From supporting Ukraine in its defense against Russia’s use of cyber operations in the war in Ukraine to helping ensure governments do not use digital surveillance to silence dissent, cyber diplomacy is playing a growing role in advancing security, defending democratic institutions, and protecting digital freedom. Join us for a conversation with cyber envoys from the Netherlands and the United States, as well as representatives from the private sector, to explore how international collaboration can help set and enforce limits on state behavior in cyberspace and how it can contribute to effective Internet governance.
>> ANNOUNCER: Please welcome panel moderator Niloofar Razi Howe.
>> NILOOFAR RAZI HOWE: Good afternoon, everyone. I really want to thank the RSA Conference for letting us have this important conversation about cyber-diplomacy. And I'm thrilled to be joined on stage by four experts in the cyber realm and with respect to cyber-policy, starting with Ambassador Nathaniel Fick who is the ambassador at large for the Bureau of Cyberspace and Digital Policy in the United States. Sitting next to Nate is Her Excellency, Ambassador Nathalie Jaarsma, Ambassador at large for security policy in cyber at the Ministry of Foreign Affairs for the Netherlands. Sitting next to her is Wendi Whitmore who is the senior vice president of Unit 42 at Palo Alto Networks, who does all the incredible threat intel there. And sitting at the end is Kevin Mandia, CEO of Mandiant. So thank you all for joining us today on stage.
I want to just start by setting the scene a little bit and the context for this. The original vision for the Internet was that it was going to be free and open and promote democratic values. The way that has played out in real time has been a little bit different. Can you – Ambassador Fick, starting with you – can you set the context for the reality of the Internet today and maybe get into the threat landscape a little bit?
>> NATHANIEL FICK: Happy to and thanks Niloo, and it’s great to be back at RSA. Thank you all for being here. So I came of age – if you are between, I don't know, 40 and 60, all of us generally came of age at a time when we were reading books like The World Is Flat or The End of History. And it turns out now 20 years later the world is not flat and history didn't end. And this vision of a global Internet, a unified global Internet that's free and open and reliable and secure is an aspiration I think but not yet a reality. And I'm happy to give a couple of examples. I mean obviously we have adversaries in the world that have a very different conception than we do in the United States, or among our like-minded partners about what the role of technology ought to be in all of our lives. And they're actively fighting against an Internet that's free and open.
So I think what that means for us is we ought to anchor all of our policies in this area in a positive, affirmative vision. We shouldn't walk away from that aspiration for a free and open global Internet. And everything that we do should be focused on building as big a coalition as possible around that vision. But at the same time, we have to be clear-eyed about the way our adversaries see the world. So I think this gets to the role of diplomacy, 20 years of ground game diplomacy at the United Nations. You know, one yard and a cloud of dust work resulted in the framework for responsible state behavior in cyberspace. Which is really three things: it is a commitment that human rights law in the real world extends into the digital world. It's a set of principles governing state behavior and a set of confidence building measures. That framework has been affirmed unanimously and repeatedly by every UN Member State. I would challenge us to identify any topic today, in today’s geopolitical environment, where we could get unanimous UN Member State endorsement. So that's the principle, that's the aspiration, for what we are trying to do and then making it real requires, you know, similar kind of ground game diplomacy every day.
>> NILOOFAR RAZI HOWE: Ambassador Jaarsma how aligned are we from a diplomatic perspective, globally, US with the Dutch more broadly, and did Nate accurately describe the reality of the Internet?
>> NATHALIE JAARSMA: Absolutely, and fantastic to be here. Thank you. Just to add a couple of perspectives to what Nate just described, I think indeed the UN normative framework is really essential and it is about responsible state behavior. I think the majority of the countries around the world want to behave in a responsible way. But they're not always capable of leapfrogging into the Digital Age. They want to do that and they want to do it in a responsible way, and we need to make sure that countries are capable of doing that. And doing that in a way that cybersecurity is part of the mix. And if we don't do that, of course we all understand here in this room what the cybersecurity consequences could be. But also, the level of trust in digital products in those countries will dramatically reduce. The other concern about these countries that are still to leapfrog into the Digital Age is that with new technologies being developed, the differences between sort of poor and rich can actually become bigger. And that could have real-life consequences in terms of people starting to move and poverty. So that's something also to keep in mind.
>> NILOOFAR RAZI HOWE: Great, thank you. Wendi and Kevin, you guys are alternatively the special forces in cyber, the Red Cross of cyber. The, you know, the first responders, the ER docs of cyber. As we sort of move forward this aspirational world in cyberspace, there is still a reality that there is a lot of adversarial activity and we are not necessarily aligned in terms of what uses we can use cyberspace for. So Wendi, starting with, from a private sector perspective how do you see the threat landscape evolving in cyber?
