
Dropping Cyber Norms: What They are & How They Will Shape the Internet

BSides DC 2018 · 47:45 · 98 views · Published 2018-11
Category: Policy
Style: Talk
About this talk

There is a growing call for the establishment of 'cyber norms' to guide acceptable behavior in the digital domain. After years of discussion about cyber norms at the United Nations Group of Governmental Experts, negotiations fell apart last year with little sign of revival. Given the inability of governments to establish these norms, corporations have taken it upon themselves to establish these rules of the road. However, there are significant hurdles to norm implementation and diffusion, including the technical difficulty of compliance, and overcoming significant collective action problems that emerge due to so many conflicting interests. Despite these hurdles, both U.S. corporations and the U.S. government must push forth to establish the rules of the road that support democratic values and the benefits of a free, open, and secure internet. Absent American leadership, other countries are stepping forth to fill the global vacuum and asserting norms that are antithetical to a free and open internet and individual privacy. This presentation will discuss the opportunities and challenges of cyber norm diffusion, including recent failed efforts at the UN, as well as the emergence of private-sector driven initiatives such as the Tech Accord, currently signed by forty-four companies, and Siemens' Charter of Trust. I will conclude with the outlook for norm establishment at this critical inflection point in time.

Andrea Little Limbago (Chief Social Scientist at Endgame)

Andrea Little Limbago is the Chief Social Scientist at Endgame, where she researches and writes on geopolitics and cybersecurity, data science, and directs the company's technical content. Her writing has been featured in numerous outlets, including Politico, the Hill, Business Insider, and Christian Science Monitor. She also presents at a range of security, government and academic conferences, covering cybersecurity topics from norms to bots to attack trends.
She previously taught in academia and was an analyst at the Department of Defense, where she earned a top award for technical excellence. Andrea holds a PhD in Political Science from the University of Colorado at Boulder, where she taught international relations and foreign policy courses, and a Bachelor's degree from Bowdoin College.
Transcript [en]

BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers for making 2018 a success.

Good afternoon, everyone. Thanks for coming on an early Saturday afternoon to this. I'll be talking about cyber norms, which is what everyone loves to talk about, so it'll be exciting. Part of the title, I'm sure you've heard in mass media: we see a lot of "dropping cyber bombs," it's the kind of thing that we hear a lot. So I'm kind of taking the inverse of that and talking about norms and how we actually can create some guardrails and some rules of the road for how to behave in cyberspace. So I'll be walking through both what's going on in the world right now, but also taking a step back and actually walking through some of the methodologies for norm diffusion, which very much has roots in the social science literature. So we'll be walking on the social science side for a little bit, so that all of you, as you leave and go back and hear some of the tech discussions on norms, have that ingrained and some more of a methodological rigor in that area.

So first let's talk about, you know, what is appropriate behavior in cyberspace. So right now, as far as the targets, basically anything is fair game. We've seen intellectual property stolen across the globe. Privacy and civil liberties certainly don't seem to be off limits for the wide range of attackers. Critical infrastructure: we're increasingly hearing about various kinds of malware and APT groups that are in certain kinds of critical infrastructure. We saw, after the hurricane, ransomware hitting a town in North Carolina, the water utility, so that's certainly not off limits these days, it seems. And then obviously elections, something that we've been hearing a lot about, and there was just another indictment yet again this past week for interference in the 2018 election.

So given this, you know, basically the Wild West, we've heard presidents and other kinds of leaders basically use the analogy of cyberspace as the Wild West. And so when it comes to digital behavior, you know, what are those rules of the road? For the most part they just don't exist right now. And so those rules of the road, in more formalized terms, are what norms are. And so the key thing to even just start off on, I think when we hear people talk about norms, there isn't an agreed-upon, you know, especially within the security community, what we even mean by norms. And so linking back to social scientists, who have followed norms and researched them and reviewed them for decades: norms, at the most basic, are our shared expectations of appropriate behavior. And so they are those guardrails, they are the rules of the road that everyone agrees upon. There are some that are formal, like in legal aspects, like legislation that gets passed to formalize some of those rules of the road, but there also are a lot that are informal, and so I'll talk about some of those as well when it comes to cyberspace right now.

And again, I know that we generally as a community hate using, you know, the word "cyber," for cyber norms, cyberspace, cyber sovereignty, but at the end of the day it's what's in doctrine right now in a lot of discussions, and it's what more of the popular audience tends to understand. And so it's a way for us to communicate with a broader community as far as what's at stake here. And so there will be, you know, way more "cyber" used in this talk than normal, so I apologize for that ahead of time. Yeah, I would not recommend doing that as a drinking game for this talk.

