Webinar: Can Responsible Behaviour in Cyberspace Be Achieved?

Joyce Hakmeh

Good afternoon, everyone, and welcome to this webinar on Can Responsible Behaviour in Cyberspace Be Achieved? My name is Joyce Hakmeh. I’m a Senior Researcher with the International Security Programme at Chatham House, and Co-Editor of the Journal of Cyber Policy. “Digital technology is shaping history, unfolding at a speed with no parallel in human history. We have a collective responsibility to give direction to these technologies, so that we maximise benefits and curtail unintended consequences and malicious use.” These were the words of the UN Secretary-General at the last Internet Governance Forum in 2019, calling for the importance of behaving responsibly in cyberspace.

As we know, the economic and social benefits of digital technology have transformed the world as we know it, but have also introduced, at the same time, high risks during – due to the malicious use of this technology by state and non-state actors alike. These risks are affecting economies, societies, and livelihoods, and are threatening international peace and security. Today, cyberthreats are considered a global risk that governments, the private sector, non-governmental organisations, and the global community as a whole must deal with. In the context of the ongoing pandemic, COVID-19, we have seen this risk increase with several attacks against health sector [audio cuts out – 03:10].

Apologies for this technical complication, we’re back online. Sorry about that. Okay. So, introducing the topic to all of you, we’re talking about the increasing economic and political importance of cyberspace, which has made the space an arena of intense international competition and geopolitical rivalry. And, despite a number of efforts and some progress in the United Nations and other forms, there are still disagreements on key issues between major powers on how to achieve responsible behaviour in cyberspace.

The current crisis, COVID-19, is presenting serious challenges to these efforts, but also potential opportunities. This panel will explore how state and non-state actors can work together to encourage responsible behaviour in cyberspace. What are the challenges? What are the opportunities? We’ll talk about all of this together today.

It gives me great pleasure to welcome to this panel today three key speakers who will be covering this topic from different perspectives. We’ve got with us Nick Coleman, who is the Global Leader Cyber Security Intelligence and Risk at IBM, Carmen Gonsalves, Head of International Cyber Policy from the Ministry of Foreign Affairs in the Netherlands, the Co-Chair of the Global Forum on Cyber Expertise, and also a member of the group of governmental experts at the UN, one of the two initiatives that is negotiating how states should deal with each other in cyberspace responsibly. So, extremely relevant to expertise, very relevant to our conversation today, and, finally, we’ve got with us Suzanne [audio cuts out – 06:42] at Center for Strategic and International Studies, a Solarium Commission, a commission which was established to develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.

This event is on the record and will be recorded, and we ask you please to submit your questions throughout the event using the Q&A function. We will allocate some time towards the end of the event to answer your questions, so please do put them there. What we will do is we will start with our speakers. I’ll give them few minutes to make their key points. I’ll ask them few questions and then we’ll turn to you. So, why don’t I start with you, Nick? So, Nick, given your position at IBM, and, you know, given that you cover the, sort of, global cybersecurity intelligence and risk, can you walk us through the threat landscape that you have been seeing and dealing with recently and what are, in your opinion, from the private sector, the existing mechanisms to dealing with these threats?

Nick Coleman

Yes, great. Thank you, and I’m delighted to be with you, and thank you to Chatham House for sharing this great panel and this important topic today. I’m delighted to be with you. I think if I think about the last couple of months and the question, I guess we’ve all been set today, which is can responsible behaviour be achieved in cyberspace? For me, looking at the threat landscape, you know, just two simple statistics perhaps to start us off. Since 1st of March, there has been a 5,000% increase in COVID-19-related spam, just in terms of volumes, and that. At the same time, we’ve also seen 50-plus unique malware campaigns. So, what does that really tell us? I think that what we see is that cyberattacks have not gone away; they continue to be a challenge for every organisation in the public and private sector.

I’ve formerly been in public sectors, national data security for the UK Government, so I’ve seen this both from the private sector and the public sector, and the challenges. And I continue to see, across the board, in both public and private sector, the challenge that it’s both organised criminals, it’s also people who are opportunist, opportunistic attacks, if you like, and then we also have the nation state element, as well. So, we have a complex threat perspective, which continues to be active and continues to be innovative, so I think the bit the why I say the new malware campaigns and the new campaigns is, this is lot of existing things being tried again, but there is also evolution of technique which comes.

