Keynote Address at the Singapore International Cyber Week

Remarks
Christopher Painter
Coordinator for Cyber Issues 
Suntec Singapore Convention & Exhibition Centre
Singapore, Singapore
October 10, 2016


As prepared

Good morning! Thank you to Prime Minister Lee and the Government of Singapore for inviting me to speak at this the inaugural Singapore International Cyber Week. It is also worth noting that this event is happening during the 25th anniversary of GovernmentWare conference, which is recognized as one of the premier global conferences. Therefore I am honored to have the opportunity to speak with you today.

I am equally happy to be here in Singapore again. This amazing city wows me each time I visit. My first visit was as a speaker at the International Association of Prosecutors conference many years ago. I saw then how much potential this nation and its people possessed, so it is truly a pleasure to return and witness the incredible advances that Singapore has made.

I also greatly appreciate the opportunity to engage with key partners on cyber issues – many of whom are represented in this room. As with our other partners, the United States works closely with Singapore on a range of issues, including cybersecurity. The inclusion of cyber commitments in President Obama and Prime Minister Lee’s Official Joint Statement this summer and the cybersecurity memorandum of understanding we signed underscore the growing importance of cyber cooperation between our two countries.

We also work with the Association for Southeast Asian Nations and other global partners to promote the social and economic benefits inherent to cyberspace. At the U.S.-ASEAN Summits at Sunnylands and in Vientiane this year, our nations affirmed a shared commitment to promote security and stability in cyberspace consistent with norms of responsible state behavior. These are just a few examples of how we and our partners are working to promote an open, interoperable, secure, and reliable cyberspace.

In reviewing the theme for this week – Building a Secure and Resilient Digital Future through Partnership- I was glad to see the emphasis placed on building international partnerships in cyberspace. This has been one of the key priorities for my office at the U.S. Department of State since its founding in 2011. While five years doesn’t seem that long ago, some might be surprised to know that mine was the first office dedicated to cyber policy within a Foreign Ministry. With a small staff and a large mission, we set out to develop key global partnerships that would support us in enhancing our nation’s cybersecurity. Since then, about twenty-five other nations have created similar offices in response to the shifting landscape that has accompanied the growth and expansion of the Internet.

Many of those nations are represented in this room; therefore I know that many of you will agree that cyber issues are cross cutting issues. In other words, our economic, political, and social welfare cannot thrive if we fail to protect the information infrastructure that has become so vital to daily life. Our businesses and citizens have come to depend on an Internet that is open, interoperable, secure, and reliable. It allows them to create and innovate in ways that we could not have dreamed of a decade ago. U.S. Secretary of State John Kerry put it this way, “…the internet revolution that we are living today will literally define the kinds of opportunities that young people all over the world are hoping for today – help strengthen governments; provide opportunity; make us safer; bring us together; and in effect, define the future of this century.” If we acknowledge just how vital digital technology and connectivity are to our present and future, then we must also recognize that there are, and will continue to be, malicious actors who seek to take advantage of our digital reality.

This brings me to a question that I am regularly asked by the media. How do we deal with the growing number of threats to networks and infrastructure? I’m sure that some of you are also being asked that question. I also know you are all keenly aware of the variety of the threats we face in cyberspace.

There are operational threats to our cyber networks that, whether state-sponsored or criminal in nature, can potentially harm our security and do substantial damage to our infrastructure and economic interests. There are also threats from large-scale cyber intruders for purposes of stealing intellectual property, trade secrets, proprietary technology and sensitive business information from the private sector for commercial gain. Threats come in a wide range of malicious cyber activities, like ransomware, which is used to extort a single individual or hold hostage sensitive information, like the medical records of every patient in an entire hospital system. Cyber threats are not contained within geo-political borders and it is clear to me that no nation is immune and no system is impenetrable.

