IGF 2019 – Day 2 – Saal Europa – WS #131 Quantifying Peace and Conflict in Cyberspace

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> MODERATOR:  Is this working?  Good afternoon.  I would advise you to come to the table.  As you see there is enough room at the table and come close to us also so it is cozy and we can have a nice discussion just in a small group.  Usually when you do the later session of the day, it's only the super‑interested persons and die‑hards in the group so thank you for staying with us.  We will start in a couple of minutes.  Thank you.

>> MODERATOR:  Good afternoon, thank you very much for staying with us and participating in this session on quantifying peace and conflict in cyberspace.

My name is Serge Stroobants, Director for Economics and Peace in Europe, Middle East, and Africa.  I'm joined on the panel today in a very distinguished and diverse panel today by Ms. Liga Rozentale, Microsoft, Security of Emerging Technologies.  Co‑chair of the Global Commission on the Stability of cyberspace and former Deputy National Security Advisor of India, Izabela, and Marilia Maciel and online Ms. Izabela Albrycht from Institute in Poland.

What I will do first is introduce in more detail the panelists and then I will give you an introduction about the Institute for Economics and Peace and our work in measuring quantifying peace and the global peace that we have every year and then shift to the presentation on the panel about I would say peace in Cyberspace, and we will finish with the floor and your questions and try to give the best answers to your questions.

So, we start with Ms. Liga Rozentale from Microsoft together with the Institution for Economics and Peace presenting and proposing this session to you.  The is Microsoft Director on EU Policy on cybersecurity and security of emerging technologies and you lead a team focusing on topics ranging from digital legislation and sovereignty to global cybernorms and multistakeholderrism.  You also currently serve as a special advisor to the larger mission to the UN.  You are a delegate for the open‑ended Working Group on Information and Telecommunications in the Context of International Security and you're also engaged in Woman First Cyber and named by SM Magazine UK as top women in cybersecurity for 2015 so congratulations for that.

You also bring to the role your experience as a counselor on the cybersecurity policy to the larger and permanent representations to both the EU and NATO in Brussels and you Chair the Council of the EU Working Parties on both Telecommunications and Cybersecurity.  You're also very enthusiastic about enhancing and energizing public and private partnerships of PPTs and facilitating Microsoft in Europe and driving cybersecurity policy in the EU and globally, we're really pleased to have you on the panel, Ms. Rozentale.  Former National Security Advisor of India where you were responsible for cybersecurity and other critical internal and external issues.  Served on commission of Internet Governance, served the Indian Foreign Services until 2011, and this brought you to cities of Lisbon and I just heard your fluency in Portuguese.  Brasilia, there again, and Bangkok and after this brilliant academic ‑‑ I'm sorry, the diplomatic career you were India Security Advisor in the Prime Minister office from 2011 to 013 and extensive experience in foreign policy and bilateral regional and multilateral negotiations, and in addition expertise on strategic issues and worked on strategic technology policies, particularly on cyberissues relating to cybersecurity policy, international cybercooperation and Internet Governance.

Third person on the panel today would be Marilia Maciel, Digital Policy Senior Researcher.  Previously you were researcher and coordinator of Centre for Technology and Society of the barriers Foundation in Rio and served as counselor at ICANN generic name supporting organizations representing non‑commercial stakeholder group and you are a former member of the Working Groups of improvements to the Internet Governance forum of 2011 and 12 and member of the multi‑stakeholder executive committee.  You are PhD candidate at University of Baltimore Tenure on information and communication sciences.  Welcome also on the panel.

And then virtually through the net and connected to us we have Ms. Izabela Albrycht, Chair, and Organizing Chair of the European Committee Cybersecurity Forum, and since 2010, a Member of the Council for Digitization which is now in the third term and she also chaired this committee in a second term between 2016 and 18.  She is also the Associate Editor of the European Cybersecurity Journal and also been listed amongst the 100 Europe's Emerging Technology Stars announced by the Financial Time and New Europe 100, and in 2019 became a founding member of the Woman for Cyber Initiative by the European Cybersecurity Organization an alumni, just as I am of the International Leadership Program of the U.S. State Department in a scope of NGO Management, so we are really pleased to have this panel around us.

We start to introduce in this Institute for Economics and peace, and so we are a not‑for‑profit, independent think tank based in Sidney, Australia.  We do have representations throughout the world.  I'm directing the one in Brussels, another presentation in New York City close to the UN.  And then I would say linked to the regional offices, offices in Mexico City where we also produce a Mexico Peace Index and in Zimbabwe where we're advising the local government.

What we do is measure and quantify peace and also the economic benefits and drivers of peace and also the economic benefits linked to a more peaceful situation.

So next to the research, what we produce is an Open Source for about peace.  We also do consultancy for international organizations, and we also try to promote the best we can, our work, and so that's why we have global outreach, reaching between 7‑10 billion a year and 1 billion of this is online.  We are read in 150 countries, produced reports per year and also very active in the academic environment.