And I think that, if I translate that into what does that mean in practice for each and every one of us in public and private sector organisations? I think it means that we have to think about the laws and the regulations, which I think have been really helpful in many places to start evolving. I personally was involved in helping the European Union and other governments shape their cyber legislation packages, the NIS Directive we saw in Europe, and I think that was truly welcome. It allowed across countries to start building really a regulatory response, which could raise the bar and so, I think we have the law, the legal structure, if you like.

And, in parallel, what we’ve seen and can responsible behaviour, again, answer some questions specifically? What I’ve seen is, in the private sector, and something we’ve been involved with personally, is something called the Charter of Trust, and the Charter of Trust is a number of organisations, so IBM, Siemens, Atos, Airbus, and a number of others, NTT, Mitsubishi, and many more, have come together to actually build capacity across the globe. And what do I mean by that? We’ve really embraced the model of sharing best practice between us, understanding how we can actually, from education, from security by default, from supply chain security, start building these mechanisms so that we can, between us, cover more small medium enterprises in our supply chains, help them simplify the security of working with multiple organisations, but also raise the capacity quicker and more efficiently.

‘Cause I think what I probably would, sort of, conclude with is that it’s the coalition of the good guys who’ve got to continually make sure that they come together and we do have responsible behaviours and we have – we go further, we actually co-operate across organisational boundaries to create capacity, which can then allow that responsible behaviour really be globalised, if you like, across all those things. So, I think you’ve got both the regulatory geopolitical pieces, but you’ve also got this positive dimension for me, which is where we’re really building capacity out, helping each other do good, and help this digital innovation.

And that – it celebrated its second year, I was at the Munich Security Conference this year celebrating its second anniversary with fellow leaders in cyber, and it was just before the lockdown, so we were fine. And it was really lovely to come together and share how, actually, together we had done something wider, the German Government, the BSI, have become associate members, so it’s not just the companies, it’s actually meeting the ecosystems, we’ve got universities coming onboard. So, I, kind of, start with the threats perspective and think it’s – you know, there are challenges, and they’ve continued to grow, and we must all be innovative and apply security hygiene, apply the threat intelligence, do the risk quantification, the things that many of us lead in our own organisations day-to-day.

But I also look at this positive energy, where we can actually come together and do really good in two years, really build something quite special, and we’re really still on the early stages of those journeys because it’s shown that companies and governments can really build this public private co-operation. So, can we respond – be responsible? I guess the answer is absolutely, but not everybody will behave in the way we hope, so we have to continue to be attentive to the threat and build capacity.

Joyce Hakmeh

Thank you very much, Nick, for that, and just a follow-up question. It’s – you know, like, I quite enjoy yes, the fact, the positive, stuff like vibes that your message is sending, the public private partnership actually works and have been doing good work, have been sharing this – you know, the information amongst us and with this coalition. Do you think that this is – you – and you also said that you’re still at the beginning of this journey. Where would you like to take that effort and how can you operationalise these principles that you are pushing for?

Nick Coleman

Yeah, and I – so, I think there’s two things. One is that, when we created the principles, it wasn’t that people would just sign up to principles; they had to agree to implement them. So, when we talked about having security by default and security in the supply chain, it wasn’t that you were just going to say, “Yeah, I believe in it,” you were going to actually have to walk the walk and apply it to your – all your supply chains. So, all the people who’ve signed the, sort of, the Charter of Trust, the leadership have actually signed on behalf of their organisation, so it’s gone to the very top, and they have signed that they will deliver that. So, this is actually executing and delivering, and I think the number is up to roughly a million supply chain partners are now covered through the supply – through the various companies and their supply chain networks. You get security by the supply chain in now roughly up to a million companies, so that’s a global scale in two years, creating minimum baselines, and building on top of that where you want to.

Where would I like to see it go? I think that what’s happening is we deliberately started to design this cross-sector. So, you have energy sector represented, you have industrial manufacturing, you have chip manufacturing, as well as other parts of the IT industry. So, what I’d love to do is to see that, which is the plan, to broaden it across sectors so we have full spectrum of sectors, which we’re on the journey to. And the other piece to do is to make sure that that geographically continues to spread, so we’ve brought more people in from Asia and other parts of North America, and just to – continually to grow that capacity.

And the reason I think, both regionally and sectorally, it makes sense to grow that is because the challenges you face as a chip manufacturer are different if you’re an aviation or are different if you’re a cloud provider. And what we’ve learnt is, actually, you can create this commonality of security principles, which actually cross-sector because that really helps, but we – what we do in the process is learn what it’s like to be in the other sectors. ‘Cause what we’re not saying is you have to have one model; we’re actually co-creating and sharing what we do in our own organisations and agreeing these principles between us, and then rolling it out. So, I think that the two things, really, are more governments and more universities and other people joining as associate members to help understand and collaborate, and the partners really continuing to just grow and learn from each other, both geographically and sectorally, ‘cause I think we still have to see the differences in organisations, ‘cause no one fit – solution fits all, but the principles have shown that they can be scoped.

