It’s a pleasure to be here today. I want to begin by thanking Georgetown University and Professor Catherine Lotrionte for hosting us. My office has been fortunate to participate in this conference for the last few years, and it is simply remarkable—and a testament to Catherine’s thoughtful leadership—how this annual event has grown since it was first held in 2011.
Last week, my office celebrated its third anniversary. It was an important milestone, and not only for my staff and me personally. When my office was set up three years ago, it was the first of its kind: an office dedicated to cyber diplomacy. The State Department recognized early on that this set of issues constituted a new foreign policy imperative. As we reached out to ask other states and nations to join us in working toward prosperity, security and openness in the cyber realm, the concept of cyber diplomacy was, at first, so new that we had to work hard to find counterparts in foreign governments to engage with.
One indicator of how quickly cyber issues have shot to the forefront of diplomatic agendas is how completely this has changed. Now there are offices dedicated to cyber diplomacy in foreign ministries throughout the world, and new ones being set up every year. Cyber issues are being discussed at every major international forum, and cyber diplomacy is increasingly seen by all states as essential to the conduct of their foreign policy.
A primary goal in the creation of the State Department’s Office of the Coordinator for Cyber Issues was to advance the objectives laid out in the White House International Strategy for Cyberspace, issued in May 2011. The International Strategy, the first of its kind in the world, articulates the U.S. vision of cyberspace as “a place where the norms of responsible, just, and peaceful conduct among states and people have begun to take hold,” and commits to “an international cyberspace policy that empowers the innovation that drives our economy and improves lives here and abroad.” Most important, the International Strategy reflects our conviction that if all the nations and peoples of the world are to reap the tremendous political, economic, and social benefits that cyberspace offers, cyberspace must be open, interoperable, secure, and reliable. This conviction is the basis for all our diplomatic efforts.
Of course, not all states share our vision. Some states see the open Internet as a threat to their stability, and they have sought to assert sovereign rights to inappropriately control content online. And the events of the past year have posed additional challenges. The unauthorized NSA disclosures have led some states to seek changes to the global Internet architecture that could lead to a fragmented “splinternet.” Nonetheless, we think that the same fundamental cyber policy principles that were important before the disclosures remain important now.
Our goal, now as when the International Strategy was released, is to work with that large community of like-minded governments and other stakeholders that support the notion of an open, interoperable, secure, and reliable Internet as the best way to reap the Internet’s economic and social benefits. The State Department is working to promote these principles in six areas:
The first is international security in cyberspace. We continue to work to develop a shared understanding about norms of acceptable state behavior in cyberspace, which will help enhance stability, ground foreign and defense policies, guide international partnerships, and help prevent the misunderstandings that lead to conflict. Even with the challenges of the last year, there have been significant accomplishments in this area:
The 2013 UN Group of Governmental Experts—a group of fifteen countries that included the United States, led by my deputy, Michele Markoff, as well as countries like Russia and China—reached a landmark consensus that the same international legal principles, such as the UN Charter and the law of state responsibility, that have promoted predictability and stability between states during conflict in the kinetic space apply equally in cyberspace. At the next UNGGE beginning in July, we will build on this important agreement and look more closely at how international law applies to state-on-state conduct in cyberspace. We will also seek to build agreement on additional norms of responsible state behavior, grounded in existing international law, that apply to the spectrum of cyber activity that falls below the use-of-force threshold.
The US has also led international efforts to establish practical cyber risk reduction and confidence building measures. We have worked through bilateral engagements toward reaching agreements on CBMS, designed to reduce the risk of escalation due to misunderstanding or miscalculation regarding a cyber incident of national security concern emanating from U.S. or another country’s territory. And in December, at the ministerial of the Organization for Security and Cooperation in Europe, we achieved an agreement among the 57 participating states for the first ever cyber CBMs for a multinational security organization. These measures seek to enhance interstate cooperation, transparency, predictability, and stability. Over the coming year at the OSCE we will work with the participating states to implement these initial CBMs while also developing additional cooperative measures. And we are also leading the development of cyber CBMs in other regional organizations, such as the ASEAN Regional Forum. We envision a future of greater stability and cooperation where all states are connected through these risk-reduction measures.
The second area where we work is Internet Governance. This is the emerging front in the struggle for openness in cyberspace. The United States and many others in the international community support the existing, inclusive multistakeholder model of Internet governance. Other states seek to establish intergovernmental oversight mechanisms for the technical management of Internet resources and operations. The politics of intergovernmental control would upend the currently successful model of governance, leaving non-governmental stakeholders disenfranchised. Any mechanism involving total government control over Internet policy would inevitably enshrine restrictive rules and regulations and help legitimize the kind of censorship and content control exercised by repressive regimes. The United States opposes these efforts to shift Internet governance to a top-down, intergovernmental model. As part of our efforts, we are working to promote more diverse representation by governments and other stakeholders at multi-stakeholder institutions, building multi-stakeholder capacity to participate in the process, and supporting efforts to further internationalize governance functions. We have also successfully opposed efforts to create a top-down, state-driven, UN-style mechanism for Internet management in venues like the ITU.
