Threat Talks - Your Gateway to Cybersecurity Insights

Cyber defense doesn’t just happen in code. It’s shaped in conversation. Behind every cyber norm or sanction, there’s a diplomat working to stop digital wars before they start.
 
In this episode of Threat Talks, Lieuwe Jan Koning (CTO & co-founder of ON2IT) sits down with Ernst Noorman, Ambassador at Large for Cyber Affairs for the Kingdom of the Netherlands. They reveal how backchannel talks, sanctions, and shared rules define what countries can and can’t do in cyberspace, and what CISOs can learn from a diplomat’s playbook. This isn’t patch management. It’s peacekeeping in real time.

What You’ll Learn (From Real-Life Example Discussions)
  • What a cyber ambassador actually does – and why every nation needs one.
  • How diplomacy helps prevent cyber conflicts between world powers.
  • Why UN-backed cyber norms matter even when nations ignore them.
  • How global collaboration builds cyber resilience, from Ukraine to Asia.
  • What businesses can learn from diplomats about cooperation and intelligence sharing.

  • (00:00 - 02:29) Intro
  • (02:29 - 03:46) What is the role of a cyber ambassador?
  • (03:46 - 09:13) What diplomacy achieves
  • (09:13 - 10:07) The US and cyber diplomacy
  • (10:07 - 11:51) Asian countries and their approach to cyber crime
  • (11:51 - 15:47) The five ‘don’t’s and eight ‘do’s’ at UN level
  • (15:47 - 19:52) What happens if someone violates a rule?
  • (19:52 - 21:09) Helping Ukraine with cyber resilience + the Tallinn mechanism
  • (21:09 - 23:01) Efforts against disinformation
  • (23:01 - 26:22) How to ensure information integrity
  • (26:22 - 29:12) What is the Brussels Effect?
  • (29:12 - 30:13) Common ground on worldwide subjects
  • (30:13 - 30:35) Treasure hunt
  • (30:35 - 34:51) Diplomacy and skepticism
  • (34:51 - 37:59) A European Splinternet - how realistic is this?
  • (37:59 - 39:07) The Cyber Resilience Act and China
  • (39:07 - 47:23) Initiatives to look forward to
  • (47:23 - 48:53) Outro

If this episode gave you a new view on global cybersecurity, subscribe to Threat Talks. Share it with your team – because in a connected world, every company plays a role in cyber peace.

What is Threat Talks - Your Gateway to Cybersecurity Insights?

Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.

We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.

Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!

The importance of cyber diplomacy.

Welcome to Threat Talks. My name is Lieuwe

Jan Koning and the subject of today
is all about the role of diplomacy

and especially cyber
diplomacy in the world.

Let's get on to it.

Welcome to Threat Talks.

Let's delve deep into the dynamic world
of cybersecurity.

Let me introduce my guest of the day
and I'm really thrilled he is here.

His name is Ernst Noorman.

And his current position is,
and I have to use my card for this,

The Ambassador at Large for Cyber Affairs
on behalf of the Kingdom of the Netherlands.

That's a lot.

And it is a lot.

And we’ll get into that in a minute.

Ernst has a long career in
international affairs, in diplomacy.

I mean, he's been in India, in Tanzania.

He played a crucial role in the
introduction of the euro currency.

That's a big feat.

And he's been the ambassador on behalf
of the Kingdom of the Netherlands

for Burkina Faso, Surinam, Colombia
and even Afghanistan during wartime.

And that is a tough job
being away from your family.

We can all imagine a little bit
how that must be.

So who else to talk to
if we want to know

the value of diplomacy and
what it brings to the world.

Ernst.

Welcome.
Thank you, Lieuwe.

This sounds like a very international job.

So how many countries
have you been traveling to this year?

This year so far, maybe,
well, around ten countries.

I went to Nigeria, India, United States,

and of course, Geneva, Paris,
Brussels, Berlin.

Just around.

And I will go tonight to Tokyo
and next week to Seoul.

And I can assure you that those
will not be my last trips this year.

I can imagine, yeah.

So you must have a strategy

that I want to learn about,
on how to cope with jet lag, then.

Yeah.

I mean, I just ignore it actually, that's
more or less what I do, just arrive

and do as if it's the normal time
and don't think too much about jet lag,

because then you start feeling very tired,
and, just ignore it.

That's my recipe, but I cannot give it
as a recipe to all of us.

Jet lag is an emotion and you can control
your emotions, right?

Some it bothers more than others.

Yeah, yeah.

Okay, so, you are the ambassador at large,
and that means that it's

not just one country,
that you are the ambassador of...

I mean, it's not like
you are in Afghanistan currently

and dealing with that country alone,
but it's with all the countries, but

on a specific subject.

Could you please explain what
the role of a cyber ambassador is?

Well, we have as a Ministry of Foreign Affairs,
which is actually Dutch government,

an international cyber strategy,
which has been formulated

together with all ministries
and the so-called stakeholder

community in the Netherlands,
to see what are our priorities.

