IGF 2020 – Day 12 – WS346 A Recipe for Deterrence in Cyberspace

The following are the outputs of the real-time captioning taken during the virtual Fifteenth Annual Meeting of the Internet Governance Forum (IGF), from 2 to 17 November 2020. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 




>> Hello.  So we'll be starting the Livestream service in three minutes.  So we can start on time.  Is that okay?

>> JOHN HERING: Welcome to the IGF 2020 session, a Recipe for Deterrence in Cyberspace for what should be a rich discussion over the next hour and a half.  My name is John Hering.  I'm on the digital diplomacy team at Microsoft.  And I'll be moderating the discussion today.  We're joined by a wonderful panel but with scene setting remarks to get us going and talk about motivation for the discussion we're going to be having here today, effectively after a decade of escalating cyberspace increasing numbers of sophisticated hacks on a geometric scale year‑over‑year, cyberspace has emerged as a new domain of conflict often referred to as 5th domain of conflict.  And over that same period of time we've come to rely on cyberspace more and more for everything in our dailys of lives.  Underpins out critical infrastructure.  It underpins consumer products and everything we now use to engage and ‑‑ of course this is never more true than during the pandemic and time of COVID that we're all navigating and which has brought us together in this virtual format today.  And this sort of twin pressures that are escalating conflict and usage of this digital space are forcing us to rethink the top box of statecraft is to meet some challenges, unlike other domains there are overlapping responsibilities in cyberspace that don't exist in air, land, sea, and space.  So this is why IGF is so important for facilitateing this critical multistakeholder conversation and why we pulled together experts from government, from policy, academia, and from the private sector to share their perspectives on this escalating and challenging space and what a way forward might be. Before we go further, I'd like to turn it over to our panelists to each introduce themselves and which organization they're here representing.  And then we'll dive into questions.

Maybe Joanna, I can go first.

>> Joanna Swiatkowska:  I'm director of cybersecurity specialist at UBS.  But prior to joining the company and private sector as such, I spent 10 years being a member of a think tank and be community.  I worked as Assistant Professor University of Science and Technology in access information being responsible for critical research.  And as for the think tank involvement, I initiated and served as program director of cybersec being organized by the institute Polish.  So just to also speak a little bit about the substance of my professional involvement currently I'm mainly focusing concentrating on the risk management from cybersecurity perspective but in general I analyze the influence of emerging technologies on geopolitics and national security.  Happy to contribute to this very important discussion.  Thanks.

>> Jon Nevett:  Chris, over to you.

 >> CHRIS INGLIS: Thank you, John.  Thank you for the venue.  I'm Chris Inglis.  I represent the United States Solarium Commission today that was a Congressionally authorized or established commission that worked over the last year and a half to develop a strategy for the United States to achieve deterrence in cyberspace about which we'll talk about today.  I'm also a professor and the Naval Academy in cyber operations, cyber science.  It's a field of study for us at baccalaureate level.  And I worked for NSA where I was chief operations officer in charge of day‑to‑day strategy and operations.  Pleasure to be with you.

>> Katherine.

 >> KATHERINE FOX: Thank you.  I'm Katherine Fox.  I work at U.K. Foreign Commonwealth and Development Office that's Ministry of Foreign Affairs.  I spend a lot of role talking to other governments so I'm pleased to be able to speak at multistakeholder events today and cyber colleagues who come from different backgrounds to mine.  I think we'll gain a lot from hearing different perspectives A.nd so I am a diplomate. 

And you might wonder why is a diplomate speaking at a event like this?  I've not worked on cybersecurity or policy issues at all.  We take the approach that if states are caring out activity against other states it's what we would call international relations so I spend a lot of my role explaining about how cyberspace same principles apply as any other sphere of international are lations I led the development of the U.K. cyber deterrence approach if you're talking about classic deterrence perspective it's about punishment. 

National Cybersecurity Center is a lot of work, and we apply government approach on Internet cyberspace and recognizing that no matter how good our defenses are some cyber attacks are going to get through and this is an international problem.

So our solutions also need to be international.

>> JOHN HERING:  Thank you, Elonnai.  Over to you.

>> I'm Elonna Isabella Henriques Hickok:  And I'm from Carnegie.  I was COO of the Center for Internet and Society which is research organization based on I think you know the topic of cyber at the time convenience very complex and evolving.  And I'm really looking forward to engaging with the panelists today and finding ways to do discussion.

>> Frederick.

>> I'm Douzet at the French Institute of Geopolitics at the University Paris in France.  I'm also director of G0 politics of the data sphere, a research information accessibility center within the Paris 8 that is one of the label of Center of Excellence by Minister of Defense.  And I was part of the global commission on stability of cyberspace which made recommendation for norms for responsible behavior for states and non‑state actors.  And I was involved in the drafting committee of the strategic review of defense and security.  And I'm now sitting in defense ethics committee.

>> JOHN HERING:  Thank you again.  It's a privilege to have you here for this important and exciting discussion.  Before we dive in, I want to remind us the format is going to be structured in equal parts as a moderated panel discussion.  With our speakers and then also healthy dose of Q&A.  So throughout please identify who you are and use that Q&A box and function in the Zoom platform to ask questions.  I'll be curating those and circling back to them in the latter half of the discussion and get to as many of them as we can.  We certainly want to take advantage of all the expertise in the room not just those on screen.  To our panelists this is ‑‑ I have a set of questions we'll be running through at the outset here.  Directing some of those at some of you individually, some open to anyone.  But all of the questions are intended for all of you to speak to as you see fit.  Please don't lean on the mute button too much.  And we'd love to hear from all of you on of it.  As we dive in, I think it's probably best to start with proposals and begin with level setting conversation when we mean when we say deterrence.  This is a loaded term and has meaning for a lot of folks without a grounding of what it tends to suggest as it it's developed over the previous generations.  We're going to be talking about deterrence in cyberspace but does the term deterrence mean in geopolitics.  And I might ask you, Frederick and Elonna Isabella Henriques, to jump in first.

