DEPUTY SECRETARY SULLIVAN: Well, good morning, everyone, and thank you for being here. It’s great to see many familiar faces in the room. This is a very important ministerial on advancing responsible state behavior in cyberspace, and I especially want to thank our co-hosts, the Netherlands and Australia, and our distinguished panelists, the foreign ministers of both, for being here. It’s a tremendous honor to be joined today with member-states who share our commitment to the goal of global cyber stability. We are gratified by the support for this event and the joint statement we look forward to releasing at its conclusion.
In the 21st century, all facets of life are being connected through the internet, making cybersecurity critical to protecting our property, our families, and our ways of life. Fostering responsible state behavior in cyberspace is now integral to safeguarding international peace and security.
This is a challenge that must not be left to technical experts alone. Yes, better network defense can make our systems more secure, but security in cyberspace requires broad international engagement. Diplomacy is the tool that the international community has always used to set expectations for how states should behave. We must apply this approach to our discussions about cyberspace. This issue needs the sustained attention of ministers and other senior diplomats. That is why we convened a high-level event on this subject here in New York one year ago, and that is why this meeting today is so important.
The stakes are moving higher as more governments develop offensive cyber programs and as we see more frequent and severe cyber incidents. In 2017, we witnessed the reckless and uncontrolled WannaCry and NotPetya cyber attacks – both carried out by states – that caused billions of dollars of damage across Europe, Asia, and the Americas. It is clear states are increasingly deploying more sophisticated capabilities that threaten our cybersecurity.
We as an international community must come together to mainstream and make universal well-established standards for state behavior in cyberspace and hold accountable those who transgress them.
Today we meet on the first day of the General Assembly’s high-level week because the United Nations is a venue where we have already made great progress in building consensus around responsible state behavior in cyberspace. It is also where we expect to see significant work on this topic unfold over the next two years.
My message today is twofold: First, the United States is prepared to work with all UN members to safeguard the extraordinary benefits of cyberspace; and second, we must redouble our efforts – and not just in New York or in Geneva – to create accountability for state actions in cyberspace.
All of the governments here today share a broad and common vision of the requirements to maintain peace, security, and stability in cyberspace. We have forged this vision over a decade through negotiations at the UN and in regional bodies, through our daily engagements with each other, and through information sharing, coordination of messaging, and other cooperative actions to prevent, mitigate, and respond to significant cyber incidents.
Almost exactly a year ago, the United States reaffirmed its commitment to this vision in our National Cyber Strategy. We are very proud of this strategy, and this meeting today is a fitting way for us to mark the anniversary. In the last year, we have taken steps domestically to protect our supply chains, strengthen our cybersecurity workforce, and improve network defense. The State Department leads in implementing many of the international elements of the strategy, which have direct bearing on our work here at the United Nations.
Pillar III of the National Cyber Strategy is aptly named “Preserve Peace through Strength.” It commits the United States to “promote a framework of responsible state behavior in cyberspace built upon international law, adherence to voluntary non-binding norms of state behavior that apply during peacetime, and the consideration of practical confidence-building measures to reduce the risk of conflict.”
Broad international consensus around these three elements – international law, peacetime norms, and confidence-building measures – is the signature accomplishment of cyber diplomacy in the last decade. The consensus reports of the 2010, 2013, and 2015 Group of Governmental Experts presents the elements of this framework. The UN General Assembly, through 2015, ’16, and ’18 resolutions, reaffirmed that all states should follow the reports’ recommendations. Our National Cyber Strategy commits the United States to preserve and build upon this accomplishment even as certain states appear poised to undermine it.
We believe the time is now to prioritize universalization and implementation of the Framework for Responsible State Behavior, because doing so is in all states’ interests. That’s why cyber capacity-building forms an integral element of our National Cyber Strategy, and I know many of our partners here are particularly committed to this as well. In our interconnected world, we are only as strong as our weakest link. We must work to ensure that states that want to act responsibly in cyberspace have the means to do so, which includes protecting their networks from malicious state and non-state actors. To this end, since 2014, the State Department alone has invested more than $70 million to build cyber capacity and strengthen the fight against cyber crime.
The priorities I have just described will guide our strategy in the coming UN negotiations on international security issues in cyberspace. Over the next two years, we will engage in not one but two negotiation processes: another UN Group of Governmental Experts and a new Open-Ended Working Group. Some expect these parallel processes will create tension. We in the
United States, on the other hand, view them as opportunities, provided that we can hold the line against attempts to rewrite our past consensus achieved here.