>> WENDI WHITMORE: Well, I think I would take that to just a more tactical example of how it actually plays out between – and I’ll give an example of a case that our team ran that ultimately involved foreign governments as well as international law enforcement. So over the course of the past year our team was called upon to investigate a case in Denmark. The organization was headquartered there. And what we identified was it was, you know, the early hours of a ransomware attack and they were receiving a threat. So we worked pretty quickly to take the information they had to then determine what's next, right? Where does the data point us next? It pointed us to four servers that were located in Lithuania. Unfortunately for the attackers but very fortunately for us we had a very strong relationship with the Lithuanian SIRT. So we were able to work with them closely and within an hour, we were able to take those four servers offline. We got images of those, started burning through the forensics and we identified that there were actually 30 other victims of this same ransomware group. And we noticed, you know, we wanted to confirm but we thought it doesn't look like the attackers likely have – it looks like they stored all the data that they extricated from these organizations here.
So sure enough the attackers got in contact with us, asked us, you know, hey our demanding – their initial demand was $12 million, US dollars. And so we said well hey, you know, we're happy to talk to you but we would like to have proof that you have the data that you said you extorted us on. Because we weren’t sure that they had it and we thought for sure they didn’t know that we were already working with Europol and Interpol to take that data offline from those servers and we had them actually stored in an evidence locker. So sure enough, these attackers came back and forth, started making a lot of excuses trying to buy time. Turned out that they didn’t have access to the data.
So while we were working through that with our primary victim we were also able to work with law enforcement to do notifications of over thirty victims. We were able to have access to the encryption keys to be able to decrypt all the data they had, you know, attempted to extort from these organizations. And so not only did we enable our victim to not have to pay this massive ransom but we actually prevented them from being successful in 30 other organizations. And then we were able to give that information to law enforcement and officials abroad to be able to track down people responsible for this actual attack. So I think, you know, it is one thing for us to broadly state I'm a huge proponent of public and private partnerships. Palo Alto Networks is, I’m sure all of us here can agree on that, but when it gets down to the tactical differentiators of here is the work we can do to make a true impact on cybercrime when we have that whole flow working, I think it really can be pretty empowering.
>> NILOOFAR RAZI HOWE: So let's pull the thread a little bit on public/private partnerships. Kevin, you have been at the forefront of so many incidents not just domestically but internationally. What are the lessons from recent incidents, whether it’s Ukraine, Costa Rica, Albania – with respect to the role of the private sector, the role of public sector, and what role diplomacy can play?
>> KEVIN MANDIA: Got it. Yeah, so much. We've got 40 minutes and I'm going to need 50. The – very quickly – just the role of the private sector in the cyber domain and the role of public sector, it is the domain that's shared by both to secure, period. So you have to play the infamous team ball. If you were in the security business in the private sector you better be working with governments because governments were formed to secure nations for the safety of their citizens. So that's kind of fundamental to what governments do.
When Ukraine is a great example because everyone worked together. Palo Alto Networks, the private sector Microsoft wrote a great report. Mandiant had people on the ground there responding. At the time of impact, pre-invasion, post-invasion and you want to be at the center of the cybersecurity universe. And at the time last February and March, and even prior to that, Ukraine was. You saw in the United States CISA set up really a means to communicate all TTPs and threat intel in a live feed to a bunch of different organizations that are critical to detecting new and novel attacks as well as what do you do about those new and novel attacks.
What's interesting to me and why this panel is so important though is tools, technology, and people will not solve the cybersecurity problem. You still have to have diplomacy. On any given day we will wake up and there might be hey it is a great day for the cyber domain, there was no new zero days; everyone is good to go. We are not seeing any fires. You get a respite. But it’s an ecosystem that can get vulnerable or fragile very quickly. Hence, you need to have a deterrence during times of peace, period, and we don't always know the impact of any modern cyber-attack, there can be collateral damage. It is hard to govern downrange the impact of some of the things that people do. And because of that for years, everyone inside baseball as we say have recognized how critical diplomacy is, kind of the final leg of the journey. Without diplomacy, both on offense rules of engagement, how should we behave. And diplomacy and partnerships to create risk and repercussions, you are going to be constantly playing goalie in cyber domains and goalies give up goals.
