Good morning, and welcome to our panel on Fighting Shadows. My name is Jonathan Zittrain. I teach internet and law at Harvard University. I want to first alert and warn you all that we are as on the record as on the record could be. If our stage did not already convey that impression, we are even live streaming. So anything you say will be tweeted and the Chatham House rule is firmly broken. And I wanted to introduce each of our panelists through conversation. And then as quickly as possible, open it up to the full room for discussion. So I wanted to open with Eugene Kaspersky. Eugene, 1989, you wrote an antidote to the Cascade virus, and you have not looked back. I'm curious, the current tactical state of affairs for an individual member of this audience, what are the odds, for example, that that person's primary means of digital communication, telephone or laptop, is in fact compromised? Well, you mentioned the story which happened 25 years ago when my computer was infected. Actually, it's a big difference with the present situation. Those times there was MS-DOS. If you remember, Microsoft Disk Operating System. I'm sure Brad remembers that. I remember. So actually, that was quite a primitive thing. That was before internet, by the way. The computer malware was traveling with the floppy disks. Floppy disks. OK, now the situation is completely different with telecommunication devices. Internet of things, as you name it, internet of threats, as I do. Internet of threats, you say? Internet of threats. So you're saying things have gotten a little worse on the security front? Unfortunately, it's getting more complicated. I don't want to say worse, because at the same time, the cybersecurity is getting better and better. But unfortunately, we have much more work to do, because in the past, it was only consumer devices, consumer computers to protect. Now, mobile phones, tablets. Next, I'm afraid, smart TV.
We also need to protect the enterprise networks, the industrial systems, SCADA. So this is another way of saying business is good if you're the head and founder of one of the largest computer security companies in the world. But I just want to hear, are you keeping up? Yes, unfortunately, my business is very good. Yes. But I don't mean are you keeping up with orders. I mean, are you keeping up with the threats? If I've got Kaspersky installed on my machine, can I rest easy? And I realize this sounds like a softball question, but I mean, for real, are you able to program the definitions as quickly as the bad folks are programming the viruses? Definitely, yes. I use my product on my PC, so I'm absolutely protected. To be serious, of course, it's not enough to have systems really protected, the consumer systems. There have to be a few things done. First of all, you have to have good enough security. And second, you have to have your mind, your brain switched on all the time you're connected to the internet. Well, that sounds not like a good, I mean, that's worrisome for most of us. Well, actually, the reality is if you visit just a few websites which are well trusted, if you exchange the data with a few people and you have the security installed on your computer, then you're absolutely almost 100% protected. And almost none of those conditions. But if it is never the case that all of those conditions are met. But there are many people, they don't do that. Of course, there are journalists. They travel through the internet. Of course, they visit many sites. So the right behavior is. You make it sound like Marco Polo. All of us visit many sites. So you have to have better security installed. Uh-huh. Come to me. Well, that leads to a follow-up question. If I have Symantec antivirus installed on my machine, have I installed the United States government along with it? And if I have Kaspersky installed on my machine, have I installed President Putin along with it?
Definitely not. I'm absolutely sure that we are not an internet company. We don't collect any private information from the computers. Is there any way for an outsider with respect to any of the antivirus software that, of course, to do its work needs to be installed at the fundamental levels of the operating system, in the BIOS? So it's got the keys to the kingdom. Is there any external way for somebody who's feeling paranoid to validate that it's only doing what it's supposed to do? Definitely, yes. And actually, if you're an individual, you can check the traffic which is coming from the software. If you're a state, welcome to my company, we will show the source code. So actually, we as a security company, we must be very 100% transparent. Yes. That's all well, welcome. Yes. Welcome to check it. OK, so we'll offer tours of Kaspersky Lab to anybody who... Well, actually, one... Kind of like the Ben and Jerry's tour in America. You get a full free ice cream. Well, we are not an internet company. We're a security company. So we don't have access to all the data which is in the internet. Last question for our introduction. In the enterprise space, of course, in the past few months, we've seen the American company, Sony, treated to many of its secrets spilled out over the internet. Is this an example of a company that simply failed to install software like yours in a consistent way? Or is it more demonstrative of it's really hard at the enterprise level to secure your stuff? I think both are true. Well, actually, as far as I understand, as far as I know, the attack wasn't really complicated. It seems that the enterprise wasn't protected in the right way. It was protected, but it seemed that they didn't pay enough attention to the IT security. But at the same time, there are incidents with many well, very well-protected organizations like banks, which are badly hacked. They invest a lot into IT security.