So we have two competing visions right now. So, you know, we talk about how nature abhors a vacuum, and so because there's this absence of cyber norms out there, there are different visions right now for crafting those. And so on the one hand we've got cyber sovereignty, which more or less is every state has control over the internet within their borders, to various degrees. And then at the other extreme of the spectrum is the multi-stakeholder model, which is much more in line with the utopian vision for what the internet was actually created for: a free and open and secure internet that helps preserve data privacy and security. And one thing to note as I talk about these: these are two ends of a spectrum, right, and so the realities are always going to be a little bit off, but these are sort of the visions that are really driving various policies that we see going forth right now. I'll go through each of these in much more detail, but before we do that, we're gonna level the playing field and we're all gonna have an understanding of what norms are.

And so part of the reason why we don't have norms right now is because they're actually really extraordinarily hard to do, especially at the global level. And so this is known as the S-curve, for how norm diffusion and norm cascading and emergence actually occur. And so for norms to actually, you know, accrue, I mean really within an organization, anywhere where there's a group of people, you know, there are gonna be some kind of norms that evolve, and so at the global level you can imagine how hard they are. But first there has to be some sort of norm emergence, then there's gonna be some tipping point where they really start to take off, and then they have to be entrenched. And there are challenges at every single one of these steps; it's not just you make it through one step and it's gonna happen. And so each one, especially when it comes to cyber norms, has some very, very distinct challenges.

And so looking at an analogy to show first how hard this can be, we look at the seatbelt legislation. And so most people in the United States nowadays do actually use seatbelts, but when seatbelts were first created almost no one used them. And so in '68 they required lap belts, actually, you know, within the cars,

but no one was doing it, and some of the major reasons why people pushed back on it were because of civil liberty infringement and just over-regulation. So they didn't like the government coming in and telling them, you know, what they should be doing in their car. However, given that there was that emergence that came from the government, as far as requiring the lap belts, that actually led to a bunch of research that came about. And so, you know, about 15 years later, over a course of 15 years, there was a lot of research that went into the value of wearing seatbelts and the lives that can be saved. And so all that research started to permeate, as far as the safety benefits of it, and so it started to lead to a cascade. So that research then also forced or encouraged a lot of other states to start doing the seatbelt policies as well, and so between '83 and '89 an additional 34 states required mandatory usage. And so by now something like 87 percent, roughly, depending on the stats, of adults wear seatbelts in the United States, even though for about a third of the states it's actually only a secondary offense; it's not really that much of a penalty. And the big reason is that the norms have evolved over time. I think anyone who has kids now, for them it's just second nature to be putting a seatbelt on, whereas when I was growing up, you know, it was kind of questionable whether we would be wearing them or not. But basically it's an informal norm in many ways that is just something that's done. And so that's how you can think about norms occurring in different areas. There's something very similar thinking about norms as far as against weapons of mass destruction and chemical weapons, and, you know, those could be whole talks on their own.

So let's return back to security. And so norm propagation, you're starting with norm emergence. The biggest problem we're seeing right now in the cybersecurity area is leadership. And so there is a very big leadership gap as far as shaping the digital norms, and I will walk through the various leaders that are starting to step up to fill in the vacuum, but it really requires some sort of norm entrepreneurship to actually force these norms to start to elevate and become more of a discussion. We're currently in a place, like I said, with the cyber sovereignty visions and multi-stakeholder models, and there aren't universally accepted norms. Now, on one hand everyone says, oh well, it's still early, you know, we really haven't had the internet all that long, but, you know, it's been a couple of decades and, you know, the impact that we're seeing just keeps elevating more and more, and more and more countries, the use of the internet has permeated enough states now where there should be some sort of norms. But here's one of the big challenges right here, is in the leadership.

But even if we did have the leadership at the global level to push forth the appropriate behavior in cyberspace, we have a major collective action problem. And this again, I think, you know, we hear about all the various actors that are out there doing various things online, but then again, you know, that does contribute to a lot of the challenges that are out there. So not only do we have roughly 200 nation-states, depending on what group is categorizing them, we also have plenty of criminal groups, we've got the mercenaries who may or may not be, you know, state-affiliated, corporations are even getting into the game as far as various kinds of behavior online now, and in that way especially, you know, the offensive behavior, and then, you know, terrorist groups, activists, lone wolves, and I'm sure there are some other major groups out there. But in general this leads to a major collective action problem to get these various groups together to help formulate what the proper rules of the road are. And so, you know, at the most basic level, if we even could just get the nation-states to agree, that would help us go a long way.

And then even if we were able to go past the cascade problem and the collective action problem, getting into entrenchment: and so for norms to really become fully entrenched, like we saw with seatbelt use, where it just becomes second nature and everyone understands what the proper rules are, the entrenchment really is hard due to compliance. This is probably something that is not terribly new to anyone here, the challenges with compliance. How do we know the actors are actually even adhering to these norms, right? It's pretty easy to obfuscate their behavior; dwell time, as far as figuring out how long someone's actually been in the network. So even though an organization may say they're adhering to the norms, maybe they're not, they just haven't been caught yet. So along with that, with attribution, then obviously you think about incentives. At the nation-state level, many states don't want to show their hand, right, and that's actually been one of the discussions we've been seeing a lot this year as far as the government is how much did the US government show its hand as far as their offensive capabilities. And on the politics side there's actually been a lot of interesting back-and-forth in that area, as far as how much do you reveal, because if you can reveal enough it may help deter. And so that's again another area of discussion, but at the end of the day when you have 200 different countries trying to figure out what to show of their hand and help us with deterrence, it makes it incredibly hard for norms to proliferate.

