1 Baroness Pauline Neville-Jones’ Speech to Commonwealth Telecommunications

Organisation Cyber Security Conference, 17 June 2010

‘International Co-operation in Cyber Space’

[Deputy Secretary General,] Honourable Ministers, ladies and gentlemen…

It is a great pleasure to deliver this keynote address to the Commonwealth Telecommunications Organisation’s first conference on cyber security. Many of you will be aware of the importance the Conservative Party attached to the Commonwealth in opposition. We called for Britain to adopt a more assertive, energetic and enthusiastic attitude towards this strong and diverse group of countries. And we called for the Commonwealth itself to look forward. To draw on its traditional strengths of commonality in values, education, legal and financial institutions to help tackle the risks that face us all in the twenty-first century - by extending its influence and areas of work; by acting as a prime forum for tackling issues which cross divides and national boundaries; and by doing so, to continue to contribute to what Secretary General Kamalesh has called the ‘great global good’.

So this afternoon I am pleased to mark the British government’s commitment to reinvigorating its relationship with the Commonwealth. And I can think of no better example of the Commonwealth- and institutions associated with it like the Commonwealth Telecommunications Organisation - keeping apace of the international agenda and contributing to the global good, than by tackling the important challenge of cyber insecurity.

Vision for cyber space

Implicit throughout this conference is a vision for cyber space - a vision which I know is shared between the UK and countries represented here.

We want our countries - and indeed the international community - to have a world class cyber domain that is capable of helping deliver government policy effectively and efficiently, and capable of helping secure our prosperity. The opportunity and potential is vast. Extending access to digital technology is not a magic bullet but it can boost the economic and social prospects of millions of vulnerable or excluded people; it can strengthen the ties that bind society together by breaking down barriers between communities; and it can encourage business investment and economic expansion.

But these characteristics of cyber space which present us with so much opportunity can also be exploited by malicious actors - terrorists, organised criminals and hostile states who do not share the values of liberty, democracy and good governance. The Commonwealth has always taken a strong stand against these actors. As these criminals shift online to exploit the vulnerabilities of cyber space, for the purposes of theft, espionage and gradual degradation of essential services, so it is our duty to tackle them in their new manifestations - to show them that they cannot escape legitimate authority.

2

Imperatives for international co-operation

The imperatives for this at a national level are clear. In the UK, the annual loss as a result of cyber crime is in the order of £10 billion. That is 0.5% of GDP and likely to be an underestimate. In the context of the financial crisis we all face, I do not need to explain how helpful stemming those losses would be. That figure also does not capture the harm caused by cyber crime to individuals. And looking ahead, as all public services migrate online, reducing vulnerability becomes increasingly vital to ensuring the success of government and the functioning of society.

This situation will be shared by all of you - it is not peculiar to the UK. There are of course steps that government can take by themselves to try to improve this situation. But let us be clear. Criminals exploit the ability to reach into one country from another. They exploit the fact that there is no clear jurisdiction in cyber space. And cyber space is a common good; it underpins our critical infrastructure which transcends borders. A cursory glance over events of the past year remind us of the power and reach of the global forces that are now in operation, the tight interdependence between our nations, and the pace with which challenges can surface in one country and transmit to another. We are all interdependent and vulnerability in one part means vulnerability for us all. Cyber is no different.

Addressing vulnerability is also, of course, not a task just for governments. What characterises the cyber domain is the convergence of the public and private sectors and the convergence of governments and citizens. That is why it is particularly useful that the CTO is a partnership between Commonwealth and non-Commonwealth governments, business and civil society organisations. And it is why I am pleased that this conference is supported by the UK’s Office of Cyber Security and Department for Business, Innovation and Skills. We want to further international co-operation, awareness and education at all levels of society.

Priorities for international co-operation

In this context, what should the priorities for international co-operation be? Where can organisations like CTO, its members and partners make a useful contribution?

