"Governmental Silos Won't Work" – From the Debates at the MSC Cyber Security Summit in Stanford
Could the US presidential election be affected by cyberattacks? How can our critical infrastructures be better protected? How can digital growth be safeguarded? And what steps can and should governments and companies take to fight online jihadism? These were some of the key questions leaders from politics, business, the military and academia debated at the MSC Cyber Security Summit (September 19/20), which the Munich Security Conference organized together with Deutsche Telekom in Silicon Valley. The conference was hosted by the Center for International Security and Cooperation at the Freeman Spogli Institute for International Studies at Stanford University.
*Videos of the debates, highlight recaps as well as photo impressions from Stanford are available here.*
"In 2011, when I opened the very first session on cybersecurity at the Munich Security Conference, I introduced it by saying that cyberspace amounted to a new 'wild west' in security affairs," MSC Chairman Wolfgang Ischinger said as he opened the summit. "In the five years since, that West has only become wilder – and the stakes much greater. That is why a close exchange between experts, policy-makers, and industry and military leaders is more critical than ever."
The impact of cyberattacks on the US elections
Discussions kicked off with a debate on the issue of cyber security and the US elections on November 8. The discussants assessed that the evidence clearly pointed to Russian secret services as the perpetrators of the DNC leaks. As one speaker noted, the operation followed a script that had been tried before in Ukraine and was now applied to the US elections. One participant emphasized that Russia or other foreign agents could not "steal" the election, but that they were able to raise significant doubts about its legitimacy. Others remarked that the structure of the US system made it quite vulnerable to foreign attacks because opponents could specifically target voting machines or voter registration files in a limited number of swing states to great effect.
One participant argued that what was really new about the situation was different: "We have had hacks and information operations before. But a candidate basically inviting a foreign power to meddle in the election – that’s new." In the Night Cap Session, taking place at the Computer History Museum, a participant later asked what would count as an operation triggering Article 5, the collective defense clause of NATO, if the operations targeting the core of the democratic system in the US did not. This question only underlined the importance of the debate that has only begun. As one participant put it: "How should we respond to information operations? Tit for tat? Or what can we do to get the truth out there?"
Cybercrime and its consequences
The participants also discussed the economics of cyber security and ways to safeguard digital growth. Walter Kuemmerle, the moderator of the session, underlined that the value of the cyber security market still amounted to only about a fifth of the known damages, with a high number of unreported damages on top. Marc Goodman, the Chair for Policy, Law and Ethics at Singularity University, emphasized that a cyber crime was usually different from a stolen car: "Most people have no idea that they have been the victim of a cyber crime or data breach." And the risk of punishment was extremely slim. As he put it, "the chances of ending up in a courtroom after committing a cyber crime is one in a million or higher." Speaking from the perspective of a service provider, Deutsche Telekom's Senior Vice President Thomas Tschersich noted that companies had to fight thousands of attackers at the same time while the attackers had to be successful only once: "This is not a level playing field." Tschersich and others also stressed the importance of usability and product design that made it easy for customers to protect their data.
Raising resilience through better cooperation across sectors and actors
In a panel discussion on the protection of critical infrastructures, speakers from different sectors provided their perspectives. Gundbert Scherf, the Commissioner for Strategic Management of Armament Activities in the German Ministry of Defense, stressed that cyber was becoming ever more important for the German armed forces and argued that different ministries and sectors had to work together: "Governmental silos won't work when battling cyber vulnerabilities." In his remarks, Deutsche Telekom’s Thomas Kremer had also emphasized that "our chances to fight cyber crime are far greater when we collaborate" and argued that our "responses to cyber threats have to become smarter." For instance, Kremer pointed to self-healing systems that would automatically try to detect weak spots in the respective system and develop patches. Elisabeth Paté-Cornell, Professor of Engineering at Stanford University and an expert in risk analysis, argued that while organizations were indeed becoming better prepared to fight crimes, adversaries were also becoming stronger and developing increasingly sophisticated tools. Given limited budgets, risk management was crucial.
The participants also agreed that education was crucial. Several speakers pointed out that there was a huge demand for well-educated cyber security experts but still a dearth of university programs trying to fill this gap. The importance of knowledge for cyber security was also stressed in the Night Cap session under Chatham House Rule, which asked whether the soldiers of the future would come from West Point or rather from the West Coast. The panelists noted that technological change would lead to continuous adaption of the military, which also had to open up itself to other sectors and careers in order to become and remain attractive to the people they needed.
The quest for international cyberspace norms
Day two of the Cyber Security Summit featured debates on the quest for international cyberspace norms as well as on terrorist and criminal uses of the internet.
The panelists of the first discussion session unanimously agreed that there had been remarkable progress in developing norms for cyberspace within a very short time. Yet, they also noted that the world was still far from having a comprehensive and binding framework for accepted behavior in cyberspace. According to Latha Reddy, a member of the Global Commission on Internet Governance and former Deputy National Security Advisor of India, governments could provide leadership in the development of norms and rules, but in the end, a multi-stakeholder approach would be crucial. According to Microsoft’s Scott Charney, industry representatives, in particular, needed a seat at the table when discussing new norms. Referring to a recent debate at the Munich Security Conference, however, Chris Painter, Cyber Security Coordinator at the US State Department, noted that different companies often had very different views on necessary norms. Elaine Korzak, Cybersecurity Fellow at Monterey’s Middlebury Institute of International Studies, stressed the need to move beyond the creation of norms towards their implementation.
Balancing security and civil liberties: the encryption debate
The final conference discussed the fight against terrorism, online and offline. According to Peter Neumann, Professor at King’s College London, galvanizing the bottom-up power of the Internet would be crucial in order to effectively fight groups such as ISIS: "The US can set up a few Twitter accounts, but it’s a drop in the ocean compared to what ISIS collectively can mobilize." Neumann cautioned against hopes that a defeat of ISIS in Iraq and Syria would mean the end of the terrorist threat.
This discussion also focused on the tensions between civil liberties and the demands of law enforcement. FBI Deputy General Counsel Gregory Brower argued that encryption was a good thing, but that it also came with certain costs. It would be up to the people to decide about the best possible balance between liberty and security. The answer would only come after an intensive debate. Martin Hellman, Professor Emeritus at Stanford University and one of the founding fathers of public key cryptography, quoted former NSA directors – who had argued themselves that end-to-end encryption would be a good thing for America. Hellman said that, instead of a debate, a conversation was needed, because both sides had to overcome their misperceptions of the other. "You have to be curious, not furious!" Only then would a good balance between security and liberty become possible.
The 24 hours of discussion at the MSC Cyber Security Summit in Stanford certainly featured both: debates, but in particular intense conversations on current and future cyber security challenges.
The Munich Security Conference Cyber Security Series continues with a roundtable at our flagship conference in Munich (17 to 19 February 2017).