And so look at the collapse of global norms. We've got cyber sovereignty, we've got the multi-stakeholder model, but there actually have been some efforts to try and push forth. Unfortunately many of those efforts over the last year have basically fallen apart, and so I will talk about some of those, of which many

of the reasons, as you'll see, are because of that S-curve and just how hard norms are to create. So, sort of on the two different ends of the spectrum: from the United States, the Department of State has for quite some time integrated the notion of norms, and norms as constructed in a way along the lines of spreading the internet to help promote democracy, to help promote a free and open internet and security along those lines. Given the state of, you know, cybersecurity at the State Department, which has been pushed aside a little bit and has been redirected in many areas, there are a lot of people concerned, without the State Department guiding cyber norms, who in the US might be. So it was a little bit of a relief, I would say, to see that the new cyber strategy from about a month, month and a half ago does reiterate the notion of the norms. It's using very, very similar language to what we've seen in previous cyber policies, and so that's great to see. So we're seeing it actually out there, and one of the reasons why that matters is it does signal to the rest of the world that the US still wants to try and push for some leadership in the area of promoting a free and open internet; it is established in their doctrine. So that new policy was great to see. And so we see several policies really calling out norms, and if you look at the cyber policy and do just a search for norms, you can see it quite a few times. And so that's why, again, this isn't something that's just some theoretical exercise; it's where policies are getting pushed, and they're going to have real-world impacts on how we act as a community but also, you know, across the board on civil liberties and in conflict and so forth.

So on the other end we've got the International Strategy of Cooperation on Cyberspace, and that's the Chinese version, which in many areas sounds very similar to the US. It has a lot of similar language used within it, but it really focuses much more so on empowering the state to control the data within their borders. It's really framed as an area of self-defense; that's the reason why, for the cyber sovereignty proponents, they want to protect the data within their countries to help defend against the US, or whatever adversary they may have at the time. And so it's framed in a self-defense notion, but then again it also has a lot of nationalistic aspects to justify access to data.

And so just a few years ago, and it actually kind of seems like a lifetime ago now in international relations, China and the US did sign the Sino-American agreement. So what prompted this was in 2014 there was an indictment against a handful of PLA members for cyber espionage, and so that then led to a series of processes where the US was talking very publicly about possibly sanctioning China. And to avoid something like that going on, the leaders got together and basically agreed against the use of cyber-enabled espionage for government purposes, and for commercial purposes as well, because there also was, you know, the perspective of the unlevel playing field, by commercial espionage knowledge going to the corporations, which in China are very closely state-linked. And so that was the agreement that happened in 2015, and again, you're looking at the trade wars and so forth going on now, it's interesting to see this wasn't that long ago, which also should give us hope that perhaps we return to that at some point.

So looking at it through the S-curve of norms, you look at the emergence. So what really, the event that kind of triggered it, was the US indictment, and so we can look at that; there could be some disagreement on that, but I think if you were to point to one major trigger for it, I'd say that really helped lead to the process that led to, and the threat of sanctions led to, the emergence of this kind of agreement. And so what was interesting, after China and the US formed this agreement, it then was trying to also form very similar agreements with other democratic states; Australia and Canada, for instance, also had very similar agreements signed with China. And so you could start seeing that, you know, like that cascade starting to tip off. Where it got sticky, I think, as all of us know where this is going to go, was in the entrenchment issue area, and so whether or not there was compliance.

And so for an update on where that went: at first, you know, we thought there was a desired effect. I think in 2016, you know, I was sitting in on a talk, I think at Black Hat, where you saw the great graph showing how all the Chinese activity was going down, so everyone pointed to this agreement as a sign that China had stopped doing the cyber-enabled espionage for commercial purposes, and within our community there was a lot of discussion, like, well, it worked, you know, it changed behavior. But then signs started to emerge that maybe that didn't happen. And so if anyone remembers from last year, the CCleaner attack, which ended up targeting a bunch of, you know, a couple hundred different companies with one level, that had an additional payload that targeted just a very select handful of some of the big tech giants, and so that again was linked back to China's behavior. And then just earlier this year, I think it's in March of 2018, the US Trade Representative report on Chinese commercial behavior and commercial theft highlighted very much so that China was still continuing with cyber-enabled espionage for commercial purposes, and they linked back to Siemens, Moody's and a solar power company as far as the continuation of this kind of behavior. And so that really led to, you know, the breakage of this kind of agreement. And what's interesting, just yesterday I was reading there's a new report that came out from the Naval War College in conjunction with, I think it's, Tel Aviv University, showing that what China had done immediately following this agreement was actually using different ways to redirect traffic that was coming from the US and redirect it through China first, especially, I think, traffic that was going to South Korea; they were redirecting that traffic to analyze it. And so what you see with a lot of, when you get to the compliance issue with it, yeah, perhaps the tactics at the very tactical level changed, and so the overarching behavior didn't change, their tactics did. So that was one, that's more

