If I could ask everyone to take their seats, we'll go ahead and get started. Good morning. My name is Jim Lewis. Welcome to CSIS for our first annual hackathon. Let me tell you a little bit about the genesis of this. In 2011, then-Foreign Minister William Hague gave a speech at the Munich Security Conference, still one of the best speeches on international cooperation and cybersecurity. One of the things he said is that it would be useful for the international community to come together and agree on common understandings about cybersecurity norms, common approach. Out of that speech grew an effort created by the UK for an international conference and what turns into a series of international conferences. There have been three; we're coming up on the fourth. The first was in London. The most notable outcome of the London conference was there was a debate. Do we do like-minded nations or do we try and do global and fit everybody in? The UK decided to do a global approach, which means people aren't like-minded. That's always been a dilemma for these conferences. The Russians and the Chinese were concerned that the first London conference would be used to beat up on them for their behavior. They created the Code of Conduct, which has recently been revised. The Code of Conduct is one of my favorite documents. What it does is try and redefine international law in ways that devalue universal values and increase the role of the state. My favorite line, some of you have heard me say this, is the one that says freedom of speech is guaranteed, subject to national law. So a little bit of work here on the old code. And the Chinese have done a good job of trying to make it a little more user-friendly. The second conference was in Budapest. The Hungarians were hoping they could be the bridge between East and West, if we're allowed to say that anymore. But the gap is so difficult that they were unable to really come up with a final document.
So there was no document emerging out of either London or Budapest. In Seoul, the Koreans knew that. The third conference, they wanted to have a document. And so they did come up with an agreed document. But it was a pastiche of other documents that had been agreed to in other fora. And I remember they gave me an advance copy. And as I was reading it, I think I got to page three. And I thought, this looks really familiar. It was my stuff that they had just taken and pasted in, right? And so that, you got an agreed document. It didn't move the ball in terms of text or substance, but it did move the idea, the ball in terms of the idea of getting some sort of tangible product out of the conference. Now we have The Hague in April. What people don't realize sometimes is there's an immense amount of effort that goes into these things. So the Netherlands government has a huge team working on it. They've had preparatory meetings in Europe, in Asia, with many, many different organizations. Those meetings have largely taken the traditional format that you get at think tanks, where you have a panel. The panel would be facing you, right, instead of the screen. And then the panel would do their thing. And when the Netherlands Embassy came to us and said, would we like to do something in Washington, we thought, maybe we should offer something different. The genesis for that was Denise Zheng, who stands here, came from DARPA, right? And at DARPA, they do hackathons. We had to scale Denise's expectations down a little. At DARPA, it's two weeks and over a million dollars. It's not two weeks and over a million dollars at CSIS. But we thought, what if, and this is with HP, my friend from the Netherlands, what if we did something a little different? What if we didn't have talking heads? What if we had a hackathon where we brought teams together and had them work on a policy problem? And we told the teams yesterday, it's a little artificial.
Maybe they only have a day to come up with a policy on a big event. But as many of you in the room know, that's how it happens sometimes in real life. That's what you could expect to have to do in the government where you will get a problem and be told you need to have a solution the next morning, right? Or at least a proposal the next morning. We have had very strong teams, right? The two subjects they're working on, as you'll see in the presentations, are both capacity building and cybersecurity, which are the themes of The Hague conference, which will be in about three weeks, right? So this fits in very much to the conference. Video of the teams and their work will appear at the conference. Their products, which you'll see, will be on the conference website available for people to look at. How's this going to work? And Denise will explain it in a little more detail to you. But basically, you, the audience, are funders. And you're receiving a pitch from six different teams who are going to say, here's a scenario of a troubling cyber event in a developing country that needs help. And we have proposals both for how to improve its cybersecurity, how to build its capacity. So in some ways, you'll make the decision along with our judges. And I have no idea, yesterday, what the impression I came away with was this is going to be really hard because all of these teams are great. But it's something to look forward to. And with that, I think we'll get started, HP.
Thank you, Jim. Good morning, everyone. Also, on behalf of Ambassador Rudolf Bekink of the Netherlands, I would like to welcome you all to this cyber policy hackathon. It's an official pre-event to the GCCS 2015 because we wanted to spread the word already in advance of the actual conference. And we thought this would be a great way to do that. The Netherlands is honored to host the Global Conference on Cyberspace, a fourth one, as Jim indicated.
And it's only apt that it is going to take place in the city of The Hague. The city of The Hague is the international city of peace and justice. It hosts almost 200 international courts, tribunals, and international organizations. But that's not the only reason. The other is that it also hosts The Hague Security Delta. The Hague Security Delta is what we call a triple helix organization, cooperation between private sector, public sector, and academia. A lot of research is going on. There's a lot of companies and public and private organizations cooperating there. And that makes The Hague the largest cybersecurity hub of Europe. So there's a lot of reasons why the Global Conference on Cyberspace should be held in The Hague. But it is also, cybersecurity has been something that has been dear to our hearts for a long time. And there is no other way to express that than by having our new deputy minister saying a few words to us as well. The deputy minister is Mr. Dijkhoff. He's only been in the job less than a week. He got appointed one week ago. And he is the deputy minister of security and justice in the Netherlands. So he combines the portfolio of the deputy attorney general and the deputy secretary of Homeland Security. And despite that, in the first week in his job, he said, I want to take some time out of my busy schedule to address you. So please let me introduce to you Mr. Deputy Minister Dijkhoff.
Good morning to everyone in the United States and good afternoon to our European participants. I want to begin by saying how wonderful it is that you are here at this pre-event to the Global Conference on Cyberspace 2015, the GCCS. And this event is yet another example of the great collaboration between the Netherlands and the United States. Together we have long been on the forefront when it comes to ensuring free, open and secure internet. And as many people know, the internet was born in the United States.
But not many know that the Netherlands was the first country outside the U.S. that got connected. And by now the Netherlands has become the gateway and laboratory for internet innovations. And we are proud of that. Together, we all bear the responsibility for keeping the internet a free and open source of information. The aim of the Global Conference on Cyberspace will be to ensure exactly that. That is why we bring together stakeholders from a broad variety of backgrounds to discuss the challenges the internet faces today. And let's be honest, what the world needs today is not just another conference on cybersecurity. We need tangible and concrete plans to tackle cybersecurity challenges. And this is exactly why an important initiative will be launched during the GCCS in The Hague, the Global Forum on Cyber Expertise. And it will aim to strengthen the existing framework of international cooperation and build new partnerships where they are most needed. This is also where events like DiploHack come in. To achieve true progress, we need the help of young creative minds like all of you here in the room. And by the way, I've given it some thought and I guess it's also the reason why the responsibility for cybersecurity was given to me as the youngest member of the Dutch Cabinet. And I'm sure that it has been hard work for the student teams to come up with proposals. And I'm looking forward to hearing about the results. Let me finish by thanking the speakers, judges, organizers, and most importantly the students for their efforts in this Cyber DiploHack 2015. I hope to welcome the winning team to The Hague in April.
Thanks for joining us today. My name is Denise Zheng. I'm the Deputy Director here at CSIS for the Strategic Technologies Program. And I just want to take a couple minutes to explain the hackathon goals and the process.
So most of the people here are probably familiar with technical hackathons, which is an event where computer programmers, developers, designers get together and collaborate on a software project. They build a new feature or a new product or solve a particular problem. They're given a set of tools and parameters and they work intensively, often around the clock, to develop a new capability. Well, instead of developing software, what we did at this hackathon was develop a new approach, new approaches to solving a policy problem. Yesterday, we gave six teams of graduate students, three based in the United States, three based in Europe, a scenario and a two-part challenge. The scenario involved a national level cyber incident affecting the banking infrastructure of a developing country. In this case, the kingdom of Zambonia, which is a fictional country we created based on an actual Southeast Asian country that happens to share a similar sounding name. In the scenario, hackers manipulated the balances of Zambonia's reserve accounts and destroyed network infrastructure used to manage the country's currency transactions. Terabytes of sensitive data were erased, personal data for millions of Zambonians was lost, and the operations of commercial banks experienced major disruptions. Circumstantial evidence suggests that the People's Republic of North Gogorio is the source of the attack and that it was an act of retribution for Zambonia's decision not to prohibit the showing of the movie The Consultation. With limited capacity and resources to respond to the incident, Zambonia has reached out to the international community asking for assistance. They've asked for help to develop a national strategy, a national cyber strategy, and assistance in developing its cyber capacity to prevent and mitigate future attacks. So the teams were given a two-part challenge.
The first part was to identify the elements of a national cyber strategy to respond, mitigate, and prevent such attacks in the future. The second part was to develop new approaches to cyber capacity to build the capacity needed to implement the most critical elements of the national strategy. The teams used a creative ideation process that's commonly used in technology design to brainstorm and prioritize their ideas and concepts and to refine their proposals. They spent all night working on their pitch, which our judges and you as members of the audience will get to vote on. So the evaluation criteria is outlined in a handout that you received. It should have been placed on your chair. You'll be assessing the presentations, these pitches based on five criteria. And they are, one, novelty. Is the proposal innovative? Does it offer a new perspective? Two, sustainability. Does the proposal contribute to a lasting cyber capability for Zambonia? Or is it a one-off? How practical is it under resource constraints? Three, acceptance. Does it make a compelling case for international donors to support capacity building in Zambonia? Does it conform to international norms for cyber security and for internet governance? Four, positive externalities. Does it have non-cyber security benefits? Will the proposal enhance political pluralism or economic inclusion, social stability in Zambonia? And five, scalability. Can it be easily expanded upon to be more comprehensive, create a more comprehensive cyber security regime? So we want you to bear in mind the five criteria when you evaluate these presentations. We have six teams. They're presented on the PowerPoint slides over there. There are three based in Europe and they are the Castex Chair of Cyber Security with the Institute for Higher Education and National Defense based in Paris. Oxford University and the Technical University Delft University and the University of Leiden, they are based in The Hague. They're one team.
In the United States, we have Georgetown University, University of Maryland University College, and George Washington University. Each team will have eight minutes to present their pitch to you and to the judges. After the eight minutes is over, they will have eight minutes of Q&A with the judges. We ask that as a judge, you just quickly introduce yourself before you ask the question so that folks on the line know who's asking the question. We're gonna rotate back and forth between a US team and a European team because our European teams are going to be participating through VTC. So bear with us if there are technical difficulties. The overall winning team will be invited to participate in the Global Conference on Cyberspace in April in The Hague and they will also be awarded a stipend to cover travel and accommodations. This has been a pretty good incentive for the teams. We will also recognize a team for best in the category of national cyber strategy and best in the category of capacity building. So with that, I wanted to thank everyone and best of luck to the teams. I also wanted to note for those in the audience that have clickers, during the eight-minute Q&A session with the judges, you have time to vote on the presentation from A to E. We will have the criteria listed on the PowerPoint. Just look over and you'll see corresponding sort of levels for each letter. Note that you can change your vote multiple times if you'd like. But once that eight-minute session is over, your final selection will be your final vote. The audience results will help inform the judges' final decision. So with that, we wanted to start with Georgetown University. Then we'll go to Paris, then George Washington. Then to The Hague and then University of Maryland. Finally, we'll have Oxford. Thank you. Oh, I should also introduce the panel, our judges.
Jordana Siegel, she is the director for International Strategic Affairs at the Office of Cybersecurity and Communications at the Department of Homeland Security. Mr. Tom Dukes, who is deputy coordinator for Cyber Issues at the US Department of State. Angela McKay, director for Cyber Security Strategy and Diplomacy at Microsoft. Belisario Contreras, Cyber Security Program Manager at the Organization of American States. And Sherry McGuire, Vice President, Global Government Relations, Cyber Security Policy at Symantec Corporation. Thank you.
Good morning, my name is Elizabeth Irwin and I will be presenting the proposal on behalf of the team from Georgetown University. So to start with, I'd like to take us on a time traveling journey. The year is 1997, the place is Thailand. Thailand removes its currency from its peg to the US dollar. Indonesia, South Korea soon follow. What happens is a mass devaluation. The four largest states in ASEAN all lose a collective $220 billion in GDP in the following months. Millions plunged below the poverty line. The Hong Kong stock exchange loses 40% of its value and it requires a $40 billion rescue package from the international community to stabilize the situation. The year is now 2008, the place, the United States. On September 29th, the Dow Jones Industrial Average plummets 777 points, its largest single day drop. In the ensuing months, the Dow would drop to 6,600 from its earlier all-time high of 14,000, a loss in value of 54% only previously seen during the Great Depression. US household wealth, the losses exceed $8.3 trillion to say nothing of the global economy elsewhere. The year is now 2015, the place, Zambonia. In fact, two days ago, the cyber attack has hit the Zambonian Financial Sectors Network. The commercial banks' deposits have disappeared instantaneously. The central bank of Zambonia cannot lend. We have a crisis of liquidity. We have a crisis of conscience.