>> What it means in the general definition is the ability to dissuade subsomeone from doing something from taking action by making them believe that the cost to them will be more important than the potential benefits that they might get from this action.

But it's ‑‑ so it's a psychological process that rests on the perception of actors and what it means for different actors might vary.  The problem we have with the concept is that it's understanding is really closely associated with nuclear disswayings and security pairings of the Cold War.  And, if you look at what's happening in France, we don't even use the term ‑‑ we only have one word which is dissuasion.  We don't have the word deterrence.  And this is exclusively used for nuclear.  So we don't actually use it for cyberspace so we don't really have a word that conveys that meaning applied to cyberspace.  And in fact, there are recently the director of the Acts of Cybersecurity restated on a message that best defense is defense.

So we have the classic work and we talk about Thomas Schilling argues in the nuclear capacity the capacity to harm another state can be used to influence another state's behavior so you prevent state action by the fear of the consequences.  So to be successful, classical deterrence here rests upon the threat of punishment of an action and also the denial of gains.

Marketing says deterrence meets two criterias.  First is that punishment needs to be sufficiently painful so attackers actually believe that they will be worse off after punishment which means the higher benefits of the attack, then the most difficult it's going to be to deter the adversary.  But the higher the cost the more likely the adversary is to be deterred.

Second criteria is that it needs to be credible, credibility of the threat is probably the thorniest issue for strategies.  So this understanding inherited from the Cold War tends to remain prevalent among actors.  But it is ill‑suited for cyberspace.  It has a number of takes, and I'm not going to mention them all.  I think we will talk about it during the session.  I will underline two main reasons.  First is that it requires attribution capabilities and we know that attribution in cyberspace is not always possible and not always fully reliable. 

And the second reason is that there is a great uncertainty associated with cyber attacks and thus, great difficulty, making the threat dissuasive.  This process can be slowly and ethics are hard to predict with certainty.  All this led to a broader understanding of the concept of deterrence beyond this whole threat of punishment. In the broader sense deterrance is a total cost gain expectations of the party to be deterred, which means that what is likely to deter an adversary is not only punishment but possibly it would be a reward.  It could be the prospect of losing moral standing.  And, therefore, losing political clout in the international community or within its own country.  It could be economic or political costs, which includes of course the risk of punishment.  But other political costs possibly.  Pdf in the states.  And we all know also that technology, the cost is cheap.  The barrier of entry in cyberspace is not the same as in nuclear weapons, but that doesn't mean that this cost cannot be raised to deter attacks.  So that's the idea of defense by denial that will most likely deter not deter the most advanced states but possibly others.

So this understanding of deterrence means that the use of force is not the only deterrent we can be more creative in a potentially less way.

Another couple points rapidly is that I mentioned that it's a cycle process that rests upon perceptions and there is no silver bullet as a result.  There's no single recipe of deterrence because it's very context dependent because geopolitics matters which means that what will deter a specific add share might not work with another adversary and depending what behavior you want to deter, the recipe might be different and then also there are state actors but also many non‑state actors in this field for better and worse.

And then second and last point is that it's important to think more broadly about deterrence than just threat by punishment because there are a number of risks associated to threats by punishment and this approach to deterrents and encouragings proliferation in cyberspace of offensive tool and that raises what I think a systemic risk and this systemic risk is in some aspects nuclear deterrents risks and some aspects a difference because we have independencies in cyberpace space.  Interconnection and interactions between different domains.  And the proliferation of offensive tools I believe can hurt the stability of cyberspace and can pose great damage to the Internet and we have to notice that we have a lot less control over offensive tools than we may have had over nuclear weapons since offensive tools in cyberspace can be lost, stolen, copied, reengineered and reused because now our society is rely in many as inspection on cyberspace space whether it is for development of our economies.  But we've seen the context of the pandemic hospitals and all kinds of infrastructures.  So what happens in cyberspace doesn't stay in cyberspace.  It can destabilize and try societies.  So for these reasons they've proposed multidimensional approaches to the deterrence and I'll let Joanna explain.

>> If you wouldn't mind telling us about deterrence. And what are ways that actors can be deterred in general non‑specific to cyberspace?

>> Yeah, sure.  Let me start by saying that even from what we've already had Frederick we can clearly see that the debate and especially on deterrence is assumely important and challenging, as we can clearly see we cannot even often agree on a commonly accepted term what it means or what that is all about.

And I guess that I think it's really important to understand why it is like that and I guess that the complexity of the problem andambiguity is the problem itself.  We're not talking about one tool.  We're talking about multi dimensional tools.  And I'll gladly elaborate on that further on.  But it's important to understand also that the debate on cyber deterrance involves many stakeholders.  And they're bringing their own stakeholders and agendas meaninging that if we're talking through the representatives of the national security environment, when we're talking about private sector we will have different perspectives on what cyber deterrence really means and last, but not least as Frederick mentioned we in a way tried to transplant old‑fashioned ideas come from the colds war era into a new reality without keeping in tools would be valid but we need to adjust them to completely new reality.  So I guess that I mean we have to agree that cyber deterrence brings lots of promises and really beneficial when we're talking about how to maintain stability?  Cyberspace but we need to out a little bit be a little more pragmatic.  Maybe for a seconds leave aside our semantic differences because we should focus in my opinion at the goal deterrence and we need to be pragmatic in order to discuss how to actually make it work.

So coming back for a second to the definition that Frederick mentioned main goal of cyber deterrence is to reduce or prevent ‑‑ in cyberspace by cost allocation of aggressor.  I think despite what we tend to think.  And this is exactly what we inherited from the cold era.  We can alter behavior by not only increasing costs but not punishing the right but also we can impact the reward part of the equation.