Global Peace Index, the flagship research production of what we produce, is based around 23 different indicators.  So, it's a very complex index.  These 23 indicators are divided into three families.  One family is going to have a closer look on ongoing domestic and international conflict and the implication of countries in those conflicts.

A second family will look at safety and security within societies, and a last category, a last family will look at levels of militarization when we look at the GDP invested for defense, the percentage of GDP, we look at arms, exports and imports, and we would also look at the number of people working in the security services.  There is also one positive indicator there, and this is the investment in UN peace‑keeping operations.

When we look at results for a Global Peace Index 2019, we globally see a improve by 0.09% of peace.  This might seem marginal but in the last 11 years it's only the third time the world basically became more peaceful.  Over the last decade we have regression by almost 4% of the levels of peacefulness globally, and the post peaceful region being still Europe and the least peaceful region being the Middle East and Northern Africa.  We rank 160 countries and this for a 13th time the countries reaching from Iceland is number one until Afghanistan who became last on our index this year.  Unfortunately, Afghanistan is now at the bot amount of all the indexes we produce to global peace and expositive peace but also the global terrorism index that we have been launching last week.

What we also see is a widening gap between the most and the least peaceful countries in the world.  We have produced specific research also on, for example, climate change where we see that 1 billion people are living in areas that are already affected or soon will be affected by climate change and we see that out of the billion, about 40%, so 400 million people are also living in a country that is ranked in the bottom 20‑25 of our index, so we clearly see that in some geographical areas of the world, the factors influencing peace and security are just combined and influencing or exacerbating the impact on those countries.

What we also do at Institute for Economics and Peace is quantify the cost of violence, and we identified a figure of 14.1 trillion U.S. dollars last year, and about in the 14.1 trillion, 75% are invested either in the military or in the internal security so to speak police services.  So just imagine, only the figure of 14.1 trillion, it's a very conservative figure, so I guess the reality is that it would be much higher.  But just imagine 14.1 trillion.  This is already mind blowing.  1% of this amount represents the entire foreign aid or foreign development budget globally, so if you would save 1% of the cost of violence, you double your budget on development, so I think that's a very interesting figure.  If you open that window to 10%, 10% of the cost of violence represents global foreign investment.

So next to this, next to identify the levels of peace, we also wanted to create a concept that would allow countries, that would allow organizations to create peace to maintain it and to sustain and development and eventually get the economic benefits, and we're able to also quantify the economic benefits that are linked to most ‑‑ to a more peaceful society.

This concept is called positive peace, it's based on a systemic approach to peace, so we see peace as a system and we don't really look at the causal effects in our approach.

What we have seen is that countries having a high level of positive peace will also get faster and stronger, economic, social, and governments returns of that, but also economic resilience, and so basically high levels of positive peace equals a more resilient and strong and inclusive society.

So, that's about the introduction about all the institute for economics for peace quantifying peace and I think it will be interesting later in the debate to see how we could include what's happening in Cyberspace into what we are measuring and what we are classifying or ranking at it as such.

There is an approach, either you can create a completely new peace index and identify new indicators and our panelists will talk about this, or you can just adapt the existing peace index that is already measuring the effects and impacts of what's happening in cyberspace in I would say the offline society, so I guess this would be the result of future discussions of our panelists.

We have asked three questions to our panelists and I will just read those questions before opening the floor to you, Ms. ‑‑ your excellency if you are able to speak as the first speaker.  The first questions to ask are what are the current trends in cyberconflict today.  When I read this question, one thing came to my mind, and is the U.S. cyberattack on Iran that has been decided, I would say 10 minutes before kinetic effects would strike, strike the country, and I guess what we could think about is that, aren't we considering the cyberattack as the lesser evil in conflict today and that would replace a kinetic effect?

The second question that we would ask ourselves is what data indicators are there for cyberconflict?  Which ones are also relating to cybercrime, the development of cyberweapons and what is the legal framework for the use of cyberspace and incumbents?  So we have seen, I can take the example of NATO where since 2014, we have seen that NATO has been identifying acts in Cyberspace, cyberattacks as potential APRALO 5, so corrective defense.  2016 they have identified Cyberspace as the next battle space so my question is what is the legal framework around this?  Are we going to applies the laws of armed conflicts and discrimination and proportionality in the response, or do we need to develop a new set of rules?  I think that's a very interesting question for the panel today.

And then the third question, what is the role of Civil Society SMEs and tech industry that have on creating peace in Cyberspace, and I guess this is where we'll talk about those private/public partnerships and where we could maybe think about which sector is most, or has been most impacted by cyberattacks in the pasts, the private sector and private companies or the public sector?  And who has developed the experience that we could use now to provide an answer to the existing situation in Cyberspace?  So enough of me, and I will come back for the Q&A and leading this session, and I will give the floor now to our Excellency, Mr. Latha Reddy.

