Defending the Cyber Frontlines / Davos 2025

Summary

This panel discussion focused on the challenges and complexities of cybersecurity in an increasingly interconnected world. Experts from various sectors discussed how geopolitical tensions are affecting cyber threats and corporate strategies. They highlighted the rise in cyber attacks coinciding with physical conflicts, noting that cyber warfare often precedes and accompanies kinetic warfare.

The panelists explored the blurring lines between civilian and military targets in cyberspace, raising concerns about the application of international laws and norms. They discussed the challenges of attribution in cyber attacks and the potential for escalation due to misunderstandings or unintended consequences. The concept of cyber deterrence was debated, with some arguing that fear of retaliation has prevented larger-scale attacks.

The discussion touched on the need for better education and skills development to address the cybersecurity talent shortage. Panelists emphasized the importance of public-private partnerships in defending against cyber threats, while also noting the tension between digital sovereignty and collective defense.

There was debate about the role of cultural and political agendas in cybersecurity efforts, with some arguing for a more neutral approach focused solely on protecting digital infrastructure. The panel discussed the existence of international norms for cyberspace and the challenges in enforcing them, with disagreement on whether democracies or authoritarian regimes were more likely to flout these norms.

The discussion concluded with a call for reciprocity in digital spaces as a principle for future cybersecurity efforts, suggesting that equal access and influence in each other’s digital domains could serve as a form of deterrence.

Keypoints

Major discussion points:

– The increasing prevalence of cyber attacks alongside physical conflicts and geopolitical tensions

– The challenges of establishing and enforcing international norms and rules for cyberspace

– The blurring of lines between civilian and military targets in cyber warfare

– The need for public-private partnerships and global cooperation to improve cyber defenses

– Debates over how to balance digital sovereignty with collective defense

Overall purpose:

The goal of this panel discussion was to examine the current state of cyber threats and defenses, explore challenges in establishing norms and rules for cyberspace, and consider potential solutions for improving cybersecurity globally.

Tone:

The discussion began with a serious, concerned tone as panelists outlined cyber threats and challenges. As the conversation progressed, there were moments of tension and disagreement, particularly around topics like the role of democracy and which countries follow or violate norms. By the end, the tone became more constructive as panelists found some common ground on principles like reciprocity. Overall, the tone reflected the complex and sometimes contentious nature of cybersecurity issues on the global stage.

Speakers

– Ravi Agrawal: Editor-in-Chief of Foreign Policy Magazine, host of FP Live

– Samir Saran: President of ORF (think tank in India)

– Matthew Prince: CEO of Cloudflare

– Mirjana Spoljaric Egger: President of the ICRC (Red Cross)

– Andrius Kubilius: European Commissioner for Space and Defense, former Prime Minister of Lithuania

– Joe Kaeser: Chairman of Siemens Energy, former CEO of Siemens

Additional speakers:

– None identified

Cybersecurity in an Interconnected World: Challenges and Complexities

This panel discussion, moderated by Ravi Agrawal, Editor-in-Chief of Foreign Policy Magazine, brought together experts from various sectors to examine the current state of cyber threats and defences, explore challenges in establishing norms and rules for cyberspace, and consider potential solutions for improving cybersecurity globally.

The Current Landscape of Cyber Threats

The panellists began by highlighting the increasing prevalence of cyber attacks alongside physical conflicts and geopolitical tensions. Matthew Prince, CEO of Cloudflare, emphasised that cyber conflicts often accompany political and kinetic conflicts. However, he also noted a surprising lack of massive cyber attacks in recent conflicts, particularly in the Russia-Ukraine war, suggesting a potential shift in cyber warfare trends.

Mirjana Spoljaric Egger, President of the ICRC, expanded on this point by drawing attention to the humanitarian consequences of cyber attacks on civilian infrastructure, including energy, water, hospitals, and communication systems. This insight broadened the conversation to include the real-world effects of cyber attacks on civilian populations.

The discussion also touched upon the evolving nature of cyber threats. Prince highlighted a concerning shift in Chinese cyber tactics, noting that recent attacks like the “salt typhoon” – a series of sophisticated intrusions into U.S. government networks – represent a departure from typical intellectual property theft, with unclear underlying purposes. Samir Saran, President of ORF, raised concerns about the proliferation of cyber weapons and their potential for future use, emphasizing the growing accessibility of these tools to various actors.

Challenges in Establishing Cyber Norms and Defences

A significant portion of the discussion focused on the difficulties in establishing and enforcing international norms and rules for cyberspace. Spoljaric Egger argued that existing international humanitarian laws are applicable but not being effectively applied to cyber conflicts. She drew a parallel to the Geneva Conventions, suggesting that similar frameworks are needed for cyber warfare.

The panellists discussed the tension between digital sovereignty and collective defence. Matthew Prince highlighted the challenges this creates for establishing effective cyber defences, while Joe Kaeser, Chairman of Siemens Energy, pointed out that the extraterritorial nature of cyberspace further complicates traditional notions of defence.

A key challenge emphasized by Prince was the difficulty of attribution in cyberspace. The inability to quickly and accurately identify the perpetrators of cyber attacks hinders the establishment of norms and accountability, making it crucial to improve visibility and attribution capabilities.

The discussion also revealed disagreement on whether democracies or authoritarian regimes are more likely to follow cyber norms. While some panellists suggested that democracies tend to adhere to norms more closely, others argued that democratic countries have shown a willingness to misuse cyber capabilities against adversaries.