And just very briefly,

I can say the first one is how to keep
the Netherlands safe, on cyber.

And we’ll go deeper into that by a part.

The second one
is how to protect our values

on the internet, like human
rights, democratic values.

And the third pillar is, how to
ensure good internet governance,

the basic layers of the internet,

and how to work together also there
with the multistakeholder community

and how to create and build capacity
on these subjects

in countries who do not have
a similar capacity as we have.

So that’s just in a nutshell, our policy.
That’s a lot. Yeah.

Before we dive into the specifics
of this role, I mentioned in the introduction,

you have a long history of diplomacy.

So you know very well
what the value of it is.

And, I think it's often overlooked.

If there was no diplomacy,
we would probably live

in a completely different world.

Could you, from your perspective,
tell us a little bit more about

what diplomacy achieves in general?

Diplomacy is basically connecting,
connecting countries, connecting people,

and also influencing.

We do not have diplomacy
to be amongst friends only.

I mean, that's very nice, to have meetings
with diplomats where you all agree.

No, it's also just with the countries
which you do not agree with, to connect,

to have exchanges of opinions
and to try to influence the others.

It's a lot of negotiations
also at the international level.

I just said, you know, how to keep
the Netherlands safe, on cyber.

So we have been negotiating
over the past years, the norms

on responsible state behavior
in cyberspace.

Now, those are very difficult negotiations
with different interests.

How to come to a consensus on that one?

And that's not just in the European Union or

with the United States and
Canada or so, but would involve

like China, maybe, maybe Russia,
and maybe... that's what you mean.

You know, we negotiate,
for instance, on the norms

on responsible state behavior
within the UN context.

So that means with all countries of
the UN, all member states, 193 countries.

So that includes China, Russia,
and other countries

which we normally do not sit
together with often or agree with.

So it's a unique forum.

It's a difficult forum.

Sometimes you have the feeling you do
one step forward and two steps back.

But it's a unique forum where we can sit
together and we work together within the

EU also to try to find common positions, to strengthen
our position during negotiations at the UN level.

We also involve, you know,
the views of the private sector,

academia, in getting our positions,
preparing our positions.

So it's not a position only of governments.

We, especially in the cyber world,
we wanted to do it as multistakeholder

as possible.

Yeah, you represent the whole
country, not just a bit of it.

And, you know,
cyber is especially a topic,

you as head of ON2IT, you know it

more even than I, it's not
only for the private sector.

It's not only academia, government,
but it's the whole of society.

How do we make sure we are safe?

Yeah. Yeah.

And diplomacy plays a crucial role,
in negotiating, in connecting,

making sure the other side understands
and you understand the other side.

I mean, it's a crucial part of negotiation
and try to influence the other side.

So it sounds a bit like there's
this personal connection

that you have with other countries
that are in a way, unique

and also maybe first point of entry.

So, if governments talk to each other...
Is the diplomacy... For whatever reason,

I mean, of course, we all see
when we are at the UN and the world

leaders are there, but they're only
there for a day or maybe two,

and they can never negotiate
among them all...

There has to be a lot of preparation.

Is that also part of the
diplomacy you think,

that you know each other's
points of view, so you can find

some kind of common ground?

Is that...?
Diplomacy is a continuous process.

I may go just for a few days
to New York, for instance.

But we have a permanent mission there,
and we have all our ambassadors

from the different countries
who meet each other continuously,

on the different subjects.

So it's not a just come in and then

leave again and see each
other months later again.

We try to also with cyber diplomats
around the world, we have 34

cyber diplomats, of course, the specialists also
in New York, but also one in Washington.

Now we have a new one in San Francisco.

So we work at different levels,
different platforms, try to influence

and make sure that others understand
our position in cyber diplomacy.

Yeah. Nobody knows.

Well, it's a reiterative process-

I'm sure that if I go to a birthday party

and I ask hey, how many people
are involved in cyber diplomacy

between the Netherlands
and the United States, for example,

not many people can tell.

Of course-
It's a lot, if I hear you.

Yes, we do have quite a bit of capacity.

We were actually one of also very early
adopters in cyber diplomacy.

We started, we had a big conference
on cyber in 2015.

You may remember that one.

It was, actually, still a lot of people
who attended that conference,

it was one of its first kind.

Still a lot of people talk about that.

And then we also started
the Foreign Affairs

with creating a task force on cyber,
having a cyber ambassador.

I'm the third one.

So we were quite early, at that stage.

And now you see lots of countries
having cyber ambassadors

or other names, cyber
envoy or whatever.

So because that means we can discuss it
to a higher level with each other

on these important topics, how to protect
ourselves against cyber attacks,

how to ensure that the cyber
space will remain

a secure space also for human rights
and democratic values.

And the fact that so many
countries are actually investing in

it, shows that it's actually
very useful, then, yeah.

The Netherlands
has historically been

one of the pioneers, as I understand
it, in the cyber diplomacy.

And what about the United States?

I think they've caught up quite well.

Oh, yeah. Yeah.

I mean, they were very active too, they created
a strong cyber bureau within the State Department.