Meaning that we can do it again in a couple of ways, we can diminish the reward coming from aggressive actions or we can increase the reward for not doing something.  Right?  What I'm trying to say is who have flavors of cyber deterrence.  And we'll be successful only if we use the full menu of options.  Now coming back to your question about what types of instruments do we have at our disposal.   Let me please refer to the concept that is presented by Professor May mentioned by Frederick also because he speaks about at least four strategies that we can use in order to when it comes to cyber deterrence.  First strategy this is something we mentioned already.  This is threat of punishment.  But by contacting retaliatory offenses and different nature.  Kinetic operations but also of course put dipllmatic actions so on and so forth.  Again, this is something that comes to mind when you're speaking about deterrence as such.  And indeed to my face when you're talking about cyberspace this is very important instrument because one of the problems that I see in cyberspace is the existence.  So we do need to explore this strategy and to be honest, it's quite interesting it's been only recently to put in practice but we were speaking about it later on. 

Second is the denial by defense.  And to my taste, this is truly underestimated strategy.  I know that is tempting to speak about punishment capabilities but really like the essence of truly working cyber deterrence is really connected with we will develop our capabilities and increase our security posture, how to build resilience and also how our ability to recover from cyber incidents because at end of day if day if we're talking about calculation by increasing defense we can convince our adversaries that it's going to be too difficult for you to go after us, right?  So we are both increasing costs but also diminishing reward.  To be honest for many years it was just easy to attack this.  I think really forgot about basics, building security.  And you know it's like there are many tools that we can use and discuss And I'm happy to do it later on because we speak about regulations and bottom‑up initiatives also conducted by private sector.  We can talk about initiatives that are truly designed to do exactly that, to increase our security.  So that strategy is related request norms and responsible behavior and we are having great specialists who I believe will be able to speak in it a way about this particular strategy.  Nevertheless the essence is that we are establishing rules of responsible behavior and we're stigmatization and punishing those who are not following.  So this is the strategy and very last one.  Strategy related with entanglement and it boils down to the fact that we're all interconnected and interdependent and especially true as we're moving to digital economy and so on and so forth.  So the idea is to attack simultaneously will impose not only on victim but on hostile side, too.  So it's only rational to self ‑‑ in the self‑interest to self‑restrain from connectivities.  To be honest, this is an interesting strategy but I have to be very frank.  I'm a little skeptical recently if it's going to work because I mean a few years ago it would be ‑‑ unimaginable to think that we can let and allow Internet fragmentation to aoccur.  And yet we're doing that and even political decisions coming from various sites actually that are pushing us towards this scenario.  So I guess this is another important element that can be discussed.

>> Thank you both so much for giving us a rich foundation and having deterrence to think about dissuasions and that balance between cost and benefit I think underpins. 

Broadening to our other panelists, I might just ask a question I think was alluded to already.  Do we need this in cyberspace and as an add‑on to that and something I was thinking while Frederick was speaking who are the actors we're talking about here?  Are they the same as actors as we refer to them in other domains of conflicts and previous versions or iterations of deterrence strategy?  And so either to Ellonai or Chris.

>> CHRIS INGLIS: So I'll answer your questions in reverse order.  So who are the actors in cyberspace that we care about when a deterrence strategy?  Everyone who is in cyberspace whether that's an individual user or actor who is in a nation state all of them because if it is about influencing behavior then every collective behavior matters.  In the United States we like to talk in slightly different terms but mean the same thing like to talk in terms of using market forces to influence behavior in the various activities that humans undertake.  So, if individuals understand there are benefits that are the consequences of good behavior and cyberspace, they will behave well.  If all entities believe there are negative consequences, they'll behave well.  Education and influence needs to be applied to everyone and to the few who actually have cyber in their job title.  As to whether deterrence is useful, I think the answer is by default yes.  Because what we're doing is influencing human behavior we're, therefore, trying to create full benefits and promise of cyberspace and because human being still still remains the point and most consequenceal element, it is therefore, not worthy but necessary.

>> I considered myself a practitioner.  Someone making a decision as colleagues have already said how to use a toolbox and practice.  So I just found a descriptions we've had so far really helpful because though match completely my experiences of working conceptions of deterrents don't match and thinking about it in terms of that at risk calculus, often summarize it for internal audience as explaining it as a bureaucrat, I have sympathy with other hard‑pressed bureaucrats.  They have tools available that if you look back to 2017 is the high point. And perception was that you can use tools to achieve your political objectives and very little down side to using them.  I see my job as trying to give more reasons why you wouldn't.  To those who decided to use those at one point you talk to remarks about conception we have of modern deterrents.  We identify seven components.  Capability, agility, coherence, resilience, resolve and I see in the chat box already we're having attribution being the heart of it.  I want to challenge this.  Kind of you view attribution that is hard.  Some of the work I've done we'll talk about later.  There's actually a lot of information out there you can source that you can pull together.  And I kind of think it's cyber attribution is like a jigsaw.  A lot of people who see it will be like children with big wooden pieces.  It was easy to fit in.  It's a big jigsaw, loss of pieces.  Picture is the sky and clouds and something tricky.  You have to know what you're doing.  It isn't impossibility.  You can build up that picture and do through all sorts of information as I hope the U.K. government in particular has shown we're making more and more of that information available.  We're publicly attributing where we think it's in our interest to do so and one of the reasons is to demonstrate that it is quite hard as people think.  Yes, I've had to learn a lot of technical things in the process but it is possible even for a diplomate like me to get there.  Last thing I wanted to flag up is something we haven't touched on yet but I think is more important is actually solarium commission dater and resolve and your willingness to do something to try and change that calculus.  Cyber actives have and your ability to do that with others and your ability within your own government to be able to come to to that decision‑making process.  And I'll touch on those more with those concepts.

>> I would just add on to what Chris said when he said that stakeholders and actors are important.  I think it's really important to when you're crafting a deterrent structure to recognize that.  Map out your ecosystem.  And really think strategically about what role each actor could play towards building and making a different strategy effective.  And I would also say that something that I really like about deterrence is that it is proactive measure.  It is trying to prevent the harm before it actually happens whereby then as a state you would have to react and danger with reacting measures is sometimes they can be heavy handed and result in consequences and I think cyber deterrence can help to avoid those two things.

>> Finish out level setting whether we talk about deterrence in cyberspace or deterrence I would love if we could clarify for those in attendance do we mean that I am deterring this behavior in cyberspace or that I am deterring my cyber tools or some mixture of the two if you have a clarifying nose before, Chris, please pick up on the last comment and move on from there.

