Defending the Cyber Frontlines

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Okay. Hi, everyone, my name is Ravi Agrawal. I'm the Editor-in-Chief of Foreign Policy magazine and the host of FP Live. And I want to welcome all of you for joining us here. And also a warm welcome to our livestream audience watching this around the world live and later on demand.

So this is a session titled Defending the Cyber Frontlines.

There are many conflicts, of course, going on around the world right now. And a crucial component of that is the cyber domain, whether it's cyber biothreats, attacks on critical infrastructure, disruptions to supply chains, it's safe to say that we need better rules, we need better systems and safeguards to make sure that for all the advances we're making in connecting the world, it doesn't get out of hand.

Let me quickly introduce our terrific panel here.

Andrius Kubilius is the European Commissioner for Space and Defence. He served as Prime Minister of Lithuania as well.

Mirjana Egger is the President of the ICRC, the Red Cross.

To her left, Joe Kaeser is the Chairman of Siemens Energy.

To his left, Matthew Prince, the CEO of Cloudflare.

And finally, Samir Saran, the President of ORF, a think-tank in India.

Matthew, let me start with you. At Cloudflare, you have a bird's-eye view of how companies operate. Just give us a quick sense of how geopolitics and tensions there are affecting how companies are thinking about security.

Matthew Prince, Co-Founder and CEO, Cloudflare

Absolutely. So Cloudflare, our mission is to help build a better internet. And a big part of that is security. A huge percentage of the internet sits behind Cloudflare, and every day we're stopping over 220 billion attacks against our customers. And so we are absolutely on the front lines of seeing what's going on.

And what I can say is that whenever there is conflict in the political space, whether that's kinetic war or even just conflict within nations, we almost always see cyber conflict follow along with that. And so whatever you're seeing in the pictures on the news know that in cyberspace, a war is raging at the exact same time.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

And so global conflict has increased, physical terms of cyber has increased alongside it.

Matthew Prince, Co-Founder and CEO, Cloudflare

That's absolutely correct. And so when we saw in 2022, Russia invade Ukraine, unfortunately, ahead of that, back in December of 2021, we were already seeing the cyber conflicts start where there was probing and other things which we were able to detect and then look at and warn the Ukrainians and fortunately be able to get in front of a lot of their critical infrastructure and protect them, make sure they can stay online.

As we see conflict in Israel and Gaza, similar things happen where both sides are actually launching attacks at each other's infrastructure in order to disable their communication systems and make it so that they can't get their message and their story out to the rest of the world. So cyber is definitely one of the critical aspects of conflict around the world, and we see it go hand in hand with any kinetic conflict which is going on that we might see in the news.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Joe, similarly, you were CEO of Siemens for many years. Now you're Chairman of Siemens Energy. Just sketch out quickly how you see businesses having to change their strategy because of cyberattacks.

Joe Kaeser, Chairman of the Supervisory Board, Siemens Energy

I look at the whole cyberspace is opportunity and threat all together for, for us as a company, all three of them. And then we mean opportunity because our acting critical infrastructure. So that means customers, utilities they come to us and say can you help us protect the grid, can you help us protect turbines and have a supply chain. So there's opportunity to do some business out of that.

But it's a threat because we are obviously supplying critical infrastructure. We are the target because we are very early in the value chain. So we have been stepping up our efforts quite a lot to better help with conflicts like Cloudflare. So it's a constant struggle and I'm afraid we are only at the beginning.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Mirjana, wherever there is conflict, the Red Cross tends to be there. How has cyber changed your operations in the last decade or so?

Mirjana Spoljaric Egger, President, International Committee of the Red Cross (ICRC)

In a very dominating way. There's no conflict where cyber doesn't play an important role. And this is also the reason why we spend so much time with it. There are cyber operations that target civilian infrastructure, and that has a huge impact on the humanitarian fallout that comes with conflict. They attack energy, water, hospitals, health facilities, but they also attack communication systems or sometimes communication systems are disabled to prevent cyberattacks, which has an impact on the protection of civilians because they rely on information to know where their family members are, to know where to evacuate and to know where they can possibly be safe.