And of course, it also has,
the State Department,

like we, we do not work in
isolation within the country.

They work with the National Security
Council with their intelligence,

like we do that the same here
as with our intelligence services,

with private sector companies,
academia, they do the same thing.

We were very much working together.

And at this moment, we are just watching
what's happening at the State Department

because they took apart, actually,
the Cyber Bureau and created new structures.

So the dust still has to settle
to really know

how our counterparts,
who our counterparts will be again.

Yeah, that's for the United States.

But, you see it all over the world,
in Asia for example.

They also work together, correct?

For us the Asian countries and India,
for instance, are extremely important partners.

In the Singapore International Cyber Week,
also very important for the private sector.

It's a great opportunity for me to meet
lots of countries from the region, to meet,

I'll have meetings with China also,
but also with Singapore, with

other Asian countries,
to discuss their priorities.

And also for us, for instance, to give
an example, attribution after a cyber

attack. We do that. We just actually
did it last week again with Salt

Typhoon, you may have seen that.

For other countries, that's a very tricky
issue, especially in the Asian region.

They don't want to be too open
about a cyber attack.

While they feel the threat,
they feel the threat.

They love to talk about cyber crime.

But a state actor, to address that,
to attribute that, is very difficult.

So we help- You mean, it's difficult for
a country to accuse another country,

because it's always really hard to prove.
It is very hard to prove.

I mean, just the one I
mentioned, Salt Typhoon,

and last year we did attribution, also again
to China with so-called COATHANGER.

It took a long time for
our intelligence, really,

to write the advisory,
to really detail what the ...

How the attack took place and
what you have to do against it.

But even if you have
that as an Asian country,

I mean, if China is your big neighbor,
you are very reluctant to do it.

So we help them say, well,
you can also do it in a technical way,

at least show that you have been attacked
and how it has harmed you.

So we have discussions on
how do we address

this issue on a diplomatic level,
but also a technical level.

But what's the value of this then?
That you can speak out

and what would it bring the Asian
countries or United States or Europe,

if you do that?

Well, first of all, we
agreed on the norms,

we have agreed on 11 different
norms at the UN level.

And that means that's also
China, Russia, North Korea,

they all agreed on these norms.

What are they about?
They are three ‘don't’s:

don't attack each other's critical infrastructure.
And eight ‘do’s’. Where it

also tells you to help other countries
if they request assistance

in solving a cyber attack,
you have to help them.

You have to protect your
own critical infrastructure.

You have to, human rights
online should be protected.

So those are 11 different norms.

Those are amazing things.

If the whole UN actually underwrites
those, that's amazing, right?

If you don't attack critical infrastructure,
I mean, apart from what actually happens

in the real world, we’ll probably talk about that
a little bit later, also, but it's, at least to agree on...

It sounds a bit like other parts
of international law that we have,

like the Geneva Convention or like the,
the treaties where you don't use cluster

bombs in warfare, it feels like
you're trying to establish

like a baseline, like rules that
everybody should abide by.

Absolutely. And quite successfully then,
because not attacking each other's

core infrastructure sounds great if
we could pull it off on a worldwide scale.

I must say it's very successful
in that we agreed on it.

Actually, we just finalized negotiations

in a working group, a so-called open-
ended working group in July.

We agreed on the final report.

And one of the important parts
of the international law,

that's agreed on, international law is
applicable also in cyberspace.

So international, offline
and online, applicable.

And all countries agreed on that.

It doesn't mean, as we all know, that there
are no attacks breaching these norms.

But at least you had then a basis also
to start a discussion with other countries.

Why are you doing it?

And then when we get back
to the example earlier

that an Asian country
is being attacked by China,

and they don't want to accuse them of it,
because they are so dependent on them,

that actually helps, because, hey, China,
you underwrote this thing:

what are you doing?

You're violating our agreement.

And attribution doesn't
always have to be publicly.

We also have indoor attribution.

You sit down and, you know, ‘we have
seen this’. Could also be for

criminal, cybercrime and that's
also a responsibility of a country:

they have to stop cybercrime.

Now if you see acts of cybercrime

in a country, you can do it also in
closed door sessions and also discuss

how can we assist you
in stopping the cybercrime?

I mean, it sounds all beautiful.

And I know a lot of people will be cynical.

Yeah, but all the cyber attacks continue.

But you never know what happened
if we didn't do the diplomacy.

If you didn't do it, and then you wouldn't have
a basis anyway to discuss it with each other.

And that we all.... Because in the end, everyone
also knows, we need the digital environment.

We created such a wide digital,

the whole trade system is also depending
on the digital environment.

If you deal with your customers,
it goes all through the internet

and you want to do it in a safe way.

And that applies also
to Chinese enterprises.

And for American and European enterprises.

So how can we protect our IP,
intellectual property?

How can we do it in a safe way?

Business with other countries,
without being attacked with ransomware?

Which is, of course, affecting all of us.

So, you create a basis for a negotiation
and talks with other countries.

What's the... I understand.