The third area is promoting Internet Freedom. In the past years, threats to internet freedom have grown, as a look at some of the independent reports out there, like those written by Freedom House or Reporters without Borders, clearly show. In fact, according to data from the OpenNet Initiative, 960 million Internet users live in countries that impose illegitimate restrictions on content—that’s 47% of all Internet users. For this reason, it is more important than ever that the U.S. Government continues work to ensure the ability of individuals worldwide to exercise their fundamental freedoms online. This involves: (1) promoting the existing consensus that international human rights obligations and commitments apply to online activity; (2) providing support for individuals facing repression online and bolstering civil society roles in Internet policymaking processes; and (3) encouraging companies to adopt practices and policies that respect human rights online. I am happy to say that we have had some important successes in recent years.
We were part of the core group of supporters of the 2012 UN Human Rights Council resolution 20/8, which affirmed that the rights that people have offline also apply online. The resolution was adopted by consensus and is now the clearest statement from the world’s governments in support of Internet freedom.
In addition, we were instrumental in the launch of the Freedom Online Coalition in 2011. This is a group of governments committed to taking concrete action in support of Internet freedom. The group has organized annual conferences to discuss pressing issues, and it also serves as a vehicle for coordinating efforts at international venues where there might be Internet Freedom implications. And the group is continuing to grow; since its launch it has expanded to include 21 governments, from all regions of the world.
The fourth area is combating the serious threat posed by the explosion in cybercrime, a topic near and dear to me from my previous life as a criminal prosecutor with the Department of Justice. Cybercrime is a metastasizing transnational scourge that has cost the global economy, by some estimates, billions of dollars, and has reduced public trust in the Internet. Some states believe that the answer to the cybercrime phenomena is to promote a new UN treaty, which would take years to negotiate, be unlikely to result in anything of greater utility than the Budapest Cybercrime Convention to which the U.S. and forty other countries are parties, and potentially sideline many ongoing and effective efforts to build international capacity to tackle high-tech crime. We believe the Budapest Convention provides a strong basis for our fight against cybercrime, while also protecting fundamental human rights. It identifies the three elements needed for effective cybercrime legislation, namely: (1) strong and harmonious substantive cybercrime laws; (2) comprehensive investigative tools for addressing high-tech crime and conducting digital forensics; and (3) effective mechanisms for both formal and informal international cooperation, like the G-8 24/7 Network.
Diplomatically, promoting accession to the Budapest Convention and participation in the G-8 24/7 Network is a key priority for the U.S. We are heartened to see regionally diverse countries like Japan, Australia, the Dominican Republic and Mauritius becoming parties to the Convention in the last two years, with many more countries – including Senegal, Colombia, Costa Rica, Morocco and Israel in the process of joining.
But we also recognize that many countries need help with this fight, and so we are strongly supporting capacity building efforts to enhance states’ ability to fight cybercrime and address the exponential growth in digital evidence in all criminal investigations. The State Department is working with our interagency partners such as the Departments of Justice and Commerce, as well as the private sector and key international partners and institutions to eliminate cybercrime havens wherever they may exist.
We firmly believe that the battle against transnational cybercrime is one we can and will win.
The fifth area is ensuring that nations perform their cybersecurity due diligence. Here, working closely with DHS as well as the rest of the interagency, we are strengthening relationships with other countries as we cooperate on cybersecurity issues of mutual concern. This includes efforts to enhance collaboration on network defense, incident management and recovery, and supporting the development of those capabilities where needed. It also involves enhancing participation in and strengthening of existing regional and global cybersecurity fora.
For example, the U.S. Government has provided a number of regional capacity building trainings to countries in eastern and western Africa in the last few years, and we plan to do more such trainings in the future.
We use our diplomatic engagements and other channels to emphasize the importance of good cybersecurity due diligence in our shared goals of a more secure and reliable cyberspace. The State Department has been a big supporter of greater international CERT-to-CERT cooperation and CERT experts are often a part of our international delegations. We also use our diplomatic channels to support DHS information sharing efforts, helping to draw the attention of foreign policy makers to the need for cooperation on specific cybersecurity threats of serious concern.
The final area is State’s work to promote the Internet, and cyberspace more generally, as an engine of economic growth. The Internet has proven to be a major catalyst for economic development around the world. The State Department is supporting efforts to bridge the digital divide so that an open, interoperable, secure and reliable Internet can be an engine for growth in even the poorest regions of the world. The State Department has provided support both through its diplomatic efforts and its support for the Alliance for Affordable Internet, a coordinated public-private-civil society voice advocating policy and regulatory best practices for expanding affordable access to the Internet. Moreover, USAID has also taken a lead in providing technical assistance and capacity building through its Global Broadband and Innovation Program and through its Mobile Solutions team in the Global Development Lab.
So, as I look back on the last three busy and at times challenging years, I feel comfortable that the U.S. Government is promoting the right vision for the future of cyber issues—one that like-minded countries around the world agree with, and one that will make the benefits of cyberspace—as we in the U.S. are fortunate enough to enjoy them right now—available to more and more of the people of the world. As we tackle the many opportunities that lie ahead, our commitment to the principles laid out in the International Strategy is one constant. The other constant is also articulated in the International Strategy, which notes that “international collaboration is more than a best practice; it is a first principle.”