So if you deactivate communication, you harm the civilians that are already under threat. And then last, but not least, we are under attack as the International Committee of the Red Cross. We undergo daily cyberattacks that we have to protect ourselves from. And this is why we partner with nonprofit organizations, private sector companies, that help us employ the technology that we need in order to protect our data, our personnel, etc..

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

So we sketched out the problems. I'm going to push us all towards solutions now. Commissioner Kubilius, let me bring you in here. There are two components really that I want to push you on. One, how do governments improve their defences? And then, two, how do you then build norms and rules that they actually follow?

Andrius Kubilius, Commissioner for Defence and Space, European Commission

Well, thanks a lot. Yes, you know, I have this responsibility, Commissioner for Defence and Space, and it touches also, of course, cybersecurity, not just, you know, military things. I can tell you that in my so-called mission letter, which, you know, all of us as commissioners, we got on the first days, I have a lot of tasks on, on defence, on space, but also I have the task to develop so-called defence projects of common European interest, starting from air defence shield.

And the next one is cyber defence shield. So it means that, you know, on the European Union level and Commission, we understand very well what are, what are the threats. I can tell you now, just cyberattacks since the end of 23 till, you know, 20 during the whole 24 year registered cyber incidents, the number is around 11,000 in the European Union. Next, of course, we see that, you know, there are not only cyberattacks, but also attacks on, on communications and on communication cables, telecommunication cables, internet communication cables like in Baltic Sea and other places. So we are really we, we see all those threats in a very clear picture.

Now what we can do as European Union as Commission, of course we can you know, try to convince member states to be better prepared because of course, cyber defence goes on, on national level. And yes, we are introducing you know standards through our regulations. Standards, both on security, electronic equipment and on security of institutions, how they need to defend themselves. It's symbolic since the first document, which we approved in the new commission was exactly devoted to cybersecurity of hospitals in European Union, because that is what we see as a threat.

Second, of course, what we are trying to do is to, is to create systems of coordination which would allow us to better survey what is happening, to have systems which would allow in the member states and institutions to exchange information on or in order to prevent the spread of some attacks. And the last one, really what we know, what we are attempting to do is to create special, you know, what we call rapid reaction teams, which would help in our member states if they are if they had a threat.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Samir, you know one of the strange things about the world right now is there's a general sense of impunity, you know. Countries feel like they can test the boundaries of international law and get away with it. There's also a sense that, well, you know, everyone has their own double standards, so why do the rules matter anyway? You add in cyber here and it feels like the Wild West. What should we do?

Samir Saran, President, Observer Research Foundation (ORF)

See you know, for example, the Commissioner was in some ways trying to respond to your question about norms and rules. Those norms exist. We have a UNGGE¹ that many years ago agreed that thou shalt not attack critical infrastructure. We should not undermine facilities like you just listed. And yet we worry about them and yet everyone follows them in breach. So in a sense every enterprise for profit, nonprofit, social enterprise, essential enterprise, everything is fair game today. And in some sense, the cyber frontlines are universal.

Everyone, including you and me, are part of that frontline. And we are under threat today and let's be honest about it. There is nothing that the Commissioner can do or you can do or I can do. We are all fair game. Businesses are fair game. In fact, let me just tell you that the day the Americans and Europeans decided to cancel business operations and the media operations and digital operations in Russia, they have in fact ensured that those businesses are seen as adversaries. So in some sense, they are no longer transnational corporations. They are corporations that serve a side, that serve a side to a conflict. And they are all open to attacks and they are all open to being, to being targeted in some sense. So that's a very interesting space we are in.

But second point, I think five years ago, if we were having this conversation and I remember Matthew and we were all in a room some years ago, we were worrying about the weaponization of cyberspace and cyber weapons being vulnerable to two things: the weaponization of the space and the cyber weapons that governments are developing and non-state actors are developing. Those weapons are out there now.

Whereas in the last 40 years, we have seen a spectacular deployment of cyber weapons, in fact, dramatically advertised by blowing up pagers, using the manipulation of systems by, by the Israeli agencies embedded with Hezbollah. We have seen Stuxnet² looks mild. Then the Americans melted the Iranian reactor using, you know, the first big cyber virus that was spread through conventional means. It looks mild compared to what we have seen Ukrainians do in Russia, aided and abetted by Western, sophisticated technologies.

