So, yeah, lots of interesting and somewhat related topics today. So what do you think maybe the next evolution is in terms of cyber warfare capabilities and what kind of policy planning can we do to help abate that?
That's a very broad question. I promise you all, this is the last time you hear me and see me today. So, so I think what, what I have observed and kind of the policy discussion, and, and now I, I moved back to Europe from DC four or five months ago. So I can still share a little bit of what some of those conversations in, in Washington, which is, you know, you look at actors like North Korea, which is a threat actor that is probably the most sophisticated from all the other nation state actors, because they are the ones who manage, you know, SPN disruption. They are using cyber attacks for financial gains of the regime. You know, there's so much mixing of the criminal and state tools. And so I think that the threat is these threat actors who really deploy the full spectrum of capabilities and they are completely resistant to it's arguable, but they're completely resistant to any external pressure to stop their activities. So, you know, you think sanctions or, you know, cyber attacks on, on, on their infrastructure. So, so I think that is the, that is what should be taking into consideration. I dunno if someone else wants to talk about what, what they think it's kind of the evolution. And then we talk about where we think the policy should go.
Yeah, yeah. About threat a thesis system. I would like to say that usually we always blame one country in all cybersecurity attacks against conducted against Georgia. There's only one country. Everybody blames it, but it's not true because the last time we had quite, quite huge attack in 2015, it was not Russia, but all the, but all the time, everybody talks about Russia. It's the same about Armenia and Daija. They both blame each other, it's you it's you, but it's not. So we had another case when we attribute attack to our key partner. So it's not easy to define who attacks attribution is extremely, extremely difficult in this case. So I dunno, what's saying
Well to my mind, it's very important to be a little bit more proactive from a state perspective because we in Germany are quite good at making decisions. Like if you trash your old car, you get a 5,000 Euro bonus and we can, we can get that done within one month, but we are not so good when it comes to please teach people at school, young guys at school and people at school, what cybersecurity is, which could also be amended quite quickly. So to begin with the next generation that hopefully saves us would, would be my first decision because looking at the attacker is, is reactive, but we really need to leave like more opportunistic here and, and look at what's happening at, on our defense side,
Didn't realize had Mike. So, so I'll just actually build on that. So looking at attacker doesn't really matter. I'll, I'll simplify it. I actually agree with it because for most organizations, attribution doesn't really matter. It doesn't really matter who has done it if you have material impact on your company. So I think it's actually moving beyond the attribution conversation and really build, you know, it's focusing on resilience in terms of response, because if you have a state actor like North Korea, who's gonna go, you know, after the range, you know, from they're gonna do financial crime, they're going to, you know, they're going to go after your military technology, they're going to go after your democracy because they are doing, you know, north Koreans are pretty good at false flag operations now. So if you're going to look at the threat actor like that, it doesn't really matter if it's them or Russia.
But if you build the resilience in all these aspects against financial crime nation, state crime, et cetera, then you know, that is for me, the, the policy response. Now I will contradict myself just in the next sentence, in terms of attribution. You know, I actually disagree attribution on a technical level is not hard. I think we've been saying that attribution is hard for, you know, 10 years and we've proven that it's not, what is hard is political attribution and is for the countries to understand that their cyber capabilities and attribution is a way to use the further their national security and foreign policy goals and country let's say Germany, or I'll pick on my own country. Slovakia can use the attribution in their own calculations and calculus about geopolitics economy and foreign relations.
Okay, well, you know, many have compared cyber war with, with nuclear war. Of course that's probably a stretch in some cases, but maybe some of the effects are similar, you know, and obviously there's a lot of geopolitical associations and alliances that have been built over the years. Can you foresee any, anything different than what we've already seen in terms of alliances between countries or maybe even going beyond that with alliances between countries and criminal groups or security vendors is a way to confront and deal with these cyber attacks?
I guess it, it cannot be compared like both, both might have significant impact, but in my opinion, cyber is much more difficult and it, it might be much more devastating in current days, especially for those countries who are dependent on, I mean, developed countries who are more, more dependent on the well functioning of internet and computer networks.