>> LATHA REDDY:  Thank you for the very comprehensive introduction.  You know, how do you measure peace and what are the current trends in cyberconflict.  In a sense I'm going to inflate my answer by combining these two.  Why it's difficult to measure peace in Cyberspace is because of issues that don't have much to do with cyber at all, you know, because you have a lack of trust, you have a breakdown of trust between nations, you have a breakdown of trust between stakeholders, whether it's government and private industry.  You have geopolitical tensions that don't have really very much to do with cyber at times, but which then, in a sense, create a situation where one party is portrayed as the villain who is attacking and the other is portrayed as an innocent victim.

The interesting thing is that all countries portray themselves in this light.

The 2030, the mandate estimations vary of countries that have cyberweapon capability, and would all argue that they have been victims of attacks.  You know, there is no one country that says I only attack.  They would all argue, and I have heard every single country say my businesses are being attacked, my Civil Society users are being attacked, my public sector was attacked, websites of the government have been attacked.

Frankly, I think in a situation like that, it's very difficult to talk about trends in cyberconflict without talking about what's happening offline.  There I agree with Serge that we would need to talk about offline and online together to a certain extent.

I think that cybercrime and weapons, which was another area that you mentioned ‑‑ cybercrime again, some people would argue that some cybercrime is state inspired, some would argue that it's by organized criminal gangs.  You also have the problem of the deep‑dark web, and you have non‑state actors obviously carrying out a lot of cybercriminal attacks.

The you have the use of cyberspace by terror group, by extremist groups.  You have the need for countering violent extremism online, and of course, you have the most recent phenomenon which is misinformation, fake news and influence operations.

I think, basically, from my point of view, I see it as both a national problem and an international problem.

For instance, I've seen in many countries where there is acute polarization between political groups or groups that support different points of view.  The attacks are within your own country, you don't have to look outside for cyberconflict.  There is cyberconflict within the country; and therefore, how are you going to measure the peace within a national context?  It's easier to compare two countries, but how would you then create an index that also looks at how peaceful a country is in cyberspace in their own territory or among users in their own space?

Attribution is one of the big problems because you can't always prove who has launched the attack or who has launched the misinformation.  We're getting there.  There is now reasonably certain attribution possible by certain advanced systems, but I don't think we've received really a 100% convincing proof, and so everybody who claims to have attributed an attack has not very often actually proved conclusively where the attack has originated from.

And I think for data indicators that you would use, one, you would have to quantify the number of attacks.  The problem there is going to be that a lot of attacks are not disclosed.  In the case of companies, they are worried about the bottom line, about the reputation of the company, they may not really want to reveal that so much information has been hacked.  Usually it comes about because there is a whistleblower or that there is a feeling of responsibility towards the users of that company's products that people would come out with it.

Governments would not want the loss of confidence in their own government structure.  They may conceal the fact that they've come under attack.

I think the question is also that you would have to examine the resilience of each country to cyberattacks, and by that, I mean the ability to protect and the ability to bounce back after an attack.  Firstly, do you prevent attacks?  How good is your system for preventing attacks?  Secondly, how good is your system for reacting to an attack?  These were the questions that we grappled with all the time in national security, and what are your organizations and mechanisms which actually exist within that country and globally for measuring data in cyberspace?

And, I think government data and industry data is certainly incomplete.  I think that a lot of people who are subject to cyberattacks, very minor ones maybe, where you're swindled out of a few thousand rupees or a few hundred dollars online, are just embarrassed to report it because they realized they shouldn't have done what they did, whether it was clicking or answering a mysterious letter if you only share your account details, and I think people were embarrassed to say that they were gullible enough to fall for that, and you have the problem in developing countries like mine, where, you know, people don't see the danger in sharing pin numbers, they don't see the danger in having one ATM card to service a whole family, and they don't know really that they need to have a password.  The most common password, and this I must say is not just people who have not been educated.  The most common password is 1234, or 0000 and you would be able to crack most accounts just using those combinations.  So, it's a question of how are you going to educate people on cybersafety to prevent cyberattacks and so you've got every level.  You know, you've got the level of the average user with, you know, what happens when they get attacked, what happens to private companies, what happens to public‑seconder companies, and finally, what happens to governments itself when they get attacked?

I think the argument about a cyberattack being less physically damaging than a kinetic attack is not really very convincing to my mind because it depends on what you attack.  If you attack a hospital and destroy health data, you can actually cause harm, physical harm to a great number of people.  If you attack the national grid or you attack transport, imagine if all the air traffic controllers in the world were attacked.  You would have complete chaos with planes smashing into each other mid‑air, so just because it hasn't happened doesn't mean the potential for attacking systems will not have disastrous consequences.

Unfortunately, or fortunately, we haven't faced the terrible cyberincident that has been forecast for so many years and which people felt would frighten people into regulating this space, but it does not mean that the potential does not exist.  And I think the role of Civil Society is very big, and that's why we're here at the Internet Governance Forum because we understand that cyber is essential low a multi‑stakeholder model, that it cannot be governed by just governments, but we need every kind of stakeholder to come into talk about this.

And my professional background, as you heard, was diplomacy and I would argue that without dialogues, without sharing of information, without sharing of best practices, we cannot really make cyberspace more peaceful because, ultimately, what is the goal of having a peace index?  The goal of having a peace index is to show where best practices have prevailed, who has been more successful at creating an atmosphere of peace in cyberspace, and how do we ensure that that same model is followed?