>> NILOOFAR RAZI HOWE: Before we turn to our next question, I just want to let the audience know that we will open up to Q&A toward the end of the discussion. And if you want to prefer to Tweet questions to me, that's all I'm checking on my phone. My handle is @Niloohowe. So feel free to Tweet questions and I’ll go through them and ask ones that might be relevant to the conversation.
So I want to open this question up, Kevin, you bring up cyber diplomacy and the importance of cyber diplomacy. How can cyber diplomacy – do we have concrete examples of how cyber diplomacy has actually reduced the threat and driven outcomes? Or are we too early days so far? Who wants to take this?
>> NATHALIE JAARSMA: Yeah, sure. I think cyber diplomacy, like sort of the result – it’s a mixed bag. As Nate was saying we’ve had 20 years of negotiations about normative framework. That's cyber diplomacy, it’s nations coming together and agreeing on what is responsible state behavior. So we build a very clear yardstick to measure responsible and not responsible state behavior. In the recent years we have made I think great effort in terms of calling malicious behavior out. I think we need to do better in terms of getting feedback loops on that. But we do know that statements have led to discussions in those countries. I think another result is that we are still talking also to countries that are actually having an active cyber program against us.
And also, within the UN we're still talking. So that is – that's a good thing. But indeed, we also need to do better and we were discussing this previously. I mean within four Ministries but I think in general, in bureaucracies you see that cyber is sort of a separate silo somehow. And we need to be better at integrating it into our overall foreign policy. And our minister has just signed off a new international cyber strategy, it's still going through our interagency so hopefully we can adopt it like next week or so. And there we actually made a decision to be much more proactive and use all foreign policy instruments that are at our disposal. So economic, security, development aids, and ultimately, the military to actually address these cyber challenges.
>> NILOOFAR RAZI HOWE: One of the things that you just mentioned is calling malicious actors out. And I want to turn in to a specific incident that everyone here will be familiar with which is the Viasat attack a few hours before the invasion of the Ukraine. We knew pretty fast certainly in the private sector that Russia was behind this attack. And yet it took two and a half months for us to attribute this attack to Russia through a coalition. No one did it alone, it was the US, UK, EU coming together to do a joint attribution. Two and a half months to attribute during time of war is a long time. Why did it take this long and how can we improve it? Nate, you want to start that with that?
>> NATHANIEL FICK: I don't want to but since you are naming me I will. Look, I think a certain reality is that attribution over the last decade or so has evolved from being primarily a technical challenge to being primarily a political challenge. It is technically feasible – much more technically feasible to do quick attribution now than it ever has been. In the case that you are talking about, let's just hypothesize a little bit and think about newspaper stories about it. We are dealing with the largest shooting war in Europe since 1945 in the context of a NATO alliance of 30 countries that have their own domestic points of view and political systems and perspectives.
And a bedrock is central in everything that we do is that the alliance speaks with one voice. So you might imagine in the wake of the Viasat attack that some NATO Member States, particularly along the Eastern flank were more assertive. Wanted to be more assertive in their response. I don't think that anyone was in a hurry, certainly the United States was not in a hurry to invoke Article 5. The collective defense article in the wake of that attack.
>> NILOOFAR RAZI HOWE: We'll get to Article 5.
>> NATHANIEL FICK: Okay. You can send that one to somebody else. And there are some other states, you can imagine, that were not interested in attributing the attack to Russia. So I think that two and a half months, Niloo, reflects the political reality of attribution and the need to get 30 governments speaking with one voice, which is ultimately the kind of unity that we need to maintain to ensure that the further invasion of Ukraine results in a strategic defeat for Russia.
>> NILOOFAR RAZI HOWE: But will it take two and a half months the next time? Because in an act of war, it’s still a long time to do attribution. Or have we changed the mechanisms and are we building trust? Kevin, I think –
>> KEVIN MANDIA: Well, I think there is public attribution and then there is attribution. And so that’s – they’re different. But I was thinking about the history of it because I remember when in 2014 Sony Pictures was breached and the president of the United States got on the TV and said that North Korea hacked Sony Pictures. That’s pretty clear attribution, unless you thought it was Wag the Dog. But then you go to maybe it was 2016, Anthem is breached and to us it was really obvious that breach was Chinese cyber espionage and there’s not a peep. So it is obviously a tool in the toolbox for politicking and timing and many other factors will go into a government publicly attributing an attack to another nation and it is probably a lot more considerations beyond my cybersecurity expertise that go into that. But I think, you’ll probably never get a predictable rate depending on other events that are going on at the time. But privately I don’t think there was any doubt among all the folks that were doing cyber defense who would advise that.
