Moderator: Good morning everyone. Thank you for joining us. And thank you, a particular thank you to Deputy Assistant Secretary for Cyber and International Communications and Information Policy Robert Strayer. He will talk about U.S. perspectives on cyber security in regional and global policy, particularly news worthy given the overnight roll-out of the U.S. cyber strategy. Deputy Assistant Secretary Strayer is in Singapore to participate in the third ASEAN Ministerial Conference on Cyber Security and other events associated with Singapore International Cyber Week. And with that I’d like to turn it over to the Deputy Assistant Secretary.
Deputy Assistant Secretary Strayer: Thank you very much for those words of welcome. So I’m here, as Mary said in Singapore for the ASEAN ministerial cyber conference as well as for the Singapore International Cyber Week. One of the reasons that we place such a high importance in participating in conferences like this is that we want to share the U.S. vision for cyberspace and talk about how we can better coordinate on international security issues in cyber space as well work with countries directly on cyber capacity building and on confidence building measures in cyber space so that we can avoid the risk of escalation of a conflict that might have occur if there are misunderstandings in cyberspace.
There is tremendous economic growth from digital technologies that we’ve seen around the world in recent decades. Really it’s just three decades since the World Wide Web was officially rolled out, it has brought increased amounts of prosperity to people around the world. You know we’re only at about 3.8 billion users and there is probably another 4 billion users to come online. But we’ll going to continue to see tremendous amounts of economic growth because of the digital economy. In many ways the digital economy is the economy.
It’s hard to imagine any truly important national interests or business interests that are not in some way enabled or affected by digital technology. So we continue to see businesses using the Internet to either market goods or for monitoring their supply chains. And that goes not just for big businesses but to small and medium sized enterprises and to women-owned businesses and people at the lower end of the economic ladder. They are getting online and being able to participate in a digital economy. We also seen a tremendous amounts of opportunity created by the Internet from learning to the sharing of ideas to being able to participate in one’s democracy and governance. And as well as being able to share ideas — importantly as part of exercising fundamental human rights – to facilitating peaceful assembly and interacting with those that one wants to interact with.
So with that huge value of the Internet, we’re very concerned that there is an increasing persistent and disruptive cyberattacks occurring around the globe from a wide range of cyber actors. And I would say that in our international component of our recently rolled out National Cyber Strategy, the United States focuses on how we can strengthen cyber space to counter those malicious cyber actors, including nation states that we’ve seen acting in very irresponsible ways in the last couple of years in particular. We seek to work with other nations to coordinate a framework that will establish what are norms of responsible state behavior so it is understood what is responsible and what is irresponsible in cyberspace. In other words, what are the rules of the road. But we know that those rules themselves are not self-enforcing. And that some nation states may still seek to act outside of those norms to pursue interests in cyberspace that run counter to the rest of like-minded nations’ interests. Therefore we understand that we need to deter malicious behavior and we will seek to do so by joining with other countries in attribution and the imposition of consequences.
As part of those efforts we know that we know we need to coordinate closely with other governments. That is for two reasons really. We coordinate with others because it truly strengthens the message that we want to deliver about malicious cyber activity if we have others joining us in making that same attribution and same claim about malicious behavior. And secondly when we do seek to impose consequences on a malicious activity, a state acting in malicious ways, we amplify the consequences if more nations join in that consequences being delivered.
If I just may turn to ASEAN in particular, it is estimated in a recent study that over the next decade that there is likely to be $1 trillion dollars of additional gross domestic product growth attributable just to digital economic, digital technologies. But of course cyber, malicious cyber activities, and cyber attacks threaten that growth. And it’s also estimated in a similar study that 75 percent of those trillion dollars of gains could be put in jeopardy if cyber security threats are not addressed.
We came here to Singapore to talk with our partner countries in the region, the ten ASEAN countries. We are a Dialogue Partner to their efforts in ASEAN and the ASEAN ministerial – that I participated in and got to speak at – endorsed in principle 11 norms of responsible state behavior that we the United States, and a number of other countries, had advocated for a few of years.
These particular 11 norms for responsible state behavior include one that says nations should not attack critical infrastructure providing services to the public. We think it’s very important that that nation states recognize these rules of the road. So we are complimentary of the work of Singapore in leading the discussion here and in the work of those ASEAN states. So with those opening comments, I would be pleased to take any questions you might have.
ATT: Thank you ladies and gentlemen if you’d like to ask a question please press star then one of your touchtone phone. If you’re using a speaker phone please press the handset before pressing their numbers. Again star one if you’d like to ask a question.
Moderator: And Deputy Assistant Secretary Strayer we actually have our first question from a Cambodian press outlet Thmey Thmey. He would like to ask, “how do you view the current stage of ASEAN members capability in countering cyber security threats. What are your opinions on their abilities to counter those threats as well as what initiatives and actions is the U.S. administration undertaking to help ASEAN nations bolster their capacity to cope with cyber security challenges.”
Deputy Assistant Secretary Strayer: That’s a great question. All of us, including nations that have been on the Internet and have been working in the cyber field for many years and thinking about our cyber capabilities, can all improve our cyber security game. And unlike other areas and challenges that governments face, our adversaries in cyber space are learning from the responsive measures, protective measures that we take. So we constantly have to be on our toes in responding to the latest threats. We all need to think about cyber security and how we can share information about threats. We are very active in the United States in sharing threat information with other governments.
