IGF 2021 – Day 2 – WS #187 Exploring Neutrality:A Multistakeholder Cyber Norms Dialogue

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> LOUISE MARIE HUREL: Hi, everyone. Welcome. That was a nice introduction.

    It is a pleasure to start this discussion. For those of you wondering, might have gotten the link, this is the session called: Exploring Neutrality: A multistakeholder cyber norms dialogue.

    So welcome, all.

    I'm Louise Marie Hurel. I'm a Ph.D. researcher over at the Lennox School of Economics. I'm also a digital policy advisory at the security program.

    I will be the moderator of the session. With me, I have a stellar line‑up of panelist speakers. The way this is going to go, we're going to have two rounds of discussions and interventions from the panelists, which will be provided by a presentation from Sean, which I will introduce very quickly, just to set the scene of what neutrality means in the context of cyberspace. I think those more from an international law background might be wondering how can we connect or what are the gaps of thinking in responsible, safe behavior in cyberspace and the existing norms that have been agreed upon ‑‑

      (Captioner has no audio)

   >> LOUISE MARIE HUREL: ‑‑ those of you what are practitioners in the field and curious about the topic, I think it's undeniable that we have been seeing a rise in multiple state‑sponsored cyberattacks. Not only that but just a realization as a society to the vulnerabilities we're exposed to every day.

    Together with me, I would like to give a shout‑out to the co‑organizers here with me, which is Jakob Bund, project lead for the cyber defense project within the CSS, which it is centre for Security Studies at Zurich.

    Sean Cordey as well as Kevin Kohler.

    Beyond that, the organizers, I would like to welcome our cyber operations officer at the Institute.

    We have Anastazia Kazakova, Koichiro Komiyama, Maurice Eglin.

    Koichiro, if you will allow me to say "Sparky" as well.

    Maurice Eglin is deputy chief at the Swiss OMD.

    I will pass it to Sean to give us this scene‑setter.

    Eight minutes, Sean. I will be strict with the time here. Then we'll go for a second round of discussions and then third round, and then we'll open up for debate here.

   >> SEAN CORDEY: Thanks, Louise. I'm Sean.

    I will provide a bit of context to set the scene.

    As she mentioned, the general premise behind our discussion is that as you are all well aware, different trend in cyberspace is one of the threats and (?) ‑‑


   >> SEAN CORDEY: As our society continues to digitalize with COVID‑19 we're increasing the dependent on ICTs.

    We have a need to have a continuous discussions on ways to stabilize the space. This includes discussing certain mechanisms regarding norms and behaviors and initiatives.

    It includes reevaluating or discussing (?) Before discussing neutrality and discussing it further, it's important to define it. It's a very complex, multifaceted concept that has evolved over (?) Context.

    In practice, it can apply a set of legal principles, rights, duties, and also behavioral traits, practices, reputations. We have state policies. Traditionally, neutrality is linked to expectations of non‑participation, impartiality, and some form of due diligence, in exchange for protections from harm and guarantee of independence.

    Again, historically, it's served many other functions, such as training international commerce or promoting and fostering international peace and security. It's also been used to mitigate escalation.

    One of the things of neutrality is the legal core. This is something we examine in detail in our recent publications that highlights the debates regarding the application of the law in cyberspace.

    We posted in the chat. So I invite you to check, if you're interested.

    The regulation between the belligerent and neutral space. It was codified in 1977. I had a nice table that summarized the different rights and duties, but it's mainly summarized in abstaining from conflict and providing (?) With assistance. Most also terminates or violates neutrality happening in its territory. Do not use it for hostile content nor to attack the infrastructure.

    As for the law in cyberspace.

    It's noted that it's applicable to all international armed conflict, whatever the type of weapon might be used.

    However, neutrality in cyber space remains a niche topic. Only several states have discussed it in their legal opinion. Switzerland, U.S., Romania, and France.

    There's also rules for net neutrality for cyberspace.

    As we can see, there's a lot of different states that covered different aspects regarding rights and duties of neutrality in cyberspace. What we notice is some of these rules are disputed, such as conduct ing (?) There still needs to be further discussions. This includes prevention and cyberstructure.

    Generally speaking, there's many questions that remains regarding scope of the rules, including the larger duties or rights for other actors involved in cyberspace.

    Neutrality is not limited to its legal aspect. It can take other forms. For instance, neutrality can be leveraged as part of the (?) Here we can underline different examples and initiatives such as the actors provided, such as facilitating dialogue or providing some (?) Offices. Question also think about supporting capacity building or legal or capacity building. Providing neutral fact‑finding forensic analysis.

    What kind of partnerships in the digital space are allowed? Can an actor participate in sanctions?

    It's a humanitarian principle to provide assistance or administration.

    (?) Rests on its neutrality and independence and (?) Actions in the field. But some challenges have been created. Now it's at risk for cyber espionage, et cetera.

    Neutrality can also be claimed by private actors. Commercial neutrality, whether private or technical actors provide goods or services that reduce cyberthreats.

    For instance, mitigating attacks or malicious traffic without considering the origin.

    Finally, we can also envision neutrality as being an infrastructure. This is about not discriminating between different types of data. As such, we will not cover this here, as there are enough panels on this at the IGF.

    What you might also want to consider is the future (?) Of the Internet as a public good and a way to protect it from attacks and protect its organization.

    On that note, I will pass it back to you, Louise.


   >> LOUISE MARIE HUREL: Thank you. You've touched on elements that we'll come back to again and again in our discussion. My perception is it a question of territory and actors and how do we interpret law and the scope of norms.

    Coming from international relations, I'm always questioning who is neutral, who gets to say what becomes neutralized, be it a territory, a network, a core, or a particular function.

    So I'm hoping that we can further unpack this as we go.