Joyce Hakmeh

Right, thank you very much for that. Suzanne, you’ve been doing similar work, although just within the context of the US, looking at existing practices and trying to identify a set of recommendations of how the strategic response can be improved. You have launched your report in March with a set of recommendations, including on cyber norms and non-military tools of state power. Can you walk us a little bit through these key recommendations and what do you think will happen with those recommendations?

Suzanne Spaulding

Great. Happy to do that, and let me start by saying thank you to the sponsors for including me in this really interesting and important conversation, and I also want to thank both Nick and Carmen for what they’re doing and what they have done on – you know, both in government and out of government, and with governments, and with the private sector, really important work, so thank you for that.

I, most recently, was the Undersecretary at the Department of Homeland Security responsible for the strength and resilience of our critical infrastructure from all hazards including cybersecurity, and that was the, you know, important experience that I brought to the Cyberspace Solarium Commission. And the – people sometimes wonder about that name, Cyberspace Solarium Commission. The solarium name actually comes from a room in the White House. It was a – it’s a sunroom, solarium room, in the White House, where President Eisenhower used to have meetings occasionally, and he had a meeting in particular with his national security team in the months after Stalin’s death in which he said, “We need a new strategic approach to our relationship with Russia, the Soviet Union,” and he tasked them to go and develop the strategic approach.

And so, what we were tasked by Congress in 2019 to do was to develop a strategic approach for protecting the United States against cyber incidents of significant consequence, and so, the Commission was made up of four members of Congress, both from the House and the Senate, and Republicans and Democrats. It was a bipartisan leadership team of a Republican and an independent who generally meets with the Democrats, that was Mike Gallagher and Angus King. But also, really interestingly, four members from the administration, from the Executive Branch, which is highly unusual. I’ve been involved with lots of commissions, this is very unusual, but the four Deputies really are the key national security agencies across our government, and then six of us from outside government, outside experts.

So, the report was filed in March, as you said, and we started with this fundamental question that this panel is asking, can – you know, can we – in – the way we phrased it and it was phrased to us is can – is deterrence possible in cyberspace? And, as you know, there’s a robust debate about that, and I will say the Commission came down very firmly on the side of yes, deterrence is possible, shaping bad actors’ behaviour is possible. Not deterrence in the sense that our traditional National Security Committee has grown up thinking about this in the nuclear context. This is really very different to that. Nuclear deterrence is – you know, among other things, is a binary world. You either have deterred use of a nuclear weapon or you haven’t, and that’s pretty stark.

And, clearly, what we’re talking about in cyber is reducing the level of malicious cyber activity, reducing consequences, and, in the context of looking at adversaries’ behaviour, altering their cost benefit analysis. Not with any – as Nick made this point, not with any pretence that you are going to get someone to give up all malicious cyber activity, state or non-state actors, but there – but that there are things you can do to alter that cost benefit analysis. So, we came up with our strategic approach called layers – layered cyber deterrence, which says you can’t just go for one aspect of deterrence such as imposing consequences, but you’ve really got to look across the board.

You’ve got to start with shaping behaviour, and that’s what we’ll talk about mostly here today, and the development of norms and standards, and then that is a prerequisite to your imposing consequences, I think. You’ve got to – right, you’ve got to have some of these clear norms and standards of behaviour that will strengthen your ability, particularly on a multilateral, international level to then jointly impose consequences, which is going to be much more effective. But, importantly, very important to the Commission, was the recognition that you can’t just alter the cost side of the equation, you’ve also got to alter the benefits aside, and so you’ve got to deny benefits. You’ve got to make that both in raising the cost, and then the payoff is not as great. And a key way of doing that, of course, is to build your resilience so that you reduce the consequences of a successful penetration, say, of your network, and I – and that’s, you know, a part that I think is really critically important and often underappreciated in the cyber context.

But I’m going to focus really quickly on some of the key recommendations under that strengthening norms and standards, and non-military tools of behaviour. One of the things we thought was most important was acknowledging the important role of our State Department in that, and elevating those efforts, consolidating and elevating those efforts, creating a Cybersecurity and Emerging Technologies Bureau at the State Department, led by an Assistant Secretary of State, so, again, signalling how important that is.

