Speech minister Koenders at Munchner Sicherheitskonferenz

Speech by minister Koenders at international security conference in Munich (12 February 2016).

Dear ambassador Isschinger, dear president Ilves, your excellencies, ladies and gentlemen,

Thank you for inviting me at this cyber round table.

Last year I was here to speak about the Global Conference on Cyber Space and our vision of a free, open and secure internet as the basis for global economic and social growth.

I spoke about the importance of a multistakeholder approach; otherwise we won't be succesfull [glad to see a multistakeholder group at this round table]

I underlined the need to defend digital rights, promote innovation and improve cyber security.

I stressed the need to upgrade our defenses and to build an international concensus to protect critical infrastructure, like energy, telecom and banking as well the internet itself. Cyber seems to be the Wild West, but is created by servers, routers, cables and data centers located in states to which international law applies.

Unfortunately these challenges have not changed. Rather, they have increased. What seemed to be a distant possibility then, is a reality now: the actual deployment of cyber operations for political purposes.

Therefore I am glad that MSC has put cyber prominently on the agenda. Rightfully so. It is an issue that's increasingly part of the fabric of our daily lives. It is an issue that concerns us all!

As our societies become more and more dependent on cyber infrastructure the opportunities for growth and innovation seem endless and promissing. But so too, let's face it, does our vulnerability to cyber incidents and attacks.

The threat is real and it is growing – fast. Until recently, the deployment of highly disruptive or even destructive cyber operations was only seen as a theoretical possibility. But in the last few years there have been more and more attacks against civilian infrastructure. For example:

- the hack against Sony;

- or the hack against TV5 in France.

We also know that terrorist groups are actively seeking to develop cyber capabilities.

What worries me most is that many of these cyber operations appear to be at least state-sponsored, if not state-driven. So it’s safe to assume that these operations are being used, in existing political conflicts, as a way to coerce opponents. Most recently, Ukraine’s electricity grid was hit by a coordinated cyber operation that disrupted services for hours. Cyber operations are a powerful tool, because their effects directly impact key civilian functions in society.

So far we have been fortunate that these cyber operations have only achieved a fraction of their destructive potential.

Cyber operations have already become a ‘weapon of mass disruption’, which is being deployed in existing conflicts as part of hybrid-warfare campaigns.

Our response needs to be decisive and firm. It must leave no room for doubt that the international community will confront these new challenges boldly.

First of all, we need to strengthen our cyber defences and our resolve to use the instruments at our disposal to deter cyber operations.

- The Netherlands is taking measures to strengthen cybersecurity in our own networks. For instance, we are creating a Defence Cyber Command to ensure we can legitimately defend ourselves, just as we do in other domains.

- NATO is discussing its role in collective security in the cyber domain. This discussion started in Cardiff. And the next steps will be taken in Warsaw, where the NATO Summit takes place.

- As holder of the EU Presidency, the Netherlands will not only support ongoing work like the EU Cybersecurity Strategy and the Network and Information Security Directive; we will also launch additional initiatives in various fields. It is our obligation to do so.

However, we must realise that the asymmetry between attacker and defender is very large in cyberspace. Raising our defences and creating deterrents should – firstly - be our top priority, but unfortunately, it won’t be enough.

The key variable is therefore not the level of defence, but the intention (!) of the attacker. It is that intention and the underlying cost/benefit analyses that we must seek to influence. And to do that, and to maintain international stability we need diplomacy!

So Defense, Develop a normative framework and Diplomacy: a new 3D approach!

Normative framework

We need modern and active diplomacy to build a common normative framework that regulates state behaviour in cyberspace.

The UN has played a crucial role in the past few years in determining that existing international law applies in cyberspace. In its last report the UN Group of Governmental Experts – or GGE – agreed several norms that define more clearly what states should and should not do, for example:

- states are responsible for cyber threats emanating from their territory;

- states have a responsibility to assist states that are under attack;

- states should not attack each other’s digital fire brigades, the CSIRTs [spreek uit: siesirts];

- and states should not interfere with the civilian critical infrastructure of other countries.

But given the escalating threat level, states will have to accelerate talks on normative frameworks for the digital domain. The Netherlands will try to stimulate these discussions in very concrete terms, in the good spirit of combining its realist and idealist traditions.

Not only because we have a tradition to uphold in setting standards on international law. Not only because we have a compelling self-interest in safeguarding key IT infrastructure, like the Amsterdam Internet Exchange. But also – and above all – because we cannot afford to wait for a ‘cyber 9/11’ before we start taking this seriously. Right now, the global community still has the opportunity to get on top of this problem and prevent further escalation. If we want to be able to deal with non-state actors, we as states need to improve our ability to deal with cyber risk and instability.

With this in mind we have taken a number of initiatives:

• We are a candidate for the next UN Group of Governmental Experts, the pivotal platform for negotiations

• We are in favour of a norm that states should refrain for undertaking actions that undermine the stability of the internet.

• We are promoting a globally inclusive debate on clarifying the application of international law to cyber operations. Question like: What are the obligations of states is cyber? What actions should states refrain from? How does international humanitarian law apply in cyber?

• We do this, for instance through projects with the United Nations Institute for Disarmament Research. We have also started the The Hague Process, which is a series of consultation meetings between over 50 states and the authors of the Tallinn Manual 2.0 on peacetime international law.

• We are initiating a Cyber Norms Platform with Estonia to discuss input for the GGE on international law

• Finally, we are supporting the creation of a Global Commission on the Stability of Cyberspace

Global Commission

We believe the time is ripe to support the global debate on international stability through this type of research and advocacy initiative, in much the same way that the Bildt Commission on Internet Governance advanced the debate in that domain.

The threat of coercive cyber operations has become such a pressing security concern that we need all the extra support and encouragement we can get.

The Global Commission is also an opportunity to broaden the discussion beyond states, so that it includes the private sector and the tech community as well. The latter two actors embody the hybrid character of cyber warfare. They are targets in themselves. Their networks are the vectors, and their products are the weapons and delivery mechanisms of cyberattacks.

In a multi-stakeholder setting like this, the Global Commission should not only clearly articulate to a large audience why cyber operations are such a problem, but also generate new ideas for how the problem can be solved.

I invite you all to get on board and support the Commission with your expertise. The internet does not belong to individual states or private companies. We have a joint responsibility to protect it against misuse and safeguard it for future generations.

The Commission could address the issue of cyber stability in a number ways:

- One is by concentrating on the stability of international relations between states and other actors in cyberspace, either multilaterally or bilaterally.

- But there’s also the stability of the cyber ecosystem as a whole to consider, especially the internet backbone. The most alarming scenarios involve the possible undermining of the stable and secure operations of the internet’s ‘public core’.

We believe the Global Commission can help generate new ideas and broaden the circle of parties involved: it’s not meant to be a talking shop but rather a group of dedicated professionals from across the cyber spectrum with a mission and a deadline.

Ministry responsible