    Now kind of to our first round.

    I would like to push us all ‑‑ or put us all into a particular part of the discussion right now to all the panelists. So we heard about this research that was published by HTH Zurich, and Sean provided this overview of the concept/principle of neutrality. But does it make sense to think about neutrality in the context of growing tensions of state‑sponsored cyberattacks?

    How have you, in your own kind of everyday work, be it as a scholar, as a practitioner, how do you conceptualize, how do you see the concept of neutrality? And what activities is it actually useful for thinking?

    So if you're coming from a Civil Society organization, what does that mean?

    So I would like to provoke you all to think about the nexus between what it means, the concept that was just presented, and the activities that you have to regularly do.

    So let's go on the following order.

    We'll go and start with Jan.

   >> Jan: I want to talk about the due diligence norm, which is going to be the most relative part from the norms of neutrality.

    One thing to say at the beginning, just because these rules are old does not mean they are not applicable because states have made deliberate decisions not to develop these rules over time and states tend no not give themselves to diligence rules was develop them in periods on conflicts and crisis when they frame their expectations.

    This is directly applicable. I would like to throw a couple of examples out here.

    Usually, states will sue for compensation after something has happened and demand compensation for due diligence violations. So a classic case here is the first ICJ case which shows that these normals are designed for the gray zone. That is an important part here because we always complain that there's this gray zone of cyber conflict that classic laws cannot quite catch.

    The channel is about (?) And Albania suing each other. They we are not at war. They're applying the laws of due diligence and neutrality, but they had friendly relations at the time. So it shows these concepts can actually be applied in this context.

    But the fringes of the Greek civil war but not directly involved around it.

    The decision in the case over the minds that damaged the British wrestles has another important feature for cyber. It shows the due diligence norm does not require attribution. In the entire case, it was never determined who left the mines in British waters. It was enough that they were there, and the court concluded that Albania should have known about their existence and warned the British vessels.

    So we can extrapolate. Is there a duty to monitor certain networks to make sure that, for example, government‑owned critical infrastructure is not used to start cyberattacks by third states against other states.

    Another interesting case to look at is the Alabama Tribunal which is about the U.S. receiving compensation from Britain regarding the duties during the U.S. Civil War which shows that even though it may not be clear in writing in development laws at the time, states expect certain levels of bureaucratic capability from each other and are not afraid to demand compensation if they're not met.

    In this case, Britain had to pay because it did not act quickly enough for American request for action, and we could then ask: Does this require a duty to prepare for dealing with cyber incidents? What level of competence is reasonable for any state to have in 2021 and beyond? Can states get away as the state of the law was not preparing at all?

    It also shows that states expect neutrals not to allow rebel groups being equipped with weaponry that has the potential to change the conflict, even if it is provided by a company acting from the territory of a neutral.

    This relates to debates. We can see quite interesting state practice moving in this direction.

    So I'm happy to discuss all of this in a lot more detail. What I would like to end on is to say all of the potential norms slowing from these cases I suggested today are discussed in the talent manual and explicitly rejected as present international law and state duties, but what the precedence shows us is that even in the case of unsettled law, such judgments, if in the particular case, the tribunals decides that states have affected unreasonably and violated due diligence, they can find themselves paying out compensation even though they have not violated written rules at the time.

    They develop in crisis situations, and this is where we need to look out for the development of due diligence duties and the laws of neutrality in cyberspace.

    Thank you.

   >> LOUISE MARIE HUREL: Very good. Thank you, Jan. I think that is a very thought‑provoking way to start. Really trying to contain myself and not derail the conversation and go deep into due diligence.

    So let's go ahead and pass it over to Maurice.

   >> MAURICE EGLIN: Hello, everybody. Sorry for joining late.

    I'm talking about conceptualization and activities. We have part of the strategic level at Switzerland. We have to think about the impact of neutrality in the cyber world and security policy. We have to think about it as a state and in general. We have to translate what it means according to right and duties.

    Internally, in our own country and administration, according to the fact that we are neutral and should benefit from the conditions of this status, focus on what it means in terms of type of security, scope of defense, stakeholders, partners, prioritization. Generally, I'm speaking about critical infrastructure.

    We have to take into consideration the fuzzy borders of both concepts of cyberspace and neutrality. This leads to principles that we all know are not globally fully fixed or commonly understood, and the duty is to precise the way that all the organization from all their barriers' different point of view have to understand the main view on neutrality and cyberspace, for instance, cybersecurity, which is about, I would say, the economic word, the main functions of our countries.

    The second thing is the cyber diplomacy. This is very important because neutrality is not only a status but promotion. And cyber defense, which is about the sovereignty and the rules about how to behave with cyber war being below a certain threshold.

    Of course, we do not have to forget fighting cybercrime and what is the meaning of neutrality regarding fighting cybercrime.

    So there is a continuous effort to understand the ever‑changing context between the balance and the use. I wanted to emphasize this in the beginning.

    Now, externally, considering relationships with foreign countries ‑‑ because we are talk about neutrality and about states ‑‑ in order to share experience best practices to train or even exercise together, here, also, there is a strategic view on neutrality.

    We must define thresholds above which we cannot go. I mean, in general, active and passive measures. Now, in fact, neutrality is also about cooperation in peacetime and below the threshold of armed conflict, of armed cyber conflict or conflict through cyberspace. Because of a global openness aspect of the Internet, which is the dimension of the cyberspace, the challenge is about guaranteeing interoperability.

    So Switzerland is not a part of NATO or EU, but it's a partner of peace. And Switzerland is a part of OCD. So these are the concepts that we are dealing with and trying to focus on. I would like to go further.

    I try to introduce a model regarding the activities we have to focus on with consideration neutrality. It's a model I would call five Ps. It's part, prevent, protect, principles.

