Punit Renjen

The EastWest Institute is an international, non-partisan, not-for-profit policy organization focused on confronting critical challenges that endanger peace. EWI was established in 1980 as a catalyst to build trust, develop leadership, and promote collaboration for positive change. The institute has offices in New York, Brussels, Moscow and Washington, D.C.

For more information about the EastWest Institute or this publication, please contact:

The EastWest Institute 11 East 26th Street, 20th Floor New York, NY 10010 U.S.A. 1-212-824-4100 [email protected] www.ewi.info SUMMIT CO-SPONSOR

SUMMIT PARTNERS

SUMMIT PRIVATE SECTOR PARTNERS

TIER 1

TIER 2

TIER 3

MEDIA PARTNERS PARTNER

3 Building Trust in Cyberspace

The EastWest Institute is tackling the need to protect Internet users and secure critical infrastructure. From Dallas and London to New Delhi and Silicon Valley, EWI is addressing the challenges triggered by the explosion of new technologies.

Google data center 4 Building Trust in Cyberspace

5 n the span of three years, the global challenge—one that cannot magnitude of the cybersecurity be solved by a single company or problem has grown exponentially. "What we have country on its own. That is why the IEach day brings headlines of new now learned over EastWest Institute launched the breaches, resulting in staggering Worldwide Cybersecurity Initia- losses. Some are purely criminal in the last 10 or 20 tive, bringing together government nature, while others involve far more and corporate partners to protect complex schemes of cyber espio- years, is that you the world’s digital infrastructure. nage and cyber sabotage. We live in Experts from across the globe an age when hundreds of viruses— cannot assume agree that progress in cybersecu- with names like Stuxnet, Flame trust. That is why rity will only be achieved through and Shamoon—are threatening to trust-building among nations and wreak havoc on both the private we’re dealing between the private and public sec- and public sectors across the globe. tors. With a 30-year history of trust- Most fundamentally, such actions with a persistent building that dates back to the Cold are undermining international trust problem of War era, EWI is uniquely positioned at every level. criminality, theft to propel that effort. Former U.S. Secretary of Home- To do so, EWI began hosting annual land Security Michael Chertoff, a of intellectual Worldwide Cybersecurity Summits, member of EWI’s board of directors, property and even kick-starting an ongoing process to summed up the cybersecurity prob- propose solutions to specific problem this way: “What we have now efforts to sabotage lems. The first summit, “Protecting learned over the last 10 or 20 years, the Digital Economy,” took place is that you cannot assume trust. or damage our in 2010 in Dallas where a broad That is why we’re dealing with a per- infrastructure spectrum of experts from the United sistent problem of criminality, theft States, Russia, China, India and of intellectual property and even using the Internet.” other nations discussed the limita- efforts to sabotage or damage our tions of current cyber legislation and infrastructure using the Internet.” identified top priorities for the EWI - Michael Chertoff cybersecurity agenda. The top six All of which underscores the point issues: protecting undersea cable that securing cyberspace is a infrastructure; priority international-

Above, from the top: 6 Dallas 2010, London 2011, New Delhi 2012 ROGUCCI International Global Pathways to Summit, Cybersecurity, 1st Worldwide Dubai Brussels Cybersecurity Summit, Dallas 2009 2010

Global Cyber Deterrence Rights and Responsibilities in Cyberspace: Balancing the Need for Security and Liberty The Cybersecurity Agenda: Mobilizing for International Action Cyber Crime Legal Working Group

Working Towards Rules for Governing Cyber Critical Youth and Conflict: Rendering Terminology Technology Russia, the the Geneva and Foundations Forum on Digital United States, Hague Conventions in Citizenship, NYC and Cyber Cyberspace Diplomacy 2011

Protecting the Digital Economy ROGUCCI Seminars: Beijing, Brussels, Hong Kong, Honolulu, EWI Advises Congressional London, Moscow, New Delhi, Cybersecurity Caucus, Fighting New York, Paris and Washington Washington, D.C. Spam to Build Trust

India and the United States: Pathways Mobilizing for 2nd Worldwide Youth to International International Cybersecurity Congress Collaboration on Action Summit, London on Digital Cybersecurity, Citizenship, New Delhi London

2012

The Internet Mobilizing for Health Model for Cybersecurity International Action

Priority Follow this timeline for a quick International overview of the steps taken by Communications Cyber EWI to strengthen cybersecurity, Detente Between the bringing together private United States and public partners from key and China countries around the world.

3rd Worldwide Cybersecurity Summit, New Delhi

2013 Report titles are in italics. 7 communications; conflict policy and “The Next Billion Netizens Connect” rules of engagement; cybersecurity was the theme of EWI’s third summit breach information sharing; ICT in 2012 in New Delhi, which contin- development/supply chain integrity; Experts from ued this process. This location under- and emergency response coordina- scores India's rapid emergence as a tion capability. across the globe key player on cybersecurity issues.