Potential Solutions and Approaches

Despite the challenges, the panellists offered several potential solutions and approaches to improve cybersecurity:

1. Public-Private Partnerships: Prince emphasised the crucial role of collaboration between government and industry in cyber defence, citing Cloudflare’s Athenian Project as an example of private sector initiatives.

2. Education and Skill Development: Kaeser highlighted the need to address the cybersecurity talent shortage through better education and training programmes, emphasizing the difficulty in finding qualified people for cybersecurity roles.

3. Reciprocity in Digital Engagement: Saran proposed that reciprocity should be the guiding principle for digital interactions between countries, potentially serving as a deterrent against cyber aggression.

4. Improved Attribution: Prince argued for better visibility and attribution of cyber attacks as a prerequisite for establishing effective norms.

5. Applying Existing Laws: Spoljaric Egger advocated for the application of existing international humanitarian laws to cyberspace, arguing that these frameworks can be adapted to address cyber threats.

Unintended Consequences and Future Concerns

Joe Kaeser raised an important point about the potential for “friendly fire” in cyber warfare, citing the Stuxnet incident as an example. This highlighted the unintended consequences that can arise from the use of cyber weapons and the need for careful consideration in their deployment.

Conclusion and Future Directions

The panel concluded with a call for reciprocity in digital spaces as a principle for future cybersecurity efforts. However, several unresolved issues remain, including how to effectively enforce international norms in cyberspace, balance digital sovereignty with collective defence, and protect countries without robust cyber deterrence capabilities.

The discussion underscored the need for continued dialogue and cooperation to address the evolving challenges of cybersecurity in an increasingly interconnected world. As cyber threats continue to grow alongside physical conflicts, the development of comprehensive, globally accepted norms and defences remains a critical priority for governments, businesses, and civil society alike.

Ravi Agrawal: Hi, everyone. My name is Ravi Agrawal. I’m the Editor-in-Chief of Foreign Policy Magazine and the host of FP Live, and I want to welcome all of you for joining us here, and also a warm welcome to our livestream audience watching this around the world, live and later on demand. So this is a session titled Defending the Cyber Frontlines. There are many conflicts, of course, going on around the world right now, and a crucial component of that is the cyber domain, whether it’s cyber bio-threats, attacks on critical infrastructure, disruptions to supply chains. It’s safe to say that we need better rules, we need better systems and safeguards to make sure that for all the advances we’re making in connecting the world, it doesn’t get out of hand. Let me quickly introduce our terrific panel here. Andrius Kubilius is the European Commissioner for Space and Defense. He served as Prime Minister of Lithuania as well. Mirjana Egger is the President of the ICRC, the Red Cross. To her left, Joe Kaeser is the Chairman of Siemens Energy. To his left, Matthew Prince, the CEO of Cloudflare. And finally, Samir Saran, the President of ORF, a think tank in India. Matthew, let me start with you. At Cloudflare, you have a bird’s-eye view of how companies operate. Just give us a quick sense of how geopolitics and tensions there are affecting how companies are thinking about security.

Matthew Prince: Absolutely. So Cloudflare’s, our mission is to help build a better internet, and a big part of that is security. A huge percentage of the internet sits behind Cloudflare, and every day we’re stopping over 220 billion attacks against our customers. And so we absolutely are on the front lines of seeing what’s going on. And what I can say is that whenever there is conflict in the political space, whether that’s kinetic war, or even just conflict within nations. we almost always see cyber conflict follow along with that. And so whatever you’re seeing in the pictures on the news, know that in cyberspace, a war is raging at the exact same time.

Ravi Agrawal: And so global conflict has increased, you know, physical terms, so cyber has increased alongside it.

Matthew Prince: That’s absolutely correct. And so when we saw in 2022 Russia invade Ukraine, unfortunately ahead of that, back in December of 2021, we were already seeing the cyber conflict start, where there was probing and other things which we were able to detect and then look at and warn the Ukrainians and fortunately be able to get in front of a lot of their critical infrastructure and protect them, make sure they could stay online. As we see conflict in Israel and Gaza, similar things happen where both sides are actually launching attacks at each other’s infrastructure in order to disable their communication systems and make it so that they can’t get their message and their story out to the rest of the world. So cyber is definitely one of the critical aspects of conflict around the world and we see it go hand in hand with any kinetic conflict which is going on that we might see in the news.

Ravi Agrawal: Joe, similarly, you were CEO of Siemens for many years, now you’re chairman of Siemens Energy. Just sketch out quickly how you see businesses having to change their strategy because of cyber attacks.

Joe Kaeser: Well, look, I mean, you know, the whole cyberspace is opportunity and threat altogether. For us as a company, all three of them. And, I mean, opportunity because we are acting critical infrastructure. So that means, you know, customers, utilities, they come to us and say, can you help us protect the grid? Can you help us protect, you know, the turbines and what have a supply chain? So it’s opportunity to do some business out of that. But it’s a threat because we are obviously, you know, supplying critical infrastructure. We are the target. Because we are very early in the value chain. So we’ve been stepping up our efforts quite a lot, also, you know, by the help of a couple of leagues like Calgary. So it’s a constant struggle and I’m afraid you’re only at the beginning.

Ravi Agrawal: Mariana, wherever there is conflict, the Red Cross tends to be there. How has cyber changed your operations in the last decade or so?

Mirjana Spoljaric Egger: In a very dominating way. There’s no conflict where cyber doesn’t play an important role and this is also the reason why we spend so much time with it. There are cyber operations that target civilian infrastructure and that has a huge impact on the humanitarian fallout that comes with conflict. They attack energy, water, hospitals, health facilities, but they also attack communication systems. Or sometimes communication systems are disabled to prevent cyber attacks, which has an impact on the protection of civilians because they rely on information to know where their family members are, to know where to evacuate and to know where they can possibly be safe. So if you deactivate communication, you harm the civilians that are already under threat. And then last but not least, we are under attack. As the International Committee of the Red Cross, we undergo daily cyber attacks that we have to protect ourselves from and this is why we partner with non-profit organizations, private sector companies that help us employ the technology that we need in order to protect our data, our personnel, etc.