That bureau would have the responsibility for building coalitions of partners and allies to shape that behaviour. So, this is where the work on norms, development of norms, but also, not just norms and behaviour, but – in diplomacy terms, but also, in technology terms, so the ICT standards, which we have candidly, as a country, neglected. We have not been as active and involved in bringing in the kind of expertise and presence to those standards bodies as we need to and we talk about that in the report, the need to beat that out. Because, ultimately, what we’re aiming for is to ensure that we do have an open interoperable and secure internet, and we know there are competing visions out there.

Important to this international effort is capacity-building. So, building capacity within our own country, that I – as I just talked about, and really across the board, but also making sure that we are doing everything we can to build capacity across the board internationally. And so, that is everything from consolidating the kinds of financial help that we currently provide within State Department, and under this bureau for cybersecurity, and making it a line item for Congress to appropriate funds for that – specifically for that effort.

Also, enhancing our – again, under that, collaboration and joint cost imposition. So, figuring out how we can work more closely together and that is going to be law enforcement. So, that may involve some law enforcement training, and that goes back to that capacity-building, but also, joint law enforcement efforts along the lines, and I’m sure Carmen can speak to this, of the work that the US Secret Service, which is part of my old department at Homeland Security, does with the Dutch National Hi-Tech Crime Unit. So, bilateral, as well as multilateral international crime efforts. But also, in the way that we can come together, you know, maybe in areas where we can’t reach broad agreement, looking at sector-specific efforts, for example, might be some of the ways. And I think back to the CT context, where we couldn’t arrive at a definition of counterterrorism, but we could agree that hijacking should – is something we could all agree should not – you know, and therefore enter into a treaty or agreements with regard to a specific activity. Elections, financial services sector, might be some of those.

I – and then, finally, I will say one of the things we emphasise is that, as we think about joint approaches, both in the US and internationally, getting very actor-specific can often be really important, understanding the countervalue proposition, actor-by-actor, state and non-state. So, those were some of the areas in which we made recommendations on the Commission report, and we can go into greater detail on the Q&A.

Joyce Hakmeh

Thank you very much. I definitely was interested in the points you made on standard, which stood out for me in the report, but I – and hopefully we’ll get to that, we’ll have time to get to that later in the conversation. I just wanted to ask you, because one of the – like, under that taskforce, or under that pillar, you talk a lot about the importance of coalition-building, you talk a lot about how, when you bring likeminded states together and agree on things, that makes the enforcement of those norms easier. And we know that US and the Netherlands, the UK, etc., they are together and they’ve been working and aligning together relatively easily, and have improved the way they do attribution and so on, but how do you think the US and its allies can expand this coalition to include a broader number of states? What do you think some concrete and achievable measures can look like?

Suzanne Spaulding

Yeah, Joyce, it’s a terrific point, and it’s one that the Commission addresses head-on to say, yes, we can go deep with our traditional allies and partners, but we also need to go wide, and we need to be willing to participate in fora that maybe make us a little uncomfortable, right? So, the open-ended working group, you know, we can’t pretend those things don’t exist or aren’t happening. We’ve got to be willing to engage in a broader membership kinds of organisations and multi-stakeholder, and derive the benefit that we can from multi-stakeholder efforts like the Paris Call, you know, they’re, again, bringing in the private sector to share its – their insights, and their resources and capabilities, and what they can do is an important part. It may not be appropriate for that kind of a forum to bind nation states, but it’s certainly important efforts and important for us to be engaged and involved in those.

And, again, I think finding those broadest areas of agreement, right? So, you might not be able to reach agreement on non-interference in elections broadly, writ large, but you might be able to get agreement on not using cyber means to get into election infrastructure, as we call it, and, you know, change votes, right? Those kinds of very specific kinds of things that – and the financial services sector, which, again, is a – something that, globally, folks rely upon. You may not be able to get North Korea to agree on this, but I think, you know, you could get a very wide coalition of folks around protection of the financial services sector.

Joyce Hakmeh

Right. So, look at the low-hanging fruits, in a way, and be willing to engage with a different set of actors. Thank you for that, Suzanne. Just before I turn to Carmen, just like to remind the audience to submit the questions using the Q&A function. Carmen, you’ve been working quite a lot on, you know, state negotiations and on this cyber diplomacy. You’ve taken part in very important initiatives, and you are still now one of the members of the group of governmental experts who are looking into agreeing on how we should go forward with the cyber governance debate. What do you – I’m interested in your views as to what do you think have changed in the last few years? How is this strategy different, and how’s the Netherland approaching the set of agreed-upon norms that ha – that countries have agreed on in 2015? What is the Netherlands’ approach towards implementing this agreed-upon points? You are muted, Carmen. Yes.

