1
00:00:05,870 --> 00:00:08,000
[Music]

2
00:00:08,000 --> 00:00:09,599
there's one more

3
00:00:09,599 --> 00:00:12,559
participant possibly two

4
00:00:12,559 --> 00:00:15,559
welcome

5
00:00:16,480 --> 00:00:17,279
but

6
00:00:17,279 --> 00:00:19,439
welcome to everybody uh the few people

7
00:00:19,439 --> 00:00:22,000
that are here they're people online

8
00:00:22,000 --> 00:00:23,680
to this impromptu talk on global

9
00:00:23,680 --> 00:00:26,240
incident response in a fragmented world

10
00:00:26,240 --> 00:00:28,240
this talk is gonna kind of overlap a lot

11
00:00:28,240 --> 00:00:30,880
with the presentation yesterday by my

12
00:00:30,880 --> 00:00:32,800
colleague sherif hashem it's going to

13
00:00:32,800 --> 00:00:34,960
be about how does the international

14
00:00:34,960 --> 00:00:37,120
community

15
00:00:37,120 --> 00:00:39,280
do

16
00:00:39,440 --> 00:00:41,840
incident response in a world where

17
00:00:41,840 --> 00:00:42,879
things are getting a little bit

18
00:00:42,879 --> 00:00:45,600
difficult

19
00:00:45,600 --> 00:00:47,840
kind of some time ago there was this

20
00:00:47,840 --> 00:00:49,200
headline where

21
00:00:49,200 --> 00:00:51,120
google security team

22
00:00:51,120 --> 00:00:53,600
patched a zero day that was known to be

23
00:00:53,600 --> 00:00:56,879
used in a nation-state operation

24
00:00:56,879 --> 00:00:58,879
the special thing about this is the

25
00:00:58,879 --> 00:01:01,120
nation-state operation was conducted by

26
00:01:01,120 --> 00:01:04,239
the u.s by the very country where google

27
00:01:04,239 --> 00:01:06,080
engineers were working from and there's

28
00:01:06,080 --> 00:01:08,400
a lot of conversation and

29
00:01:08,400 --> 00:01:10,320
controversy about is this the right

30
00:01:10,320 --> 00:01:11,680
thing to do

31
00:01:11,680 --> 00:01:14,000
google argued and i agree with this

32
00:01:14,000 --> 00:01:15,439
point of view that

33
00:01:15,439 --> 00:01:17,360
security vulnerabilities should not be

34
00:01:17,360 --> 00:01:18,720
used

35
00:01:18,720 --> 00:01:21,119
to the detriment of users globally and

36
00:01:21,119 --> 00:01:23,600
it puts the users of google products in

37
00:01:23,600 --> 00:01:28,000
this case chrome at risk so

38
00:01:28,000 --> 00:01:30,000
but is this

39
00:01:30,000 --> 00:01:32,079
how it works is this how it should be

40
00:01:32,079 --> 00:01:33,600
that's the question a question that's

41
00:01:33,600 --> 00:01:35,119
discussed on the highest level and

42
00:01:35,119 --> 00:01:36,640
that's what i'm going to talk a little

43
00:01:36,640 --> 00:01:38,799
bit about

44
00:01:38,799 --> 00:01:41,840
today policymakers are discussing

45
00:01:41,840 --> 00:01:44,159
on about the rules of engagement about

46
00:01:44,159 --> 00:01:45,759
how

47
00:01:45,759 --> 00:01:48,399
incident response teams but how states

48
00:01:48,399 --> 00:01:50,399
should behave in cyberspace this wasn't

49
00:01:50,399 --> 00:01:51,920
always the case

50
00:01:51,920 --> 00:01:54,320
in 1996

51
00:01:54,320 --> 00:01:57,040
at the world economic forum in in davos

52
00:01:57,040 --> 00:01:58,719
john perry barlow

53
00:01:58,719 --> 00:02:01,439
which some of you may know as the head

54
00:02:01,439 --> 00:02:03,920
behind the band grateful dead

55
00:02:03,920 --> 00:02:05,280
published his declaration of

56
00:02:05,280 --> 00:02:07,119
independence of cyberspace i recommend

57
00:02:07,119 --> 00:02:10,318
you read this it really calls for states

58
00:02:10,318 --> 00:02:12,239
and corporations to stay out of the

59
00:02:12,239 --> 00:02:13,520
internet

60
00:02:13,520 --> 00:02:16,080
these days

61
00:02:16,080 --> 00:02:18,080
are long long gone states have

62
00:02:18,080 --> 00:02:20,239
recognized that the internet is around

63
00:02:20,239 --> 00:02:22,000
and they're conducting operations in the

64
00:02:22,000 --> 00:02:24,480
internet

65
00:02:24,560 --> 00:02:27,360
just to give you a brief overview

66
00:02:27,360 --> 00:02:29,360
the first one that i know of kind of

67
00:02:29,360 --> 00:02:30,959
that's been publicly

68
00:02:30,959 --> 00:02:34,400
made available is titan rain in 2003

69
00:02:34,400 --> 00:02:36,720
nearly 20 years ago

70
00:02:36,720 --> 00:02:37,680
then uh

71
00:02:37,680 --> 00:02:41,519
where a chinese allegedly chinese actor

72
00:02:41,519 --> 00:02:43,599
attacked a u.s defense contractor and

73
00:02:43,599 --> 00:02:45,680
stole a lot of intellectual property

74
00:02:45,680 --> 00:02:49,040
then 2009 for me this was kind of

75
00:02:49,040 --> 00:02:50,640
a shock

76
00:02:50,640 --> 00:02:52,800
aurora ghostnet was discovered an

77
00:02:52,800 --> 00:02:55,519
attack again by the chinese on

78
00:02:55,519 --> 00:02:57,840
the diaspora of the dalai lama on civil

79
00:02:57,840 --> 00:03:00,560
society and that for me was kind of a

80
00:03:00,560 --> 00:03:02,840
shocking thing a state attacking

81
00:03:02,840 --> 00:03:06,159
civilians when you go on 2010 we had

82
00:03:06,159 --> 00:03:08,000
stuxnet you see here

83
00:03:08,000 --> 00:03:10,720
the picture of a street sign in iran

84
00:03:10,720 --> 00:03:12,400
natanz where this

85
00:03:12,400 --> 00:03:14,080
iranian uranium

86
00:03:14,080 --> 00:03:17,120
enrichment facility is that stuxnet kind

87
00:03:17,120 --> 00:03:19,440
of tried to slow down or bring down to

88
00:03:19,440 --> 00:03:21,040
its knees

89
00:03:21,040 --> 00:03:22,800
and today we can kind of stop counting

90
00:03:22,800 --> 00:03:24,959
there's so many state of

91
00:03:24,959 --> 00:03:26,239
uh

92
00:03:26,239 --> 00:03:28,080
operations going on

93
00:03:28,080 --> 00:03:30,319
that it's not really worth

94
00:03:30,319 --> 00:03:32,319
counting

95
00:03:32,319 --> 00:03:34,159
should we be doing this should states be

96
00:03:34,159 --> 00:03:37,680
doing this that's a very good question

97
00:03:37,680 --> 00:03:39,519
let's look back and see try to figure

98
00:03:39,519 --> 00:03:41,519
out what is it states actually do in the

99
00:03:41,519 --> 00:03:43,840
internet we read a lot about cyber war

100
00:03:43,840 --> 00:03:46,959
in the news recently the center for

101
00:03:46,959 --> 00:03:48,080
foreign

102
00:03:48,080 --> 00:03:50,640
relations has a website that lists all

103
00:03:50,640 --> 00:03:53,599
the known state operations and makes

104
00:03:53,599 --> 00:03:54,879
these available

105
00:03:54,879 --> 00:03:56,720
actually as a json file so it's pretty

106
00:03:56,720 --> 00:03:59,760
cool you can use this

107
00:03:59,760 --> 00:04:01,760