    Let's have a look at partners. Partners, or partners and prevention, can lead to digital supply chain. So what does it mean, neutrality, according to digital supply chain below or above the threshold we addressed before? Are they some neutral zones? So it's about risk mitigation. It's about digitalization, independence, autonomy. Neutrality is not above this threshold. It has to be understood, also, before we go to where neutrality is inactive.

   >> LOUISE MARIE HUREL: Thank you. I was reminded of one of our leading discussions to this panel, which you mentioned, the Access of Complexity; right? Thinking neutrality as this encounter, as we said previously, of considering the actors, the processes, the territory, and, as you said, the activities that might most of the times be below the thresholds of armed conflict, and what does it mean to pinpoint when neutrality is kind of incorporated in that sense?

    I think Sean presented some elements there. We'll differential return to that discussion in such a short moment. So now we heard about a historical perspective, kind of a state's perspective, and now going to Octavia for a perspective on Civil Society perspectives and incidents that are happening on the frontline as well.

   >> Octavia: Thank you. It's a pleasure to be here today.

    As Louise mentioned, I'm going to talk about the humanitarian values. I'm going to bring a different perspective to the table, I guess.

    I want to start with the idea that protection of humanitarian freedoms (?) The challenge is it is just very hard to apply completely. So I'm just going to try to tell you a bit how we do that at the Institute. I would like to start from the idea that the Institute, it's a core principle. As an organization, we are a neutral governmental organization with securing the rights of people to security, equity, in cyberspace.

    As you can imagine, we try to have the principle of neutrality embedded in what we do because we see it as a cornerstone in everything we do.

    Supporting the security in cyberspace rather than the interest of individual actors. So neutrality is not only a behavioral trait of the organization itself, but it becomes a principle, right, and duty to, on the one side, protect targets regardless of their location, beliefs, or identity. But on the other side, neutrality is treating all parties equally and impartially. We do that by providing evidence‑led data that shines light on what is a cyberattack and who. That's very hard.

    If you look at neutrality as a behavioral trait, cyberspace could be defined as a neutral space, in a way. It has been conceived as an open, free Internet; right? So we look at cyberspace as an environment where people have the opportunity to be connected all around the world, to access new resources, and to seek help and assistance.

    So, operationally speaking, this becomes the access to knowledge as well as the access to protection. We believe this is very important because it's stated that there's an obligation to promote the right to freedom of expression regardless of frontiers to any media.

    We stand by this. It is our mission to protect cyberspace for the neutral space we think it can and should be.

    To give you a practical example, for many of our beneficiaries, this is a place to build trust. So the principle of neutrality applies in our everyday work in protecting vulnerable community business providing free cybersecurity support into some monetary IGOs that provide support.

      (Static on the audio connection)

   >> Octavia: With the builders, we aim for self‑defense and (?) Infrastructure targeted by attacks. We believe NGOs should be considered critical infrastructure because in many parts of the world, populations rely on these NGOs to get food, clean water, health care services, and education. These may be realities very far from us, but it is still a reality out there.

    On top of this, other ways we look at neutrality is more on the accountability in cyberspace because this has a lot of meaning. There's an important role in holding malicious actors accountable. So, for example, at the Institute, neutrality functions also by analyzing the impact of cyberattacks not only from a financial point of view, impact, but also have a societal and human point of view.

    We launched the cyber incident tracer that provides an understanding of the cyberattacks on the organizations. All this data is out there available to everybody. For us, this is a way of applying the principle of net neutrality once again.

    And, finally, these human‑centric approach to analyze cyberattacks and get people justice and have their case heard by a committee.

    Thank you.

   >> LOUISE MARIE HUREL: Thanks very much. That was perfect timing, Octavia. Thanks for that.

    So I guess now we're transitioning to a kind of very practiced, oriented ‑‑ activities‑oriented kind of perspective. It's really interesting to see, Octavia, from your intervention how neutrality takes on kind of this also multifaceted perspective from the NGOs side, not only in providing some kind of assistance in being there but also NGOs working with other NGOs that might be working frontline, kind of humanitarian environments, let's say, or even in situations where there's just a need to provide some kind of assistance to people in specific communities.

    How do we think about neutrality not as this out‑there, very high‑level discussion. It's a needed practice of protecting not only human rights but protecting specific communities. So thanks for that. Now we're continuing, perhaps, on a similar kind of pathway on going into the private sector.

    So, Anastazia, over to you.

   >> ANASTAZIA KAZAKOVA: Thank you so much. In answer to the question: Does it make sense to think about net neutrality in the context of growing nations, yes, it does make a lot of sense, especially right now. And with the growing militarization of cyberspace, which many experts have been living already, it's a timely topic.

    It's hard for me, of course, to preface in terms of the terminology, but, in essence, to have a neutral status for incident responders, for cybersecurity researchers about whom, I think, first of all, those are my colleagues who track advance actors that are provided for the intelligence report.

    But also in human organizations, which I think Octavia represents here, it will be absolutely great and helpful to have this neutral status. Why? Well, because I think even though 100% neutrality cannot exist ‑‑ and I think we should be realistic about this ‑‑ everyone has a customer user base. Even in the event of a cyber incident, we'll all first help our users. Still, it's important to focus on the fact that the role is to help. This role should stay no matter what political context.

    This is very important for them. It doesn't matter what political context exists.

    And, of course, this is for states to define how the law of neutrality applies, what it applies, what it means, and especially given the unusual roles of private sectors in cyberspace, I think (?) International organizations. I'm a bit skeptical that pragmatically speaking, we would have sort of structuring from states, ABC, how it is applied, and how it is precise ly, but, still, I don't think it should discourage us from developing international framework that might help raise awareness of the fact.

