Interim report from first Worldwide Cybersecurity Summit

White House Cybersecurity Coordinator Howard A. Schmidt delivers the keynote address at the first Worldwide Cybersecurity Summit

Overview: Four hundred private and public sector leaders from more than 40 countries gathered in Dallas, TX for the first Worldwide Cybersecurity Summit to catalyze new international policies and agreements in specific areas of information and network security. The summit brought together leaders in intergovernmental and international policy development, those more concerned with national or other domestic jurisdictions, and key private sector actors. 

The goals of the summit were to:

  1. launch an international awareness campaign by governments, businesses and individuals about the growing risks to our economic prosperity and security posed by cyber threats and vulnerabilities;
  2. identify specific proposals for concerted action to address these threats and vulnerabilities, with particular emphasis on those of common international concern; 
  3. facilitate joint action and new agreements through intensive “breakthrough-group” interaction over the next two to three years in the critical sectors of information and communications technology, financial services, energy, transportation, media, essential government services and national security.

Discussions confirmed that most governments and private sector organizations pay inadequate attention to the international and inter-governmental policy dimensions of cybersecurity. Private discussions and public comment at the summit confirmed that there are large gaps in global arrangements to promote cybersecurity, especially where important countries such as the United States, China, India and Russia are concerned. These gaps are, however, part of a bigger picture of relatively weak regulation of cyberspace by the international community. The summit saw the tabling of scores of distinct recommendations and follow-up action plans to address vulnerabilities and threats. Participants rated the summit highly for addressing unmet, high-priority needs, with 81 percent of respondents in a departure poll saying that they intended to participate in the second Worldwide Cybersecurity Summit in London, scheduled for June 2011.

This very brief interim report presents a small selection of highlights from the summit. These are not consensus ideas, nor are they the views of EWI. Rather, they present a sampling. More detailed reports, especially from the breakthrough groups, will be released in coming weeks and months.

Highlights: A Selection of Points Raised

  • Cybersecurity needs a global rethink, and fast.
  • Of particular concern are the risk of widespread loss of consumer confidence in the integrity of the Internet and major disruptions arising from attacks on or failure of the undersea digital cable system.
  • There is a large, unmet need for greater international policy coordination and a more thorough understanding of the need for security in cyberspace. This has to be addressed through specific avenues of action across many fields in discrete areas, such as cyber crime, cyber espionage, cyber terrorism and cyber warfare.
  • Most cybersecurity professionals are unaware of the international policy developments in their field.
  • Some key problems policymakers and business leaders are facing today in international approaches to cyberspace are:
    • lack of a commonly agreed definition of what constitutes reasonable levels of cybersecurity in different dimensions, and of how threats and risks are evaluated and responses framed;
    • ineffective integration of the necessary technical, business, legal, security and international policy competencies;
    • inadequacy (or relative newness) of national-level decision-making arrangements, as well as appropriate domestic legal frameworks on which international cooperation has to be founded;
    • inadequacy of current diplomatic assets assigned to the problem, a situation which reflects a lack of political commitment or awareness at high levels;
    • inadequacy of the commercial drivers for building security into network equipment, software, networks and services, the inadequacy being the result in part of a lack of consumer awareness of the risks they face and a lack of leadership and commitment from those in control;
    • the fact that while states have the right to organize offensive and defensive assets for information operations of a strategic character to affect the intentions of other states, international law does not adequately regulate these assets or activities;
    • lack of regulation of military-related information operations is not only important at the political and strategic level, but also at the tactical level where rules of engagement come into play;
    • national approaches to their online security are often too parochial for collaboration on crafting global cyber regulation; and
    • tensions between protecting national security and ensuring the privacy of individuals.
  • International responses to the rapid rise of cyber crime, which includes economic crime and direct threats to critical infrastructure, are piecemeal, with some major governments being quite unresponsive to requests for support from others in criminal investigations in the cyber domain.
  • Industry has been content to sell products without embedding adequate security measures into them and without adequate attention to the integrity of the supply chain for components. Many of the technologies we have in place are almost indefensible. So we are constantly patching the cracks and filling the holes.
  • Governments and private industry need to work collaboratively to develop the appropriate international framework to secure cyberspace but in a way that keeps our global information systems intact and secure.
  • There is a preponderance of evidence indicating that cybercriminals, including terrorists, could inflict major outages on portions of our critical infrastructure with minimal effort.
  • U.S. management of the Internet may need an overhaul in favor of transition to a genuinely multilateral management system that has more global participation on domain management.
  • International security policymakers must do more to keep up with the rapid technological advances, but the needed international cooperation is not merely a technology problem.
  • There are important economic dimensions, especially when it comes to vulnerability, but also social and individual dimensions (the people operating the systems).
  • Responses need to enhance security without stifling free speech and innovation.
  • Leading cyber countries, such as the United States, Russia and China, have low levels of trust in each other and this is shared in some cases by other significant actors. This mistrust is impeding collaboration needed to improve the cyber defenses that can help to underpin global economic prosperity and stability. The mistrust also plays out in restrictions on the market access of some ICT companies from one country in others.

