IGF 2017 - Day 2 - Room XXI - WS34 A Digital Geneva Convention to Project Cyberspace

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> CHAIRMAN:  Good morning, everyone.  We'll get started.  I want to welcome you for the workshop.  I want to begin by thanking Microsoft personally for attending to panel and to work with them on this idea, but more importantly to thank them for the conversation that's been sparked on the digital Geneva convention.  Despite the title, I think our purpose is not simply to debate the merits of DGC as some are calling it, but to elaborate on the context, which is given rise to this proposal.  It is situated within the factual circumstances.  I think it is making the address for the street issue areas.  The status quo, the process question and lessons from pass presence.  FIRST status quo issue.  If I may, a quick show of hands for those of you out there, I would like to see people raise their hands that things are going well and some are affected by cybersecurity and the future looks bright.  Can I see a show of hands?  Okay.  I think that proves the point that we have the status quo where many it looks like everyone in this room agrees that the current state of cybersecurity is I sometimes say the normalization of global insecurity.  The ICT is environment is not secure and we need to figure out a way to change things, which then brings me to the issue.  If we all agree we need change and the status quo is unacceptable, how do we do this?  The conversation has been around norms.  Some of that is legal norms.  Clarifying how existing international law applies to cyberspace and cyber operations and things like that.  And some of it is more political formative process.  Operating on the (?) of the UN's committee.  There is the receipt failure of that report our normative state of play faces challenges just like the status quo on the ground.  I think we see two different sets of informative problems out there.  The issues what we call the interpreted issues.  The external issues and we see, for example, recent details about is sovereignty a rule in cyberspace that violate state and operations.  Should we have the global stability on cyberspace and Global Commission.  Should we have a norm to protect the public or the Internet?  We try to agree on what the norms are and even about we have norms, say prohibiting the use of force through cyber means, we have interpreter problems.  We talk now for more than a decade and you still haven't got closer to what the proper interpretations are.  So that brings us to this idea.  We need change.  We can agree on what the norms for those changes are.  What's the process?  What's the way for?  It is here that the digital Geneva convention offers some answers at least from Microsoft this idea among ITCs and treaty among states and attribution council.  It is not the only possible way for it.  So one of the things we can discuss is what are the alternatives to this idea and how do they compare?  Finally, in discussing future processees, we encounter the past.  We got a call to fire precedence, fire processees.  The reality is cybersecurity is not the global governance problem.  There are past successes fur which you can draw lessons and including and not including the Geneva convention itself.  It may seem daunting to expect states to say walk away from signer capacities they seem to have and acquire at a rapid rate.  Remember we used to live in a world where states do sponsor (inaudible) and plunder.  We are not in that world anymore.  They endorse storms where they walked away from those things and happily for the most part, their practices comply.  The Geneva ancestors and the declaration of 1856.  At the end of the war, 20 states said we're done with privateers.  We are no longer going to take private actors and put them under the state's authority to go out and take things off of vessels and take private property.  Today they have endorsed and it is ensconced in the international law of practice.  It is possible and even if the effort is daunting.  We're hoping it can begin a conversation inspired by and not limited to the proposal for digital Geneva convention.  So how should we do this?  I think we're fortunate to breakthrough for participants.  I would like to begin for three different stakeholder perspectives.  To the reasons for their proposal and the contents.  I am then going to ask Ben hiller to add perspectives from the international organizational view point.  And then I'm going to ask Dr. Konstantinos Komaitis who is the policy director to offer some perspectives from ISOCs vantage point.  I am asking them to take five minutes interventions so we can then have a broader discussion panel around some of the issues I have introduced.  And we'll bring out Yvette Isaar.  Tereza Horejsova and Elina NooR. 

And then finally, this is really important.  I want to make sure we leave 20 to 25 minutes for participation by you in the room and remote participants to ask questions and comment on speaker positions, provide suggestions so that we can have a true dialogue.  I have no particular preference.  We have logistics and challenges and any of you that want to speak who we're government affiliated, if you want to express a governmental view, we are permitting that.  I will try to leave the last five minutes to sum up things.  Paul, I will turn it over to you.