>> NILOOFAR RAZI HOWE: What’s interesting about the 2014 Sony attack is when President Obama attributed it to North Korea, it created a whole bunch of doubt that it was actually North Korea because we did it alone. And so this change in policy which is we will not do attribution alone which Ambassador Fick, you just talked about, I think is an important change in policy as well. Kevin or Wendi, can you guys talk a little bit about how the private sector can support this process of confirming attribution from a technical perspective? And again, whether politically we make the attribution, I agree is a more complicated question.
>> WENDI WHITMORE: Sure, I will start and turn it to Kevin. But you know I think the reality is that if there was ever one single source of truth, if that ever existed in the cyber domain I'm not sure that it did, but it certainly doesn't today, right? And so what it requires is triangulation across such a wide variety of data sources and the insights that Kevin's team has telemetry into are going to be different and I think quite complementary to the insights that our teams might have with access to network, cloud, and endpoints. And then different than what – what FBI might have; what the NSA might see; what CISA might see. But the reality is that all of those data sources being aligned and being able to, you know, pull in the artifacts to get to decisions is really what’s key. And us being able to do that at speed from an information sharing perspective will get us to those answers sooner and, you know, maybe to help Nate out, be able to get those answers quicker so the next time it doesn't take two and a half months.
>> NATHALIE JAARSMA: I would like to add something on the information sharing because I think that's crucial. I mean, you mentioned three entities coming on board on the attribution. But the reality of that third entity is the EU and that's 27 countries. So these 27 countries need to negotiate among themselves on the exact language and based on the information they have. There, of course, we rely heavily on intelligence. And I think here we really welcome the information that is shared by the private sector. Sometimes behind closed doors, sometimes out in the open. And actually, when it is shared openly, I think it also helps to make sort of societies more aware of what's going on. So we really welcome that. And it certainly helps to speed up our processes.
>> NILOOFAR RAZI HOWE: One question, how has the role of the private sector changed in active conflict? And in what ways is that supporting cyber diplomacy and in what ways does it complicate cyber diplomacy? Kevin or Wendi, do you want to talk about how the role –
>> KEVIN MANDIA: I would love to hear how Nathaniel thinks about that. First, before I reply and then I’d love to hear that.
>> NATHANIEL FICK: I’m happy to share a point of view. I think that every – most dark clouds have a silver lining, maybe not every. The cloud of Ukraine war is certainly dark. But if there is a silver lining it’s that in my view it accelerated public/private collaboration in a way that was extraordinary. Look I spent ten years as a CEO in the cybersecurity space. And when I would get hauled into a government meeting my eyes tended to glaze over because public/private partnership usually didn't mean much. In this case it really has, so whether it’s migration of the Ukrainian government enterprise to the cloud or the proliferation of satellite communications, or the incredible threat intelligence feedback OODA loop that has really helped in blunting Russian attacks inside Ukraine. This has been a seismic shift I think in how government and industry collaborate and there are some lessons here that I know all of us are working to capture and hope that we can apply in future cases.
>> NILOOFAR RAZI HOWE: What would those lessons be?
>> KEVIN MANDIA: So things have changed because I remember in the ’90s the risk and repercussions to a breach were few but the impact wasn’t as big. But you know we all depend on technology now where our lives – everything we buy, how businesses run – when businesses come off the grid they can’t even operate. And now cyber domain has national security implications when there are attacks. And so obviously the government and the private sector have to work better together and it does. You know, at Mandiant and at MOS and at PAN and most security companies, maybe we compete on the surface. But every time we see new and novel, phones are getting picked up and people are getting called, have you seen this before. And it doesn't betray the privacy of the victims, it doesn't do anything other than help us protect nations from the attack, organizations from the attack. And that's happening faster and faster.
We even see it this year, you know for the last 15 years we have tracked the thing called dwell time at Mandiant and we have responded to 1100 breaches in the last year. And dwell time is down to 16 days, meaning from the moment something is compromised to the moment they know. When you go to zero-day development it has rocket shipped up to 55 zero days in the last 12 months after nearly two decades of averaging somewhere around a dozen. And it’s because we’re getting better at shutting the window of exposure and that’s done by the private sector sharing amongst each other regardless of competition. As well as sharing it with the amplifier which is now in the United States primarily CISA going to the Cybersecurity and Infrastructure Security Agency. So everyone stumbles through that one. And so the bottom line, that's my way of saying the whole darn thing is compressing the window of exposure for organizations. And that's a good thing.