They have perfect engineers, but anyway, from time to time, they're victims of a very complicated... Well, the reality is that the cyber criminals, like in the past 10, 15 years ago, they were just individuals developing some... Well, some kind of malware, not really complicated, and they were attacking victims which were consumers. And a few years ago, I was talking about the level of the complexity, and I was talking like, okay, so there is a criminal malware, and there is a state-sponsored malware. And the difference, like a car is a space shuttle. And now I say that... Now they've converged on to a helicopter. Many criminals, unfortunately, the evolution of the crime came to this situation when they are very professional. And they developed extremely complicated, high-professional attacks, and that makes my work more difficult. Yes, very good. President Ilves, anything surprising so far in what Eugene has said? No. And as a... Which is good, it would be good that they're on the same page so far. But given that you've put Estonia at the forefront of the digital world, you've tried to integrate digital within the state, and you've got your own pedigree of having started programming at age 13, what's the sense of defending the state? And the state systems, we have consumer, enterprise, state. How is it up at that third tier? Harder, easier, same? Well, some things are easier, some are more difficult. I would say that it really depends on the degree of IT integration in your country. Okay, I mean, jump ahead, you didn't ask me, but 2007 Estonia went through these... You knew I was about to... Distributed denial of service or DDoS attacks. At the time, I did say that there are countries where if this happened, they would never know because they aren't simply using things, and we had by that time a fair degree of use of IT for government services and so on. But the thing that people don't understand, it is a very primitive low-level kind of attack.
It basically means that you swamp a server. No one has the key to get into your door, they're just all in front of you when you can't get to the door to go in here. That's the phrase denial of service. Right, and so it's... It's like a long line outside the Congress Center. Yeah, one of those, right. Though you don't necessarily get in at the end. But anyway, so that was... I mean, the interesting thing about it, which is an aspect we should consider, is that these are run by organized crime. They are basically, it's your Viagra spam in reverse. The same companies that send millions and millions of spam out, you can pay them and they will direct it all towards one. And so in the other interesting thing about it, aside from the fact that it was at scale at the time, was that it was for political reasons. I mean, DDoS attacks generally are done for... I mean, some of them are for political reasons. But also, I mean, to extort small or medium-sized companies, we're gonna, your business, you have a business based on the internet, selling stuff. None of your customers can buy your products because we've blocked your site. But that is really, I mean, what we're looking at today and more generally what is far more sophisticated, and that's getting in. Now, I don't know about the details of the Sony case, but I mean, I know of other cases where you have a secretary and she has a file that has all of the passwords of the executives and it says passwords. Maybe that's not a smart idea. Newsweek and news, yes. And other things, for example, I mean, one thing, my domestic newspapers laughed at and made me look like an idiot. I said, you know, tape over the camera on your computer. I said that. It's like, yeah, wow. Eugene, do you tape over the camera on your computer? I have my software to protect it and it's, we have a special functionality in the product to check that the camera is really off. So you don't tape over the camera. He depends on, Brad, do you tape over the camera?
Why don't, tape. I smile, I smile to the camera. I'm with President Ilves, I tape over the camera on my computer. I just, huh. I mean, well, I mean, there's elementary hygiene that you can do. I mean, one of them is, you know, you don't, there's things you don't do. You don't put your store, your passwords in a file that says password. Right, right, right. But I wanted to go back to the denial of service and the attacks for a moment of 2007, they lasted exactly 24 hours, as you've said. And you had hypothesized, maybe it's cause the money ran out, whoever was paying the bad folks to engage in the attacks. Well, it was interesting because basic, okay, there was a low level of attacks, but then it sort of peaked on 0000 GMT on the 9th of May. So then it was like, it's up here and then it continues like this. And then at 2400, it drops down. And I said, well, why is it not a normal or Gaussian curve? And so the head of the CERT, which is the response team that does these things, if you don't know what that is, every country, every county should have a CERT. And he said, the money ran out. I said, what do you mean the money ran out? He said, well, you know, I mean it's, you rent it for, they rented it for 24 hours. So I'm just saying, if the bad folks happened to have 365 times as much money as they had, would you have a year-long denial of service attack? Yeah, well, I mean, you would then find all kinds of ways to get around it. In fact, when Georgia, a year later, was subjected to similar attacks because we already had sort of done things. We had mirror sites, so they were, it lessened considerably the, and of course, then you can go get the people. If they could do it for too long, you can figure out where it's moving. So that's, it's probably, you know. Got it. It's like hanging around the bank for too long a time after you've robbed it. Got it. So I hear then, so far in half our panel, a tone of not much to see here folks in 2015.
If you install the right software, do the right hygiene. I just haven't gotten to the other problems. Ah, we should be quick. Tell us about the other problems. Well, I think a large part of it is really is, there are things you need to do, and I'm sure Eugene knows more, he knows far more about this, but I mean, if you have legacy technology, if you have Windows 6B and you haven't replaced it, you're in trouble, right? I mean, holes, Swiss cheese, holes all over the place. So you need to keep- And you're not calling out Windows XP specifically, you just mean old software. Yeah, yeah. Well, we've even said it's, if you have Windows XP, which came out in 2001, it's 14 years old. Brad is calling out Windows XP. It's time to update. It's time to update specifically. Well, he wants to sell, he wants to sell new software, right? I mean, I would say so. I get my cut later. No, but my point is that you know, you have, I mean, this is a serious problem, especially in infrastructure, in critical infrastructure, countries maintain legacy technology. They always, we'll do it next year, we don't have enough money. And so that's really dumb. Well, it's so fascinating, by the way, talk about a Gaussian curve you have at the historic end, a bunch of old stuff that if you don't replace it remains vulnerable. And then you had Eugene referring to the internet of things being the internet of threats, which is to say all the new stuff can be a problem and embedded, I guess it's much harder to replace the firmware on my tea kettle, if my tea kettle is internet aware. How do we think about that? Not only that, there's also somewhere a firmware under the water at the oil stations and also the firmware in space. You're worried about that? Well, actually this is one of the major security issues in the modern world, security for the critical infrastructure, security for the physical systems, everywhere around us.