Now is the time, now is the opportunity to make some substantive changes, to look at this as a chance to truly introduce some change going forward. What I laid out for you is the past. It is Zambonia's present, but it need not be the future. So let's seize this opportunity. Let's finally recognize in the international community that cyber insecurity is an operational risk. The entire global financial system is predicated upon a strong cyber infrastructure, so we need to take steps to make it safer and more secure, build a more trust environment in which to conduct business and move global financial flows. So what we are proposing is a three-pronged investment from you today, an investment in capital in three different forms. We need your political capital. We need technological capital, as we traditionally think of it in the economic sense. We need, finally, human capital. So if we can go to the next slide, please, and I'd like to talk to you about that first investment. The goal here is to save time and save money. We will ask you to spend that time and spend that money now. Our first suggested investment is to create international standards and international compliance code, if you will, for cybersecurity as it specifically relates to financial institutions. There needs to be a minimum threshold of cyber security compliance for institutional participants in global finance. Things like standard encryption practices on end-to-end so that financial terminals have trusted connections to do trade. Data redundancy and recovery processes so that there's actual backup in the event that something like this should happen again, that we can rebuild a financial system within a country or within a region. Perhaps a disclosure policy, right? To do sharing about vulnerabilities and incidences that have occurred so we can learn from them and better protect. We want to leverage institutional frameworks, particularly the IMF, to move forward, to use this as an opportunity.
The IMF already has standard compliance mechanisms for other aspects of global financial trade. Let's use this to introduce a cybersecurity focused mechanism because we need to really secure our financial soundness. We can move to the next slide, please. Talk about the second investment. Zambonia specifically. Let's reinforce Zambonia's financial sector and its mobile networks. This is critical infrastructure in Zambonia, a country where over 50% use mobile phones. They're walking through the capital of Chenyia with a bank in their hand. They need to have confidence that they complete transactions securely. So let's follow best practices of securing confidentiality, integrity, and availability of data through enhanced technology. Let's help Zambonia with you, the donors, to give better hardware, better software, stronger encryption algorithms, more robust servers to better handle traffic, or to reroute that traffic in the event of a distributed denial of service attack, which is a common tactic against the financial sector. Let's create stability through a surge capacity in that regard, right? Build in redundancy, build in a spillover mechanism, a tripwire that can surge in the event of an incident so that the entire network does not crash. We are looking for things to do this, right, to create a stronger network. And that, again, encryption. This does not currently exist in Zambonia. There is no backup. It's really hard to figure out who had what in their account just three days ago when there is no ledger. Some possible suggestion. Build a backup, perhaps one in the capital, one in the Western part of the country. Maybe move the backup to the cloud. These are all best practices. We will identify in a multilateral way, through our donors, the best approach to identify the best possible solutions for Zambonia. Next slide, please. Again, here's just an example of what we're talking about. End-to-end encryption, it's not drastic.
It's not unusual, but it's a common best practice that we need to level the playing field as it were. We need to create a minimum standard. Zambonia is right here. We need to get it up here, and we do that through technology, and it can't do it on its own. That will take time, that will take money, that will take your help. Next slide, please. Finally, we want to talk about our third investment. This is an investment in human capital, okay? It's not enough to give Zambonia the technology it needs. We need to give it the talent. We need to build the skills. We need to build those capabilities among the Zambonian IT professionals. Now, Zambonia CERT has made a valiant effort in the last several days, but it is only four people. We need more people to better able handle this, and we need to tap it in to the regional and the international network of CERTs, right? Because this is something where you reach a critical mass and the more the merrier. Right now, what we need to address are two critical things. Incident response with Zambonia and information sharing. So the first speaks to that CERT responsibility of doing incident triage, mitigating the effects, containing attacks, and better able to respond, rebound and recover in the event of a future incident. The other part is tapping Zambonia into a CERT. It's not connected currently to APCERT or its neighbors in Thailand, its neighbors in Malaysia, but really valuable information to share. In cybersecurity, information is the coin of the realm, and we need to make sure that currency is free-flowing. So what we are suggesting is that we tap Zambonia CERT into the larger CERT infrastructure to better protect, prevent, predict threats and vulnerabilities, because that is the key to a faster response to save time and money and future.
Future instance, that $40 billion I mentioned at the beginning, that will seem like a bargain to us if we don't make some substantive steps moving forward to create a stronger, more secure environment for us all. So the last slide, please. Just finally, to conclude, we're talking about three investments here. We need your political capital. We need your money, we need your motivation, we need your help to mobilize the public, the private sector, your governments and civil society. We need to build in technological capital for more robust infrastructure and finally human capital to make this all happen in the future. Thank you for your time, and we're happy to answer some questions with the Georgetown University team if you could please come up.
All right, well I'll go ahead and get started. So good morning, this is Sherry McGuire representing Symantec this morning. First off, very nice presentation. Thanks for all the great work on it. I did have one question for you though and that's related to the urgency associated with what Zambonia is dealing with right now. You laid out a series of three investment areas but many of those are long term. What is your recommendation for the Zambonian government to help in the immediacy deal with the current crisis that they're under?
Hello? So most of these investments really are long term but they all have components that are medium to short term. So the third investment in particular can get moving particularly fast. Integration with other CERTs can start with inviting regional CERTs or APCERT to Zambonia at this time to address the crisis that is ongoing. So any partnership has to have a starting point and this is the best starting point you can have, right? This could be the beginning of a long-standing relationship between Zambonia CERT and regional CERTs.
I will also add that we have one place where we can have a higher payoff quickly. In Zambonia we realize that the cell phones are highly used.
What else we don't know how the malware got into the bank? We know that people use it a lot. So we know that there is an infrastructure of mobile phones. We just need to make this resilient. And when it comes to endpoint encryption you have different levels. One size doesn't fit all, fit all. But we know that some encryption, some endpoint encryption at the mobile phone level is gonna be quick and at some point can be cheap also depending on the encryption and can save any malware to get into banks.
Good morning everyone. Angela McKay, director of cybersecurity policy and strategy at Microsoft. I'd like to reiterate Sherry's comments. This is a great presentation and pretty well thought out. Quick question for you guys. I heard a lot, I heard the three element component but I'm wondering what are your thoughts on how you get the community basically to trust the banking system again. While there are certain actions in this strategy I didn't necessarily hear something that's going to ultimately help people trust a system that has lost their money.
So resubstituting confidence in banks is always a big problem when you have a financial crisis. In this case in particular when you have an underdeveloped and rapidly developing financial system you already have a problem of established confidence in the first place. A lot of people don't have bank accounts and are now less likely to establish them. Why would I trust you with my money when I can just put it under the mattress? That's one of the reasons why we want to establish global standards because we have the same problems in a lot of countries that are establishing banking systems. A lot of people don't want to have credit cards because they don't know how they work. They know how cash works. They don't know they want to have bank accounts. So having clear regulations especially when it comes to cyber is one of those ways.
One of the things that international institutions do is establish clear signals that can signal not only to national consumers but also international investors, trading partners and so on. So it's not just about the confidence of the common citizen in Zambonia that is being affected right now. It's also the trading partners they rely on for exports and imports. It's also the investors they rely on for a lot of their currency. Half of Zambonia's government budget comes from international donor agencies. So it's their confidence that we're really trying to re-establish short-term and long-term by bringing Zambonia up to a higher standard of cyber security in the financial sector.
Good morning, I'm Jordana Siegel from DHS and again echo the comments of my colleagues. It was a great presentation and obviously reflects a lot of work over the past 24 hours. My question is regarding the sustainability of the proposals that you've outlined particularly for Zambonia because I didn't hear anything and I may have missed it but I didn't hear anything in your presentation about governmental strategy or something to kind of bring these efforts together domestically within Zambonia. So I'm wondering if you had some thoughts about how that would go forward from the suggestions that you outlined.
Do you want, so there's three elements to this and each one has a different component to national strategy. Is there any specific one, the one, two or three that you want to address because we have, I think, different national responses when it comes?
Hi, this is Tom Dukes from the State Department. Let me follow up a little bit on Jordana's question which was largely what I was going to ask and that is how do you expect the Zambonian government to move ahead in terms of addressing the cyber security needs, the financial sector needs?
Is there, you have political capital is one of the core elements of your response but I'm also curious as to how Zambonia is going, how you expect it to reorganize itself, what parts of the government you expect it to utilize, et cetera.
I'll just talk loudly. Oh, sorry. Can you guys hear me? Okay, great. So in terms of sustainability, right? And we are suggesting a substantial amount of change within the Zambonian government. So there's a couple of things. Terms of, for instance, that infrastructure that we talked about, right, that's going to cost money. How do you sustain that in the long term once you have to wean off the donor money? We're hoping is that it creates a self-sustaining incentive amongst the Zambonian partners within the financial security network, right? So in terms of commercial banks, there should be an incentive there once they're locked into this system that if you don't comply with it, then you don't have access to global financial flows, right? Everyone needs to have a minimum standard of fitness, if you will, that they are reaching in cyber security to be a trusted entity that we can trust you with sending you money, whether that's the US Treasury, whether it's the IMF, whether it's just a trading partner. So we're hoping it's a self-sustaining incentive there that if everyone else is doing it, right, we're gonna have to play by that rule too. In terms of changing the Zambonian government, this will not happen overnight. We recognize that, we understand that. But again, whether it's through public and private partnerships that help the Zambonian government identify those good governance practices and identify a good economic mechanism to do this, again, they can't be dependent on us forever, us, the international community.
We need to create a way that they can institutionalize these good governance practices and create a way that inspires confidence in foreign direct investors and inspires confidence in its own people to the earlier point, right? The people right now in Zambonia don't have a reason to trust the central banking system. We need to show, we need to do demonstrable evidence that we have made changes to make it more secure. Perhaps that means instituting a type of FDIC policy with the Zambonian government, finding a way to ensure certain deposits and create that level of confidence. Things like that, other practices that have worked in other areas of the world may not be immediately able to graft that onto Zambonia, but let's get the conversation started because it's not happening.
Thank you, Belisario Contreras from the OAS. So most of the facts were targeted to the financial system. You mentioned public-private partnership and most of the changes need to, will it affect the private sector? You mentioned international standards and that actually will need a substantial change of legislation and regulations and that takes time. What will be the strategy to make all those changes? Actually, all the strategies probably focus on the financial system, so I'm not sure if are you actually looking at other factors of the national cybersecurity strategy?
So we're almost out of time, so I'm gonna make a very quick response.
I'm sorry I can't address, because that's a very good comment, so I'm sorry I can't address it entirely, but so the reason we are focusing almost exclusively and the first point especially on financial sectors because it's one of the most crucial sectors, one for the most potential for contagion and for disaster, but there are a lot of critical infrastructure that can build on the minimum standards that are set by financial systems and we've seen this happening with regards to data disclosure in other sectors that other sectors adopt practices from the financial sector, but you're right that it requires a massive amount of time and investment and legislation changes, but we've seen this happen also after the financial crisis and it took time and we're still in the process of re-establishing the Basel process, but it's not a quick solution, but it is right necessary because it is a massive operational systemic risk and we can talk more about this after the Q and A, but I'm sorry I can't. Thank you, Georgetown. Great presentation. Next we will go to our team in Paris, the Castex Chair for Cybersecurity Strategy. We dim the lights please. We can see and hear you. We can see and hear you. Okay, thank you. Can we see the slides? Just a question before starting. Will we see the slides? Just let us know when you want to advance to the first slide and to subsequent slides. We will advance them here. Okay. Well, good morning everybody. First of all, the Castex Chair would like to thank the CSIS and the RBC for having invited us to the Diplomax 2015. We based our approach on the priorities of the stability of the country and the attack since the attack was really about destabilization. Second, the economic and social development of Zambonia and third, the stability of the region. Next slide please. 
