Second Cyber Security Summit
Confidence-building in the cyber-space: The NSA espionage controversy was the central topic on the second Cyber Security Summit in Bonn
By Oliver Rolofs
On 11 November 2013, the Munich Security Conference and the Deutsche Telekom hosted for the second time the Security Summit in Bonn. Before the background of the increasing number of attacks from the Internet and the disclosure of the mass monitoring programs by foreign intelligence services, top managers of German multi-corporate enterprises and leading politicians met in Bonn to discuss the hazardous situation for economy, politics and society. The key message of the summit: Cyber security may only be reached by trust, international cooperation and transparency.
The 2nd Cyber Security Summit organized on 11 November 2013 by the Munich Security Conference and the Deutsche Telekom could not have taken place at a better time. The headlines on the extent of the large-scale spying out by American and British intelligence services, the growing number of attacks against the security of computer networks and, in general, the resulting loss of confidence in the Internet had the cyber-security issue gain center stage on the summit. So, aside from the prospering cyber-crimes, particularly the case of Edward Snowden stimulated the discussions among the more than 150 top executives of German enterprises and top-level politicians.
In his opening address, Telekom CEO René Obermann criticized the Internet monitoring by foreign secret services as counterproductive to freedom. "Freedom also means tolerating a certain degree of insecurity", he expressed his indignation at the disclosures in the recent months. "The obvious extent of government monitoring – possibly bordering on industrial espionage – pushes the boundaries beyond everything what we have considered possible." So the balance between freedom and security has dwindled away, the Telekom CEO explained.
As a response to the monitoring by secret services, Obermann announced intensified activities of his enterprise to guarantee secure communication in Germany. One solution would be the introduction of a so called "Schengen Routing"; like in the unrestricted European border traffic, data packets on data links within Europe would not be routed through other countries. The "Schengen Routing" would be accompanied by a "Schengen Cloud" so that data would not have to be stored in computer centers of U.S. providers. "This is not a question of a nationalization of the Internet", Obermann pointed out. It would rather be a first effective and cost-efficient step to prevent the unfounded storage of many data. The Telekom CEO also advocated a quick implementation of a European Data Protection Guideline which would also apply to non-European companies.
From "Government" towards "Googlement"
Also Ambassador Wolfgang Ischinger, chairman of the Munich Security conference and co-host of the Cyber Security Summit, called for such guideline in order to create the basis for an international "Code of Conduct" for the cyber-space. "Data security and protection of privacy in the cyber-space are digital fundamental rights which are as vital as environmental protection."
The basic EU data protection guideline was therefore past due, he explained. "At the same time we are moving from ‘Government’ towards ‘Googlement’ enabling not only the NSA but also large enterprises to collect big data.“ Here it was not clear, so Ischinger, which protection rules would apply and who were to control them. One was still a far cry away from sustainable international cyber-security agreements whose conclusion would require not only mutual trust but also uniform standards and definitions, Ischinger criticized. Only on the basis of a clear EU guideline a reasonable transatlantic or global dialogue on a kind of "Code of Conduct" was conceivable. With a view to the transatlantic relations which are stressed by the espionage controvery Ischinger emphasized that confidence-building measures were now decisive which would additionally have to be followed by an improved supervision of secret service activities. According to Ischinger, there was an increasing awareness among the Americans of the indignations abroad, and politicians like the U.S. Senator John McCain saw an urgent lot of catching-up to do concerning the parliamentary supervision of secret services. Yet the hopes for a "No-Spy-Agreement" should not be pitched too high. Here the former German ambassador to the U.S.A. called to mind in his speech that espionage as such has attained an international dimension. "Should we not assume that anything technically possible for the U.S.A. would also be feasible for quite different states?" he asked.
This was underlined by the former Israeli Prime Minister Ehud Barak in his subsequent input who said that the heads of states knew since long that they had been tapped. American participants showed their understanding for the outrage in Europe. Howard A. Schmidt, the former Cyber Security Coordinator of U.S. President Barack Obama, declared: "If something is technically possible it does not mean that we should do it." The German Federal Minister of Justice, Sabine Leutheusser-Schnarrenberger, was promptly inspired to declare that she was happy to hear that the Americans "have discovered the protection of data."