Ravi Agrawal: So we’ve sketched out the problems. I’m going to push us all towards solutions now. Commissioner Kubilius, let me bring you in here. There are two components really that I want to push you on. One, how do governments improve their defenses? And then two, how do you then build norms and rules that they actually follow?

Andrius Kubilius: Well, thanks a lot. Yes, you know, I have this responsibility. Commissioner for Defense and Space, and it touches also, of course, cyber security, not just, you know, military things. I can tell you that in my so-called mission letter, which, you know, all of us as commissioners we got on the first days, I have a lot of tasks on defense, on space, but also I have a task to develop so-called defense projects of common European interest, starting from air defense shield, and the next one is cyber defense shield. So it means that, you know, on European Union level and commission, we understand very well what are the threats. I can tell you, you know, just cyber attacks since the end of 23 till, you know, during the whole 24 year, registered cyber incidents, the number is around 11,000 in European Union. Next, of course, we see that, you know, there are not only cyber attacks, but also attacks on communications, you know, on communication cables, telecommunication cables, internet communication cables, like in Baltic Sea, in other places. So we are really, we are, we see all those threats, you know, in a very clear picture. Now what we can do as European Union, as commission, of course, we can, you know, try to convince member states to be, you know, better prepared, because of course, you know, cyber defense goes on national level, and yes, we are introducing, you know, standards through our regulations, standards both on security of electronic equipment and on security of institutions. solutions, how they need to defend themselves. It’s symbolic that the first document which we approved in the new commission was exactly devoted to cyber security of hospitals in the European Union, because that is what we see as a threat. Second, of course, what we are trying to do is to create systems of coordination which would allow us to better survey what is happening, to have systems which would allow member states and institutions to exchange information in order to prevent the spread of some attacks. And the last one, really, what we are attempting to do is to create special, what we call, rapid reaction teams which would help member states if they are under threat.

Ravi Agrawal: Samir, you know, one of the strange things about the world right now is there’s a general sense of impunity, you know. Countries feel like they can test the boundaries of international law and get away with it. There’s also a sense that, well, you know, everyone has their own double standards, so why do the rules matter anyway? You add in cyber here and it feels like the Wild West. What should we do?

Samir Saran: So, you know, for example, the commissioner was in some ways trying to respond to your question about norms and rules. Those norms exist. We have a UN GGE that many years ago agreed that thou shall not attack critical infrastructure. We shall not undermine facilities like you just listed. And yet we worry about them and yet everyone follows them in breach. So, in a sense, every enterprise, for profit, non-profit, social enterprise, essential enterprise, everything is fair game today. And in some sense, the cyber front lines are universal. Everyone, including you and me, are part of that front line and we are under threat today. And let’s be honest about it. There is nothing that the commissioner can do or you can do or I can do. We are all fair game. Businesses are fair game. In fact, let me just tell you that the day the American and Europeans decided to cancel business operations and media operations and digital operations in Russia, they have in fact ensured that those businesses are seen as adversaries. So in some sense, they are no longer transnational corporations. They are corporations that serve a side, that serve a side to a conflict, and they are all open to attacks, and they are all open to being targeted in some sense. So that’s a very interesting space we are in. But second point, I think five years ago, if we were having this conversation, and I remember Matthew and we were all in a room some years ago, we were worrying about the weaponization of cyberspace and cyber weapons. We were worrying about two things, that weaponization of the space and the cyber weapons that governments are developing and non-state actors are developing. Those weapons are out there now. In the last four years, we have seen a spectacular deployment of cyber weapons. In fact, dramatically advertised by blowing up pagers, using manipulation of systems by the Israel agencies in their Middle East operations. We have seen, you know, Stuxnet looks mild when the Americans melted the Iranian reactor using the first big cyber virus that was spread through conventional means. It looks mild compared to what we have seen Ukrainians do in Russia, aided and abetted by Western sophisticated technologies. So in many ways, all those cyber weapons that we were worried would come out into the open are out there. And once you have used them against an adversary, remember, some of them did not work. And those become prototypes for further development by now non-state actors and commercial actors to actually build really credible interference tools and then add AI to it. And amateurs with AI. are cyber soldiers. Amateurs plus AI is equal to a real cyber soldier, and I think, think about that.

Ravi Agrawal: You know, this always happens at Davos, by the way, when we push towards solutions, we present more problems. So I’m gonna hold us to it, but Matthew, jump in.

Matthew Prince: You know, I would say, though, that I think the big puzzle of the last three years, you know, I was on a panel about three years ago, right as the Ukrainian-Russian conflict was exploding, and I predicted that we were going to see a massive increase in cyber attacks, and what surprised me is it hasn’t happened, and the question is why, and I think part of it is that there is a little bit of fear that once you use it, it’s gone, and secondly, like, once you use the weapon, then it’s very hard to use it again. That’s the first thing, and then the second thing is there’s a bit of fear, I think, at least among the Russians, of sort of a old nuclear concern, which is there’s a mutually assured destruction. The Russian infrastructure is every bit, if not more vulnerable to cyber attacks, and the fear is that, in fact, there’s been less attacks against the U.S. than there have been some much smaller countries in Europe, and the question, again, is why, and I think that, again, this fear of mutually assured destruction, that if the Russians launched larger attacks against the U.S., that the U.S. would be very capable of coming back and shutting down the Russian infrastructure. I think that’s what’s held us.