Carmen Gonsalves

Thank you very much, Joyce. Thank you for having me in this wonderful company of Suzanne and Nick and others, and your audience. Suzanne and Nick have brought already a lot of relevant prerequisites for the open, free, and secure and stable cyberspace to the table. But from my point of view, what I can add is that – and you asked me about the relevance of what’s happening in the UN, but I can – what I can bring to the table in that regard is the following.

Well, I think we’ve never had such a vibrant discussion in UN. We have two processes ongoing. Last Friday, there was even a – and it was a first, a Security Council discussion dedicated to cyber stability, thanks to the Estonian Chair of the Security Council at this moment. And these discussions also are not starting from scratch, we have already a lot that we can build upon that has been constructed in the UN. We have various reports by subsequent UN groups of governmental experts, providing us a lot of recommendations on norms for responsible state behaviour, capacity-building CBMs, and, last but not least, a very important acknowledgment of the applicability of international law to cyberspace.

That is, for the Netherlands at least, really the foundation for our approach to responsible state behaviour in cyberspace, and we really attach great value to that, and we – and our Minister dedicated a letter to Parliament to that particular matter on how we see the in – the applicability of international law in cyberspace, and we also hope that others – other countries will also do that because that’s the start of bringing this discussion to a higher level. Because, although we have all these wonderful reports and recommendations, I think we’re all agreed that, over the last couple of years, we’ve seen an increase in instability, in – and in challenges of that open, free, and stable cyberspace that we all aspire at.

And I think we also agree that, lately, most recently, when we witnessed that even health institutions, medical institutions, and research facilities, and international organisations, so important at this moment, like the World Health Organization, are not off limits to those that might also be state actors involved that are preying on information or on – or trying to destabilise others. That’s definitely a matter of huge concern, and that makes us also wonder whether all these – all this work in the UN has, well, brought us concrete results, and, well, I will talk about that later.

I do think that they have brought us results, but what is obvious is that there’s much – too much lip service at the moment to those norms that have been agreed to the UN, and there’s too little compliance. That’s a big challenge and that’s not a matter of lack of capacity, although there are countries that are in the world that have the deeds but are struggling to get on in cyberspace. I think that those who are breaking – for those who are breaking the rules, that’s not a matter of lack of capacity, that’s a lack of commitment, and we should do something about that. And, in relation to that, it’s very important that we try to work on enhancing accountability within the UN framework, and, if we cannot achieve it there, we also have to do that outside the UN framework, with the view to – with the aim of ultimately ensuring that we can indeed ensure that accountability is taking shape within our multilateral structures.

And, okay, thirdly, in order to ensure accountability, of course we need to enhance capacity. Capacity to defend ourselves worldwide against attacks, so last they had deterrence by denial, but also, capacity to track and trace capacity in the area of cyber forensics that will ultimately help us to attribute. So, what can we do in the UN, in that regard? I think, first of all, in UN now, we have to, and that’s what we aim at, demonstrate that the UN norms are relevant, and are relevant for the purpose that we have at hand today. So, we have to provide more guidance to those norms that were thought – that were brought together and presented in 15. We don’t need negotiations, long negotiations about new treaties, that’s not at all what is relevant now. What’s relevant is implement what we have.

For example, the norm on the protection of critical infrastructure. It is obvious, for us, that that also means that essential services like health services should be protected, and we should make that clear in our reports when we represent ‘em to the UN General Assembly, but also, that also applies to other important issues like protection of election infrastructure. Suzanne also referred to that. We think that the report should explicitly mention that, under the heading of infrastructure and the protection of intellect – of critical infrastructure, electoral infrastructure has to be safeguarded, as well.

And, last but not least, we also feel that the public core of the internet, the whole structure that keeps the internet ongoing, should be much more protected, and if there is a time when we realise that the importance of digital connectivity and also of the public core of the internet ensuring that, that time is now. So, these issues we want to bring to the table in UN and we want to see them acknowledged in the reports, and, by the way, these proposals have also been inspired by other stakeholders, and the private sector, civil society, for example, the norm on – the proposal for a norm to protect critical and expert infrastructure was coined by the Global Commission on Stability of Cyberspace that issued a report last year, a multi-stakeholder commission. The same applies to the call for the protection of public core of the internet, so definitely we were inspired by other stakeholders because their voice has to be heard, even though they’re not at the table in New York, but they should – their influence should be notable.

