September 29, 2009
Summary of the breakout conversation "Cyber-Defense, National Security and International Cooperation" at the 2009 Annual Members' Conference.

PARTICIPANTS:

Chaired by Hon. Franklin D. Kramer,* Former Assistant Secretary of Defense; Vice Chair, Atlantic Council; Member, Atlantic Council Strategic Advisors Group
Lt. Gen. Kenneth Minihan, USAF (Ret.), Former Director of the NSA and DIA
Mr. Brian James Saunders, Counselor, Embassy of the United Kingdom
Hon. Walter Slocombe,* Former Under Secretary of Defense for Policy; Vice Chair, Atlantic Council; Member, Atlantic Council Strategic Advisors Group
Dr. Paul Twomey,* Senior President, ICANN

SUMMARY:

This session was held under Atlantic Council Rules, defined by President and CEO Frederick Kempe as "Chatham House Rules with military enforcement."  Below is a general summary of the topics discussed.

Cyber security has rapidly emerged as a growing threat both governments and business. Despite its rising stature and attention, heavy classification of the threat limits the possibilities for cooperation among nations and between business and government.
    
Cyber security is a complex challenge because it cuts across many spheres. The networked nature of the internet makes cyber security a distinctly international challenge. The heavy concentration of cyber infrastructure in the hands of the private sector means that cyber security threats are challenges to both the public and the private sectors. The growing reliance of individuals on the internet also means that cyber security also touches upon the balance between national security and individual liberties.   
    
The Internet is exploding in popularity, making cyber security a growing challenge. Nevertheless, despite its 1.6 billion users today – expected to grow to 3 billion users in 2011 - no one is in charge of the internet.
    
This lack of control and security has resulted in three major challenges of cyber war, cyber espionage, and cyber crime. While these threats come from different attackers and are directed against specific users, they all operate on the same internet network and can having catastrophic effect against a broad array of internet users.
    
Faced with these growing risks and the impossible nature of ensuring complete cyber security, the key for the public and private sector is to enhance resiliency. The shared threat between the public and private sector offers strong opportunities for a collaborative shared approach. Two major challenges limit this cooperation. First, the private sector fears the involvement of the government and worries about its privacy and the protection of proprietary information. Second, government so heavily classifies its cyber capabilities that it cannot work in a meaningful way with the private sector without divulging sensitive information. Some believe this heavy classification harms cybersecurity by cutting off the private sector and encourage governments to stop treating cyber issues as a ‘security’ threat to secure the private sector’s cooperation.
    
Enhanced regulation will be necessary to better secure cyberspace, but there are disagreements as to what type of regulation would be best. Some advocate standardization and voluntary certification among private users while others believe that a more tailored regulatory approach is needed to level the playing field among actors in the private sector.
    
The international nature of the cyber threat begs the question of how various international organizations can best meet the growing challenge. NATO has struggled to define whether or not a cyber attack should be considered an Article 5 threat, and some argue that treaties need to be updated to reflect the new reality of cyber security. Many agree that a NATO cyber exercise would be useful in raising the issue’s profile and demonstrating the threats, while others suggest that the EU is unlikely to play a major role as an international cyber actor.
    
The technical community that helped create the internet could be a useful tool for governments as they seek to enhance cyber security. They remain deeply committed to its security and well-being, and would be willing to help provide solutions with governments, if they know governments will respect their unique culture of operation.
    
For sure, no one government is capable of meeting the cyber challenge alone, and even governments working together cannot succeed without the extensive engagement and participation of the private sector. It remains to be seen if business and government can overcome their mutual suspicions to achieve common goals and combat a shared threat.

- Summary by Jeff Lightfoot, Assistant Director, International Security Program