So, my own feeling is that efforts ‑‑ you know, one of the things I've been very busy with recently is working as Co‑chair of the Global Commission on Cyberstability and we have come up with specific norms, recommendations, and our recommendations talk about the need for both restraint and for action.  Restraint from doing the bad things, take action to do the good things.  Respond to violations and make people face the consequences.  And capacity‑building for cyberstability, informs sharing of impact, build communities of interest around ways of implements cyberpeace and having a standing multi‑stakeholder engagement mechanism.  We put out specific norms saying the infrastructure of cyberspace should not be interfered with, and our goal, as it is your goal, is how do we create a path forward to lasting cyberpeace?  So, I'm talking to you as a diplomat and not as a technical person.  We don't create indexes in the position.  We simply make suggestions to bring more peace into the sphere, but I look forward to a very active interaction because we have technical experts from industry and other agencies from the DIPLO Foundation which in many ways, I think, Marilia you and I will talk about the same things but perhaps in a different language.  And I will leave it there for now and I'm happy to talk to you more about some of the ideas I've developed.  It's hard to create peace offline, and it's hard to create peace online is all I can end with.  Thank you.

>> SERGE STROOBANTS:  Your Excellency, thank you very much for this very interesting statement.  I think you spoke about the difficulties to measure the influence between offline and online communities, so it seems offline and the online world.  You spoke about different types of crimes using Cyberspace for activities.  I would say terrible terrorism, cyberterrorism being one of those crimes really at the heart of the debate today.  You spoke about difficulty to attribute, but also the secrecy and the silence about from those being attacked, and so sometimes being ashamed of having been a victim of cybercrime or cyberattack.

You also spoke ‑‑ you compared it a bit, of a kinetic attack and a cyberattack and in the examples, I think when you spoke about the transportation, you spoke about the airports and the air traffic, but I think we all know that a company has been attacked on their lines and attacked a couple of weeks ago and the national services in the UK has also been targeted and so we saw the results of these type of attacks.

You also pointed out that the solution feature won't come from government alone, so a multi‑stakeholder approach and so an ordinance today where states were holding all the power to solve all the problems of our societies and, you I think, you're right to point out that this one is a potential solution, a potential situation for cyberspace, and you finished, of course, by talking about your organization with your commission and the actions that you are taking.

I guess the last point that you made about cyberspace there is only one form of peace that you will find in the bigger system called peace.

I would like to pass the floor now to the second panelists, and if that's okay with you, Marilia Maciel, I will give you the floor.

>> MARILIA MACIEL:  Thank you very much, Serge and thank you very much for the invitation to be in the panel.  L and you are right that we're going to go in a similar approach.  The first is about trends we see now in sub‑security and when we talk about peace in Cyberspace, and I think the first complication to achieve peace in Cyberspace is that we have a situation of multipolar distribution of capabilities, and although we do emphasize a lot the capabilities that the U.S. and China have when it comes to Cyberspace, we conducted a research on states that openly say that they have offensive capabilities to conduct and we counted more than 50 states today that openly affirm that so we have a situation in which capabilities are distributed, and of course that creates a situation of instability in the whole system.

The second trend is the dissemination of the technology, not only states with technologies to conduct a text, but we see that non‑state actors more and more have access to the technologies because the prices have come down immensely, so they are available in the dark web and other spaces if you want to conduct.  And you can rent a bot net for 200 or 300 Euros and it's simple to do that so there is a dissemination of capabilities to non‑state actors as well.

The other trend is that we still aren't clear about applicability of international law.  We know that international law applies to Cyberspace that has been internationally recognized, although we're still building consensus on the international arena of how international law actually applies to Cyberspace, what are the controls, what are the limitations, so we are in a situation in which the legal framework in which we operate is still gaining shape.

Another trend that I think is a very important one, that we have a blurring of lines that separate the traditional and cyberoperations, so we have seen concrete examples in which states have responded to cyberattacks with kinetic attacks, and it's why I responded to cyberattack coming from the Hamas with showing a bombarding of a building where the suspected cyberattack it was located.

On the other hand, the U.S. launched a cyberattack to respond to the fact that Iran has shot a drone down, so we see a blurring of lines and this can lead to a situation of escalation of tensions, so that complicates the problem as well and creates a situation of more cyberinsecurity, so these are some of the trends in which we operate when we talk about cybersecurity and cyberpeace.  In this situation, it's very important that we have measurements because I think that Latha was really correct when she points out that when we have measurements and we're encouraging countries and actors to follow a positive path feature they have a framework and model and something this they can follow adjusting to their own realities.

The problem is what is publicly available for us to develop metrics of peace in cyberspace.