And would it be helpful if all of that infrastructure ran on a common platform so that it could be secured in a common way, or is that a form of monoculture that better to have the stuff in space running on systems that are utterly distinct from what we do? There's no difference because if someone really wants to damage, say, a power plant, doesn't matter which system is installed there. Is it there, some specific system or is it just someone one? But for the critical infrastructure, I think that the concept of security must be changed because we have the standard operating systems and the security on the top of that. Yes. Like the endpoint security or any other kind of encryption and et cetera, et cetera. It's on the top. I think that the critical infrastructure must be protected based on the secure platform, so the security as a platform for the applications which run power plants. Got it. Regardless of what's underneath, you're either equally secure or equally insecure, as it were. Before we move on, President Ilves, I wanted to let you finish on the threats we haven't thought about. Well, a couple of things. One is there are basic things you can do, not just updating your software, but hygienic behaviors that you can follow. I mean, I would say that two-factor authentication, which we offer all of our residents in the center. So you've got your password and then you've got another object like your phone and they send the separate code. Right. I mean, that is kind of, I would say, that's a sine qua non. If you're just using regular email, which I do. But I mean, I figure, well, someone's reading it. Yes. But you don't put, I mean, sort of basic. If there's anything sensitive, at least you need to have something like this. And the other thing is just basically, as Eugene said, basically nothing is really safe. But again, we need more awareness. I mean, after 2013, June 6th, everyone is very, very upset about privacy, which is rightfully so.
You're referring to the date that Snowden's first revelations came out? Yeah. Right. Or he showed up, I don't know. Anyway. Showed up in Moscow, I don't know. I don't know why we're looking at Eugene, as if he's responsible for it. I'm not looking at Eugene, I think. I know, but I mean, what people have forgotten is that we're rightfully obsessed with privacy. But consider now that this is another side that's even more important. I mean, it's the privacy versus integrity of data. And that's a technical term, perhaps. But what it means is, privacy is, I know what your blood type is. And you're Rh negative. I can see that from some medical records. Integrity is if I go change it to Rh positive. And that's the problem that people should worry much more about. The folks at Sony should worry less about the documents going out, and worry more about, I wonder if all of our spreadsheets say what we thought they said. And how would you possibly go in and validate that? As we say, I don't want people to see my bank account. But on the other hand, I don't want them to change my bank account, at least in the wrong direction. Unless it's in the right direction. And what do you, I mean, just last question on that front to both of you. If you're Sony, the gate has been opened, you're doing your assessment. It looks like a number of your systems have been compromised. And Sony is a stand-in for nearly anybody, consumer, firm or state. How do you check the integrity of all of the stuff? There's actually software that goes with it. I mean, there's an Estonian company that has been used all over the world, but I won't do it. It's a great form of native advertising. We've got these other people doing Microsoft, Kaspersky Lab. I might as well say our company, sort of in Estonia, I mean, it's kind of like a telemer. Every data point has a signature on it, small signature. But you know that it has not been tampered with.
Kind of like on a Wikipedia page, you can go to the history and see the changes made successively to an article. So Jonathan, I think the 401 goes beyond that. It's worth underscoring the importance of this point about two-factor or multi-factor authentication, because I think it's one of these things that's well understood technically within the industry. But the rest of the world probably hasn't had the opportunity to appreciate it yet. Because before you get to the file that has the spreadsheet that has all the passwords, which perhaps shouldn't exist, you've got to get into the network itself. And I think all of us as users have gotten very comfortable with this notion of course you can't access your email without a password. And we've gone through this sequence in our lives where we were told to develop stronger passwords. We were told to change our passwords periodically. But what you often see in these attacks is this common origin, which is different techniques to separate people from their passwords. And you get an email, you click on a link, it looks real, et cetera. So I think over the next few years, every institution, every individual will become comfortable with this notion of two-factor authentication, meaning, OK, I have a password. But if I sign on, even with my password from a device that I've never accessed that service from before, the service is going to send me something, yes. And it's the code to your phone. And the thing that's worth everybody knowing, look, if you're using LinkedIn or Facebook or Twitter or Outlook.com, these exist today. You just go to the service, do a quick search for two-factor authentication. And it will tell you how to install it. And I think you can safely bet that if we're back here in three years, if you work for a government, if you work for a company, this is how you're going to be accessing your content. And it will at least be the next layer of protection. And then we'll deal with the next challenge after that. 