The things that we really emphasize or that we want governments to think about are how they can establish a Computer Emergency Response Team. Those are entities within governments – and some in the ASEAN have started to set those up – that can take threat information or see an incident that is happening and then take responsive measures. We also think is important to create a national cyber strategy, a strategy that can guide government efforts to prioritize action and then to set forth legal and technical policies that can nest under a cyber-strategy and to empower and make transformational changes to the cyber security posture within a country. And here it’s important that it not just be the government taking these steps but the government work with the private sector. As you may know, probably 90 percent of the infrastructure involved in the digital ecosystem is private-sector owned and operated so it’s important government work very closely with the private sector.
The United States has sought to empower regional organizations to do a lot of capacity building, in addition to the bilateral efforts that we do on cyber capacity building. I would just mention that we’ve started – with Singapore – what we call a Third-Country Training Program that actually covers other issue areas but in the last couple years we’ve been focusing on cybercrime, cyber security, and digital economy issues. Through that program we’ve trained many officials in ASEAN countries’ governments on those issue areas so we think that has been important outreach.
The other thing I wanted to mention is that on July 30 Secretary of State Pompeo announced that we are initiating a digital connectivity and cyber security partnership with an initial focus on the Indo-Pacific region. And while that program is just getting off the ground and we’ve only announced, we’ve initially announced 25 million dollars for that effort, the general notion is that we want to be able to work with governments to get more people online but we also want to ensure that as that infrastructure is rolled out that we’re ensuring that there’s good cybersecurity practices being put in place. And that there is good methodologies in place so that down the road there will be resiliency to their digital ecosystem in their countries. There are a number of ways we’re able to work with governments including as I mentioned regionally as well as bilaterally. We’re bringing officials to United States for training in some cases. We seek to share our best practices. And the amount of information sharing that’s occurring is much better than what it used to be and that’s an important thing that we continue to do.
The last thing I would mention is that there is a tremendous importance to deterring bad actors through enforcing criminal laws. So cyber-crime education is very important so countries developing prosecution and laws that they can get at the bad actors and then coordinating with other governments to go after them. You know a malicious actor can be anywhere in the world with their laptop or whatever device and seek to cause harm in another country. So it really is a shared risk around the world that we all need to be working together to address.
Moderator: Thank you so much and just a quick reminder please press star one on your phone if you would like to ask a question directly. Deputy Assistant Secretary the next question we have it comes from a German financial daily based in the region and he asked about “in Japan and South Korea we saw several hacks of crypto currency exchanges. Do you know why or do you have any thoughts on why crypto currency hacking is becoming popular particularly what happened in those two countries and who might be behind those activities.”
Deputy Assistant Secretary Strayer: Well I’m unfortunately not in a position to attribute those particular crypto currency hacks.
But I will say this separately that the United States is very concerned about the activity of IT workers from the DPRK. The DPRK’s cyber program has sought to take advantage of our worldwide financial system. We know they were behind the Bangladesh Central Bank heist where they derived $81 million dollars from Bangladesh.
We also know that IT workers in countries outside of the DPRK, that are DPRK citizens, can be complicit in that malicious cyber activity. So we are encouraging our partners, allies and others around the world to expel IT workers and close any joint information technology ventures with DPRK companies. I would add that anywhere there is a financial opportunity, a target of opportunity, there is a potential target of the DPRK because of the serious and substantial financial sanctions and other sanctions that we placed on them.
Moderator: And just a reminder again star one if you have any questions you’d like to ask. We have one more question in writing which is “what do you think, looking ahead, what do you think are the challenges that countries are not prepared for currently. What do you think is the next set of challenges on the cyber security front?”
Deputy Assistant Secretary Strayer: Great question. I think there’s a lot of debate out there. So let me just offer just one thought and that is as we continue to see evolving threats online we need to make sure that we’re truly sharing the best information with one another and able to take advantage of that information in a real time sense. That there’s not a delay in responding to those malicious activities.
From our Cyber Strategy that we’re releasing, released today, we highlight the threats we see from nation states to malicious state actors. So for in this region Wannacry, which was a malware North Korea deployed on the world that interrupted hospital operations in the United Kingdom and had debilitating effects around the world. So we also saw with the Russians with their NotPetya malware originally started with deployment in Ukraine but it quickly spread around the world attacking critical infrastructure, shipping, and drug production and other manufacturing, causing billions of dollars of damage. So the extent that we, we as the international community are not sending a clear message that that is unacceptable behavior, there is a real threat that it will continue. And we will continue to see disruptive attacks of that magnitude and concerning nature coming from other nation states. And so we need to work together in a collaborative fashion to articulate what we view as the norms of responsible state behavior and then to work together on imposing consequences on nations that act in contravention of those norms.
Moderator: Thank you so much. That is the last question I have in writing. Again star one on your phone if you’d like to ask a question directly. And if we don’t get any questions we’ll begin to wrap up. Deputy Assistant Secretary Strayer thank you so much for your time. Any if there are any final things you’d like to highlight from your time in Singapore. I know you said you had a lot of meetings on the agenda. And please go ahead. The floor is yours.
Deputy Assistant Secretary Strayer: Thank you. And thank you for all the reporters who stayed on the call for this twenty minutes or so.
Just to start where I began a little on the economic side of this. You know, we can, one takeaway I have from having met with so many governments here is the incredible importance they are placing on the digital economy, on facilitating Internet connectivity and preserving that Internet connectivity, the value and the viability of the Internet for current generations and future generations as a top national priority. In the United States we similarly have that view that we need to make it a top national priority to preserve the value of the Internet, not let it be degraded by nefarious actors. So we want to keep working with other governments in recognition of the fact that cyber threats can emanate anywhere in the world and instantly be within our own borders. We need to have collaborative processes and engagement in order to counter those cyber-attacks.
Moderator: Well I know you have to get back to meetings. Thank you so much for joining us today. We really appreciate the time and we hope you’ll maybe when you’re back in D.C. and as things develop on regional cooperation talk to reporters around the region again.