Well, I believe that what we need to see is that people really dig into basic matter of what a tech surfaces are. Like. I mean, I would say that 99% of people that I ask on the street don't know what DNS is, and it's an attack surface that is simply there and it's pretty basic, but I'm, I'm pretty sure if I go to the Bunda talk and ask all major politicians, hopefully they are all there. They don't know what is going on. I mean, we are talking about like sticks and candles, but it is a major attack surface. And where is our like, resiliency here? So this is basic stuff we really need to dig into because
Say actually in terms of threat, just build on is, I mean, we've seen the threat of Dean's hijacking as, as an upcoming threat. And so I think in terms of what, you know, the policy sponsor policy makers should be looking at is actually, you know, still the fundamental backbone of the internet. I mean, it's your overseas cables, it's DNS. I mean, you know, routing security, there's a lot of organization pushing manners, which is routing security protocols. I mean, it's not in the mainstream and I don't know why it's not in the mainstream because you can't do all the things you're promising to do with technology. If your DNA, if your backbone is not, you know, not secure in terms of alliances.
You know, I think we actually have too many alliances, you know, whether in the private sector, but I actually do think that the trend is, you know, coming together to address some of these issues. I think everyone now understand in terms of the providers and the private industry, that there is enough business for everyone. And I think the future is just like our Alliance is to look at, you know, can we come together and solve one of these two or three or four or five issues together as an industry and as an ecosystem, because again, like the DNS security is not gonna be solved by one organization. It's not also going to be solved by, you know, the UN or internet society or other organization where politics plays so heavily. So, I mean, you know, indu industry has really stepped up, I think in the last three or four years. I mean, I just quote Siemens again, because I just spoke to them last week about something. So they're really in mind. I mean, if you look at Siemens, Microsoft and others who drive these larger norm building initiatives and they're implementing it with their partners, I mean, I, I think that's where the future is going in terms of alliances
Question. Thanks question for Phillip I'm. I'm curious about the formal in terms of incident response, maybe what was the official statement from the government once they got aware of the hacking of their system, and also if they maybe claim they had compensating controls for what they discover that could happen. I mean, it wasn't exploited, but what, what was the, the reaction to that?
Well, the main reaction was like, we are looking into it like very well trained and, and realizing that, that old systems that simply have been like running like a Beamer at the ceiling, or like air condition at the wall. It it's, it's different technology. You cannot treat it like a kitchen machine or, or, or a video recorder or something. And it's, it's just not in the head of the people. I mean, we've just had big issues. The last big issue that I can really relate to and, and remember is that the passwords were like six characters and it was no problem to take your first name. So, I mean, excuse me, how basic do we have to get that your own name cannot be as part of a secret phrase if you are representing a country. So this must be a top priority to at least come down to a baseline. I, I don't know is Bundu ISO 27, 0 0 1 certified. You get it. So maybe just do what a standard, at least
Different different question, going back to something we've heard in earlier in the panel discussion, we've heard about attribution. And I would like to hear the views of the panel on retaliation when attribution can be reasonably established,
I'm, I'm happy. I'm happy to get started. So, so the way I see it is that, you know, I'll put on my lawyer hat for a very brief second. I, I thought I put it away for good, but, you know, so if you look at the international law, countermeasures are allowed under international law, they have to be proportionate imminent. I mean, there are conditions, so response is legal there, you know, so there is a room to respond. I think the important thing to also realize is you can respond in kind, but you can also respond by other means. So if you look at a lot of things that are happening in a policy space in du, you just publish their new sanctions regime, you know, so I think there, the, there is a room to respond in law. There is a room to respond. You have policy tools to respond at the end of the day.
It's always a policymaker decisions decision to say whether they're gonna respond and how they're gonna respond. You know, I think the, if, if you read a little bit about, for me, the best example I can think of right now is when the us government was thinking about how to respond to Sony attack from North Korea, right? I mean, you can find it online and just look at some of the considerations they were waiting, you know, waiting against and some of the options. So I think a response is appropriate. I think technology and capabilities are good enough to even respond in kind, which means in cyber means it happens actually every day. We don't even thankfully realize it, but I think it's a very, you know, the, the policy tools are there. The law is there. I think in, in most countries there is oversight. There is interagency processes to, to manage this response.