>> PAUL NICHOLAS:  I want to thank you for participating in the exchange of ideas and perspectives.  The multi‑stakeholders in this room and around the globe have contributed in advanced ideas, opportunity and innovation.  That's the power.  You developed protocols and technologies and public policies that could arise to platforms that have in turn changed communication and collaboration and society and profoundly positive ways.  The advances in cyberspace that you developed and that we developed together now face fundamentally different threats.  We all know that everyone in this room is at some point more likely to be a vehicle of cyber crime.  And that cyber crime is growing.  But that's not the risk that we're here to talk about today.  Today I want to talk about strategic cybersecurity framework to protect people in times of peace.  If you look at a attacks in the past year, they have disabled in area hospitals, schools, private companies and institutions of democracies.  What's different about the attacks?  These are attacks that were enabled by government exploits or delivered by governments.  Let's think about that for a moment.  Every modern military is going to play in cyber.  Every developed capabilities will then defund themselves in countries.  But today, we see the rise in governments wanting offensive capabilities.  Talk to national security anywhere in the world and they will tell you that a dollar of offense was (?).  So what does that mean for those of us in this room and beyond?  FIRST I think it means you have to recognize governments don't actually do cyber reference.  They actually exploit protocols applications to the platforms that you make as a form of diligence.  That's a very difficult thing to think about.  Again, a different point where governments are in space.  An interesting thing that occurred in the U.S. recently.  They have the defense authorization.  One of the curious requirements in that Bill is that the pentagon now has to send warnings of what their stock is in cyber guns.  I found that really fascinating.  Number 1, they upon calling out weapons and secondly, we're going to now talk about how those were acquired.  I think that is going to bring a (?) in terms of how actually are those exploits developed and then on top of cyber sector product.  Today, more than 30 governments have offensive capabilities of cybersecurity in the U.S.  (?) (low voice) but the challenge here is that cyberspace is not a physical territory.  The nations do not control it.  The name of private party that ranges from personal devices owned by individuals and enterprises to data centers and infrastructures operated by private technologies around the world.  And the methods of conflict are the products that are for office for creativity and communication.  In other words, nations have militaries offense deliver destruction through private sector products.  I think this is particularly deserving in times like these.  The protractive aggressions raise threshold and toleration among victims over time.  Find a way around this.  States are increasingly (?) of international law.  I think that's a positive.  When are we going to bring peace to this?  How will we tell others?  There's a lot to be done in terms of interpretation of what that means.  But states are facing this problem, what does it mean for us?  Those that rely on cyberspace are making products and services.  Government offensive investments say they will be able to patch to that accessibility.  I wonder if that is true about we have increasing number of governments.  Will that hold?  That is where they need to have a very different kind of dialogue.  Code is powerful and it's wonderful.  And it is imperfect.  Whether it's a Private Sector code or whether it's government code, it's perfect.  And we see over here there are even military (?) (low voice) international cybersecurity is very hard.  Governments have been working on solving this challenge long before.  And I thought they were in that space.  They have fought important and fought battles like agreement for major powers on the agreements of cyberspace.  They are building confidence Americans and disturbing attacks on the critical destruction.  But I think the lack of that creates a risk for all of us.  Sometimes governments come up with really good ideas which we among themselves don't go out into the real world (?) (low voice) cyberspace security policy has any growing into a sustainable international framework is going to have to be developed with public dialogue.  They're not something to stop creating (?) but we should understand (low voice) and we work together to how we're going to do this.  In February of this year, we introduced (low voice) not because we didn't think the international wall wasn't sufficient, but part it was to take us to another level of dialogue and get a broader sense of things that we needed to do to protect cyberspace (low voice).  We raised some ideas and there are lot of ideas brought to the table.  One of the things is simple things and governments should have principle based policy and how they're going to (low voice) why do we think that's a good idea?  It forces government to actually have a special outside of the military (?) and other governments to say is this the right thing and we would benefit more from the things fixed (low voice).  Those are important conversations that go around the world.  Other things that we put on there were ideas around how governments think about exercising the strength and not developing weapons of mass destruction and making sure they will go into precise.  (low voice) it is also important to think about the fact that when you're looking at Matt ICT products and the global platforms.  That's really not a place you want to insert back to yours.  It sounds really cool, but the effects of that, I don't think you really understand the systemic of where it comes from.  There is not enough model in the world to understand that.  There hasn't been original discussions.  They also raise some other ideas in terms of what we are doing together to prevent things like (low voice) how can you make sure that (low voice) (?) I think there are many ideas we can put forward.  The other one was also how do we sort of pull back in the frame (?) (low voice) how do we (low voice) (?)