    Organizations need to be able to (?) And they should not be involved in a political context. Again, if there's a cyber incident taking place, their continuing job to help people is to continue to deal with the cyber incident.

    Another challenge, of course, is to draw the lines between peace and war times. This is what we specifically discuss before this session with my colleagues. I really want to hear their views, how they see. Actually, it's a really important question: How to define between the normal and conflict times?

    It would require a lot of discussions and agreement, but what constitutes normal? I think it's tricky and difficult to define it because the capabilities of the cyber world make distinction s that are more clear. One of the challenges is to understand what's happening and who can actually have this neutral status.

    Most of the operations taking place below the thresholds, I think this has been brilliantly highlighted in the research before the roundtable discussion. A lot is taken place in secrecy. We may only know about them after it's actually been public.

    Being pragmatic, practical here, if we speak about how to make those neutral status operationalized, I think it would be really great if we speak about rights. I agree with (?) On that. A greater transparency from these organization individuals, their activities, for instance, what they produce and who they produced this intelligence report, how they operate globally. Then due diligence, if they are aware of any vulnerabilities exploited already, if they're aware of significant vulnerabilities that might be exploited, or they have knowledge of incidents that have already taken place.

    I think these points and we have other points that might be in the scope of those neutrality responsibilities of the organizations going to have them during the cyber incident.

    At (?) We try to improvise how much we can be transparent here. Just to give some examples, sometimes a different part of cybercrime investigations, regardless of what place they occur, there's a network of private partners. One of the steps that we decided to do is to be transparent about how many requests we actually receive from the local law enforcement agencies and from the international organizations. We first published it earlier this year. It highlights which requests come from the user data and the which come from the technical expertise or challenges. We would like to be helpful.

    So we try to do this, but, of course ‑‑

   >> LOUISE MARIE HUREL: 30 seconds.

   >> ANASTAZIA KAZAKOVA: ‑‑ having more clarity what those organizations do might be very help.

    Thank you.

   >> LOUISE MARIE HUREL: Perfect. Thanks so much, Anastazia.

    I will do the overall thread that we're constructing here, but before I do that, let me just pass it on directly to Koichiro to talk to us about the incident response kind of perspective of that.

   >> KOICHIRO KOMIYAMA: Thank you very much. My name is Koichiro.

    It's common that our response work involves more than three countries. I will give you a few examples. When the attack was launched, the program was distributed by a website hosted in Japan and Malaysia. When the emails of the campaign were leaked during the French presidential election, some of them were hosted in the U.S. some were hosted in Japanese online forums.

    So one of the mission of (?) Is to take down inappropriate or malicious content from the Internet. Such responses should be carried out in a timely manner, especially regarding neutral state.

    So this is a significant task during peacetime or in this threshold situation. In this sense, I think the existence and fully functional (?) Is a cornerstone.

    Now, when applying neutral role to cyberspace, my biggest question is how to deal with tech giants. They may be out of neutral scope, however, they are, in fact, the ruler of space, jeopardizing the sovereignty of states. When the concept of (?) Was proposed years ago, Internet was a shared asset.

    Turning to 2021, few tech giants dominate the Internet. They are laying undersea cables and providing data services to the world using semiconductor parts that they themselves designed. So the autonomous and (?) Nature of the Internet is rapidly disappearing.

    And the spirit of neutral and non‑neutral coexists within each tech giants. Tech giants have made it clear that they are eQuidistance ‑‑ equidistance (?) In growing their overall businesses.

    So they like to be neutral, in one sense, however, the tech giants are not neutral in some respects. If a tech giant in one country builds and operates a dedicated data center for the use by another country's military or defense department, it is not appropriate to describe that tech giant as neutral.

    The U.S. Ministry of Defense Cloud Data Center, Microsoft is preparing the center, and it's more a military object as defined by the protocol to the Geneva Convention.

    So the tech giants are weighing the benefit of remaining neutral and closing up to a particular government. Their next step has more influence than any single government intention or their interpretation of international role.

    I would like to stop here.

    Thank you.

   >> LOUISE MARIE HUREL: Thanks, Koichiro.

    I think that gives us an overall, multistakeholder vision of what neutrality can mean for each actor. So we went from a, as I said, historical perspective, where Jan took us through the lessons learned throughout the years. So how could we think now, in this context, thinking about the manual and other resources as well, of how due diligence can help beyond the attribution ‑‑ let's say bottleneck ‑‑ to protect networks.

    Then comes the question of capacity. Who is capable? Whether a state is capable of protecting their own infrastructure. So that is one food for thought there beyond the monitoring, which could also mean how are these states monitoring and going beyond the scope of what they should be doing. Then comes the discussion around active cyber defense that question further discuss here.

    Then we went through what Maurice said, thinking about net neutrality and something that Jan touched upon, saying that we need to define the thresholds but then, obviously, another question, just to provoke our discussion here, is that of whenever a state publishes their views on the applicability of international law, depending on how they do it or other mechanisms that they're doing it, are they just being kind of ‑‑ the more transparent they are, the easier it is for other actors, malicious actors, to know where the threshold is and play around with that, if we stick to that.

    So just bringing a provocation there.

    On the CVS said, we went through the neutrality as a status, as kind of a protection of the status of NGOs working on frontline but also the continuation of their services in these kind of humanitarian contexts, let's say, just for the sake of kind of tailoring and bringing a wraparound with that.

    Then we went to a private sector side, Anastazia, I'm glad you said no actor is neutral. I'm glad you said that. When it comes to relationship, there's different stakeholders, but with different States and different organizations, it can be tied to different funding, where you're getting your funding from. From the states, it could be the different things you're engaging in, the operations you're engaging in beyond what would be considered neutral.