As you can see on the map, the main security threats in the region according to CSIS study are escalation of territorial conflicts or historical disputes and economic and financial crisis. So we decided that attribution and countermeasures were not a priority. Indeed, the risk associated with conflict escalations were too great compared to the potential benefits of attribution and response. Therefore, we made the choice of deterrence by denial and strategic partnerships with trusted countries. Our first priority, reinforcing the banking system. Next slide please. Now, the systemic risk is important in the region because there are strong economic interdependencies in Asia. We map the top three countries of exportation for each Asian country and as you can see, there is a very high risk of contagion. Now, trust in the banking system is essential to attract and retain investors, especially in Zambonia, where the majority of banks' shareholders are foreign. Trust is also critical to the economic development of the country and the ICT sector. But reinforcing the banking system will facilitate the diversifications of financement sources and it will be also critical to enter the ASEAN Economic Community by the end of 2015. Now, the attack showed that there is a great need to improve the resilience and the protection of the networks and also to train the workforce. We therefore proposed to use the political leverage of the attacks to create a center of excellence for banking cybersecurity in Zambonia. In order to do so, we would organize an international forum with trusted partners for an experience feedback of the crisis. Now, the goals of this international forum would be to identify points of vulnerability, to identify the needs to enforce the information systems and finally to update international and national norms and regulations for banks with a special focus on cybersecurity, mission assurance and risk transfers. Next slide, please. 
Now, because of development opportunities, we can convince private partners who seek a strategic positioning in an emerging market with huge potential. The GDP annual growth was 7% over the past three years. As you can see, next slide, please. For example, the mobile internet operators. Now, 3G coverage is still limited, as you can see on the map, but there are great opportunities of development specifically with the mobile payment systems. Next slide, please. Now, also because of the systemic risk, we would convince partners such as the World Bank and the Asian Development Bank to integrate such initiative. Next slide, please. Our second priority is to create a national agency for security of systems under the authority of the Prime Minister, multi-stakeholder advisory board for greater legitimacy. Zambonia's structure of power is very pyramidal and the agency requires strong political endorsements. ZAMCERT will be located in the agency and will have an impact and APCERT. It will enable quick decision-making in case of an attack. And it will be key to capacity building with the coordination of cybersecurity policies across ministries and stakeholders, coordination with the private sectors for PPP and coordination with universities for education and research. This will help improve the resiliency of the networks, raise awareness and develop best practices in partnerships with stakeholders. Next slide, please. The burden would rest on the Zambonian government, which could benefit from the expertise and support of IMPACT, the World Bank, the UN Office for Drugs and Crimes and ENISA. Funds could also come from official development aid from Asian partners, as you can see on the map. Next slide, please. Finally, our third investment is reinforcing international cooperation. Zambonia has to build everything from the scratch since it has the lowest level of cyber maturity in the region, as you can see on the map. 
Zambonia needs the help, the experience and the expertise of developed countries. There is a need for Zambonia to level up in order to improve the resilience of networks for the entire region. Next slide, please. The priorities are, first, Zambonia needs to develop strategic security partnerships with diverse Asian countries in order to avoid getting caught in the U.S.-China rivalry. Too close to China would raise trust issues in the region and too close to the U.S. would upset China. And data protection laws in cooperation with Asian countries and regional organizations. Harmonization is critical to the Budapest network for Asian countries. The Europe, the EU and the ARF could be asked. Third, Zambonia needs to increase partnerships in education and research, as well as training for the military and the workforce. Finally, Zambonia should lobby for the creation of rapid response teams within APCERT and the strategy could be built on existing partnerships such as China, Japan, South Korea, the Asian Cyber University, and also add new ones such as the IZO Academy. Now, cybersecurity is a transnational threat and Zambonia can't fight on its own. Asia needs all countries to build up capabilities in partnership, sorry, with the private sector to ensure the security, the economic prosperity and the stability of the region. In that perspective, Zambonia's participation in the Hague conference would be a constructive first step. Thank you very much. Next slide. Next slide, please, Emily. Good afternoon, I'm here in Paris. Sherry McGuire with Symantec. Question regarding, first thanks for your presentation. A question around prioritization. You laid out three priorities, however given very limited resources of Zambonia, what do you think is the number one priority that they should address first? 
Well, the very first priority would be stabilizing the banking system and restore the trust of the users of the Zambonian people in the banking and in the banks, commercial banks and the central banks. That would be necessary. And I think crisis communication made possible with the use of mobile phones since there is a huge penetration of mobile systems in Zambonia. Communicating directly on mobile phones would help the Zambonian people to understand the true nature of the crisis and prevent any escalation within the country, within the users to try to attempt immediate and non-softful actions. Good afternoon, Angela McKay with Microsoft. In a bit of a related question I heard in the beginning that you guys decided to go with no attribution and I feel like I heard no response, immediate response to the attacks, but rather a strategy of deterrence by denial. Could you please elaborate on the deterrence by denial and how it actually aligns with priority one that you said, which is restoring trust in the financial system? Absolutely. Deterrence by denial in Zambonia would actually mean a global resilience for the information systems in Zambonia. Now, the banking system would be the top priority since the attacks directly affected the banking systems, the banking information systems. But then afterwards a dialogue with, well, you could say strategic and historical partners in the region, like China, and that, you know, maybe Gagoria would help fight and avoid any violence escalation in the region. So the overall resilience and deterrence by denial would come as a consequence of both communicating with strategic partners and leveling up the overall security in Zambonia, starting with the bank information systems. Hi, Belisario Contreras from the OAS. In terms of prioritization, I saw that you decided to establish a national security agency as priority number three, you include the Reinforcing International Cooperation. 
In those areas, you included legislation, education, so you included different areas that you can do national, the national level. Is there any reason that you decide to do it at the international, with the international cooperation or with the international perspective? It was our first point. In fact, we decided to create an international center of excellence for banking security in Zambonia, and here we would do information sharing and in order to update international and national norms. So that would be done at the national, the Zambonian level with the creation of the agency and at the international level with the creation of the center of excellence. And the point here is that we need to make the international system more secure and the center of excellence would help in doing so. This is Jordan Assigl from DHS. Sounds like a good idea, but it's going to take time to get all of the different entities aligned that you outlined. What do you think that the government of Zambonia could do, leveraging ZAMCERT or other entities that do exist, even though they have limited capability in the short term? Well, in the very short term, Zambonia would obviously need to get closer to APCERT and with the IMPACT program of the United Nations, it would provide in the very short term the necessary capabilities, technical and humans, to address the crisis and also to provide the first elements of building up this ZAMCERT, the Zambonia CERT in order to think over the long term. But yes, in the very short term, Zambonia imperatively needs to ask for international help through international cooperation, a regional, whether it's APCERT or yeah, IMPACT in the UN. Hello, this is Tom Dukes from the State Department. So my question is, what you've described is a fairly comprehensive and fairly sophisticated approach, especially with the cybersecurity agency. 
In fact, 20 countries would love to have something that well-developed and implemented. So my question is essentially, if you look at a country like Zambonia that is extremely poor, very low on relying largely on international assistance to meet even, and it is not yet meeting even its most basic needs of electricity and the like, how would you propose, taking a case like that, how would you propose bridging from sort of its current state to the much more advanced state that you laid out for us and how would you look at leveraging its existing international, the ongoing basic infrastructure development that it's obviously, the ongoing sort of base obviously focused on right now. Well, there are several elements in terms of, you know, physical capacity, physical infrastructure. The mobile market can bring massive investments from the operators and the infrastructure providers, whether it's from China or the countries in the region or internationally. Now, afterwards, you can immediately design to provide, as well as the infrastructure, the information and the knowledge necessary to develop the infrastructure, train the people, train the specialists, and you can also rely on existing programs in place. I mean, Japan and South Korea already fund the ICT development with two different programs in Zambonia. You can rely on that and the development of such programs and also the Asian Cyber University, which provides training information for experts. So there are several existing and you could actually increase and with the help of the United Nations, you could add another provider of knowledge or resources. So I think it's actually quite, you know, awesome. Great, thank you very much. Thank you. Next, we will have George Washington University present. Please come to the stage. Lighten, can we turn on the lights, please? Good morning, everyone. Thank you for that. My name is Hulissa Rogers. 
I'm from the George Washington University School of Business and I'm going to present our strategy for you today. Can you go to the next slide, please? So as with any strategy, it needs a good kind of marketing tagline, campaign plans title. We're going to call ours Cyber Zambonia. Next slide, please. Now with any investment decisions, I think that you need to need a kind of some sort of faith, a good faith call from the government of Zambonia. You need to know that they're going to have a strategy from which they're going to promote capacity building measures. There is a pretty extensive strategy you can build for in cybersecurity. Zambonia has a lot of work to do. Now what we were able to do is just kind of in our session put a matrix together that shows what are the capacity building measures that span across the respond, mitigate, and prevention requirements that fall within a cybersecurity strategy. Within those, we chose three capacity building measures. And we're going to go through them here today. Governance and institutions, infrastructure modernization, and digital economy expansion. And the idea here is as we're walking through this, we want to secure a landscape for business and customers in Zambonia and bring in international partners to help us do that. Next slide, please. For the governance and institutions, there's a proposal to bolster Zambonia's ability to communicate across governments, across private sectors, and to their public. With the banking sector, they were hit and their systems were compromised. There was no process in which they could communicate to the government that they were in trouble. So we proposed to start a Ministry of Information Security, embed ZAMCERT within that, and also add a cyber threat task force, but a cyber crime task force, to be able to be the lead for evidentiary collection in the event of a cyber attack. 
And they would be the lead for working with international organizations, such as the UN Security Council, and their rapid response team in cyber events. Now, with the Ministry of Information Security, that is kind of a long-term goal. But we suggest that you start with a cyber security task force. So it's going to be a small team of people. They're going to bring in members of the international community and from the regional Asian community as well. And that's a way that we can go from short-term to medium and long-term goals in terms of organizational structure that will implement cyber security, as we laid out in the previous slide. And the thing is, doom and gloom, you have the attention of the world and of the Zambonian citizens. Now is the time there's political will, I would guess, right now to implement some pretty bold ideas. Because if you wait too long, people are going to start to forget once the banking sector recovers whenever that is. Now is the time to put forward some bold approaches. Next slide, please. And we would also offer, we want to uplift the public, bring them into the digital economy, develop their information society. We propose to start a capacity-building measure to expand their mobile coverage and access to the internet through broadband. So governments can use this, Zambonian government, can use this to improve service delivery to their citizens and also be able to communicate cyber awareness campaigns much more efficiently. So this is kind of breaking down a progressive approach to building that capacity out. But it's going to take some time and resources from the international community. Zambonia will not be able to do this on their own. Next slide, please. Now I wanted to talk you through kind of the highest priority in terms of what we need to prevent a cyber security attack in the future. We're going to have to build a data exchange layer, a type of play on what the Estonians call the X-Road. 
We're calling it the Z-Road for Zambonia. It's a secure information sharing backbone. Without this, you're not going to be able to take Zambonia into the future. You're just going to stick with the status quo, which is to rely on informal relationships between information security officers within banks to communicate that their banks attacked. And in this case, what happened is that the banks weren't able to communicate with each other. They don't want to because that has implications in the marketplace. They don't want to tell each other that, oh, yes, my data was hacked six months ago and potentially show their hand that there's a vulnerability in their information security system. So I would propose to use Zambonia as a pilot to build a security data exchange layer. It would be one of the first of its kind in Southeast Asia. Estonians in Singapore would be excellent partners in this and would suggest starting with a discussion on how to bring this to be. The government would have the authentication service and identity management to start with. So next slide, please. I've ran through the opportunities and the idea, the vision is really to bring Zambonia into the advanced world in terms of bringing it into an information society where the public and international partners, Zambonia, can be a part of something that takes them into the future of data security. And with this, we'll bring those kinds of positive externalities of uplifting their economy as well. And with that, I will have our team come up for questions, thank you. So I guess I'll go first again. Sherry McGuire with Symantec, thanks GW School of Business. I'm an alumni, so good to see you here. First question was on governance and institutions. You specifically called out four areas, one of them being the private sector. Can you expound on how you would plan to utilize the private sector on the governance and institutions part of your proposal? Hi. 