Final thought, producing the chance to (?) if not something that is sold (?).  (low voice) the security and stability of cyberspace will always depend on stakeholder community.  We need to assert ourselves or written off to enough things.  We should be (?) about how we have the interpretation national law to promote the production strategies and protect people online and behavior of the world.  So with that, I urge you to look at some of these and move forward (low voice) (?).  Look on change and interacting and new ideas (low voice)

>> Great.  Great.  Thank you, Paul.  The story how we got here is what companies have made.  Ben, I wonder if we can turn to you.  The international issue space is the FIRST on the scene to reach an agreement on confidence building measures and played.  So I wonder if you can offer your perspective and provide that.

>> Ben Hiller:  Thank you.  (low voice) this is exactly what we (low voice)

2017, I think it was a tough year.  I believe that the approaches and (?) when it comes to what needs to be done.  (?) Microsoft to contributions and trying to push to go forward and to constitute of what needs to be done to promote (?) (low voice) the OCD has been focusing on this deal for some time now since 2013.  And participants are pretty much spanning in all the hemisphere and the globe and Vancouver.  (low voice) there's a unique set of measures to reduce conflict stemming from the use of urges by states.  Essentially, these are tools to prevent installation (low voice) (?) in the heat of the moment and establishing our participation later between states and allow states to recover, but to truly use beside the means.  So our work is closely related to the (?) in the sense that we are operationalizing.  We are there when laws are broken, international law is broken.  Things are negotiated step by step.  So the sense that through this practice, we are contributing to (?) (low voice)

I think this is a fantastic document that brings out the right questions and maybe some questions that we need to answer.  I think bottom line is the use of ICTs (?) and the most sophisticated sides for processes.  And that makes this audience to clarify to develop rules and principles and responsibilities as well as measures to prevent (low voice) (?) looking at the area we need to the multi‑stakeholder.  The thing I have is A, is there a will on a state level in the discussions and see what happens with these regimes thinking of whatever we try to get FIRST to deliver.  International law is broken every day.  To think that will be any different when it comes to cyber, I think we need to be (?).  You also need to address the question of code.  That is directly to that attribution.  Previous regimes when it comes tod world had mechanisms to verify.  It was quite easy to do so.  When it comes to that, this is something that you are focused on much more.

I guess my best point is they are cracking letters and conditions to such framework.  These are questions in the region in the actions.  It is an array of divisions.  Question will be though that it states (low voice) that is something we need to address not only to key states, but also to (?) states and also to private sector.  But I would also say it is private to Private Sector corporations.  That's why I commend Microsoft.  What we had in the past was very much absolutely (?) stakeholder convention.  Who manages it?  Who are the key participants?  Is everyone going to sit at a table?  Is every company going to sit at a table?  Who are the participants?  (low voice) who syncs it?  There are questions and you want to get meaningful that need to ‑‑ that adjust.  At the same time, you need to not forget that things have been (?).  There was agreement and the problem is how they implemented it, how they understood and can everyone gather around these.  How do you social aspect?  It is mentioned to this as well.  You need to think about (low voice) (?) and classical letter of (?) has not been graded for multi‑stakeholder purposes.  The OC is a state.  Many states feel they are hardly responsible for the security.  Of course with the cyberspace, we are (?) a new domain, but that's not quite true.  How do we feel?  I have to mention we sit at the table and they go through a global framework.  So these are some of the things we need to answer.  We will discuss it and we recirculate (low voice)

>> PAUL NICHOLAS:  We raise two questions.  One is political question of how do you move a process for the states reluctant and the question of affecting violations and what happens when the law is violated?  FIRST I want to give Konstantinos a (?).