>> WENDI WHITMORE: And I think just to add on what Kevin is saying there your question about what is the private sector how are we impacting it here. Well, he is talking about increasing the cost to the attackers, right? The more we force them to use more zero-days in a shorter period of time, it costs them time and money and skills to develop those. So it essentially is then forcing them to enact more to raise kind of their playbooks and ultimately I think putting pressure then from a diplomatic perspective we can decide how to leverage that.
>> NILOOFAR RAZI HOWE: I’d like to just point out that how private sector makes diplomacy more complicated hasn’t been addressed yet but I want to actually ground it some –
>> KEVIN MANDIA: Well, you got to 0 in the private sector we write reports all the time so to address that directly –
>> NILOOFAR RAZI HOWE: I was going to refer to one, yeah.
>> KEVIN MANDIA: You don't throw them out there. You really do have to have some kind of barometer for what the impact would be. You don't write reports for marketing purposes. You don't write reports just to get your name out there. You have to be intentional, you have to work with government partners and recognize that you are going to have the right impact when you do things like publicly attribute for something or even when you commute zero days and you are writing about those. You have to work with the vendors and sometimes government partners that make you do it in the right way. So you know, there is probably a 20-page book on how to do it but the bottom line is you can't throw things out there. You do have to coordinate with the right folks.
>> NILOOFAR RAZI HOWE: And a really interesting point example there is Mandiant's APT1 report which came out in 2013-2014. Up until 20 – up until that point, our strategy with China was one of engagement. That was a wakeup call for a lot of folks that China was doing some things that weren't necessarily friendly with respect to the US. So you want to talk about a little bit the impact of that report?
>> KEVIN MANDIA: When you are on the inside it is hard to tell because to be clear we wrote a report – I think it was like February 18th of 2013. So going back over a decade. But I remember working with David Sanger of the New York Times on this report and I just went to work the next day thinking no one would read the article so I misread the moment. But what we were trying to do at that time was there was a whole bunch of CEOs, really worldwide, being compromised from China because there were no rules of engagement. There was no standard of behavior or expectations of behavior by nations going on offense. So you had frustrated CEOs, you had Congressman Mike Rogers trying to say we needed an information sharing law in the United States. And so there was a lot – and by the way it was probably six other factors that kind of put us in the chute to get something out. Plus we had been responding to the same exact intrusion set for seven straight years, 141 victims, and nobody seemed to be having dialog about it. So that was a clear opportunity to give the government a tool to start to dialogue about the issues. A lot of times it is easier for the private sector to say China is doing this or North Korea is doing this. Because it’s a little bit less pie in the face to a nation when a private sector does it. Because by the way every time we accuse China of anything we are irresponsible and wrong. We can handle that.
>> NILOOFAR RAZI HOWE: Does it create risk for the private sector to be this involved in driving policy? And Ambassador Fick, you used to be in the private sector and on the receiving end of it?
>> NATHANIEL FICK: Look, I think the APT1 report really changed everything. I mean, that was a watershed moment in how industry contributed to the public dialogue. And I can – I believe Kevin, that yeah, you had that conversation with David Sanger and I think in your shoes I would have been inclined to underestimate the effect it would have too. But I think it changed the game. It took what had been a conversation inside intelligence services and inside – to some extent inside companies and put it on the front page of the New York Times. And it changed it in the public dialogue in a way that I would – from my perspective has been incredibly helpful and healthy in getting us oriented and focused on a major strategic competition. And we see this continuing to play out across every technology area. If we had been sitting here 30 years ago having this conversation, one of the implicit beliefs that most of us in this room would have shared is that we collectively had what felt like an unassailable advantage in telecommunications technology, say with Bell Labs and Motorola, and Nokia, and Ericsson and Samsung. We lost that advantage and now we're fighting from behind.
30 years of corporate inattention and government inattention and Chinese IP theft and government subsidies of Huawei have allowed Huawei to basically run the table across large portions of the world, deploying infrastructure that is fundamentally untrustworthy by our standards. And that playbook is being run against every other area of strategically important technology, from AI to quantum science, and biotechnology. And thanks to the APT1 report we are much more clear-eyed today about how that's all unfolded.
>> NILOOFAR RAZI HOWE: I want to turn to a topic that got Tweeted at me which has to do with commercial spyware. So in March the president signed an executive order on the use of commercial spyware, limiting and prohibiting the use in certain categories. Relatedly, a group of more than 40 countries endorsed the guiding principles of the government use of surveillance technology and 11 countries endorsed a joint statement committing to take similar steps as the executive order that the president put out. The question that came through is does the use of spyware by US agencies and allies make it difficult for officials to help stop it from being used by rogue actors and nation states or make its use more legitimate, broadly?