So we actually wanted to leverage a newly formed trust fund by the World Bank to build up cyber capabilities. So that would be our mechanism for bringing in regulatory framework. It would be, we would leverage the World Bank's group new, we have a new operating model, so IFC's part of our whole group. So we would leverage IFC to bringing private industry. And obviously because Zambonia is a developing nation, we would use MIGA to guarantee whatever projects we would do and in true bank fashion, obviously our initial project would be a pilot. So we would be able to test it and use bank standards and safeguards to then see what sort of gaps we would need to fill and then that's how we would scale. So it would be a blend between having the government and the initial financial industry, something similar to what we have here in the States with the Financial Services Working Group. And I think when we look at the governance being established and the banking system being restored, companies like Microsoft would see an obvious opportunity for rapid expansion in Microsoft phones, getting their public into that digital economy with rich content, training, as we talked about communication and moving the country forward. So obviously companies like Symantec as well would be a very key partner to making sure that the standards are deployed in every facet of their economy, the sectors and the public as well. Good morning everyone, Angela McKay with Microsoft. Glad to hear you're gonna be using Windows phones in this environment. Definitely support that investment. I just had a quick question. Really thought that the idea of improving access to the citizenry is a great idea. But one of the things that comes along with access is a lot of risk. And then users don't necessarily always know how to leverage technology to their benefit. 
So could you expand a little bit on how you'd go from the investments and infrastructure to advancing the citizenry's use of it for a wide variety of purposes? So we plan massive education. We plan to use existing online content that's local to the region, that's best of class, that trains the Zambonians in their native language how to use these new technologies for their advantage, how to learn, how to build skills, how to build capacity, how to create companies, how to create jobs. So we see every facet of their society being able to educate themselves. And of course this has to be strongly communicated by the government. It has to be a public and a private partnership to empower their citizenry. And actually one thing you didn't mention actually, we're gonna start off with a MOOC on mobile security. So that's going to be the initial point of entry for Zambonian citizens. It's a massive open online course. So that would be the initial way for Zambonians to learn about these upgrades to their mobile phones. And then that would be the point of entry for education because we're gonna be improving the mobile access. We will do pilots on entrepreneurship training and really use mobile as a platform to upgrade the citizens. With this new 5G environment for the Zambonians, they would need to also move into the services economy. And I'd just also like to add to that, that in addition to the education and public awareness components that we'll have with the establishment of the new government ministry as well will be engineering into the new network's security from the start. So advanced encryption, end-to-end, multi-factor authentication, and all of the really modern necessary security implements that will help as we're bootstrapping the population up to the security. Tom Dukes from the State Department. So Zambonia has just been essentially attacked in a very aggressive, destabilizing way by a neighbor that appears very hostile. 
What are your proposals, and you've laid out some very sort of good long-term structural changes that you would recommend, but in terms of short-term sort of incident response, both technical, political policy, what would you recommend Zambonia do in terms of its priorities for trying to address the immediate situation it finds itself in? I think in the immediate timeframe, they said that Zambonia had reached out to the UN for assistance. That phone call probably kind of cascaded into a lot of different phone calls to kind of mobilize experts to go to Zambonia, go to the, it was multiple banks that were affected, go to the victim of the cyber attacks, and bring their forensic investigators to start to document the metadata, everything that they know about the attack. They have to do internal and external investigations to ensure that it wasn't an inside job within the banks. They have to find out where the vulnerability actually existed or set of vulnerabilities. That evidentiary package is going to be critical in building that case within the UN Security Council, especially if it's deemed a terrorist act, cyber terror, what is the cyber crime that was occurred? They need those facts to be able to make the case, and that's going to be a time-sensitive thing. Also, with the immediate response to the attack, that opens up opportunities to Zambonia to have bilateral, multilateral, regional cooperation with other organizations, with other countries, much like when Estonia was attacked that provided the leverage from them to build up their cyber infrastructure. This should provide the impetus for Zambonia to create the, I mean, it's a hotline now to create the relationships that they need with the CERTs in the APCERT, the other countries in the ASEAN network, and so on. And there's an opportunity for public appeal because we've seen that every time there's a natural disaster, tsunami, or earthquake, there's going to be a concert. 
We want to put on the first ever concert for a cyber attack, and have the public now rally to stand on the side of Zambonia to protect the freedom of speech and show the consultation movie. And actually, just one more thing that we also thought about was signing an MOU with APCERT so that they would actually start the rapid response requirements within Zambonia and employ a train-the-trainer model so that they can build up the capacity of ZAMCERT. Thank you very much, GW, great presentation. Next, we're going to transition to the Hague where we have the Technical University Delft, University of Leiden. Thank you. I believe you are muted. Can you hear us? Yes, we can hear you. Good morning to the judges. Thank you for having us. Thank you for taking the time to evaluate those pitches. And we had a great time. We want to thank you all for participating and giving us the chance to participate today. I will start with talking about our group's work, which is Pan-Asian Cyber Congress. Please proceed to the next slide. What we did is we kind of looked at it in an umbrella. So you have cyber crime coming in from the top and underneath the elements, which are infrastructure, knowledge, and convention. Those three elements will all together serve as the safety net that will help countries and states that are situated underneath with private organizations to be safe from cyber crime. And Jessica will take over. Thank you, Emma. Please proceed to the next slide. I will talk to you about infrastructural measures. We identified a number of critical infrastructural sectors. There are three that need special attention. These are divided into short-term and long-term measures. On the short-term side, we have the financial sector. The financial sector is very important as it was the biggest victim of the attack. Therefore, it needs stabilization to prevent spillover effects. 
These spillover effects are internally and externally. Internally, they can decrease the public safety, which I will return in a second to. And externally, they can, externally, they can spill over to other countries. This is also the incentive for other countries to provide help to secure the financial sector. On the long-term, in the long-term measures, we have public safety. The public safety is important because there can be spillover effects from the financial sector, which will decrease public safety. Therefore, it's important to train cyber inspectors and law enforcement, which is on an operational level. The second measure in the long-term perspective is the telecommunication sector. This, here, it's important to focus on strengthening this sector to increase resilience. We identified three key investors, which are the World Bank, the IMF, and the Asian Development Bank. Slide. The measures we identified is focusing on cyber resilience knowledge measures. These are also divided into short-term and long-term measures. On the short-term, we would like to fly in experts who can focus on damage control, which is important because of the effects it had on the Zambonian society. And the incentive here for other experts to help is also the spillover effects for other countries. This is more externally than internally. On the long-term side, we have education. This is divided into separate measures. This is focused on university partnerships, where student exchanges are important and focused on creating a double degree, where the focus will lay on ICT and policy combined. Another measure we identified in terms of education is joint ventures. We would like to open up the market for external companies to invest in Zambonia. And these companies can then train local actors. This is a two-way traffic approach, which will increase knowledge exchange and financial gains for the external investors. A second measure we identified is public commitment. 
This is focusing on the young generation who is known to use a lot of smartphones and social media to create resilience in the local population on a low level. Emma? Yes. Thank you, Jessica. Please proceed to the next slide, which is international prevention. This is the first element that we mentioned previously. And it's also divided into short-term and long-term, as you may see. The first being Pan-Asian Cyber Congress, short PAC. What we agreed upon is that we wanna open up a cooperation of privates and governments taking into consideration major powers, major private organizations, and NGOs, experienced actors like Estonia and regional, on a domestic level, actors that can also feed into that type of Congress. The purpose being to get all actors to sit at the table, to sharing of best practices and knowledges, which is what Jessica just mentioned previously, but also to develop a roadmap to increase cybersecurity by stabilizing infrastructure and sharing knowledge, also feeding back to Asia-Pacific CERT. We have already some CERT in place, but it's not sufficiently equipped to help the damages at the time. So I think it would be good to feed back into already existing corporations, such as Asia-Pacific CERT. With the knowledge, we can create new markets and expand existing markets and create a coherent and sustainable forum, which is very, very important. On the long-term side, we have the International Court for Cybercrime, ICCC. The reason being is we can see the Congress, so PAC, as a stepping stone for establishing the ICCC. PAC will work on a proposal for an international convention on cybercrime, which will then lead towards universal jurisdiction ending in the proposal. 
We acknowledge and understand the challenges that are standing in the way of simply creating an international court of cybercrime, which has been faced by a lot of scholars and actually talked about by a lot of scholars already, but we also see that with the rapid growth of the cyber realm, the need for establishing an organ that can hold individual perpetrators responsible is definitely important, something we need to address. Also, furthermore, the universal jurisdiction will harmonize legal approach and increase judicial power and accountability. And lastly, I wanna talk about the investment. And what we need is for setting up PAC and also later establishing the ICCC is state engagement and also fallback on the ILC, which is now of the UN, UN body. And last but not least, private can lobby in their own domestic countries for states and raise state awareness to fund the ICCC as it will also be in the interest of privates to do so. Finally, this court and convention will have the aim to deter future cybercrimes and therefore improve the cybersecurity that we are now with today. Thank you for your time. And we're gonna move forward to the questions. Oh, I'm not. Such a work. I wish. And there's no audio. We can't listen. We have no audio. We don't have any. No audio. Go ahead, just turn on your microphone. Oh, yes. Yes. Wait, is everybody? Can you hear me? Yes, yes. Yes, okay, great. Thank you very much for your presentation. I have a question about the proposal for the International Convention on Cybercrime or the ICCC that you said should develop an international convention on cybercrime. And I know that Zambonia had been considering adopting the Budapest Convention and had had some issues perhaps with what they had put together related to that and there was some backlash. But I'm wondering why there's a departure from their previous engagement with the Budapest Convention and the suggestion for a new convention on cybercrime. Yes. Hello, my name is Adrian. 
Hello, my name is Adrian. And thank you for your question. The problem we were facing with the Budapest Convention is that the Budapest Convention has a wide margin of appreciation for the states and so does not provide the required termination on this, in this domain. And therefore we propose a directly applicable international convention on cybercrimes such as state attacks, attacks directed against the whole state, destroying a whole bank. Good afternoon, Angela McKay with Microsoft. I'd like to first compliment the team on twice using the word incentivize action from different player sets, whether it is the other countries who may be coming in for the incentivizing private sector action. I thought that was a really good component. Past the initial response activities with damage control and a fly-in team, what are your plans to work on helping to prevent future attacks? Recognize the component of deterrence through the cybercrime or the ICCC, actual actions you would want to do to prevent future attacks. Thank you for your question. My name is Stefan. Happy to answer it. As Jessica already told you, it's like a two-way traffic. So both the experts which are flying in to do damage control, they also can bring their knowledge on the long-term and educate at universities in Zambonia. Hi, this is Belisario Contreras from the OAS. So besides the development of the Pan-Asian Cyber Congress and the cyber resilient knowledge on the short and long-term steps, are you planning to develop like a strategy with concrete objectives, steps and any methodology for Zambonia or... Is it in Jessica? No, it's not, Emma. Certainly, good question. Thank you very much. To go back on that, I think if we, as I already mentioned earlier, was the development of PAC, so the Pan-Asian Cyber Congress, which will be working on a domestic and an international level, but that will happen later. 
And the first step would be just like looking at the best practice of Estonia, focusing on the domestic level. So go back to infrastructure and knowledge and through that solve the problem at hand. Anybody want to add anything? Thank you. Cheri McGuire with Symantec. You talked extensively about the international convention component regarding the international court for cyber crime and having international jurisdiction, but given Zambonia's lack of legal infrastructure today, what is your proposal to deal with the legal infrastructure around cyber crime within Zambonia? Well, first step, we consider to ratify the Budapest Convention, but as there is no public support for doing so in our country, we could not proceed to this ratification. Therefore, we propose this new body, which deals with this particular serious crime that attacked our country as Zambonia, as we are legal advisors of Zambonia in this case. Does this answer your question? I'm trying to get at more what is the proposal for dealing with the lack of legal frameworks inside the country, not just on the international front? So I think the way we approached it is, and I think I mentioned that earlier as well, is that yes, we definitely need to face the domestic issues as well and look at a legal framework, but we're gonna do that by sourcing the information that we already have. So use existing alliances and use the Asia Pacific CERT for help, and then come up with a legal framework. The domestic legal framework, even though there would be a domestic framework in this case, it would be inefficient because the attack obviously comes from abroad, and our jurisdiction is only limited on the Zambonia territory. Hello, good afternoon. This is Tom Dukes from the State Department. So my question is you and teams before you have referenced this idea that there would be external experts who could fly in and provide assistance. 