>> KONSTANTINOS KOMAITIS:  ISOC is an organization that for the past four years it is for Internet that is open and secure for everyone.  So this is that cybersecurity that is one of those areas that we focus on.  I think before I start, I also personally would like to thank Microsoft for bringing this conversation.  I think for the past two years, cybersecurity conversations in particular were reserved perhaps in between us, but right now, my mother talks about cybersecurity and problems that are there. 

Of course there are issues that are very complex and you have a big proposal.  I would like to take you to where Microsoft is and just elevate it and you will be in three elements that are, however, in the proposal.  You will have retribution and also the (inaudible) anonymity and for some key points.  So, this phase we talk about multi‑stakeholder and I think the multi‑stakeholder model and I don't we're apart there talking and the application from other models with the conference.  They're complex and very slow and ultimately, they have them behind closed doors and they just present the results that they ‑‑ we are asked to follow and the rules we are asked to provide them by.  So it would be very impactful especially when we're talking about cyberspace.  They really tolerated the input especially the Technical Community that is already working in identifying solutions to the security challenges that we're facing in cyberspace.  More importantly, we have seen and I think it was a common thing made by colleagues, but can willing processees also do not seem (?).  We saw at the level that things sort of stopped.  The government seemed to have gone as far as they could go and that is a good indication and positive question of why ‑‑ what would be the difference in this case to see (?) and see the results that we want.  From where we're sitting, we believe that we need to give an opportunity to more inclusive processes like the TCSC, but to come up with norms that are able to answer a lot of the questions and solve the problems that apparently we are facing as an international community in cyberspace.  They just came up out with a (?) and we need to provide them space and time to start developing that and start developing more (?) and see how we can move to the enforcement of those various stakeholders.

In terms of attribution, I fell along (?) the community with some people and attribution we need to have some.  The reason you have them is you need to know who is behind those attacks, but there are two elements.  There is the critical element of pure technical element and there are some ‑‑ if you want to (?) especially the technical attribution, I'm not sure how much we have taken.  For example, we don't always know who is behind the top.  We might be able to identify the network that the attack originated from, but we do not know behind who is actually behind this attack.  And there is sharing here whether we will see private network sharing that information.  We need to ‑‑ this network has surveys and we are not there and sure we'll see this more times to share that information from that else.  Last but not least, when it comes to the (?), I think this is a very good thing to come together and actually come up with things that are able to answer to answer a lot of the questions and bring everyone together.  But I would make a suggestion in the technical organizations out there.  They are having to locate on fixing and answering that progress.  So including that and making that comparison is that conversation.

>> PAUL NICHOLAS:  Thank you, Konstantinos.  It is not that there haven't been treaties in the past.  You have to look through (?) and sponsor and go through Civil Society and then we state the action.  It doesn't have to be states.  I would like to turn the next half hour or so to bringing in Ben and Maria and Elina and we pose four questions.  The FIRST is how have governments been using the cyber capabilities and what are the drivers and enablers behind the use of the cyber weapons.  More simply put, what is the effects and what is increasingly militarized signer space.  So ‑‑ cyberspace.  So I open that up for those of you who haven't spoken to frame the status quo at the onset.  Why we feel I couldn't get a single hand raised in this room that says you're happy with the state of cybersecurity.

>> (low voice) we have developed 20 countries (?) cyber capabilities of many natures.  They come from (?) for policies.  My FIRST point to the action and question is you need to develop (low voice)

>> (low voice) the world is profound and you can access (?) you can attack and impact (?) (low voice) based on code and even install enterprises today.  There's this new ability and then secondly, things that are comments from the NSA director that is spring (?) (low voice) emerging cyber powers and they would all contact (?) FIRST strike options.  That may actually (low voice) we need to do a lot more research in this space.  Look around.  (?)