So in many ways, all those cyber weapons that we were worried would come out into the open are out there. And once you have used them against adversity, remember, some of them did not work. And those become prototypes for further development by now, non-state actors and commercial actors to actually build really credible interference tools, and then add AI to it and amateurs with AI are cyber soldiers. Amateurs plus AI is equal to a real cyber soldier. And I think, think about that.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

So this always happens at Davos, by the way, when we push towards solutions, we present more problems. So I'm going to hold us to it. But Matthew jump in.

Matthew Prince, Co-Founder and CEO, Cloudflare

I would say, though, that I think the big puzzle of the last three years, you know I was on a panel about three years ago, right as the Ukrainian-Russian conflict was, was exploding. And I predicted that we were going to see a massive increase in cyberattacks. And what surprised me, is it hasn't happened. And the question is why? And I think part of it is that there is a little bit of fear that once you use it, it's gone. And secondly, once you use the weapon, then, then it's very hard to use it again. That's the first thing.

And then the second thing is there's a bit of fear, I think, at least among the Russians, of sort of a old nuclear concern, which is there's a mutually-assured destruction. The Russian infrastructure is every bit, if not more vulnerable, to cyberattacks. And the fear is that, in fact, there's been less attacks against the US than they're having in some much smaller countries in Europe.

And the question again is why? And I think that, again, this fear of mutually-assured destruction, that if, if the Russians launched larger attacks against the US, that the US would be a very capable of coming back and shutting down the Russian infrastructure. I think that's what's helped.

Samir Saran, President, Observer Research Foundation (ORF)

I think that the deterrence effect that's happened here. But look, I was very careful. I said Ukrainian attacks in Russia. I never said Russian attacks on Western targets. It's actually Russia who has been at the receiving end. I'm just worried that when you are throwing weapons at the Russians and you think that, you know, we have kind of pinned them in a cyber corner. They are collecting all those weapons. They are also learning. And what I'm trying to say is you're building, you're building an adversarial arsenal that at some point will be innovated upon and deployed. So I have not we have not seen the end of this, uh...this...

Matthew Prince, Co-Founder and CEO, Cloudflare

I think that the place where the place to look to that is the most worrying is the series of through the typhoon attacks, the Salt Typhoon and other attacks that China has placed, which are the first time I have seen typically Chinese cyberattacks have been about taking intellectual property. These are attacks where it is not clear what the underlying purpose is.

It appears that they are front positioning themselves for something in the future, putting themselves into telecommunications infrastructure in order to, if there has to be a conflict in the future. And again I think that is the most worrying trend that I've seen over the last three years. Whereas I would have predicted it would be much more around what we've seen in the Ukraine, Russia.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

I want to pick up on just one part of that, Joe, with you. The point that Samir raised about companies seen as having taken sides. Are you finding that, you know, if you pull out of, let's say, Russia, that you're fair game in a way that you wouldn't have been before?

Joe Kaeser, Chairman of the Supervisory Board, Siemens Energy

Well, look, yeah it always depends on what the country and the issue is I will come back to something else which goes into the similar direction. Stuxnet. One of the most worrisome topics, I believe, for private sector companies. If you get into friendly fire. If you get into friendly fire. If your products, your services are being used by state actors to do something that they believe is good. Stuxnet, you know, they cracked our source code for the PLC³ and...

Samir Saran, President, Observer Research Foundation (ORF)

Digital controllers were compromised.

Joe Kaeser, Chairman of the Supervisory Board, Siemens Energy

We knew, we knew who it was because we were looking at the map and saw and the actors were starting to try and edit the code. So we saw from the time difference that it was a concerted action between East Coast and some of the Red Sea area. And then the good news was it took them almost four days to crack our source code, so that was good for us because we knew that’s a safe thing to do.

But the issue was, I mean that PLC was not just part of a less critical component in the nuclear power plant. It was also in the cooling system. I think about it. A Siemens device, you know will eventually be reported responsible for a nuclear meltdown. And then I was talking that I was CEO at the time. I was obviously, when we knew sort of what's going on, you never really know.

So I went to that special embassy building and I said look, talk to the ambassador, I said look, this is not going to be a good idea. So next time, would you want to maybe tell us? We'd be happy to help you. But this is a bad idea, and he said, well, we don't know what you're talking about. Is there anything else I can help you with? And I said, okay, thank you very much.