I'm not really aware that such a capability exists in the international scene, but for purposes of this question, let's just assume that nobody comes to help Zambonia. How would you recommend, in that instance, or they're told perhaps APCERT or others can provide assistance, but it will take them six weeks, eight weeks to actually provide a few people to come in and on the ground and assist. So given the fairly dire nature of the scenario for Zambonia and particularly its financial system, what would you recommend Zambonia do in terms of leveraging its limited but existing capabilities to try to immediately and over the course of a month or so address the situation they find themselves in? Okay, hi, this is Sulep. Thanks for your question. Our private entity in this case, because the private entities will be more interested to help. First of all, because it will give them the chance to showcase to the world about their strength because that they are really capable of handling these kind of security attacks and open the door of new opportunities for them. And also we are trying to, it's like an incentive. We are opening our market so that they can set up and we can give the tax rebate and so that it can be addressed. So it was not just to involve the other countries but take the help from the private one. So yeah, the private parties will boost their reputation again and they can also learn of the best practices to the mistakes which are being made in Zambonia. Yeah. Thank you very much. Next I'd like to turn to the University of Maryland University College. Good morning. And for our European counterparts, good afternoon. My name is Nathaniel Davis. I am the speaker for the University of Maryland University College. 48 hours ago, the financial infrastructure in Zambonia was attacked. I'm coming to you today to request your assistance in responding to this threat. We have a very short window in which we can respond. And that's why I need your help. 
Next slide please. The reason I'm here is to help Zambonia to develop a more secure structure by restoring the operation of the financial sector, enhancing their current cybersecurity capability and then developing the cybersecurity strategy for the kingdom. Next slide. We're looking at this in a three phase approach. We're gonna restore services, we're going to enhance our capabilities and then we're going to build that policy. Now, these are gonna happen in very short time frames. The restoration of service, we expect to take about a week. That's why I need your assistance because it's going to require all of us to actually accomplish this. I'm gonna need the activation of your response teams. Now, I wanna treat this like it is a natural disaster. However, it is a financial disaster instead. A lot of the infrastructure still exists. We do not have to worry about bringing in power or any of the other equipment. That equipment is already there. What I need is I need clean servers that we can bring in. I'm also looking at an immediate public relations response. We need to reassure the public that their information is in fact secure, that their money can be recovered. And part of that is going to be the incident response teams. We're looking to deploy a mobile forensic team. Again, that's why I'm asking you for your assistance to provide members of your team that can work on this. Part of that will be the restoration and recovery of data. I'm looking for forensic teams that can go in image drives and start removing and restoring the data that was there initially that has been erased. Now, I expect that we can get the equipment in on site within 48 hours. The public relations message has already been put out. That we should be able to get that out within the first day. Equipment we can get on site within 48 hours. 
What we're looking to do is establish a brand new network on the outside so that we no longer have to worry about anything that is persistent hiding on the old systems. We're gonna go in, image those, clean them out completely, and then bring them back into capacity. We are giving them an alternate network that they can work off of during this time frame. That's part of the restoration of banking services. We're looking at deploying a temporary data center solution. The other assistance we're gonna need from the Zambonian government is a location in which to actually put this. If it was a natural disaster, we would have no buildings, we would fly in trailers. Instead, I wanna bring in equipment overnight it, put it up in a building that has power and connectivity, and then we can actually work it from that angle. Now, initial part for restoration of services. We have the commercial banks that have stuck workstations and they have some of their data still available. It is the central banking system that has lost a large amount of its information. There are transaction logs between those two banks. There's always two sides to a log. You can use part of that log to recover some of that information. Some of it may be a little outdated, it may be a little old, but it is better than nothing that we, them, their current situation. Between that, as well as the information we're able to recover from the hard drives, we should be able to reconstitute the majority of the financial sector. The other thing we're trying to do with this, and not only are we establishing confidence in the citizenry, we're also trying to restore the rule of law on this aspect. The main thing here is there is talk of runs on the banks. We want to actually keep people away from that. We don't want them crowding the doors. We don't want them panicking, trying to get cash. Next slide. Now, that is the initial response. That's what we're trying to do very, very quickly. 
The longer term situation, and this is what we're looking at here, is enhancing their cybersecurity capability. In that structure, we're looking at about, somewhere in the neighborhood of like a six month response. So we're looking at giving them a top down model. This one is just a representative sample. It can be something that we have to have the inclusion of the Zambonian government to help develop this. This is just a talking point to get them started. But we want to have them inside and start establishing who owns particular resources, and that's going to be more important as we go on. Next slide. So once we have resource establishment, we know who owns and operates which particular parts. We're going to start doing some of the training. One of the things we want to do is we want to keep ZAMCERT involved in the forensic aspect of that. Let them supervise, not supervise, but let them shadow, be aware of what's going on. This will enhance their capability so in the future, if this happens, they know how to begin. We also want to partner with international organizations to provide certification for digital incident handling. We also want to take ZAMCERT and enhance that, build it up into a joint security operations center. We want to establish partnerships with international organizations and regional organizations so that there is this information sharing. So if they are aware of a potential attack, that they can get that and then Zambonia will be able to be better prepared to respond to that. Next slide. We also want to develop a national cyber strategy. We want to develop a national cybersecurity framework and we want to use international standards that already exist. There's no need to reinvent the wheel when we already have these capabilities there. 
Another thing that I'm going to request your assistance on here is that I'm going to need some of your teams that have some expertise to help form an advisory board that we can present them and say, we have these experts that we can help you build this. Regulations and legislation. To be able to prevent this from happening in the future, the banking sector needs to have data backups that are offsite, that are isolated, that cannot be tampered with. So we need to implement business continuity regulations. We also want to incentivize them to participate in these programs. The next part we're also looking at is education, which also comes into some of the incentive programs. We want to provide awareness training for the local population, because they don't have a whole lot of awareness and that is a broad attack surface. Keeping them informed, giving them ideas on this helps reduce that attack surface. We also want to establish a center for cybersecurity excellence. And as far as incentives, we want to try and offer scholarships for high potential students that are inside the country to actually train at these. We want to facilitate partnerships with international universities to have them provide instructors or have them do telecommunications, like web-based classes. And we also want to repurpose the temporary data centers that we brought in at the beginning as physical hands-on training centers. So not only will they be getting classroom instruction, but they will be getting real-time hands-on. Next slide, please, okay? Well, anyway, it was just a wrap-up slide. It was a conclusion talking about how we're trying to scale this out. We're looking at sustainability because we are not going to be there long-term. We're going to hand it over to the Zambonian government and give them the opportunity to run with this, manage this, and establish themselves as a power in the area in cybersecurity. Thank you. My team, if you please come forward for questions and answers. 
I guess I'll go first. Cheri McGuire with Symantec. Thanks very much for the presentation. Appreciate the focus on the short-term and mid-term actions. But I'll ask you on the long-term. What is the plan for, once a strategy has been developed, once you've addressed restoring the financial services sector, all the pieces. What's the longer-term strategy then for building out the capabilities beyond that six-month window? So developing that strategy was part of our long-term plan. We recognized that it will take a very long term to actually get these regulations in place, to actually build out a lot of what is there in Zambonia. We had a couple of options that we were looking as well as enhancing the overall just access and availability for people there. But that was also a long-term strategy that we initially scrubbed because it was very, very costly, very time-consuming. It was just a WiMAX solution that we, instead of using 3G access, we were looking at that as a proposal. So, yeah, it would definitely increase our attack surface on that one. But moving forward, the advisory council that I was talking about establishing, that would be part of their role was to help them advance this to go on and say, okay, now we've got this framework, now we're gonna actually start developing these individual policies that specifically address this sector, we wanna talk about segregating out these different networks, we wanna talk about how we have financial now secure, let's talk about securing the government side of it as well, because only one situation got attacked here, but if you've got that posture, that seems to be across the country, you need to establish this area is secure, we have this enclave, we have this particular enclave, and we need to isolate some of those and just have them so that it's a very restricted communication between them, but they are secure and safe. 
Also, just to add to that, part of the reason why we want people shadowing our forensics team in the beginning is so that they can kind of get more hands-on experience dealing with these kinds of situations so that when they take these frameworks that we give them, they can kind of apply some context to that framework and ultimately grow their own policy that works for them, which may not necessarily work for other countries. Good morning, Jordana Siegel from DHS. My question is about your first step with the initial response, which I totally agree with it, you need to restore services and I think you outlined some good points to take forward, but I didn't hear anything about the coordination with regional partners and the interdependence of the financial sector in Zambonia with the region, and so I'm wondering, a lot of what you mentioned sounded like domestic activity, what would you suggest for the broader international response activity in the immediate term? So, like Nathaniel was pointing out, every transaction in the banking industry has two sides to it, so we would definitely partner with the World Bank with the IMF to try and help restore back some of our financial data, especially since the commercial bank plus the central bank were both attacked, so both of them right now are, we don't have high confidentiality or integrity and availability, honestly, in them, so we definitely just wanna work with the outside banks, the regional banks, the international banks, to try and restore our availability of our data. 
Additionally, we look to bring in an external audit firm which would provide that level of integrity as it relates to the response, so the international community would trust that the investigation is independent of a kingdom nation at the same time, and additionally, most banks internationally do have a representative of international banks such as Barclays, Scotia, whatever, so they'll have their internal people as well to ensure that the integrity of the investigation and the restoration effort does comply with international standards and policies. Good morning, Angela McKay with Microsoft. I certainly appreciate the short, mid, and then after Cheri expanded on the kind of long-term aspects of this. The question I have is, you know, a little bit of, you guys are asking us for money, how, what part is Zambonia going to fund, and then why would the private sector or international community either wanna provide direct funding or even the type of expertise and fly-in that you guys have referenced? Why would we want to engage in that? So one of the benefits of what we see here, as far as getting them to partner with it, we're looking at it from a point where we believe that we could actually help develop them into more of a regional cyber hub, and so by asking for the investment in that when you can also gain good faith and good will with the kingdom, yes, the kingdom would be, they'd have to be involved in a lot of this. It is not, I'm requesting it for this here because they don't have it. 
We recognize that there's a lack in that aspect, but they will still be providing additional aspects on it because we will have their teams in place, we'll have a lot of that going on, but the return we're looking to get out of this is building that up into a more secure area, and then it's also with the incentivization from the Zambonian government, we're looking at it as a possibility where you can then bring in some of your location, some of your, you can turn it into a regional location so that you've got hubs in the area, you know that it's secure, you've been part of the group that's helped establish their policy, you know that it is a well-defined policy and is well-established, and it gives you an area that you can work from and you've been part of developing that out throughout the entire process, so you are actually confident in how that has been established. So when you combine that with incentives that we hope to convince the Zambonian government to provide, then it gives you an opportunity to bring in business and grow it from there. And additionally, United Nations, World Bank, they have initiatives in place to push for economic development, raising up women's standards, minority standards in countries. Now, since this is a kingdom nation, they're in need of funding to respond to this attack. So all those barriers that probably wasn't wearing that country before, you can announce, okay, in order to get the funding, you will need to give women more rights, cut down on freedom of information, reduce censorship. So you kind of have them, not necessarily, you will be able to get them to provide incentives to do that. So you're planning to use more international aid and funding, than national funding, to implement all these initiatives? That would be the strategy. The short term is actually look for organizations such as say the Bill & Melinda Gates Foundation to help fund some of this and help develop Zambonia into the cyber hub in the Southeast Asia region. 
So we're looking at this from the short term aspect as from international partners, but from the long term, we want to step back away from that. We want them to be able to fund this on their own, to be able to run it on their own. It's just the initial response, the impetus to get them back, get them stabilized, and then provide them the tools and capabilities to run with this. Thank you very much. And that wraps up our Q&A session. Believe it or not, we're actually on schedule for the most part. Our final team is Oxford University. So let's do a quick sound check with them. Oxford? Great. Stage is yours. Hi, thank you. So I'm a driver of the Oxford team, and am I ready to go? I'm ready. Just wait, you're frozen. Oh, I'm frozen. Just a sec. Ask whether you can hear me. Hello, can you hear me? No, they can hear me. So we're frozen on the Oxford end? Oh, yeah, a little bit, yeah. Let us just work out the technical issues. I think it moves now. It's working. It's working. So let me just give you. What's up? Sorry, I apologize for that. Now we've got our technical problems sorted. So I'd like to begin. So this is the Zambonian opportunity. In the last 20 years, 2 billion people have come online. In the next five years, another 2 billion are going to join them, bringing both huge opportunities and challenges. This attack on Zambonia is an opportunity, an opportunity to rethink development, an opportunity for a productive cyberspace. We can harness the new possibilities that are secured upon third foundations using the Oxford Cyber Capacity Maturity Model. These are assessed through the embedding of national cybersecurity strategy in a wider cyber capacity building plan as a cohesive development strategy. Today, we are going to offer you new ways of considering cyberspace in a development framework involving international, national, and private partners in Zambonia inspired by desire to enhance cybersecurity. 