>> (low voice) I would also say that my design is actually some level of restraint meaning that (low voice)

>> PAUL NICHOLAS:  It does seem to bare.  I would like to shift then to the second questions we had.  Taking the point that we probably need to keep an eye on both how we research and think about the status quo on the facts on the ground so to speak or the facts of the virtual ground and the way to characterize the threats.  What about the norm of the conversation?  Where are we in term of how is the conversation involved and when I say norms, I am including legal norms and those based on international law as well as maybe what we call political ones.  Those that are found and accepted by states or other state holders.  I am kind of interested to get a view from all of you.  How we're reflective on those normative trends in terms of governing this case and offensive capabilities that we talked about the broader threats.  I would invite comments from the group on this potential.  Do we see gaps in the informative environment for the (?).  It would be interesting to get.

>> I am looking at (low voice) and I would like to offer a (?).  I would also like to throw out three words for your consideration.  These words and the ideas behind them are put around.  You see that I am seeing a lot of conversations and concerns around these discussions on capabilities (?).  Those words are (?).  What we often here is not easy and it is a space.  Certainly we need rules that guide in cyberspace and perhaps there's room in court that comes from the sector that might (?).  Isn't it a question that often gets moved because the less rules get changed.  It is being challenged somehow.  Those rules will (low voice) in the next five years.  That's an informative consideration.  (low voice) it gets me to the point of (?).  In smaller countries, they're very aware that it is strongly what they will in the past.  So there is discussions on cyberspace.  The rules that we talk about are being shaped by capabilities and countries like in Asia too and quite responsive use exploits for national security purposes.  They compromise (?) because you can argue (low voice) the third one is values.  We often hear from our (?) talk about things (?).  It is south east Asia and the association is not Asian nations.  It can be many different government systems and ideals.  We respect that governance.  It is question of taking the ideals and any kind of report or an enormous discussion.  That's the'(?).

>> (low voice)

>> I would like to point (?) (low voice) national (?) policies and I think that's this scenario.  International law would protect (?) because that's one thing we took the snap shot.  It is national security and the military and these people would hold other systems in the conversation with licensing and responses elaborate and we do not have (?).  But in terms of (low voice) and inspire to be with anyone saying it is liable.  (?) and I think we hide it too long that we should start now.  We should pull up and get to work.  We receive (inaudible)

>> Let me follow up on comments.  (low voice)

>> Thanks.  Very briefly.  There's a panel and there are still valid questions that we need to answer them.  Going back to your original question, I think that by now we realize international law is there is as challenges.  In five years, we can be finding challenges in the international law, but there are really valid questions that we go back and see and identify the gaps and see whether we can fill the gaps with the international law framework.  What constitutes the cyber threat or an attack and who should afford it in that case.  International law is something we do not have an answer yet and I know that the commission is one of the things that the commission is talking about.  Also, we seem to try out the idea of the type of operations of international law.  This is necessarily the case.  For example, cyber operations must comply with existing law.  You know that.  So there we have a case where international law can provide some answers.  Technical expertise that is coming in from organizations, technical organization is important because it informs assessments with the potential return cost of cyber operations and the need for new (?).  All the discussions are answering those questions whether there are areas of law for protection and whether they are.  This is what we need to focus in dealing in those areas instead of going with the frameworks.  We do not know which way we will go.

>> (low voice) I agree that in the long run, a document is desired.  I wonder in the current alignment whether it is confusing to come up with a document that (low voice)

>> And in particular, are there parallels about we have seen other examples of treaties and enormous institutions that suggest to us global governance can work.  So I am curious to know if there are any precedence that we might want to talk about and then also views from the round table before I close this portion out on the concrete idea of a treaty going forward and then I will open it up.  Maybe ‑‑ maybe I'll let you weigh in.