That brings to me what can we do to ensure that these norms are not going to be paper tigers ‘cause that’s essential, in order to enhance accountability, an issue that you put on the table today for our discussion today. In order to avoid that paper tiger problem, we have to, first of all, think about incentives for countries to comply, and I think we can do that by indeed helping countries that behave properly when they are under attack. So, coalitions are important, but also capacity-building, much more increased capacity-building for those countries that are not as resilient as we are perhaps, and that – but that do want to up their resilience, not in order to protect – not only in order to protect themselves, but also to co-operate internationally.

And – but, secondly, we also have to implement other means to enhance our resilience, and that – those means will have to aim at changing the costs benefits calculus of those who are not – who have malintentions, like Suzanne also referred to. And then we talk about issues like naming and shaming, for example, but also, imposing sanctions, and travel bans, or other – or asset freezes on individuals and entities that are culpable of cyberthreats and attacks. That will hopefully change their calculus, and also increase the awareness about the fact that there is a framework for responsible behaviour in – available for all of us to apply to.

That must bring me nearly to the end of my brief comments. What have I forgotten to mention? That, when we want to enhance accountability, I think states, of course, will continue to underscore that the prerogative of political attribution is theirs and not for others. So, like others, we are not very keen on international accountability organisations that would – or attribution organisations that would decide upon when or not to attribute because we do want to maintain this prerogative.

However, we think it’s very important that we up our collective forensic capacity, and states cannot do that on their own, they need to co-operate with private sector and civil society. The report Suzanne has co-authored, the Solarium report, speaks about the importance of sharing intelligence and working together, public and privately. We also think that’s very important. Our Minister proposed accountability alliances between the public and the private sector at the end of last year, in order to collectively share information, and, in some instances, perhaps also, where we all agree collectively, expose malicious behaviour. I think I’d better end here. Sorry.

Joyce Hakmeh

No, thank you very much for this very – extremely interesting – Carmen. I just – like, you know, thinking about the negotiations at the level of the UN, you know, as a UN expert yourself, you know how complex they can be, and sometimes, you know, state representatives spends day – spend days and days trying to, like, you know, find, like, one word instead of the other. So, it is a – kind of, like, a complex exercise that they go through. Now we are – everything’s gone virtual, CND, online engagement of states, and, as you know very well yourself, a lot of these, let’s say, agreement happen in, like, you know, corridors and over, like, drinks receptions and such online. And, in addition, you know, there also will be an element, quite a, you know, challenge for a lot of countries. Do you – how do you think this will impact the progress? Do you think that we are – can we still, you know, think of a positive scenario for the next foreseeable future, or for the foreseeable future?

Carmen Gonsalves

Thank you, and it’s obvious that these processes are heavily impacted, and I’m afraid that the chances of having a conclusive meeting for the open-ended working group in July are very small, and I see that process extended for a longer period, and I don’t know how it will impact the GGE, it will also not be easy. The GGE sessions are closed sessions, how are we going to do that online? I don’t know, when – if we turn it onto online, so that would make the GGE much more public, perhaps that’s good. An interesting option, as well, for transparency’s sake, but I don’t know. But what I do notice is that there still is a lot going on and delegations are working very hard to draft very solid submissions to, for example, the Chair of the open-ended working group.

A lot of good ideas are being put together, a lot of co-operative efforts are there, as well. I mean, I mentioned our proposal to acknowledge in the report that the public health sector should be safeguarded under the umbrella of critical infrastructure. Australia and other countries have also embraced that idea and are also trying to rally a coalition as wide as possible behind that idea. Well, there are other initiatives like a group of countries, we are, as well, part of that, are saying – are proposing a repository of – from where countries can submit their examples of how they, indeed, implement all the UN recommendations and norms, in order to have a com – have a body of work that will enable everybody to see where the gaps are, where capacity gaps are, and how we can bridge them.

In the GUCE, I see a lot of interesting online webin – conversations going on, and, fortunately, we are making the most of online conversations at the moment, and I’ve seen a lot of work going on, and I think, in fact, we’re even more inspired now because we are so aware of our vulnerabilities and our dependency to digital communication. So, it might even give a huge boost to a discussion.

Joyce Hakmeh

So, there might be an opportunity, actually, in the…

Suzanne Spaulding

Yeah.