Samir Saran: I think that the deterrence effect that’s happened here, but look, I was very careful. I said Ukrainian attacks on Russia. I never said Russian attacks on Western targets. It’s actually Russia who’s been at the receiving end. I’m just worried that when you are throwing weapons at the Russians, and you think that, you know, we have kind of pinned them in a cyber corner, they are collecting all those weapons. They are also learning, and what I’m trying to say is you’re building an adversarial arsenal that at some point will be innovated upon and deployed. So, I have not, we have not seen the end of this, this, this, uh…

Matthew Prince: Well, I think that the place where, the place to look to that is the most worrying is the series of, uh, sort of the typhoon attacks, the salt typhoon and other attacks that China has placed, which are the first time I have seen, typically Chinese cyber attacks have been about taking intellectual property. These are attacks where it is not clear what the underlying purpose is. It appears that they are front positioning themselves for something in the future, putting themselves into telecommunications infrastructure in order to, if there has to be a conflict in the future. And again, I think that is probably the most worrying trend that I’ve seen over the last three years. Whereas I would have predicted it would be much more around what we’ve seen in the Ukraine rush.

Ravi Agrawal: I want to pick up on just one part of that, Joe, with you. The point that Samir raised about companies, uh, seen as having taken sides, uh, are you finding that, you know, if you pull out of, let’s say Russia, that you’re a fair game in a way that you wouldn’t have been before?

Joe Kaeser: Well, look, yeah, it always depends on what the country and the issue is. I want to come back to something else, which goes into a similar direction, Stuxnet. One of the most worrisome topics, I believe, for private sector companies, if you get into friendly fire, if you get into friendly fire, if your products, your services are being used by state actors to do something what they believe is good, Stuxnet, you know, they cracked our source code for the PLC. And we knew who it was because we were looking at the map and saw when the actors were starting to try to edit the code. So we saw from the time difference that it was a concerted action between East Coast and somewhere. in the Red Sea area. And the good news was it took them almost four days to correct our source code. So that was good for us because we knew that’s the safe thing to do. But the issue was, I mean, that PLC was not just part of a less critical component in the nuclear power plant, it was also on the cooling system. Now think about it, a Siemens device will eventually be reported responsible for a nuclear meltdown.

Ravi Agrawal: Wow.

Joe Kaeser: And then I was talking, then I was here at the time, I was obviously when we knew sort of what’s going on, you know. So I went to that special embassy in Berlin and I said, look, talk to the ambassador, I said, look, it’s not going to be a good idea. So next time, wouldn’t you want to maybe tell us? We’d be happy to help you.

Ravi Agrawal: Right.

Joe Kaeser: But this is a bad idea. And he said, oh, well, we don’t know what you’re talking about. Is there anything else I can help you with? I said, okay, thank you very much.

Samir Saran: Anyways, the hilarious thing was that…

Joe Kaeser: See, this is a real issue, this friendly fire.

Samir Saran: India and Indonesia were the most affected country by the Stuxnet virus. They were all upgrading their systems post that attack because Siemens digital controllers, PLCs, were being deployed and used extensively in these countries. So I’m just telling you…

Ravi Agrawal: Yeah, yeah, yeah. So there’s an interesting component here.

Samir Saran: Everywhere, I mean, yeah.

Ravi Agrawal: Just to take the idea of deterrence, you know, and with sort of, with nuclear weapons, you know, the game of deterrence is a game for big players and that’s why it creates a world of haves and have-nots. But, Mirjana, what about the have-nots? I mean, if you don’t have deterrence, then how do you survive in a world where you’re not able to stop anyone from acting against you because you have nothing to act back with?

Mirjana Spoljaric Egger: Based on the destruction and… The experiences and the total destruction that we also saw during the Second World War, states came together and created the so-called Geneva Conventions in 1949, introducing principles like distinction and proportionality, because the majority of states don’t have that self-defense potential through weapon systems that only a handful have. So they rely on the universal agreement, and all states ratified these agreements, that there will be a distinction between private and public and official and non-official and civilians and weapons bearers. Now this comes under threat with the new technologies, because what we see now, especially in the context of Ukraine, Russia, but also in the Middle East increasingly, is the blurring of the lines, the impossibility to apply distinction between civilians and armies or defense systems, because you have the so-called hackers, or you have civilians through app systems that come in support of armies, so are they part of the weapons bearers, or are they still civilians enjoying the specific protections? And similarly, what you call friendly fire, we call the blurring of the lines also for the private sector, because if your services are actively employed, and if parts of your company support certain of these actions conducted by civilians, you de facto also get drawn into a conflict and lose the protective mechanisms that were created. And that states still apply to, at least to a certain extent, and that’s your only guarantee, because there’s no world police, there’s no superpower going to shield you unless it’s the law.

Joe Kaeser: There’s not even an understanding that a cyber attack is a crime. And you’ll probably never get that true understanding, because the state actors are mutually… adverse to such a thing, but that should be a general set of rules, you know, cyber attack is a crime. That would be a good start, then a set of rules, how we manage that would be another way. And one of the single most relevant topics to us in the private sector is, you know, we don’t find enough good people to help us in that space. I mean, of course, companies, yeah. One of the single biggest issues on the whole cyber topic is to find qualified people to help us defend our company and our customers’ assets. And so therefore, not talking solutions, maybe we need to pimp up, you know, education on that area to help us with more qualified people so that we understand what questions we need to ask for the experts to help us. Because if you don’t give them, you know, what you need to achieve, it’s very hard to find a solution.