>> I would like to thank (?) for the opportunity to be on this panel.  My background is an international lawyer.  I studied with generation of norms.  So I find this ‑‑ um, I think what has been said by other members of the panel is more research needed to be done only in terms and not only in terms of what they mentioned of what the gaps were, but also who should be involved.  And how because the they're important ownership questions and ownership of norms have been in greater compliance.  In terms of the effectiveness of a digital Geneva convention and the treaty coming from outside of this opportunity framework, I'm convinced there is a single solution on regulating the problem of cyber tool.  I think we will look at the global where of measures and safety net of sort.  There are different levels and different actors.  And solutions are going to need to range from formal to informal and volunteering to finding and domestic to international.  I think you said before this.  This is a big challenge, but that doesn't mean we can't move and there are examples of initiatives and I'm going to talk about initiatives in two distinct fields of international law.  And second, business and human rights multi‑stakeholder initiatives and both of these areas attached on specific challenges of the problems with cybersecurity issue sort of manifest kind of involved in both of these areas.  We have seen in the past different initiatives that have involved different kinds of processes and we have made progress on it.  Some of them have been more effective than others.  I think this whole discussion and the question of the treaty already looked for mechanisms and a whole series of questions, which you will have to answer before you decide what mechanisms are important.  For example, what do you want to control?  Tools, software, malware, actors, capabilities and answer those questions to determine the mechanisms that are appropriate.  Are we looking at establishing basic rules and behavior?  If so, for what actors?  If it's nonproliferation between who is state to state, non‑state objector and also then what kinds of norms?  Where are different processes that they'll be using regulatory norms.  By regulatory, behavior that is sanctioned or condoned, respective norms and which prescribed behavior you should take.  Constituting a new attribution.  So I'll just say before I start speaking if I can.  Instead of thinking only about multilateral agreements, we shouldn't forget the role of bilateral and regional agreement.  And also the role of soft (?) processees.  In the field of disarmament, I will give you examples of process that I think this discussion would learn from.  When in the early ‑‑ late '90s, early 2000s, there was a discussion of issues in the arms control perspective and humanitarian perspective which allowed actors to shift the frame of the discussion.  Family Civil Society can really be involved in the public sector to be engaged and public opinion was normalized and different people were in rooms talking about arms control but we were talking to different actors within the administration.  And as a result of this reframing, I am giving a very brief overview.  I have seen people who have been involved and excuse me for the proceed.  As a result of this reframing, the international community got range of treaties.  Starting with the 1997 mind treaty, going on to the convention, arms treaty, which regulated the conventional weapons and then everyone saw what we were thinking about the noble.  Those treaties have a rage of features that I think might be for your discussion.  They include restrictions that are quite (?) in some cases.  You're talking about restrictions and use.  There are production transfers and destruction of capabilities.  They also include provisions to clear contamination, to engage in this reduction.  Many set up support units on clarification bodies.  They are also victim assistance and capacitating assistance.  Some of the treaties, in particular the mind bend treaty have been accompanied by the processes.  So they happened in 1997 and then in 2000 and NGO decided to take out the problem not only by faith, but my non‑state actors.  They have been parallelled to prohibit the use.  Those are interesting processes you can learn from.  I will try to ‑‑ I will speak a little bit also about the human right side.  So basically in the late 'nights, early 2000s there was recognition that there were problems in terms of how the interaction between states government and private citizens were happening with regards to human rights protection forcing ‑‑ protection of human right for people who have been impacted by business.  It wasn't clear what the regime was.  And through a whole bunch of processes, we came up in 2011 with the ‑‑ I'm sorry.  I have a whole bunch of examples.  With the U.N. in guidance and human rights, these are a result of an incredibly long consulting process that was multi‑stakeholder and the principles are not binding.  They will clarify what those are.  They make their way into other finding documents.  So they found their way into ISO standard OCD document.  And that's another way to move forward.  They're looking towards a treaty that there are other ways that might happen faster and that would translate into more formal processees.