I'll take you through three core strategies. Firstly, it will be a cyber disaster relief but number two, a cyber reserve and three, digital first, a long-term development cyberspace plan. These three strategies will provide Zambonia an immediate response to the attack to provide an opportunity that arises from leapfrogging technological development to sustain the transition into a safe and inclusive digital society. Next slide, please. However, we are too... To address the ongoing crisis, Zambonia can use its diplomatic network at the UN mission in New York to reach out for expert assistance in handling a national level cyber event. This could include requests for an emergency fund allowing the government to restore confidence by introducing a deposit protection. However, we are focusing on the long run. There needs to be an institutionalized capacity that can aid a developing country in need. This is the idea of a cyber disaster relief fund. Even if the developing country, like Zambonia, implements all the capacity-building measures recommended, it is unlikely that it will be able to respond in five years' time to another attack. In case of a national-level cyber event where Zambonia's resources are exhausted, it would like to harness the international community support both politically and operationally in times of crisis. The tasks and responsibilities of a fund include serving as an emergency response enhancement to previous national efforts and also sending in expert teams to the response and recovery services that are made accessible within 24 to 48 hours. The fund could be managed by a multinational financial institution such as the World Bank. Donors would make contributions in kind by sending expert teams and by funding a secretariat. The World Bank would be interested as it already has a large ICT portfolio. 
While we understand that this is not currently in the remit of the World Bank, if it were to become focus, it would enable them to secure trust for cyber-building capacity in the future. Government countries would have an interest in sending their experts as both the country and the expert sent can see the profit and experience gained. Membership in the national cyber disaster relief team that is readily deployable could be seen as a sign of recognition in the information security community. This proposal requires a very small amount of funding to build a secretariat for the fund and relatively cheap in-kind contributions of donor countries. Next slide, please. So use of its little domestic capacities through a Zambonian cyber reserve. A Zambonian cyber reserve will be launched to develop a short-term rapid response, which uses domestic capacity to respond to future cyber attacks. This is a joint initiative that involves individuals, the private sector and the government, showing skills and knowledge, helping to forge a multiplier effect that spreads across the entire state. Aimed at technologists with a commitment of 20 days per year, they will be awarded internationally recognized qualifications and working to international standards, including ISO 27001. Yet we know Zambonia is not able to undertake this alone. There will be a focus on bilateral relationships in a buddying scheme. This enables an exchange of expertise with development countries involving... But it benefits all partners involved in the development of what we deserve, for individuals, number one, new skills that come into the state. Number two, for government, access technically literate individuals who do not need to be on a permanent payroll. And three, employers. Those employees who are reservists are able to develop useful security skills that can be brought back and lead to a professionalization of the cyber security community. Next slide, please. Digital first. 
This is a strategic development initiative to the opportunity of digitization in society to build a safe and inclusive environment. We start doing this by adopting a secure by default principle. We prioritize concepts of resiliency and secure by default when investing in critical national infrastructure. Thereby, we exploit with technological lead building on the experience of partner countries. For example, when investing in our backbone networks, we profit from the partnerships to integrate their lessons learned in our resilient design. Mobile banking. We use the opportunity of mobile phone penetration to build opportunities for social inclusion and development. Industry can make access to mobile banking a priority to increase the rate of the bank's population at a reduced cost. This proposal ties its Zambonian national efforts to increase social economic development and to reduce corruption in the delivery of government services through accountability. Finally, the Digital First Initiative includes a massive open online courses program otherwise known as MOOCs. We harness the availability of mobile devices to deliver specialized training to get people with information security skills certified. In this, we work with experts both domestic and partner from world leading universities in developing courses in the local languages that people can understand. We also want to use our online course platform to adopt the digital channel more broadly in education for all Zambonians in the 21st century. With Digital First, Zambonians use opportunity to reconsider its side casting to a long term initiative towards a safe and inclusive digital future. To conclude, let's draw to a close by answering the P questions. Is it novel? Yes. Part of a wider developmental strategy. Is it scalable? Yes. It involves civil society, private enterprise, international donors, and the Zambonian government. Three, does it facilitate acceptance? Yes. 
It is a broader international cooperation, a model for development that benefits all stakeholders. Four, does it enable positive externalities? Yes. It is an opportunity for the Zambonian state to leapfrog the digital divide and the development that has plagued them for many years. And is it scalable? Yes. This is a broader model of an international assistance through disaster relief and cyberspace capacity to enable developing countries globally to embrace and steer the digital revolution. Thank you. Thank you very much. I'm sorry. I'm sorry. Now we just need to change the camera so just bear with us for a couple of minutes. Thank you. Okay, we're ready. This is... Is he from LAAS? From LAAS? He's from LAAS. There is an echo. Okay. Let us just turn off the mic. Wait, we'll turn off the laptop. Great, thank you. Just one sec. So, thank you for the presentation. So, you mentioned your three steps, the cyber-disaster, cyber-safes, cyber-reserve on the digital divide. The prime minister of Zambonia. And I ask you, what will be your next steps for the... for the crisis? What will be the answer? What will be the strategy for the following weeks, months, and year? I just want to get a sense from you. So, we tried to... in our opening statement that we understood the exercise basically to be more capability-building. But we would say that the ongoing... in the ongoing crisis, it's exactly... it manifests the absence of international institutions that we would like to build up to fill this gap. For right now, for assistive countries that are already heavily invested in Zambonia to help them with their crisis. Good afternoon. Angela McKay with Microsoft. So, a quick question. I heard a lot about kind of the coordination with the UN the coordination with the private sector and civil society. But I'm wondering a little bit about how we're going to build intra-governmental capacity. 
So, what is the role of ZAMCERT and other departments and agencies in putting together this three-part strategy? And how are they going to work together? Okay, so the idea... we tried to touch on the ZAMCERT with the idea of the reserve of how we can be enhanced by private sector and governmental cooperation. We basically believe that the institutions have to be built over the long run. We don't think that Zambonia will have the most effective CERT for tomorrow, also not in six months' time. But it's a gradual process of improvement. This is Jordana Siegel from DHS. I guess a follow-up question to that. I understand your point about ZAMCERT's gradual process for improvement since it doesn't have a lot of capability at the moment. But I think, following on Angela's question, what about the rest of the government in Zambonia? And there's really a structure in place, as we understand it, for Zambonia to coordinate cybersecurity activities with ZAMCERT and other entities, including the financial services sector. So what is the vision beyond ZAMCERT for the rest of the government? I think in terms of government capability more broadly, that's where the cyber reserve really comes in. Obviously, the cyber reserves do join the CERT, and they learn their skills there, but they then go back to their employer, so they go back to the central banks, they go back to the national grid, etc. Not only do they go back and bring their expertise, but they teach their expertise, and it has a multiplier effect, and the cybersecurity skills get much broader. Cheri McGuire with Symantec. I wanted to dive a little bit deeper into the concept of the cyber reserve. It is clearly a long-term program that not only will take time to build very little technical capability within the country as it stands today. 
So my question is, how over the even midterm three to five-year range would a cyber reserve contribute to a higher or improved cybersecurity capacity amongst private sector, academia, and the government, given the lack of talent today that exists within the country? And then the professionalization of the cyber community as a longer-term goal, but in the midterm, I won't address the immediate term, from a capacity-building activity. How would this be really implemented given there's such a small population right in the buildings? I'd say three answers to your question. The first is that there aren't a huge amount of cybersecurity professionals in Zambonia. There are probably going to be some people that are technology literate that can code, etc. Three alternative cyber reserves. The actual numbers aren't that big. The UK one, for example, has only 500. So we would be bringing in people that maybe have technology skills and not cyber security and teach those security principles, such as ISO 27001. The second point is the buddying. This is maybe what you want to do to buddy with partnering states. And this has done a really great effect in the US and Estonia, whether annual exchanges of reservists, etc. And we would hope to partner with a partnering state that would have a much more advanced capability. And given the geopolitical situation there, I think there would be a ton of incentives for more developed states to get involved. And then finally, you're right in terms of the midterm. How would we get that rolled out faster? And that's why we would integrate into the CERT. So there's not this whole new institution being built and whole new bodies, etc. It's something that we can go into the CERT and we think that would make it a bit quicker. Tom Dukes from the State Department. You've laid out a number of three different sort of longer term ways to address the situation in Zambonia. 
But I'm curious, looking at its current capabilities, the current situation that it faces, somewhat of a crisis with its financial system, what priority steps that Zambonia can take right now, both to address its immediate situation, but also to lay the foundation for then moving forward with things such as the cyber reserve or the digital first.
So in terms of priority, we've made it a political priority for Zambonia to reach out and to not be left alone with its problem. Basically, we started from the assumption that cyberspace is a shared domain and therefore also a shared responsibility. No one should be left alone with its attack, especially not one of our weakest members of the international community. Given that Zambonia is financed by 50% of foreign donors, I would assume that there's a strong incentive to help Zambonia in its current crisis. That's why we didn't prioritise the immediate concern because we felt that politically it should be possible for Zambonia to reach out and get help in this specific crisis. However, in the long run for the international community, it is absolutely crucial to have a capacity to respond to these types of scenarios. And that's where our cyber disaster relief fund really takes it to heart. That's not going to help Zambonia necessarily, since it might not be attacked again for the next five years. So that's where the reserve is a priority and the educational programs.
Great. Thank you very much, Oxford. It was a round of applause for all six of our teams. At this point, we're going to take a very brief period of time to deliberate. The judges will review the voting results from the crowd and have a brief discussion. So please feel free to step out, grab a snack, refreshments, and we'll reconvene shortly.
And so let's see what the results are. So I think the format is just you'll tell us what your decision was and give us a little bit of background on why you came out where you were. And then we'll take it from there.
Great.
Thanks, Jim. Actually, we're going to mix that up a little bit. And I think what we're going to do is first give our reactions to the presentations overall and then build up some drama and anticipation and then announce our decisions on the recognition and the overall winner at the end. Let me just start by saying thank you to all six of the teams. Excellent job overall. Very interesting. You know, this is a fairly unique kind of thing. I'm not sure anything like this has ever quite been done before. And certainly our reaction was there should be more of these. This is a great exercise. Very useful and we love to see it, you know, continued and done on a larger scale. So what I think we'll do is just allow each of the judges to provide whatever comments, reactions they would like to to the presentations overall. And then we'll make sure to announce the winners before Chris Painter then provides his keynote speech. So does anyone in particular want to start? Belly, do you want to go first?
Thank you. So first of all, congratulations to all the teams. I think this was a lot of effort, particularly like how you presented and I think policymakers can learn a lot of you. Of course, there are many challenges on developing this capacity, building frameworks and these strategies. There should be many factors that need to be taken into consideration. Many policy, legal, regulatory, funding issues. We are very interested in how you presented your ideas and how creative you were in some aspects. So congratulations to all of you. And I know this is an excellent exercise and congratulations to CSIS as well for the organization of this event.
So I'll just add on to the congratulatory remarks of my colleagues on the esteemed judges panel. I recognize how difficult an exercise like this is, especially when you're given a very short period of time to develop a comprehensive proposal. So big kudos to all of the teams.
There's a lot of pressure associated with doing something like this in a very short time frame. I think what you'll find once the awards are given that some of the stronger presentations, while they were all strong and had positive aspects to them, the stronger presentations really provided more of a comprehensive approach that covered short-term, mid-term, and long-term strategies not only for dealing with the crisis at hand, but also developing those building blocks, if you will, to address longer-term capacity building and put structures in place within Zambonia. So you'll find I think once Tom gives you some more detail on the awards that those were some of the criteria that at least from a judging standpoint we all agreed were quite important. I think also something to think about is that there were some really creative sort of point programs for capacity building that we heard in each of the presentations. And a lot of those we can draw from, I think, not only in our work in industry, but also as government partners through public-private partnerships that are in existence today, can draw from some of those great ideas that you put forward to include those in some of the activities that are ongoing. So I know I'm looking forward to taking some of your ideas and taking them forward into some of the organizations that I work in as well. So thanks again for the opportunity today, and thanks to CSIS.
Okay, now it's on. I would, of course, like to echo some of the comments of my colleagues. I feel like I have to congratulate, even though it's been said a few times, each of the teams for the very hard work that you came up with in such short order, that was really a doozy of a scenario. And as I was reading in advance, I was just wondering which direction all of you might go in, and it was very exciting to see how you interpreted that and how you put that into a proposal in 24 hours. A lot of really great ideas that came forward.