>> CHRIS INGLIS: So I'm going to try to build on what Katherine said which I completely agree with which is we wring our hands about attribution which is once more solvable than we would imagine and some case more important than we would imagine.  If we practice deterrence by denial, we're resilient and robust.  We don't need to know who it was that would have tried to work and do something that they would not do.  If efforts fall by way side, attribution of that did not happen.  That's less important.  If someone takes action inside your spaces and you have men's to protect that and knock it down, again, you're not as worried at that moment about attribution, maybe later to kind of render consequence you would be but you're not as worried.  And finally you can improve attribution if you do the prework that's there's better tracking and behaviors are and we can align those to those activities that are most critical while at the same time allowing for free play in areas where it's less critical but I don't think we constructed the system in a way where attribution works in our favor.  We let that .

>> I agree with what Chris and Katherine just said.  I would say because you asked whether it impacted our own action as well and I want to point out that no state so far has used its full power in cyberspace.  So so I think that's something to be noted.  And if and most states understand that there could be a real adverse consequences to cyber operations.  So that's the first point.  Second point is you mention misbehavior and I just want to react on this term because misbehavior could be a question of perceptions like what's a good behavior, what's a bad behavior.  And I think that's where the idea of norms and discussions become international really matter in cyberspace.  Where we're talking about good actors, bad actors, good behavior, we want to talk about common expectations of national community in terms of what is acceptable and what is not acceptable.  What is responsible and not responsible.  I think that's where norm are very useful in creating a consensus and creating a body of common expectations from the international community which create an incentive to respect expectations and therefore, be able to point to what is actually a misbehavior.  I think that's the very important step to building deterrence.

>> I think it's a critical point.  And thank you for highlighting.  Before we sort of get off distinction over what makes cyber deterrence unique, Chris, if we come back to you it's been alluded to a couple times when most people are thinking about deterrence in any space, what they jump to is usually a destruction that really wonderfully simple elegant and nuclear deterrence model that is characterized 60 some‑odd years of policy, in fact, cyberspace Solarium Commission you're part of I believe gets its name from Eisenhower era president in the U.S. in 1950s, a working group focused in ‑‑ Eisenhower, focused in nuclear age, how is deterrence in cyberspace meaningfully different.  From that jump to shared destruction that's what deterrence means, can you demystify that and formally frame us in cyber deterrence space?

>> CHRIS INGLIS: First Frederick would say wonderful template.  I wholeheartedly agree.  I would add to that that that mutual destruction is an extreme form of deterrence because of the unique conditions that the nuclear era gave us.  What is common in nuclear deterrence and other form of deterrence is that a central focus on a human being trying to influence influences, choices made by human beings.  But, whereas, in the nuclear worlds the weapon we're trying to manage human use of it is dominant when it showed up.  It was significant of loss.  It was game over.  That dominant weapon and high cost of entry and few players made it such that mutually assured destruction was rational and irrational strategy but it worked.  There were very few players.  Weapon can persistent.  The weapon cannot be kept off the field.  Constant presence is low cost of entry and many players and we have to apply a different set of entries to ‑‑ a constant skirmish in that space.  I won't say there will be no bad things happening in cyberspace but I don't hold out a lot of hope.  What we need need to do is use instruments of power available to us to have benefits and consequences to do this on international collaborative action such that if you're an in this space you have to challenge all of us to be one of us.  We've not done that in the past where we've had champions whether that's the United States.  We hold at risk that no longer works.  We need to collaborate through international action using that's the principle difference between how to work in cyberspace.  Please Frederick.

>> Yes, I fully agree.  I wanted to answer the question because I thought it was interesting.  Is that the right time?

>> Because he made a comment about the fact that if we want to pure security if I understand the question well, then you have to make it more costly everywhere therefore, cooperate in order to improve deterrence by denial by making it more difficult if not impossible.  That's true and the aim and if we were taking cyber security seriously that's what we'd be doing.  If they want to conduct operations not just in the context of military action but also in the Congress text of intelligence as everybody wants to reserve that's why it's true ‑‑ pivoting now to talking a bit this is metaphorically with clear signage about what you should and should not do.  Other meeting understanding of hot stove.  This is instance of cyber attacks in response to kinetic strikes in response to cyber attacks.  These this is common place and other forms of conflict this is expectations and Frederick jump in first.  This is something where we can benefit from a lot of different perspectives.

>> If you want, I don't know whether we have set of expectations.  There are great disparities across the world in cyber capabilities.  So it's not like you can expect some of the states that have limited capabilities to act as super powers in terms of what they're going to be able to do, what is clear is that among the states that have developed the most advanced capabilities, cyberspace is regarded as a new field, a new military domain.  And a lot of states, including France, have stated that they are developing cyber weapons and they'd not be shy to use them.  Alone or in combination with other means of action if it you're talking about expect aces of military action, we can expects all the states that have developed capabilities to use them in combination with other means of action in the context of military action and it obviously, revelations I've shown they have means to use.  I think this is in the process of being constructed.  And states recognized that international law and cyberspace, I think the consensus report of the governmental experts in 2015 has also create advanced in terms of a number of behaviors off limit.  There's still and your own building measures.

And red lines and responsible behavior in cyberspace.  We're also seeing that the geopolitical strategy competition between powers is also happening at the United Nations with competition for starting is quite complicated right now but I think that should be a goal. 

>> ELLONAI:  Just to add on to that, you have an evolving set of norms ant international left and at a national level different states starting to take different steps at defining red lines and the question about red lines lines can be controversial.  Sometimes there's an advantage to not having that clear mind in cyberspace.  Really important that states really out that sharing of expectations it makes the whole idea of deterrence and deterrent strategy difficult to implement comprehensively.

>> Build us into the next part of the conversation. But Joanna if you have a response.