The Dallas summit launched a series agree that prog- Three breakthrough groups were of breakthrough groups—small ress in cyberse- chosen for the New Delhi summit in international groups of experts com- consultation with the Indian govern- mitted to addressing specific cyber- curity will only be ment and private sector leaders: ICT security threats. It also resulted in development/supply chain integrity; new Track 2 bilateral processes with achieved through the role of international companies experts from the United States and trust-building in cloud computing and storage; and Russia to develop “rules of the road” payload security. At the New Delhi for cyber conflicts, and experts among nations summit, leading Indian and Chinese from the United States and China cyber experts declared their com- to produce joint recommendations and between the mitment to increased cooperation for fighting spam and botnets. Such private and pub- between their two countries, particu- processes continue throughout the larly between their Computer Emer- year—culminating at the summits lic sectors. With gency Readiness Teams (CERTs). where the next practical steps are This offered a concrete example of mapped out. a 30-year history the kind of trust-building EWI is work- of trust-building ing to promote. The London summit in 2011, “Mobi- lizing for International Action,” built that dates back to EWI has already begun planning for on the work of the Dallas summit, its fourth summit, to be held in Sili- with meetings of existing break- the Cold War era, con Valley in November 2013. It will through groups and informal op- EWI is uniquely be called the 4th Worldwide Cyberse- portunities for cross-sector collabo- curity Trustbuilding Summit—and will ration. Specific recommendations positioned to pro- bring together innovators with global were advanced for international leaders to address cross-border chal- connectivity and emegency pre- pel that effort. lenges. From Dallas to London to New paredness of the financial services Delhi and Silicon Valley, the search sector. for practical solutions continues.

Above: “Where The Internet Lives," Google data center 8 Delivering Solutions

The chart and select examples below show the progress on EWI’s cybersecurity recommendations to date. The institute considers a recommendation as having entered the implementation stage when the first “required commitments” are made and “next steps” taken. It moves to the “institutionalization” stage when private companies, governments or NGOs have integrated the recommendation into their work to achieve sustainability.

2010-12: Fighting Spam and Botnets In 2010, EWI as- Recommendations sembled a group of Chinese 30 27 produced and American experts to devise recommendations for eliminating spam, still a major source of computer viruses. M3AAWG, a key partner on this project, is in 52% the process of bringing the 14 Implemented two recommendations and 46 best practices to India’s government and Internet service providers to spur transnational cooperation 26% on the issue. 20 7 Institutionalized

Reliability of Global Undersea Communications Cable Infrastructure (ROGUCCI) Undersea communications cables are responsible for carrying over 99 percent of all international Internet traffic. Due in part to EWI’s work in the field, India’s government has committed to achieving best-in-class performance for authorizing the repair of these cables. Under new policies, repair time will be reduced from 12 weeks to a few days. 10

Measuring the Cybersecurity Problem In 2013, EWI will advocate for the establishment of an independent, trusted entity to receive reports on private sector cybersecurity breaches. Once companies have committed to contributing information anonymously, this entity will be able to establish benchmarks, delivering the clearest picture yet of the cybersecurity problem.

* Projection 2010 2011 2012 2013* 9 New Delhi 2012

At the 3rd Worldwide Cybersecurity Summit in New Delhi, more than 300 participants from 22 countries heard from an impressive international line-up of cyber experts and policy strategists from both the private and public sectors.

10 New Delhi 2012

11 he focus of the New Delhi ment of Telecommunications—not summit was on areas where only participated in the summit but international cooperation is "It is no longer also helped frame key issues on the Tvital—and the vulnerabilities a question agenda. In addition, the EastWest pose serious risks. EastWest Insti- Institute partnered with the Na- tute President John Mroz declared: of a nation tional Association of Software and “We are here for a purpose—to build Service Companies (NASSCOM), trust and find solutions together.” He protecting its the Federation of Indian Chambers pointed out that the two previous an- of Commerce and Industry (FICCI) nual summits in Dallas and London own security; and the Data Security Council of have led to the implementation of 52 it’s a question India (DSCI), which sponsored three percent of the 27 recommendations breakthrough groups. The topics that came out of those consulta- of the global were chosen in consultation with the tions. “This is a process, not just a Indian government and private sec- conference,” he added. community tor leaders. protecting The conference’s location was no ac- Kapil Sibal, India’s Minister for cident. “We are all in the room today itself. India Communications and Information because we recognize that India is an Technology, appealed for “a global essential partner on cybersecurity,” pledges to work agreement” on how to protect the said Ross Perot, Jr., chairman of the with the global key infrastructure of the digital EastWest Institute. world. Pointing out that for the first community.” time in human history everyone is High-ranking Indian officials—among operating from the same platform, them, Deputy National Security Sibal declared: “It is no longer a Advisor Latha Reddy and Secretary - Kapil Sibal question of a nation protecting its R. Chandrashekhar of the Depart- own security; it’s a question of the

Above, from left: 12 Kapil Sibal, India's Minister for Communications and IT; EWI Chairman Ross Perot, Jr.; EWI President and CEO John Edwin Mroz; Punit Renjen, Chairman of the Board, Deloitte LLP global community protecting itself.” more metrics in this area,” she said, He called for a new understanding arguing that without such informa- about what constitutes cyber crime tion much of the spending on cyber- and how to combat it, including the security could prove ineffective. idea of empowering “cyber justices” in the future who would adjudicate “EWI has In his concluding keynote address, such cases. “India pledges to work Deloitte’s Indian-born Chairman of with the global community,” he certainly the Board Punit Renjen commended added. EWI’s decision to hold the summit in provided New Delhi. “India has a cyber vision While there were mixed reactions leadership that is grand and it is bold,” he said, to Sibal’s proposals, most partici- pointing to the way the Internet has pants agreed that the rapid pace of by serving lifted millions from poverty. But he technological change has triggered also noted that most of the popula- a corresponding leap in exposure to as a catalyst tion still lacks connectivity, and cyber vulnerabilities that can be exploited for collective crime is already taking a heavy toll, by cyber criminals. But some with an estimated $6 billion in an- proposed solutions have also raised transnational nual losses in India and $400 billion fears about government intrusion worldwide. “Right now it seems that that could threaten privacy and indi- action.” the bad guys are winning,” he said. vidual freedoms. “This is a great, great challenge; Erin Nealy Cox, Executive Managing - Punit Renjen that’s why these summits are so Director at Stroz Friedberg, pointed important,” Renjen continued. “EWI out that companies often lack basic has certainly provided leadership by information on the cybersecurity serving as a catalyst for collective problems they face. “CEOs need transnational action.”