Ravi Agrawal: Well, for everyone on live stream, Joe Kaiser is hiring. Commissioner, this blurring of the… 50,000 people. 50,000 people, okay. Cyber warriors. There you go. Next three years, not all on cyber. This is WEF meets LinkedIn. Commissioner, this de-blurring of the lines that Mariana was pointing out, how do you reimpose the lines? And, you know, again, in a world where even in physical wars, the lines are blurred, and we know where they are in conflicts everywhere.

Andrius Kubilius: Well, first of all, really, skills are, as we understand, big challenge everywhere, you know. I hear, you know, from complaints from defense industry, from space industry that, you know, there is lack of qualified people, and that’s why, you know, Commission President Ursula von der Leyen created vice president position for skills, you know. Because that is, in Europe, it looks like it’s becoming big problem. On blurring the lines, I think that, you know, still when, well, I’m defense commissioner, you know, I’m looking into, you know, some kind of this defense logic. But I see really an issue for us, at least, you know, my generation, maybe my, you know, sons and my grandkids, they understand in a different way. But still we are living when we are talking about defense in some way in the 20th century, you know, understanding. Defense means, you know, you need to have tanks, artillery, and so on and so on, which is really not the case anymore. I don’t know how much we’re following, you know, developments and discussions among experts of defense since Crimean occupation. At that time, it was very popular to speak about so-called Gerasimov doctrine, Russian military offensive doctrine, which was created by the, you know, top general, and which speaks about very simple things that, you know, in 21st century, the war and offensive will be, you know, in some way what we can call total. I mean, it starts from very simple things, from propaganda, from, you know, influence on social media, then, you know, all the sabotage acts, cyber attacks, and it ends, you know, with real military things. So for Russians in there, you know, at least what I understand, for them there is no difference in between of different tools which they are using, you know, in this what is called new generation warfare. So my point is very simple. If there is, you know, new generation warfare, we need to have new generation defense, which means that, again, we need to take everything, you know, into account. Sometimes I am complaining that, you know, well, maybe our education from 20th century makes us, you know, to look into, for us it’s easier to see how we can defend ourselves against conventional war. When we’re talking about, you know, either cyber attacks or propaganda attacks, you know, it’s much more difficult to see what instruments, you know, we can use in order to defend ourselves. That’s an issue. That’s an issue what we’re talking here and I agree absolutely, you know, that really deterrence is crucial. The question is, you know, what kind of means we can have for deterrence. And here again, you know, the benefit is to try to look for solutions in a collective way.

Ravi Agrawal: So on that, I’m going to take us away from the cyber domain for one minute and then we’ll come back to cyber. You know, Europeans often talk about alliances and partnerships. You just did. The United States is always the elephant in the room and this week especially so. What happens if Trump actually tries to invade Greenland? I mean, what happens to that relationship? This is exactly your domain. So how would you respond?

Andrius Kubilius: Yeah, well, you know, how do you say it?

Samir Saran: Is there an Article 5?

Andrius Kubilius: I will ask the Commission to answer that question. We still did not discuss some kind of those issues, but well, first of all, of course, we are following, you know, and Denmark is part of the European Union and of course, you know, as we understand, they have some kind of conversations and, you know, we should support always Denmark. That’s not the case because, you know, what we really, what we need to see in a real way, not like Greenland, you know, issue, but when we’re talking about, you know, defence, we need to see two timeframes. One is urgent, which is related with Russia, Russian war against Ukraine and what can come. And there are a lot of predictions that Russia can be ready.

Ravi Agrawal: Respectfully, you’re dodging the question, but are you taking it seriously, the threat? Out of the syllabus, but are you taking the threat seriously?

Andrius Kubilius: Threat which one?

Ravi Agrawal: Trump’s.

Andrius Kubilius: No, I see Trump, for example, his recent statements on Russia as very important and very strong. So, you know, I don’t know how he’ll play.

Joe Kaeser: But the argument of Greenland was also very strong.

Ravi Agrawal: Thank you for saying that.

Andrius Kubilius: Let’s wait for actions.

Ravi Agrawal: Okay. Okay. Let’s bring us back to cyber, I promise. Matthew, when you hear there’s a skills gap, there is on the government side a real sense of, you know, a call for new tools to be able to combat what’s coming at them, how do you fill those gaps?

Matthew Prince: So I think the first thing is, and we’ve always thought this is important, that public-private partnership makes a ton of sense. We have the people with the skills to be able to defend, and that’s why we provide our services at no cost to organizations like the Red Cross. We provide our services at no cost through what we call the Athenian Project to protect democracies, both in the United States and increasingly around the rest of the world. And we think that that’s actually part of our mission. One of the things I think is a challenge for us is there’s a real tension between sort of the idea of digital sovereignty and the idea of a collective defense. So for instance, a lot of countries around the world are saying, we want to be able to defend ourselves, we don’t want to rely on anyone else. And I’ll give an example in the U.S., which is the U.S. has a series of requirements that if you’re protecting government, that the machines, the physical hardware that protects the government has to be resident inside the United States, has to be managed by U.S. citizens. On the surface, that makes some sense, but I sat down and I said, okay, so we get a giant denial of service attack, gets launched out of China. You want me to import that into the United States before I stop it, as opposed to stopping it out at the edge of the network, stopping it out where we are. And to US’s credit, they’re like, yeah, you’re right, that doesn’t make a lot of sense. But as I see around the world, more and more countries say, we’re gonna go our own way, we’re only gonna use our own national systems. That makes cyber defense much harder because at the end of the day, whoever has the most data, whoever has the most information is the one who wins in these conflicts. And so cooperation, cross-global, between public and private organizations is absolutely critical if we’re gonna defeat the enemies here.