Samir Saran, President, Observer Research Foundation (ORF)

Anyways, the hilarious thing was...

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

See, this is a real issue this friendly fire.

Samir Saran, President, Observer Research Foundation (ORF)

India and Indonesia were the most affected country by the Stuxnet virus. They were all upgrading their systems post that attack because the Siemens digital controllers, PLCs were being deployed and used extensively in these countries. So I'm just telling you.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Yeah, yeah, yeah. So there's an interesting component here. Just to take the, the idea of deterrence, you know and with sort of with nuclear weapons, you know, the game of deterrence is a game for big players. And that's why it creates a world of haves and have nots. That Mirjana, what about the have nots? I mean, if if you don't have deterrence, then how do you survive in a world where you're not able to stop anyone from acting against you because you have nothing to act back with.

Mirjana Spoljaric Egger, President, International Committee of the Red Cross (ICRC)

Based on the destruction and the experiences and the total destruction that we also saw during the Second World War, states came together and created the so-called Geneva Conventions in 1949, introducing principles like distinction and proportionality, because the majority of states don't have the self-defence potential through weapon systems that only a handful have. So they rely on the universal agreement and all states ratified these agreements that there will be a distinction between private and public and official and unofficial and civilians and weapons bearers.

Now, this comes under threat with the new technologies, because what we see now, especially in the context of Ukraine, Russia, but also in the Middle East, increasingly is the blurring of the lines, the impossibility to apply distinction between civilians and, and armies or defence systems because you have the so-called hackers or you have civilians through app systems to come in support of armies. So are they part of the weapons bearers or are they still civilians enjoying specific protections?

And similarly, what you call friendly fire, we call it a blurring of the lines also for the private sector, because if your services are actively employed and if parts of your company supports certain of these actions conducted by civilians, you de facto also get drawn into a conflict and lose the protective mechanisms that were created and that states still apply to at least to a certain extent. And that's your only guarantee, because there's no world police, there's no superpower going to shield you, unless it’s the law.

Joe Kaeser, Chairman of the Supervisory Board, Siemens Energy

There's not even an understanding that the cyber attack is occurring. And you will probably never get that trained understanding because the state actors are mutually adverse to such a thing. But that should be a general set of rules, you know? Cyber attack is a crime. That would be a good start. Then a set of rules, how we manage that would be another way.

And one of the single most relevant topics to us in the private sector is, you know, we don't find enough good people to help us in that space. I mean of course, we’ve got companies. Yeah, it’s one of the single biggest issues on the whole cyber topic, is how to find qualified people to help us defend our company and our customers assets. And so therefore we’re talking solutions.

Maybe we need to pep up education on that area to help us with more qualified people so that we understand what questions we need to ask for the experts to help us. Because if you don't give them, you know what you need to achieve, it's very hard to find a solution.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Well for everyone on livestream Joe Kaeser is hiring. Commissioner. This blurring of lines...

Joe Kaeser, Chairman of the Supervisory Board, Siemens Energy

15,000 people...

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

50,000 people? Ok!

Joe Kaeser, Chairman of the Supervisory Board, Siemens Energy

15

Samir Saran, President, Observer Research Foundation (ORF)

Cyber warriors!

Joe Kaeser, Chairman of the Supervisory Board, Siemens Energy

Next three years old. Not all on cyber warriors.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

This is WEF meets LinkedIn. Commissioner, this deblurring, the blurring of the lines that, that Mirjana was pointing out, how do you reimpose the lines? And you're again, in a world where even in physical wars, the lines are blurred, and we know where they are in conflicts everywhere.

Andrius Kubilius, Commissioner for Defence and Space, European Commission

Well, first of all, really skills are, as we understand, the big challenge everywhere you know. I hear, you know, from common complaints from defence industry, from space industry, that you know there is lack of, of qualified people. And that's why, you know, Commission President Ursula von der Leyen created Vice-President position for skills, because that is in Europe, it looks like it's becoming a big problem. Now on, on blurring the lines. I think that, you know, still well, I am Defence Commissioner and I'm, I'm looking into, you know, some kind of defence logic.