>> Yeah.  So thank you very much.  I do think that the principles offers an alternative path of multi‑stakeholder setting working towards some norms and I think that the role of Civil Society and the tail whether it's the land mines convention or (inaudible) to noble peace prizes have been awarded not to the states, but those in civil sort and elsewhere that push states to say this is not acceptable.  You need to move this.  Are we yet at that point where there should be pressure on states or should suggests more room to give among themselves what their views are.  Those of you in the room have been remarkably patient.  I will ask you to be patient for one minute more.  I want to see if we have any views from the remote participants and I think the FIRST question to the remote participants.

>> Thank you.  There were a couple of comments on Twitter and in the room.  So I will take two and then we have another one for later probably.  The FIRST to is to Michael in his introduction.  Dunk an made analogies to end slavery and bad predators.  The Geneva convention is more like disarmament treaties.  And the hashtag was didn't stop Hitler.  And then the question from the room is by Sonia.  She said following Mr. Hiller's comment that there needs to be a political will.  How realistic is it that we can see a cyber treaty any time soon?  One is on effectiveness and one on reality.  One is on substance, but I will save it for later.

>> CHAIRMAN:  I take the point about the what's the right analogy for this.  I would say beyond the band treaty war fare is one of the most malign,bi there's been receipt work called the internationalists.  That suggests we look ‑‑ the world has changed.  In the 19th century, states use when to war is a matter of course.  They government have to think about it.  If your country, your nationals were owed debts, you send in the Marines and the like.  If you want to use force today, you will have to articulate a rationale for authorization or in some framework self‑defense.  So as much as we like to malign the ineffectiveness of law, we might also say that the glass is half full rather than half empty and we do live in a different world where states are in some sense constrained about their use of force.  So I do think that's the international (inaudible) and to respond, I do think the question is always an easy one for the critics of the law throwing the law.  Law is not a perfect (?) and doesn't solve all problems.  We look at the law today and find any problems with it.  I don't know if others have response to that question or the other question from the remote participants.

>> On a timeline, I do think it is going to take quite a long time for the dialogue and discussion being done in the states.

>> PAUL NICHOLAS:  I see folks in the room.  And please remember to introduce yourself.  In the interest of time, if you have a comment or question, there are a lot of spaces being used.

>> (low voice) (?)

>> PAUL NICHOLAS:  Thank you.  You have constructively advanced the conversation and certainly we should all be careful what we wish for.  I do think it is an interesting question and so thank you.  Yes.  Again, there's a bunch of people seeking in the room.

>> I am fascinated by what appears to be a blind spot.  But it is a reflection and no one has mentioned anything to that.  Some of you here in the room (?) he just published an article and actually, we had a dream (?)

>> We think it is or it isn't.  (low voice) (?) we have lots of examples in size.  The Civil Society represented and I'm wondering whether you include it in there.

>> (low voice) it includes (?) products and services.  There are two major cyber attacks made throughout the years.  What is (?) (low voice)

>> So let me clarify on the comment.  I said a dollar offense.  It was dollar offense.  That is something that national security leaders believe because of the attack that it is to defend.  What I mean by that is (inaudible) a product that is systemic and systematic (?).  It is almost impossible to have (?).  I think what was surprising of, you know, (?) a series of immobilities that the government held on to.  What we have is a competition.  So FIRST products, we work with security researchers and try to understand the vulnerability and something happened with the product and people look at these.  The part that concerns me is more time governments are investing a lot of money in learning.  So before the (?) happened, we have looked at alls companies that bring out all the passions at one time rather significant, but I think what is (?) you have a perfect swarm of people who were on operating systems that we had dedicated.  You were on XP.  Oh, my God.  The threat landscape of XP totally different.  We made fundamental changes.  Some of those things you can't go back and fix.  And so that's number 1 that.  You will play and have to stay up to date.  The second part about that was you had a vulnerability that was ‑‑ that had been an exploit company that fell through.  One of these years it was like essentially taking a Ferrari engine.  It was going so fast and so quick and had such (?) that caused great questions (low voice) (?) and the market place uses to disclose responsibly.  They can do this and that one(?).  To your point.  As we send a lot of money, but the question is whether the government can (?)