Ravi Agrawal: But of course, we’re more fragmented than we’ve been in decades globally. Samir, just pushing us towards some solutions in the last few minutes we have, if you were to recommend countries and the corporate sector as well to adopt a few steps to be better prepared for cyber attacks, what would they be?

Samir Saran: I think Matthew’s got it right. I would just have one variation. We’re not defending democracy. You know, let’s not try and mix 50 things into a very simple task in front of us, which is to protect our digital infrastructure and digital society. So it doesn’t matter what kind of community you come from, everyone is entitled to the same standard of protection. That’s what the Geneva Convention says. It doesn’t matter whether you’re a communist country or a democratic country, you’re entitled to the same protection. So what we really need is to first remove our cultural agendas from a safety and security agenda. Otherwise, you lose people, right? Because you use that Athenian project to also interfere in your fellow democracies. Elon Musk wants to change the government of Germany today because he doesn’t like the German democracy as it exists today. So let’s not mix culture with the strategic objective of securing our digital future. So I think first of all, let’s-

Matthew Prince: So let me just be totally clear. We were happy to protect any organization that’s out there. The Athenian project is specifically set up because when you do have voting, you have to actually be-

Samir Saran: I’m following that project. I get it.

Matthew Prince: This isn’t a philosophical-

Samir Saran: But all I’m saying is the- is the political establishment of all regimes should be respected. If you want your elections not to be interfered with, then don’t call colour revolutions in ten other parts of the world, in Latin America and Europe. My point here is, if you want political respect for your systems, you have to respect other political systems as well. You are not the wisest people in the world. Let others decide their own political outcomes. Let’s look at the functional element of protecting digital spaces and therefore, then norms work. The problem with getting a global agreement on norms and rules for cyberspace was that you always infused it with cultural and political agendas, which was not useful. I’m not saying we should not defend democracy. I think that’s a very valid argument. Defending democracy is a separate topic. Again, I agree with Matthew. Don’t let it enter your country. Look, you can stop TikTok. Do you understand what I’m trying to say? You can ban TikTok. We ban TikTok. We are not poorer. We are as crazy as before. We didn’t lose our craziness. That’s right. We banned TikTok in 2022. We banned TikTok. We love Reels. We are as crazy on Reels as you are on TikTok. But my point here is that at least the Chinese are not gaming our system and they are not privileging certain content during our elections versus other content. So what I’m trying to say is we can defend democracy in different ways. Now let’s look at the critical infrastructure that needs to be protected and all countries need equal guarantees. That’s the point.

Joe Kaeser: Isn’t that exactly the issue which we are talking about? Come back to what you said earlier with the generational topic. If tanks are going into a territory, it will be noticed quickly because it’s a territorial nature. The whole cyberspace is extraterritorial in nature. It doesn’t really matter from what place you’re going to do this. So it’s extraterritorial. It’s outside the boundary of what human history has actually defined, the integrity of borders. So it’s not so perfect. And that makes it so complicated. So at the end of the day, how do you defend democracy? How would you tackle that? You would tackle it in a way that you’ve got a global agreement, a set of rules everybody adheres to. Ha, ha. And that’s impossible, because there are different interests of different territorial players. And that’s a real issue. That’s not just cyber. It’s the whole matter of propaganda and impacting people and impacting democracies extraterritorially in nature.

Matthew Prince: And again, I think norms are incredibly important, and agreements are incredibly important. But in order for them to happen, you have to have visibility first. And the fact that we don’t know what’s going on clearly, that attribution is hard, that the North Koreans pretend to be the Iranians or the Iranians pretend to be the Russians, that makes it extremely difficult for us to get there. So I think step one is get visibility. And after you have visibility, then norms are more important.

Ravi Agrawal: The norms exist. Yes.

Mirjana Spoljaric Egger: The norms exist.

Ravi Agrawal: They’re just not being followed.

Mirjana Spoljaric Egger: Don’t pretend that they’re not possible, even for cyber. Because international humanitarian law enshrines the principles that are valid in all religions, societies, everywhere. It’s the minimum standard in warfare. They apply 100% to the cyberspace. They exist. They just need to be applied. Now, there are areas where you have to look into developing additional norms, because they don’t fulfill your protection needs. And that’s an area that we can discuss, but don’t have the time for. It’s autonomous weapon systems. But anything below, anything that concerns cyber attacks, even on your country, is covered by international law. You just need to apply it.

Ravi Agrawal: Commissioner, how do you do that?

Andrius Kubilius: You know, we see very clearly the situation. Norms are followed by, let’s say, normal democracies. But norms are not followed by some aggressive countries or some groups and so on and so on.

Samir Saran: So I disagree completely. Democratic countries have shown absolute entrepreneurial energy to use them against adversaries. adversaries and better, and they are better at misusing it.

Ravi Agrawal: I think Samir is making the point I was going to make.

Samir Saran: Let’s be honest here. I’m coming from the most vibrant one, and I’m telling you, if we have the ability to use it, we will. So I do not defend democracies as being some virtuous saints here. We have seen democracies flout norms and the United States and Europe have been champions in it.

Andrius Kubilius: Yeah, okay, good. We’re jumping into another topic. But, well, I am not so sure that when we’re talking about the norms and the ability for us to convince everybody to follow the norms, that this is not exactly a solution. Of course, that would be an ideal solution, that we’re writing the norms and then everybody is following them. We are facing different development. We need to understand. We have freedoms, like information freedom, like communication freedom, like election freedom, you know. Some guys, bad guys, are using our freedoms for very bad purposes. That’s the reality.