Got it. Now there are two ways in which we might take our title of Fighting Shadows. I've been talking about one of them, which is defending our infrastructure against attackers that are often hard to identify. I want to shift to a second possible definition, which has to do with the use of the internet by those who operate on the margins and are often up to no good and want to exact physical harm. And for that, Director Laborde, it seems great to turn to you. You're the director of the counter-terrorism section for the United Nations. And you've been a Supreme Court judge in France and are trying to think about a strategy that may involve a legal or policy response among nations rather than the tactical technical responses we've been talking about for the first kind of threat. So maybe you can tell us a little bit about that. Well, there are two aspects in this conversation, I think. The first one is, of course, the attacks that we just spoke about. And I was just thinking, Steve, to close this chapter, that we have also to have a, we should have in the Security Council, since I work in the Security Council of the UN, we should have an answer to bring these terrorist organizations or criminal organizations that you mentioned, President, to justice somewhere. Because I think that there is a point of impunity there. Because if we continue to have impunity, OK, you have security, but you have to have impunity. At the moment, there is a lot, I would like to say, of impunity for the hackers, whatever. I mean, the people who are breaking the system. So there is something here that should be done, very difficult, very complicated, because you have issues of jurisdiction, what kind of jurisdiction, et cetera. And at the same time, also, if we go against impunity, we have also to protect the freedom of speech, freedom of expression, et cetera. But still, I mean, this issue has to be somewhere. And how would you rate how we're doing on that so far?
It's something that we have to bring to the international community. Because you cannot do that without an international cooperation. Otherwise, it doesn't mean anything. So it's not easy. It's even more than what I said. It's extremely difficult. But somewhere, I mean, somebody or an organization has to be brought to justice and accountable for what they do. That's something that I feel is important. But the problem here is that you have to get countries to agree. And we, in fact, have the Budapest Convention, which is a convention on bringing cybercriminals to justice. It's just that two countries that do most are the home of, I'm not saying the countries do it. No, no, no. That's a good point. But the home of two of the biggest of the most or greatest sources, cybercrime, cyberattacks, refused to sign the convention or ratify it, which means the. Which two countries are those? No, no, no. Well. Russia and China. Well, it's. Why do you ask me? You know that. Well, I was thinking of the benefit of those on the live stream. No, wait. What about Brazil? What about Ukraine? Well, no, they should. I mean, the point is that they are immediate, I'm just saying, but they're not the largest source. There is still one point. President, you said two countries. I was thinking two out of five, which were two out of five. Well, our cup runneth over. But Director Laborde, yes. I mean, since I had the privilege to be a judge in my country in the judicial Supreme Court, I would like to say still we can still institutionalize somewhere something around the universal jurisdiction. So you don't have in this case to go to the jurisdiction of the country. So let's discuss that. No, but I wanted to have something which is for the people can be clear, open, transparent, and also involving the civil society, which is also a component of what we are speaking about. Coming to the second point, because it is a very difficult one, but still I wanted to mention it.
The second point is I would like to say the use of internet by terrorist organizations. I don't even say by terrorist now. So for example, Daesh is promoting its own, let's say, actions, and very well, let's say, asking the so-called foreign terrorist fighters to come and to be part of, let's say, something very nice, actions which can really be not only an adventure, but glory, et cetera. First, we are very bad in countering this type of narrative. The counter narrative is not done well, either at the state level or the media level or the civil society level. That's something which has to be done. And the phenomenon, it's extremely important. You have actually more than 15,000 people as foreign terrorist fighters in these areas, and 3,000 coming from Europe, others coming from Russia, and wherever. And from the vantage of your office, what do you see as steps that can be taken? The steps is first to work more with, let's say, the private companies too. And we will have something in the very soon seminar in the New York University plus a seminar in Miami with Microsoft on these issues in order to see how we can really elaborate the counter narrative on that. But there is a second point also. I see it is very difficult to criminalize, again, on the legal issues. It's very difficult to trigger international cooperation in criminal matters with these issues. And finally, it's also we are not good at all, as I said from the very beginning in the counter narrative. That's probably the most important. For example, to show to these young people who are, let's say, lack of employment, lack of perspective in life, et cetera, to show that there is nothing good there. I mean, the first acts that they are requested to do is, for example, barbarian acts in order to put them completely under the authority of these organizations. So this is something that we have really to take into consideration. Now, second point to come back to the issue of security. They even attack now. 
We have seen that in a very low-key way. But still, we have seen that they even attack now the police infrastructures in order to block the police action against them when they are performing their terrorist actions outside of their territories. So this is what I wanted to underline. One of the things I should also point out is that it's not just criminals. It's not just states. It's also in between. I mean, the unique public-private partnership form that we see where states will pay criminal groups. I also would call it the little-green-men-ization of the cyberspace, right? I mean, oh, we don't know who they are. They just bought their, you know. Which might complicate the desire to bring to justice, because whether it's a law enforcement issue subject to international cooperation or whether it's a state-to-state issue, you're saying is somewhere in the middle. Well, I mean, go back to the Barbary pirates, right? I mean, they had the Sultan sort of got his take. And he said, you know, stay away from the Barbary coast. And finally, so many people had been. Has the international order improved since then? Or are we still? I think we're, I mean, every time you get a new area like that, I mean, then you find there is no order. And what happened with the Barbary pirates, you know, from the halls of Montezuma to the shores of Tripoli? I mean, the shores of Tripoli, this went and shot them up. So, I mean, which is the thing I just think we should mention somewhere here is that the offensive side against people who have attacked you. And I think that- Does Estonia have a policy on that? Will Estonia- We all have a policy that we don't do those things, but how do you define it? Is something which is defending you offensive or not? And it's hard to find where it is. How do you define that?