We will look to Ambassador Patriota from Brazil and Ambassador Lauber from Sweden[1] to refine critical guidance to states and identify ways to improve capacity across the board. Our hope is to reach consensus in both venues, and we’re prepared to work with all well-intentioned states to achieve this goal.
As we make a concerted effort together to achieve success in the coming negotiations, we also must not lose sight of what matters most to our people: safety and security from malicious cyber activities. To accomplish this, we need all states not only to adopt the Framework for Responsible State Behavior, but most importantly to abide by it.
Sadly, the record has been mixed in recent years. We have seen cyber attacks on critical infrastructure, like the 2017 NotPetya example I cited earlier; cyber-enabled election interference in a number of countries; and state-sponsored theft of trade secrets for commercial gain. While we should be proud of our efforts to identify nonbinding norms for responsible state behavior over the last decade, we have yet to build mechanisms to hold – for holding accountable states that transgress those norms.
We need to work together to do this now.
We need all responsible states to stand together against destructive, disruptive, or otherwise destabling[2], malicious cyber activity carried out by states during peacetime. We must work in concert to ensure that there are consequences for bad behavior in cyberspace, drawing upon all elements of national power, not just cyber capabilities. We need to build cooperation among responsible states to deliver those consequences where appropriate and consistent with international law.
We are encouraged to see a growing number of governments working together to condemn malicious cyber activity. From WannaCry to the APT10 Cloud Hopper incidents, more and more countries are attributing cyber attacks or issuing statements of support to those states that do attribute. But we need to do more.
Today, 26 countries, including the United States, have signed a Joint Statement on Advancing Responsible State Behavior in Cyberspace, and we encourage other countries to join us. We hope those who have not signed will do so today. This statement reflects our shared commitment to work together to continue to advance the framework of responsible state behavior, including through the upcoming UN negotiations, and to work together to ensure accountability for adherence to that framework.
So thank you again for the honor and privilege of speaking with you today. We have a tremendous opportunity before us to advance peace, security, and prosperity in the years to come. And now it’s my honor to introduce my esteemed colleague, Foreign Minister Stef Blok of the Kingdom of the Netherlands. Stef.
FOREIGN MINISTER BLOK: Well, excellencies, ladies and gentlemen, the joint statement that my colleague John Sullivan and Marise Payne and I are presenting here today underscores our shared commitment to upholding the international rules-based order.
Events over the past decade have demonstrated that if a hard dividing line between cyberspace and the real, physical world has ever existed, it is now fading fast. Interference in democratic processes, cyber operation against national and international institutions, and the hacking of private companies have become commonplace. As such, cyberspace has become inseparable from the rest of our lives. The invisible ties that bind our world ever more closely are largely made up of ones and zeros, and when we talk about a buzzword like connectivity, we must recognize that it’s cyberspace that facilitates most of the connections involved.
Information technology is the flame that powers rapid advances in innovation and productivity, and it facilitates the sharing of ideas beyond borders. It is, however, a Promethean flame. While this fascinating technology has given humanity access to previously unthinkable levels of knowledge and connectedness, it has also given both state and non-state actors a powerful new tool for inflicting harm. And like Prometheus’s fire, it can be used to spread light and warmth where before there was cold and darkness. But it can just as easily be used to spread chaos and despair, crippling the world it was meant to illuminate.
Actions in cyberspace have direct impact in the physical world. When cyber operations are directed against vital infrastructure or government, the artificial barrier between online and offline doesn’t matter anymore. When a distributed denial-of-service attack makes government services unavailable to the public or when a cyber attack cripples the financial infrastructure of a state, the harmful effects will be felt immediately and widely. If such disruption were to occur in the physical world, there would be little doubt about how to respond. There is a clearly established body of international law in place, a framework of rules, norms, and principles that guide states in their actions. And the Netherlands strongly supports this rules-based system. We have even enshrined to duty to protect and advance this system in our constitution.
It’s vital to ensure that the system is applied in all domains, because cyberspace is where domestic politics and international obligations meet. Cyberspace transcends borders. And if we are unable to influence the actions of states that intend to act irresponsibly, the effects will be felt by all of us. That’s why I’m glad we are here today to issue this joint statement. It highlights the importance of applying the international rules-based order in cyberspace, and the Netherlands is of course a strong advocate of this.
In the years ahead, we will work with our partners in the EU and the wider world to structure our continued efforts in this area around three main principles. First, we believe that the international rules-based order applies in cyberspace just as it does in the physical world, and that’s why we are keen to strengthen the normative framework for regulating cyber operations between states through multilateralism and the UN. Second, we believe that in cyber space, like in any other fields, the international community must respond when states transgress the rules of international law, such as sovereignty. And third, we believe in the effectiveness of capacity-building to enlarge the international support base for free, open, and secure internet, a cyberspace where existing international law is followed and norms are respected.