and when you look at what states mostly

108
00:04:01,760 --> 00:04:02,720
do

109
00:04:02,720 --> 00:04:04,480
there's a somewhat of a surprise it's

110
00:04:04,480 --> 00:04:08,000
not cyber war it's espionage

111
00:04:08,000 --> 00:04:10,879
states are spying on each other

112
00:04:10,879 --> 00:04:12,319
that's not something new they've always

113
00:04:12,319 --> 00:04:13,599
been doing this

114
00:04:13,599 --> 00:04:15,519
and why are they doing this because it's

115
00:04:15,519 --> 00:04:17,440
perfectly legal

116
00:04:17,440 --> 00:04:19,600
states are entitled to spy on each other

117
00:04:19,600 --> 00:04:22,639
if you ask representatives of a state

118
00:04:22,639 --> 00:04:24,160
if that should be illegal they all say

119
00:04:24,160 --> 00:04:26,400
no states actually love this because it

120
00:04:26,400 --> 00:04:28,080
gives them intelligence that helps their

121
00:04:28,080 --> 00:04:30,400
policy makers to help their governments

122
00:04:30,400 --> 00:04:33,040
to make decisions about

123
00:04:33,040 --> 00:04:34,960
the capabilities or about the intentions

124
00:04:34,960 --> 00:04:36,320
of other states so they don't want to

125
00:04:36,320 --> 00:04:38,960
give up on this

126
00:04:39,840 --> 00:04:43,199
has it become more well yes it has

127
00:04:43,199 --> 00:04:44,479
clearly

128
00:04:44,479 --> 00:04:46,800
the state operations are growing

129
00:04:46,800 --> 00:04:49,520
now you can argue while espionage i mean

130
00:04:49,520 --> 00:04:51,440
states have always been spying on each

131
00:04:51,440 --> 00:04:52,960
other we know this we all watch james

132
00:04:52,960 --> 00:04:54,560
bond movies

133
00:04:54,560 --> 00:04:56,880
nothing new really is this a problem

134
00:04:56,880 --> 00:04:59,120
hasn't has it been a problem in the past

135
00:04:59,120 --> 00:05:01,039
that states spied on each other it

136
00:05:01,039 --> 00:05:03,360
hasn't in the past

137
00:05:03,360 --> 00:05:05,280
but it has become a problem in my view

138
00:05:05,280 --> 00:05:06,240
today

139
00:05:06,240 --> 00:05:07,919
if you take one of the

140
00:05:07,919 --> 00:05:08,720
big

141
00:05:08,720 --> 00:05:10,960
cyber operations in the past couple of

142
00:05:10,960 --> 00:05:12,080
months

143
00:05:12,080 --> 00:05:13,280
the exploit of the exchange

144
00:05:13,280 --> 00:05:14,960
vulnerability

145
00:05:14,960 --> 00:05:17,120
that has clearly been a state-sponsored

146
00:05:17,120 --> 00:05:18,800
operation has been an espionage

147
00:05:18,800 --> 00:05:20,000
operation because there's mostly

148
00:05:20,000 --> 00:05:21,759
government agencies that are affected by

149
00:05:21,759 --> 00:05:24,400
it

150
00:05:24,400 --> 00:05:27,680
but it has had a huge collateral damage

151
00:05:27,680 --> 00:05:29,840
incident responders people that knew me

152
00:05:29,840 --> 00:05:32,720
had to kind of work overtime to fix the

153
00:05:32,720 --> 00:05:34,000
collaterals

154
00:05:34,000 --> 00:05:36,720
once the vulnerabilities became public

155
00:05:36,720 --> 00:05:38,639
criminals jumped on it especially

156
00:05:38,639 --> 00:05:41,360
ransomware groups creating

157
00:05:41,360 --> 00:05:42,960
huge damages

158
00:05:42,960 --> 00:05:43,680
and

159
00:05:43,680 --> 00:05:45,680
i think that is a game changer just

160
00:05:45,680 --> 00:05:48,000
imagine if one state spies on another

161
00:05:48,000 --> 00:05:50,320
one and blows up in a

162
00:05:50,320 --> 00:05:51,919
kind of a build a government building to

163
00:05:51,919 --> 00:05:54,400
get access to information

164
00:05:54,400 --> 00:05:56,400
nobody would tolerate this but a

165
00:05:56,400 --> 00:05:58,160
nation-state actually

166
00:05:58,160 --> 00:06:02,160
kind of conducting a an operation that

167
00:06:02,160 --> 00:06:04,160
then leads to so much collateral damage

168
00:06:04,160 --> 00:06:06,000
ransomware groups infecting hospitals

169
00:06:06,000 --> 00:06:07,120
and so on

170
00:06:07,120 --> 00:06:08,880
no one really seems to care and i think

171
00:06:08,880 --> 00:06:11,759
that is a bit of a problem

172
00:06:11,759 --> 00:06:13,120
now

173
00:06:13,120 --> 00:06:14,240
why is

174
00:06:14,240 --> 00:06:16,240
espionage while these cyber operations

175
00:06:16,240 --> 00:06:18,080
in cyberspace

176
00:06:18,080 --> 00:06:21,840
so much different from

177
00:06:21,840 --> 00:06:23,280
from the same thing in the physical

178
00:06:23,280 --> 00:06:25,120
world and that really is because

179
00:06:25,120 --> 00:06:26,960
cyberspace has some things that in my

180
00:06:26,960 --> 00:06:28,240
view

181
00:06:28,240 --> 00:06:30,160
are kind of different

182
00:06:30,160 --> 00:06:32,479
so there's first of all

183
00:06:32,479 --> 00:06:34,080
i used to call this there's no borders

184
00:06:34,080 --> 00:06:36,080
in the internet but that's kind of a i'm

185
00:06:36,080 --> 00:06:37,680
not even sure what the concept of

186
00:06:37,680 --> 00:06:40,000
borders means but what this is about is

187
00:06:40,000 --> 00:06:42,319
that the sovereignty of a state naming

188
00:06:42,319 --> 00:06:44,080
namely that you can do in your state what

189
00:06:44,080 --> 00:06:45,360
you want

190
00:06:45,360 --> 00:06:47,199
is no longer tied

191
00:06:47,199 --> 00:06:49,599
to territoriality so the internet blurs

192
00:06:49,599 --> 00:06:51,840
this in the olden times the spies had to

193
00:06:51,840 --> 00:06:53,280
kind of travel into your country you

194
00:06:53,280 --> 00:06:56,080
could protect it for them there's only a

195
00:06:56,080 --> 00:06:58,800
certain number of spies that could go in

196
00:06:58,800 --> 00:07:00,720
and that is a big challenge

197
00:07:00,720 --> 00:07:02,560
that sovereignty versus territoriality

198
00:07:02,560 --> 00:07:06,080
thing is a really big problem it affects

199
00:07:06,080 --> 00:07:07,919
other parts of

200
00:07:07,919 --> 00:07:10,240
cyberspace cloud act for example is

201
00:07:10,240 --> 00:07:12,400
something that has to do with that where

202
00:07:12,400 --> 00:07:14,639
the u.s tries to get information it's

203
00:07:14,639 --> 00:07:16,160
actually not physically stored on their

204
00:07:16,160 --> 00:07:17,360
territory

205
00:07:17,360 --> 00:07:19,440
it's a big thing then attribution is

206
00:07:19,440 --> 00:07:20,560
hard

207
00:07:20,560 --> 00:07:22,319
really that is still one of the biggest

208
00:07:22,319 --> 00:07:24,479
challenges how can you have rules if you

209
00:07:24,479 --> 00:07:27,680
uh if you don't know who

210
00:07:27,680 --> 00:07:31,039
who the actor was and