13 “I think we’re entering an age of interdependence. More and more, nations of the world are becoming dependent on each other, with economies, with security, with opportunities. An industrial age has moved into an information age, and now we’re going into an interdependence age. Not one country or one company can solve the issues of cybersecurity alone.”

Harry D. Raduege, Jr. “We like to use the term that we Lt. General (Ret.), Chairman, ‘leapfrogged’ in technology, because Deloitte Center for Cyber in a sense our whole industrial Innovation revolution has been compressed into 60 years, what other countries took 100, 200, 250 years to do. We started off with almost no industry when we became independent in 1947, except for a textile industry, which had actually been driven into the ground by the introduction of a lot of imported textiles. So we really had to start from scratch. Particularly with the IT technology, cyber technology, we did leapfrog.”

Latha Reddy Deputy National Security Advisor, India

14 “Just imagine how the world and society would function if every three to five minutes, our cell phones would ring. Today, we are aware of spam whenever we open our mailbox; a good 30 to 40 percent is spam, despite the special filters that are applied. Imagine what could happen if it were to occur on the voice side: we’d all go mad.”

J. Satyanarayana Secretary, Department of Electronics and IT, Ministry of Communications and IT, India

“We had very good talks with Dr. Rai on how to improve “The more you frighten people, the cooperation between less people will use technology that China and India's computer drives the economy forward.” emergency response teams. We can help each other to John Suffolk stop the threats.” Global Cyber Security Officer, Huawei Zhou Yonglin Director, Internet Society of China

15 "Cyberspace is not a lawless space, but a space where laws do apply and where there are constraints on state behavior. That’s one part of “We have to act it. The second part is the practical fast to catch up to things we can do to build better the development of confidence, better transparency, hacking technology.” better cooperation and, ultimately, better stability. The point here is to Toru Nakaya avoid conflict and to make sure that Director-General, conflict doesn’t benefit any state." Institute for Information and Communications Christopher Painter Policy (IICP), Ministry Coordinator for Cyber Issues, U.S. of Internal Affairs and Department of State Communications, Japan

“I think private sector CEOs need more metrics in this area. One would agree that a CEO would not be making a sound decision if he just went on his own sense of whether he was making profits, or he felt like his return on investment was good. He’s going to want to rely on solid metrics, and I think in the area of cybersecurity and risk, we ought to expect metrics as well.”

Erin Nealy Cox Executive Managing Director, Stroz Friedberg

16 “I do believe that apart from having closed communication networks, which connect key people, it is important to be able to have a layer of priority communication in the public network.”

R. Chandrashekhar Secretary, Department of Telecommunications, Ministry of Communications and IT, India

“Will we become a rogue nation or will we become a cybersecurity superpower is really the question.”

Pradeep Gupta Chairman & Managing Director, Cyber Media (India) Ltd.

“Today’s cyber world calls for vigilance. It also demands that we move with urgency, because the challenges we’re facing are growing with both strength and velocity.”

Punit Renjen Chairman of the Board, Deloitte LLP

17 “We’ve seen considerable work moving forward in botnet mitigation and in helping to understand the issues involved in undersea cables, yet we still have a lot more to do. The other outcome that I want to highlight is the commitment to coming to the table. Having these vigorous conversations helps to drive awareness and will move the ball forward.”

Angela McKay Principal Security Strategist, Microsoft

"They say, ‘The more you sweat in peace the less you bleed in war.’ And cybersecurity is war. The point is how often have you rehearsed and practiced your incident response to be ready for combat? You’ve got to put all three contours of preventive, detective and corrective action across the domains of people, processes and technology."

Burgess Cooper Vice President & Chief Technology Security Officer, Vodafone India

“In order to achieve international cooperation we need to first focus on local efforts, awareness and local cooperation.”

Vartan Sarkissian CEO, Knightsbridge Cybersystems

18 Troubling Numbers Every year during the summit we poll our international participants about the current situation in cyberspace and what 93% needs to be done. Here are some of the results. THINK THAT THE CYBERSECURITY RISK IS HIGHER THAN ONE YEAR AGO

19 33% FEEL PROTECTED ONLINE

41% THINK THEIR ONLINE PRIVACY IS NOT SUFFICIENTLY PROTECTED

20 “We’re not looking for sudden, simple, single solutions. This has got to be incremental. I think we’ve got to avoid the seduction of that pursuit of the single but rather unattainable solution. So we need to build on existing legislation, recognizing the regional differences.”

Mike St. John-Green Former Deputy Director, Office of Cyber Security AND INFORMATION ASSURANCE, U.K.

"The second big driver for what we’re doing is how do we create a payment system which allows the government to accurately credit money or goods to people’s accounts in an unambiguously verifiable way. That’s all about making the use of public funds more efficient, more effective and more equitable."