    And then, particularly interesting, the private sector has been developing these norms, but at the end of the day, what happens when you're actually engaging in the services that are related to the military objectives of a particular country? And is that okay when we're thinking about neutrality beyond the state's defined perspective regarding international law.

    I think one of the papers Sean presented ‑‑ and that's over there ‑‑ is neutrality according to international law. It's not ‑‑ it's a states thing. It's restricted to states and has to do with the territory, which we can discuss more. Was what happens when we look at on‑state actors? It's blurry.

    Great. I just wanted to give us a vision of this overall discussion. I think we're set up for a very complex mapping exercise here. Now, just to bring us down to a concrete element that we can dive deep into, I just wanted to go to the second round. I'm going to ask you for four‑minute intervention each, just to remind you of our plan.

    Testing international norms, we have different sets of norms that have been agreed upon. So how can we operationalize neutrality in the context of these norms, and what are the promises and shortcomings of doing so?

    So let's do the same round.

    Jan, you first.

   >> Jan: Well, I think pointing out that at one point, due diligence is the key neutrality in cyberspace, in my view. It was included in the so‑called zero draft of the open‑ended working group at the United Nations. It was dropped from the final draft. So, interestingly, the DGE includes due diligence as a duty in cyberspace, but the working group does not. That shows it's controversial. From what I've heard, it's been a couple of powerful states that did not want due diligence in this report because they feared it might be operationalized to include certain duties that they might not want to see widely applied or applied to them.

    So let's take a look at what that might have been that they were afraid of and concerned about.

    If we look at norm seven, state should stake appropriate measures to protect the state from ICT threats.

    If, for example, your critical infrastructure, say your electricity networks, are used to launch a cyberattack against another state, what is your due diligence duty? What should you have done beforehand to protect it? What protections should you have had in place reasonably? Should you have had systems in place to spot the intrusion early on? And what is an appropriate response to, say, the targets they're informing you about and are taking place?

    It says that states have to respond to appropriate notices and then take appropriate measures. The really interesting question is: What does that mean? And what happens if this duty is violated? Are states then liable for compensation to the target state because they have not protected their critical infrastructure which was then abused to ‑‑ used to launch a devastating cyberstrike that's ultimately never identified. So it's identified even if the attack is never attributed.

    Next, what does this mean in detail. When can you reject the question as saying this is not appropriate? What is the level? And what kind of assistance do you have to allow in if you don't have the capability to deal with something yourself? Does it mean allowing teams from a foreign state? Maybe a target state or another friendly state of your choice? In particular, with an attacker abusing your networks? Does it mean allows private companies in on your state networks perpetrated by a state actor from another country? What are the implications here? How can that framework be organized?

    At what point does not going along with a request or not going on with an offer of assistance appear unreasonable in the eyes of international law? So if you've acted unreasonably, then you're inviting complaints for compensation.

    So these are all things to think about. Also, especially when it comes to neutrality, we talk a lot about critical infrastructure. That's a term that pops up again and again in the relevant cybernorm debates and in national legislation and in European legislation quite a lot. But it is not defined internationally. There's no clear rule what exactly is critical infrastructure, what is the scope.

    So you could have a situation where a state claims, say, everything connected to its military is critical infrastructure, which includes private companies owned by the military, and, therefore, they should be immune from the attack, for example, and demand assistance if something happens.

    So there are great complexities here that we will have to deal with, but the fact that this debate is going on in such detail ‑‑ I mean, everything I've cited here has been either in the text or the footnotes of the Tallin manual or on the fringes of some of the dig cybernorm debates going on. So this is not completely unrealistic or legal discussion. This is something that people expect to happen at some point, and it would be a good idea to have the relevant legal framework in place before crisis happens and not trying to figure out while states from threatened with escalated violence due to an ongoing cyberattack.

   >> LOUISE MARIE HUREL: That's great. Let's go to Maurice.

    I think you're on mute. I'm not sure if I'm the only one who cannot hear you.

   >> MAURICE EGLIN: Sorry.

    Operational neutrality, I wanted to come with the mention of the access of complexity. I wanted to address it but in the second part.

    Well, we could consider that norms could cover access of complexity or a group of norms. I think it's a good way to do it. I would start, for instance, with norm three where states should not knowingly allow their territory to be used for, I would say, cyber passages.

    Coming to the use of (?) No vacuum and Koichiro Komiyama said it well. This is about states with players that are dealing with ICT and data ‑‑ and data. And this is something we have to understand. It's not only the tool. It's the role (?) Which is data. So if we are able to understand the relays, the proxies, make inventories, catalog, mapping, then we will operationalize neutrality because we'll be able to build a context and to define some borders.

    Having norms, I would group them six, seven, eight, which are dealing with critical infrastructure. I would say the first is, as I mentioned before, there is this information sharing to help the maturity of this critical infrastructure to be hardened so that cyberthreats, cyberattacks will not harm them at a level where this has to be considered.

    I think it's interesting to see, depending on your definition of critical infrastructure, norm 11, that says you don't have to hurt cert, there's no specificity of this norm 11.

    Now, regarding the operationalizing of protection of this neutrality, it's generally done ‑‑ if I have a look at cyber defense, intergovernmental agreements, focused on training and information exchange, having a look at training, there's an interesting example with cyber training ranges because cyber training ranges both can be used as training instruments and also for weaponry.

    So if we define clear rules, if we define clear inventories on what has to be considered, as, for instance, a training purpose and what not, then we will help neutrality being able to be described.

    And, of course, this leads to policy application. I think the context helps to understand the terms of neutrality to be operationalized in terms of scenarios. So defining scenarios that help to understand inventory and illustrate the considerations necessary to address neutrality in a specific context on cyber tension on conflicts.