China

  • Internet-related crimes (in China) are showing a steady upward trend. There are big economic losses from hacking and viruses -- around one billion dollars a year. In 2009, Chinese law enforcement authorities investigated about 48,000 cases, a 37 percent increase over 2008.
  • China says that it supports international efforts to secure cyberspace but believes each nation’s "Internet sovereignty" must be respected. China sees itself as facing severe cybersecurity threats originating in China and needs international cooperation to safeguard cyberspace.
  • There are deep differences between China and other leading cyber powers in their national approaches to these problems. There is a fierce debate and international political contest around the “cultural aspects” of appropriate international cooperation in cybersecurity.
  • There is a need for China and the United States to establish more common ground on key issues of cyber crime and cyber warfare.

Cyber Angst: Balancing Insecurity and Risk

  • Some participants talked freely of nightmare scenarios, while others cautioned against being too intimidated by vulnerability, suggesting that risk management strategies could reduce inherent vulnerability.

Next Steps: Proposals from the Summit

  • Since it would take at least ten years to arrive at a global treaty for cybersecurity, and many states are not ready for it, the best approach may be to solve specific concrete problems or address well-bounded vulnerabilities, while “speaking to the big issues”. At the same time, polling of participants indicated strong support for a treaty “now”. 
  • The groundwork for international cooperation will have to be laid in a top-down manner.
  • New and effective public-public, private-private and public-private cooperation in a wide range of areas is urgently needed.
  • The best weapon against the online thieves, spies and vandals who threaten global business and national security will be international coordination of cyberspace. People threatening security in cyberspace will have to realize that since the Internet is an integral part of every country, politically, socially and business-wise, their efforts to breach cybersecurity are like playing with fire. A strong emphasis on instituting severe penalties for serious violations and publicizing those severe penalties was seen as desirable.
  • The lack of effective common procedures for attribution is a key weakness in cybersecurity. We need to promote some type of global electronic architecture that allows cyber attacks to be traced back to their sources. Proper response to hostile acts is impossible without such clarity.
  • We need to create market incentives to encourage the private sector, which owns and operates most of the world's digital infrastructure, to tackle minor crimes.
  • There was strong support for an EWI-led process that creates new opportunities for international policy collaboration, particularly in specific sectors of high economic and commercial interest, such as energy and financial services, or in areas that affect our basic security and way of life, such as essential government services, transportation and social media.     

EWI’s Next Steps

As a result of the Summit, EWI’s interim ideas for further action – subject to discussion with Summit participants and other stakeholders – will pursue five main lines of action:

  • Cyber 40 mobilization through Washington DC ambassadors
  • Bilateral Track II meetings involving key countries
  • Convening up to five follow-on breakthrough teams to execute specific concrete policy projects (e.g. ROGUCCI) emanating from the Dallas Breakthrough Groups
  • A worldwide CEO “council” or “cyber leaders forum”, small at first and operating as a pilot, to help drive new private-public partnerships that address cyber vulnerabilities in or threats to the global economy
  • Championing specific global solutions, such as a worldwide network of 24/7 points of contact.

EWI will pay close attention to countries and sectors most seriously affected by mistrust across international divides.


70 per cent of participants polled believed that ASPR (agreements, standards, policies and regulations) is “far behind technology advances”.

68 per cent of participants polled view their government’s maturity as low regarding international cooperation in cybersecurity.

Only 28 per cent of participants polled considered their personal privacy as sufficiently protected in their country.

 

© 2006–2012 EastWest Institute | Published under a Creative Commons BY-NC-ND 3.0. For further permissions, contact us.