Toespraak minister Koenders op Münchner Sicherheitskonferenz

Toespraak | 07-02-2015

Excellencies, ladies and gentlemen,

Thank you for your kind invitation to share a few thoughts with you regarding this most important topic. I feel humbled to do so in the presence of a man like president Toomas Ilves, the man who singlehandedly wired and networked an entire country, so much so that - I am told - they call it E-stonia nowadays. I must warn you in advance: unlike president Ilves I have a complicated relationship with modern technology, my staff can vouch for that.

When I was a teenager, cyber was something my friends and I associated with science fiction. The British TV series Dr Who comes to mind. Back in 1975 - 40 years ago - he had to engage in battle with the cybermen. They are a fictional race of cyborgs: humanoids with mechanic and electronic parts, who are among the most persistent enemies of the good Doctor. 

Have you ever noticed how interesting things always happen at the same time?

These TV series were broadcast almost in parallel with the introduction of the the first truly usable microprocessor, the INTEL 8080. The 8080 changed how computers were created. Its introduction stands at the base of the way in which computer technology made the world that we live in nowadays. Again, as a teenager, I was most impressed by the arcade games that were built around the 8080-technology, Space Invaders perhaps being the most popular one.

Forty years on and here we find ourselves today, discussing cyber in a completely changed environment. Cyber is not about aliens invading the earth. It is the key emerging topic that defines our security.

It is something that concerns all of us, in whatever capacity: citizens who might download ransomware which could hold their computers hostage for money; private sector CEOs who might see their corporate email accounts hacked, witness the recent Sony hack; and government leaders, who are confronted with multiple security threats via the internet. E-stonia learnt that lesson the hard way, back in 2007, when government networks were harassed by a denial of service attack ‘by unknown foreign intruders’, as the NATO website puts it.

I don’t think that I have to expand on the importance of cyber security. It is clear to all that of all ICT developments in the past decades, the internet is the most successful. It has become a critical resource for citizens, companies and governments alike. Cyber security will determine success and failure in tomorrow’s world. 

And in order to fully realize its enormous potential for further growth and innovation governments and private sector need to work together. They have to ensure that the internet remains free, open and secure.

Free and open for it to remain the force for innovation and economic growth it unmistakably is. Openness is what spurred the internet’s phenomenal growth in the first place.

Secure because the trust of its users depends on their confidence that what we do online is safe, secure and protected by the same rule of law that applies offline. Security presumes governance, one way or another.

It is like the banking system or passenger air travel. We invest in safety, not to restrain usage, but rather to promote it. We invest in security in order for legitimate users to benefit and for criminals to think twice about robbing the bank or hijacking a plane. We set standards and reporting obligations not to hamper business, but to promote a stable and reliable business environment. Security is not just the flip side of the coin. It is the coin itself, which we need in order to pay and to be paid with. It is what is needed to keep the banking system, air travel and - by extension - the internet in existence.

It is clear that we have to increase resilience to protect interests in the cyber domain. We are living in a complicated security environment, both physically and virtually. In the hybrid warfare that we face today all kinds of distinctions are blurred. Conventional warfare, irregular warfare and cyber warfare are blended. Regular military forces are faced with guerrilla groups, terrorists and outright common criminals. In such an environment it is difficult to tell apart friend from foe, ally from enemy. Even cyborgs are active, as it was the name given to Ukrainian troops that put up the defence of Donetsk airport. 

What to do?

I see three lines of action: build our defences; set rules of the road; invest in coalitions. 

First: Building our defences:

We must increase the cyber resilience of our societies, by strengthening our systems and our response capabilities. We must pay specific attention to the protection of critical infrastructure protection. If that doesn’t work as it should, the impact on society and the economy can be disastrous.

Invest in public – private partnerships: in the Netherlands more than 90% of internet infrastructure is in private hands. It is clear that we need to work together to tackle this issue. Sharing of information is key; as soon as an attack is discovered, knowledge about it should be shared.

We should work hand in glove with the private sector, but always keep our different roles in mind: government has special responsibilities, for instance when it comes to national security. 

Second: Rules of the road - also known as: governance:

To some cyber seems to be like the Wild West; but cyber is not a global commons, a lawless area, it is created by servers, cables, switches and datacentres that are based in sovereign states.

States have to take their responsibilities in taking action against threats coming from their territory. Furthermore agreement on certain norms of behaviour could structure the actions and behaviour of states in cyber.

We should consider zones of neutrality: what elements of cyber should be off limits and so that they cannot be attacked, for instance the nuclear industry, hydro-electric dams or even the backbone of the net?

And another issue to consider would be the level of assistance one could provide to other countries in case of a cyber attack.

And then there is the issue of the protection of human rights online: the freedom of expression and of association, the right to privacy. How to make the internet accessible to the poor and underdeveloped parts of the world, to name just a few questions in this respect.

Governance is an issue that pops up in all kinds of discussions regarding the cyber sphere: president Ilves has been very active in this field, having chaired the Panel on Global Internet Cooperation and Governance Mechanisms, bringing together many stakeholders. He will be better qualified to reflect on this matter. 

And third: Invest in coalitions:

Cyber is by nature cross border; we are targeted by cyber criminals that operate from foreign jurisdictions. They can use our servers for attacks directed towards third countries.

Our response needs to reflect this reality: we should invest in capacities in third countries in order for them to benefit from the growth potential of the internet, and to protect our citizens from challenges emanating from overseas.

We could do so not just by exchanging best practices, but also by increasing the capacity of Computer Emergency Response Teams (CERTs). They are the first responders of the cyber domain. Legal frameworks must be in place to fight cyber crime and law enforcement officials should be trained in cyber issues.

Actions in these three fields do not only promote the vision of a free, open and secure internet. In doing so we will actually make it a reality. 

These areas and efforts are exactly the ones that will be on the agenda during the upcoming Global Conference on CyberSpace in The Hague on 16 and 17 April 2015. This conference will be thé platform for discussions about these issues between the different stakeholders in the cyber domain.

It will put the vision of a free, open and secure Internet at the centre of our discussions as an open invitation for all to join this vision.

We will have a multi-stakeholder top level participation to discuss the challenges of the cyber domain like cyber security maturity, privacy protection, international law and norms of behaviour.

We will have concrete deliverables for public and private sector participants to take home.

One of the key sessions will focus on creating safe ways to do business using the Internet, covering the topics we will discuss today.

We will launch a large new initiative for capacity building in cyber, open to states and private companies in order to assist countries to create sufficient capacity to improve cyber security and prevent cyber crime.

And finally, last but not least: we will put the issue of international norms of behaviour on the international agenda as a key issue for peace, security and stability in the cyber domain. This is the first step towards a future cyber arms control regime.

Conclusion

Trust in a free, open and secure Internet will be a key determinant of success in tomorrow’s world; we need to step up our efforts to realize this vision of the net.

I hope that our meeting today will help us to draw a better map of the risks to cyber security; it will help us in preparing the Global Conference and I hope to welcome many of you in The Hague in April.