So I, I, I think it's just a natural evolution of cyber being a, a tool that countries have. And, and that tool goes both ways. But I will say that what's the saying that I wish I could say in German that those who live in glass stones shouldn't be throwing rocks. So, you know, as, as, as you mentioned, you know, if a country like United States, what they gonna be doing, I mean, they probably, Russia hits us power grid. It's probably gonna be worse than if us hits the Russian power grid because of the interconnectivity in some of the systems. So I think there are so many considerations, you know, to, to, to, to take into that, that play into those decisions.
I'm not a lawyer, but as far as I know, you can attack back attack should be attack, should be imminent and proportional proportional. For example, if one country attacks, sorry, if one country attacks another country, critical infrastructure that country affected country can, the affected country can attack imminently and proportionally. So it cannot go there and throw bombs into that country. But as far as this attribution problem can, is time consuming and really it needs involvement of the state of origin. It's very difficult and complicated,
Nothing to add for my son,
Other questions. Hi, I have a question to all of you. It goes a little in a different direction. How would you command on Russia's effort to separate its part of the internet from the rest? Would you say that's an approach our nation could adapt or is this just something they'll try and with which they'll fail?
I don't, I don't think, sorry if I understood correctly, you said they will fail. They will not fail.
I ask you, I ask you for your opinion on that if this approach has future, and if other nations will adapt this approach,
I, I'm not sure other other nations will go on that way, but Russia has huge, huge cybersecurity capabilities. It has very, very well organized system inside the country. It has cyber police, cyber, cyber police, cyber, military cyber part. And it is really very, they are really good and they can do anything in their country, what they want because it's like authoritarian regime. And I'm not sure, sure that other democratic country would do that
Well to my mind, it's, it's a first step into a future direction, which will be discussed on the level of, of many administrations. I mean, if we look at like internet browser based, then we have mobile internet. Now we have IOT age where like, everything is connected and even stuff is connected that you don't see can touch or there is a display at it. So the, the thought of being like self sovereign or do we really have to connect everything to everything is I, I, I, I guess normal, we lock our houses, we lock our cars and we have pin codes and other credit cards like basic security across borders of states that maybe not have the same interest. Why not? And when it comes to self sovereignty and maybe not secure domain name servers with like the whole world all the time, it's at least the concept we need to look into because we don't know what we are thinking right now. So I think the idea is pretty, pretty good. Not saying that I've looked deeply into it and that it doesn't have any downsides. Of course not.
Yeah. I think we'll see that, you know, I think for Russia, it's a self preservation mechanism. I think for them it's more about, it's less, thank you. It's less about national security and more about access to information of the population. I think everyone knows that Russia is doing very badly economically. And I think nothing, the regime fear is nothing more than the uprising of its own people. And I mean, I think we have seen, you know, there's, there's examples from other countries in the middle east and elsewhere. I mean, even in, in the Western democracies, the power of information, the power of truth, the power of, you know, to gather with like-minded people. So I actually, I mean, it's already happening in China and others where you can't, you know, you have your own Twitter and Facebook and whatnot. So I think it's a trend we're going to see.
And, you know, I don't, I don't think the Western democracies are going to go on that route. I actually do believe we will see an insecurity. This is a, a well established practice. I think we will see more, there is a word for it, which just escapes me now. There is, you know, more, it's not fragmentation, but you know, it's, you're gonna, I think countries are going to build little enclaves within themselves for certain critical systems. Not everything has to be, it's really bothering me that I can't think of the word, you know, countries are going to build their little enclaves to, for their critical infrastructure. And maybe, yeah, I, I think there's gonna be more thinking about what we connect to the internet and what we, what we don't, you know, we talk a lot about individual IOT security, where we're really talking about individual devices, but there's no thinking about, you know, the ecosystem we're connecting it to, or thinking about the interactions between devices. You know, do we even know that our networks are going to be able to withstand it? If we plug it all in, if you look at 25 million devices, all these predictions. So yeah. Authoritarian countries. Yes. I think the rest of the world may do some, some of it internally to just isolate some of the systems.
Speaker 10 00:19:47 Thank you.