Samir Saran: Completely.

Andrius Kubilius: And that’s why you continue my topic, that one thing is territorial occupation, but we see very clearly that with all that, what I call new generation warfare, which goes from propaganda to real war, adversaries are trying, first of all, to occupy the hearts and minds of our people. And this is much more difficult to defend.

Samir Saran: I agree. Yeah, that’s it. Commissioner, we have agreement. We have to defend democracy by using a simple principle of reciprocity. If the Chinese don’t allow us to post on their social media, they should not be allowed to post on ours. Reciprocity should be the principle of the digital future. If we allow their embassies in our country, we should be allowed our embassies in theirs. The same is true for the digital spaces. If they prevail in ours, we must prevail in theirs. And that is the deterrence without which it will be a perverse and asymmetric field.

Ravi Agrawal: You know, and with that, we’re out of time. It’s kind of magical that we have disagreement and then agreement, but such… You know, that’s what happens when you bring a good panel together. Thank you to all of you for joining us. Thanks for watching wherever you are. We’ll see you later.

Agreement Points

Cyber attacks increase alongside physical conflicts

speakers

– Matthew Prince
– Mirjana Spoljaric Egger

arguments

Cyber attacks increase alongside physical conflicts

Critical infrastructure and communication systems are targeted

summary

Both speakers agree that cyber attacks are closely linked to physical conflicts and often target critical infrastructure and communication systems.

Existing norms and laws for cyberspace

speakers

– Mirjana Spoljaric Egger
– Samir Saran

arguments

Existing norms and laws are not being followed

Cultural and political agendas interfere with security objectives

summary

Both speakers acknowledge the existence of norms and laws for cyberspace but highlight the challenges in their application and enforcement.

Similar Viewpoints

Both speakers emphasize the importance of collaboration and the need for skilled professionals in cybersecurity.

speakers

– Matthew Prince
– Joe Kaeser

arguments

Public-private partnerships are crucial for cyber defense

There’s a lack of qualified people to defend against cyber threats

Both speakers highlight the challenges in defending against modern cyber threats due to their complex and borderless nature.

speakers

– Andrius Kubilius
– Joe Kaeser

arguments

Need for new generation defense to counter new generation warfare

Extraterritorial nature of cyberspace complicates defense

Unexpected Consensus

Reciprocity in digital engagement

speakers

– Samir Saran
– Andrius Kubilius

arguments

Reciprocity should be the principle for digital engagement between countries

Need for new generation defense to counter new generation warfare

explanation

Despite their different perspectives, both speakers ultimately agree on the need for a new approach to digital engagement and defense, with Saran proposing reciprocity and Kubilius advocating for a new generation of defense strategies.

Overall Assessment

Summary

The speakers generally agree on the increasing importance of cybersecurity in relation to physical conflicts, the need for skilled professionals, and the challenges in applying existing norms and laws. There is also a shared recognition of the need for new approaches to cyber defense and digital engagement.

Consensus level

Moderate consensus with some diverging views on specific solutions. This level of agreement suggests a common understanding of the challenges but indicates that further discussion and collaboration are needed to develop comprehensive solutions to cybersecurity issues.

Different Viewpoints

Effectiveness of existing norms and laws

speakers

– Mirjana Spoljaric Egger
– Andrius Kubilius

arguments

Existing norms and laws are not being followed

Norms are followed by, let’s say, normal democracies. But norms are not followed by some aggressive countries or some groups and so on and so on.

summary

Egger argues that existing international laws are sufficient but not being applied, while Kubilius suggests that some countries, particularly aggressive ones, do not follow these norms.

Approach to cybersecurity and democracy

speakers

– Matthew Prince
– Samir Saran

arguments

Public-private partnerships are crucial for cyber defense

Cultural and political agendas interfere with security objectives

summary

Prince advocates for public-private partnerships in cybersecurity, including protecting democracies, while Saran argues against mixing cultural and political agendas with cybersecurity efforts.

Unexpected Differences

Role of democracies in cyber conflicts

speakers

– Andrius Kubilius
– Samir Saran

arguments

Norms are followed by, let’s say, normal democracies. But norms are not followed by some aggressive countries or some groups and so on and so on.

Democratic countries have shown absolute entrepreneurial energy to use them against adversaries and better, and they are better at misusing it.

explanation

Unexpectedly, while Kubilius suggests democracies follow norms, Saran argues that democracies have been at the forefront of misusing and flouting these norms, challenging the common perception of democracies as more rule-abiding in cyberspace.

Overall Assessment

summary

The main areas of disagreement revolve around the effectiveness of existing norms, the role of cultural and political agendas in cybersecurity, and the behavior of democracies in cyberspace.

difference_level

The level of disagreement is moderate to high, with significant implications for international cooperation in cybersecurity. These differences highlight the complexity of establishing global norms and effective defenses in cyberspace, potentially hindering coordinated efforts to address cyber threats.

