Speech by Minister of State Werner Hoyer at the opening of the Conference on “Challenges in Cybersecurity – Risks, Strategies, and Confidence-Building”, 13 - 14 December 2011, Foreign Office, Berlin, Germany

13.12.2011 - Speech

Speech by Minister of State Werner Hoyer at the Conference on Cybersecurity, 13 - 14 December 2011 at the Federal Foreign Office in Berlin.

-- Translation of advance text --

Ladies and gentlemen,
Distinguished guests,

I am delighted to have the privilege of welcoming you to the Federal Foreign Office. As the huge response this conference has attracted shows, the Internet is now a very important topic on the international agenda.

As a challenge for diplomacy, the Internet has many different aspects.

It has to do with human rights.

It has to do with international trade and economic policy.

It has to do with security policy, too – an aspect that’s becoming increasingly important. On top of that, the Internet is an example of global governance as well. Obviously, global issues cannot be effectively addressed by any one country on its own.

Computer systems have become the nervous system of the modern world. They play an ever greater role in the business of government, in all our private lives and also in the functioning of our market economies – in logistics systems, power generation, the financial markets, you name it. And without Internet access it is hard to imagine how we could manage many aspects of daily life. In the world of the 21st century, protecting the Internet and its infrastructure is therefore a core task for governments, too.

We need to ask ourselves what governments, together with Internet providers, can and must do to guarantee security in cyberspace. This is important not only in the context of transnational cybercrime committed by individuals, but also in the context of dealings between governments.

However, we must not lose sight here of what it is that we want to protect. We need to protect the Internet as a new public space, a space of freedom, economic growth and personal development.

In an open and knowledge-based society, clearly, the Internet is just as essential for our freedom as it is for our prosperity. And it has become a synonym for the opportunities globalization offers. A connected world fosters education, innovation and a market place for new ideas. It boosts trade both inside countries and between countries. Last but not least, the Internet can galvanize economic progress in developing countries.

It can serve as a catalyst, moreover, for the development of free and open societies. It encourages a vibrant civil society. It can make government more transparent and government agencies more efficient. Broad access to the Internet spells greater equality of opportunity, also in contemporary industrial societies.

Democratic participation, access to education, personal contacts, business transactions, professional and above all personal development: the Internet is increasingly the platform where all these activities take place.

A free and global Internet helps foster international understanding and, by the same token, peace. Where free discussion is possible, contact with others around the world is easy, and everyone has access to the same content, people tend to understand other societies better. Everyone can find out for themselves what life in other countries is like. In the digital age governments cannot and must not any longer steer and control opinion.

A connected world accelerates not only the globalization of markets but also the globalization of values. People all over the world can use the Internet to help them exercise their right to freedom of expression.

Take North Africa, for example. The democratic revolution there did not happen because of some technology. It happened because the yearning for freedom triumphed. But the Internet – along with all the mobile phone services we have today – helped the democracy movement really take off. They made people no longer afraid to voice their views and demand their rights.

Cyberspace is a public space which must be preserved and managed. Since it has been a global space right from the start, this is a task requiring international cooperation: intergovernmental cooperation as well as cooperation with the private sector and civil society. That, as you all know, raises a host of issues, which are now under discussion in various international forums.

What rules and rights should there be in cyberspace: for users, for providers, in transnational communication, for access to the Internet? Where and by whom should such rules be laid down? What rules from the offline world must apply also in the online world? And how can they be implemented in a transnational context? What intergovernmental agreements relating to land, air, sea and outer space should we extend to the digital sphere?

Of course freedom in cyberspace would be seriously compromised without crime prevention or safeguards against unauthorized invasions of our privacy, be it by governments or by private individuals. Whether the issue is the individual’s right to determine what happens to their personal data, the limits to privacy in a public space like the Internet or intellectual property rights, the principle of “delete rather than block” or crime prevention: of one thing there can be no doubt. Managing a global network requires international agreements.

We clearly can’t allow the Internet to be outside the law; there have to be rules. So the rule of law must be upheld in cyberspace, too. But it must be done without unduly restricting the freedom of the Internet or the rapid pace of technological advance.

Where, then, is the need for rules and agreements most urgent?

What is important here, in Germany’s view, is, firstly, respect for the right to access to information and for the right to freedom of expression. Secondly, we want to highlight the need for neutral access to the resource Internet, one that does not discriminate between states or Internet users. Thirdly, we view efforts to nationalize the Internet, as it were, by building a series of national networks as counterproductive.