>> NATHANIEL FICK: I don't want to dominate the conversation. I will answer very briefly only because I, in this capacity, had a role in that process. So I think the intent of the EO is precisely that. To ensure that the United States is leading in this area from a position of moral authority where we are living by the same rules that we are asking others to live by. What makes the EO in my mind particularly compelling is that it’s not just a static list of companies or of technologies. It is factor based, and so the hope is that it will be more dynamic and more flexible and more able to be effective over time. But the intent is precisely that, to make sure that we're leading from a position – leading by example, from a position of moral authority.
>> NATHALIE JAARSMA: From our perspective, we very much welcomed the executive order. And I think it is very interesting to see that human rights and national security are being combined. And so, to sort of limit ourselves to buy these kinds of products. In the Netherlands we have very strict export control rules, that's another way to legislate. But I think when it’s about spyware, we have seen that NGOs are at the forefront of this fight. And that also we initially saw that a lot of the human rights defenders, journalists, NGOs were being targeted, then actually because of – well, continued use and actually not really reacting to that. Then more of the higher political leaders were actually being targeted and that's created a lot of political turmoil. I think we see that part of the industry are not so responsible in that regard. And I think it would be great if industry could be part of the solution rather than just having NGOs working on this.
And getting more engaged, like helping these NGOs, perhaps setting up own initiatives to address these ethical issues. I mean in the Netherlands we have, for example, Fox-IT. Of course, they are bound by export control rules but they have their own stricter rules that are based on higher ethical standards. I think that's the way to go.
>> NILOOFAR RAZI HOWE: Wendi or Kevin any thoughts on –
>> KEVIN MANDIA: I don't.
>> WENDI WHITMORE: No.
>> NILOOFAR RAZI HOWE: If not, I want to go back to a topic, Nate, that you raised in your opening comments, around Article 5. Article 5 was created over 70 years ago with the threat of Soviet invasion of Western Europe. And the idea is collective defense is at the heart of European security and NATO allies see armed against one or more in them Europe or North America shall be considered an attack against all. It has only been invoked once in support of the United States following the attacks – the 9/11 terrorist attacks. But there is a lot of discussion right now about Article 5 post Russia's invasion of Ukraine. Especially as we consider cyber effects. Because it is certainly – it's only been invoked once but the idea it would be invoked in the context of a cyber-attack is a question that's on a lot of country's minds that have been on the receiving end of multiple cyber-attacks.
From your perspective, anyone sitting here, how does Article 5, what are the steps necessary for Article 5 to start taking cyber effects into account? And how do we develop the right escalation policy, and then define how it could be invoked? Who wants to take that question on?
>> NATHALIE JAARSMA: Well, first of all, Article 5 is about the impact and not the tool that has been used. So it's always case by case. And as the Netherlands we pushed really hard because we realized that with cyber-attacks the malicious actor is always or well usually, staying below the level of armed conflict. That's what we see. And that's, of course, we're being challenged all the time. So NATO has made a decision, and as the Netherlands we pushed hard for this, to actually make it possible that an accumulation of cyber-attacks actually also could result in an Article 5 situation. But then again, that's – it's case by case. It is the impact and it's really a matter of the decision making within the alliance. I think what would be good for allies to do is to have the internal discussions about what do we see as sort of thresholds for our potential reactions and not necessarily like Article 5 related but more sort of doing this thinking exercise. And including the political leadership in these thinking exercises. And then, of course, that is needed to perhaps then follow up at NATO level.
>> NATHANIEL FICK: If I can just add to that and I agree with everything that Nathalie said. I think it seems pretty clear that we are in a deterrent hole in many ways, where our adversaries seek to do things to us using digital means that they would never do to us using kinetic means because of the clarity of the response policies. And so, it is to our collective advantage to clarify and then enforce how we respond to what. As Nathalie said we're really talking about activity below the threshold of the use of force. Above the threshold you trigger all those other things that we're familiar with.
All the way at the lower end of the spectrum you have this sort of nuisance attacks that obviously are not going to trigger any sort of military response and the interesting conversation is there in the middle. And we see real world examples of it all the time. Iran launched a major attack, cyber-attack on Albania last summer and it continued into the fall and to some extent continued even more recently. I went to Toronto with our ambassador to the United Nations, Linda Thomas-Greenfield and stood alongside our ambassador there to publicly send a message that Albania is a NATO country. And this alliance, this means something.
But kind of coming back to the heart of it, I do agree with, I think, the implicit assumption that we need to extend the full power of deterrence into the digital world using not only cyber means but every ounce of economic and informational and diplomatic, and where necessary, military power.