    Now, where goes support ‑‑ supporting partners? Supporting belligerence? Up to what kind of limit? Is it technical, organizational, political, and such linked to aspects to be taken into consideration? I would like to take an example from the modern cyber literature that modernizes a more classical saying. It is to attribute or not to attribute. To attribute or not to attribute. Being able to not to attribute is preserving your neutrality. And this is the real challenge for a neutral state. Can an attribution be considered an (?) ‑‑

      (Overlapping speakers)

   >> LOUISE MARIE HUREL: In thinking about not attributing as part of that process but also thinking about another thing that I'm not sure whether it was you or another speaker that brought this, was also thinking about attribution as this delegation or perhaps that whole discussion around having an independent body that focuses on attribution or having a group that focuses on (?).

    Let's go to Octavia.

   >> Octavia: In full disclosure, in order to reply to this question, I have to ask support to my colleague who is way more expert at international norm than I am. So thanks to her.

    I want to start with a quick reflection on (?) Written by Sean Cordey. Thanks to you as well.

    You referenced the five political functions of neutrality according to Ridley. Looking at that, I started thinking about what functions we follow at the (?) To operationalize neutrality or at least trying to do so. I think that integration is one of the main functions we follow. This is because we work to ‑‑ we see to apply the integration by convening a diverse range of stakeholders to act on issues that protect the issue of human rights in cyberspace but also to act on pressuring cyberthreats targeting vulnerable communities.

We manage to convene a wide range of stakeholders, like the one I represented here today, because I know we have the shared mission of protecting cyberspace.

    Together with industry partners, the multistakeholder manifesto ensures that (?) Upholds basic human rights and freedoms. This manifesto (?) Looking at all these principles, it's regarding rights and liberties in terms of cybersecurity.

    I want to ask the question on how the principle of neutrality (?) International discussions. I think it is. Once again, as we all say, it's very challenging. The fact that all the challenges we might face doesn't mean that we should not look at all the humans reached, for example, in OWG or OGG for us. Specifically, they're related reports that lately have provided clear guidelines on how to implement the 2015digi norms because that's where everything kind of started; right?

    We base a lot of our work on the critical infrastructure like health care facilities should be off limits for cyberattacks. I think an important point to stress here is the norms only apply to states. These norms are important, but we still need to push for multistakeholder effort. We believe that efforts like activities we do at the Institute but also done by many other organizations out there are important mechanism to support these norms.

    I just saw, as an exercise, I look at one of the norms ‑‑ because I'm not an answer ‑‑ but looking at number seven that I think we all kind of mentioned, in a way, I see neutrality there in two ways potentially. One is like a state approach to infrastructure protection as positive obligation to protect critical infrastructure but, also, again as cooperation efforts.

    Just so conclude, there's (?) It's just a long way, and we just need to work together to do it. Bottom line.

   >> LOUISE MARIE HUREL: That's great. Thanks so much, Octavia.


   >> ANASTAZIA KAZAKOVA: Thank you. I would agree to highlight that those norms about this responsible state behavior, it would be, I think, also good to understand how those norms coexist with international law. It would be quite interesting to hear some further states that would be more vocal about how the application of the (?) Could also be more specific about this.

    I think it's also important to understand how to use this and to define their roles and the activity in this regard.

    The other aspect that I wanted to highlight, many of those norms, actually, have been already operationalized by both states and the state actors. We really did a good and interesting research. I see some people from the (?) Cybersecurity here, but how the security incidents have triggered if norm application.

    I had the specific case of (?) Vulnerability and I did the case on (?) Most of the questions were did you know about the specific norms to responsibly report vulnerability? No. Of course, I wasn't very aware of this. Did you implement this? I did. These norms were operationalized in day‑to‑day.

    This would be helpful. I know about the deals between (?) And Australia. Definitely this would be a practical solution in this regard.

    One of the norms I think is missing here, again, based on the previous communications with the security researchers mostly is to have the security researchers despite the political context, despite the sanctions, to be able to exchange the vulnerability information with each other. We know that because of this political context, some of the communities can cooperate with each other, be they in Russia, China, Iran. Still, there are victims that could need this help. I think having some neutral er into immediate area, an organization to help decide the situation would be helpful to those who need to do their job.

    So that's all from my side.

    Thank you.

   >> LOUISE MARIE HUREL: Thanks, Anastazia.

    I think that transitions nicely to Koichiro.

   >> KOICHIRO KOMIYAMA: Even national certs within the government will allow a certain degree of independence with certain cases being set up within the military agencies.

    Now, 2021, national certs has been tightly incorporated. The positive effect is we have certs in almost all countries. It's losing its character as a global community. The protection can be reconsidered because the boundary between certs and military agency was not clear from the beginning and becoming less unclear to the state. If national cert works more and more for national interest, global network of security experts (?) They work more for global good.

    My last point is it is precisely because of this, as described in Sean and Kevin's report, the idea of prominent, neutral countries supporting the global community first as an incident response team, is an excellent idea. Cybersecurity professionals from all over the world have joined this group to develop industry standards, such as a scoring system or TLP, and to establish a Code of Conduct for security engineers.

    But, as an organization, first, is a 501(c)(6) IPO registered in the United States. Some of these activities are restricted by regression in certain countries.

    So I really welcome (?). Thank you very much.

   >> LOUISE MARIE HUREL: Thanks, Koichiro. That's an interesting point. I remember just a couple of years ago, the IGF having discussions around the protection of support activity or harm related to certs or the norm 7, which is request for assistance or another one which is related to request for assistance.

    It's so interesting that you mentioned that maybe the format of national certs have been changing, and that changes the possibility of neutrality in that sense or protection, right, which is a very close word to what we have been discussing.

    I just wanted to pass it over and check if Sean would like to chime in one minute. We're short on time, and I want to open up the discussion. If you would like to add something, circling back to the whole research.