>> Yeah, I'm sorry, I guess this is like a discussion in the essence, this is a tricky business because I mean, rid lines I guess that is tempting to and when it happened, across them‑‑ let me refer to what why there is logic maintaining ambiguity on red lights.  And decided that cybersecurity is at the heart.  So basically they said we can activate article 5 as a response to cyberattack.  It was confirmed in 2016 during the NATO sum where we agreed that cyberspace we sent a clear message.  We're being serious about cyberspace and cyber stability.  But saying it will always be political.  Decision whether the read line has been crossed or not.  Whether it's the sake of being effective.  So stick to this ambiguities.  Response in a more flexible manner.  It then will allow us to pick and choose from the whole ‑‑ so...

>> FREDERICK:  Can I just react quickly.  

>> Red lines need to be pushed because politically we're not sure we want to go there.  More importantly, I think states are reluctant to say this is my red line but we've been encouraged to do U.N. processes for some of them is to publish their strategies to the way they apply international law and how they understand it and how they might react to a number of indications and that transparency effort is really important to have a boater understanding of the field and more common expectations.

>> John:  I know a number of states have had that.  Chris?

>> CHRIS INGLIS: I'm adding to the conversation which I agree with.  And activities or discrete lines but on behaviors.  Because in cyberspace the distance between a threat or a bad behavior and some negative consequence is sufficiently small and finite in time that you can actually manage the distance between those two.  So, if you had a nation state for example that has no control whatsoever over its citizenry and there's lawlessness insider space that is tacitly approved, that should be something we look at an impose a consequence that there be benefits or consequences that apply whether you're an individual or nation state regardless of crossed the line.

>> A question I had is maybe I'll ask this and have your thoughts on Chris's point and others.  I do want to start drilling down into what are the existing mechanisms and structures that are being deliberately built and we heard about a few multilateral level at U.N. or NATO.  I'd love to hear about the U.K. government's approach to this issue space as well as the broader work of the European Union's cyber deterrence toolkit.  I'm sure a lot of us heard through widespread reporting about cyber sanctions regime and efforts that have taken place but I understand the toolkit is more expansive and robust.

>> I won't say whether it was right or wrong but with the UK government at the moment, some cyber actives, sites are clear what we think about particular behavior.  We made that clear in public statements.  And I think it's fair to say I wanted to challenge focus and behaviors.  And perhaps we'll come back to it more when we talk about effectiveness, one of the issues I get challengeds with quite a lot is if you're defining behaviors sort of acting against a specific target, I think you can do that in a very responsible way.  You can do it in an irresponsible way.  If I don't know we were to pick electricity grids or TV broadcasters, there are instances where you could target that in accordance with international law in a proportionate way to achieve a legitimate objective and there are instances including real life ones which the U.K. government said, that activity we do not think was acceptable.  (Katherine) I just want to caution a bit discussion for behaviors but perhaps we'll leave that for now and come back to it which we talks about effectiveness.  We talked a let already about toolboxes.  Been helpful they've been put in context and flagged up how important they are.  U.K. has encouraged and introduced ourselves to introduce a cyber deterrence toolkit which we think consists of a on when to applicantly attribute and how to govern through processes within government to do so.  Policy nd procedure on responding so that you have a sense of how you will take decisions and how to factor them into account.  A menu of consequences so that you know what you have in your toolbox to deploy.

And to issue political statements on your deterrence approach on how international law applies in cyberspace before you already heard countries have done that.  U.K. was one of the first to do so.

The reason that we suggest all of those goes back to where we started at beginning of the conversation that it will involve a lot of different interests across the government.  So having a process for how you bring those together can help you have capability and the ability to take those decisions and the coherence to use the capabilities available to you.  But it also helps with international cooperation.  We've been encouraging countries to share those toolkits so we can do that and we've seen this activity and we think it's about responding in this way.  What do you think?  We're not quite sure nuts and bolts on how governments work but it is quite important as has already come up in conversation speed in which we do it, ability to respond.  The EU was one of the first to put its toolkit in place.  It is publicly available.  It isn't always that easy to see the way EU documents are written exactly what's available in the EU's toolkit but EUISS have provided helpful document which summarizes the approach.

There are coming sequences is that begins at statements and finishes the line of armed conflict threshold is in there.  And mutual defense clause, mutual responses are at the other end of the spectrum and in middle we have statements of capacity building, joint investigations, formal requests.  You also have cyber sanctions.  So I think it's really helpful for other countries where UK is no longer in the EU and for us to see how the EU might be responding so that we can have a talk about those collaborative approaches.  Also asked about the EU sanctions and UK is applying them at the moment to intend to continue applying them after that transition period.  At the end of this year we have that coming on.  EU introduced a package which shows focus on behaviors.  I think while it's perhaps no surprise if you do the material you're probably familiar with the names of people and entities involved, it does show solidarity and resolve.  These had to be agreed unanimously.  It's important to stress in one tool is going to have an impact and these need need to be part of AP10 Chinese intrusion set for example, governments including our own have raised private and kept on raising it in private.  Publicly attributed what has happened there haven have been advisory issues in establishing details this isage attack against service providers so using again a lot of interest generated by government statements is how if you're a service provider you can protect yourself against these attacks, there have been law enforcement responses and technical responses.  Day marches and in July of this year, the EU sanctioned.  So I think it shows how you can put together that package.  I'd flag up many, many people on this said it couldn't be done.  You can't find the evidence to support it.  But I think it's as much important the deterrence comes from it can be done.  We've got travel bans.