Nandan Nilekani Chairman of the Unique Identification Authority of India

“Now that we’re on this train, I don’t think it’s possible to get off. The Internet is becoming so integrated into everybody’s life that I just don’t think escape or a return to a pre-Internet age is possible.”

John M. Howell Executive Director, IEEE Communications Society

21 “At the end of the day, most of the corporate leaders dramatically underestimate the threat and they don’t know what to do with that. In some cases the regulation is not there; in some cases they are basically squeezed between their budgets and balance sheets. In many cases, they think that whatever their CTOs are doing for the companies is more than enough.”

Armen Sarkissian Vice-Chairman, EastWest Institute; former prime minister of armenia

“There are four aspects “The challenge is to go from that are now shaping the individual personal relationships entire cyberspace. One is to a process that allows connectivity; the second for a continuous exchange is mobility; the third is the of important information social media, and the fourth as opposed to exceptional is consumerization.” exchange of information.”

Gulshan Rai Greg Shannon Director General, CERT India, Chief Scientist, CERT Program, Dept of Electronics & IT, India Carnegie Mellon University

“Insecurity in the cyber world comes in all forms and is perpetrated by all kinds of players.”

Maria Livanos Cattaui Former Secretary General, International Chamber of Commerce; Member, Board of Directors, EastWest Institute

22 50% THINK THAT CORPORATE BOARDS GROSSLY UNDERESTIMATE THE CYBERSECURITY PROBLEM

17% THINK THAT THEY ARE TOO CONFUSED

23 62% SAY THAT THEIR GOVERNMENTS ARE IN THE EARLY STAGES OF UNDERSTANDING THE CYBERSECURITY PROBLEM AND COMMITTING TO INTERNATIONAL COOPERATION

24 “If any issue consistently emerged from the cyber summit in Dallas, the summit in London and yesterday's outstanding summit activities, it’s the criticality of strong international cooperation, public and private, to drive the policy changes, the business process changes and multilateral agreements to improve cybersecurity.”

Bob Campbell CEO, Campbell Global Services; Member, Board of Directors, EastWest Institute

“Some of the points we have reflected in our Information “This summit process has proven Technology Act could effective in developing innovative actually become a global recommendations, seeing these yardstick or a point or recommendations implemented base on which all of the by major companies and international diplomacy governments, and then seeing their on cybersecurity can go recommendations institutionalized forward.” by long-term sustainable changes.” Subimal Vijay Bhargava Bhattacharjee President, IEEE Communications Country Head, Society General Dynamics

25 “One of our prominent speakers told me privately that his major worry is that one day we will cross a really difficult divide, and will confront a situation when people will die as a result of a cybersecurity attack. That could be a game changer of the worst type.”

John Edwin Mroz President and CEO, EastWest Institute

“If we knew better “Submarine cables are often overlooked, what cybersecurity but they are very critical and form part was and had a of the critical infrastructure. I think if you handle on it, then look at cybersecurity, if that’s the virtual I think we might gatekeeper of cyberspace, then the see that our submarine cable network is the physical understandings of it media that connects all that. Without would converge.” the submarine cable network, you don’t have the Internet and you don’t have Stuart cyberspace.” Goldman Chair (fmr), Dean Veverka ATIS Network Chairman, International Cable Protection Interoperability Committee (ICPC); Director Networks and Forum; Bell Labs Vice President Operations, Southern Cross Fellow (ret.) Cables Limited

26 55% DOUBT THAT THEIR COUNTRY CAN DEFEND ITSELF AGAINST SOPHISTICATED CYBER ATTACKS

27 WHAT KIND OF RULES SHOULD APPLY IN CYBERSPACE?

Is cyberspace a truly new society that deserves its own rules or an extension of the real world—and should most or all of its rules apply?

26% ALL NEW 40% RULES SOME NEW RULES 30% OLD RULES

28 “We really are operating in concentric circles. First, companies need to protect the data of their customers and themselves, and then around that is industry and, third, at a country-level. But these three circles are not enough, and the world has moved farther. I think global concentricity, where we are intersecting with what happens across the world, becomes even more important.”

“Technologically, Som Mittal cyberspace is without President, National Association of boundaries but the Software and Service Companies privacy issues are country- (NASSCOM) specific. The issues which may be very acceptable “In the area of theft of intellectual for open discussion in property and espionage, there’s been the U.S. may have their very little progress, and maybe it’s the own sensitivities in India. nature of that challenge. That there So the whole question is, isn’t likely to be very much progress how do you address all internationally because there are some these issues so that the strikingly different incentives that different stakeholders— operate across the globe.” government, regulators, service providers, civil Michael Chertoff society, the media— Chairman and Co-Founder, Chertoff have some common Group; Former U.S. Secretary of Homeland acceptance of Security; Member, Board of Directors, EWI cybersecurity?”

Arbind Prasad Director General, Federation of Indian Chambers of Commerce and Industry (FICCI)

29 Working Together

The institute's summit process is oriented around ongoing breakthrough groups, diverse collections of experts assigned to devise solutions to major cybersecurity challenges.