What I wanted to get to, to the law professor, my point was to get to that, which is that where it becomes interesting is, I mean, first of all, attribution and in what is- And by attribution, you mean figuring out who's behind. Right, and it is, I mean, is it an act of war or not? This is one of the things that we grapple with in the NATO Center at Tallinn, is what is an act of war? I mean, if you have a missile and you can track it, it comes in, it hits a power plant and it came from over there. That's the easy case. And then you say, well, then, and then the NATO or some, or national, whatever. We think that's- Well, you say a proportion, you don't start a nuclear war over a missile, but if it's a nuclear missile, then you start a nuclear war proportion. Right, so it's proportion and attribution. Now, the same effect can be achieved via a cyber missile that takes out the plant. Now, who did it? First of all, you don't know who did it. In general, cyber forensics, you can finally figure out who did it. I mean, it takes a long time. And then what is the appropriate response? And for the question of how do you respond in a cyber way? Well, the U.S. Department of Defense, I think already three, four years ago, said we need not answer a cyber attack within the cyber realm. We can use what is now known as a kinetic attack. Or you could expel a diplomat. There's all sorts of ranges. Well, I mean, if you're doing damage, real damage, then, I mean, the point is- Expel two diplomats. Yes, but the point is what is the response and where is an act of war? What is an act of terrorism? Who is responsible? What do you do back? What we can do also, this is the final point I want to make in connection with what was said, is now more and more connection, and we had a discussion in the Security Council in December on that, more and more connection between organized crime and terrorist organizations.
Because if I come back to territories which are under the authority of terrorist organizations like Daesh or Boko Haram, now you have a lot of connections between organized crime and terrorist organizations, which was not the case in the past. Now it is quite clear. So what you said about the state's connections with organized crime can also be reported to these, let's say, non-state actors, which are really organized crime on one side and terrorist organization on the other side. Well, it certainly gets back to President Ilves' point of a spectrum of actors that can be from organized crime to state, motivated by very different things, ideology or money. Because if you're talking about actors, don't forget about traditional crime. It's used and the traditional crime is entering cyber space. They are not cyber criminals. Cyber criminals, they steal data. Traditional crime, they do traditional crime with the help of cyber systems. They hack, for example, industrial system, they hack transportation. Two, well, there was one example. The Latin American drug cartels, they hacked Antwerp's seaport and they were unloading containers with cocaine into the safe space. This is example of the traditional crime. So it's a cyber crime, traditional crime, terrorists and states. Let me bring Brad Smith into our conversation. Brad, you've been thinking a lot about how new legal regimes might apply to this digital space to solve both sides of the fighting shadows equation we've been talking about, and I wanted to invite you to talk about it. I think there's three things, Jonathan, that are worth thinking about. First, I think it's just worth reflecting on the multifaceted role that the internet is playing in this context. Think about the Sony entertainment issue. The internet was, in effect, the weapon that was used to attack free expression by attacking Sony's network. It was also the tool that was used to defend free expression.
When Google and Microsoft and Sony together agreed that we'd distribute the film online. Think about these issues that we've seen in France. The internet is being used to recruit terrorists. The internet is also used lawfully by the French authorities to go obtain the evidence needed to identify where the suspects were. Think about the role social media played in enabling the people of France to come together and put an unprecedented number of people standing together on the streets to defend free expression. So this is something that is precious. It is a threat and it is one of our greatest assets. And now Director Laborde has, I think, hinted at the idea that there might need to be or there's desired to be some work with the companies to try to ferret out some of the bad stuff that's going on. That video that might be distributed that's a recruitment video and it contains terrible acts within it that the companies, he might say, I don't wanna put words in your mouth, but he might say shouldn't be allowing to propagate over their platforms versus we're so glad we have these distributed platforms so that if Sony gets attacked it can distribute it. Do you see that the law is going to be able to distinguish safely between the two? It's a challenge, but I think the first thing we should recognize is that we are dealing with a situation where you have fundamental societal values in tension with each other. We have keeping the public safe, that's critical. We have freedom of expression that fundamentally defines societies across the Atlantic. We have personal privacy. And so we need solutions to strike the balance. Now in a sense, I think the first question one needs to ask is who should strike that balance? When government officials exhort through speeches, technology companies asking them to do more, it makes me nervous because people are asking us to draw a line between these values. We're just a country software maker. It's the role of governments to say.