>> That's one of the ominous suggestion of the cyber age, "That can't be done" for good or ill.  Chris, picking up on what Katherine just pointed out which is this past July that EU as part of its sanctions sanctioned six individuals and a ‑‑ six individuals and have not petty attack.  But as an aspect of deterrence and sort of on the other side of the coin last fall in 2019 the U.S. State Department releaseds a joint statement on advancing responsible state behavior in cyberspace, this was signed by some 30 countries and includes language seems fairly heavy handed but deterring that role by action.  Can you shed light on the thinking that you suspect or know that the U.S. has been pursuing and spearheading this effort and what it comes.  It was signed by upwards of 29 or 30 countries.  But I'll give a slightly contrarian view.  When you read the document even its title starts out with leading with promise and talks about how we leverage the positive benefits and it talks about bias to defense stability order.  And free open and secure Internet.  Human rights perhaps being sell rated and defended before.  This is in contrast to what the Russians have been arguing for which is disconnect and we create isolation as a means of defense and this may be a strategy that's unsuccessful but deny benefits to populations of free open and connected Internet and a fragile solution.  This is a positive move that says let's gather together to create an international consortium and focus on benefits to align consequences both negative and positive.  The four end points of deterrents have been described include deterrents by denial.  Cost and position and entanglement, all of those show up in  this document.  And if it's anything, it's a positive view of what we can achieve of benefits with cyberspace we align benefits with actions.

>> Actually sticking with you, Chris, and going from the theoretical and talking about the work of the Cyberspace Solarium Commission, you state a fairly comprehensive and summative report I believe last spring it hasn't been posted in the chat but we should share it with folks in attendance and that's an outline of approach that's called learned deterrence which you've been encouraging the U.S. to don't and share the key tenets of that program and how it's envisioned to work and how what we've seen pursued in the past.

>> It is largely consistent with the conversation that's taken place thus far in this forum.  The Solarium Commission was chartered by the U.S. president so as a matter of law was supposed to develop a strategy for the United States in cyberspace and the goal was to prevent attacks of significant consequence.  We had realized.  Think weren't, 2017, 2018.  And we determined deterrence was not working, but we believe it can work.  It's built along the lines of what we discussed  in this discussion.  The three layers that are described from this strategy section are to reshape the ecosystem to describe what those norms are and what the roles and responsibilities of individuals, collections of individuals, private sector T government sector, governments plural.  Set expectations, practice denial.  And be prepared to impose costs on actors who transgress those norms.  Use all remedies and instrument of power.  We think in in realm of something bad happens in cyberspace we use a tool as has been indicated earlier that's not the best tool.  It's certainly not the only tool so we need to use all of them.

I would caution that this set of actions would turn out 80 actions many of which require legislative remedies within the United States but significant proportion of which will be created and installed this year.  Dependent on the concurrent and overlapping application of these.  In the chat section norms without consequences have no consequence whatever.  I agree.  They must be concurrently applied.  They must be married to the consequences, must be done in international context because we're not depending individual patches of cyberspace.  We're not defending individual domains, this is hugely connected enterprise not as a public/private international collaboration, we will surely fail as World Economic Forum done before.

>> I want to ask someone a question that I think links well to what Chris was just saying.  Moving conversation forward.  We're running short of time and I want to make sure we have enough time for Q&A.

  I want to pivot off the conversation of what governments can do on their own and what structures are and talk about what cooperation is needed in cyberspace to bring systems and structures of deterrence to bear.  What types of collaboration are responsible for structures that underpin cyberspace and where do we see partnerships currently existing and where do we need to build them more robustly and even well beyond civil society.  I put that question out there, I will go to you first, Frederick and respond to Chris and follow up and anyone else who would like to jump in.

>> I think I can mix the two because I think what's interesting is that the Paris that was launched by France in 2018 aims at exactly doing that and encourages cooperation at the international level.  So also with the private sector in order to improve the security and stability of the field promotes a number of principles.  These stability of cyber stability and public core of the Internet or the fact that operations by non‑state actors had back should be forbidden or protection of electoral infrastructure.  Because it's a domain shared between civil society and private sector and military, we have to work all together in order to protect the security and the stability of cyberspace so it has to be felt in terms of multistakeholder governments but also security.  I don't think we can do that alone.  One point I'd like to ‑‑ and by the way, it would be great in the United States signed the Paris call as well.  I wanted to react about US strategy because there's something I found troubling because I think we talk about the fact that we talk about credibility and I think it's also important to understand reciprocity and this environment and that is do promote norms are also strong on respecting them.  For the United States for persistent engagement that I find dangerous and particularly with regards to the respect of the norm about not causing damage to critical infrastructure and idea of persistent engagement and cost structures in order to be able to strike.  And we can do it too.  I think the actions that states can have can turn behavior of other states.  And we know that for example and we've learned something from this attack.  And my point is that it's important to and set an example and if we want these actors to respect those norms.

>> And this is a model that we practiced as an alliance for quite some time.  And perhaps to our east.  To defend forward is not about imposing some provocation or chaos without justification.  What if is early discernment and early action against a true threat.  And if it is anything other than that it is a provocation.  It is an offensive action.  The analogy that's often used within the United States is (Chris) the concept of an archer who holds innocent parties at risker by firing arrows at them.  The choice is to either catch the arrows, which is difficult, or to knock the bow out of the archer's hand.  Defend forward process says we reserve the right to knock the ‑‑ out of the archer's hand.  Whether you go further to do punitive action on point of archer that's proportionality but whether you choose to catch the errors owes or knock the bow depends on the archer.  Defend forward is just that.  A defensive mechanism that tries to arrest a provocation at the earliest possible moment.  To do anything else is, as you would suggest, provocative and aunhelpful in the coalition of nations.

>> We talk about what is the necessary partnerships if any, what role does industry, does civil society, do other organizations that are non‑government play either in some of the methods of deterrents we've been discussing here or some deterrence by not the benefits of other types of deterrent methods.

>> Joanna:  I will try to take this one.  I cannot think of different ways of speccing from perspective of private sector but to see security as a part of our business strategy, this is our responsibility to our customers.  This is our commitment and only to them.  This is actually sectors, businesses which I'm not only responsible responsible for the environment to be honest, this is always a job that must be done by the company and also a responsibility to work together to make the whole ecosystem and things that have been probably leader here and there through the whole conference but very basic means of information sharing.  Like exchanging best practices and recommendation this is something that must be put in place.  There is also another angle I'd like to highlight.  Also the responsibility of the vendors.  We are all consuming digital tools that are being delivered and I guess that if we're talking about effective deterrents we must acknowledge one simple effect.  Security by design.  Security by default.  Being emedded from the beginning might significantly help to establish much more better security posture meaning to translate into well working strategy meaning defense.  So I guess seriously remembering about very basic elements must and should be spectacular.