30 Working Together

31 he success of EWI's World- new vulnerabilities. While there is wide Cybersecurity Initiative much work underway (e.g., IEEE, is measured in part by the Cloud Security Alliance) to optimize Tpolicy breakthroughs made security within the constraints of in the interactive working sessions, distributed processing and storage, both during the summit meeting and fundamental issues at the core of in the follow-up activities throughout Agreements, the discussion remain unresolved. the year. Which policies apply to the data of standards, country A when managed by country The objective for each of the break- B? Will country A know if country X through groups is to have actionable policies and has its data? How? These and other recommendations for industry and recommendations questions have made many uneasy. government that, if implemented, Equally urgent are concerns about will have significant impact in mak- need to catch governments overreacting with ing cyberspace and the real world regulations that could stifle innova- safer, more stable and more secure. up to already tion or otherwise restrict freedoms. As in London and Dallas, the format introduced of the New Delhi summit included The answers to these and other new and continuing breakthrough innovative questions directly impact the safety, groups, immersing participants in security and integrity of phenomena interactive sessions with profes- services that like social networking, information sional peers from around the world. have befuddled leak posting, personal broadcasting Following consultation with the In- and tracking and profiling the online dian government and private sector government, behavior of netizens. Agreements, leaders, three new issues, discussed standards, policies and recommen- below, emerged as central areas of legal and social dations need to catch up to already focus at the New Delhi summit. paradigms. introduced innovative services that have befuddled government, legal Globally Distributed and social paradigms. Processing and Data This group builds on work that be- Storage (the "Cloud”) gan as an India-U.S. Track 2 bilateral, which put forth voluntary principles The transition to so-called “cloud” that multi-national companies style design and management should subscribe to when designing brings both new efficiencies and and operating “cloud” applications.

32 ICT Development/ Payload Security Supply Chain Integrity In a perfect world, the government Governments and businesses are can access the critical informa- unable to determine the integrity tion it needs in a timely manner of the hardware and software on to ensure national security and which they vitally depend for the As essential public welfare, while citizens and reliability and security of their criti- data now often private sector enterprises can enjoy cal operations. Major initiatives are cyberspace with safety, security and underway by national governments traverses privacy – i.e. freedom from being to improve their oversight of the needlessly observed or interrupted. technology responsible for national international Private sector network operators critical infrastructure as well as vital borders, and service providers should meet national security operations. The both needs in an efficient, reliable overwhelming majority of expertise the lack of and collaborative manner. However, and experience resides in the private neither government nor private sec- sector, where much of the hardware a common tor objectives are met adequately, and software design, development, understanding making the present state acceptable deployment and operation occur. to neither. Thus governments are typically at of the a substantial disadvantage, forced As essential data now often travers- to rely on the private sector for appropriate es international borders, the lack insights. That said, private sector rigor for its of a common understanding of the insight can be biased as a result of appropriate rigor for its protection commercial objectives hinging on protection and and access is a major obstacle for status quo approaches. everyone. This group builds on work access is a underway within India-U.S. Track 2 This group builds on work underway major obstacle bilateral talks to address gaps in within an India-U.S. Track 2 bilateral international policies affecting moni- and is working toward articulat- for everyone. toring and privacy. ing international principles for the integrity of ICT development/supply chains that may be otherwise overlooked or underemphasized within national initiatives.

33 Additional proposed by EWI’s report Priority as hospitals in cyberspace; this International Communications group seeks to devise means of ad- Breakthrough Groups (PIC): Staying Connected in Times dressing this potentially dangerous of Crisis. problem. Pursuing World Class Performance for International Emergency Preparedness Measuring the Connectivity: Timely Outage for the Financial Service Cybersecurity Problem Repairs for Global Undersea Sector in Cyberspace Producing the first worldwide, stan- Communications Cable Collaboration in the international dardized, high-level benchmarks for Infrastructure (GUCCI) financial services sector is impera- cybersecurity compromises is vital Applying the International Cable tive to prepare for future crises, in a world of increased complexity, Protection Committee’s best prac- such as sophisticated attacks that connectivity and criticality. tices for timely outage repairs of could occur in cyberspace. undersea cables is essential to both Stopping Cyberspace Pollution: maintaining stable international Dealing with the New Power International Cooperation on connectivity and restoring service Structure of Non-State Actors Fighing Spam and Botnets as soon as possible in the event of in Cyberspace Botnet creators and spammers an outage. Proactive measures are needed to have made their identities extreme- promote constructive cooperation ly difficult to uncover, their spam Harmonizing Legal Frameworks with non-state actors in cyber- messages more difficult to recog- Advancing non-partisan, objective space, and assure that the existing nize and needed countermeasures recommendations for potential prescribed instruction and training more difficult to apply. International new legal mechanisms is critical to regarding the Geneva and Hague cooperation and policy is crucial to combating cyber crime and cyber protections for civilians are suffi- effectively addressing the problem. attacks. cient in the event of cyber conflict. Implementing Public Health Priority International International Aspects of Critical Models for the Internet Communications: Strategy Infrastructure Protection In the face of mounting cyber for Implementation Despite relevant stipulations in the threats, international cooperation This breakthrough topic explores Geneva and Hague conventions, based on a global public health the steps the international com- there are currently no distinctive, model can improve device health munity must take towards imple- clearly visible markers for pro- and reduce security risks. menting the four recommendations tected humanitarian entities such

Above, from left: Dean Veverka, Chairman, International Cable Protection Committee (ICPC); Director Networks and Vice President 34 Operations, Southern Cross Cables Limited; Michael O’Reirdan, Chairman, M3AAWG; Distinguished Engineer, Comcast; Karl Frederick Rauscher, Chief Technology Officer and Distinguished Fellow, EastWest Institute; Stuart Goldman, Chair (fmr), ATIS Network Interoperability Forum; Bell Labs Fellow (ret.); Angela McKay, Principal Security Strategist, Microsoft New Ideas

The 3rd Worldwide Cybersecurity Summit provided an excellent opportunity for experts, stakeholders and decision-makers from industry, government and academia to review papers on the international policy-related aspects of cybersecurity.