the bilateral aspect of how norms can go. At more of a global level, the UN Group of Governmental Experts has also been trying to push forth these norms at a global level, and so in 2004, so we're looking at, you know, almost 15 years' worth of trying to push forth these kinds of agreements. What they really wanted to focus on was the low-hanging fruit, really: what can we use, what's the lowest level that we can use to stop this kind of behavior? And so they focused on areas that they thought most countries would agree upon. And so it's, let's not interfere in emergency response groups, right; I thought that seems like a pretty low level. Let's not interfere in critical infrastructure; that turned out to be a harder one. And so they were really committed to some of those that may or may not have been viewed as either low level or low-hanging fruit, but unfortunately by 2017, and even so they had five different GGE meetings every couple of years on this, by 2017 it basically collapsed. This is last summer that the Group of Governmental Experts collapsed, and part of the big disagreement was on this right to self-defense. And so, which again, the framing of it is what matters a lot, because with the right to self-defense you can see the countries arguing on both sides. Those that are arguing for the right to self-defense were trying to protect against the onslaught of attacks that were going on to their companies, whereas many of the groups that were doing some of these attacks thought that they were militarizing, by talking about self-defense, the militarization of the internet in a way that they did not want. And so the major disagreement, they just couldn't come to agreement on there. And there also was a notion of whether the law of armed conflict, which has been around, you know, in some ways for almost a millennium depending on how you look at it; they had previously agreed upon that the law of armed conflict did apply to cyberspace. As far as the impact, you can think about when hospitals are attacked through cyber means and brought down during wartime, which has actually happened, you know, should that actually be considered a war crime? And so those are kind of the discussions that actually are already going on across the globe, and we still have no clear understanding of where that line is. And so the UN, sort of the biggest hope for actually starting to create what's off-limits and actually identify some of those things that are off-limits for attacking, has basically collapsed. And so part of the reason for that great disagreement is the collective action and the dueling visions.

So I'll go a little bit deeper into what those dueling visions are. So on one hand we've got the multi-stakeholder model, and so again this is the utopian vision, and it's aspirational, of how to build an open, secure and resilient internet through that kind of consensus among like-minded states and corporations. And so the key tenets on it: they want internet freedoms, privacy and security, really identifying what is off-limits versus what can be done. And it's one of those things, even for people who might be a little bit more skeptical that we could actually achieve this kind of global vision, it's one of those things that without sort of that vision to look towards, you know, that vacuum gets filled by, we could pretty much all guess, opposing forces that may not have more of that aspirational vision. So having leaders push forth something in the realm of an open, secure internet has huge implications for security and privacy, which is something that is really at the core of what we're doing within this community. And so these kinds of discussions are really relevant, really impactful, and something that I wish more in this community would get involved in. And I think the challenge is that either the policymakers don't always engage as well this way, so hopefully down the road we can see a bit more collaboration between the two.

So while it is aspirational, there actually are some formal signs we've seen from the US as far as, you know, what is off-limits. And so we hear a lot about the indictments; there's been a steady stream of indictments really since 2014, and they picked up a lot over the last year or two. And I hear all the time in discussions, like, why are we even doing that, we're never even gonna get the perpetrators, they're gonna stay in their country and nothing will ever happen to them. And so sometimes that's true, and probably a lot of times that's true, but actually there have been a fair amount of arrests as well. And so there are some reasons for that, as far as the perpetrators actually can be brought to justice. There are other benefits though, in addition to that. I was just in Chile, and there their Department of Defense actually pointed to the US doing indictments and sanctions as justifying why they also made indictments and sanctions, in a case where their major bank had been attacked over the summer. And so what happens in the United States, getting back to the leadership issue: by the US having these indictments, by doing sanctions, by doing persona non grata, that series of steps so far, that on the one hand are very, very minimal, they're starting to establish what some of those red lines are, so that like-minded countries are more likely going to follow suit to what we're doing. And that's just one of those aspects that happens naturally with the United States. Yeah, question?

Right, so, yeah, you know, on one hand, 100 percent, there are challenges going on in the United States right now, and the point, along those lines, that we can't even get our own act together. Many countries can't get their act together right now, so there's a lot of changes going on in their national environment right now. So even with the challenge that we have going on in protecting our own democracy, with being able to protect our own corporations, absolutely, we're, you know, we're struggling very much so to try and do those kinds of things. But then again, if we don't do something, you know, not doing anything is not the solution either, right? And so while we could sit back and just kind of let it happen within the United States, that's not gonna make anything better. And so again, aspirationally, we need to be doing these things to set that red line, so that the adversaries, attackers, start to understand, one, what's not fair game, what's off-limits, and then, two, that there will be repercussions for it.