211
00:07:31,520 --> 00:07:33,360
furthermore then you have what i call

212
00:07:33,360 --> 00:07:35,440
class breaks

213
00:07:35,440 --> 00:07:37,840
if you want to kind of rob a bank or spy

214
00:07:37,840 --> 00:07:39,919
on a government old style you have to go

215
00:07:39,919 --> 00:07:41,440
there you can do

216
00:07:41,440 --> 00:07:44,720
one government agency at a time by kind of

217
00:07:44,720 --> 00:07:47,599
getting a spy a mole in and you can do

218
00:07:47,599 --> 00:07:49,360
hundreds of them at the time we saw this

219
00:07:49,360 --> 00:07:51,360
in these recent big attacks there were

220
00:07:51,360 --> 00:07:53,120
thousands of government agencies

221
00:07:53,120 --> 00:07:55,599
affected

222
00:07:55,599 --> 00:07:57,199
and it's a lot easier because the rate

223
00:07:57,199 --> 00:07:59,199
of innovation in cyberspace in the

224
00:07:59,199 --> 00:08:01,759
internet is so high

225
00:08:01,759 --> 00:08:03,919
there's barely a week where not something

226
00:08:03,919 --> 00:08:05,759
new comes out that that you have to

227
00:08:05,759 --> 00:08:07,280
learn that you as a defender have to

228
00:08:07,280 --> 00:08:09,280
understand how it works and so you can

229
00:08:09,280 --> 00:08:11,360
protect it now we have the internet of

230
00:08:11,360 --> 00:08:12,960
things where we seem to repeat all the

231
00:08:12,960 --> 00:08:14,879
same mistakes we've done 20 years ago in

232
00:08:14,879 --> 00:08:16,240
server software

233
00:08:16,240 --> 00:08:18,240
and so on that makes it a lot harder

234
00:08:18,240 --> 00:08:19,840
there hasn't really been much progress

235
00:08:19,840 --> 00:08:21,039
in kind of

236
00:08:21,039 --> 00:08:24,240
securing physical buildings and

237
00:08:24,240 --> 00:08:26,400
we know how to do this

238
00:08:26,400 --> 00:08:28,080
then there's the asymmetric capabilities

239
00:08:28,080 --> 00:08:31,759
a few people can attack thousands of uh

240
00:08:31,759 --> 00:08:34,479
of victims and vice versa a bunch of

241
00:08:34,479 --> 00:08:36,159
teenagers can actually take a government

242
00:08:36,159 --> 00:08:37,360
down

243
00:08:37,360 --> 00:08:39,360
and that doesn't make things easier

244
00:08:39,360 --> 00:08:40,958
again that doesn't exist in the physical

245
00:08:40,958 --> 00:08:43,039
world and last but not least there's no

246
00:08:43,039 --> 00:08:44,560
global authority there's no one that

247
00:08:44,560 --> 00:08:46,399
really can go there and say

248
00:08:46,399 --> 00:08:48,240
you did something wrong

249
00:08:48,240 --> 00:08:51,600
you're going to get your finger slapped

250
00:08:51,600 --> 00:08:52,399
now

251
00:08:52,399 --> 00:08:55,120
how do states uh

252
00:08:55,120 --> 00:08:57,279
react to that well states actually have

253
00:08:57,279 --> 00:09:00,640
been recognizing this problem

254
00:09:00,640 --> 00:09:01,440
and

255
00:09:01,440 --> 00:09:03,360
currently there's two groups

256
00:09:03,360 --> 00:09:04,880
at the united nations level that are

257
00:09:04,880 --> 00:09:06,800
active in this one of the oldest one is

258
00:09:06,800 --> 00:09:08,640
the united nations governmental group of

259
00:09:08,640 --> 00:09:11,040
experts i wrote down the full title this

260
00:09:11,040 --> 00:09:12,720
is really government speech i'm not even

261
00:09:12,720 --> 00:09:13,680
gonna

262
00:09:13,680 --> 00:09:15,279
try to start

263
00:09:15,279 --> 00:09:17,440
reading this out

264
00:09:17,440 --> 00:09:19,839
typically these are two-year groups um

265
00:09:19,839 --> 00:09:23,600
they started in 2004

266
00:09:23,600 --> 00:09:25,200
and

267
00:09:25,200 --> 00:09:26,880
were kind of

268
00:09:26,880 --> 00:09:28,399
these hand-picked

269
00:09:28,399 --> 00:09:30,480
states in the beginning 2004 is really

270
00:09:30,480 --> 00:09:32,560
very few states it showed an interest so

271
00:09:32,560 --> 00:09:34,959
it wasn't really a problem the last one

272
00:09:34,959 --> 00:09:37,519
there was quite kind of a

273
00:09:37,519 --> 00:09:39,120
demand and a lot of states wanted to get

274
00:09:39,120 --> 00:09:40,720
into it was quite a competition to get

275
00:09:40,720 --> 00:09:41,920
into

276
00:09:41,920 --> 00:09:44,560
but it is what it is so

277
00:09:44,560 --> 00:09:46,800
the highlights of the united of this

278
00:09:46,800 --> 00:09:51,440
un gge it was 2013 so 2013 nine years

279
00:09:51,440 --> 00:09:53,519
after they started

280
00:09:53,519 --> 00:09:55,360
they came up with a report saying hey

281
00:09:55,360 --> 00:09:57,279
actually we think international law

282
00:09:57,279 --> 00:09:59,920
should hold in cyberspace so

283
00:09:59,920 --> 00:10:01,600
states are regulated by international

284
00:10:01,600 --> 00:10:03,680
laws that's what you can do for example

285
00:10:03,680 --> 00:10:06,240
you you must never attack

286
00:10:06,240 --> 00:10:07,839
another country unless you have a

287
00:10:07,839 --> 00:10:10,160
mandate from the security council or you

288
00:10:10,160 --> 00:10:12,240
do it in self defense these type of

289
00:10:12,240 --> 00:10:15,120
things hold in cyberspace

290
00:10:15,120 --> 00:10:16,800
but what does that mean we'll come to

291
00:10:16,800 --> 00:10:17,680
that

292
00:10:17,680 --> 00:10:20,880
2015 the next group actually came out

293
00:10:20,880 --> 00:10:22,880
with 11 what's called norms and i'm

294
00:10:22,880 --> 00:10:25,200
going to explain you what norms are

295
00:10:25,200 --> 00:10:27,279
of responsible state behavior in

296
00:10:27,279 --> 00:10:29,440
cyberspace

297
00:10:29,440 --> 00:10:31,519
so that was actually

298
00:10:31,519 --> 00:10:36,079
probably the two most successful un gges

299
00:10:36,240 --> 00:10:37,279
then

300
00:10:37,279 --> 00:10:40,000
in 2019

301
00:10:40,000 --> 00:10:41,760
people some people felt it's actually

302
00:10:41,760 --> 00:10:43,600
not okay that we

303
00:10:43,600 --> 00:10:45,839
we only have 25 states that talk about

304
00:10:45,839 --> 00:10:47,600
this because the internet is becoming a

305
00:10:47,600 --> 00:10:50,399
global infrastructure so they started

306
00:10:50,399 --> 00:10:52,160
what's called the open-ended working

307
00:10:52,160 --> 00:10:54,399
group

308
00:10:54,880 --> 00:10:56,800
which included every country that wanted

309
00:10:56,800 --> 00:10:58,839
to participate

310
00:10:58,839 --> 00:11:00,640
um

311
00:11:00,640 --> 00:11:04,079
that group was restarted actually uh

312
00:11:04,079 --> 00:11:06,800
last year with a five-year mandate

313
00:11:06,800 --> 00:11:08,399