In the 21st century world, free access to information as well as freedom of expression and of assembly are protected only if they exist also in cyberspace. US Secretary of State Hillary Clinton has called these Internet freedoms “the freedom to connect”.

We therefore welcome all the work going forward at the Council of Europe, the UN Human Rights Council, the OSCE and other bodies with the aim of building consensus internationally on freedom of the media and freedom of expression.

In the context of bilateral discussions of human rights topics, too, we feel it is important to raise the issue of freedom of the media and the Internet.

Another priority is to prevent regimes which brutally oppress their own citizens, as we are seeing right now in Syria, from acquiring technology that could help them spy on, keep tabs on and harass people. This is why we have recently included such technologies in the EU’s sanctions regime vis-à-vis Syria.

We also welcome the principles and agreements formulated by the G8 and OECD on Internet governance, the economic role of the Internet and its potential in promoting development as well as the discussions at the Internet Governance Forum, whose annual meetings bring together governments, business, users and civil society.

The many benefits generated by the Internet are due above all to the fact that it has been from the start a global, open, decentralized yet single network. That is why we should lobby internationally for the clock not to be put back. It cannot be in anyone’s interest to develop a whole series of national walled-off networks.

In my remarks so far I have placed special emphasis on Internet freedom. This is because we in Germany feel the topic of our conference – “Challenges in Cybersecurity” – needs to be seen in a wider context. Cybersecurity must be about protecting freedom in cyberspace, about protecting its openness, availability and integrity as a resource. In this sense freedom and security are inseparable twins. Freedom needs security to flourish; security needs freedom, otherwise it becomes an instrument of oppression.

Since cyberspace is by definition global, international action is needed to protect our international data networks. The rapid rise in cases of abuse of and attacks on data networks – particularly in the form of sophisticated computer worms such as Stuxnet – has driven home to us how dependent we are on international cooperation. Since we cannot protect ourselves completely from such attacks or discover who is behind them, we need something like cyber diplomacy. The primary aim of this kind of diplomacy is to negotiate internationally accepted safeguards, rules of conduct based on legal norms, and standards. Our national Cyber Security Strategy rightly speaks of the need to develop an “international cyber policy” – a whole new challenge for our foreign and security policy.

Four parameters will guide our efforts here:

1. Our approach is incremental and pragmatic. There is no point in looking for a silver bullet. What we want is to explore common ground with a group of like-minded stakeholders and make progress where we can.

2. Cyber diplomacy is already under way in a wide range of international forums and organizations. Given the complexity of the challenge, that is the right approach. We want to see a division of labour between the different forums; it is important to define as clearly as possible who does what.

3. We see maximum transparency and active confidence-building as the best way to guard against offensive – including military – uses of cyberspace.

4. We believe currently applicable international law provides by and large a sufficient basis for developing new norms in the area of cybersecurity. The important thing now is to bring different interpretations and standpoints more closely into line with a view to reaching a common consensus.

Let me now look at these four points in greater detail.

In recent years we have seen a major increase in international efforts to strengthen cybersecurity. The Council of Europe drew up its Convention on Cybercrime (2001) at a very early stage. It is regrettable that the Convention’s broad-based approach, which entails notably some necessary infringement of national sovereignty in connection with the collection of evidence and the tracking down of cybercrime suspects, has prevented many countries from signing up to it.

That is why it makes little sense – at least at the moment – to try to draw up comprehensive conventions and rule books. Here, too, grand strategies tend to be the enemies of progress. For this reason we argue for an incremental approach on the basis of soft law – in other words, politically binding rules of conduct that help to build trust.

That means we should focus on those areas where the desire for international cooperation is strongest. Apart from the fight against crime, I believe there is considerable international interest in agreeing measures to protect critical infrastructure, for example, give hospitals a special security status and enhance the security of submarine cables – which are amazingly few in number – and their network nodal points.

The more we strive in these and other fields to build trust and promote good governance, the more stakeholders will come to trust one another. That lays the groundwork for further advances in international cybersecurity.

Our incremental approach enables us, moreover, in ad hoc coalitions to reach agreements with other governments whose interests and positions we share. In line with our pragmatic approach, we believe some countries could also set an example by agreeing on standards and rules of conduct. Accordingly, the G8’s Deauville Declaration and the results of the London conference in this area could help promote consensus-building and intergovernmental agreements in the field of cybersecurity.