The CTO is not the only multinational organisation developing a cyber security agenda. The Organisation for Security and Cooperation in Europe, parts of the United Nations like the International Telecommunications Union and IMPACT, and various parts of the European Commission have all become engaged in these matters over the past year or two. We must be realistic and not think that Commonwealth and its organisations can take over the functions of other international institutions. But, as I have said, they do provide a unique perspective. So they must plug into other organisations working on the cyber agenda to ensure consistency in approach and to contribute to debate.

This point is, of course, closely related to the topic of governance in the cyber domain.

3

I know some countries are naturally suspicious of the perceived US dominance of Internet Governance, given America’s responsibility for top-level domain name services. But to some extent the systems is understandable, given that it is where the internet was developed and from where it has since evolved. Nonetheless, the US has recently gone very far in making the Internet Corporation for Assigned Names and Numbers much more democratic and accountable. The UK supports these steps and also ongoing debates through the UN’s Internet Governance Forum initiative, which have given real voice to developing nations to ensure their concerns are being heard while still maintaining the resilience and worldwide availability of the internet architecture.

Similarly, one of the key roles for cyber governance is the setting of common security standards. As new technology is developed, it is important that these standards are embedded from the outset. The work of the International Telecommunications Union in this area is crucial to the sound and equitable development of the internet. The type of technical standards debated and formulated in the ITU should make it easier and more reliable to exchange information in the future. We must all work together to ensure that developments which favour particular countries to the detriment of others are not encouraged. The involvement of developing countries in the ITU is crucial to this.

It is in this vein that I would also regard proposals for an international cyber ‘arms limitation’ treaty as a distraction. Quite apart from the malign intentions of some of the countries putting forward this proposal and the practical difficulties there would be in enforcing it - for illustration, look at how hard it is to enforce the Non-Proliferation Treaty which is about something quite tangible, whereas cyber is nebulous - there are five steps we can take together now which will have a really tangible and positive effect.

First, we can harmonise national laws for the criminal investigation of cyber crimes and develop frameworks for mutual legal assistance. The UK has signed up to - and will soon ratify - the Council of Europe’s Convention on Cybercrime. We need to ensure the Convention keeps pace with technological change, but it is an example of best practice and I would encourage other countries to think hard about signing up it or modelling their laws and approach on it.

Secondly, and in line with the need for common legal frameworks, there are key gaps worldwide in the capabilities and skills needed to deal with cyber threats. Can we build common resources in areas like digital forensics? Can there be common training for law enforcement personnel? These options, which could both upskill and achieve value for money, should be explored.

Thirdly, capacity building is an important task both before and after events. Even if a government is not directly responsible, states have an obligation to take steps to prevent their territory being used for cyber attacks. But many do not have the capacity to control such exploitation of their sovereignty. Similarly, many do not have the capacity to restore and reconstitute systems after attacks. This points to the need for increased technical help and capacity building by alliances and multilateral organisations.

Fourthly, multilateral organisations should be used to share best practice and knowledge about how cyber threats are evolving between different states and also with international companies. Shared situational awareness is absolutely vital for the effective reduction of vulnerability and for the construction of effective cyber security strategies and defences. Finally, we can look to develop norms of behaviour internationally. To quote Howard Schmidt, President Obama's Cyber Security Co-ordinator, there is 'no win-lose in the cyber realm today' As he says, cyber space 'affects everybody; it affects businesses, it affects government, so number one, there's no value in having [a cyber war]'. If countries are more transparent about what would be regarded as a real threat, this would not only lead to the development of greater certainty about how cyber space is used but over time could also lead to the development of certain norms which if ignored could justify some form of punitive action.

Conclusion

Let me conclude. Just as cyber space is unparalleled in its ability to reach across barriers - whether geographical, cultural or otherwise - so our dialogue and engagement must also reflect this characteristic. That is why I am delighted to be here this afternoon and why the UK Government is supporting this event - so that we can engage with such a wide variety of nations, organisations and the private sector, all under one roof. This is a unique opportunity and I hope you all make the most of it. I hope I have explained why there is a shared agenda when it comes to cyber security and what actions we can take forward together to secure the domain and exploit the opportunities it provides. Cyber space does not represent a zero sum game.