   >> SEAN CORDEY: Lots of things everybody said and finding links between the norms and the actual principles described in the law, I would just add something more related to norm 6, like norm 3 and 7 have been discussed, but norm 6, not that much.

    States must not conduct or knowingly support ICT activity. It internationally damages critical infrastructures. It's the whole concept of what support can actually mean in terms of cyber. We might want to look back at the log and see that support can mean, for example, (?) Engaging and provision of different materials.

    In the cybercontext, this could also been targets, et cetera. These are things to keep in mind. It could mean provision of software or cyber weapons, even though that's a debated term itself. It also raises general questions about what can be done with regards to these issues of support. One potential answer that I want to highlight, that Jan has already highlighted, is the regimes (?) That I think and other people think, too, is going to be addressed at some point, either through the lens of neutrality or other ‑‑ (speaking softly to self).

   >> LOUISE MARIE HUREL: Right now, I want to open up the discussion to all of our audience here or over at the IGF in Poland physically.

    I wanted to give the opportunity, also ‑‑ because I don't know how many people are in the room. If someone is in the room and would like to chime in and ask the question, please feel free to do so.

    I guess the IGF supporting staff will help you through that. In this moment, I noted that Craig Jones made a couple of remarks here over in the chat.

    So I was wondering: Are there any questions?

    Craig, would you like to jump in and make your comment over here?

    I'm not sure ‑‑

   >> LOUISE MARIE HUREL: Great. Perfect.

   >> CRAIG: Thank you very much. I put a few comments in the chat as well. It's about sort of roles, responsibilities, and organizations, and having very clear mandates. As I'm saying I'm a director of cybercrime. I lead the global program for 105 member countries. I've been wrestling for years on what that looks like and where we can add that value.

    So now developing a new strategy. We're involved in the new ad hoc convention, but with seeing the politicalization of cybercrime, we can see where is our common denominator. We try to keep it at that level, but I think what we can see now is the countries coming on and using a cybercrime as a national security issue as well. That's going to make it a lot more difficult, certainly for law enforcement when we try and facilitate those cross‑border investigations.

    So drawing it down into the lowest common denominators about what regions and countries can work together and those geopolitical groups and looking at using Interpol as an interlocker to bring those operations together. Again, we can only do it in the crime area. That's moving forward with relation to cybercrime.

    That's all I wanted to say.

    Thank you.

   >> LOUISE MARIE HUREL: Excellent.

    Would any of the speakers like to comment on the comment that was raised by Craig?

    If not, I'm just going to comment on your comment ‑‑ okay. I see Jan.

    Jan, please go ahead.

   >> Jan: It's quite instructive to look at the history of the Red Cross. It's a deliberate inversion of the Swiss flag. It had no legal position to claim permanent neutrality as a newly founded organization. So that's the closest thing possible, by inverting this flag and sort of trying to get this status. It's quite destructive to look at the struggle the organization has faced through the decades and world wars to maintain that status. It could be quite instructive to look at that from the perspective of certs. You have the Red Cross as a deliberately neutral organization that will work with anyone in the interest of humanity. You have the medical services of any Armed Forces who then go into the battlefield and demand certain privileges and rights not to be target based on that symbol.

    So there's an interesting analogy here that I have not thought of that could be very interesting.

   >> LOUISE MARIE HUREL: Yes, and I think Anastazia very rightfully, spot on shared here, (?) From the CRC that talks about marking (?) Off limits. That goes back to that discussion that we started to have around what could be considered the Article XV of the Geneva Conventions and safety zones. Obviously, we need to speak about peace times and this discussion around protecting health care from cyberattacks and having a common understanding that this is a no‑go. So states cannot kind of do that.

    But what happens when we're looking at potentially kind of cyber espionage operations that, as we know, fall below the threshold that, you know, are very blurry, and it's very difficult to understand what is being done there. It can be just a reconnaissance operation.

    You know, how can we deal with the concept of neutrality in that context; right? So I'm waiting for more questions, but from the audience, I hope we have triggered that. I really want to have this burning question around the protection of health care because I think this is something that we've been discussing a lot in this past ‑‑ you know, since the start of the pandemic.

    So how have ‑‑ just whoever wants to jump in and talk about that, how can we think about the concept of neutrality in that context, given even cyber espionage using those networks even if only to leverage to get into another system? How can we deal with that?


   >> MAURICE EGLIN: Thank you. First of all, I would like to emphasize on an initiative that Switzerland took on law that we tried to apply to the cyberspace but in a very systematic way. Of course, we made it within the federal administration or Department of Foreign Affairs and international affairs and cybersecurity center. Then we checked it because we thought it was very interesting.

    Now, coming to the point you mentioned, I think there are two main aspects, again, related to complexity.

    And the first aspect is the indirection. So the problem is if you consider that health is a human ‑‑ having benefit from the health system is a human right, then there's a parameter of neutral zone that you can define. The problem is the indirection and how to hit things.

    For instance, I mean, affecting hospital or transfer systems would be very clearly visible, and it's quite, I would say, easy to try to transfer some rules to these domains and also to see the threshold of violations.

    But, now, if you go into data integrity, something some attacks on the long run that will effect the efficiency but it's not clearly visible ‑‑ and then, of course, there's the time that has to be taken into consideration. It's very, very difficult to have a clear model.

    I think the first suggestions we did is we considered that some sectors that can be considered as vital sectors, not critical but vital sectors, have to be considered on the way they can be directly impacted by cyber threats. And this should be part of what could be defined and neutral on non‑threatable zone.

   >> LOUISE MARIE HUREL: Very interesting.

    Any other speaker that would like to chime in and respond to that question as well?