And I think this whole, yeah, so this slide is actually intentionally full of tons of words, because so much we've seen the media say, well, the US is just getting attacked left and right, and we see all the different articles that are out there as far as how many millions of dollars, how many corporations, how long the breach time is; that's all we hear about. And then basically the overwhelming sentiment is that the government's doing nothing. And so this is just to highlight a little bit: there are some things, and on the one hand, you know, it's a little late, this has been going on for a while, but it's getting better than ever, because of these other externalities that come along with it, by doing the indictments, by doing sanctions, especially in response to various aspects. And so it's not just the 2016 elections, where we've seen a handful of indictments, sanctions, persona non grata; the financial system, for the Iranian campaign that was going on; critical infrastructure, with NotPetya. That's an interesting one: with one of the election indictments, you know, NotPetya was actually hidden within that. I thought it was hidden; you had to really read deeply into it. Whereas for us and the community, that's one of the biggest, you know, attacks that we've seen, so it didn't grab the headlines because it's not as sensational as the election interference, but there was some response for that. And the same for, finally, there was some response for WannaCry as well. And so these are just some of the different categories where we're starting to see some formal norms, and this stuff takes time. And that's, I mean, look at that S-curve; it's intentionally there to show just how hard it is. And, you know, technology, as we all know, will continue to expedite and innovate extremely fast; law and policy does not, very much so. And so these are just a handful; I want to show that there are some steps showing, as far as that emergence stage, as far as highlighting what is off-limits for more of the democratic countries. And looking at what we do in the US in this area, again, whether or not it has an explicit impact on that specific attacker may not necessarily be the goal when you look at the higher level, with what signals it sends, what's the broader strategy, and how do other countries perceive that.

So on the other end is cyber sovereignty, and so this is the complete control of the internet within your borders. It's really looking at control of economic data, social data, political data and so forth. And again, a lot of the language around it sounds very, very similar to what we hear from the multi-stakeholder model, which, you know, is different when you talk about some of the disinformation and so forth that could go along with that. But at the end of the day, you know, it's under the auspices of, you know, sovereignty and not allowing others to intervene in your own country, but really what it is, is it's an argument, a justification for, you know, greater state surveillance, greater access to all data of people within their country, doing things like astroturfing, as well as flooding, you know, social media with data, so that it turns out to be a form of censorship because people can't find other kinds of data besides what the propaganda is throwing at them. And then it gets into various kinds of spyware and so forth used by governments as well; it helps justify all those kinds of behaviors that we see.

And just to highlight, just, you know, how much it sounds similar to the multi-stakeholder model, and we want to hear leaders talking at global forums, and this again, looking at leaders actually going out there and the importance of leadership: Xi Jinping, he talked here, but he also just a few years ago talked at Davos, for one of the first times at the World Economic Forum, and gave a speech that sounded very much like parts that could come out of previous American administrations. And so there is a bit of using the same language for very different purposes that we need to be aware of here, but at the same time, because, I mean, it does sound like a good notion, not allowing other countries to interfere, but again you have to think about the government behind it and what their incentives are and what their motivations are. That's again very similar to what we think about, you know, in our community as far as attribution, and why, you know, a corporation, government, whomever may be attacked: you have to look at the motivation and incentives of the various attackers, or whoever's doing the activity. And so I think I alluded to earlier on, those are still two extremes; the reality is always gonna be somewhere muddled and somewhere in between.

So looking at the multi-stakeholder model, I showed some of the examples of what the US is doing, but there's also the GDPR, which is Europe's new data protection. I've heard, you know, the corporations find it very tedious, it's hard; some are embracing it, some are not. So that, I mean, that's again something we could discuss after, but then again, with the GDPR, you know, one of the key intents was to empower individuals to have control over their data. And so while it's not perfect, and I'm sure it will evolve over time, it's probably one of the first major agreements that we've seen globally to help put the power back into the individual's hands for control of their data. And still, absent something like that going on, we're gonna see the other models diffuse more and more. NATO's Article 5, that's the collective security component of NATO, an attack on one is an attack on all; they've now added the cyber component onto it. Part of the challenge with that is that basically that's all that's been done; there hasn't been greater definition as far as what actually is an attack. So you imagine a lot that stemmed from the various, you know, attacks and interference that went on, you know, in Estonia, Georgia, and continued on across the entire former Soviet Union, and so some of those, I mean, even those