>> NILOOFAR RAZI HOWE: Kevin, where is the deterrence working today?
>> KEVIN MANDIA: Well, you know, listening to this conversation it's – I think there is some evidence at least out of Russia in 2022 that maybe they were trying to figure out what's the skirmish level below threshold of Article 5 in cyber because we didn’t see the new and novel innovation that they probably do have in Russia and Ukraine. And it stretches incredulity to think if they are not sitting on one to three to five zero days right now but they're not using them.
So maybe that is a diplomatic or a policy decision to say we're not sure about the collateral damage if we do these sorts of things. We're not sure what the reaction will be, meaning the Russians are not sure what the reaction of NATO would be. So we see the blunt force trauma attacks in Ukraine right now. And we're at over 30 organizations responding every day and watching it. And even I expected something new and novel. So I think there was a decision made we're not going to increment in cyber just yet for whatever reason. And maybe that was the ambiguity of the red line in cyber is still sort of unknown and probably would go to what the impact of the attack is. And cyber-attacks, if widespread if all you did today was I got a zero day and it works on this Windows box and you sprayed and prayed it, you have no idea what you are shutting down at that point. If you are irresponsible and you don't have guardrails on what you execute in cyber, you have no idea what the butterfly effect might be on these things.
>> NILOOFAR RAZI HOWE: Wendi, from your perspective is the deterrence working?
>> WENDI WHITMORE: You know, I think – yes, deterrence is working. It’s sometimes hard to quantify, right, specifically where. But I think if we're tying this discussion taking out of the nation-state landscape and into cybercriminal landscape you can talk about certainly the national cybersecurity strategy that was released and there is whole wide variety of comments and topics in there. But one of them specifically talked about disruption to an attacker infrastructure. And that's an area where we certainly see in the cybercriminal landscape a fair amount of disruption activity that requires a great deal of public and private information sharing to enact. Now it is hard to quantify to your question, right? It is hard to quantify the specific impact because we see the tactics in near term right now where we’re saying okay, these groups are shifting, they are trading players more frequently than what happens in football season. But that said we're certainly increasing the cost when we do that. So kind of getting back to some earlier comments. So to that degree that deterrence for future actors I think that certainly to a degree part of it.
>> NILOOFAR RAZI HOWE: Great. So if folks have questions, there is a microphone right here. What I would ask is please go to the microphone. It is right in front of me. If anyone has a question. Otherwise, there is one, another one that's come in through the Metaverse.
>> KEVIN MANDIA: I had another angle because I felt – it is hard to measure if deterrence is working in my opinion. I go right to the risk side of it, I don't think we are imposing a lot of risk to the financial criminals or to cyber espionage out of China or cyber espionage out of Russia. So on the risk side of things you are not waking up every day going wow we just took digital evidence and we got to a human and did something. You know it happens from time to time but another reason why international cooperation and diplomacy matters so much is the only actual deterrence to cyberattacks, quite frankly, is you go from digital evidence to a human and grab the person. You get the person and say that’s – you can’t do that. Everything else isn’t real risk. Naughty, naughty, don't do that is not going to stop it. So I went right to that, the risk of going on offense against most nations is low in reality. I mean, unless you are attacking your home nation, that's not a wise choice.
>> NILOOFAR RAZI HOWE: What kind of cost should we be imposing on bad actors that we're not imposing? And what's the most responsible way of –
>> KEVIN MANDIA: It is better instead of imposing cost is stopping them. You know what I mean, you get them. That’s why we have law enforcement, that’s why you have intelligence. The perfect end to that is quite frankly, you terminate the activity, you know? And that's getting at the source and getting attribution or getting rules that people follow and enforce as nations.
>> NILOOFAR RAZI HOWE: So as you look forward, what are the technologies on the horizon that you are most concerned about and we have the biggest opportunity with ensuring, safeguarding, using cyber diplomacy?
>> NATHANIEL FICK: So take a stab at that. My remit at the State Department includes not only cybersecurity but digital policy, the guts and underlying architecture of the Internet. And the emerging technology portfolio and we are making bets initially to focus our diplomatic engagement on artificial intelligence, quantum science, and biotechnology. As three emerging areas where the diplomatic landscape is still relatively undeveloped. We have a huge incentive that rights-respecting democracies act early and act together to set the rules of the road and establish the guardrails by which these technologies will be developed and deployed and used in the world.
>> NILOOFAR RAZI HOWE: The winner of the Innovation Sandbox this year is a company called HiddenLayer which protects the models – the AI/ML models from adversarial attack which I think is just an example of everyone is thinking about it and think about both the problem and how to solve the problem. Is the most likely answer going to come from policy and regulation? Or is it going to come from the technology sector? Who is going to move fast enough?