So you have this basic rule that we
all abide by, that we agree upon,

but then someone violates it,
and then let's say some Asian country

being attacked by China
then comes forward to China.

What's the effect of that?

It's impossible to measure, probably an
impossible question. But with all your years of

diplomacy, you must have a feel for what...
there must be a positive effect,

otherwise we wouldn't do all this, right?

Put all this effort in. Can you, is there
maybe an example to show, that

when you say to China, in this case,
hey, you attacked, Asian country,

foei, you shouldn’t do it.

Does it then mean that the next time,
or they apologize,

or the next time they
do it less or so,

is that; because that must be the goal.

That's in the end, the goal.

But right now, of course,
you still see attacks going on.

But you also see that China
doesn't like attributions.

So that's, you know, when we come up,
with attribution there’s always a reaction

and they say, you know, we are attacked,
we are actually a victim ourselves.

That's often their reaction that they say,
you know, we are being attacked

and we are a victim.

So at least, you know, you touch
a certain button, in the negotiations.

And, we also invited them in the past,
if you're attacked, please give us an advisory. Yeah.

We haven't received one. It would be nice.

We haven't received one.

But that's, of course, also...
With Russia, you see,

of course, we've been sanctioning also,
also cyber criminals.

That's really affecting cyber criminals.

They don't like these sanctions
where their funds are being blocked

outside Russia.
Ah, yeah, so if you violate the rules we all abide

by, that can be a ground for sanctions?
It can be a ground for sanctions.

And we all know that sanctions,

I mean, of course, we all want the sanction
to be much more effective, always.

Yeah. But they are really effective, right?

If there were no sanctions in the world,
the world would be a different place.

I think so, and that's why we discuss
also, you know, what kind of sanctions

could be effective.

We are doing that towards individuals.

That's, y’know, individuals don't like
to be sanctioned, because this limits

the possibility to travel,
that could freeze their bank accounts,

and especially with cyber criminals,
we have seen, also our partners

in Australia have seen,
that it really hurts these

cyber criminals, also because
then other cyber criminals

or criminals know that these
criminals have been very successful.

Yeah. Yeah.

So what you are working on is
laying out the foundation at least.

And then further down the line,
we will reap the benefits.

And it wouldn't be possible
without all these efforts.

Now, that's of course, our goal.
Our goal is to do it,

to try to influence
the other side and,

try to agree that we should create
a safe space in the digital domain.

But, you know, we’ve seen with conflicts
around the world, in the real world, it doesn't

mean that all international
is effective. As online,

there are limitations, but it doesn't mean
we should stand back or step back

from the rule based order, which we all,
you know, have been working on so hard

after the Second World War.

That was when we created
all this international law,

international humanitarian law
for countries to adhere to,

and if they don't, you know, it's been
discussed in the Security Council,

it's discussed at other levels
to try to correct countries.

Yeah, yeah. At least. Yeah. So then,
and it brought us years of prosperity,

at least in the rest of the world, right?
That there’s no wars,

I mean, wars are always expensive,
it’s on a grander scale a

stupid thing to do anyway.
And all these, the rules, whether it’s

on cyber or indeed on, the use of weapons or,
it really plays a positive role in this.

And that's what we're trying
to extend to cyber now.

Yeah.

I mean, just, you mentioned
since the Second World

War, of course, now we have the
conflict within Europe with Ukraine.

And our assistance on cyber
is also very big to

helping Ukraine to be more resilient
against all the cyber attacks.

And that's also an effort
not only of countries

but together with the private sector.

How can we protect the cyberspace-

Could that collaboration
exist without diplomacy?

So, Ukraine gets a lot of
intel from America,

from certain European National Security bodies,
could that exist without diplomacy?

I don't think so.

I mean, what we do is, as
diplomats, we've created

also the so-called Tallinn mechanism,
together with Ukraine.

Now 11 countries, helping Ukraine,
on the civilian side.

And there's a different mechanism
on the military cyberspace.

And there was an effort
from diplomats to help

to create a mechanism to help Ukraine
and the fact that Ukraine is still able

to pay the salaries, for instance,
through the banks- It’s thanks to that.

Yeah.

Throughout the conflict, that's still,
you know, with all the attacks,

we are still able to do that.

So it says - You’ve clearly answered
how important diplomacy is.

But still we haven't touched everything.

We talked about cyber a little.

But there's also the matter
of disinformation, for example,

that's also part of what you said
in the beginning.

What are the efforts there?

It's a big challenge.

We talk a lot about hybrid conflicts.

So, you know, the gray area,
you don't have a kinetic conflict,

a lot of sabotage.

It's not something new, that has
been happening all over again.

But also, you see a lot of
activity in the cyberspace.

Disinformation campaigns
to influence elections.

How can we address that?

It has been affecting-
[ ] I don’t know.

No, it's a challenge.

And that's why we launched
also an initiative

not only to look at disinformation,
how to debunk, because always

we talk about how to debunk
disinformation, but also how to protect

information integrity, because governments
also want to inform the citizens.