Joyce Hakmeh

…existing situation. So, the question maybe, like, came here to probably – maybe all of you, and this is something that you talked about, Suzanne, and maybe touched – you touched on, Carmen, a little bit, on the importance of dedicate, or having the, you know, like, five resources. Any international commitment needs resources, whether it’s financial or human. How do you see the COVID-19 impacting on those resources, on the international effort? I’d like also to hear from Nick, from the private sector perspective. Can, you know, anything be done from the private sector to chip in into this – these efforts and help support this – the needed resources? Maybe starting with you, Suzanne.

Suzanne Spaulding

Yeah, and, you know, I’d like to think it is, at best, a double-edged sword. You know, Carmen made the point that, you know, the, sort of, silver lining, if you will, or the, you know, opportunity presented by the pandemic is that it does reinforce our global interdependency, so an awareness of that, and so the need for the reality that we cannot simply act alone or protect ourselves alone, whether it’s, you know, transborder or cyberthreats, or biothreats, right? And so, an increasing appreciation of that, and then a very specific understanding of our cyber vulnerabilities that becomes more and more apparent as everything has to happen, at the moment, online, and in that environment. And so, you know, I think – and the flipside of that, of course, is – the downside is that the amount of resources that are having to be devoted to the, you know, medical countermeasures and contact tracing, and all of the things that need to be done to address the COVID, and the impact on the economy, on state and local governments, and certainly in the US, as well as the federal budget. So, the availability of resources, you know, ostensibly is not there.

On the other hand, Paris is cre – is passing these massive spending bills and there is some recognition of the cyber aspect of what we have to do. And even in the – again, in a very concrete, COVID context, the international co-operation at the scientific and research level that needs to happen, that there’s an understanding that that can be very sensitive information. So, there may be prospects for getting some funding for, you know, carefully structured international cyber capacity-building co-operative efforts on that front, but I think, you know, the budgetary pressures are huge.

Joyce Hakmeh

Thank you. Nick.

Nick Coleman

Yeah, I mean, I think that, clearly, budgets in different sectors are really stressed right now in different parts of the industry, we’ve found that. I think I come to it, sort of, perhaps in three parts. I think that there was a need for speed, so what we’ve seen is a – is an escalation of those threats in healthcare sectors and things, and there’s been a need to respond and scale capacity quickly. So, I think the need for speed is the first bit.

The second bit is we therefore need to be more agile, and what I have seen, for example, which is really pleasing, is we led efforts to actually share the threat intelligence for COVID-related campaigns, put it into an – and what we call an enclave, and allow – I think now it’s over 100 organisations have accessed that, you know, for free. So that was really about getting the intelligence out there, which, coming to Suzanne and Carmen’s point, was making it so that the campaigns could be less effective, and the cost could go up, and therefore, you disrupt the activity. And that was really why we wanted to lead on that kind of stuff, to help organisations build that capacity quickly. So, the need for speed and the agility response was there.

I think the third bit for me is organisations have understood that cyberattacks are continuing to disrupt and continuing to be very significant, and cause real impact. So, I think that the other bit is, we have to just continually educate people on the need for resilience and the need to move it to actually making, in the public and private sector, those essential services really resilient.

And the final bit for me is, it’s probably, you know, these kind of sessions, where we actually talk about the issues and we share and we meet virtually, it’s not quite the same as meeting in-person, and I’m – I would like that opportunity, too. The thing for me is what I’ve discovered through the electronic is that digital experiences allowing us to create immediate connections, where sometimes you might have to wait for a meeting or an event, you can actually get things done faster. So, this, to me, is – sure, there’s budgetary pressures and people are feeling it in all parts, in different ways. Increasingly, by the way, some sectors have sought – seen an acceleration, so we’ve seen online shopping, different payment systems, actually get an increase in transactions, so there’s been a shift in some of these activities, and therefore, you know, it’s constantly evolving.

I think the agility is crucial, as we get to this, and certainly, you know, coming back to the core point, if we can disrupt faster, if we can make it more difficult, if we can, you know, work across boundaries, that, to me, is the crucial bit. What I’ve seen is things good in the – in this last few months, really accelerated some things. We’re also building, potentially, with the Charter of Trust members, an acceleration of that threat intelligence as part of the principles of actually getting that kind of – but, as I, kind of, said, you know, we’re two years into the journey and this is very early, and, you know, we’ve – you know, so the question is, can we come out of this pandemic period really understanding the need for speed, the need for agility, and the ability for us, as individuals, to actually reach out, beyond what you probably would have done before, to actually agree these – you know, that these things are really important and we all have a role in helping build them.

