The Munich Security Conference (MSC), the largest annual global gathering on international security policy, is holding its fourth Cyber Security Summit on September 19-20 in Silicon Valley, California. Ahead of the event, MSC spoke to EWI CEO and President Cameron Munter, who will be introducing the EWI panel at the summit.
MSC: Are we prepared for larger-scale cyber attacks on critical infrastructures? Which sectors are most vulnerable, and how are they currently being protected? What can we learn from past attacks, such as the hack against Ukraine’s power grid last year?
Munter: Two elements comprise the necessary preparation for attacks like the successful takedown of parts of the Ukraine power grid. The first is to understand the threat—that is, both the capability and the intent—of the various actors, and to recognize that cyber attacks will usually occur as part of a broader campaign of aggression. In other words, understand the context, and pay attention to what’s going on in the world. Second, preparation means being ready to continue to operate and deliver services in a degraded environment when an attack is successful. In Ukraine, manual processes helped restore power in some areas while repairs were made. These scenarios must be exercised by critical infrastructure operators. Large finance and communications firms are ready. In other sectors, much more work is needed to increase resilience.
MSC: How can the private and public sector settle the encryption debate? How far should data privacy be compromised for effective intelligence work, and vice versa?
Munter: The debate is actually more complicated. On the one hand, business data confidentiality can be as important as individual data privacy. And on the other, lawful access to information by law enforcement authorities to investigate and prosecute serious crimes can be as important as intelligence gathering. Moreover, the solutions are not binary. Encryption is hard to do well. There is no absolute protection and, conversely, no magic way of giving access to the authorities without increasing risk. Finally, the public sector’s interests include protecting the data of firms and citizens, while the private sector cares about order and security in society. The solution will be complex and nuanced, not a cartoon. A problem set like this one requires thoughtful policymakers, technologists, civil society, and business getting together and working hard over a longer period to balance the various interests.
MSC: What role can non-state actors such as multinational ICT companies and NGOs play in advancing cyber diplomacy?
Munter: Because cyberspace is a public-private partnership, global ICT companies are working with NGOs to step up to the responsibility that comes with their great power in cyberspace. For example, at a recent EastWest Institute event, Microsoft issued a set of norms of industry behavior that global ICT companies should follow in their business practices. These norms complement norms of state behavior under development by a group of experts at the United Nations. Examples of the kinds of norms that companies should consider adopting include:
- Creating more secure products and services.
- Not enabling states to weaken the security of commercial, mass-market ICT products and services.
- Practicing responsible vulnerability disclosure.
- Collaborating to defend their customers against and recover from serious cyber attacks.
- Providing product security updates to protect their customers, no matter where the customer is located.