So I am proud to announce that the Netherlands will contribute 1 million euros to the World Bank’s Digital Development Partnership trust fund.
While the debate on rules in cyberspace goes on, some states continue to execute offensive cyber operations that are at odds with a rules-based order. And we must act against irresponsible state conduct in the cyber domain, and we must do so through international coalition of likeminded states. We cannot go it alone in a space where – which literally knows no bounds. Only by establishing a strong framework of responsible state behavior in cyberspace can we safeguard our open and secure cyberspace for future generations.
I have one final remark to make. We are gathered here today as an ad hoc coalition of likeminded, responsible nations, representing all corners of the world. And this complements the efforts being made within the European Union where we are working on our ability to attribute attacks and sanction those responsible. The Netherlands aims to further expand this global coalition together with U.S., Australia, and, of course, with all of you gathered here today. The line between cyberspace and the real world is fading fast, and we cannot act as if this is not the case. Rules are rules, regardless of which space you’re in. So let’s make sure this becomes standard practice. Thank you.
MODERATOR: Minister Payne.
FOREIGN MINISTER PAYNE: Thank you. Good morning, excellencies, distinguished guests. And thank you very much to Deputy Secretary Sullivan for your warm welcome and for hosting this event, and my thanks also to our fellow cohost Stef Blok. Excuse me.
We are meeting today in recognition that cyberspace presents one of the most significant opportunities of our time. More than half the world is now online. This connectivity opens up new markets to business and to entrepreneurs, and brings better access to services and education that were previously too expensive or out of reach. Excuse me. However, we also meet today in recognition that maintaining a vibrant cyberspace that drives socioeconomic growth is under significant challenge, like my voice. (Laughter.)
We in this room – in fact, it’s getting worse, not better. We in this room all face persistent cyber threats from a range of malicious actors, whether they are rogue states, serious organized criminals, or extremists. We’re increasingly aware of the potential for the internet to be weaponized as a way to undermine democracy and values that we hold dear. So now more than ever we must recognize that the challenges presented in cyberspace call for greater cooperation between states.
Australia’s vision of an open, free, and secure cyberspace is reflected in the joint statement before us today. An open, a free, a secure internet seeks a balance of opportunity, of rights, and security, to ensure we can all reap the benefits of cyberspace while we are guarding against the risks. Now, Australia is proud to stand with our partners in supporting the joint statement.
As the statement makes clear, cyberspace cannot be lawless. The same rules that apply offline apply online. Existing international law has been negotiated, agreed to, tested over many decades. The question is not whether international law applies in cyberspace, but how.
Two UN bodies have been set up in part to determine how this should be done, and Australia looks forward to being an active and practical member of both. It’s in all of our interests that these groups successfully achieve the mandates set for them by UN members. Cyberspace is now so fundamental to modern life that serious cyber incidents could, if mismanaged, lead to conflict between states. Stability in cyberspace is now just as critical to international peace and security as are efforts to prevent terrorism and counter proliferation of chemical, biological, and nuclear weapons. Never has there been a more important time to be clear about the application of international law and the norms of responsible state behavior to cyberspace.
And to this end, the joint statement makes clear that UN member-states have increasingly coalesced around an evolving framework of responsible state behavior in cyberspace built on international law, on norms and on practical confidence-building measures.
Australia wholeheartedly supports this framework and has already been implementing its content for some years. The rules-based international order must be safeguarded, and we must all hold irresponsible states accountable when they act against it. Consequences we impose must be transparent, consistent with international law.
Australia already takes a strong stand against malicious cyber actors. We have, and we will continue to publicly attribute cyber attacks to their source when it’s in our interests to identify them. We’ve done so in coordination with international partners because when we work together, our message is stronger, and the perpetrators are less able to hide their responsibility through false denials.
In closing, Australia is very pleased to be launching with the U.S. and the Netherlands this joint statement. It’s through partnership and cooperation that we’ll neutralize cyber threats, maintain the rules-based international order, and promote an open, free, and secure internet for the benefit of all.
Thank you, colleagues.
MODERATOR: Thank you, Deputy Secretary Sullivan, Foreign Minister Blok, and Foreign Minister Payne for your comments and your statements. This concludes the open-to-press portion of our discussion today. We’d invite the press to depart at this time. We appreciate you covering our event today.
_____________
[1] Switzerland
[2] destabilizing