Thirteen papers were presented and discussed on topics such as: the worldwide response to a cyber crises (e.g., priority international communications and trusted information sharing); global awareness and education (e.g., protecting youth, spam, and the private-public partnerships needed to secure the global economy); and worldwide governance, frameworks and protocols for day-to-day behavior in cyberspace, and responses to cyber conflict. All of the authors presented their papers at the Poster Session of the summit.

For a full list of presented papers visit the summit website at www.cybersummit2012.com. 35 “India's importance In the News in this domain can The 3rd Worldwide Cybersecurity Summit be judged from the made it to the front pages of major fact that, after the newspapers in India and attracted wide previous two editions media interest abroad. Here are some in London and Dallas, headlines and soundbites from the summit. Delhi will play host to the Third Worldwide Cybersecurity “Now, there are no bangs, no Summit.” explosions and no declarations of war, but cyber crimes can inflict just as much damage. Experts from the U.S. and India are meeting at a summit “'We have 1.2 billion people and will in Delhi to discuss vital be the largest in terms of population cybersecurity areas.” in the world in years to come. Cyber crime affects us perhaps much more than any other country in the world,' Telecom and IT Minister Kapil Sibal said on the sidelines of the 3rd Worldwide Cybersecurity Summit.” “'If we can figure this out here, it’s a massive business opportunity across the world,' Mr. Perot told India Real Time on the sidelines “John Suffolk, [Huawei]'s global of the EastWest Institute’s cybersecurity chief, told Reuters cyber security summit in at a cybersecurity conference in New Delhi Tuesday. The New Delhi that he was sending a EastWest Institute is a New team of engineers to talk to German York-based think tank that security researcher Felix Lindner, who focuses on issues of global has exposed vulnerabilities in the security and is chaired by company's routers, from its $100 home Mr. Perot.” Internet devices to multi-million dollar equipment.”

36 “Union Telecom Minister Kapil Sibal New Publications on Tuesday called for a global effort Two new EWI reports were released to coincide to fortify cyber security. Interacting with the convening of the New Delhi Summit. with reporters at the third Worldwide Cybersecurity Summit here, Sibal Priority International Communications said that such security is necessary During recent tragedies like Japan’s tsunami and nuclear melt- as online space doesn't have a down in 2011, the London bombings in 2005, and the 2008 boundary and information could Mumbai and 9/11 terrorist attacks, some critical communications failed to make it through congested networks. Priority In- travel miles, affecting or influencing ternational Communications (PIC) capability is needed to help prevent the loss of lives and property in such crisis situations. sensitive matters.” Based on inputs from leading telecommunications industry experts, this publication sets forth straightforward steps needed to set up an international capability for both government officials and private sector leaders. As emerging networks’ technologies and services continue to demand greater and greater bandwidth, these congestion scenarios will likely occur more frequently. “The global summit sought to bring Priority International Communications: Staying Connected in more stability and safety into the Times of Crises presents four actionable recommendations global cyberspace by identifying that, if implemented, would allow government-authorized users to communicate even when networks are jammed. These critical security areas and ways to authorized users include public or private sector individuals with critical roles in times of crises. They are critical infrastruc- address them.” ture operators (communications, energy, financial services and transportations); public safety officials (health care, local government, emergency management) and individuals with national security responsibilities.

Cyber Detente Between "While governments fear the United States and China crippling cyber-attacks on critical It’s no secret that the United States and China have a conten- tious relationship when it comes to their cyber capabilities infrastructures such as nuclear power and intentions. But according to Cyber Detente Between the United States and China: Shaping the Agenda, these two coun- plants and banking systems, citizens tries have common cyber concerns that could bring them to have smaller risks like identity theft the table to lay the groundwork for diplomatic exchanges and solutions, avoiding an escalation of aggressive strategies from and credit card fraud to grapple with. either country.

The recently concluded Worldwide The authors point out that through Track 2 processes some Cybersecurity Summit, held in Delhi, very useful preparatory work has already taken place. However, they argue that the diplomacy—both official and unofficial— has done well to throw some light needs to be more intense, to cover more concrete problems and to involve a larger number of people on both on the enormity of the challenge of sides, especially from the fighting this menace." military and private sector. The paper calls for a fresh appraisal of the impact of both countries’ military cyber policies.

37 Silicon Valley 2013

After holding its last two summits in London and New Delhi, the EastWest Institute will bring its cybersecurity summit series back to the United States in 2013 (November 4-6). Located at the epicenter of technology innovation, the Silicon Valley summit will drive intense, focused work on vital cybersecurity issues. As its new name indicates, the summit will feature a renewed emphasis on building trust among key players. This means bringing together private and public sector representatives of nations that normally are wary of each others’ cyber capabilities, planning and ambitions.