I think one of the things that I really keyed off of was the novelty, and Sherry mentioned this a bit, but it was one of the criteria that we had to evaluate with respect to the capacity-building ideas that you put forward. Because it's something that I think each of us struggle with in our day jobs, in terms of how we can contribute to that. A set of activities that the international community is working on. And there were some really great ideas and some things that I think, as Sherry said, we really need to take back and think more about in terms of how we can continue to work in a novel way going forward. So that was really encouraging for me. And I think it also really reinforced somebody in the international affairs, reinforced the importance of international cooperation and cybersecurity. And I think that, especially given how many challenges we have domestically in what we're trying to do with our cybersecurity programs, the importance of international cooperation cannot be understated, especially for developing nations. And so I think that that was a really strong theme throughout, and I'm just heartened to hear that. And finally, I'll just say that I think that this is a great feeder into the global forum for cyber expertise that will be launched next month. And I think that we'll have an opportunity to continue the conversation about how we take forward capacity building into the future. Thanks.
Again, like my colleagues, such a great and exciting opportunity to be asked to be a judge in this kind of event. I find the kind of expertise and innovation that's coming out of people in education system to be super inspiring. And we really look forward to having you in industry or in government. There's such a workforce need. The skills and innovations that you're bringing to the table are really needed in the environment. So look forward to seeing you on the other side.
Like my colleagues, I guess I would say, definitely thought some of the stronger presentations had the near and long-term and comprehensiveness, but I'll add maybe three other things that I saw across the presentations. First of all, there was a, the stronger presentations had a sense of connectedness. A connectedness across different parts of government. A connectedness between government and industry. And then also to what Jordana raised, a connectedness with the international community. That's part of the comprehensiveness, but bringing all those stakeholders together was some of the strengths. And then also that idea of buy-in. So why would society trust the banking system again? Why would the international community want to come to assistance? That kind of buy-in is really important. Second to last actually is the idea of prioritization. I think that there were definitely folks who talked near and long-term, but also what do we need to do first and what are the series of steps that need to be moved out on such that we can effectuate change in the greatest way. And then last but certainly not least is the idea of how to institutionalize this. Some of the ideas in capacity building looked to not only solve the challenges of today, but also prepare for the challenges of tomorrow. And that's where the ones that came across the strongest. Thank you all.
Great. I would echo everything that my fellow judges have said. I'd also make the observation that given the time constraints, the presentations, what you all came up with and the way you organized your thinking into presentations including slides was quite impressive across the board. I would say that it's particularly, I think, appropriate that there are two kind of areas that we're especially focusing on in terms of evaluating this, the national strategy solution, the capacity building solution.
Those are both areas where we know that those are things that are absolutely critical for individual countries to address and the broader international community at either a regional or international level to address. On the national strategy front, one of the things that the United States consistently preaches to the rest of the world is that if you're really going to be able to address the full range of cyber issues, challenges, policies, you've got to develop a national strategy. Then we're asked, well, how do you do that? And we immediately say, well, don't copy what the U.S. did, because it was really long and torturous and it's still work in progress. So that's only to say that there are great opportunities and lots of models of how to deal with national strategies. And there still are only 20-something countries really that have fairly comprehensive, broad national strategies in this area. The second issue of capacity building, again, we're sort of in a phase of letting a thousand flowers bloom in terms of there's incredible opportunity for different models at the highest U.N. level all the way down to local levels. They're open field for implementers and for partners, industry, civil society, governments, regional organizations, and the like to come in and work on capacity building solutions. There's so much that is yet to be done. And so on all these areas, I think the kinds of ideas that you came up with, the initiatives are things that, you know, certainly I found as someone who works on these issues for the State Department, I found a lot of food for thought that you presented to us, and I think we all did. So again, thank you for putting so much real commitment and energy and diligence into developing these ideas. But at this point, I think we want to hear what our decisions were on the awards. So we'll start first with the national strategy recognition. 
So, and again, the first two things are going to be, these are recognitions, that's the overall winner. So in terms of the best national strategy, we believed that the team from George Washington University did the best job of developing national strategy solutions. HP, are you going to wait? The flowers come out at the end? Okay. On the capacity building solutions, we felt that Castex provided the best overall capacity building answers. And then in terms of the overall winner, oh, I'm sorry. Thank you.
Now I'm going to interrupt you and build a little bit of suspense here. That was all planned. Because I'm going to announce the real winner now. And the real winner is the Global Conference on Cyberspace. Of course it is. And not just because we've been able to advertise it even before the event takes place, but more importantly because of the great results that have come out of this Diplo hack. So we're really thankful for that. And especially when we're going to launch the Global Forum on Cyber Expertise during the conference, which is going to be one of the big deliverables, I think that Global Forum is going to really benefit from all the ideas that we gathered over the past two days. So thank you for that, the real winner, as I said is the Global Conference on Cyberspace. Then we also have some other announcements before we move on to the next phase. And that is that you voted too. And before we are going to announce who the overall winner is, we thought it would be good to at least announce who you thought that the overall winner was. Coming in at third place was, and I'm going to look at my nose because I don't want to Castex chair coming in at third. Proud to say that my alma mater, Leiden University together with Delft, came in second according to the audience. And according to the audience, winner would be UMUC. So that is what the audience thought.
And before we move on to what the jury thinks, we're going to allow me a few words on what the actual prize is. What we mentioned is that and the Deputy Minister already said that he would like to welcome the winning team to the Hague. And indeed that is the winning team will be invited to the Hague with maybe not enough funding but some funding to help that process along. I will talk about that privately. And the great thing about winning a Diplo hack is in this case that you get to participate in another Diplo hack because the GCCS has decided to organize the GCCS unplugged. And that is going to be another Diplo hack taking place April 17 in the margins of the global conference on cyberspace. But as I said, the winning team will also be invited to actually participate in and have a look at what is going on during the conference itself. So we will have tickets to the conference April 16 and 17 in the Hague. And I think I turn it over to the jury right now. Thank you.
Thank you, HP. Well, just in terms of methodology I'll start by saying we did not look at the audience voting results until after we had made our decision. But we agreed with the audience results and we also selected UMUC.
And now that I have the floor anyway I would also like to take the opportunity to thank our judges and esteemed panel that took out of three and a half hours out of their busy days to comment on the presentations. And I've seen some of the deliberations and they took their task very seriously. But you expected no less of them, I know for sure. We have small presents because there are some people from the US government on the team. We had to really give them the opportunity. We had beautiful books of the Hague's International City of Peace and Justice but they were just too expensive to hand out to the jury. But again, thank you, a small gift one of which is the most cyber secure of all. It's I think a pet to ride on. But thank you again.
And I would like to take the opportunity as well to thank our judges for cooperating with us to go to take this endeavor on. They didn't know what they got themselves into because a policy hackathon apparently is something really different than a technical hackathon. But I hear, I didn't know that before but Jim remarked that this was the first one of an annual cyber policy hackathon. And I'll give this more often. Thank you for Jim, Denise and the team and thanks to the audience as well and I'll give it over to Jim I guess or Denise. I'll give it over to Denise.
I just wanted to thank everybody for participating in this and joining us for the final event. And I wanted to thank the teams especially the ones in Europe who bared through the technical experience and also a fire alarm at Oxford in the middle of the hackathon yesterday. So I just want to recognize that everybody did a tremendous job here. Everyone worked really hard and we really appreciated your participation and your ideas and your collaboration. So thank you. The next stage of this is we're going to have a keynote speech. We're going to have a keynote speech from Mr. Neil Hoppenstein, Executive Secretary Inter-American Committee Against Terrorism at the OAS. So thank you and I will hand it over to them.
Thanks and it's great to be here today and I heard a little bit about the deliberations and certainly just heard the awards and I want to really thank everyone for their participation. As I've been doing these issues in some form for about 23 years now. So I started as a prosecutor doing cyber crime cases. I then was at the mothership of justice.
I was at the White House working on the international strategy and also the cyberspace policy review, and for the last four years I've been at State, and if you told me five years ago people would be this interested in the policy aspects of this I wouldn't say it's great, and so I want to thank all of you, winners and everyone else who participate in this, and I just think it's great. And I certainly want to thank CSIS and the Royal Embassy of the Netherlands for putting this together. I think this Diplo hack is a really great idea. Certainly something I think should be, as apparently Jim has promised, an annual event. Did you know that you promised at the conference as well? You know, I want to talk about what my office says but I want to talk also reflect on some of the things I just heard here today and particularly focus on capacity building. And it's great to connect especially with people who are students. I'm far from being a student anymore. I'm a recovering lawyer as many of you know. So usually you tell a lawyer joke in these kind of, my long experience, that the problem with lawyer jokes is that lawyers don't think they're funny and non-lawyers don't think they're jokes. So instead I will tell something at the end, but it became clear to me how far I was from being a student when all of you who are students, the moment you graduate if not before, your school will start asking you to donate money. This will happen. All of us who have already graduated know this and you know this happened. I went to law school at Stanford. I kept getting requests. I tried to give them what I could but I'm a government worker so there's only so much I can do. They finally, and this is a sign that it was kind of depressing. They've changed tack now. They sent me a letter in the mailbox I looked at the other day and now they said, hey, would you consider donating money to Stanford in your will? So I don't know if they know something I don't. It's kind of depressing.
In any event, when my office started four years ago we were the first ones who had a real focus on cyber diplomacy. Really the first cyber diplomacy lead in a foreign office, and now there are over 20 of them, including in the UK and the Netherlands and many other countries. That I think is a reflection of how important this issue has become. Not just it's a technical issue. I think people often think of this, and it used to be that senior policy makers would think it's a technical issue. I don't get this. I don't understand it and I'll leave it to the technical guys. But now people really understand that this is a core issue of national security policy, of economic policy, of human rights policy and ultimately a foreign policy, and that's really I think the change, significant change I've seen in the last few years, with more and more countries are really I think internalizing that and understanding that is an issue that we had a day before yesterday. We had all of our, at the State Department we had all of our ambassadors from all over the world in town for the Chief of Mission Conference, and I talked to these guys last year, guys and gals last year, but they also did what we call a 10 minute lightning talk this year.
They mixed it up a bit and, you know, it was really interesting because all of them, no matter where they are in the world, whether it be a developing country, all those countries have a stake in this issue, and all these countries are trying to grapple with the threats that you talked about but also look to opportunities. And I think for us and for all of us this is an opportunity to work with those countries and take advantage of protecting against those threats but also seeking those opportunities. And certainly some of the things that were discussed by the judges and were discussed by all of you and putting this together, in terms of how we can evolve like the private sector, that you have national strategies, which has been a core part of our policy, that you, that you have robust international cooperation, you don't just think about the short-term response but you think about the short-term, medium and long-term response, I think are really important. The other thing that, as my office has developed, which has been increasingly clear that we need to focus on, is the idea of capacity building.
