Ulaanbaatar – Thanks for the invitation to be on this plenary panel. The topic is an important one, and it makes sense for the FOC to be encouraging this likeminded community to think about how we will promote a free and secure internet in the years ahead.
When then Secretary Clinton created my position in 2011, I was one of the first, if not the first, cyber diplomat. One of the most common messages I heard as I met with other governments was the challenges of getting the proper attention and getting people to understand the issue.
A lot has changed since 2011. Many governments have established cyber diplomacy positions and offices because many countries are coming to the realization that we did, that cyber is a foreign policy imperative. But, of course, the technology is changing quickly and we need to keep one eye on the future even as we manage the current day challenges.
The evolving nature of the technology will create legal and policy challenges for all of us in the room. Speaking from the government perspective, we have some principles to guide us. The environment that we seek
- rewards innovation and empowers entrepreneurs;
- connects individuals and strengthens communities;
- builds better governments and expands accountability; it safeguards fundamental freedoms and enhances personal privacy;
- builds understanding, clarifies norms of behavior, and enhances national and international security.
As we navigate those goals, our bedrock principles for the technology remain the same. It should be:
- Open to innovation
- Interoperable the world over
- Secure enough to earn people’s trust
- Reliable enough to support their work
One central issue we will grapple with is the increasing complexity of the cyber environment. The number of Internet connected devices per person is increasing which will drive an exponential growth rate for total connected devices. And of course, a growing percentage of these devices will be mobile (on person or in-vehicle), so devices will increasingly travel between jurisdictions, etc.
Just scaling the technology will be its own challenge, but we will need to ensure that as it scales we continue to think about how to maintain security and privacy. As a further complication, the services and data sets provisioned to these devices will be cross-sector (Financial, Health, Social, Personal etc.) and have a diverse set of security requirements and administrative domains.
Another challenge is the so-called Internet of things. There are many benefits to our consumer goods being connected. However, the product lifecycle can vary dramatically, up to decades for household appliances. Maintaining security over that timescale is daunting — will we be expected to do frequent security patches to our refrigerator? Our thermostats and lightbulbs?
One final issue to note, that of implanted devices. Sensors and chips implanted in our bodies sounds very futuristic, but it’s becoming more commonplace. And, to be most useful, they need to connect to the outside world in some capacity. We will need to think carefully about how we manage and estimate security risks for devices that are located near vital organs, etc.
Of course, it bears repeating that, as we consider future challenges, our values don’t shift with changing technology. We will still be committed to protecting freedom of expression online. We will still look to promote a secure Internet. New technology might force us to think about how we do those things, but we won’t be starting from square one.
I’d also like to address the impact of how evolving technologies might affect state to state interactions.
The United States is among many states now giving thoughtful consideration to what national and international strategies hold the most promise to effectively manage these diverse threats such that the international community can enjoy the full benefit of stable, reliable, globally-connected networks.
The nature of the technology is such that is it difficult to control. And the rapidly changing nature of the technology means that such difficulties are likely to persist. So, a better approach than attempting to control the technology is to forge consensus and promote active international collaboration on a series of mutually reinforcing cooperative strategies that together address the transnational nature of the various threats to networked information systems.
I also should mention one way that we’re attempting to tackle these issues is to begin to create a framework of principles of expected state behavior. One important piece of this is the applicability of international law to cyberspace, including human rights law. This fact is the basis for much of the FOC’s work. All states should affirm this basic reality.
We are also exploring potential voluntary measures that states could adopt to restrain themselves in cyberspace, with the goal of promoting a more stable cyberspace that makes us all safer. The trick here is developing enduring principles that are ‘future proofed’ for rapidly developing technology.
So, those are some perspectives on the challenges I’m paying attention to, and how states might work to address future challenges. But, I’m not a technologist. I’d like to hear from this community what direction you think the technology is going and what we should be focused on.