he United States, China, The Stanford Institute for Eco- Social Networking India, Russia, Israel and nomic Policy and Risks (SIEPR) is Policy Envelope many other countries will also set to host a special plenary The Internet’s future is now Tbe represented as the session and dinner on the second being envisioned and designed summit appoints three break- day of the summit at Stanford by innovators in Silicon Valley through groups, composed of University, providing a vibrant aca- and elsewhere, raising a whole government and private sector demic setting for the proceedings. host of new policy issues at the experts, to address: global level. How can existing and In addition to the breakthrough future policy gaps be addressed International Critical groups, the summit will feature in such a way that they will be Infrastructure Protection plenary sessions to address “future-proof”? And what will be As the global economy is vitally aspects of cybersecurity critically the role of the private sector and dependent on international critical hindered by distrust. They are: individual netizens in that future? infrastructures, what steps can be taken to secure their safe and Political Action Promoting In- When it comes to cybersecurity, resilient operation? ternational Cybersecurity policy continues to lag far behind Failure to pass effective cyberse- the pace of technological innova- Acts of Aggression curity legislation and the uproar tion. By bringing together repre- in Cyberspace over international bodies’ at- sentatives from the world’s great Viruses like Stuxnet and Flame tempts to regulate cyberspace are cyber powers to address these cracked open the door to new just some of the challenges facing critical issues, the EastWest Insti- possibilities for both state and policy makers today. tute is taking the lead in bridging non-state actors alike. How do that gap. these actions fit the paradigms of Industrial Espionage traditional conflict? Private sector firms are regu- Keep an eye on www.ewi.info to larly the victims of cyber crime. learn more about summit pro- Multinational Company Data However, concrete data on these gramming and registration. Handling Expectations breaches are largely absent, mak- How should policy gaps that arise ing it extremely difficult to devise from the misalignments of expec- effective solutions. tations from conflicting national Sign up laws, variations in procedures, etc. for summit be addressed? updates

38 SILICON 4th Worldwide Cybersecurity Silicon Valley 2013 VALLEY Trustbuilding 2013 Summit

“See something or say something," Eric Fischer Orange dots are locations of Flickr pictures, blue dots are locations of Twitter tweets. 39 White dots are locations that have been posted to both. EWI Board of Directors

OFFICE OF THE OFFICERS MEMBERS CHAIRMEN John Edwin Mroz (U.S.) Martti Ahtisaari (Finland) Ross Perot, Jr. (U.S.) President, Co-Founder & CEO Former Chairman Chairman EastWest Institute EastWest Institute EastWest Institute 2008 Nobel Peace Prize Laureate Chairman Mark Maletz (U.S.) Former President of Finland Hillwood Development Co. LLC Chair of the Executive Committee Board of Directors EastWest Institute Tewodros Ashenafi (Ethiopia) Dell Inc. Senior Fellow Chairman & CEO Harvard Business School Southwest Energy (HK) Ltd. Armen Sarkissian (Armenia) Vice Chairman R. William Ide III (U.S.) Jerald T. Baldridge (U.S.) EastWest Institute Counsel & Secretary Chairman President EastWest Institute Republic Energy Inc. Eurasia House International Partner Former Prime Minister of McKenna Long & Aldridge LLP Sir Peter Bonfield (U.K.) Armenia Chairman Leo Schenker (U.S.) NXP Semiconductors Treasurer EastWest Institute Matt Bross (U.S.) Senior Executive Vice President CEO Central National-Gottesman Inc. WBE Hong Kong

Robert N. Campbell III (U.S.) Vice Chairman (Retired) Deloitte LLP

Peter Castenfelt (U.K.) Chairman Archipelago Enterprises Ltd.

Maria Livanos Cattaui (Switzerland) Former Secretary-General International Chamber of Commerce

Mark Chandler (U.S.) Chairman & CEO Biophysical

40 EWI Board of Directors

Angela Chen (U.S.) Wolfgang Ischinger (Germany) Tsuneo Nishida (Japan) Founder and Managing Director Chairman Ambassador; Global Alliance Associates Munich Security Conference Permanent Representative Partner Global Head of of Japan to the U.N. Epoch Fund Governmental Affairs Allianz SE Ronald P. O’Hanley (U.S.) Michael Chertoff (U.S.) President,Asset Management Co-founder & Managing Principal Anurag Jain (India) and Corporate Services Chertoff Group Chairman Fidelity Invesments Laurus Edutech Pvt. Ltd. David Cohen (U.K.) Yousef Al Otaiba (U.A.E.) Chairman James L. Jones (U.S.) Ambassador F&C REIT Property Management Former U.S. National Security Embassy of the United Arab Advisor Emirates in Washington Joel Cowan (U.S.) Professor Haifa Al Kaylani (U.K.) Admiral (ret) William A. Owens Georgia Institute of Technology Founder & Chairperson (U.S.) Arab International Women’s Forum Chairman Addison Fischer (U.S.) AEA Holdings Asia Chairman & Co-Founder Zuhal Kurt (Turkey) Former Vice Chairman Planet Heritage Foundation CEO U.S. Joint Chiefs of Staff Kurt Enterprises Adel Ghazzawi (U.A.E.) Sarah Perot (U.S.) Founder Kevin McGovern (U.S.) Director & Co-Chair for CONEKTAS Chairman Development The Water Initiative Dallas Center for Performing Arts Stephen B. Heintz (U.S.) Co-Founder President SOBE Beverages Louise Richardson (U.S.) Rockefeller Brothers Fund Principal General (ret) T. Michael University of St. Andrews Emil Hubinak (Slovak Republic) Moseley (U.S.) Chairman & CEO Moseley and Associates, LLC John Rogers (U.S.) Logomotion Former Chief of Staff Managing Director United States Air Force Goldman Sachs & Co. John Hurley (U.S.) Managing Partner F. Francis Najafi (U.S.) Cavalry Asset Management CEO Pivotal Group