Exactly, no one elected us. Isn't this the kind of decision that the members of the United States Congress or the French National Assembly are elected to make? So when new lines need to be drawn, I think the first approach should be for governments to draw them. For people in the private sector to have a voice, we'll have an opinion, and then we'll comply with the law. But to put us in the line drawing business independent of the law, I think is a very difficult proposition. Now I know you've got two other points you wanna make. I already made the second one. Oh, wonderful. You wanna put the third one on the table and then I also wanna make sure we open it up to broader discussion. Yeah, and the last one very briefly is then what this means is we do need new law. And at times it's gonna mean new domestic law, but it really goes to the question you heard. We need new international norms. And in part, this requires that we create new mechanisms so governments can work across together, across borders, without unilaterally stepping on each other's sovereignty. We need to improve processes. We're gonna need some new agreements, whether it's an expansion of what exists today or new instruments altogether. So if people who want to get in can raise hands and we can get a microphone over to you, while that happens, let me ask President Ilves, how sanguine are you about the prospect of international agreements of the sort Brad just described? I think these are possible. My worry is that on a lot of issues, our lawmakers, legislators are often people who are not that up to speed on the level of, I mean, what is possible good and bad when it comes to the digital world. And I've had some pretty strange experiences talking to people that don't really get it at all, who are in a position to make major changes in the legislation even at the European level. So where should we place the hot potato? Well, I think that we ought to mash it up and distribute it evenly, but... 
Good extended metaphor. But block that metaphor, right? I mean, when people say don't get it at all and then they start, I mean, we saw this after Snowden, there were some pretty ridiculous things by people who don't understand the digital world at all, saying we ought to do this, we ought to do that, and you can go, wait a minute, I mean, this is, let's educate ourselves a little bit. We need, we have gotten beyond Aristotelian physics when it comes to most countries and most legislators and do believe at least Newton. But, you know, when it comes to cyber, it's often that people have no clue whatsoever. And I would, for example, I mean, just to keep it a little less abstract. I mean, there are, people wanna stay in a paper world with just a metal lock and key because of cyber. But in fact, you have far better security than paper if you do it right. Using digital. But this sounds like a somewhat of a paean to abstention at the legislative level. Don't hasten in with ill-advised agreements. Well, I thought a lot of the stuff that came out after Snowden was fairly ill-advised. And it has concrete ramifications for all kinds of things, including the future of the internet. Very silly things saying, oh, regarding the cloud, for example, very bad protectionist attitudes that develop that have nothing to do with reality but have to do with a visceral reaction to, you know, they did, you know, the bad Americans did this. And then we're gonna keep them out. Well, okay, so what are you gonna do? Like stay in the 19th century? I mean, so I think one of the problems I mean is that the executive level of people are sophisticated enough to get it or at least read a book. But it is interesting too that it points out there could be legal agreements about restrictions and cyber crime and sort of enforcement, but there could also be legal agreements that are facilitating cross-border data trade. 
But I actually think, Jonathan, that the president is raising an issue that is even more fundamental than that. Yes. All the time you hear, sometimes in the tech sector, sometimes you hear it elsewhere, oh, these people in government don't understand these issues. Well, look, we live in a complicated world that's changing rapidly. You know, we say to the students in our schools that they need to learn to code. So what do we do? We teach them to code. We don't take away their computers. People in government, frankly, I think are learning more every day. If they need to learn more, we should share the information with them, not eliminate their responsibility to enact new laws. We have a cyber boot camp we can do. Let me tell you how this international cooperation really works. Yes? I have an email to my lab from the cyber police from country A. Hey Eugene, do you have contact with the country B? I say, hey, guys, you're both country from the West. Why don't you call each other? Hey, Eugene, it's too bureaucratic. You're a very shortcut way. OK, guys, OK, this contact from country B, OK, work together. You can just conference column together. Yeah, that's exactly my point. So this is the way it really works from time to time. First of all, the responsibility of the people in charge at the governmental level and the discussion with, let's say, the private companies is essential. And then you can perhaps get the balance between freedom of expression and the action of the criminal justice system. What I want also to say, I am not dreaming about an international agreement which was not. What has to be done is to probably, and this is what you say, colleague, is that, I mean, the people who are in charge, exactly the law enforcement, the prosecutors, and the judges, have to be aware, if we want to avoid impunity, have to be aware how to work against these actions. And for that, they have to work with the private companies. This is why we organize this. 
With the speed of the internet. Yes, with the speed of the internet and also the legislator. At the end of the day, they have to know. They have to live in these words. Let me take it to whoever has managed to seize a microphone around the periphery. Has it found a home somewhere? Ah, here's, so who wants to speak, though? Question, comment, over here. You can get the microphone connected. Ah, there we are. And feel free to tell us who you are. Christian Momentaler from Switzerland, Switzerland. I was wondering, we have a lot of experts here, and we need to think about the risks, threats, and ours for the world, right, for society. And I was wondering, in your mind, in your head, what are the one or two biggest large-scale scenarios you're most worried about that would potentially include loss of life? So is it attack on hospital or power networks? And is this kind of like asking for a friend, or is this an insurance company saying, I'm going to take some notes? Don't worry, this is nothing, it's not insured, but I just wonder more as a citizen, right? What would be, what are the things you're most worried about, and it is a combination of probability and severity, yeah? Fair enough. So the worst of the worst, that's a scenarios of attacks on a critical infrastructure. First of all, it's a power plants and power grid. If you don't have power, the rest of the world doesn't work. Second, telecommunication. If you don't have telecommunication, the rest doesn't work, but the power plants still work. Then financial system. If the financial system is out of the order, telecommunication work, power plants, they work, but the rest... That's already, that's a good start, top three, but... And, yeah, top three, and the rest of everything. But for those top three, how would you assess the degree of risk? 