Other questions. So, Phillip, you mentioned an interesting word sovereignty, where do you think sovereignty in the cyber world begins and ends? Anybody can answer it? Well,
There
Speaker 11 00:20:08 Is no sovereignty cyber world. In my opinion,
It's super difficult because I mean, at the state that we are in, we know that the bad guys are smarter than the good guys. So when we are talking about self sovereignty, when it comes to my, my passport or something, this data set, if it would be purely electronically made, and given to me on my phone as a certificate, then I would simply know that it would be easy to spoof because the guys on the bad side get more money out of being bad than being good. So why don't we award the good people, the, the bad people to become good people. I mean, it's even, I mean, I'm head of legal and compliance at our company and I, I'm not getting unlimited money. I have to fight for security measures, which is where everybody is at. Who's working in security. Why is it so difficult for, for doing the good thing, getting the money for it, but then there is money when something goes wrong. I, I will never understand it, I guess.
Yeah. You know, I think maybe a different, different angle of the, of the issue is, you know, you, Sony attack just comes back to mind to me, you know, they said, well, it's a global company, but it's, you know, it's headquarters in the United States. And that's why the us government was dealing with it. So the notion that there are no borders, I don't fully agree that there are no borders. There are actually, you know, the territorial, the material, territorial consequences, if they manifest themselves in one country or the other, the same laws and rules apply as if you would, you know, shoot a bomb across the border, you know, but in terms of, in terms of responses and responding, you know, I think there is a lot of interesting work in terms of, you know, law enforcement is a sovereign privilege. But if you think about where international collaboration in law enforcement is when it comes to cyber crime, I think there that's a, there are some concepts where the, the collaboration is moving and where countries are willing to kind of pull back from their, you know, some of these sovereign privileges around law enforcement, et cetera, and collaborate more internationally.
Now, if that answers your question.
Yep. That's good
Speaker 12 00:22:37 About your last comment then, because I'm, I'm thinking if those areas like, like the, the one you are participating, if it's not gonna be ending up like the United nations, that they have always very nice words, but at the end is the, the states who really are gonna enforce what they think if it's good or bad, cuz you are saying now maybe the states will enforce the other ones, but yeah, they will enforce the other ones when it's good for them. And when it's bad for them, they're not gonna do it. So for example, I don't know now it seems that everybody's against China, right? Because of economical reasons, not nothing for else because they have been killing Tibet since I don't know how long and now everybody's against them, but maybe in the future, it's not gonna be China and it's gonna be, I don't know what Tamala right. Then, then, then they will not go against China. So I'm not sure if we are winning a lot there,
You know, the way, the way I look at it, it's, it's always a, a sum of different geopolitical economic considerations. And I think countries every day are decision makers that we elect for ourselves to represent us in the UN and elsewhere. They make very hard choices as to what they're going to, you know, what is going to outweigh? What are we gonna today? This is a horrible way to put it. Are we gonna care more about democracy today? Or are we gonna care more about economy? You know, I think part of the problem, the way I see it, actually, if from my perspective, a country should have a strategy, which says, this is our comprehensive cybersecurity strategy and it's not a military strategy. It's not your ministry for an affair strategy. It's not an economic strategy. It's to say how they see cyberspace to actually supporting the country and the community they're part of, because then you would have, in my opinion, less of these frictions, right?
Because right now there was a very interesting study of actually us cyber strategies. And if you look at well, one time, they'll say, well, we wanna free and open an internet. We wanna collaborate with our allies, but then there's a strategy of per, you know, persistent and engagement. I don't know if it was covered here in Germany, but basically persistent engagement means the us is really on offensive and cyberspace. How does the open free and secure internet and the persistent engagement mesh with their engagement to work with ally? So I don't think there is one answer. I think it is now that the decision makers are starting to realize that cyber is a tool in a toolbox, just like everything else they have, right? It's your diplomacy, it's your military, it's your civil society. It's your media, it's your NGOs that you deploy globally and fun to do certain some work. So I think that now the decision makers are trying to realize that, okay, this is one of the tools and we'll just have to kind of wait, wait it all together and decide what's the problem du, and then act accordingly very skeptical, but I think quite realistic problem.
Any final questions? Any final comments,
Keep up the good fight.