41 CO-FOUNDER DIRECTORS EMERITI

George F. Russell, Jr. (U.S.) Ira D. Wallach* (U.S.) Jan Krzysztof Bielecki (Poland) Former Chairman Former Chairman CEO EastWest Institute Central National-Gottesman Inc. Bank Polska Kasa Opieki S.A. Chairman Emeritus Co-Founder Former Prime Minister of Poland Russell Investment Group EastWest Institute Founder Emil Constantinescu (Romania) Russell 20-20 President CHAIRMEN EMERITI Institute for Regional Cooperation Ramzi H. Sanbar (U.K.) and Conflict Prevention (INCOR) Chairman Berthold Beitz (Germany) Former President of Romania SDC Group Inc. President Alfried Krupp von Bohlen William D. Dearstyne (U.S.) Ikram ul-Majeed Sehgal und Halbach-Stiftung Former Company Group Chairman (Pakistan) Johnson & Johnson Chairman Ivan T. Berend (Hungary) Security & Management Professor John W. Kluge* (U.S.) Services Ltd. University of California, Los Angeles Former Chairman of the Board Metromedia International Group Kanwal Sibal (India) Francis Finlay (U.K.) Former Foreign Secretary of India Former Chairman Maria-Pia Kothbauer Clay Finlay LLC (Liechtenstein) Henry J. Smith (U.S.) Ambassador CEO Hans-Dietrich Genscher Embassy of Liechtenstein to Bud Smith Organization Inc. (Germany) Austria, OSCE and the UN in Vienna Former Vice Chancellor & Minister Pierre Vimont (France) of Foreign Affairs William E. Murray* (U.S.) Executive Secretary General Former Chairman European External Action Service Donald M. Kendall (U.S.) The Samuel Freeman Trust Former Ambassador Former Chairman & CEO Embassy of the Republic of France PepsiCo. Inc. John J. Roberts (U.S.) in Washington, D.C. Senior Advisor Whitney MacMillan (U.S.) American International Group (AIG) Alexander Voloshin (Russia) Former Chairman & CEO Chairman of the Board Cargill Inc. Daniel Rose (U.S.) OJSC Uralkali Chairman Rose Associates Inc. Zhou Wenzhong (China) Secretary-General Mitchell I. Sonkin (U.S.) Boao Forum for Asia Managing Director MBIA Insurance Corporation

NON-BOARD COMMITTEE Thorvald Stoltenberg (Norway) MEMBERS President Norwegian Red Cross Laurent Roux (U.S.) Founder Liener Temerlin (U.S.) Gallatin Wealth Mangement, LLC Chairman Temerlin Consulting Hilton Smith, Jr. (U.S.) President & CEO John C. Whitehead (U.S.) East Bay Co., LTD Former Co-Chairman Goldman Sachs Former U.S. Deputy Secretary of State

* Deceased 42 India Summit Committee

Kapil Sibal Minister of Union for Communications and Information Technology Committee Chairman

PUBLIC SECTOR PRIVATE SECTOR

Sachin Pilot Virat Bhatia Minister of State for Communications and IT Chairman, FICCI Communications & Digital Economy Committee Milind Deora Minister of State for Communications and IT Anurag Jain Chairman, Laurus Edutech Pvt. Ltd. R. Chandrashekhar Secretary of the Department of Telecommunications, Sanjay Kapoor Ministry of Communications and IT CEO India & South Asia, Bharti Airtel

J. Satyanarayana Marten Pieters Secretary of the Department of Electronics and IT, CEO, Vodafone India Ministry of Communications and IT C.S. Rao B. K. Gairola President, Corporate Affairs and Regulatory Director General, National Informatics Centre (NIC) Reliance Communications Ltd.

Gulshan Rai Udayan Sen Director General, CERT India CEO and Managing Partner Deloitte Haskins & Sells Som Mittal President, National Association of Software and Service Companies (NASSCOM)

Nandan Nilekani Chairman, Unique Identification Authority of India (UIDAI) Head, Technology Advisory Group for Unique Projects (TAGUP)

Arbind Prasad Director General, Federation of Indian Chambers of Commerce and Industry (FICCI)

Kamlesh Bajaj CEO, Data Security Council of India (DSCI)

Dilip Chenoy CEO, National Skills Development Corporation

43 Founded in 1980, the EastWest Institute is a global, action-oriented think-and-do tank. EWI tackles the toughest international problems by:

Convening for discreet conversations representatives of institutions and nations that do not normally cooperate. EWI serves as a trusted global hub for back-channel “Track 2” diplomacy, and also organizes public forums to address peace and security issues.

Reframing issues to look for win-win solutions. Based on our special relations with Russia, China, the United States, Europe and other powers, EWI brings together disparate viewpoints to promote collaboration for positive change.

Mobilizing networks of key individuals from both the public and private sectors. EWI leverages its access to intellectual entrepreneurs and business and policy leaders around the world to defuse current conflicts and prevent future flare-ups.

The EastWest Institute is a non-partisan, 501(c)(3) nonprofit organization with offices in New York, Brussels and Moscow. Our fiercely guarded independence is ensured by the diversity of our international board of directors and our supporters.

EWI New York Center EWI Brussels Center 11 East 26th St. Rue de Trèves, 59-61 20th Floor Brussels 1040 New York, NY 10010 32-2-743-4610 1-212-824-4100

EWI Moscow Center EWI Washington Office Bolshaya Dmitrovka St. 7/5, 1069 Thomas Jefferson St. NW Building 1, 6th Floor Washington, DC 20007 Moscow 125009 1-202-492-0181 7-495-2347797 www.ewi.info