In order to effectively address these challenges, it is vitally important to foster a whole-of-government approach. At the State Department, we work closely with our interagency partners to ensure that our foreign policy positions on cross-cutting cyber issues are fully synchronized. For this reason, President Obama recently approved Presidential Policy Directive 41 on U.S. Cyber Incident Coordination. This Directive marks a major milestone in codifying the policy that governs the U.S. federal government’s response to significant cyber incidents and assists in facilitating cooperation on incident response across the interagency.

To prevent cyber incidents before they take place, we recognize that it is crucial to elevate cyber issues throughout international engagements to promote global cooperation, and to ensure that states take the threats seriously. It is equally important to build consensus on voluntary peacetime norms of responsible state conduct in cyberspace that enhance international security; and to address malicious activities at every level. These steps are part of how the United States supports a strategic framework of international cyber stability, designed to achieve and maintain a peaceful cyberspace environment where all states are able to fully realize its benefits. A cyberspace where there are advantages to cooperating against common threats and avoiding conflict; and where there is little incentive for states to engage in disruptive behavior or attack one another. This strategic framework has three key pillars:

  1. Global affirmation of the applicability of international law to state behavior in cyberspace;
  2. The development of international consensus on certain voluntary norms of responsible state behavior in cyberspace that apply during peacetime; and
  3. The development and implementation of practical confidence-building measures (CBMs) that can help ensure stability in cyberspace by reducing the risk of misperception and escalation.

We have forged a growing international consensus on this framework, and will continue to promote a broad consensus on international cyber stability wherever possible. Expanding on this consensus is a core diplomatic priority for the United States. To that end, we have raised and will continue raising these issues at a high level in key bilateral and multilateral engagements with countries around the globe.

We are pleased that Singapore and many of the countries represented here have joined us in this effort. The first and most fundamental pillar of our framework for international cyber stability is the applicability of existing international law to state behavior in cyberspace. The report of the 2013 United Nations Group of Governmental Experts, or GGE as it’s known, was a landmark achievement that affirmed the applicability of existing international law, including the UN Charter, to state conduct in cyberspace. Two years later the 2015 GGE report made a significant achievement with its recommendations for voluntary norms of state behavior in cyberspace in peacetime, which included concepts championed by the United States. G20 leaders furthered this work when, at their November 2015 meeting, they issued a strong statement affirming that all states should be guided in their use of information and communications technologies by the 2015 report. The 2013 and 2015 reports underscored that states must act in cyberspace under the established international obligations and commitments that have guided their actions for decades – in peacetime and during conflict – and must meet their international obligations regarding internationally wrongful acts attributable to them.

Within the Asia Pacific region, there is a lot of potential to strengthen cooperation on practical transparency and confidence-building measures. These measures can build trust and competence to reduce the risk of misperception and instability. They can be defined in three categories:

  1. transparency measures that give greater predictability and clarity to state behavior;
  2. cooperative measures that would allow like-minded states to work together against common non-state threats, even to address specific cyber problems of concern, such as: bot-nets, zero day exploits, and threats to critical civilian cyber-controlled infrastructures; and
  3. confidence- and security-building measures.

Similar measures have been used for decades to address issues of political-military concern between states and they can do the same in cyberspace.

While establishing a framework for international security is imperative, building on the consensus achieved to date with respect to international law and voluntary peacetime norms is necessary, and strengthening transparency and confidence is vital; it is also important to build capacity and raise awareness on cyber issues.

That is why throughout October – U.S. Cybersecurity Awareness Month – the United States is partnering with key organizations like the Global Forum on Cyber Expertise and supporting national awareness campaigns – like our national Stop Think Connect campaign. This campaign empowers businesses, governments, and individuals to adopt safer and more secure practices online. I encourage each of you to join with us in this effort by going to Stop Think Connect [dot] org and becoming a partner.

As the theme for this week highlights, our digital future will depend on partnership – and through partnership we can make a difference in the world of online safety and cybersecurity. Thank you again to our Singaporean hosts and I look forward to engaging with everyone over the next few days.