The end of May in Tallinn became the setting for the Cyber-Woodstock in Europe hosting at the same time CyCon, the Munich Security Conference’s Cyber Security Summit as well as the Tallinn e-Governance Conference. CyCon – the annual conference organized by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn – brings every year together hundreds of stakeholders. This year’s focus was Maximising Effects, which attracted over 700 participants and offered a comprehensive program approaching current topics from legal, technology and strategical perspectives. In the following, this blog article intents to shed some light on raised issues and evaluate discussed topics.
Due to the different perspectives offered by the conference, CyCon continues to be a unique opportunity for technical, legal, policy experts from academia, governments and military to engage with each other and understand different perspectives as well as identify pressing issues in the field. This is especially valuable as most topics in the field of cyber security require a holistic approach. As CyCon started out as a conference focusing on cyber conflict, its strong affiliation with the military sector can be felt. The terminology used during the conference often reinforced the idea of cyberspace as a domain for warfare. However, this year, a slight shift could be noticed as an emphasis was placed on the human factor besides conflict and technology. This was shown elaborately especially by Luc Dandurand’s (Guardtime) presentation. He pointed out that while protection is 95% technology and only 5% the human aspect, a response to an incident and its management is 95% human factor and only 5% reliant on technology. Another language specificity of this year was the emergence of using “cyber” as a noun rather than a prefix. If this trend continues, it will give rise to interesting intents of conceptualization.
The need for a new approach to study the (meta)discipline of cyber security was topic of a novel workshop on cyber education portraying cyber security as a team sport of various disciplines. Panelists called for a more comprehensive approach, however they did not agree on whether it should be a multi- or interdisciplinary approach. Even though the panelists explained some of the challenges for such an approach, practical guidance on how to overcome those was missing in the presentation. The education workshop emphasized the importance of cyber security capacity building with non-like-minded states beyond the comfort zone of aligned states. The idealistic approach of cooperation among all was contrasted by a plea for focusing on partnerships and cooperation amongst liberal democracies instead of wider partnerships. The call for a Cyber NATO, not bound by geography, was presented by the former Estonian president Toomas Hendrik Ilves in a keynote speech. Such polarizing thoughts (us v. them), however, might rather prove harmful to the effort of finding some form of understanding to the governance of cyberspace – a space hardly responding to national borders.
Artificial Intelligence and emerging new technologies were identified as some of the pressing current and future topics, which will require a lot of consideration from policy makers as well as legal scholars. The focus on information security and the CIA triad will also require some shift in thinking, as confidentiality concerns take the back stage, whilst the trend shows that attacks against the availability and especially integrity will prove to be more devastating.
In the backdrop of the recent events, the role of social media, especially Facebook, was discussed in depth, i.e. the ability of social media giants to police and limit the spreading of fake news through their platforms. It was emphasized that Facebook does not make content-judgments per se but bases its protection policy on investigating location of users and interaction between users. Those practices give rise to questions regarding the legitimacy of policing practices by non-state actors, especially because private actors play a crucial role in providing access to information. These concerns were to a certain extent addressed within a panel on human rights. By accepting the role of policing and censoring content, those companies may however, assume a role in which they infringe rights of free expression.
Finally, a panel was held on the debate on international norms for cyberspace. The panelists were united in emphasizing the importance to continue with the effort to agree on international norms. However, due to the difficulty of finding agreement, it was proposed to instead look at the domestic level and focus rather on bottom-up approaches, such as capacity building or confidence-building measures. Interestingly, the definition of norms, which was adopted by some of the presenters, seemed to not match with the concept then applied in the presentations. This goes to show that there is still some uncertainty as to what are the norms that the international community is talking about. For example, according to the often used definition stemming from sociology, norms can indeed be built bottom up. Therefore, to agree on norms in international negotiations (top-down) is only one approach. Thus, clarification on what norms are might contribute to the discussion, bridge the gap between different suggestions and lead to a more holistic approach in academia as well as on a policy-making level.
In conclusion, many interesting and important issues were raised by all disciplines represented in Tallinn. The panel discussions and presentations could use more diligence and clarity regarding concepts and definitions used. This is especially necessary if engaging in interdisciplinary research and striving towards a holistic approach to cyber security. Last but not least, another somewhat anecdotal experience from the conference – there were no toilet lines for the ladies – points towards another crucial and worrying aspect of the field of cyber security: only 11% of the global workforce in the field are women.