There are not many events out there gathering high-level politicians, policy makers and technologists. This is why it was such a pleasure to be a participant in the Cyber Security Summit (CSS) in 2018 held in Tallinn, Estonia - organized by Munich Security Conference (and then followed by attendance of CyCon, conference on cyber conflict).
Rather than providing a full account and a report that can be found elsewhere (e.g. here: "The weaponization of cyber space"), I’ll instead provide a number of observations, based on what was there and my own input.
Bridging technology and policy
Meetings bringing together policy makers and technology folks have a clear value. The most important here is that both worlds can understand each other better. It’s not only about the conveyed information, but also the line of reasoning, structuring thoughts.
I have participated in the CSS Roundtable on technology. That was a very broad discussion, including an important aspect: how to structure a research agency in Europe. The US DARPA may be an ultimate blueprint, but it is worth to consider if directly transferring this format in Europe (for example) may work in practice. It’s about the practical and political challenges posed by 28 distinct parts, instead of a single one (US).
Events and “atmosphere” caused by cyber is accelerating policy and tech changes
“Cyber” accelerates everything on all the sides: both in technology (additional incentives), as well as in policy (need to catch up although this is seldom within reach). Notably, “cyber” creates a domain of technology policy where competences in technology and policy are the key ones. These days it is nearly impossible to be up to date on all developments in security from the technology point of view. It’s tempting to conclude policy is not affected by this, as it is a high-level overview. This view is not correct because in policy one still must have account of developments on all of the fronts.
To fully grasp the implications of “cyber” by policy circles, but most prominently - be able to keep up with change, understanding technology, on varying levels of deepness - is an asset.
On the other hand, technology circles are increasingly finding that their areas are either being subject of regulations (think Waasenaar, GDPR, NIS, and others in many other countries around the world) in ways often not previously seen. This is also accelerating.
The catchy issue of International norms
“Cyber” is the gray area of conflict portrayed as yet not widely and well understood, and no specific and binding rules exist in this area. The pace of development creates additional challenges. Things change fast. Cyberattacks happen. Responses are made outside of cyber, such as sanctions. Some, such as the former president of Estonia Toomas Hendrik Ilves even say that the limitations of the currently established norms, rules, and modes of operations are even a threat to liberal democracies - and call for specialized response, such as for example the establishment of new structures meeting the current times (such as the Digital Defence Alliance).
But while it is true (as T.H. Ilves said) that Uruguay has never occupied Estonia - highlighting the geostrategic shift where the traditional physical national borders are no longer the only boundaries - forming such structures on the premises of a single issue may not be as easy as it sounds. It will be fascinating to observe this sphere.
The technical possibility of misusing internet platforms to spread disinformation industrially were known and discussed for years in specialized circles. But in order to bring the attention of the broad community, a high-impact event had to happen.
In general, in policy as seen historically, it is often that “something” needs to happen to create a motivation or motion to act. I am not wondering how such an actual motivator could look like in “cyber”.