First of all, we don't have a clear definition of what are the relevant data sources.  This is something that we're still building consensus about because when we talk about cybersecurity, we do have some metrics for cybersecurity that have been developed by different organizations.  The ITU, for example, publishes the Global Cybersecurity Index and they have some indicators that include the presence of cybercrime law, the presence of CERTs, presence of cybersecurity in the country, awareness‑raising initiatives, narratives of professional development, participation in international fora, and partnerships between the public and private sector, but this is very specific to cybersecurity.  If we enlarge the analysis of cyberpeace, it is much more in comparison and we need to take into account the societal elements that would need to be identified so we have the correct indicators, and I think the work that has been developed by institutes ‑‑ the Institute for Economics and Peace is very good to point us perhaps in a direction that we could take inspiration from and adopt to a situation of peace in cyberspace.

One of the elements that you develop in your metrics is to take into account freedom of information, and this is something unfortunately, we don't have yet clear answers in international law.  You asked us about what are the legal frameworks in what we operate in when we talk about cyberpeace and we do have some legal frameworks present.  We have one in which says a situation when countries have self-defense when authorized by humanitarian council.  Humanitarian laws apply to Cyberspace but when 2 comes to freedom of information, perhaps we're operating in a more complicated area because now we have the problem of misinformation and we don't have today clear international laws that would apply to disinformation, and more particularly to the problem we have very acute today of interference in elections.

So we had a session in this very room in the morning and we were trying to understand what are the applicable legal frameworks and we do have principles that relate to misinformation, such as sovereignty and non‑interference in internal affairs of states, however, they do not necessarily completely adjust to the situation of misinformation, so we are operating in a field in which we don't have a clear legal framework, so I think that is another point that brings complexity.

Your question about the role of different actors is a very important one.  I think that the first thing to bear in mind is that cybersecurity is a joint responsibility.  We have, fortunately, started to move away from the assumption that security is the prerogative of states.  This is not possible.  When we think about cybersecurity, it's not the states that control, and first of all, much of the infrastructure that allows the Internet to function from the cables that interconnect continents to the applications that we use to communicate, therefore, it would be impossible to talk about cybersecurity and cyberpeace without involving on state actors, including companies, so I believe that the tech industry has a very important role to play in the scenario by raising security standards, as some security standards are still low.  When we think about Internet of Things, when we think about the needs to rush and put products in the market sometimes without the due care, with a system of pass and play, we put a product out there and if there is a problem we patch afterwards but sometimes the problem already happened and the damage is done.  So, there is a duty of care that needs to be observed, but I think that the tech industry has also taken a lot of the responsibility of trying to push the international discussion forward.

Some years ago, when we talked about the industry, they were really adamant against governmental regulation in many areas in the Internet, and now we see that different companies are calling for regulation areas in which regulation is necessary to suggest misinformation or facial recognition, so there is a call for more partnership between this initiative from the private sector and government regulation.

And I think small and medium‑sized companies are not really mentioned in this debate, but they are an important key of the chain or element of the chain.  First of all, we need to help them to have more access to security tools because they compose more than 90% of companies in many of our countries.  I heard someone from Germany saying that 99% of the scenario of companies in Germany are small and medium‑sized companies so we really need to invest in security for these companies and they need help and assistance and to have access to good practices, so we cannot only focus on the big ones but make sure that we include smaller ones as well, and of course, Civil Society has a big role to play, not only in taking responsibility for their own cyberhygiene but also demanding higher standards of security, demanding certification from governments, and offering capacity building, which I think that Civil Society has played a very important role in developing in this field.  Thank you.

>> SERGE STROOBANTS:  Thank you very much for a very extensive introduction, I would say.  You clearly spoke about the distribution of capabilities and dissemination and easy access and financially accessible technology.  You also spoke about the quality of international law, okay it applies, but how do you apply it to Cyberspace, who will be responsible.  Just to give an example about NATO when they declare APRALO 5 when you take the Treaty of Washington you T says the defense after an armed attack, so the cyber ‑‑ what's happening doesn't fit this definition of 1949, for example.

You also spoke about the separation between different tactics and cyber can be identified as a add or forced multiplier as it is called, is it shaping the physical battle space before the physical battlespace is going to be used, and what will be the role then of those different stakeholders, normally the state that you have seen having the prerogative of security in this physical battlespace in which properly aligns cybertechnology will be used also.

I think ‑‑ I do have to agree doing a measurement will be difficult, but that's what we're working on so of course we need a clear definition that would allow us to collect data and also to identify the indicators that we will feed with this data, and then I think a good exercise would be to look at, you know, the three families of indicators that I spoke of before where we take the positive peace and looking at creating a better resilient society.  And how would Cyberspace interact with the 8 pillars of positive peace that we have identified where free flow of information is one of those.

You spoke about the tech industry and they are the big ones but also the SMEs and their roles and responsibilities, and of course, the evolution of their position from opposing any governmental, I would say, rules in cooperating today and I would think that the initiative last year from the Paris Peace Forum calling for more multistakeholderism and tech companies as first potential responders in conflict was one of the first steps in this direction.

So, I don't know if we have a connection now with Mrs. Albrycht in Poland, they could have her as a third person intervening in this panel through Zoom.  Is this possible?



>> SERGE STROOBANTS:  I can hear you.

>> IZABELA ALBRYCHT:  You can hear me.  Very good.