aren't you aren't you know hundred percent under the multi-stakeholder model but they're sort of the best versions of what we're seeing right now going on that area okay more of the limit intervention and some some pushback that's going on I think the UK Investigatory Powers Act is probably the one that we see most in the news I think people talk about it also as a surveillance act but the interesting thing with that is after it came into play it was basically a vinegar Murray was giving greater access to data through was a lot of pushback within the UK on that so that they're actually being forced to up you know to update and evolve the policy to still

take some baby steps and start protecting people more so individual data more so and so that's where a lot of plays that it's important to have the aspirational version so that when some of these other policies pop up you can point to those and also say well this is where we need to be going we understand the government has a security needs but individuals have their individual rights to protect as well u.s. rule 41 as well as the one where you know the government asked me I could get access to data outside their jurisdiction by remote access so that again is one that's been there's been a lot of pushback there's again within the United States and so

none of these are treat it like none these are finalized right as far as you know that the conversations over and so while they've been passed there's still plenty of agreement that's really trying to push that and you know trying to once things are trying to appease a different interest groups that are going on and say Oh something just to keep an eye on the other one you know from within the more of it the group of democracies so Australia has now recent proposed legislation allowing basically requiring some sort of backdoor and so basically enabling some sort of encryption to be frightened means for government to access even with an encrypted software and so on the one

hand so that that actually stemmed from the five eyes which are the the group of like mine states Norman New Zealand Australia UK US Canada and all five all of those groups agreed to this kind of policy so seeing Australia as a first mover in this something we should actually also keep an eye on because we still have encouraged and the encryption battles are not over as much as we'd like to think that they are they're not going away anytime soon then finally on the other end we've got the cyber sovereignty the Shanghai Cooperation organisation which is a another political and economic global group of states very much so it's pushed forth that the proper behavior and their their

guidelines for how to behave I think I've accessed aspects like the Great Firewall Maranon has a national Internet it's the various means of data censorship and manipulation were seeing across the globe censorship has been on the rise for I think at least the last six years across the globe and all that gets linked back to these broader policies and so given that we have always Princeton countries doing all these different policies whereas you know the internet emerged first says you know that this global you know one global internet one worldwide web what the reality of our moving more and more towards and have to start being more prepared for this notion of data localization and so it's also considered

splinter net balkanization however you want to talk about it as far as you know more government policies breaking up and having different different requirements for how data is stored and accessed and so currently we have over about a hundred different countries have some poor of data localization and so again depending on its we're you know how you actually think about it depends on where you're actually sitting and so from the countries that are enacting a lot of this data localization new there they dirt right there their argument is that we're protecting data and whether they're protecting data for the individuals or for government access or things to to keep in mind something questions to always be asking so at

least 100 of them have heavy to propose or have enacted some these legislations Vietnam has one that very much sounds like it's copying the the China playbook in many ways and so requiring tech companies to store data on be enemy citizens in country and so again the justification for that is that we've seen the breaches that go on here it's it's either lack of faith and the companies to store and protect the data elsewhere but also is adjust its also an under the auspices of having government have access to that data as well when they want to India Samoa has passed legislation requiring local storage of data on transactional data and you can start think about how hard that's going

to be to actually keep track of all of that and then the US FDA which formerly known as NAFTA actually had this is the u.s. New Mexico Canadian new free trade agreement there's a chapter on that on e-commerce that people actually interested in this area I may want to take a look at because within that within however you want to pronounce this horrible new acronym within it there's a chapter on how to craft policy safeguards and so there are some implications and they that and some concerns that the way that they've crafted it is going to make it much harder for those in the u.s. especially we or Mexico or Canada to provide additional privacy safeguards on

data and so we need to keep an eye on that and see where that may evolve into you bets it skins one of the things where all this kind of different legislation and proposals aren't just in new security legislation they're also in trade legislation other areas where data access and data protection is a high priority and this is again as just one graph of it again why I like showing this it's one it's super non-intuitive for how we would think about as far as you know data protection or data localization and so it's it's all where you stand on it depends on where you sit you know do we want data protection laws you know in certain countries are gonna

even if they're very similar then the day the impact may be very very different based upon what government is in charge and so a lot of it goes back to you very some more fundamentals of democracies or support Arian what government access is and then ongoing battles between individual control data versus government access to it but this is just one side the shows the the the variation that starts that's starting to go on they've named and obviously they didn't even analyze the entire globe but those are just some of them and so it's interesting that's also going on as you as the countries are kind of flailing around a bit trying to figure out any

other own path for helping shape what the appropriate behavior and cyberspace is you're corporations who are the ones many cases under attack a lot are starting to take over as far as providing their own means to shape the norms and so just a few years ago Jeff Moss you talked about norms against as well as things where you think about you norms may not necessarily how to place you within more on the tech side but it does because it all becomes very very integrated as far as looking back to security and privacy but what always you kind of makes me laugh about this is they you can just be a norm like it's like it's you know very easy to do and