If President Ilves, purely hypothetically truly, were to order his crack cyber team to take out that power plant, that telecommunications system, that kind of thing as a way of responding to some attack that he's experiencing, how readily could that be done? It's a very, very good question, and actually it's very difficult to answer the question. And this is the risk balance for the nation. It's a very complicated issue. Let's say that Mr. President locates one billion year for the cybersecurity to protect critical infrastructure, but the next 10 years, it never happens. So the citizens, they ask, hey, Mr. President, why did you spend such a big money to protect from the threats? Where's the disaster that was averted, yes. Oh, there's another case. Mr. President decides not to do that. And the next year, the country is spitting all the huge scale attack, and the citizens ask it, hey, Mr. President, why didn't you do that? So the balance, have to find this balance, I don't know. Yeah, the problem is that when you, those I agree with Eugene are the top level. But I mean, you can wreak havoc in all kinds of ways. I mean, a couple of years ago, software engineers or anything, saw people doing the software of the Los Angeles traffic system went on strike, but it wasn't enough to sort of strike. They sort of turned lights red. Los Angeles is paralyzed. And imagine if they'd done even more paralyzed. But imagine if they'd done the next thing, which is turn all of the lights at the same time green. Right, I mean, so then what do you have? Or imagine that in Manhattan. That's full. So if you have that, I mean, what is, this is an example of how. Which means that in a highly leveraged, tightly coupled technological environment, finding a point of vulnerability need not be at the very top level. It could be a very nice fulcrum point that you would get. 
And I was just wondering, as long as we're elucidating threats and modalities, there we had another session at the forum on Bitcoin. And I understand the enthusiasts there were not so much focusing on Bitcoin as a cryptocurrency, but it's underlying technology of the ledger as a form of providing for distributed contracts, for example, where you could say, if A happens, then B money will flow over to here and understand that the system will enforce that without needing anybody to actually change hands. Does that mean we could see a bounty simply appear online that says $100 million will flow at the moment that all those lights in Los Angeles turn green, and everybody is just waiting to see if that happens, at which point the money goes from one account to another. And we're left trying to figure out how to chase the people and hold them accountable. I mean, yes and no, because if you see that threat, then you go, aha, it's not. Now we know at least what they're going to attack. I mean, so they're not going to go attack the dam that's going to break and all the water is going to come down. They're going to go after that. It's probably not a good idea to warn ahead. I mean, let's be from a military tactical point of view. This is news for other people to use. Make your threat more nonspecific. So yes and no, but OK. I mean, we can come up with more and more scenarios on bad things that can happen. We need to focus on things as to how to protect yourself insofar as you can. And they begin with the individual's personal hygiene and then corporate hygiene and then national. And one last question to Eugene. You pointed out how it can be hard to be incented properly to spend money on security because if the threat doesn't materialize, it looks like wasted money. Would you be supportive of government requiring people to have to take certain minimal steps to secure themselves? You would. 
Yes, well, I definitely, I'm still dreaming about even the book, Cyber Security Strategy for Dummies to explain it in a very simple words. If I were government, if I were some power on government, I will force them to split cybersecurity issues in the three categories. Individual, small businesses, enterprises and critical physical infrastructure and implement different policies. For individual, small businesses, very light policies. There is a list of them. And very strict regulation, government control on a critical infrastructure. Then what to do? The most important, the most critical is infrastructure. Start to redesign it in a safe way, in a secure way. Because of course, it's huge. It must be huge investment into redesigning the system if you wanted to have it next year. There is no nation in the world which has enough of resources. I don't mean money. I mean brains and hands. To redesign critical systems within a very short period of time. But at least start to design new systems in a safe way. Well, I would say a couple of things. I think about the private sector. Let's find the next question too. We'll get the mic from the subject. The private sector, especially if you're dealing with insurance and governments. Governments need to say, you are not allowed banks or whatever to deduct as a business expense something which is the result of poor hygiene hunts. I mean, so someone steals your money. So if you have to do cleanup after a cyber attack that you could well have prevented, don't expect to deduct the expenses of that cleanup. And the other thing which, I mean, in the US is called an act of God. In Europe we call it force majeure, being a little more atheist. Is it possibly a little more atheist? The point is that if you have a power plant, is taken out because of a cyber incident, then it doesn't go to the insurance company and say, look, we had this accident. Act of God, force majeure. 
The insurance company said, look at your money back because of that. That's how you incentivize from critical infrastructure to banks. So lighter regulation rather than sort of command and control. Well, it depends on your country. That's what I was thinking. From this discussion, what could perhaps do is to have a kind of a wise leadership or something like that with all of us, a kind of practical guide. That's much more what we should do. And you have almost designed the structure of the guide. So this is something which could come out of this. Well, I love it. It's like setting the agenda for the Global Agenda Council on Cybersecurity, for which most of you are members. I really feel that soft law is even more important than hard law on that. One last point from Brad, and then we'll go to Professor Jarvis. And the concept's not new. I mean, when your colleagues teach tort law, basically people owe a duty of care to their customers, to people who rely on them. It will reflect to some degree the nature of the risk. As you point out, you probably have a different duty of care for critical infrastructure than something for which the consequences of failure would be small. So societies worked through this many times before, and these are the kinds of tools that almost certainly we'll use again. Yes. Jeff Jarvis. Jeff Jarvis from City University of New York. I'm not a real professor, I teach journalism. After Edward Snowden's revelations of tapping into the main pipes of the net and taking stuff, encryption seems a very sane response. But there's a tension here, obviously. Hear from Cameron a week ago trying to basically outlaw encryption by creating backdoors. From a consumer's perspective, it's not easy. It's still too hard. 