>> Thank you.  My name is Ed Sullivan.  I don't speak for anyone.  But (low voice).  I'm not a policy expert or anything like that, but one of the things that troubles me a little bit in this discussion is we keep coming to the ability to understand how you will apply and even the rules that have been adopted.  Not all in favor of the governance or anybody else for that matter saying they will play nice ons Internet will be great.  But I'm deeply puzzled by the idea that we're going to be able to say oh, this was state action and this one wasn't.  You know, when the attack happened on the network of my employer a little over a year ago, it happened and the enormous numbers of speculation.  I read accounts by people on what happened on my network and I'm sure they're wrong.  And I think that this is a serious problem in the discussion.  We have a lot of capability in the hands of people sometimes more juveniles.  We have offers of those pleading guilty.  This is too sophisticated and they must be state actors, but rather what are the correct behaviors for producers of software and operators of networks and people who are using these things.  I think it would be great if governments wanted to come together and confirm what was the (?).  But I really caution the people against the belief that if you just got a treaty, then you have something that would help because I don't believe that's going to ‑‑ that that's going to address anything of the feeling of the insecurity in the session.  Feeling of the insecurity that you ask in the beginning of the session is because we have a system here on which there are all seriously dependent now and it's not designed to (?) in the hostile world.  It is a basic technical design.  That will need to be fixed by protocol.  It can't be fixed by (?) (low voice) thanks.

>> Thank you.

>> (low voice)

>> A couple key points.  There isn't this idea of having some sort of framework is not going to create easy protection.  Part of it is there are things that have to be done (?) of some products.  What we see is nothing compared to the (?) and security challenges (low voice) the other thing we have to realize is not sometimes (?).  Part of the challenge is going to a market place where people are literally selling (low voice) and trying collaboratively working to try to invest those things.  Now you can (?) with other people (low voice) there is an added dimension and the other part brings up a great point.  We are super (?) of (?).  This is a powerful, powerful (?).  But that was for 20 countries that participated.  How do you scale that to something that's increasing this?  How do you start to think that?  I think at some point as you get into the future, you will need something.  We did just that.  Talk about what the future might look like and what might help.  Certainly you have to (?) (low voice) but at some point, you may need something else.  You have all of the caution.

>> Well, I was and I'm going to make an apology for the remote participants, but we only have three minutes left.  I would like to try and pause and get together some threads.  We can have offline conversations.  For those of you in the room who participated.  I think we started at a point of consensus at least in the room.  I didn't see anyone standing up and saying we're good enough where we are.  We don't need to do more.  I think that's a positive that we're all starting in a similar point.  I am also hearing a remarkable sense that there is no single solution to the current problems and there has to be both focus on the norms, but also implementation.  There has to be a conversation about political will and effectiveness and there has to be a conversation about the industry itself and how we can deal with the rapid (?).  I do think one of the challenges whether it's a treaty and norms is how quickly things change.  I use the example of privateering.  It took a century to ban slavery.  It took us decades to deal with nuclear war.  The technology moves so fast and it's a challenge to think about how we're going to regulate it.  So I think part of the nature of this panel, this workshop has been to provoke and suggest ways you might think about going forward using the digital Geneva convention to think about what a world would look like if technology companies will or will not do to improve our user at users cybersecurity and what the world would look like if we had an attribution council that will take the current environment.  I do believe there are a dozen or more actors who combine it with secondary intelligence so they can at least know and state to know A and B is engaged, but the rest of us are left in the dark.  What a world would look like if we can have some trust and mechanism that we can get beyond competition to be the FIRST to claim who did it.  And finally, I think it is an interesting question of where do we go from states and who is involved in the conversation about what states will or will not do.  We had it on state senate because it is a security matter or do we want to include multiple stakeholders like the IGF as formulated for some time now bringing in voices from the academy and Civil Society and else where to have a conversation about the way we want this.  This is open free and secure cyberspace that we have.  We can question whether each of those are valid now, but certainly they're under threat.  So the question as we go forward in the space we share is where do we go from here and what do the future norms look like.  I will stop there and invite you.  Round of applause for everyone at the table.

[APPLAUSE]