But how do you ensure that information
you spread then is received

by the citizen as true information.
And without [ ] alteration,

you sign the official facts.

So that's, I mean, that's a big discussion
right now with AI, of course.

And also, how do we know
it's not generated by AI, but still

true, the true source, which
tried to convey a message

to in this case, like I said, citizens,
but it would also be for companies.

They want to make sure

that if they have a certain information
campaign [that] is true, that's received.

So that's, we took initiative
with Canada and it’s now,

being discussed with the OECD,
the European

[Organization for Economic
Co-Operation and Development],

how to implement these agreements.
There are now 34 countries

working together, trying to
strengthen information

integrity, between citizens
and to citizens.

How then?

Because I think that’s an amazing
task to... Absolutely.

And that's why we don't sit
there as diplomats only together.

There was also last year visits then

especially to Silicon Valley to discuss
with the big tech companies;

how can you help us with this?

And you all, you know,
it's a very difficult discussion.

Also, you know, with
the present administration

in the United States, it’s not an easy
discussion, because they see the DSA,

for instance, the Digital Services Act,
as a threat to the big tech.

While we say, no, it's also
to protect the citizens.

And the big tech has an important role
to play in making sure

that the information on their
platforms is not false

and is not creating hatred.
Do Google and Facebook

have an ambassador at large

for these kind of things, that there's
a counterpart for you then?

It sounds like it's not just countries.

It’s then also the powerful companies.
You can say it’s certain companies,

Google and Meta, Microsoft especially they
have big government policy departments or

government affairs departments.

Everyone has different name for that
because they want to really be involved

with these discussions in conferences.

You see them, very often
also actively involved.

We have discussions with them.

You know, part of that is
also lobbying in Brussels,

to make sure that the different
regulations are not contradicting

their commercial interests,
but at same time,

they also want to make sure
that they can, y’know,

Microsoft is a big supplier of services
to European governments.

And they do their level best.

We see that also, to try to adhere
to the European regulations.

And the same time, there’s a
tension with American regulation.

So how to deal with that.

And they have more or less diplomats,
sometimes former diplomats

who are then employed by
these big tech companies.

We see often colleagues, former colleagues
now working for them on the other side.

Yeah. Yeah.

And then the idea there is to
get a common understanding,

you’re defending the
general rights of citizens,

they are defending their commercial
interests and somehow

it needs to be some kind of middle ground
to get the best possible outcome.

And if that conversation
wouldn't happen, yeah,

then there's nothing in the way to let
the algorithms of the social networks...

Yeah. Make it impossible to find facts.

That’s what...
That’s, you know,

we sit down with the companies to convince
them of the responsibility they have.

And they play such an important role
now in society.

So, I mean, ...
But do they act on this then?

Because why would they then?
A good example is GDPR,

the data protection regulation.

It is a European regulation,
but now actually world standard.

It was adopted early on
also in California,

after the European Union, then you
see other countries moving.

And then the big tech said, well,
I mean, we're not going to create

different standards,
for different countries.

We just apply the GDPR,
across the board, to all countries.

Yeah, indeed.

Can you please make sure that the regulations
are the same in all the countries?

That’s our effort, but often it’s also called
by some writers, the Brussels effect.

But then you see a very
positive effect. Right now

with the AI Act, you see
countries all come to Brussels.

Can you help us?

Can you tell us more about
how to implement these

AI Acts, we also want to look at it.

With countries you mean outside the European Union
and outside the United States probably.

Yeah.

Well, even I wouldn't say outside the
United States, because even the United States,

you have the federal government there,

and many states are very interested to work
closely together with the European Union.

Like I gave the example of GDPR, but

it also applies to other regulations
that they’re interested to see,

okay, could be of interest to us,
maybe partly or, you know,

just it's not going to be
a copy paste to them,

but they want to learn how to implement it
and what parts could be interesting.

And that's the role of diplomats
also, explaining and explaining,

and trying to see how we can find
a middle ground on that.

Yeah.

Because I can imagine that
we are talking about

getting the big tech on board,
those are U.S.-based companies,

indeed Google, Meta and those,
and you could see this as a

geopolitical thing because it's
America versus Europe in a way.

But from America’s perspective,
it's probably the people versus

the big tech as well.

It's the same battle or same concern
or however you would label it.

And what you're saying is
that certain states

recognize this and
want the same thing.

They want, I mean, there's right now
a big discussion in the United States,

I mean, also, to what extent they should have
full freedom to develop their products,

especially with regard to AI or should
there be a stronger governance?

That's a strong discussion right now
in the United States.

But even within those companies,
you see different points of views.

It's not all of them that say, y’know,
we want to have an unregulated

playing field and just do what we want.

They have children too.
They have children too, they see

also the threats they could do if you
do not create a good governance.

It's interesting also discussion with China.

China also is looking for AI governance,
to create safe AI applications,

because they want to have
a stable society.

And the same, so they also, you know,

discussing worldwide, when we had
the conferences on AI safety

in London and later on in India and
Paris, China was at the table as well.

They wanted to be there to discuss, okay,
what kind of governance do we need?