Other speakers at the conference in Bonn showed less optimism whether or not a change of awareness would occur on the other side of the Atlantic. So Timotheus Höttges, Chief Financial Officer and designated Telekom CEO, inferred from a meeting with the former U.S. Secretary of State Condoleezza Rice that the U.S. Administration was in fact concerned about collecting too little information.
The Vice-President of the European Commission, Neelie Kroes, who is in charge of the digital agenda of the EU, considered the NSA affair to be a clarion for Europe to start tackling the data security issue. She urged the Europeans to intensify their efforts for more security. Yet she approached Obermann’s suggestion of installing a "Schengen Network" with skepticism. "We should no attempt to keep the data within national borders. If we build nothing but separate national fortresses with different systems in different countries, we will dissect the single market", Kroes said on the Cyber Security Summit in Bonn. Also the Austrian Minister of the Interior Johanna Mikl-Leitner postulated a common European data space which she called an "EU single market for cloud services".
Wikileaks activist Jacob Appelbaum created ripples with his request to the Europeans to grant asylum to the NSA whistleblower Snowden in order to learn more about the U.S. spy programs. EU Commissioner Kroes however saw no need to do so: "We know already enough", she said. The European secret services had meanwhile collected sufficient findings to be able to counter the attacks of foreign secret services. "We have now woken up", Kroes corroborated her position.
Yet the debate on the disclosures of secret service mass monitoring programs, so the unanimous purport in Bonn, should not result in neglecting the necessary attention for other important aspects of cyber-security. This primarily concerned the increasing number of cyber-crimes which had caused damage to the amount of over 750 bio. Euro in the past year alone, according to estimates of Europol. The former Israeli Prime Minister Ehud Barak warned that the attackers were by light-years ahead of the defenders and would continue to be also in the future. The data security problem would become still worse.
Summit paper with postulations
There was consensus in Bonn that the dimension of cyber-security has meanwhile presented crucial challenges to economy, politics and society. The final communiqué of the 2nd Cyber Security Summit gave a summary of major fields of action for achieving a secure digital environment. The basic condition for accepting and using the Internet was to restore comprehensive trust right now in the aftermath of the espionage controversy. Therefore, the extent of governmental cyber-space monitoring would have to be uncovered as fast and comprehensively as possible. Concurrently, a binding international framework for the cyber-space should be initiated based on trust, transparency and cooperation. Such an agreement which would also include the right to informational self-determination and the protection of personal data was to form the fundament of a digital security culture, so a central postulation in the summit paper. Morale, ethics and respect for the right to informational self-determination would have to be firmly anchored in the digital society. Considering a sound balance between freedom and security an area-covering monitoring of electronic communication irrespective of the existence of suspicions would have to be rejected even in the context of anti-terror defense. Freedom without risks is as unattainable as absolute security.
To tighten cyber-security measures three central fields of action were outlined: awareness raising, cyber-security and cyber-commercial policies, and information exchange. So the public awareness for the dangers in the cyber-space which had been increased by the spying affair could now be consequently exploited to raise further the awareness of enterprises, public authorities and private end-users for risks and prevention but as well for the opportunities offered by cyber-security. In this respect, the security of information technology was, on the one hand, an important strategic success factor for enterprises. On the other hand, cyber-security policy was at once commercial policy because high data protection and data security levels would lead to a locational advantage in the globalized world in which technological sovereignty would turn out economically profitable. This required, so another conclusion in the summit paper, an overlapping cooperation and a comprehensive information exchange between government, economy and society about cyber-risks and cyber-attacks.
The Cyber Security Summit in Bonn has once more made clear that cyber-security and data security and the right to informational self-determination have become the most important issues in the international security-political debate. The need for action for the digital society and its economies is increasing, in particular to counter the growing damage caused by cyber-crimes and cyber-spies and the undermining of civil rights and liberties. A fundament of more cyber-security could be built up by international rules and confidence-building measures. This required the necessary raising of awareness, mutual trust and the political will of comprehending cyber-security as a global mission. At the end of the 2nd Cyber Security Summit, the designated Telekom CEO Timotheus Höttges put that straight: "Without trust no security."