the last group didn't really have a

314
00:11:08,399 --> 00:11:11,120
substantial output it could reaffirm

315
00:11:11,120 --> 00:11:13,440
what un gge

316
00:11:13,440 --> 00:11:15,040
did

317
00:11:15,040 --> 00:11:16,880
but nothing more than that and we could

318
00:11:16,880 --> 00:11:18,240
go into the details if you're into

319
00:11:18,240 --> 00:11:19,760
political science you can spend a lot of

320
00:11:19,760 --> 00:11:22,160
time arguing about this it was good that

321
00:11:22,160 --> 00:11:25,600
people talk but not really much came out

322
00:11:25,600 --> 00:11:29,120
now why am i telling you this

323
00:11:29,120 --> 00:11:31,760
the reason is

324
00:11:31,760 --> 00:11:34,959
that states start making the rules

325
00:11:34,959 --> 00:11:36,720
on how we engage in the internet and

326
00:11:36,720 --> 00:11:40,480
this has a direct effect on us so first

327
00:11:40,480 --> 00:11:41,680
feeling that

328
00:11:41,680 --> 00:11:43,680
we are part of the internet we are part

329
00:11:43,680 --> 00:11:44,959
of the people that actually make the

330
00:11:44,959 --> 00:11:47,120
internet run

331
00:11:47,120 --> 00:11:48,959
should play a role

332
00:11:48,959 --> 00:11:52,320
un recognizes this and understands

333
00:11:52,320 --> 00:11:55,200
that the internet is not current and

334
00:11:55,200 --> 00:11:58,000
owned or operated by states and it uses

335
00:11:58,000 --> 00:11:59,680
what it calls a multi-stakeholder

336
00:11:59,680 --> 00:12:01,680
process so if you if you kind of hang

337
00:12:01,680 --> 00:12:04,399
out in international organizations you

338
00:12:04,399 --> 00:12:06,639
hear this word multi-stakeholder

339
00:12:06,639 --> 00:12:08,480
all the time what it really means is you

340
00:12:08,480 --> 00:12:10,560
should not only listen to states but all

341
00:12:10,560 --> 00:12:12,560
the other important players and we were

342
00:12:12,560 --> 00:12:14,240
really lucky to be actually one of these

343
00:12:14,240 --> 00:12:16,160
players first

344
00:12:16,160 --> 00:12:18,800
several times now presented at united

345
00:12:18,800 --> 00:12:21,600
nations to the delegates of all these

346
00:12:21,600 --> 00:12:25,639
states discussing these things

347
00:12:26,320 --> 00:12:28,959
just on a side remark

348
00:12:28,959 --> 00:12:30,000
there's

349
00:12:30,000 --> 00:12:31,680
a third group at the united nations it's

350
00:12:31,680 --> 00:12:33,760
called the ad hoc committee on cyber

351
00:12:33,760 --> 00:12:35,920
crime in short where people talk about

352
00:12:35,920 --> 00:12:39,040
the new cyber crime convention

353
00:12:39,040 --> 00:12:41,920
interestingly enough cybersecurity

354
00:12:41,920 --> 00:12:44,320
and cybercrime at the un level are two

355
00:12:44,320 --> 00:12:46,160
totally different things

356
00:12:46,160 --> 00:12:47,839
the cybersecurity stuff is in what's

357
00:12:47,839 --> 00:12:49,440
called the first committee the part of

358
00:12:49,440 --> 00:12:52,959
the u.n that talks about weapons of mass

359
00:12:52,959 --> 00:12:55,440
destruction so i guess it's kind of an

360
00:12:55,440 --> 00:12:57,200
honor to be in that part

361
00:12:57,200 --> 00:12:58,880
whereas this one is more kind of on the

362
00:12:58,880 --> 00:13:00,160
uh

363
00:13:00,160 --> 00:13:04,480
with the organization of a drug and

364
00:13:04,839 --> 00:13:09,279
crime so yeah i just said that

365
00:13:10,240 --> 00:13:11,760
what all these bodies do is they're

366
00:13:11,760 --> 00:13:13,360
going to come out with norms they're

367
00:13:13,360 --> 00:13:14,959
going to come out with recommendations

368
00:13:14,959 --> 00:13:15,600
and

369
00:13:15,600 --> 00:13:17,680
that's just the un level there's many

370
00:13:17,680 --> 00:13:19,519
more organizations that come out with

371
00:13:19,519 --> 00:13:21,200
these you may have heard of the paris

372
00:13:21,200 --> 00:13:24,560
call i had a couple of years

373
00:13:24,560 --> 00:13:27,680
done in by president macron in france

374
00:13:27,680 --> 00:13:29,680
who said this is how we should behave in

375
00:13:29,680 --> 00:13:31,519
cyberspace

376
00:13:31,519 --> 00:13:33,200
the best practices forum has put them

377
00:13:33,200 --> 00:13:34,959
together there is a

378
00:13:34,959 --> 00:13:37,200
hundreds of norms

379
00:13:37,200 --> 00:13:39,600
out there now i've used that word quite

380
00:13:39,600 --> 00:13:42,240
a bit what are norms

381
00:13:42,240 --> 00:13:43,199
today

382
00:13:43,199 --> 00:13:45,199
it's pretty hard to get new

383
00:13:45,199 --> 00:13:47,440
international law down international law

384
00:13:47,440 --> 00:13:49,760
is binding you can in principle sue

385
00:13:49,760 --> 00:13:53,519
another state for violating this

386
00:13:53,519 --> 00:13:55,360
but everybody agrees we're not going to

387
00:13:55,360 --> 00:13:59,279
get this working right now people just

388
00:13:59,279 --> 00:14:00,959
the atmosphere is too poisoned for that

389
00:14:00,959 --> 00:14:02,959
to happen the next best thing you can do

390
00:14:02,959 --> 00:14:04,959
is norms norms are things

391
00:14:04,959 --> 00:14:07,519
that are not technically illegal but you

392
00:14:07,519 --> 00:14:10,399
just don't do it if you've ever tried

393
00:14:10,399 --> 00:14:12,000
to kind of

394
00:14:12,000 --> 00:14:15,199
catch a bus or so in in london

395
00:14:15,199 --> 00:14:17,839
uk and i guess in ireland you'll notice

396
00:14:17,839 --> 00:14:20,079
that people queue up there's no law that

397
00:14:20,079 --> 00:14:22,000
says you have to queue up it's just

398
00:14:22,000 --> 00:14:24,000
something people do and if you if you

399
00:14:24,000 --> 00:14:24,959
kind of

400
00:14:24,959 --> 00:14:27,040
walk the queue and try to get in first

401
00:14:27,040 --> 00:14:28,240
people aren't going to give you a hard

402
00:14:28,240 --> 00:14:29,760
time but the police is not going to show

403
00:14:29,760 --> 00:14:31,120
up that's what the norm is it's a

404
00:14:31,120 --> 00:14:33,199
voluntary kind of agreement hey yes we

405
00:14:33,199 --> 00:14:35,199
all stick to the same rules often not

406
00:14:35,199 --> 00:14:36,480
written down

407
00:14:36,480 --> 00:14:39,760
interestingly most of international law

408
00:14:39,760 --> 00:14:42,399
is what's called

409
00:14:42,839 --> 00:14:45,839
um now words are slipped

410
00:14:45,839 --> 00:14:48,000
it's norms it's stuff it's customary

411
00:14:48,000 --> 00:14:50,240
international law it's not written down

412
00:14:50,240 --> 00:14:51,920
and it's things people have always been

