. I think in our view very often also could be a catalyst in way to increase the likelihood of a conflict between the states. And some of these actors who are in cyberspace do so because it largely reflects their domestic agendas, which centers around the authoritarian concept of cyber sovereignty, which should ensure the prerogative of individual governments to control cyberspace used by their citizens. And this authoritarian vision of fragmenting cyberspace and internet in particular, and favoring stricter government control over a cyberspace vis-à-vis other stakeholders that Heli has mentioned is getting a foothold as well in the multilateral system with more and more divisive proposals being put forward, and with a lesser focus on finding compromises. The more prominent examples of the shift to shift the trajectory of the global open, free stable and secure cyberspace are the push to launch legally binding instruments on both international security and cybercrime, to push restrictive standards, replace internet infrastructure and also bring this infrastructure under the multilateral policies.
And these efforts oppose our vision of cyberspace, which is governed by multistakeholder model and respectful of human rights and fundamental freedoms supporting growth and ensuring international stability and security in cyberspace. As well, Heli mentioned that the cyberspace we see that it's increasingly misused to conduct malicious cyber activities, be it by state or non-state actors for various reasons for political, financial or economic gains in case of cyber espionage. And some states are as well unfortunately not abiding by normative framework that has been agreed in the United Nations that Heli mentioned, which is the basis of recognition of the applicability of international law and as well existence of norms for responsible state. As well, misuse of technologies for malicious purposes is, you know, unacceptable and also undermines international stability and security in cyberspace. And at the end of the day, creating really a lose-lose situation, whereas I think we are really working towards the win-win situations. Heli mentioned on several occasions how we as a European Union approach this. Since 2013, we have strengthened our cyber diplomacy policies through engagement both at the UN level, as well as through EU cyber diplomacy toolbox established in 2017 and our bilateral and regional engagements, notably, and Heli mentioned that as well, on cyber capacity building. And through cyber diplomacy efforts, the EU and our member states actively contribute to the rules-based order online and offline. Let me turn now very briefly to the 2020 EU cybersecurity strategy, which has been the latest policy. And we have, through that, provided the new impetus to our cyber policies, both on the cyber diplomacy part, but also on the cyber defense and the internal resilience. Addressing different, you know, and I think that it should allow us to increase resilience of the European Union and our member states.
And I think that the leadership is in favour of other global and open cyberspace. And let me hear on that element, as Heli mentioned, already worked also in the United Nations work. So there is a part of the 2020 EU cybersecurity strategy to establish a programme of action to advance responsible state behaviour strengthening and as well elements of strengthening the cyber diplomacy toolbox and our capacity building efforts and partnerships, which will directly contribute to international security and stability in cyberspace. I think I'll maybe stop here, Richard, in order to save us more time for interactive Q&A's and also Q&A's with the audience, but I'll be very happy to develop further a little bit on the cyber diplomacy toolbox elements and anything else you might want to ask.
Victor, thank you very much. So first of all, let's keep the questions coming in. We have some already, but I have a few to begin with and I think I might take Victor up on his offer of some extrapolation on the effectiveness of the cyber diplomacy toolbox. I'll start with you, Ambassador, if you don't mind. Victor made reference to this as well. The idea of norms as a creating or developing a global picture of norms for as a means of constraining state behaviour and the responsible state behaviour is something that is very heavily embedded in global cybersecurity thinking, but you could be forgiven for thinking at this point in the process that there are some real limitations to that methodology. Would you agree with that statement?
I think you're alluding to the question whether we need a binding treaty versus the non-binding politically agreed norms. Well, let me do this awareness-raising bit why we cannot have cyber warfare treaty. So at this stage, we cannot go on with any of the binding elements because we are talking about the dual use domain here.
So if it was nuclear weapons, it would be easy to count all the weapons because we know which countries are enriching uranium and we certainly have an understanding which countries are developing nuclear weapons. So if there were conventional weapons, we could certainly count also tanks and artillery and soldiers. In cyberspace, which is a very dual use domain, even if we had something binding, and I think it's an element that many people who are not familiar with cyber issues are usually asking as a first question, why we don't have a treaty. We cannot have a treaty. So that's a short answer because if we had a treaty, we would be fooling ourselves that this would be effective because we cannot verify it at this stage. How can we verify the treaty if we are going to verify then we have to be able to access all the laptops in the world and to see whether somebody has built cyber weapon with their laptop. This is one of the elements in cyber that is not comparable with conventional disarmament. The usual disarmament approach is not working in cyber. What works in cyber is the regulation of behavior. So because we cannot regulate arms, but we can regulate the behavior. And that's why we talk about the norms and implementing the norms and also making sure that we enforce the norms because if the norms are not enforced, so what's the use of the norms. And we know that many countries that have agreed to those 11 norms in 2015 already have broken those norms many times after the agreement on the norms. But some countries also have not followed the binding international law. There have been bombings of hospitals in Syria which is clearly strongly against any principle of the current international law. So therefore, instead of maybe the discussion whether we need a binding treaty or whether we can go on with the norms, we have to think of the ways how we can implement already agreed and existing international law in cyberspace.
And this is something what Estonia has been trying to do. The Tallinn Center here, the NATO Center has put together a few editions of academic analysis, what is called Tallinn Manual. The first manual was talking about implementation of the international law above the threshold of armed conflict or IHL or law of armed conflict. And the second edition talked about the international law below the threshold of armed conflict or international customary law. And now the NATO Center here is embarking on together the first edition of the Tallinn Manual which tries also to find together the existing state practice and to analyze how the existing international law and the principles of existing state practice. And the existing international law is binding. So we have the binding law already in cyberspace, which is the IHL, which is the customary international law we just have to implement.
Thank you very much. Yes, Victor.
I was actually going to jump in a little bit on that. Sorry, we were talking at the same time, but I think that you know Heli made of course a very valid argument. I think we sort of augmented also with supporting a very kind of you know real political approach as well that if we launch negotiations in the current especially multilateral context where we have really very few areas where we can agree on as an international community on such a delicate and difficult topic as you know UN treaty on cyber, I think that we will be also creating a possible situation where some of the actors will use it as the excuse of saying precisely that since we are working on a new treaty, that existing international law does not apply. And there is a, you know, basically we have it gives us a no accountability for actions whatsoever. And I think that it heightens the risk of miscalculation and escalation in a way.
So I think that this is very practical as well element of, you know, let's rather focus on, as Heli said, as he said about promotion of norms about growing the awareness within the international community of already existing commitments and what those norms how they translate into practice and also building understanding and interpretation of how the international law applies in cyberspace this will you know time will help as well with a growing amount of sort of jurisprudence and cases that will be more and more often I think that will help to clarify but also actions such as Tallinn Manuals. So now the third edition, and we as the European Union we also committed to give interpretation of applicability of international law within the last update of strategy, many of our member states have done it. That was a part of the call of the Group of Governmental Experts and the previous open-ended working group to precisely entice and invite all the international actors, member states of the European Union to come up with national interpretations, because it will help to bring transparency and clarity as well to that topic.