But I see really an issue for us at least, you know, my generation, maybe, you know, my sons and my grandkids, they understand in a different way. But still, we are living when we are talking about defence in some way in the 20^th century, you know, understanding defence means, you know, you need to have tanks, artillery and so on, and so on, which is really not the case anymore. I don't know how much you were following, you know, developments and discussions about among experts of defence since Crimea occupation.

At that time, it was very popular to speak about so-called Gerasimov Doctrine, Russian military offensive doctrine, which was created by the, you know, top General, and which speaks about very simple things that, you know, in 21^st century the war and offensive will be, you know in some way, what we can call total. I mean, it starts from very simple things, from propaganda, from you know, influence on social media. Then, you know, all the sabotage acts, cyberattacks. And it ends, you know, with real military things. So for, for Russians in their, you know, at least what I understand for them, there is no difference in between of different tools which they're using now in this what is called new generation warfare.

So my point is very simple. If there is, you know, new generation warfare, we need to have new generation defence. Which means that, again, we need to take every thing, you know, into account. Sometimes I'm complaining that, you know, well, maybe our education from 20th century, makes us you know, to look into... for us, it's easier to see how we can defend ourselves against conventional war when we are talking about, you know, either cyberattacks or propaganda attacks.

You know, it's much more difficult to see what instruments, you know, we can use in order to defend ourselves. That's, that's an issue. That's an issue what we’re talking here and I, I agree absolutely, you know, that really deterrence is crucial. The question is, you know, what kind of means we can have for deterrence. And the here again, you know, the benefit is to try to look for solutions in a collective way.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

So on that, I just yeah, I'm going to take us away from the cyber domain for one minute and then we'll come back to cyber. You know, Europeans often talk about alliances and partnerships. You just did. The United States is always the elephant in the room, and this week especially so. What happens if Trump actually tries to invade Greenland? I mean, what happens to that relationship? This is exactly your domain. So how would you respond?

Andrius Kubilius, Commissioner for Defence and Space, European Commission

Yeah. Well, you know, how do you say... *laughing*

Samir Saran, President, Observer Research Foundation (ORF)

Is there an Article five?

Andrius Kubilius, Commissioner for Defence and Space, European Commission

I will ask the Commissioner to answer that question. We still did not discuss some kind of those issues. But, well, first of all, of course, we are following, you know, and Denmark is part of European Union. Of course, you know, as we understand, they have some kind of conversations. And, you know, we should support always Denmark.

No, that's not the case because you know what, we really what we need to see in a real way, not like Greenland you know, issue, when we're talking about, you know, defence, we need to see two timeframes. One is urgent, which is related with Russia, Russian war against Ukraine and what can come. And and there are a lot of predictions that, you know, Russia can be ready.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Respectfully you are dodging the question, but are you taking it seriously, the threat?

Samir Saran, President, Observer Research Foundation (ORF)

Out of the syllabus Ravi.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Out of the syllabus, but are you taking the threat seriously?

Andrius Kubilius, Commissioner for Defence and Space, European Commission

Threat? Which one?

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Trump’s (issue).

Andrius Kubilius, Commissioner for Defence and Space, European Commission

No, I see Trump, for example, his recent statements on Russia, as very important and very strong. So, you know, I don't know how he'll play.

Joe Kaeser, Chairman of the Supervisory Board, Siemens Energy

But the argument of Greenland is also very strong, so...

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Thank you for saying that.

Andrius Kubilius, Commissioner for Defence and Space, European Commission

Let's, you know, let's wait for actions.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Okay. Okay. Let's bring us back to cyber, as promised. Matthew, when you hear there's a skills gap, there is on the government side a real sense of, you know, call for new tools to be able to combat what's coming at them, how do you fill those gaps?

Matthew Prince, Co-Founder and CEO, Cloudflare

So, so I think the first thing is and we've always thought this is important, that public-private partnerships make a ton of sense. We have the people with the skills to be able to defend, and that's why we provide our services at no cost to organizations like the Red Cross. We provide our services at no cost through what we call the Athenian Project to protect democracies, both in the United States and increasingly around the rest of the world. And we think that, that's actually part of our mission.

One of the things I think is, is a challenge for us is there's a real tension between sort of the idea of digital sovereignty and the idea of a collective defence. So, for instance, a lot of countries around the world are saying, we want to be able to defend ourselves. We don't want to rely on anyone else. And I'll give an example in the US, which is the US has a series of requirements that if you're protecting government, that the machines, the physical hardware that protects the government has to be resident inside the United States, has to be managed by US citizens.