How do we discuss it?

And at UN level there
you see the same discussions.

Okay. How do we forward, discuss,
now with a scientific panel,

how do we look at the risks,
for instance with AI?

Sounds like there's much
more common ground

that we worldwide feel when
we talk about this subject,

than it's being looked at by the media.

Yeah, but there’s common ground on
many topics, at the same time,

there's a commercial drive of companies
and they want to make sure that’s first.

Yeah.

So that is where governments have to step in,

in our view, as a European view, also to
control companies in creating unsafe-

And then there’s a level
playing field, so they don't,

right now if you make your algorithms
best, you will win commercially.

But if everybody has to abide
by the same rules,

then you can all abide by them because
nobody has an unfair advantage anymore.

And our view is also that
innovation still can continue.

We look at the car automotive industry,
there’s a lot of innovation...

Highly regulated.
Highly, highly regulated.

Okay. In a minute, I want to ask you

about the limits of this diplomacy,
because I'm not fully convinced that

if we talk to Russia, for example,
about things, that actually work.

But before we do that, there's a
treasure hunt, of course, to our viewers.

And I'm going to name, mention a code.

And if you send that to code@threat-talks.com,
you can actually win a very cool Threat Talks

T-shirt, for the first 200 that
send us that, we’ll get that shipped.

So pay attention. The number is 251202.

Good luck.

So we've talked about the benefits
of diplomacy, but, there's always this...

You mentioned this as well,
this kind of skepticism

in my mind because, yes, we talk to Russia
and in the UN and all that.

But we have also agreed that we
do not use certain weapons,

and they do. They say
‘Yes, I will do it’,

and then the next day,
their behavior is different.

If you talk to Russians and say, listen,
we have attributed this to you

and they don't care, or they don't
even respond. So what is the use of it?

Why would we talk to them?

I mean, shouldn’t we simply
talk to those countries

who we do at least have
certain common ground with?

I can understand your question.

You know, diplomacy is hard work
and often frustrating.

The people involved in
endless conflicts...

You know, I admire them
also for being able to

continue to tirelessly try
to find possible solutions.

For the conflict with
Russia and Ukraine.

We need diplomacy.

We need to get people at the table.

We need to sit down with
them to find solutions.

Otherwise the conflict will go endlessly.

So diplomacy is not something new.

Is one of the oldest, you could say,
the oldest job, one of the oldest jobs.

Not thé oldest, one of
the oldest jobs in the world

is just trying to bring people
together and stop a conflict.

You always see at a
certain point a conflict,

whether it's a cyber conflict
or a real world conflict.

People are getting tired in doing it
and want to find solutions.

So it's also in the cyber space;

we want to make sure that Russia
understands that their behavior

is totally unacceptable, not only for us,
but also for other countries.

It's not only that we are affected
by Russian aggression

in the cyber space, but you see
it’s also countries in Africa,

in Asia, and they just want it to stop.

They want to have a safe cyberspace.

So the only way is to keep on negotiating
and talking and finding,

trying to find solutions.

And it means a lot of endurance.

You have to have as a diplomat,
as a diplomatic community,

to keep on bringing the subject up.

And you see, even we
had the Pact for the Future

last year, negotiations,
at the UN level

also for the future digital domain.
It was the so-called digital compact.

And it was Russia, till the
last moment, trying to block it.

But then the African Union
stepped in and said it's enough.

This is so important for us

because there's a lot of capacity
building in this and we need that.

And so they stepped back
and agreed on it.

Oh yeah.

So although our efforts towards
Russia may directly not

lead to any effects
since we are all talking,

are all at the table, there is someone
else who has actually a more,

is more intertwined with the interests
of Russia, then can make the difference.

So it’s the power of the network then?
The power of the network.

We all know that Russia tries
to seek influence within Africa,

so they don't want to
have Africa against them.

And we also tried, with tools,

we have a beautiful women
in cyber program, at the UN level

where we have been training now
about 50 women, together

with some other countries, from countries
who were not actively at the table before

and to ensure more female
voices at negotiations,

because the digital domain
affects all of us, men and women.

So we should also involve more
women at the negotiations.

Highly successful.

But it also means that
you hit a network of

around 50 countries who were
otherwise not actively involved.

They understand the subjects
who have been trained also by us.

They can take their own independent positions,
but they understand our position.

And I always say it’s the highest
successful program, very simple program.

But it helps also to create more agreement
on the important topics

not only within Europe but in Africa, in South America
and Asia, where they all came from.

Understood. In a later episode,
we have Bart Groothuis here.

He is in the European Parliament and,

talking about cyber and
data sovereignty as well.

He wants to make sure that Europe
has an infrastructure of their own.

So, and that's part of,
I can't imagine why,

I mean, we do the same
with food, for example.

But say we succeed in that,

that means we get to
kind of a splinternet,

Like, in a way, the internet of China is different
from the one in Europe and America,

in the Middle East they have
a separate version of it.

But how realistic is this?

I mean, like you mentioned, payment is
internationally and shipping and everything...