>> Katherine and then Chris.

 >> KATHERINE FOX: I didn't want to start on this because my perspective is fair narrow, I've heard punishment as government perspective.  The more information that's out there in the public domain about what the threat is enormously helpful to our work.  We use a huge amount of industry reporting or what the threat is, where it's coming from to help countries understand that.  And increase the willingness and resolve that are often underpins EU sanctions which need to be based on information.  So given it's quite broad audience today, I just wanted to say huge thanks that is making a material difference.  No one seems to full together in an easy to understand way that if you haven't been following for 10 years means you sort of understand where this bit fits in with the background and anyone wants to help fill it we're trying to do it.  We really rely on partnerships with our industry and material to do government sharing.

>> Chris, over to you.

>> CHRIS INGLIS: I was just going to comment on the remark made about holding governments accountable.  Governments need to exhibit best practices blind rider they impose that on their citizens or industries and address what the government must do and also talk about a concept called holding final goods.  And that's complete for primary features and processes but for the security it's accountable across the life of warrant warranty.  We believe we should hold final guesses and establish that point of concentration accountable for security.  If a known patch comes up it's part of a whole, that's a useful place to inject that back in the system so you achieve leverage.

>> Those kind of protections having vulnerability, handling polities and places is UK and US pioneered as well.  Those are critically important pieces of that recipe as well.  Taking my moderator hat off for a moment there.  But to move the conversation forward and turn questions that we've had in the chat which are really robust and far ranging, I'm going to start with one that we had earlier on that picks up on this important discussion that is across the digital divide and bringing in more capacity building perspective and thinking about examples that are being set, most discussions are sort of framed sort of tensions and praises among big guys and 5 plus a few, precedence they make and how they handle situations.  Developing offensive capabilities are taken up by some of those.  In conflict where cyber escalations decisions made by cyber powers towards U.S. and U.K included.  When backlash being copied by developing countries and how do we think about that precedent setting goal and how it pans out downstream.

>> FREDERICK:  If I may, I don't think we think enough about it and think about something also the consequences and that is only one aspect which is the fact that the tools can be used or concept can be of tack can be copied but tools offensive and increasing and , therefore, the level of the entire field I think the question about the consequences of one's act and potentially also share of responsibility when a tool is lost or stolen, should be of consideration and why we should start thinking in terms of non‑proliferation in this field.  And again in France that's a concept that's strictly used in nuclear.  It will be also useful to start thinking in terms of how can we stop the arms ration.  And because I do believe that is arms race and multiplication of offensive operations does increase level of sophistication for all the players.

>> I agree.  I would say the bias defense and there are many speak generally about many government organizations whose purpose it is to scour the Internet looking for vulnerabilities.  And make use of that technology.  Sometimes vulnerabilities are in the context of use of that technology.  Former should always be handed over.  This should always be given to the technology provider so they can essentially act as a rising tide.  The latter finding weakness in context is often a matter for equities review discussion of should we turn that over because if there's a particular nation state that would use that as a tool in their arsenal they may be just deciding to hold that because the only vulnerable party in the world is a rogue nation.  Having said that, I know problematic that is but there are arsenals being create bid every nation represented on this conference and we need to have the equities discussion that Frederick offers.  And we need to have a huge bias to say we should not reserve those for use by nation states but turn those over to the rising tide .

>> KATHERINE FOX: Perhaps slightly different perspective on this question.  I agree governments need to be better explained how we're doing and why we're doing it.  I think we're often better explaining to other governments about that.

And when we're considering options we consider risker of escalation, and bilateral relationship.  I don't think we do a wider perception about where this leaves a broader discussion.  I've spoken about some issues already so I won't repeat them now but what I haven't touched on it is I think a lot of how we are responding, how we punishing from that language is rooted in our overall response to that country.  Our geopolitical relationship.  Our bilateral relationship with that country.  And I think perhaps we need to be doing more explaining how perhaps something we're calling out in cyberspace and responding with in cyberspace fits into that broader overall strategy so it can be seen in that context more.  I touched on it before.  And mention on focusing on behaviors.  We're becoming better and I think we talked about red lines earlier.  U.K. government has set out very clearly what it doesn't think is acceptable and some specific instances.  Including for example intellectual property theft.  Affecting ordinary people's ability to everyday lives and we're targeting hospitals treating COVID patients are just some of the ones that immediately spring to mind but I think we need to do that next bit sort of why when we're doing that it is qualitatively different to do those countries and might look similar.  That requires us being more confident in speaking out about we're never going to speak out on the specifics of what we're doing because that reduces the sort of value of the capabilities that we have.

But more about sort of why we're doing and what purpose and that sort of proportional legitimate consideration we have to go through for any intelligence operation and scrutiny that's there and checks and balances and protections how that applies in cyberspace as well.  On militarization, I just want to challenge a little bit.  I think it's very easy for people to say cyberspace is becoming militarized and often people with their own agenda are people who might be pushing for a new treaty or to look at things in a particular way.  It's in their interest to say the problem is one area.  I think it's more helpful to talk about hybrid threats at the moment and we're being tested around those around those thresholds and where do you put the red lines, we are being specifically targeted in ways where particular ways to ensure it's difficult for us or we won't respond or does it turn the threshold.  All these other factors that come into account.    And it's helpful to see the testing there as arms race we've seen in other domains.

>> Chris, go to you just a moment.  I want to introduce another question to make sure we're getting through as many as possible and over to you to respond as I know you wanted to.  This picks up on the conversation we were having earlier about the need for multistakeholder cooperation and in addition to thinking about the cooperative relationships that do exist, what organizations, institutions should exist that perhaps don't?  And the question is there's a lots of agreement that attribution can be done but especially in this age of miss and disinformation.  Unless there's trust in an independent mechanism does it get reduced to a political game which it comes to the question of attribution and having authority to conduct the times of deterrents people have been talking about.  I'm happy to you, Chris,, or respond to this new question.