>> SERGE STROOBANTS:  Okay.  Please go ahead with your intervention.

>> IZABELA ALBRYCHT:  All right.  Thank you so much.  First of all, for inviting me.  I actually spent the last couple of days in Canada and this is one of the reasons why I was not able to join you today in Berlin.

I will start by saying that it is great to continue the discussion which we also held during all cyber 2018 on the positive peace in cyberspace.

Ladies and gentlemen, conflicts between states have taken now new forms with digital technologies, and that are being used in Cyberspace.  The Ukrainian Minister of Defense said at the Halifax International Security Forum said last year Ukraine spaced a large number of cyberattacks which affected the economy and well‑being of the citizens, so the history he said is being written every day with cyberattacks taking place every day without naming and shaming here.

He said that we cannot ignore it because there are attacks on critical infrastructure and information attacks on people's minds, opinion, perception, and this way the cause is created and is far away from this.

And it is into something which should be also reflected in the Global Peace Index results, so I would probably support this notion to adopt the indicators that you are using to assess the peace around the globe.

So, and it might be confusing to see that Ukraine is one of the countries which you presented as a major ‑‑ as a country with major increase in peace, where in fact, the battles that we cannot see are happening.  So, index now, ships, planes, soldiers being active, but it doesn't see the battles that are happening in cyber and in information space in the Ukraine, for instance.

But they are also taking place all around the world as we speak.  And, I'm saying that because we should not only talk today in reference to the Global Peace Index on how to measure the positive peace in Cyberspace, but also, we should talk about the way of how to see the impact of cyberbattles and potential cyberwar on global peace.

And indeed, we should talk about updating properly and upgrading the GPI with cyber dimension, and according to the book New Rules of War and I will now answer the question about how the conflicts of cyberconflicts look, and today what I will address, and so according to the book, “New Rules of War” by Sean McFate, modern war is more and more about political warfare, strategic influence, economic might, deception, and propaganda and less about conventional company and military deterrence.

McFate is saying that in the information age, possible (?) is more important than firepower and is calling these new types of wars shadow wars.

And cyberattacks with different magnitudes and proxy cyberwarfare are all about possible deniable as they are hard to attribute, as we already said also at this session.

And so, maybe we should try to find the right indicators, both qualitative and quantitative as well as weights to be added to their GPI methodology.  Because cyberattacks on critical infrastructure, even though they are classified as being below the threshold of war, for example on transportation systems, waterworks, hospitals, and power plants, can lead to consequences and especially the economic effects which would be just as devastating as conventional weapons that suddenly change or the transportation system would break down.

And in terms of on how to quantify it, James from CIS says questions assist to the appropriate framework for considering this new mode of conflict, but to a degree, discretions results from (?) imprecise terminology and a certain reluctance to abandon the notion that cyberconflict is unique and generally rather than being just another new technology applied to warfare.

And it is correct that there is a need to identify precise indicators.  It is also correct to know and to call every battle that happens on the Internet a war.

So, thresholds for war or attacks should not be very different in Cyberspace than they are for physical activity.  We can also focus dimensions by defining cyberwar as the use of force to cause much distraction or casualties for political affected by state or political groups.

So, a cyberattack would be an individual act intended to cause damage, destruction, or cause casualties.  There is also a gray area since when we think about disruption, particularly the disruption of services and data, and when this disruption is raises the level of use of force.

So, the threshold should be very high for holding disruptive activity and act of war ‑‑ or attack.

So, what would be hard work to do for researchers, experts and stakeholders to work on those, but it is necessary to do it.  Up until now, we haven't observed any full-blown cyberwar and the actual casualty but quite a few cyberattacks launched since 2007 and you also mentioned one quite recent example.

And those effects have objectives and magnitudes and should be perceived as disruptive for the global peace.

So, as we cannot ignore the fact that cyberweapons are in many ways as dangerous and inhuman as chemical biological companies, we can observe militarization of Cyberspace with new technologies that have a potential to become hard power for state actors, but also can be used by non‑state actors as was also mentioned today.

So, we can see also still imposed on cybercontrol and we can also the subverting strains of total and physical spheres which some will make all of our work even more honorable to connectivity.

This trend includes also the convergence of Cyberspace and auto‑space, auto‑space is vulnerable to cyberincidents too and it is one of the concerns which is quite highlighted by cybersecurity experts.

Both outerspace and Cyberspace are now becoming new dimensions of military actions also for NATO.  And as for today, one is for sure crystal clear that there are cyberthreats and misinformation and manipulation and amplify the risk of socioeconomic military and peace.

We should work on GPI methodology to make us prepare to see those emerging threats.  We need to update and upgrade the indicators because peace is also better in mind by Cyberspace and maybe I can add to some proposals already but by Ms. Latha Reddy, so apart from number of incidents we also measure number of cybercriming, cyberattacks, number of Internet shutdowns that the country experience, and then we should also think about the indicators to measure gravity of cyberattacks.  Then we can measure a number of data breaches, and I would separate that category because data is now the most valuable resource and we should take a closer look on it, also on the gravity of data breaches.