413
00:14:51,920 --> 00:14:53,760
doing in the past

414
00:14:53,760 --> 00:14:55,360
norms have become customary

415
00:14:55,360 --> 00:14:57,199
international law and after certain time

416
00:14:57,199 --> 00:14:59,040
so if states stick to this stuff for 10

417
00:14:59,040 --> 00:15:01,279
years 20 years it actually becomes

418
00:15:01,279 --> 00:15:03,440
binding they can't go back and say okay

419
00:15:03,440 --> 00:15:05,680
but we never agreed to this because an

420
00:15:05,680 --> 00:15:07,519
international court would say

421
00:15:07,519 --> 00:15:09,440
but you stuck to it for the past 20

422
00:15:09,440 --> 00:15:10,720
years

423
00:15:10,720 --> 00:15:13,120
now i mentioned these 15 norms that the

424
00:15:13,120 --> 00:15:15,680
un gge came out with and i don't want to

425
00:15:15,680 --> 00:15:16,399
go

426
00:15:16,399 --> 00:15:18,320
through all of them in detail

427
00:15:18,320 --> 00:15:20,000
let's just point out

428
00:15:20,000 --> 00:15:22,000
a couple of things and the good news

429
00:15:22,000 --> 00:15:24,480
really is is we are in csirts are in

430
00:15:24,480 --> 00:15:26,399
there's this norm k that essentially

431
00:15:26,399 --> 00:15:27,279
says

432
00:15:27,279 --> 00:15:29,360
states

433
00:15:29,360 --> 00:15:31,920
should not attack each other's incident

434
00:15:31,920 --> 00:15:34,560
response teams

435
00:15:34,560 --> 00:15:37,040
csirts are the only group explicitly

436
00:15:37,040 --> 00:15:39,440
mentioned several times in this u.n

437
00:15:39,440 --> 00:15:41,440
negotiations and that gives us kind of a

438
00:15:41,440 --> 00:15:44,880
special role states it seems recognize

439
00:15:44,880 --> 00:15:46,639
the value of the work we do as people

440
00:15:46,639 --> 00:15:48,320
who defend the internet who keep the

441
00:15:48,320 --> 00:15:50,880
internet running who defend the users

442
00:15:50,880 --> 00:15:52,720
and there's a price for that it also

443
00:15:52,720 --> 00:15:54,800
means we should not be offensive we

444
00:15:54,800 --> 00:15:58,399
should not be part of attacks

445
00:15:58,399 --> 00:16:02,320
in 2021 the un gge also said

446
00:16:02,320 --> 00:16:05,839
states please stop politicizing csirts

447
00:16:05,839 --> 00:16:08,480
do not kind of use csirts

448
00:16:08,480 --> 00:16:10,800
as an instrument to play politics and

449
00:16:10,800 --> 00:16:12,560
again this is a very very strong

450
00:16:12,560 --> 00:16:14,399
statement i feel

451
00:16:14,399 --> 00:16:15,839
it's not law

452
00:16:15,839 --> 00:16:17,920
but it is a something that states are

453
00:16:17,920 --> 00:16:19,680
encouraged to do

454
00:16:19,680 --> 00:16:22,079
now so you may say welp does this really

455
00:16:22,079 --> 00:16:24,000
kind of affect us i mean

456
00:16:24,000 --> 00:16:25,600
it's all good and right what states do

457
00:16:25,600 --> 00:16:27,839
it doesn't really affect me i mean

458
00:16:27,839 --> 00:16:29,440
it's never ever a president has shown up

459
00:16:29,440 --> 00:16:30,320
at

460
00:16:30,320 --> 00:16:31,440
my office

461
00:16:31,440 --> 00:16:32,959
so what then and i'll give you an

462
00:16:32,959 --> 00:16:35,120
example there's another norm that states

463
00:16:35,120 --> 00:16:37,120
should actually

464
00:16:37,120 --> 00:16:39,120
handle vulnerabilities

465
00:16:39,120 --> 00:16:41,519
uh responsibly we just saw they don't do

466
00:16:41,519 --> 00:16:43,199
this

467
00:16:43,199 --> 00:16:45,199
no one really reported this exchange

468
00:16:45,199 --> 00:16:46,880
vulnerabilities another example is the

469
00:16:46,880 --> 00:16:49,199
log4j which i think is a very

470
00:16:49,199 --> 00:16:50,639
interesting example because it was

471
00:16:50,639 --> 00:16:54,240
discovered by alibaba a chinese company

472
00:16:54,240 --> 00:16:56,079
alibaba did what it was supposed to do

473
00:16:56,079 --> 00:16:58,639
what we expected to do it reported this

474
00:16:58,639 --> 00:17:00,720
to the developers

475
00:17:00,720 --> 00:17:02,079
told them hey there is an issue the

476
00:17:02,079 --> 00:17:04,959
developers put out an update and

477
00:17:04,959 --> 00:17:07,280
gave us time to fix this

478
00:17:07,280 --> 00:17:09,039
turns out the chinese government was

479
00:17:09,039 --> 00:17:11,599
very very unhappy with alibaba they lost

480
00:17:11,599 --> 00:17:14,160
the big contract because china argued

481
00:17:14,160 --> 00:17:16,160
well you should have told us about this

482
00:17:16,160 --> 00:17:18,480
vulnerability first before disclosing

483
00:17:18,480 --> 00:17:20,160
it

484
00:17:20,160 --> 00:17:22,319
that's not really unique to china

485
00:17:22,319 --> 00:17:24,079
the u.s and the uk in particular have

486
00:17:24,079 --> 00:17:25,439
what's called a

487
00:17:25,439 --> 00:17:27,439
vulnerability equity process that

488
00:17:27,439 --> 00:17:29,679
describes how they decide

489
00:17:29,679 --> 00:17:30,960
when to keep

490
00:17:30,960 --> 00:17:33,919
a vulnerability secret or not

491
00:17:33,919 --> 00:17:35,760
the us obviously did keep a couple of

492
00:17:35,760 --> 00:17:37,679
vulnerabilities

493
00:17:37,679 --> 00:17:40,640
secret we saw this with the first slide

494
00:17:40,640 --> 00:17:42,240
and google actually found out about the

495
00:17:42,240 --> 00:17:44,559
vulnerability in chrome

496
00:17:44,559 --> 00:17:46,960
and patched it

497
00:17:46,960 --> 00:17:49,200
so

498
00:17:49,679 --> 00:17:51,440
but again what does that mean for us

499
00:17:51,440 --> 00:17:54,080
it's all states it's just states

500
00:17:54,080 --> 00:17:56,320
what are the obligations for private

501
00:17:56,320 --> 00:17:58,480
industry what are the obligations for

502
00:17:58,480 --> 00:18:00,799
software vendors and

503
00:18:00,799 --> 00:18:02,400
that is a very good question to ask and

504
00:18:02,400 --> 00:18:05,360
no one really knows what this is

505
00:18:05,360 --> 00:18:06,400
um

506
00:18:06,400 --> 00:18:08,000
the swiss government started a process

507
00:18:08,000 --> 00:18:09,520
called the geneva dialogue where it

508
00:18:09,520 --> 00:18:13,120
tries to bring together people from

509
00:18:13,120 --> 00:18:15,120
software development companies to try to

510
00:18:15,120 --> 00:18:16,720
figure out what does it mean what does

511
00:18:16,720 --> 00:18:19,039
it mean to do responsible vulnerability

512
00:18:19,039 --> 00:18:20,720
disclosure how can we do this why

513
00:18:20,720 --> 00:18:22,320
doesn't it really work

514
00:18:22,320 --> 00:18:23,600
and

515
00:18:23,600 --> 00:18:25,919