>> I wanted to build on Katherine's remarks just to say we've not talked in this discussion.  And I think we didn't have this in scope about the damage that's being done to human perception by the techniques, capabilities that cyberspace employs and are leverages by bad actors.  We have even within the United States focused on damage to data to systems and dependent on that with a compliment to United Kingdom colleagues they've had a sector which talks about unwanted content, contacts and conduct.  We've struggled with that in the United States about how do we defend individuals whose perception is altered in ways they themselves don't realize.  The remedies for that are found in resilience and robustness and keep in mind critical thinking.  That's worthy of discussion in terms of how do we set norms and prepare populations to your question about what things don't exist or might or could benefit us if they would.  We're increasingly talking about shared norms.  Sharing data, techniques and tools and even collaborating episodically in applying these remedies to this world.  There are too few places where we stand side by side in a collaborative and we can surprise one another.  United Kingdom has international cybersecurity center which is an excellent exemplar of this, public and private sector stand side by side and mitigate together so they don't have an unholy decision to make of I have a very sensitive piece of information, how do I sanitize that and pass that across in transom that always takes time.  It's always late.  If I were to recommend something above all others where spaces, places surprise one another in discoveries, not merely our revelations.  We can surprise one another.

>> Frederick:  If you wanted an answer on the running question of whether we should have an independent NGO type or attribution I think right now I'm in a question.  Two limits, I think one is that a number of states, never accept you have an independent body attribution and it's a sovereign decision.  EU toolbox gives means but it's the responsibility of each state to attribute or not attacks.  I've had this considerings and Chris can probably confirm with U.S. diplomats who are not ready to give this power to a body outside the States.  So I think that would be a major difficulty.  The other difficulty would be who would be in this organization.  And if it's a private public kind of organization or if it benefits from the health companies, these private companies do we have some type of balance.  The question of legitimacy of a body would also be a major issue.

>> Over to you and we'll have a closing question.

>> Joanna:  I wanted to echo Frederick said.  The United States are being reluctant to let's say create such a body or support such a body and is also connected with one another issue that is important from that attribution point of view.  It goes to the fact that effective attribution in cyberspace goes beyond digital.  It requires all sorts of intelligence so we need to pull together information from various sources also from conventional ones and I cannot see a situation where the States would like to share information or involve tactics from conventional, let's say grants.  So I guess this is a very challenging idea.

>> Joanna:  I hate to stop us short, but I'll ask one closing question and ask everyone to be brief in response.  I kicked off the panel by recognizing escalating conflict in cyberspace, increasing numbers of sophisticated deterrent whether they be denial or punishment or turn tide against.  We look 5, 10 years down the road based on models and if deterrence is successful, what evidence would you be looking for and how might things be different?  And I will leave it to whoever wants to kick off there but as quickly as possible.

If no one wants to jump in.  Elonnai or Katherine, please.


My views in five years, 10 years time, what we need to see is actually evolution or not revolution.  I think if you compare how far we've come in three years, we need to be doing more of the same.  And we've already passed that big turning point where we've overcome that perception that it couldn't or wouldn't be done.  So the key things for me to get there are increasing the resolve of partners to act, increasing capabilities that are understanding of the threat that they got there and just to keep doing more of the same calling out what we see as irresponsible, explaining why, imposing a whole range of costs and continuing dialogue with other countries both as partners but also where we have concerns about these behaviors.

So I know that we ‑‑ it's clear we haven't deterred yet.  But I think we're on the right path, and it's certainly to create assessment colleagues who answer this question it's a great deal better than last year.

>> CHRIS INGLIS: Going back in the conversation, I don't think we should remove all cyber initiative from the field.  That's not the nature of the domain.  It's offense persistent domain.  Having said that, i'm with Katherine in that all the tools and remedies and methods that we can imagine are here.  They're on the street.  The problem is we've not married actions to consequences so we need to do that.  We need to close the gap on that, and we should do that and measure it in two years, three years, 5 years by saying to what degree do we apply all those remedies concurrently with a bias to collaboration and integration.  Former being a human endeavor.  Latter being technical.  If we're applying all those such that an adversary has to challenge all of us to beat one of us we'll be in a better place.

 >> DANILO DONEDO: I agree, but I think also that probably the most interesting deterrent we can use is that everybody is well aware of the systemic risk and how the irresponsible behavior can backfire on everybody because societies are dependent on cyberspace.  And I think that becoming much more aware of this can also help the conversation.  And I also want also to remind that what happens in cyberspace is actions by governments and actors that live in the real physical world.  And therefore, nothing that happens in cyberspace going to be disconnected from the geopolitical context and I think efforts should be made to restore confidence in multilateral institutions and strategic dialogue because as long as we move towards exacerbated strategy competition I don't think we're going to snake progress in cyberspace either.

>> Elonnai?

>> Yeah.  Building on that Frederick, on that awareness point, it will be interesting to see how cooperation between the different stakeholders evolves, how different trust building mechanisms involve and coordination between different stakeholders to build that awareness.  I think some trends that will be interesting to see how cyber debts rants strategies navigate are the increase of kind of a soft attack like influence operations attack target and sociological contracts of a society.  I think it will be interesting to see how this narrative that Joanna you pulled out in the beginning, that on one hand you had deterrent strategies moving forward international cooperation and strategic alliances but also a conflicting narrative of digital sovereignty.  And that will be interesting to see how it plays out in years.

>> Okay.  So only one sentence from my side.  We really need to understand that fact that cyber securities are a shared responsibility.  This is really key.  We need to take the problem seriously, invest attention, time, money, resources whether we're a nation state or private company or individuals, so I guess that acknowledging that this is our strategic challenge is the key and then everything what follows next is just a consequence of understanding how serious it is and how important it is to us. 

>> JOHN HERING:  As I could not say it better myself, I will add nothing aside from saying thank you so much to our wonderful panel.  It's a privilege to spend an early morning with you in Seattle, Washington.  And thank you to our participants in the world as to IGF for giving us platform and to our online moderator.  And we'll hope to see you at later sessions.

>> Thank you.