Speech by Minister of Foreign Affairs Stef Blok on securing cyberspace at Korea University in Seoul

Speech by the Minister of Foreign Affairs, Stef Blok, on securing cyberspace at the Korea University in Seoul, 21 November 2019

Ladies and gentlemen,

In 1907 the Korean judge and diplomat Yi Jun came to the Netherlands. The Korean emperor had sent him with two other diplomats to the Second Hague Peace Conference, to call attention to the illegality of the Japanese occupation of Korea. But Korea had not been officially invited, and the delegates were not admitted.

Nonetheless, Yi Jun and his delegation stayed in The Hague to plea the Korean cause. After a few days, he was found dead in his hotel room. The cause of his death will probably never be known. But Yi Jun lives on in the hearts of many Koreans as a man who fought for freedom and justice. And his memory is enshrined in The Hague’s Yi Jun Peace Museum.

Today, Yi Jun’s fight for freedom and justice is being fought on other fronts. If he were alive today, he might devote himself to cybersecurity – because that is the greatest challenge for peace and security in our time.

Over the course of just a few decades, the world has entered a digital age. People from all over the planet are connected online. By way of comparison: in 1996, only 36 million people used the internet, about one per cent of the world’s population. By the beginning of 2017, that figure had risen to 3.7 billion, nearly half the world’s population. That’s good news.

But the boundless opportunities of digitalisation come with serious challenges: digital development without cybersecurity is not sustainable. You cannot rely on a tool that is not secure and cannot be trusted. And digital development cannot flourish when lack of support for the norms of responsible behaviour is undermining global stability.

With the Fourth Industrial Revolution shifting into high gear, the threat of malicious cyber activities is keeping pace with the opportunities presented by AI and quantum computing.

To counter these threats, a cyber-stability framework is more crucial now than ever. Cyberspace can be seen as a new domain, a global commons. Not unlike the high seas.  It took centuries before we agreed the UN Convention on the Law of the Sea (UNCLOS), which introduced rules on sea-bed mining and the laying of cables. And that agreement didn’t enter into force until 1994.

Cyber technology can also be seen as a weapon. And in that regard it’s useful to look at the evolution of arms control in the 20th century that started with the Hague Conventions. Chemical weapons were still considered acceptable in the First World War, and the mass bombing of population centres was a common strategy in the Second. But nowadays international norms prohibit such brutal tactics.

In 2017, at the Munich Security Conference, we launched the Global Commission on the Security of Cyberspace in order to make cyberspace more secure. Two weeks ago this commission released a report, compiled by a group of Commissioners from all over the globe. It speaks to many audiences, but one of its clear aims is to inform the two parallel processes under way in the United Nations on cyber norms, the Open-Ended Working Group (OEWG) and the Group of Governmental Experts (GGE). Let me highlight two important notions contained in that report.

First, there should be no tampering with the public core of the internet. Internet infrastructure should be regarded as the backbone of modern society. Undersea cables and other vital elements should be off limits.

Second, election infrastructure should not be tampered with. Democratic processes are the ultimate symbol of sovereignty. A people’s ability to express their will on who should govern them is the cornerstone of everything we stand for in the free world.

The Global Commission has rightly identified these areas as sacrosanct. Let me offer a few thoughts on what I think should come next. Cyberspace cannot be an ungoverned space where the bad guys can simply do as they please with impunity. Irresponsible states, criminals and terrorists must not have a place to hide. The international rules-based order should extend into cyberspace.

The Netherlands, like the Republic of Korea, agrees with the vast majority of nations that international law applies in cyberspace. Nations must recognise that they are always bound by international law, in both the physical and virtual worlds. But there has been a lot of discussion about how these laws can be enforced.

I recently sent a letter to the Dutch parliament outlining my views. It examines several key issues in detail. In this letter I stated that sovereignty applies in full online, and that it entails not only rights but also obligations.

For example, the obligation to respect and protect human rights online. And equally, a commitment to the principle of due diligence, which requires states to take action when cyber activities carried out on their territory violate the rights of another state.

There is a growing group of nations, including both our countries, that are seeking to work together to impose consequences on those who violate the rules of cyberspace. If we don’t build a solid system of collective action against malicious state behaviour, we’re essentially condoning lawlessness.

At the UN General Assembly last September, I launched an initiative, together with my American and Australian colleagues, to foster collaboration against unacceptable state behaviour. Our joint statement has so far been signed by 29 nations, including the Republic of Korea, and it is still open for others to join. But we can do more.

For example, we need to get better at attribution, at gathering evidence that shows who the perpetrators are. Only then we can mount a confident response, through diplomatic channels or through sanctions.

With this in mind we need to get better at sharing the information and knowledge we have about cyberattacks. Not only with other countries, but also with the private sector, cybersecurity firms, tech companies and NGOs. There is a clear accountability gap, and we urgently need to close it. That is why I have instructed my cyber ambassador to forge alliances between governments, tech and cybersecurity firms, and NGOs. This will be a joint effort by all parties that work with this type of information, including the recently established CyberPeace Institute in Geneva. This will make us better at interpreting and identifying attacks and agreeing on standards for cyber forensics. Joining forces will make us more effective at gathering evidence.

Don’t misunderstand me. Deciding what is done with that evidence will remain a sovereign decision. The Netherlands has no intention of relinquishing that power. But I’m convinced that more teamwork in evidence-gathering will result in more joint measures. Measures like EU sanctions. Or ‘naming and shaming’ by ad hoc coalitions.

Cyber threats don’t respect national borders. They are as transnational as, say, climate change.

So it’s not enough to address threats solely at national level, or in a single regional organisation. A stable cyber domain contributes to a more stable society, a more stable democracy, and a more stable business environment.

This needs to be a global effort, led at political level. Next year – which marks the 75th anniversary of the United Nations – I hope we can adopt a universal ‘cyber pledge’. One that recognises today’s needs, reaffirms some norms and principles such as respect for human rights, and fosters investment in capacity-building.  And I strongly believe that we can further enhance cyber stability with initiatives like the Freedom Online Coalition, which promotes respect for human rights online.

And of course, cyber capacity-building is one of the indispensable instruments at our disposal. Fewer than half of states worldwide have adopted a national security strategy. Even fewer have an effective Computer Emergency Response Team protecting critical infrastructure.

That’s why the Netherlands initiated the Global Forum on Cyber Expertise (GFCE), the global public-private capacity building platform to fully reap the benefits of digitalisation.  With more than 100 members and partners, this public-private platform not only promotes primary cyber resilience, but also helps members implement the UN norms that lay the foundations for a rules-based order in cyberspace. We are proud to note that Korea has has been a member of the GFCE from day one.

In conclusion, ladies and gentlemen, the name of the game is international, multi-stakeholder partnerships. Working together to boost resilience, set the rules of the road, improve the attribution of malicious acts, and hold those responsible to account.

To serve the cause of freedom and justice. Just like Yi Jun.

Thank you.