On the surface, that makes some sense. But I sat down and I said, okay so we get a giant denial of service attack, gets launched out of China. You want me to import that into the United States before I stop it, as opposed to stopping it out at the edge of the network, stopping out where we are. And to the US’s credit, they're like, yeah, you're right, that doesn't make a lot of sense. But as I see around the world, more and more countries say we're going to go our own way. We're only going to use our own national systems.

That makes cyber defence much harder because at the, at the end of the day, whoever has the most data, whoever has the most information, is the one who wins in these conflicts. And so, cooperation, cross global, between public and private organizations is absolutely critical if we're going to defeat the enemies here.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

But of course, we're more fragmented than we've been in decades globally. Samir, just pushing us towards some solutions in the last few minutes we have, you know, if you were to recommend countries and, you know, the corporate sector as well to adopt a few steps to, to be better prepared for cyberattacks, what would they be?

Samir Saran, President, Observer Research Foundation (ORF)

I think Matthew's got it right. I would just have one variation. You're not defending democracy. Let's try and let's not try and mix 50 things into a very simple task in front of us, which is to protect our digital infrastructure and digital society. So it doesn't matter what kind of community you come from, everyone is entitled to the same standard of protection. That's what the Geneva Convention says. It doesn't matter whether you're a communist country or a democratic country, you're entitled to the same.

So what we really need is to first remove our cultural agendas from a from, a from a safety and security agenda. Otherwise, you lose people. Right? Because you use that Athenian Project to also interfere in your fellow democracy. Elon Musk wants to change the government of Germany today because he doesn't like the German democracy as it exists today. So let's not mix culture with the strategic objective of securing our digital future. So I think, first of all, let’s...

Matthew Prince, Co-Founder and CEO, Cloudflare

So, let me just be totally clear. We were happy to protect any, any organization that's out there. The Athenian Project is specifically set up because when you do have voting, you have to actually be able to trust the voting.

Samir Saran, President, Observer Research Foundation (ORF)

I am following that project, I get it.

Matthew Prince, Co-Founder and CEO, Cloudflare

So, this isn't a philosophical case.

Samir Saran, President, Observer Research Foundation (ORF)

All I'm saying, all I’m saying is that the political establishment of all regimes should be respected. So if you want your elections not to be interfered with, then don’t call for revolutions in ten other parts of the world, in Latin America and Europe. My point here is if you want political respect for your systems, you have to respect other political systems as well. You're not the wisest people in the world. Let others decide their own political outcomes.

Let's look at the functional element of protecting digital spaces and therefore, then norms work. The problem with getting a global agreement on norms and rules for cyberspace was that you always infused it with cultural and political agendas, which was not useful. And therefore we should look at, I'm not saying we should not defend democracy.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Yeah, I think that's a very valid intervention.

Samir Saran, President, Observer Research Foundation (ORF)

Defending democracy is a separate topic. But again, I agree with Matthew, don't let it enter your country. I mean, look, you can stop TikTok. Do you understand what I’m trying to say? You can ban TikTok. We banned TikTok, we’re not poorer. We are as crazy as before. You know, we never lost, we didn’t lose our craziness.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

That’s right, India banned TikTok in 22.

Samir Saran, President, Observer Research Foundation (ORF)

We love reels! And we are as crazy on reels as you are on TikTok! But you know, my point here is that at least the Chinese are not gaining our system and they're not publishing certain content during our elections, versus other content. So what I’m trying to say is we can defend democracy differently. Now let's look at the critical infrastructure that needs to be protected. And all countries need equal guarantees.

Joe Kaeser, Chairman of the Supervisory Board, Siemens Energy

But that isn't exactly the issue which we are talking about. Come back to what you said earlier with the generational topic. If you, you know, if tanks are going into a territory, it will be noticed quickly, yeah? Because of the territorial nature. The whole cyberspace is extraterritorial in nature. It doesn't really matter, you know, from what place you're going to do this. So it's extraterritorial. It's outside the boundary of what humans, you know, human history has actually defined the integrity of borders. So it's not above it. That makes it too complicated.

