"The Internet is Less and Less Spotify and More and More WannaCry" – From the MSC Cyber Security Summit Tel Aviv

Can we establish rules for conflict in cyberspace at all? What are the lessons states, companies and citizens must learn from WannaCry and Petya? These were some of the questions which senior leaders from politics, business, academia, and the intelligence sector debated at the MSC Cyber Security Summit 2017 on June 28. Building on the success of last year’s summit in Silicon Valley, the 2017 sequel was featured at yet another global cyber hot spot – Tel Aviv, Israel. Together with Deutsche Telekom, the Munich Security Conference partnered with the Israeli National Cyber Directorate and the Blavatnik Interdisciplinary Cyber Research Center to host this summit at Tel Aviv University.

Isaac Ben-Israel, Director of the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University, welcomed the participants to the MSC Cyber Security Summit 2017 (Photo: MSC/Kuhlmann).


MSC Chairman Ambassador Wolfgang Ischinger opened the Cyber Security Summit (CSS) with the grim assessment that "we are permanently under attack." Indeed, the recent malware strike in Ukraine had yet again exposed the lack of adequate cyber defense mechanisms throughout the world. Isaac Ben-Israel, Director of the Blavatnik Center, reiterated Ischinger’s sense of urgency and welcomed the participants not only to the CSS but also to the Cyber Week – a series of cyber-related events that were held in parallel to the CSS. Thomas Kremer of Deutsche Telekom warned that societies must not wait until an actual digital catastrophe happens before taking decisive steps. He called for a committed international effort as "cyberattacks do not stop at national borders." Eviatar Matania, Director General at Israel’s National Cyber Directorate, drew a comparison between the industrial revolution and the digital revolution and reminded participants that the cyber security challenge must be met whilst also upholding human rights and democratic principles.

Updating grand strategies
The first session featured an in-depth discussion on how governments could adjust their security strategies in the cyber age. Panelists agreed that the logic of deterrence was significantly affected by the cyber age and that "cyber-only" deterrence was almost impossible. Journalist Georg Mascolo expressed his concern that "the internet is less and less Spotify and more and more WannaCry," stressing that deterrence was hardly possible when it was unclear how destructive cyber weapons actually are. Participants also mentioned that the impact of low-level, continuous attacks on relations between states was still not sufficiently understood. Frédérick Douzet, professor at the French Institute for Geopolitics, noted that the systemic risk in cyber space was significant – and that it constituted a global challenge as fundamental as climate change. Panelists agreed with NATO representative Sorin Ducaru, who pointed out that maintaining basic cyber hygiene would prevent a significant number of current cyberattacks. Accordingly, he urged that much more awareness, training and international standards were necessary. On this issue of legal norms, Oleg Khramov, Deputy Secretary at Russia’s National Security Council, told the participants that Russia had repeatedly been trying to establish international standards in cyber space. However, these efforts had fallen on "deaf ears" with Western governments, he argued. Khramov cautioned that this inactivity played into the hands of cyber terrorists and that the international community "should stop playing games" and act together.

Protecting critical infrastructure in an interconnected world
The following panel focused on infrastructure vulnerabilities. Gundbert Scherf of McKinsey gave a brief presentation on the exponential growth of devices connected to the internet. With this in mind, he emphasized that a staggering 84 percent of companies felt ill-prepared for the increasing challenges of cyber security according to a recent McKinsey survey. During the subsequent discussion, Thomas Kremer of Deutsche Telekom stressed that in order to meet cyber security challenges, companies had to be fully transparent on vulnerabilities, breaches, and hacks – but states had the responsibility to do the same. Joshua Corman from the Atlantic Council endorsed Kremer’s remarks and noted that infrastructure protection had to be prioritized based on how dependent societies are on a particular infrastructure. In this regard, Corman emphasized that the health care sector was the least protected and most vulnerable at the moment because most hospitals or clinics currently do not even employ a single security expert for digital protection. However, additional resources alone will not solve the challenge. Alberto Hasson, Executive Director of Israel’s Cyber Emergency Response Team, argued that a mindset change among executives and employees could significantly improve the protection of critical infrastructure.

Confronting cyber norms with reality
The previous two sessions had made clear that the development of common international rules was urgent and imperative. The last panel of the afternoon featured a discussion on who should develop and determine such norms. Michael Sulmeyer of Harvard University argued that private companies played a crucial role as intermediaries to reduce the frequency of retaliatory cyberattacks. Microsoft’s John Frank agreed and stressed that tech companies had no interest in conducting "offensive" cyber operations. In fact, he noted that there was a new momentum among cyber technology companies to cooperate on making devices safer. He announced that Microsoft was optimistic about presenting additional proposals for cyber norms in the near future. Focusing on the responsibility of states, cyber policy experts Chris Painter, Karsten Geier, Sven Sakkov, and Iddo Moed discussed the development of cyber norms on a global level. Coordinating these efforts for the U.S. and German foreign ministries respectively, Painter and Geier noted that a United Nations Group of Governmental Experts had made important progress already but that some crucial issues remained on the agenda. According to Painter, some states just did not want to be bound by cyber norms. The decisive question was how to sanction such perpetrators and impose costs for their malicious behavior. In the absence of a global consensus, like-minded states should go ahead and develop ideas.

Cyber challenges for intelligence agencies and the future of warfare
In addition to these three publicly broadcast discussion sessions, the CSS also featured off-the-record events. Ahead of the summit, an intelligence roundtable, held in cooperation with the Institute for National Security Studies, dealt with the question of how change in the cyber domain affected both terrorist activities and the work of intelligence agencies. The participants agreed that terrorist actors used sophisticated cyber technologies for propaganda and recruitment but had so far failed to acquire serious cyber capabilities in order to hack critical infrastructure or government servers. However, many believed that this could change in the future. The participants also discussed what kind of access to private data was necessary in order to prevent terrorist attacks and which kind of public scrutiny and political oversight was essential. A second off-the-record night cap panel debate, co-hosted with the Herzliya Conference, dealt with the future of warfare. The speakers and participants discussed the most important disruptive innovations and broader developments for warfare in the digital age and how they affect strategic thinking. For instance, the debate covered generational changes and attempts to ensure the applicability and implementation of international humanitarian law in modern conflicts with a strong cyber component. Finally, a lunch session, hosted by the German Foreign Office, featured a discussion on how to defend democratic processes and the integrity of public discourse against digital threats.

Outlook: Cyber Security Summit 2018 in Tallinn, Estonia on May 29
The strong public interest and high-level participation at the summit underscored the significance of cyber security. The Munich Security Conference is committed to continuing its cyber security series at another important global hub for cyber security next year: Estonia’s foreign minister Sven Mikser announced during the summit that the dialogue will continue next year in Tallinn with the MSC Cyber Security Summit 2018 on May 29.


30 June 2017, by MSC