kind of me being the naive guys at first

516
00:18:25,919 --> 00:18:27,600
has all these

517
00:18:27,600 --> 00:18:29,360
has all these guidelines out so what

518
00:18:29,360 --> 00:18:31,360
you're talking about but it's really

519
00:18:31,360 --> 00:18:33,039
important that states start to

520
00:18:33,039 --> 00:18:34,240
understand

521
00:18:34,240 --> 00:18:36,720
what this implies and start to kind of

522
00:18:36,720 --> 00:18:39,200
um create processes if you look at

523
00:18:39,200 --> 00:18:40,960
switzerland switzerland has decided to

524
00:18:40,960 --> 00:18:43,600
not stockpile vulnerabilities so that's

525
00:18:43,600 --> 00:18:46,640
the swiss position that's published

526
00:18:46,640 --> 00:18:49,200
the uk and the u.s haven't and

527
00:18:49,200 --> 00:18:51,120
no other state so far to my knowledge

528
00:18:51,120 --> 00:18:53,120
has actually made a statement on how

529
00:18:53,120 --> 00:18:54,559
they treat this

530
00:18:54,559 --> 00:18:56,960
but even if states like the us and uk

531
00:18:56,960 --> 00:18:59,360
say we actually keep vulnerabilities in

532
00:18:59,360 --> 00:19:01,760
certain cases

533
00:19:01,760 --> 00:19:03,679
them admitting this is a really good

534
00:19:03,679 --> 00:19:06,000
important thing because it actually

535
00:19:06,000 --> 00:19:08,240
tells you where they stand and you may

536
00:19:08,240 --> 00:19:10,799
have a problem there

537
00:19:10,799 --> 00:19:12,480
it hasn't really solved

538
00:19:12,480 --> 00:19:14,640
the dilemma that google as a us entity

539
00:19:14,640 --> 00:19:17,039
is in if it finds something if it finds

540
00:19:17,039 --> 00:19:19,280
another vulnerability that is used by

541
00:19:19,280 --> 00:19:21,360
its own government and that is something

542
00:19:21,360 --> 00:19:23,280
we have to figure out

543
00:19:23,280 --> 00:19:25,760
now

544
00:19:25,760 --> 00:19:28,400
i mentioned to you that FIRST is a

545
00:19:28,400 --> 00:19:31,120
has done several kind of inputs at the

546
00:19:31,120 --> 00:19:33,919
united nations but what is FIRST's position

547
00:19:33,919 --> 00:19:36,240
our position really is is that it's

548
00:19:36,240 --> 00:19:39,039
really important that whatever norms and

549
00:19:39,039 --> 00:19:41,760
laws states decide on they should make

550
00:19:41,760 --> 00:19:44,000
sure that incident responders can keep

551
00:19:44,000 --> 00:19:46,559
working the way they used to that means

552
00:19:46,559 --> 00:19:48,480
you should not criminalize the tools we

553
00:19:48,480 --> 00:19:50,320
have

554
00:19:50,320 --> 00:19:52,799
tcpdump is not a hacker tool a

555
00:19:52,799 --> 00:19:55,600
malicious hacker tool it also means we

556
00:19:55,600 --> 00:19:58,080
need to be able to uh

557
00:19:58,080 --> 00:20:00,160
to talk to each other right now we're

558
00:20:00,160 --> 00:20:02,400
not there's several countries that are

559
00:20:02,400 --> 00:20:07,039
under sanctions that we cannot talk to

560
00:20:07,039 --> 00:20:09,200
that's a very important thing and

561
00:20:09,200 --> 00:20:11,360
that we say um

562
00:20:11,360 --> 00:20:13,840
we also feel that when states make

563
00:20:13,840 --> 00:20:16,000
decisions about what kind of con

564
00:20:16,000 --> 00:20:18,000
operations they conduct they should

565
00:20:18,000 --> 00:20:20,159
always take the good of all internet's

566
00:20:20,159 --> 00:20:22,960
users into account so it should not be

567
00:20:22,960 --> 00:20:24,799
the intelligence services that decide

568
00:20:24,799 --> 00:20:27,679
hey we have a great opportunity

569
00:20:27,679 --> 00:20:29,600
to catch some fish here

570
00:20:29,600 --> 00:20:30,880
and we don't really care about the

571
00:20:30,880 --> 00:20:34,000
damage it creates to the rest of society

572
00:20:34,000 --> 00:20:35,600
it's very important for us that our

573
00:20:35,600 --> 00:20:37,120
users are actually at the end of the day

574
00:20:37,120 --> 00:20:39,760
safe and secure

575
00:20:39,760 --> 00:20:41,679
we also feel very strongly that the core

576
00:20:41,679 --> 00:20:43,679
of the internet the part the

577
00:20:43,679 --> 00:20:45,679
infrastructure

578
00:20:45,679 --> 00:20:47,200
deep sea cables

579
00:20:47,200 --> 00:20:48,799
internet exchanges

580
00:20:48,799 --> 00:20:50,720
all of this stuff should be off limits

581
00:20:50,720 --> 00:20:53,039
they should not be part

582
00:20:53,039 --> 00:20:54,159
of a

583
00:20:54,159 --> 00:20:56,000
of a malicious cyberactive

584
00:20:56,000 --> 00:20:57,919
cyber operation and should not be

585
00:20:57,919 --> 00:20:59,840
targeted even if you could make a great

586
00:20:59,840 --> 00:21:01,679
gain

587
00:21:01,679 --> 00:21:04,080
and last but not least the open-ended

588
00:21:04,080 --> 00:21:06,080
working group has starting has been

589
00:21:06,080 --> 00:21:08,720
starting to emphasize

590
00:21:08,720 --> 00:21:10,640
capacity building so all states are

591
00:21:10,640 --> 00:21:13,120
encouraged to build capacity because

592
00:21:13,120 --> 00:21:14,480
they've realized actually we need

593
00:21:14,480 --> 00:21:16,880
CSIRTs we need security staff we don't

594
00:21:16,880 --> 00:21:17,760
have it

595
00:21:17,760 --> 00:21:19,919
but FIRST says is well it's not good

596
00:21:19,919 --> 00:21:21,919
enough to just deliver yet another

597
00:21:21,919 --> 00:21:24,720
CSIRT 101 training but rather that we

598
00:21:24,720 --> 00:21:26,720
should start building up communities

599
00:21:26,720 --> 00:21:28,559
where CSIRTs learn to work together

600
00:21:28,559 --> 00:21:30,240
with all the stakeholders all stuff

601
00:21:30,240 --> 00:21:32,559
that's really obvious to us but not so

602
00:21:32,559 --> 00:21:34,880
obvious to states

603
00:21:34,880 --> 00:21:36,320
and that is a position we keep on

604
00:21:36,320 --> 00:21:38,080
reiterating

605
00:21:38,080 --> 00:21:39,520
and i think

606
00:21:39,520 --> 00:21:41,919
with good results at least

607
00:21:41,919 --> 00:21:45,520
states agree to these statements all the

608
00:21:45,520 --> 00:21:47,919
these norms i've actually shown you have

609
00:21:47,919 --> 00:21:50,640
been agreed upon by all members of the

610
00:21:50,640 --> 00:21:52,960
channel the u.n general assembly so in

611
00:21:52,960 --> 00:21:54,400
principle you can say you all said yes

612
00:21:54,400 --> 00:21:57,280
to that so aren't you sticking to this

613
00:21:57,280 --> 00:21:58,559
they are not

614
00:21:58,559 --> 00:22:00,320
of course there is a couple of problems

615
00:22:00,320 --> 00:22:03,039