    I was looking at Octavia to perhaps see, but, please, feel free.

    I see Anastazia.

   >> ANASTAZIA KAZAKOVA: Just very quickly, I don't have an answer because it's a really quite difficult question to have a black‑and‑white answer.

    One of the things we're dealing with and theoretically keeping in mind, those threat intelligence that our colleagues produce publicly and actually provide information about the vulnerability analysis and technical information about the (?) Has been investigated could potentially and theoretically be abused by some states. That could be part of the cyber conflict. Even those who abuse this information are not our users and customers, but, still, without an intention of cause, without our knowledge, there's some of the risk that we need to take in mind. This leads to questions that we do not have the answer yet, how to deal with this.

    Just to add to the laws of the questions (?).

   >> LOUISE MARIE HUREL: Yes, that's absolutely true. I think this panel was definitely raising questions about the blurry lines of applicability of international law and humanitarian law.

    I see that a question was submitted here. Amir, would you like to unmute and just quickly ask your question? Then we'll go for a last round before we close up.

   >> Amir: Hello. Can you hear me?

   >> LOUISE MARIE HUREL: Yes, we can.

   >> Amir MOKABBERI: Hello, everyone, and distinguished panelists.

    I would like to ask one question here regarding application of neutrality. How can neutrality be applied without having (?) Framework?

      (Audio interference)

   >> Amir MOKABBERI: ‑‑ under the United Nations and (?) Needed for diligence and protection of critical infrastructure for all countries and also possibility of attribution and also with the respect to the phenomenon of attacks by other parties, with this condition, how can neutrality be applied?

    Thank you very much.

   >> LOUISE MARIE HUREL: Thank you, Amir.

    I see Jan has already raised his hand.


   >> Jan: I think this touches an important point on why there's complexity on the statute of these norms. If you, for example, consider that the official U.S. cyber strategy officially mentions that cyberattacks by U.S. forces will usually be routed through third‑party countries to make sure they're not tracked as easily.

    If you look at that from the angle of due diligence duties, you will then understand why the United States has not so far publicly commit ed to due diligence in cyberspace as a norm.

    That's where we're clearly hitting boundaries of state interest, that's where my argument comes from that I don't think we will clarify this around the table of an international meeting where states agree certain rules are now binding, but what is more likely is that we'll have some form of international conflict where these rules come into play, and states will clarify their expectations of each other, and then cyber experts and many defense ministries across the world will think about what that means for the strategy of using other people's networks to hide our tracks.

   >> LOUISE MARIE HUREL: Well, that is a grim scenario, but I do hope that we can find kind of a common ground before something kind of ‑‑ the doom cyber day kind of happens.

    Yes, Maurice?

   >> MAURICE EGLIN: Yes. A short addition to what has been said and to answer the question. I think there are two axis of answers. The first is to be able to define what is allowed or not. According to this, our view, our thoughts are linked to we must be able, according to a UN view, to define some parameters. Once again, in the end, it will depend on the context. It's not something that can be described in a generic way.

    The second thing, the second axis is being able to take measures. Here, once again, this is a very complex thing. It's according to security policies. Here, I think we're far away to find the solution.

   >> LOUISE MARIE HUREL: Thanks, Maurice. Any other comments from the speakers?

    Okay. If not, I am going to just ask either Jakob, Sean, or Kevin whether there are any other remarks you would like to make with regards to our discussion?

   >> Jakob Bund: I would like to thank you, Louise for this. I think it's been an immensely rich discussion. So a great thank you from my side to all of our speakers. I think we've had a lot of wealth of details in terms of how neutrality can be of value as we think about enhances stability in cyberspace and the different contributions that a multitude of stakeholder communities can offer.

    In that sense, I hope that this has been an interesting discussion for you and the audience. I know that neutrality at times can seem a rather abstract and daunting concept. We were hoping to show to you today with our discussion that there are a lot of steps and considerations that are already being made to see, really, how do we translate this into practice and really tease out the value of neutrality beyond just the discussions on norms.

    This is a conversation that definitely needs to continue going forward. I think we've seen it's an issue that is not only concerning states. There are interests and activities, a growing group of actors that are being touched on. We've heard from Craig Jones that it's not only a question of actors. It's actually, also, increasing an issue of increase in cybercrime. There's a lot to unpack there.

    Thank you, all, for being a part of this.

    Thank you for our effort.

    Back to you, Louise.

   >> LOUISE MARIE HUREL: Yes, absolutely. I would like to thank you all, all the speakers, the audience, both virtually and physically over there. I hope next year, we can continue this conversation somewhere face to face somewhere in the world.

    Yes, I think our expectation was to get to the end of this discussion with, like, very, very concrete takeaways.

    Although, I do think that we have them. I think this was a mapping exercise of different views around neutrality; right?

    I think we leave this discussion thinking about ‑‑ least I do, and I hope all of us do, is about, as Jakob already said, the geopolitical context that we're living in, OWD starts next week, of an ad hoc committee on cybercrime, starting a treaty on this and starting negotiations next year, processes that will kind of touch very concretely the blurred lines between cybersecurity and cybercrime.

    Many states have started discussing this.

    One thing I would highlight about this mapping exercise that we kind of got into here collectively, is definitely knowing that neutrality goes way beyond just thanking the states. It is something that many other state actors, non‑state actors kind of rely on or think critically about because whoever decides what is neutral or who is neutral or what gets to be neutral has political power; right?

    So I think at the end of the day, that is something that requires our attention. And I think Sean, Jakob specifically, and Kevin, thank you for the work you published. I would definitely recommend you read it. I definitely do feel it adds to this literature, first, to pin down what it means and the political implications and international law implications for these kinds of debates.

    So that is me. I've spoken enough. I would like to thank you all. I hope to see you next year.