As we see it, regional organizations and forums concerned with security issues are going to play an increasingly important role here. Experience with transparency-building and confidence-building mechanisms in the area of conventional arms control is a good basis for attempts to develop similar measures for cyberspace. Germany has consistently supported the efforts of the OSCE to achieve tangible results in the area of confidence-building measures. To this end we have put forward concrete proposals on, for example:

- early warning;

- transparency through information-sharing on cybersecurity policy and strategy;

- establishing national focal points;

- setting up dedicated communication channels for use in the event of a crisis;

- developing technical recommendations, and assistance with capacity-building.

We should not allow ourselves to be discouraged by the failure last week of the OSCE Ministerial Council to take any decision in this regard. It underlined once again how difficult it is for countries with different standpoints to agree on a common approach.

We commend what the OSCE is doing in this field and hope successful confidence-building under the auspices of regional organizations can be a model for similar endeavours at UN level.

Digitization has not only had a profound impact on the way military operations are conducted, how weapons are used and what military personnel actually experience on the ground. It also means that data networks used by the military are far more vulnerable now than they ever were in the past. In many of today’s armed forces what began as efforts to protect their data networks from cyber attacks has now expanded into actual cyber commands with a remit to safeguard their country’s capacity to conduct the full spectrum of military operations.

Nevertheless, I do not share the hysteria about a looming cyberwar fuelled by those such as journalists or security firms with a vested interest in boosting sales. In the foreseeable future we are unlikely to see anything of that kind.

However, we do need to confront the threats arising from the military use of cyberspace. That such use is, in the case of a number of countries, now an integral part of their national defence strategies reinforces the impression elsewhere that offensive capabilities are being developed in this area, from which other countries must protect themselves. This may set off a dangerous spiral, which along with martial rhetoric could fuel serious tensions and ultimately even lead to an outbreak of cyber hostilities.

The difficulty of identifying the source of any cyber attack obviously makes such scenarios even more dangerous. When there is no reliable way to identify the attacker or gauge the motives behind the attack, speculation, conjecture and suspicion have free rein. By means of subterfuge and deception, a really high-tech cyber attack can make an attack appear to come from a country that has nothing at all to do with it – which may then find itself the target of a reprisal attack.

Under such circumstances the doctrine of deterrence, which in the nuclear context has functioned well to date, is simply obsolete. We need to realize that here we have to do with a completely new type of asymmetry. Whether brilliant hackers, cyber mercenaries acting at others’ behest or countries with weak data network infrastructure: all of them are capable of launching successful cyber attacks, without fear of reprisals, on countries with advanced data networks.

In the light of such risks as well as the danger of escalation I have outlined, there are three priorities the international community should focus on above all else.

- Firstly, we need to tone down the rhetoric.

- Secondly, we need transparency with regard to national defence strategies in the area of cyberspace.

- Thirdly, we need an internationally recognized rule book which lays down when and how the target country of a cyber attack may respond.

If we want to strengthen international cybersecurity, we cannot do this without bringing international law into play. In Germany’s view the provisions of the UN Charter apply in principle also to cyber attacks. Humanitarian international law is by and large, we believe, all that is needed as a basis here. We are not looking for any new codifications in this area. As we see it, in the context of cyber attacks launched by private individuals, international law principles regarding state responsibility unfortunately do not currently entail any obligation on states to ensure cybersecurity. That is why Germany is in favour of creating a new obligation on states to ensure cybersecurity.

I am aware there are a number of contentious points regarding the interpretation, derivation and application of international law norms in the area of cyberwarfare and cybersecurity. Here, too, international efforts are needed to develop a common understanding of how such norms apply to the area of cybersecurity.

I am sure the conference that is starting today will make a valuable contribution, not only in the section devoted to international law, to clarifying the issues at stake and bringing positions on the points of contention more closely into line. Our conference has the advantage that – except for the opening session – it is being held under Chatham House Rules, so the high-calibre experts participating can discuss all these matters very candidly with representatives of industry and government. I hope this will help us make real headway in formulating what steps are needed to enhance international cybersecurity. What was just yesterday a niche topic is now one of the major new challenges which the international community needs to address.

On this note I wish all participants a stimulating and productive conference.