like attribution is one um

616
00:22:03,039 --> 00:22:05,360
it's not really clear who plays what

617
00:22:05,360 --> 00:22:07,360
role in attribution FIRST's view here

618
00:22:07,360 --> 00:22:09,520
really is that CSIRTs should stay out

619
00:22:09,520 --> 00:22:11,760
of attribution because it kind of puts

620
00:22:11,760 --> 00:22:13,039
us part

621
00:22:13,039 --> 00:22:14,720
into part of a conflict attribution

622
00:22:14,720 --> 00:22:16,320
inherently is a political process it's

623
00:22:16,320 --> 00:22:17,600
one country

624
00:22:17,600 --> 00:22:19,760
blaming another one we don't want to be

625
00:22:19,760 --> 00:22:21,760
part of the blaming game we actually

626
00:22:21,760 --> 00:22:23,520
want to be part of the

627
00:22:23,520 --> 00:22:25,600
we protect our users we often compare

628
00:22:25,600 --> 00:22:28,000
ourselves to firefighters

629
00:22:28,000 --> 00:22:29,520
firefighters are not in the game of

630
00:22:29,520 --> 00:22:31,679
arresting arsonists they're in the game of

631
00:22:31,679 --> 00:22:32,799
uh

632
00:22:32,799 --> 00:22:34,799
extinguishing fires obviously they work

633
00:22:34,799 --> 00:22:36,480
with law enforcement to say we found

634
00:22:36,480 --> 00:22:37,520
this kind of

635
00:22:37,520 --> 00:22:39,360
bottle of gasoline here so maybe you

636
00:22:39,360 --> 00:22:41,200
want to have a look at this sure we do

637
00:22:41,200 --> 00:22:43,039
that but we're not the ones that do

638
00:22:43,039 --> 00:22:45,039
attribution

639
00:22:45,039 --> 00:22:47,679
it could be completely second talk about

640
00:22:47,679 --> 00:22:49,360
attribution it's a really

641
00:22:49,360 --> 00:22:51,200
tricky topic and if you talk to people

642
00:22:51,200 --> 00:22:52,080
in

643
00:22:52,080 --> 00:22:53,840
that represent states it becomes even

644
00:22:53,840 --> 00:22:56,000
trickier

645
00:22:56,000 --> 00:22:57,600
at the end of the day we start to kind

646
00:22:57,600 --> 00:22:59,280
of wonder

647
00:22:59,280 --> 00:23:00,799
at FIRST how

648
00:23:00,799 --> 00:23:02,480
how should all of this work together for

649
00:23:02,480 --> 00:23:04,960
us what does this really mean and that's

650
00:23:04,960 --> 00:23:07,919
kind of a little pr session for our own

651
00:23:07,919 --> 00:23:09,840
code of ethics EthicsfIRST that there

652
00:23:09,840 --> 00:23:12,880
is a SIG an ethics SIG at FIRST that started

653
00:23:12,880 --> 00:23:14,080
talking about

654
00:23:14,080 --> 00:23:15,520
what does this do

655
00:23:15,520 --> 00:23:17,280
it's really based on

656
00:23:17,280 --> 00:23:18,080
the

657
00:23:18,080 --> 00:23:20,159
fairly old universal declaration of

658
00:23:20,159 --> 00:23:22,080
human rights

659
00:23:22,080 --> 00:23:23,919
and what we actually feel is that what

660
00:23:23,919 --> 00:23:25,919
we do as incident response we protect

661
00:23:25,919 --> 00:23:27,919
users we really protect this during

662
00:23:27,919 --> 00:23:30,320
their basic rights

663
00:23:30,320 --> 00:23:32,559
the code of ethics is not very much into

664
00:23:32,559 --> 00:23:34,159
human rights it just says that in one

665
00:23:34,159 --> 00:23:36,000
sentence but what it delivers you is

666
00:23:36,000 --> 00:23:38,720
kind of duties for example the duty to

667
00:23:38,720 --> 00:23:40,640
reply to a request

668
00:23:40,640 --> 00:23:43,440
duty to be trustworthy and so on and we

669
00:23:43,440 --> 00:23:45,120
acknowledge that there is often dilemmas

670
00:23:45,120 --> 00:23:47,120
because what the work we do is not

671
00:23:47,120 --> 00:23:49,600
always easy are we gonna kind of

672
00:23:49,600 --> 00:23:51,279
publish something a vulnerability that

673
00:23:51,279 --> 00:23:53,520
then can be abused by someone or are we

674
00:23:53,520 --> 00:23:55,600
gonna keep it secret just tell it to

675
00:23:55,600 --> 00:23:57,760
some small group these are difficult

676
00:23:57,760 --> 00:23:59,840
questions and the code of ethics

677
00:23:59,840 --> 00:24:02,400
tries to kind of

678
00:24:02,400 --> 00:24:04,640
give you advice on that and guidance on

679
00:24:04,640 --> 00:24:06,559
how to find a solution that really fits

680
00:24:06,559 --> 00:24:08,720
to you

681
00:24:08,720 --> 00:24:10,320
that already brings me to the end of the

682
00:24:10,320 --> 00:24:12,880
talk and i think why do i give these

683
00:24:12,880 --> 00:24:14,960
non-technical talks while i talk about

684
00:24:14,960 --> 00:24:16,240
this

685
00:24:16,240 --> 00:24:18,640
it's because i really feel as much as

686
00:24:18,640 --> 00:24:20,400
policy makers need to learn how the

687
00:24:20,400 --> 00:24:22,320
internet works and how

688
00:24:22,320 --> 00:24:24,159
incident responders work

689
00:24:24,159 --> 00:24:26,559
we need to understand

690
00:24:26,559 --> 00:24:27,919
that we're not the only ones in the

691
00:24:27,919 --> 00:24:29,679
internet anymore that there is policy

692
00:24:29,679 --> 00:24:32,080
makers that there is states and

693
00:24:32,080 --> 00:24:34,559
authorities that use and abuse and

694
00:24:34,559 --> 00:24:36,799
regulate the internet

695
00:24:36,799 --> 00:24:37,600
and

696
00:24:37,600 --> 00:24:39,360
we all together need to work on a way to

697
00:24:39,360 --> 00:24:40,880
make internet a better place for our

698
00:24:40,880 --> 00:24:41,840
users

699
00:24:41,840 --> 00:24:44,080
and for mankind it's more than half the

700
00:24:44,080 --> 00:24:45,840
population of this planet now is on the

701
00:24:45,840 --> 00:24:46,880
internet

702
00:24:46,880 --> 00:24:49,120
for some people

703
00:24:49,120 --> 00:24:50,080
it uh

704
00:24:50,080 --> 00:24:52,000
is very much on it

705
00:24:52,000 --> 00:24:54,400
it's very much kind of their entire life

706
00:24:54,400 --> 00:24:56,720
surrounding if you go to certain

707
00:24:56,720 --> 00:24:58,799
nations in africa

708
00:24:58,799 --> 00:25:01,120
the lives and the goods people own are

709
00:25:01,120 --> 00:25:02,640
all tied to a mobile phone if that's

710
00:25:02,640 --> 00:25:04,720
compromised we have a problem they have

711
00:25:04,720 --> 00:25:06,159
a problem and that's what we try to

712
00:25:06,159 --> 00:25:07,520
solve

713
00:25:07,520 --> 00:25:09,039
that's it for my side

714
00:25:09,039 --> 00:25:12,360
any questions

715
00:25:34,799 --> 00:25:37,360
sorry thank you for that talk

716
00:25:37,360 --> 00:25:39,200
this is not really a question but can

717
00:25:39,200 --> 00:25:41,039
you elaborate a bit on

718
00:25:41,039 --> 00:25:43,840
how do you interpret borders on the