The capacity building is both an enabler to try to get countries up to speed on these issues, to try to really help them deal with the threats but also again with the opportunities, but also as a way to for them to understand the benefits of this technology and to understand that competing visions of the internet and computer networks, ones that want to draw sovereign boundaries around cyberspace because they're worried about what they call destabilizing speech, who have a very different view of the future of the technology that we do, that really for the developing world it's much better for them to be on the side of an open internet and a unified interconnected internet instead of a very segmented and divided one. And part of that is the economic drivers, but part of that is just understanding all the things we can do together, and capacity building is a key part of that. So I commend this exercise and the focus, and certainly the global forum that will be launched at the Hague conference. I wanted to talk a little bit about the pillars that guide what my office does, and that is really the international strategy for cyberspace, which is this fine document here, available on the web, not surprisingly. And it came out of the White House three years ago, or two and a half years ago, and it really outlined for the first time, I think for any country, and I think other countries are now following suit, what our international goals are in cyberspace. And it wove together a number of different areas that some people have thought are distinct, whether human rights issues, economic issues, cyber crime, cyber security and international security issues. It wove them together in service of an overarching goal: to promote and maintain an open, interoperable, secure and reliable communications and information infrastructure, not just in the US but around the world, for the good of everyone. And it was based on norms of state and other behavior, based on concepts of multi-stakeholder participation, and that
was a very good document, because if you don't know what you stand for you can't really promote it very well. And it was also a very good document with around the world, and I think this came up in your deliberations, it's often the case that perhaps even within governments they don't talk to each other very well, that you have the people who do economic policy not really talking to people do security policy, even within the security community might not be talking together, you have human rights community is a distinct community, and then often the gulf between them and the private sector and civil society. So we certainly in our government have had stovepipes of excellence before, and part of this was to try to draw people together, and this strategy really helped do that. We started with 16 different agencies coming into a room, took about a year and a half to kind of distill this, but it really made people understand how they fit in and what the larger pictures, and that goes back to the point about national strategies and how important they are, because that really focuses attention on how you weave all these things together. So we just hit on a couple of the key areas, but all of them, as I said, are really undergirded by this idea that capacity building is going to be a topic that's going to be important for each of these pillars and for all stakeholders, and that it is a foreign policy tool that all of us should be using and leveraging. So what we call the six pillars of our international strategy, and as I said often they are distinct but often they're overlapping. The first is international security in cyberspace. That's a shared understanding of the norms of acceptable state behavior in cyberspace: what is acceptable in times of conflict and in times of peace, what will enhance stability in the space and really lead to a more stable cyber environment for everyone, a more peaceful cyber environment. How do you avoid cyber conflict or cyber war, which is often, you often read about cyber
warfare all the time in the press. How do you avoid that? And that work is really focused on two things. One, what are norms in cyberspace. We had a landmark decision that our grouping of countries that came together and said that the same law that applies, like the UN Charter and the law of armed conflict, applies offline also applies online. How, we're still working out the, that the... And then this was not just in this group, this group of governmental experts, this is also in the recent NATO leaders declaration that came out, so that was another group of countries that endorsed that. And then we've also focused on this idea of confidence building measures, something that has its roots in the nuclear world but we can apply, one of the few things you can apply to cyberspace, which is building trust and transparency in cooperation between countries to get along, and also between frenemies. How can you really build that greater understanding? And because of issues with attribution, because this is such a new technology, because of the risk of cyber conflict, building that kind of understanding and transparency among countries that may not trust each other is really critically important. And we've done this in the Organization for Security and Cooperation in Europe, where they came out with a measure based, I don't know why they couldn't have 10, but it's like the Spinal Tap movie, they can go to 11, but 11 really good ones that are foundational and ones that we're trying to expand. So the second area, and these are not any particular ranking, is the area of internet governance, and the key aspect of internet governance for us is that the way the internet has grown up and the approach that involves governments, to be sure, but also the private sector in civil society and academia, is the model for the growth of the internet in the future, and that we need to resist state controls, where it's a state intergovernmental control of the internet. And there's reasons why states want to do this. They want to again
go and restrict the free flow of information. They're worried about destabilizing speech. It sort of overlaps with the international government, because some of the documents you see being floated by some of these regimes, they call international security or even cyber security measures, and they really aimed at curtailing speech. So really promoting that, and there's been a lot of work done in terms of the US and the IANA transition, the signed names and numbers contract. There's been work in what's called the internet governance forum. But it is a big battle. When you look out and you read the papers about all these hacks, like the Sony hack, which I think was really a clarion call, something that woke up people in terms of saying, hey, this is an attack, a destructive attack, not against a critical infrastructure but still serious, with a human rights dimension that was very important, you have those technical threats, but this is an example of a policy threat, which are just as serious as the technical threats, because if you change the way the internet works fundamentally it will hurt all of us. So closely related to that is the idea of internet freedom, and internet freedom simply goes to the free flow of information on the internet, and again it goes to some countries viewing this free flow of information as a threat. So it's linked to internet governance but it's also linked to security. We've been advancing this as part of everything we do, including in something called the freedom online coalition, which I had its meeting last year in Estonia, we'll meet again in Mongolia this year, with over 26 member countries, and trying to advance these principles but understanding how it fits in with everything else. We also got a declaration from the UN human rights council that the same rights you have online are the ones you have offline, not shocking to any of us here but actually a pretty big statement given some of the countries that were involved. In cyber crime, and this is something that Tom
and I spent a lot of time dealing with when we were at the Justice Department, and something that I think in many ways has preceded the focus on cyber security and the focus on other internet policies, because people understood cyber crime probably a little earlier and the cooperative mechanisms that formed around that probably came a little earlier. And here the real issue is how you make sure that you can effectively fight the threats. International security is state threats, cyber crime is dealing with the criminal threats. How can you make sure you deal with them in really three ways: one, having good laws in place, and we advocate the Budapest Convention as the best means to really get countries to sign on and have a common understanding of what the base law is. We try to make sure that we have trained officers around the world who understand how to investigate this. International collaboration, because these are always, they're just always transnational cases, and so one of the efforts that we spent a lot of time working on is to build a cooperative network, the 24-7 network, which Tom has over 60 countries on it, 70, over 70 countries, it's getting 72 now, so it's really good. It's a good cooperative mechanism and it's something that we really care quite a bit about. And again this is something that's under a challenge. There are some countries who want to have a new UN treaty, one treaty to rule them all, which sounds initially appealing, but if you understand it took five years to get this Budapest Convention signed, and many developing countries are now signing on to it, we really can't lose another 10 years while we wait for another treaty to come down the pipe. We really need to build that capacity. It's been great work, including work that's been done the OAS that I think Neil will talk about as well, and certainly cyber crime was part of the Zambonia example that you guys all dealt with, and one of the core efforts in terms of capacity building has really been focused on this
going and training law enforcement officers, doing legal training so that they understand how the legal structures work and updating their criminal laws, developing incident management capability, so those are all important. The next area is the area of cyber security, and we distinguish that from international security because international security is really the state on state conflict. Cyber security is what countries should do to protect themselves, and that means having national strategies in place, that means having the right kind of institutions, it means having the public-private partnerships that they're dealing with other sectors of their economy, it means building incident response plans as you talked about, it means all of those things. And again this provides a real opportunity for you, for opportunity as well as dealing with this threat, because countries increasingly are really worried about these issues and they're coming to us and to other developed countries saying, look, you have some experience with this, can you work with us on these issues. And so these strategies are critically important, making sure they have this culture of cyber security and how they deal with it is critically important, and that they have the right institutions in place. And we've done a lot of our capacity building, including a lot that in East Africa, West Africa and Southern Africa, where we talk about cyber crime and cyber security in particular, and that's all been very important. And then the final pillar is ICTs for economic growth, and this is really the enabler. How do you promote innovation, how do you promote connectivity? And we've had a number of capacity building efforts in that space too, including the Alliance for Affordable Internet, which is an organization of government and the private sector and civil society trying to enable developed countries to get better connectivity, and USAID initiatives that provide technical assistance and capacity building and using digital tools. So it's
really, I think, very important to us to work and try to find ways to work both with countries around the world but also with the private sector and others, to work with organizations like the OAS and the African Union to do more capacity building. This is foundational to all the rest of our efforts. I think we've had great experience working with those organizations, with the Council of Europe particularly on the cyber crime area, and this is why it's so important that Dutch are launching and bringing leadership to capacity building as part of the conference in April, and the global forum for cyber expertise is really, I think, going to be a real one that we should all support. So I want to, in closing, just thank you for all your efforts. I want to thank you for everything you do. We, this is great for all of us. I look forward to iterations. I look forward to the Dutch conference, certainly. I will close, with apologies to my staff who's heard this joke many times, in the Jim Lewis as well, but this is my non-lawyer joke, which is the, Tom's already grimacing, I see, the, so I'll convert it to a hacker joke. Hacker is walking down the beach, finds a lamp, and predictably enough a genie comes out, and the genie says, look, you get three wishes, but because you're a hacker there's some strings attached. And the hacker says, okay, what are they? And the genie says, for everything you wish for, every other hacker gets twice as much of. And the hacker says, I can deal with that. So he said, okay, what's your first wish? And he says, I want a million stolen credit card numbers. So he gets a million stolen credit card numbers, but every other hacker gets two million stolen credit card numbers. You know, hackers are kind of competitive people. This really irks and really bothers, it's just annoying. And the genie says, hurry up, what's your second wish? And the hacker says, well, I want a Cray supercomputer, a big supercomputer that hackers crave. Well, he gets that, but every other hacker gets a Cray supercomputer and Watson,
the computer that won on Jeopardy. And again, this really gets to him, just can't stand it. And so the genie says, hurry up, I gotta get back in the bottle and watch Larry Hagman, what's your third wish? It's kind of a dated reference, goes to my age. And the hacker pauses, he thinks about it, and says, I'd like to donate a kidney. So the moral of that story is twofold. One, you know, I've seen the threats evolve over the 23 years I've been doing this and become more sophisticated. I've seen our responses get more sophisticated too, but they really trail, both policy and technical ways, the challenges we're facing, and it really is important for all of us to come together, as we are, to fight these threats. The other thing it shows to me is I need new material, so if you have any ideas, please contribute. So thanks very much, and really appreciate talking to all of you.
Thanks, Chris. I will be short. I know I'm the last speaker between the conclusion of the conference and lunch, so I will be brief, and also there's not much to say after Chris's very comprehensive speech. First of all, I'd like to thank CSIS and the government of Netherlands for hosting this conference. It's great to see all of you here, and I just want to say congratulations as we wrap up, as you all wrap up this very successful event. Over the past two days, all of you have engaged in an intensive session to build solutions, strategies and new approaches to securing our cyber space. Throughout this event, you have come face to face with the dilemma that policymakers deal with on a daily basis, and that is how to build cybersecurity capacity, respond to an incident and reduce the chance of future incidents, all simultaneously, while balancing economic, social and political considerations. Governments often have no immediate answer to these problems. Attempts to resolve cyber space issues by applying traditional means of developing policies in the usual government way often fail. Cyber threats are evolving and they change rapidly, which can make
standard operating procedures irrelevant and obsolete very quickly. The days are gone when governments can do it alone. To survive today, collaboration and cooperation among states, as well as all national cyber actors, including the private sector, academia, NGOs and citizens, must be part of the solution. The trans-border nature of the internet requires a trans-national strategy. To realize the benefits and prevent the threats associated with the use of the internet, we must focus on three main areas, and all of these areas I feel good about because Chris mentioned them already: capacity building and exchange of information and experiences; collaboration across borders to reduce cyber crime and mitigate against potential attacks; and clearly established protocols to protect an open internet as well as secure, at the national and international levels, that same internet. To achieve this, and to successfully respond to cyber threats and to deal with the challenge of attributing incidents to specific actors, greater exchange of information and understanding is needed between the technical experts and the political and policy players. Technical experts often find it challenging to transfer their knowledge, the knowledge of their technical concerns, to political and policy discussions, and in turn politicians and policy makers have only a very basic understanding of fundamental cyber security issues. So to ensure effective national and international cooperation, cross communication between the techies and the pols is essential. At the OAS, an important part of our cyber security program is to bridge the gap in our member states between technical experts and their politicians and their cyber security policy makers, as well as with other stakeholders. An excellent example of how we have done that, and successfully done that, is our crisis management exercises, which we facilitate through our mobile lab, and indeed these exercises are very similar to the kinds of exercise and
session that you had today. Technical experts, policy makers from our member states are brought together to address a real life scenario in virtual space and then asked to resolve the issue by communicating with each other. From my experience and our experience, we have found that the technical experts are very good at resolving the situation. However, what we see, the problem is the communication protocols across various stovepipes or various actors involved. I remember distinctly, I think it was the second session, belly in Argentina, you know, we had representatives from the utilities, the press, the president's office, the police, among other actors. They caught the perpetrator, but then there was this big argument between the president's office and the police about who would actually go after it, who would get the credit and everything else. And so the key is that we've got to establish those protocols to really make things happen. And so the one thing I hope you have gotten out of today is that you have all burnished your skills to talk across stovepipes and with your other actors. I mean, burnishing those skills is absolutely key to having success. Let me close by congratulating all of you for your creativeness and energy throughout this conference, and again I commend the organizers for being so forward thinking and tackling this global issue, and by actively engaging and challenging you, the next generation of cyber policy makers. So I've kept this short, and you know, lunch is beckoning, so thank you very much.
Well, we'll take one minute to see if anyone has questions for Neil or Chris. Going once, going twice. Well, you've been very patient audience, so let me thank Neil and Chris. We're really grateful that they came and spoke. These are two of the leaders in the field here, and of course I've known them all for a long time. I have a variant of Chris's joke, but it's a bit lower down, so I think he picked the right one. Let me thank HP and the Embassy of the Netherlands, the Royal Netherlands
government, for their support in doing this. Let me thank the judges. I'm not sure I would have come out where they came out, but we appreciate all their work for what they've done. That's right. You know, I am a, well, former diplomat. The teams were great and they really deserve our thanks. We will post their presentations for you to be able to look at. You as the audience, of course, have done tremendous work, both in staying here and in voting. We will, I should mention, have certificates for the teams with a letter of appreciation from the Netherlands government, so if they could come up afterwards, we can hand them out. we will