Another indicator might be the likelihood of being country of origin of cyberattack, of course after the public attribute are at different levels of certainty that it happened.  And then another indicator might be number of conventional reactions to cyberattacks, for instance, economic sanctions or diplomatic measures, and then maybe cybermilitary expenditure as percentage of GDP.

Again, maybe number of misinformation articles, campaign, websites, fake accounts identifies, and the outreach of disinformation articles contains websites, fakes, takes accounts identified.

It's gravity, and the importance of the subjects for economic, social, stability and then livelihood of being the country of the origins of disinformation after the public attribute again or the different levels of certainty or number of both identified and the financial links.

So, basically, I think that we can divide those ‑‑ those categories into like, for instance, three which is economic, technical, and political.  We should also start with some taxonomy and clear definitions.

And if I may add something, I should maybe finish and just let me know, but I have like probably a few more points to add in terms of the role of stakeholders.

>> SERGE STROOBANTS:  Excuse me.  Can you maybe just like name the points but not elaborate on them would be fine.  Thank you.

>> IZABELA ALBRYCHT:  Yeah.  Those are my points.  Thank you very much.

>> SERGE STROOBANTS:  You are done?  Did you finish?  I guess so.  All right.  Thank you very much for your presentation.  You clearly spoke about new rules of conflict in which of course Cyberspace and cybercapabilities were used.  You spoke about political warfare, new type of warfare, you spoke about definition and potential indicators, militarization of Cyberspace, you identified as hard power for state actors and non‑state actors and you even spoke about arms controlling in Cyberspace.  You clearly make a link, and I think that's very important also with outerspace or space as being another battle field, a recognized battle field and Cyberspace is really almost easy to understand.

And then you elaborated, eventually, on the potential indicators that could be used in digital peace index, which is the peace index with the digital focus.

We will now close the session and give the floor to Ms. Liga Rozentale from Microsoft the other organizer will wrap up the session and also provide us with the remarks.  The floor is yours, thank you very much.

>> LIGA ROZENTALE:  Thank you.  So many very in‑depth remarks and I think that I can shortly conclude this session with just some thoughts that I had in preparation for the session and to see where we would end up when I actually get a word in edgewise, but that's one marker of a successful panel, when there is too much to say.

In any case I looked at the Global Peace  index and thought about how it could be elaborated to include elements of technology, elements that definitely impact peace because it's easy to count tank, but it's not necessarily so easy to understand what affects peace when you look at the technology and developments of e‑government and cyber e‑offensive capabilities as well.

I represent Microsoft and I look at what they do and we are a global company and have a far reach in looking at threat, we detect 5 billion cybersecurity threats a month and assess 6.5 trillion signals dailies, does this statistic tell you if there is more peace in the world?  Not particularly, but over the course of years you can say there are more attacks, detect more signal, try to do more to avert the attacks but doesn't necessarily indicate to what happens to peace.

One great thing about the IGF is that you can get your hands on to the report, so I've got all sorts of reports here and I looked through them to see if I could find statistics that also give us an indication of technology influences on peace.  The global state of democracy report tries to quantify peace with a different measurement, and it becomes in my quick evaluation, looking at how new technologies influence democracy, it's inconclusive.  It provides opportunities, but it also provides threats and brings up vulnerability so that didn't get me far.

I looked into a website I heard about this morning called EU‑versus‑disinformation.eu which is an online report that has running numbers about disinformation.  For instance, 6, 500 foreign Twitter accounts promoted the labor committee in the last UK elections, that's interesting and clearly, we could draw implications about that.

And also, for instance, the Russian Federal Budget for 2020 shows that state‑owned media will receive 1.3 billion Euros next year which is a big jump from current funding.  Some of us may have opinions about government‑funded Russian media, and will this influence peace, I'm not sure.  This tells us that influenced campaigns are definitely taking place, but how do they ‑‑ how do they influence peace?  Also, military numbers might tell us something like approximately 10 countries have been developing ways to use the Internet as a weapon, but have they been successful in increasing or reducing peace?

Any case, these are various numbers that we can go on and look at the new UN Resolution on Cybercrime that received the majority support, but also many argue that such a measure will just influence state‑backed Internet control.

One thing that we are very passionate about is the Paris Call for Trust and Stability in cyberspace and why we have enthusiastically counted the number of endorsers which reaches over 1,000 endorsers from governments, Civil Society, and industry, the number alone is not what will influence peace.  It will be the actions taken to implement the nine principals of the Paris Call that I think will bring about peace that is unfortunately not so easily quantifiable, so I suggest that you look at quantitative measures for your next global peace index that will influence peace and how technology feeds into that.

So, I'll quickly close my remarks and I really appreciate having the opportunity to even briefly touch on these points.  Thank you.

>> SERGE STROOBANTS:  Thank you very much for being brief.  I think it's appreciated.  I mean, of course, we presented to you a complex index of 23 indicators and 23 families so much more than just think tank although a part in the family called to militarization and maybe an answer as you just said and of course about the remark about Ukraine being one of the largest improvements last year, but being if what's happening in Cyberspace today will have an impact but maybe not a direct impact, but this will be measured I would say on the more mid and longer term where levels of peace will go down.