And then finally, there's a fear for us in media that if the web goes dark and entirely encrypted, then it's hard to do things that will benefit us and the users in terms of targeting content and advertising and so on and so forth. So I'd just like to hear your views on that tension around encryption as a good necessity or as something bad. I wonder, Brad, if you shouldn't be the first to take that up. Sure. Well, first of all, I think that encryption plays a fundamentally important role in keeping information secure. And that's secure from all kinds of actors who should not have easy or any access to it. And so you have seen across the industry widespread strengthening of end-to-end encryption. Now we're being asked again, does that make sense? We've been hearing these requests for backdoors and the like. Look, the path to hell starts at the backdoor. And that's your message to David Cameron. Yeah, you should not ask for backdoors. That compromises protection for everyone against everything. What we do need is to live in a world when governments pursuant the lawful process and protection of human rights can get access to the information they need. That's a more complicated question. But I think it's a more constructive conversation to have. But of course, Cameron's proposal is in response to some companies that are doing their best not to themselves be able to access their own customers' data. And that will be part of the conversation that will unfold. But I think we have to start by recognizing that encryption is a fundamental tool to keep information secure. I also think we need to think about another point that Jeff made, part of what led everyone to encrypt in the first place was this story in The Washington Post in October of 2013 that suggested that either the NSA or another agency had tapped into cables for Google or Yahoo without any legal process. 
And if we're going to live in a world where governments preserve for themselves the right to tap in without going through legal process without respecting the rule of law, then we're in a place where it becomes very difficult to have this dialogue. Because fundamentally, there's only two ways to keep people's information private, better laws or better technology. Well, if you don't want people to deploy technology, then let's get a consensus around what the law should be. Yes, yes. Trump power and then President Melviz? No, I fully agree with what Brad said. I have nothing to add. Really? It's really a beautiful thing for my ears. Made a couple of comments. Well, actually talking about cryptographic system, it's not easy to make them forbidden. Remember the PGP story? And the United States government was fighting with PGP? No way. And second, but what about France, for example? In France, the consumer's cryptographic systems, they must have very short key. So it makes them very easy to hack. Yes. So they have to increase the... Come on, it's in France, it's reality for years. I'm waiting for the demonstration in France for longer keys. Please, give us longer keys. Okay, that's a little bit... We have a completely different approach. We offer all residents, and now non-residents, a RSA 2048 binary key code, public key, private key, form of encryption. And we, in fact, say, who's this? And it's, I mean, this is with the authentication of every ID done by a consortium of banks and so forth. So, I mean... And just quickly, by implication then, this panel appears just to be an agreement that David Cameron is wrong. Well, I mean, it's fine if you're in the UK. I mean, it's a different country, but if you... He's free to be wrong is what you're saying. 
But I think we offer it because we think that is a service the government can provide and should provide to its citizens and everyone who, not only any resident, and soon you'll be able to be a resident without being a resident. Even if it reduces the surveillance services that you can provide. In what sense? That we don't offer a surveillance service. Encryption services. And the point is that... Surveillance as a service, yes. That's right. And I wanted to... And the cost to you is nothing. The reason I mentioned RSA 2048 is that RSA 512, which was offered by Lavabit, could not be broken by NSA. So, you know, and we're sort of, you know, this 1024, 2048, we're up there. It can't be broken, so I often make a joke. You could store your data on NSA servers and they couldn't get in. We don't really offer that service. But the point is that... Has a bring it on quality. Instead of having this paranoid view of, oh my God, they're always looking at it and say, well, in fact, maybe you can reverse the whole view and say government today should offer citizens the... I mean, should offer citizens the ability to have encrypted communication. And that's part of a modern day society, is that that's one of the... It is better to have the government offer that than privacers. Now, you could say, well, the government's gonna go in there. Well, at least you have the guarantee that if a government is doing it, it can only go in there with a court order. Whereas if it's a commercial thing, well, who knows, right? Well, this really has had a theme emerge from our hour together, which is historically speaking, possibly back to the Barbary pirates, we've had technology as one of our main means of defense against a technological enemy and have had merchants trying to help those who wanna protect themselves in various ways. Technologists and knowledge. And knowledge, exactly, education. 
But we've also seen among the panel discussions of the ways in which law and legislation and international cooperation may be trying to set a framework of some kind over the next interval, so that we have front doors rather than back doors. And when they're opened, we know and it's done under the rule of law. This is an aspiration, at least within this panel. And it also sounds like some homework for the Global Agenda Council on Cybersecurity. I'd like to just ask people to please thank our panelists for a very spirited and interesting discussion. And of course, thank the panel leader for wise leadership. Yeah, yeah, yeah. Thank you.