it's not it's very very very very difficult it'd be great if we could just say let's let's be on the easy button too and make you know these norms what's off-limits occur but not you know it's easier said than done so these are three of the major efforts that are going on right now there are some other ones like Carnegie and has created a group of norms for the financial industry but these three that I want to talk about just really briefly there's a tech Accord and if anyone has been following that at all so think a year I think RSA perhaps in 2016 is when Brad Smith from Microsoft first talked about a Geneva Convention for for cyber security

that has over time has evolved into going into the you know what into a broader group where something like 60 global companies now I think initially even just in April when it was this is actually a release was maybe 30 ish country our companies so it's now doubled and there's some of the major companies that are out there and basically what they're doing is they're identifying the rules of engagement they're identifying that but whether or not there will give access to government's whichever government and so they're looking at it very much so as all countries are created equal and so because they are these are global corporations that have that are working across the globe and so they're not

going to allow access to certain kinds of data they're agreeing not to act off on the offense on behalf of anyone and so there's a list out there of you know sort of like that shalt not within this tech accord and so that's probably the most prominent one that's out there about a month or two after the tech accord was released the charter of trust was put out by Siemens and so if you remember I talked back earlier about Siemens was one of the group's was under attack a lot and was written in the US trade rep document for that the breach from that's been a link back to China so Siemens now has brought together about

eight additional members and what they're focused on is a little bit different for the tech Accord they're really focusing on security throughout the supply chain and in providing sort of the framework for all companies that are part of this Agreement must all adhere to these various levels of cyber security so if you think about the tech Accord is more along the lines of you know what the rules of engagement are and how they're gonna interact with governments and how they're gonna protecting the data Charak Trust is a little bit more of a cyber hygiene you which is again one of awful terms that's out there it's more along those lines and especially takes a it approaches the

supply chain issue as well which we don't see as much elsewhere now finally there's the global Commission on Sibelius cyberspace and so this is an interesting one and Jeff Moss is part of this one so it's got people from the tech community it's a Joseph 9 who's one of the major international Asian scholars on norms also has some government people and it has representatives from all the major regions it's not Western dominant it's really getting a global perspective as far as all the commissioners that are on it and what they're doing is that they're gathering it's almost like they're trying to recreate what the UN couldn't do by bringing in all the different groups and all different

interests together and provide those recommendations over the next few years and so that's one that I think I'll be interesting to see what comes up what they come up with again they're that they're they're interesting as far as they're more of a fusion of both government and private sector and if anyone was following you know Tim Cook was in the news fair amount this week for some discussions on privacy and so and we're getting and how corporations are starting to step up and be much more vocal in this area for setting the rules of the road for what what should be done and what should not be done and so in his presentation and in Brussels is just

earlier this week you know the right to have personal day to minimize rights knowledge right to access the right to security these are some of the fundamentals that are their core to the debate that's going on between the two different stakeholders

Yeah, where does the right... So, the GDPR has the requirement that someone could ping whatever company and get their data back from them; that's one, or the right to be forgotten, which is also part of the GDPR. So it's a big umbrella term for those various kinds of aspects for an individual's data: understanding who's taking what and who has it.

And so, sort of the current state of where things are going, given all these new cross-cutting issues and all the different actors: I'd really highlight the way norms occur. Stepping back to more of the formal frameworks and so forth, there are the traditional forums, the IGOs, international governmental organizations; we've seen that with the UN, the Shanghai Cooperation Organisation, the EU and so forth. The bilateral agreements, we saw that with the Sino-American agreement. Then non-governmental organizations and advocacy groups, and there are a lot of those; those are the groups that we're looking to for forcing and encouraging a lot of these other actors to push forth, to advocate in many cases for security and privacy. But I think the addition, what's different about now versus how norms used to occur, is really the role of the tech titans as well, so the really big corporations, and that's why I wanted to talk through some of the efforts that corporations are doing right now. They're having a much oversized play compared to how we used to see global norms crafted and shaped, so absolutely keep an eye on what they're doing. That also links back to the fact that we've seen all the big tech companies brought to the Hill, and so far I haven't seen much go on, but it may very well be just a matter of time before we see more pressure on those areas.

And we're also seeing, for sure, this sort of cross-pollination going across different industries. I talked about it a little bit with the new NAFTA, as far as having other areas, like commercial areas, tying privacy and security into it. So the UN treaty on human rights is actually starting to look at creating binding rules for how corporations behave, which I think is really, really interesting. This isn't something that has been discussed a ton, and it's not scheduled for release until next year. What they want to do is look at it this way: traditionally the treaty on human rights as it pertains to corporations is going to look at workplace violence and conditions, along those lines; they're starting to look at whether there should be something along the lines of how corporations are protecting the data and privacy of individuals. And so that's one of the things that's under debate right now; there is draft legislation, so you can certainly find those online. And then in turn, for all this stuff, the compliance issues: will corporations be held liable if they fail to adhere to the rules of the road that are crafted? And so again it's something to keep an eye on for next year; if you're interested in this area I'd recommend taking a look at what's drafted so far. But it's one of the things where you don't necessarily look at a UN treaty on human rights as something that might then have repercussions within the security community, and we're really starting to see this cross-pollination across different areas. That's because, as we all know, security does absolutely permeate all aspects of life.