I, I would, I would just hope that, I mean, being in Berlin was like the capital of Germany and well, the administration is I, I, I don't know how many representatives from the parties are here or the people that really have their say in this country. I would assume that it's close to 0%. And I, and I, I would, I would just ask what, what the real investment would be for politicians to, to spend two or three days at such a conference to get a, get a decent outlook and, and knowledge basis on what we need to talk about because I'm, I'm, I'm really scared. I don't have children. Otherwise I would be super scared, but I'm a little bit scared that, that we are really am like resting on all laurels.
Yeah. I'll just say one thing to that actually, because this is not just in Germany, you know, I, I'm part of a couple of groups in Brussels, we're doing a blueprint on the EU on the future of EU cyber diplomacy and cybersecurity policy. And you know, they do these exercises at the very high level of cyber exercises where you have a very high level national security crisis where you should be testing some basic concept of international relations. And the politicians just that don't even know they, they are completely paralyzed because they feel, this is something, this is a new thing, but I don't say it's a new thing. You need to have basic literacy. Right. And that's also part of all yours job to do, you know, try to impact the policy, the technical standards, you know, do the awareness, do the outreach, write those blogs, publish them, you know, talk about the issues in a way they understand it. But yeah, I mean, there, there is an absolute misunderstanding of how this is similar and how this is different, but yeah, I think, you know, having more of those engagements with the government, as you say, you know, they, they should be part of the conversation.
Absolutely.
Speaker 13 00:27:53 Okay. So I've seen that the Munich security conference has prequel, that's called the Munich cybersecurity conference and it seemed quite awkward to me that they kind of took this tool outside the main security conference. What do you think about that?
Well, I'm, I'm from Munich, so I'm yeah, I realized the only thing I said is yes, at least they are talking about cybersecurity. So didn't even realize like that it's a separate thing or a breakout session or something. But I know some people in my network on LinkedIn were, have been like reporting from there. And it was quite interesting people from, from cyber security and, and defense at large companies like Dodge Taylor comment systems. And, and to me, this was like actually a highlight. So that's the only thing I can say. So
I had the privilege of being at the conference the past four or five years. And I do have to say that, you know, for ambassador is sh I think it was a big step actually, including a summit before I am absolutely with you that it's a separate conversation. There is actually a small private dinner at the level. You know, that CEOs and ministers that happens. That's on a cyber topic every year. I know it because the Atlantic counselor where I used to work runs the dinner. And it's a very interesting conversation because it's off the record dinner and you would sit executives from social media platforms, cybersecurity companies with ministers. And I have to say there were dinners where you would say, I, I am. So the world is in, in the right place. And then there was some when I left and I said, oh my gosh, like if this minister doesn't even understand this, how can they actually be in their role?
So I would say that for me, it's very strange that it's separate. It should be part of the conversations. I think there are some, as I said, and as the colleague here said, you know, ambassador Shiner has made progress. You know, I think Munich security conference, it's such an old institution. It's been around for 60 plus years in the small hotel at the center of Munich. You know, it's very hard to also let go of the old guard who is still there. And, you know, I'm, I'm, I'm just speaking very, very openly. And honestly now they're actually making more efforts to include, you know, the next generation in it. But it's still a very exclusive event that doesn't, it's not always in touch with the real world. You know, I probably won't get invitation after this next year, but you know, I, but you know, it is, there is an evolution, but it's absolutely, you know, you're pointing out the right issue that it's, it's a separate summit two or three days before.
And there is nothing official they had last year, they had a big AI, they had a big AI part of the main conference, of course, but there were exactly, there's always like a hot topic, you know, the year before it was blockchain, you know, you just pick your issue, but even there, they were talking purely about ethics. It was a very ethics focused conversation, which actually, I'm not saying it's not important, but it wasn't a comprehensive conversation about, you know, artificial intelligence and what can it do to security, you know, economy like international development. But yeah, I, I think there are there's, there are good efforts. Maybe I'll get an,
At least we have the U ethical standards for AI baseline. Now since this year. Okay. To, to say something positive to the end, it's a baseline.
Okay. Well, thanks to the
Panel. Thank you. Thank you. Thank you.