So at the end of the day, how, how would you tackle that? You would tackle it in a way that you've got a global agreement, you know, a set of rules, everybody adheres to it. Ha ha! Right? And that's impossible because there are different interests of different territorial players. And that's a real issue. That's not just cyber, it's a whole matter of propaganda and impacting people and impacting democracies, extraterritorial in nature.

Matthew Prince, Co-Founder and CEO, Cloudflare

And it's and again, I think norms are incredibly important and agreements are incredibly important. But in order for them to happen, you have to have visibility first. And the fact that we don't know what's going on, clearly, that attribution is hard, that it, that the North Koreans pretend to be the Iranians or the Iranians pretend to be the Russians like that, that makes it extremely difficult for us to get there. So I think step one is get visibility and after you have visibility, then norms are more important.

Mirjana Spoljaric Egger, President, International Committee of the Red Cross (ICRC)

The norms exist. The norms exist!

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

They’re just not being followed.

Mirjana Spoljaric Egger, President, International Committee of the Red Cross (ICRC)

Don’t pretend they’re not possible even for cyber, because international humanitarian law enshrines the principles that are valid in all religions, societies, everywhere. It's the minimum standard in warfare. They apply 100% to the cyberspace. They exist. They just need to be applied. Now, there are areas where you have to look into developing additional norms because they don't fulfill your protection needs.

And that's an area that we can discuss but don't have the time for, it’s autonomous weapons system. But anything below, anything that concerns cyberattacks, even on your companies, is covered by international conventions. You just need to apply it.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

Commissioner, how do you do that?

Andrius Kubilius, Commissioner for Defence and Space, European Commission

You know, we see very clearly the situation. Norms are followed by, let's say, normal democracies. But norms are not followed by some, you know, aggressive countries or, you know, some groups and so on and so on.

Samir Saran, President, Observer Research Foundation (ORF)

I disagree completely. Democratic countries have shown absolute entrepreneurial energy to use them against adversities and better. And they are better at misusing it.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

I think Samir is making the point I’m going to make.

Samir Saran, President, Observer Research Foundation (ORF)

I mean, let’s be honest here. I'm coming from the most vibrant one. And I'm telling you, if we have the ability to, to use it, we will. So I do not defend democracies as being some virtual saints here. We have seen democracies flout norms often. And the United States and Europe have been champions in it.

Andrius Kubilius, Commissioner for Defence and Space, European Commission

Yeah, okay, good. By the way, we're jumping into another you know, topic, but well, I am not so sure that, you know, when we're talking about the norms and the ability for us to know to convince everybody to follow the norms that this isn't exactly a solution, which of course that would be ideal solution. That we’re writing the norms and then everybody is following them.

You know, we are facing different, you know, development. We need to understand, we have freedoms, like information freedom, like communication freedom, like election freedom, you know. Some guys, bad guys are using our freedoms for, you know, for very bad purposes. That's, that's a reality, you know, and, and that's what's, you know, you continue with my, my, my topics that you know one thing is territorial occupation.

But we see very clearly that with all that, you know, what I called new generation warfare, which goes from propaganda to real war. You know, adversaries are trying, first of all, to occupy the hearts and minds of our people. And this is much more difficult to defend if you are, yeah, that’s the issue.

Samir Saran, President, Observer Research Foundation (ORF)

Make sure, we have agreement. We have to defend democracy by using the simple principle of reciprocity. If the Chinese don't allow us to post on their social media, they should not be allowed to post on ours. Reciprocity should be the principle of the digital future.

If we allow their embassies in our country, we should be allowed our embassies in theirs. The same is true for the digital spaces. If they prevail in ours, we must prevail in theirs, and that is to the deterrence, without which it will be a perverse and asymmetric field.

Ravi Agrawal, Editor-in-Chief, Foreign Policy Group

You know, and with that, we're out of time. It's kind of magical that we have disagreement and then agreement, but such, you know, that's what happens when you bring a good panel together. Thank you to all of you for joining us. Thanks for watching wherever you are. We'll see you later.

--------------------------------

Footnotes

1 – United Nations Group of Governmental Experts on Information Security (UNGGE).

2 – Stuxnet, a malicious computer worm first uncovered in 2010.

3 – Programmable Logic Controller (PLC).