719
00:25:43,840 --> 00:25:45,360
internet

720
00:25:45,360 --> 00:25:46,880
in terms that most of the infrastructure

721
00:25:46,880 --> 00:25:48,720
is owned by private entities which are

722
00:25:48,720 --> 00:25:50,400
then governed by

723
00:25:50,400 --> 00:25:53,279
state entities

724
00:25:54,320 --> 00:25:57,679
and how that falls into this

725
00:25:57,679 --> 00:25:59,440
that is indeed a very good question and

726
00:25:59,440 --> 00:26:00,880
and i know there's a couple of

727
00:26:00,880 --> 00:26:02,400
international lawyers that are hard at

728
00:26:02,400 --> 00:26:04,400
working trying to exactly figure this

729
00:26:04,400 --> 00:26:05,520
out now

730
00:26:05,520 --> 00:26:06,720
i would argue

731
00:26:06,720 --> 00:26:08,400
the concept of

732
00:26:08,400 --> 00:26:10,880
binary borders where two entities touch

733
00:26:10,880 --> 00:26:12,240
on each other

734
00:26:12,240 --> 00:26:13,200
they have

735
00:26:13,200 --> 00:26:16,400
they're gone so when we look at at cloud

736
00:26:16,400 --> 00:26:18,559
services we have the location of the

737
00:26:18,559 --> 00:26:20,559
data center that potentially gives the

738
00:26:20,559 --> 00:26:23,760
state where this data center is located

739
00:26:23,760 --> 00:26:24,480
in

740
00:26:24,480 --> 00:26:25,200
access to

741
00:26:25,200 --> 00:26:26,960
[Music]

742
00:26:26,960 --> 00:26:28,720
to all the information in that data set

743
00:26:28,720 --> 00:26:30,559
then we have the customer who may be in

744
00:26:30,559 --> 00:26:32,720
in a different country

745
00:26:32,720 --> 00:26:34,640
and we have the service provider who's

746
00:26:34,640 --> 00:26:36,320
going to be yet in another country so

747
00:26:36,320 --> 00:26:38,960
there's at least three entities in there

748
00:26:38,960 --> 00:26:41,120
and i think what it will have to come

749
00:26:41,120 --> 00:26:43,360
down to is that states

750
00:26:43,360 --> 00:26:45,520
need to start to come to agreements and

751
00:26:45,520 --> 00:26:48,080
and how they treat this the US CLOUD Act

752
00:26:48,080 --> 00:26:50,480
is one attempt to do so if you study the

753
00:26:50,480 --> 00:26:54,000
CLOUD Act actually tells

754
00:26:54,000 --> 00:26:56,400
says what what cloud providers or u.s

755
00:26:56,400 --> 00:26:58,880
cloud providers are obliged to do if the

756
00:26:58,880 --> 00:27:01,520
us government comes but it also says

757
00:27:01,520 --> 00:27:03,360
countries are free to have specific

758
00:27:03,360 --> 00:27:06,000
agreements with the united states to

759
00:27:06,000 --> 00:27:08,240
change these rules a little bit

760
00:27:08,240 --> 00:27:09,600
so i think at the end of the day sooner

761
00:27:09,600 --> 00:27:10,960
or later we will have to come to grips

762
00:27:10,960 --> 00:27:12,640
with how how are we going to deal with

763
00:27:12,640 --> 00:27:15,520
this territoriality thing can we can we

764
00:27:15,520 --> 00:27:17,279
kind of come up with internet

765
00:27:17,279 --> 00:27:20,159
territoriality or jurisdiction but right

766
00:27:20,159 --> 00:27:21,679
now that's an unsolved problem no one

767
00:27:21,679 --> 00:27:23,279
really knows

768
00:27:23,279 --> 00:27:26,600
great question

769
00:27:36,640 --> 00:27:40,080
hey serge uh was ASN hijacking part of

770
00:27:40,080 --> 00:27:42,880
the conversation at all

771
00:27:42,880 --> 00:27:45,440
sorry ASN hijacking so they're basically

772
00:27:45,440 --> 00:27:48,399
hijacking by telecoms communicators of

773
00:27:48,399 --> 00:27:50,080
uh

774
00:27:50,080 --> 00:27:51,520
data packs was that part of the

775
00:27:51,520 --> 00:27:54,480
conversation at all

776
00:27:59,679 --> 00:28:01,840
i guess you it's a it's a good question

777
00:28:01,840 --> 00:28:04,799
so i guess it's it's talking about

778
00:28:04,799 --> 00:28:06,240
like what happened that china for

779
00:28:06,240 --> 00:28:08,159
example started to attract certain

780
00:28:08,159 --> 00:28:09,760
traffic to route it through its own

781
00:28:09,760 --> 00:28:12,480
system so we can spy on it uh you can

782
00:28:12,480 --> 00:28:14,720
have this asked a similar question is it

783
00:28:14,720 --> 00:28:17,440
okay to actually

784
00:28:17,440 --> 00:28:19,840
kind of listen snoop into deep sea

785
00:28:19,840 --> 00:28:22,240
cables and uh

786
00:28:22,240 --> 00:28:24,159
that hasn't really been part of

787
00:28:24,159 --> 00:28:25,919
of the conversation you could argue that

788
00:28:25,919 --> 00:28:28,159
when when people say hey you should not

789
00:28:28,159 --> 00:28:29,520
you should leave the core of the

790
00:28:29,520 --> 00:28:31,279
internet alone and not fiddle around

791
00:28:31,279 --> 00:28:32,320
with this

792
00:28:32,320 --> 00:28:33,200
that

793
00:28:33,200 --> 00:28:34,799
should kind of be a message you

794
00:28:34,799 --> 00:28:36,399
shouldn't really fiddle around with the

795
00:28:36,399 --> 00:28:38,480
global routing tables

796
00:28:38,480 --> 00:28:40,720
as for sea cables it's actually totally

797
00:28:40,720 --> 00:28:41,760
legal

798
00:28:41,760 --> 00:28:43,440
to intercept these

799
00:28:43,440 --> 00:28:46,320
everything outside the 200 mile zone

800
00:28:46,320 --> 00:28:47,840
is open for grabs and you can do with

801
00:28:47,840 --> 00:28:50,159
this stuff whatever you want to

802
00:28:50,159 --> 00:28:51,440
so

803
00:28:51,440 --> 00:28:53,279
that was kind of like first time i

804
00:28:53,279 --> 00:28:54,720
talked to an international lawyer and he

805
00:28:54,720 --> 00:28:56,720
asked me is the law of the seas relevant

806
00:28:56,720 --> 00:28:58,480
to the internet yes it is because it

807
00:28:58,480 --> 00:28:59,600
permits you

808
00:28:59,600 --> 00:29:03,199
to listen into deep sea cables

809
00:29:11,279 --> 00:29:14,240
any more questions

810
00:29:15,279 --> 00:29:18,380
thank you serge thank you for coming and

811
00:29:18,380 --> 00:29:22,919
[Applause]

812
00:29:22,960 --> 00:29:25,279
for stepping in in a short notice yes

813
00:29:25,279 --> 00:29:27,120
and thanks everybody

814
00:29:27,120 --> 00:29:29,279
for rushing from the dessert to my talk

815
00:29:29,279 --> 00:29:32,159
much appreciated

816
00:29:32,559 --> 00:29:35,840
next the talk is at the three o'clock

817
00:29:35,840 --> 00:29:37,919
here in the this room

818
00:29:37,919 --> 00:29:41,200
fill out the survey recognizing serge

819
00:29:41,200 --> 00:29:42,559
for stepping in

820
00:29:42,559 --> 00:29:45,440
and yeah that's a short break next

821
00:29:45,440 --> 00:29:49,080
speaker thanks