Partial Agreements

Both agree on the need for better rules and systems in cyberspace, but differ on the approach. Prince emphasizes visibility and attribution, while Saran advocates for reciprocity between countries.

speakers

– Matthew Prince
– Samir Saran

arguments

Better visibility and attribution of attacks is needed before establishing norms

Reciprocity should be the principle for digital engagement between countries

Similar Viewpoints

Both speakers emphasize the importance of collaboration and the need for skilled professionals in cybersecurity.

speakers

– Matthew Prince
– Joe Kaeser

arguments

Public-private partnerships are crucial for cyber defense

There’s a lack of qualified people to defend against cyber threats

Both speakers highlight the challenges in defending against modern cyber threats due to their complex and borderless nature.

speakers

– Andrius Kubilius
– Joe Kaeser

arguments

Need for new generation defense to counter new generation warfare

Extraterritorial nature of cyberspace complicates defense

Key Takeaways

Cyber attacks are increasing alongside physical conflicts, with critical infrastructure and communication systems as key targets

There is a lack of qualified cybersecurity professionals to defend against growing threats

Existing international norms and laws for cyberspace exist but are not being followed consistently

Public-private partnerships are crucial for effective cyber defense

The extraterritorial nature of cyberspace complicates traditional notions of defense and sovereignty

Resolutions and Action Items

Develop more education and training programs to address the cybersecurity skills gap

Apply existing international humanitarian laws to cyberspace

Improve visibility and attribution of cyber attacks

Unresolved Issues

How to effectively enforce international norms in cyberspace

Balancing digital sovereignty with the need for collective defense

Addressing the use of cyber weapons by both state and non-state actors

How to protect ‘have-not’ countries without cyber deterrence capabilities

Suggested Compromises

Implement reciprocity principles for digital engagement between countries

Focus on protecting critical digital infrastructure regardless of a country’s political system

Balance national cybersecurity measures with international cooperation and information sharing

Whenever there is conflict in the political space, whether that’s kinetic war, or even just conflict within nations, we almost always see cyber conflict follow along with that. And so whatever you’re seeing in the pictures on the news, know that in cyberspace, a war is raging at the exact same time.

speaker

Matthew Prince

reason

This comment establishes a clear link between physical conflicts and cyber warfare, highlighting the often unseen digital dimension of modern conflicts.

impact

It set the tone for the discussion by emphasizing the pervasiveness and significance of cyber conflicts in today’s geopolitical landscape.

There are cyber operations that target civilian infrastructure and that has a huge impact on the humanitarian fallout that comes with conflict. They attack energy, water, hospitals, health facilities, but they also attack communication systems.

speaker

Mirjana Spoljaric Egger

reason

This insight brings attention to the humanitarian consequences of cyber attacks, expanding the discussion beyond just military or economic impacts.

impact

It broadened the conversation to include humanitarian concerns and the real-world effects of cyber attacks on civilian populations.

I think that the place to look to that is the most worrying is the series of, uh, sort of the typhoon attacks, the salt typhoon and other attacks that China has placed, which are the first time I have seen, typically Chinese cyber attacks have been about taking intellectual property. These are attacks where it is not clear what the underlying purpose is.

speaker

Matthew Prince

reason

This comment introduces a new dimension to the discussion by highlighting a shift in Chinese cyber tactics, suggesting a more strategic and potentially more dangerous approach.

impact

It shifted the focus of the conversation to emerging threats and the evolving nature of cyber warfare strategies employed by major powers.

Based on the destruction and… The experiences and the total destruction that we also saw during the Second World War, states came together and created the so-called Geneva Conventions in 1949, introducing principles like distinction and proportionality, because the majority of states don’t have that self-defense potential through weapon systems that only a handful have.

speaker

Mirjana Spoljaric Egger

reason

This comment provides historical context and draws a parallel between conventional warfare regulations and the need for similar frameworks in cyber warfare.

impact

It prompted a discussion about the applicability of existing international laws to cyber conflicts and the challenges in enforcing such regulations.

We’re not defending democracy. You know, let’s not try and mix 50 things into a very simple task in front of us, which is to protect our digital infrastructure and digital society. So it doesn’t matter what kind of community you come from, everyone is entitled to the same standard of protection.

speaker

Samir Saran

reason

This comment challenges the framing of cyber security as a democracy issue, arguing for a more universal approach to digital protection.

impact

It sparked a debate about the politicization of cyber security and the need for a more inclusive, global approach to digital protection.

Overall Assessment

These key comments shaped the discussion by broadening its scope from a purely technical or political issue to one that encompasses humanitarian, strategic, and ethical dimensions. They highlighted the complexity of cyber warfare, its connection to physical conflicts, and the challenges in establishing and enforcing international norms in this domain. The discussion evolved from identifying threats to debating solutions, with a particular focus on the tension between national interests and the need for global cooperation in cyber security.

How can we create effective global norms and rules for cybersecurity that countries actually follow?

speaker

Ravi Agrawal

explanation

This is crucial for establishing a framework to govern cyber activities and reduce conflicts in cyberspace.

How can we address the skills gap in cybersecurity and find enough qualified people to defend against cyber threats?

speaker

Joe Kaeser

explanation

Addressing this shortage is critical for improving cybersecurity capabilities in both private and public sectors.

How can we balance digital sovereignty with the need for collective defense in cybersecurity?

speaker

Matthew Prince

explanation

This balance is important for effective global cybersecurity while respecting national interests.

How can we improve visibility and attribution in cyberspace to better enforce norms and agreements?

speaker

Matthew Prince

explanation

Better visibility is necessary to understand cyber threats and hold actors accountable.

How can we apply existing international humanitarian law principles to cyberspace effectively?

speaker

Mirjana Spoljaric Egger

explanation

Applying these principles to cyber conflicts is crucial for maintaining ethical standards in warfare.

How can we protect critical infrastructure and digital society without mixing in cultural and political agendas?

speaker

Samir Saran

explanation

This approach could lead to more universal protection standards and better international cooperation.

How can we implement the principle of reciprocity in digital spaces to create a more balanced and secure cyber environment?

speaker

Samir Saran

explanation

This could be a potential deterrent against cyber aggression and promote fair digital practices globally.