Everything is connected.

You mentioned a couple of times.
Will the role of diplomacy

then go less if we all do our own stuff
or will it become even more important?

I think the important part
of what he tries to

advocate is to make sure
that we have more sovereignty.

Right now we depend highly
on American infrastructure.

And now as Europe, also as
the Netherlands’ government,

we say we have to create
at the digital stack

more, you know, we are
highly influential with ASML,

but at all levels, we should
create more autonomy.

It's ridiculous that we're so dependent
on US companies for our data.

So there we degrade sovereignty,
but the internet still, is

you know, it is a connection
of about 80,000 networks.

And the internet is crucial for the private
sector to do business, for diplomats

to communicate, for all governments
at all levels, the health sector...

That will not stop.

You mention splinternet.

I mean, I of course, I know the term.

I always give the example of Netflix,
in the Netherlands, you receive

something different than if you would see
Netflix in Singapore or the United States.

So even in those platforms, you see
already a difference within one platform.

Yeah. But that doesn't mean,

you cannot [ ] my movie that I
downloaded at home while I'm abroad.

Yeah.

And I still, I believe that, you know,
we should continue to find

connectivity with the world.
There will not be a possibility

for all African, Asian, Pacific countries
to have their own sovereignty.

So we should be there also to help them,
to have choice, at least, that they have choice,

also, where they have the connectivity.

But as Europe, as such big market,
we are as a Europe,

as a whole, you know, one of the
biggest markets in the world.

We should be more, autonomous
in our services, in our digital services.

Yeah.

Like, lots of our production is in China, and it's
both for Europe and for United States true.

You might want to look at
how dependent you are,

especially if it's like medicines, for example.

This whole different topic of ...
in a similar way.

Okay. I mean, one remark with China.

I mean, a lot of Chinese
products come this way.

We have now also the Cyber Resilience Act
going to be implemented.

Yeah.

And that's, I think, a crucial act

to make sure that all products are
safe in use, that their design

is already security by design,
and not just an add on.

And ‘oh, yeah, we have to make sure
that it complies with some regulations’.

And I think that's crucial.

I always compare it, if a car
would be the same quality

as lots of software and hardware,
it would be off the road in 20 minutes.

Yeah.

There’s this famous comparison that
Bill Gates one day, it was in the 90s or so,

where Bill Gates said: if the car industry
would be as innovative as the

IT industry, then we would have cars
that go like 1,000,000km to the gallon,

and they would go super fast and
super safe, no deaths and everything.

And then the response of General Motors

was, oh, if that was the case, then
the car would stop for no reason,

and we would have to press
weird buttons to reboot,

and we would somehow,
simply accept all this.

Exactly. Yes. Okay.

I also want to talk to you about...

You are everywhere in the world, and
you see a lot of initiatives that work

well, and so you see so much.

Is there anything that we can also tell

to our viewers, think of this thing,
maybe we should invest more in

offensive capability, maybe we should
test whatever more.

You must have some...

Let me mention two,
one we’re really working on

within the government cyber space,

also is to be more proactive
and we try to create coalitions with that.

And that means that we're not sitting back
and waiting till we are attacked,

and then, you know, trying to, where does it
come from and write the advisory etc,

but really being able together
with our intelligence services,

with our Minister of Defense,
but maybe later on with the police

and our NCSC; to analyze what's happening,
what kind of behavior do we see?

Do we see campaigns being organized
to prepare an operation

and then how to disturb that?

So be more proactive and not
wait till we are attacked.

And we see possibilities doing that
together with other countries.

Now, that's one. Another-

Can I just ask a question
to make that clear to me?

So what, does that mean, if a certain
country is being attacked or

a company or some kind of government
body is being attacked that you share

what you see and somehow dissect
how you're being attacked

and share that knowledge so others
can put measures in place to ...

So like threat intel sharing
is that the kind of thing

you mention?

No, that's reactive already,

but that's, y’know, last year
in February when we published

Coathanger, and it was a
very detailed advisory,

it was published through
a national NCSC.

So for everyone to read, even the
Chinese could take a copy of it.

They could read how they
should do better.

Yeah. Possibly.

But no, we do share.

And that's maybe, already a message
also to the CISOs and to companies.

You know, you have to be
open on your [ ].

You have to inform
our NCSC and, you know,

they also depend on
getting information together

if we are fed by the whole private
academic sector, etc.

But what I said, being proactive is,

you know, be there already before being
attacked, to see already campaigns

being prepared, because a cyber attack
is not something someone just decides on

one day, let's attack tomorrow.

It's the last day of a lengthy process.

Yeah, it's a lengthy process.
Very detailed, well prepared process often.

And that you can be, you can try
to prevent and disturb that process.

Another example is, just organized
by the United States last year

and it ended in August,
is the AI Cyber Challenge.

It was organized by DARPA together
with the big tech companies,

and it was actually meant to invite teams
to attack using AI and to attack systems.

And try to see if, using AI,
how to get into networks.