We have seen in the past decade that the only family of indicators that where we see ‑‑ where we saw a clear decrease was the family militarization, so even if you have this idea, especially in the world that we are weaponizing, 2% debate with NATO and the, yeah, militarization again or creating European Army, globally we're going down with these figures.

Clearly we have seen that Cyberspace is potential to destabilize because of the forced racial and maybe balance and deterrence can be a problem with capabilities in Cyberspace, and the think from IAP or peace perspective is that we are actively continuing the research and trying to find those indicators and datasets, the definitions that we need to develop a peace index that has a focus on Cyberspace, and we were the first ones to sign the first Paris Call in there so we will always remember that also.

We're quite late after, but I think that the interventions were quite extensive and really went into the details of whether a we wanted to discuss before, so if there is like one question that I really need to ask, please feel free to do so, otherwise I would also be pleased to close this very interesting session and thank, as I said in my opening remarks, this very distinguished and diverse panel.  It was really an honor and privilege to moderate this intervention.  Thank you very much.

Any incredible questions we need to answer?  Yeah.  There is one volunteer.  We take one question and then we go from there.  Yes?

>> AUDIENCE MEMBER:  Hello, everyone.  First of all, thank you so much for your remarks.  My name is Kyle.  I am a cybersecurity researcher at University of California San Diego, and I would like to make a very provocative thought right now, and one of the problems that we usually face when we are trying to understand cyber and how cyber will actually affect political science and because we're actually at the intersection between these two major scholarships, is the definition of outcomes.

What I'm trying to say is that, basically, when we see, for example, an economic intervention, we can see, we can measure, and we can actually touch the outcomes and that's why there are 1,000 papers on different kinds of interventions.  One of the biggest problems that we see in cyber is that, and this is our discussion there, which is the outcome for cyber is not clearly defined.

For example, some states like, for example the United States, actually considers a scan, a simple scan as a cyberattack.  Others don't.  And my question to you is basically the following.  Do you really believe that this is one of the problems that we are facing when we're trying to tackle like, for example, measures or reliable measures when it comes to cyber, or do you think this is just academics trying to be perfect and at the end of the day, they're looking for stars.  Thank you very much.

>> (Speaking off mic)

>> SERGE STROOBANTS:  Yeah.  Free to engage with us after the session.  We will still be around, but we need to close the session because there are more sessions to come or activities afterwards.  We will answer this question and then wrap up this discussion.  Who wants to go first on the question we received?

I think the question was that all attacks can't be classified equally, like some countries are saying that even a very simple scan is an attack, right?  Is that what you're saying?

>> AUDIENCE MEMBER:  What I'm saying is basically that since there is not a consensus on what kind of outcome we're looking for, we're still ‑‑ we have problems trying to understand what the problems are, in essence, like for example, are we looking at hack, are we looking at data breaches, how are we going to measure data breaches, how are we going to measure hack, how are we going to look at all of these things that are going on, and how can we translate that into policy, into action, basically?

>> SERGE STROOBANTS:  So, basically, if it hasn't caused substantial harm, can it be classified as a cyberattack.  Right?  Like is there a definition of what constitutes an actual cyberattack is what you're saying?

Well, I don't think there is a definition.  What do you think, Liga?

>> LIGA ROZENTALE:  I'll quickly comment on the view from Brussels since I work in Brussels and look at EU legislation on cybersecurity and this is a bit of a ‑‑ we have an easier framework to look at since we have EU legislation on cybersecurity through the Network Information Security Directive, and that assigns all EU member states to define what an attack of significant impact is.  Then 28 member states had to impose this legislation and define for themselves what is an attack of significant impact that digital service providers need to report to a competent authority on.

And this is, I mean, it only supports your point that it's difficult to determine what we're even looking at because even with legislation and definitions of an attack of significant impact, it's still difficult to determine what meets this criteria and what doesn't because if you put financial indicators on it, what are you counting?  And if you put a scope of users, what kind of users and how do you define the user, how many people you're looking at, within what geographic location?  It's quite difficult.  I don't have an answer to your question.  I know in the EU, we try to define these things through legislation, but it's quite difficult.

>> SERGE STROOBANTS:  I think the easy answer to your difficult question is what's happening with cybersecurity, let's call it like this, is a global problem that needs global solutions, and therefore I think it would be a good idea to create a global digital peace index, at least, to identify a definition, indicators, and datasets that we could use to feed the indicators.

And by saying so, I wish you all a good evening.  I think there is one more day tomorrow for this forum, or even two more days I guess, so I will have to leave Berlin tonight and I guess some of us will have to leave Berlin tonight also, so we need to go and take the Uber back to the airport also.  But we will be around for a couple of minutes more, so you have if you have any burning questions, please come visit us.  Thank you again to the panelists and thank you to the audience, and I would say fight for peace anywhere, not only in Cyberspace.  Thank you very much.