And so one of the reasons, in the US, that we're talking about new potential shifts going on in the legislation is that there's more and more support. So talking about the new NGOs and some of those groups within the US, there is more and more support for some sort of regulation going on on tech in the realms of preserving privacy and security and data protections. I mean, this is actually something we don't normally ever see, shifts this big on a topic over such a short period of time. And so again that's just something that I would keep an eye on, where public opinion is, because basically if we give up and it's assumed all of our data is out there everywhere, there'll be no legislation, nothing will change. And so that's again something to push forth and really help encourage and make sure that's done the right way, which is the other thing as well: regulations could also go badly.

So looking ahead, I'm going to leave a few minutes for Q&A if you have any. So it is hard; we've got all these different interests going on; it's really difficult to actually get past the entrenchment, and there really isn't a common consensus on where the boundaries for offense are, where the boundaries for privacy are, who's responsible, all those kinds of things. So if it's so hard, why does it matter? I think that we're very much at an inflection point between these two, and again it's not going to look specifically like one of these; it'll be some variation of it depending on what model prevails. But the cyber sovereignty model for sure is starting to permeate much more over the last few years, and it's not all aspects of it, but different aspects of it. If you think of Brazil blocking WhatsApp for a little while, we see some of that going on in Turkey, you see Vietnam's new policy, and even in some areas you wouldn't expect: some of the Mexican spyware that was found, I think about two years ago, and then some of the challenges that we have in the United States in this area. So it is an aspect where various variations of the cyber sovereignty framework are starting to permeate faster in some ways than the multi-stakeholder model, and I think for me that's very troubling. And so it's nice to see there are still continuing efforts that are going on, and I absolutely keep an eye on watching those.

But at the end of the day, how these cyber norms start to evolve and how they permeate and what they actually look like has enormous implications, not just for democracy, but I'd say it does especially there: in 2016 alone we had at least 18 elections that were interfered with across the globe, so it's not just a US issue. It has major repercussions for conflict and instability: if you look at the role of even social media, like in Myanmar, we've seen some of it helping instigate some of the genocide that's going on there; it has huge repercussions in those areas as far as what's appropriate for data, what the role is that the high-tech giants have in controlling and censoring, which again, if you don't get it right, you could over-correct to greater censorship. Major aspects of national security, I think that's sort of a no-brainer here, but economic security as well, especially when you think about financial systems and what is within the bounds of attacks. Then getting more to the privacy side, seeing data protection: how we even look at data protection could vary, always shaped by these norms. Is it data protection by the government, or is it data protection for individuals? And that's how you link back to the privacy notion at the end of the day. And so cyber norms as a whole is a really large umbrella term for so many different aspects, but they are very much interconnected and they have impacts, I'd argue, across the board here. And so I will leave it at that and give a few minutes for questions, but thanks so much to everyone for staying and for your time.

Question up front. All right, okay, so the first question is on how do we convince, how do we sort of get over the belief that our privacy is dead and, sort of, so long privacy, there's nothing we can do about it. And so, on that one, I think that there is a big core group that think that way, and perhaps they are more vocal. I think there are still enough people that really aren't satisfied with just sitting back and accepting that, and, I'm sorry, we can't accept that. Like, what world do we want to live in? And we as a community, I think, can very much help shape that world that we want to live in through the skill sets that are here, as far as helping preserve data protection, helping protect corporations from having their IP stolen, and so forth. And so I think the more we can actually talk like, here's really what's online right now, or what's at stake, hopefully that can drive engagement, and that's how a lot of these things can change: engaging in these discussions as opposed to it just being black and white. And there are going to be some aspects of privacy that we are going to be handing over; there are also some aspects that we can regain and should continue to try and save. As far as the security, privacy, convenience unholy trinity, which is basically you can't have all three at once, again I would sort of push back: why not? I think security has been behind other industries as far as usability, and there is sort of a push towards more usable security, and so if we can make security more accessible to a broader group of people, instead of just creating tools for ourselves, I think that's a good way to start looking at security, convenience and privacy. That's at the individual level; at a higher level, if you think about the government and Silicon Valley, do you see a tech divide between national security and privacy and surveillance? Yeah, exactly. I mean, even with that, I think the UK Investigatory Powers Act is a good example of where the population saw their government as overreaching, and so through public responses and public feedback they're starting to push back and starting to retract some of those policies and make them more in tune with protecting individual privacy, which gets back again to the engagement aspect: so it's just not accepting it. So it's hard; at the end of the day, having all three is going to be very hard, which is why I don't think we're there yet, but it's something we should not just assume can't be done. All right, I think that's it. Well, thanks everyone. [Applause]