And just one thing with this,
also been discussing our National Cyber

Security Council, where I’m a member of,

that we do not have enough knowledge
as Europe on offensive

cyber operation using AI and being able,
better able to defend yourself,

you need to also know the offensive side.

So there are thoughts now
being developed.

Is it possible to do that similar
a challenge also in Europe

with the European teams,
European cybersecurity

companies taking part as sponsors,
maybe for ON2IT it would be of interest.

So that's the kind of initiative
I think would also be very interesting

to look at.

Okay. Clear.

Lastly, if I am a CISO or a CEO of
a company, there’s probably a lot that

I think you can learn from how diplomacy
works and what are the success factors.

So in the very unlikely event that you would
do a career change and become a CISO

of a financial institution, say,
what would you change or add or

what advice would you give to a CEO to do?

First of all, I do have a
lot of contact with CISOs

already when I just started,
just contacted my own CISO

from the ministry and he
wasn't aware, you know,

I mean, there was, you see
that there's a disconnect.

And now we very well
connected with the

CISO and our policy side,
but also the National CISO Day.

I always try to attend,
I have good contact

with Dimitri van Zantvliet,
the CISO of...

Dutch Railway. Dutch Railways, who's
also heading the CISO platform.

And for me, it's crucial that CISOs are
not only looking at their own company

and not only being inward looking and say,
well, as long as, everything is good,

well here inside, then we are safe,
because tomorrow it can be different.

So you have to be open.
You have to communicate.

Like I try to be in contact with CISOs.

CISOs can also be actively outward
looking, be in contact with our NCSC,

I mean, if they could be in contact with me,
for instance, y’know, I need those experiences,

this hardcore experience from companies
for, you know, what are your challenges?

What are you up against?

Because that helps me
and that helps me also

being better in protecting the Netherlands
and protect the companies who are

being the target of many attacks today.

I once had a meeting with
200 entrepreneurs and

I asked them, okay, who was being attacked
last year? I saw three little fingers going up.

I said, you know, you have to be open.

I mean, it's important
to share amongst yourselves.

You know, there's so many attacks today.

But people are still reluctant
to acknowledge that-

Yeah. And if you would
do ‘CISO diplomacy’,

where you would learn from each other
at first informally

and then understand each other's position,
and then collectively, you would be more

feel more free maybe to share this
for everybody's benefit because

I mean to cyber criminals, let's face it,
they do work together very well.

They have a whole ecosystem
in the dark web and everything.

We have different episodes of Threat Talks
that do detail precisely that.

And you see it with a big response
with companies

like ASML, like the banks,
they look at their whole supply chain

and how to improve the cybersecurity
and the whole supply chain.

But that also means for small to
medium sized companies,

they have a responsibility to make
sure their cybersecurity is in order,

that they have the cyber hygiene
in order, which is I mean,

cyber attackers still use known vulnerabilities,
which could have been patched.

You know, you could have
been updated, but it's,

just, two way verification, very simple
things are still not being applied.

And making organizations vulnerable.
Yeah, and talking CISO

from within the supply chain from CISO to
CISO talk about this and share intelligence,

that actually helps strengthen your chain then
and as we all know, if your supplier

suffers from a breach, there's not much
you can do, especially after the fact.

And even before you can do very little.

But in a way, CISO diplomacy,
if I may coin that term,

that may help there.

Yeah.

And, you know, also with the different
conferences, you've been to the RSA,

and there you see
also the CISOs, for instance,

the government CISOs go there,
but also CISOs from companies.

They are there also to learn a lot
on the threat intelligence.

What's happening and where
do I have to be prepared for.

And then you- The RSA Conference
is not about the conference itself,

but about meeting all the people that go
there. Cos we’re all there, so.

But getting also a lot of information
and making contacts

and that's where you see diplomats
and entrepreneurs together.

Great. Thank you very much.

It's a lot of insights.
I think it's become quite clear

what the value of diplomacy in
general is, and cyber diplomacy.

To me, it's a whole new world,

that embodies much more,
than you would initially think.

It's great that it’s here.
Thank you very much.

And the rule-based international order

that you mentioned as a basis
is that, I didn't realize it's that

important for, to build everything else upon

to thrive for less breaches, which is
our common goal in the industry.

I would say. Thank you very much.

Even the international law
is underwritten by Russia.

I didn't know that.

It's a good start.

Thank you so much.

And, well, you're leaving for Japan, Seoul.
Good luck.

And keep it up. Thank you very much.

Thank you very much, Lieuwe,
it was a pleasure to be here.

Pleasure as well.

And to our viewers, thank you very much
for tuning in this time.

If you liked what you saw
today, please like it,

because that helps us
spread the word further.

And if you liked it very much,

then also press the subscribe button
if you didn't already do so,

because that means you will have
the next episodes in your inbox as well.

I say goodbye to you one more time.

See you next time.

Thank you for listening to Threat Talks,

a podcast by ON2IT
cybersecurity and AMS-IX.

Did you like what you heard?
Do you want to learn more?

Follow Threat Talks to stay up to date
on the topic of cybersecurity.