>> KEVIN MANDIA: I think it is going to be both. The shift change that I think we are all seeing this week is the AI coming. And I always likened it to the day my Tesla just updated and said it could self-drive and I didn't believe it. So the first day I gripped the wheel on the 280 out in California not believing it and day two I was – I think I was emailing while it drove me. And I think there will be advances in cybersecurity on defense and probably on offense that will surprise us as to the speed. Like identity security might get really, really good really fast. As an intelligence instantiates, that’s normal account used for 98% of your machines and that was abnormal. Do something about it. So I think the shift change will be machines that think and learn and can someday defend themselves in some ways. But at the same timeframe when you do that, offense traditionally adopts new technologies faster than defense so we’ll see.
>> NATHALIE JAARSMA: I think in terms of well, regulations and technology I think regulators always are later than the technology development and for the right reasons. I mean, we don't want to hamper innovation too much. And also you first need to know what the technology is about before you start regulating. That having said, I mean we are all aware of the different geopolitical landscape and new technology is not value free. So I think we need to do better when we develop new technology, to take human rights considerations and our values on board and have that as part of the development process.
Also, when there are like the standard setting bodies, human rights considerations should be taken onboard. As we do as legislators and like in the EU we have the DSA, the DMA, the AI act to come. It's being put on hold because of all the developments on AI. So that first needs to be digested before the law is finalized.
>> NILOOFAR RAZI HOWE: So with two and a half minutes to go on this panel, I'd love to end talking about priorities and whether we have a shared sense of priorities. Going – maybe we start with Kevin and come this way. What do we have to get right from a cyber diplomacy perspective? Cybersecurity perspective over the next 6-12-18 months?
>> KEVIN MANDIA: We may want to just at this point go into overcommunicate the norms. If we have an agreement on the norms, let's get the world to know what they are and then have nations hold other nations accountable. So get knowledge of norms and start looking at each other going are you abiding by them and we will figure out real fast do we need to start enforcing them somewhere and in some way. So I think at this point knowing the norms have existed and we agree to it. We should all amplify that so that the nations and the private sector are aware of them so we can even be on the front lines seeing maybe abuse to those norms. And impacting the enforcement of them.
>> WENDI WHITMORE: I think that technology and diplomacy working in alignment and not opposition. So, you know, some of your questions, right, really highlight the challenges between the two. But the more we can focus on that alignment and encourage the information sharing I think we're going to get closer towards the goals we're looking for.
>> NATHALIE JAARSMA: The same here, I mean I think we all know cyber is teamwork. So I think it's indeed public/private sector teamwork. There's also teamwork needed in between countries that are more digitally developed. And the ones that are still to jump into the digital age and we need to help them. And we also need to team up sort of the ICT industry and the NGOs that are – the checks and balances in our democracies.
>> NATHANIEL FICK: I think two priorities from my perspective. One we have to sustain and maintain the broadest possible coalition around the world on a basis of shared values with respect to developing and deploying and using these technologies. We cannot afford to let relatively minor differences among and between our likeminded allies prevent us from winning the bigger game of presenting a unified front. Larger markets, more R&D dollars, bigger segments of GDP, we need to do this together. And second, we need to build capacity in our organizations, in our foreign ministries, in order to sustain a generational strategy. And we have a couple dozen diplomats from around the world, technology diplomats around the world in the audience here today. We need more efforts like that.
>> NILOOFAR RAZI HOWE: Can you tell us how you are building that capability around the world?
>> NATHANIEL FICK: So we are trying to do it inside our own agency and we’re trying to do it with partners. Very quick examples, we're training diplomats at the State Department and putting them through a school – a training school in cyber and digital diplomacy. We will have a trained officer in every Embassy around the world by the end of next year. That’s a huge initiative on our part, a huge investment. And just this week the selection criteria to be a US ambassador for this year for posts around the world and I’m proud and gratified to say that there is a lot of language in that cable about recognizing the expertise and the importance of these topics and the fact that they are lateral, they influence every aspect of our foreign policy. They are not, as I think Nathalie said in the very beginning, not a vertical. We cannot afford to treat them that way. They affect everything.
>> NILOOFAR RAZI HOWE: Well, I hope you join me in a round of applause for this incredible panel of experts. Thank you.
Ambassador at Large for Cyberspace and Digital Policy, U.S. Department of State
Ambassador at-Large for Security Policy & Cyber, Ministry of Foreign Affairs of the Netherlands