Joyce Hakmeh

Right. Try and find the opportunity in the crisis. Carmen, question that was sent to you. Where, concretely, do you see the added value of the EU working together, both in the GGE and the open-ended working group process, given the difference in positions that exist among the member states? So, what is the – I guess, the EU’s added value in the UN negotiations?

Carmen Gonsalves

Sorry, sorry, sorry, could you please repeat, because I have not been able to look at the question. Sorry, and it was my fault.

Joyce Hakmeh

No, no problem. So, the question is where, concretely, do you see the added value of the EU working together, both in the GGE and the open-ended working group? What can the EU, as a regional organisation, do? What is the added value of it in the – in this process?

Carmen Gonsalves

Yeah, no, thank you very much. Now, of course, the EU, for us, for the Netherlands, is a very important community of likeminded countries. I mean, we share very, very fundamental principles and points of departure in relation to international law and normative behaviour. So, it is – and the EU is also, as an organisation, an important actor in capacity-building. For us, it’s therefore important to try to align and to co-operate as much as possible. Within the open-ended working group, by the way, that is – that has a slightly different dynamic than in the GGE. Of course, in the open-ended working group, all EU member states are represented, and that also makes it much more easy to visibly act in unison, and in the – whereas, in the UN GGE, only a couple of EU members are represented.

But we, as members, as experts in the GGE, try to do is to regularly brief all the non-represented member states in Brussels and to maintain all channels open and to have a – to ensure that we can also take their ideas if – onboard, although we are there, as – of course, as individual experts, but, nevertheless, we don’t live in a vacuum. And I think that the EU do – so, you know, the EU is one of those communities of likeminded, of coalitions, of likeminded, you might say, that also, co-operating with other likeminded countries in the world, will be an important building block to increase the geographical remit of countries that have the same ideas and – in mind, and want to work in the same – and are all committed to implementing those norms. So, yeah, US engine as one of the engines, yes, definitely.

Joyce Hakmeh

Right, right, right, thank you, and that’s obviously to the point of, like, imposed coalition and, like, you know, different states coming together and highlighting common positions. The question to you, Suzanne, from the audience, given the U – current US lack of engagement with multilateral institutions, what is the actual ability to collaborate?

Suzanne Spaulding

Yeah, so, I think this is actually one of the reasons that we have seen our private sector players get so – become so engaged in these international multilateral conversations, and I think, unless we make the changes that the Commission is recommending, I – you know, I’m not sure we’re going to be able to effectively engage. We really have to prioritise that. We have to prioritise that international engagement at the state level. Again, if we fail to do that, NGOs in the private sector are going to have to continue to do what they can to advance the conversations that build consensus, but they are never going to be a substitute for nation states at the very most senior levels in organisations like the G20 and, you know, coming together and finding common paths forward. So, we really do, we need to prioritise it, and that starts with our state department funding those efforts and lifting them up in the bureaucracy.

There is – I will say, not to undercut, the amount of work that is being done every day below the radar at the working level, my team of cyber ninjas, as I call them, at the Department of Homeland Security, in the Computer Emergency Readiness and the Computer Emergency Response Teams, you know, working every single day with their partners, and not just in the traditional allies and partners, but really across the board, and I know that that work continues to this day. So, it’s similar, again, to the pandemic, where we sometimes think there – that the international co-operation isn’t happening. At the working level, there is a tremendous amount of international co-operation, and the same is true in cyber…

Joyce Hakmeh

Right, and this build-up is extremely important to achieve results at that level. Well, unfortunately, we’ve reached the end of our session. There are so many things that we could discuss, and we could go on for, like, you know, like, a good few hours. I think what I – like, the main takeaways that I got from this conversation is – and this is – your points wasn’t only on standards and the importance of understanding the intersection between policy, technology and standards, if we wanted to agree on, like, a cyberspace that we all want to reap the benefits of. And I think the – another takeaway is that there isn’t, like, one solution, you have to think about coalition-building, about capacity-building, about dedicating the right resources, the importance of information-sharing, the public private partnership aspect, but also, I would add to that the importance of the civil society, academia, etc., in this, and to, kind of, make it less attractive for perpetrators in cyberspace to attack. Just agree on common positions and reinforce what is there, because there’s already a lot of solid grounds for advancing in cyberspace and this session.

Thank you very much for your time. It has been a fascinating discussion, and I look forward to continuing this conversation because this conversation is definitely not ending anytime soon. So, thank you very much. Thank you for all the members who joined us, and keep safe, and hopefully we’ll see you again soon. Thank you.

Suzanne Spaulding

Thank you, Joyce.