Podcast: How cyber diplomacy is protecting the world from online threats

TRANSCRIPT: How cyber diplomacy is protecting the world from online threats

Disclosure: The opinions expressed by Eurasia Group analysts in this podcast episode are their own, and may differ from those of Microsoft and its affiliates.

BENEDIKT WECHSLER: We have to be aware that although we are so familiar with the cyber and digital world, it's still a new technology. And I think we don't have that much time to develop these organizations and rules as we had for the maritime or for the airspace.

KAJA CIGLIC: This situation is both terrifying and sort of deteriorating, I would say, at the same time. Part of the reason is because the technology's evolving so fast. Every time there is a new tool put on the market, it can, and someone will try and test it as a weapon.

ALI WYNE: It is hard to overstate just how much we rely on digital technology and connectivity in our daily lives, from the delivery of essential services, including drinking water and electricity, to how we work, pay our bills, get our news. Increasingly, it all depends on an ever-growing cyberspace. But as humanity's digital footprint grows, cyberspace is also growing as a domain of conflict where attacks have the potential to bring down a power grid, where rattle the stock market, or compromise the data and security of millions of people in just moments.

Got your attention? Well, good.

Welcome to the second season of Patching the System, a special podcast from the Global Stage Series, a partnership between GZRO Media and Microsoft. I'm Ali Wyne, a senior analyst with Eurasia Group.

Now, whether you're a policy expert, you're a curious coder, or you're just a listener wondering if your toaster is plotting global domination, this podcast is for you. Throughout this series, we're highlighting the work of the Cybersecurity Technology Accord, a public commitment for more than 150 global technology companies dedicated to creating a safer cyber world for all of us.

Last season, we tackled some of the more practical aspects of cybersecurity, including protecting the Internet of Things and combating hackings and ransomware attacks. This time around, we're going global, talking about peace and security online, talking about how the international system is trying to bring stability and make sense of this new domain of conflict.

Digital transformation is happening at unprecedented speeds: AI, anyone? And policy and regulation need to evolve to keep up with that reality. Meanwhile, there has been widespread use of cyber operations in Russia's invasion of Ukraine, the first large-scale example of hybrid warfare. Well, what are the rules?

Enter the cyber diplomat. An increasing number of nations have them: ambassadors who are assigned not to a country or a region, but instead, assigned to addressing a range of issues online that require international cooperation. Many of these officials are based in Silicon Valley, and the European Union just recently opened a digital diplomacy office in San Francisco.

Meanwhile, the United States named its first Cyber Ambassador, Nathaniel Fick, to the State Department just last year. Here he is at a Council on Foreign Relations event describing the work of his office”

NATHANIEL FICK: Part of the goal here was to bring in not only one person, but a group of people with other perspectives, outside perspectives, in order to build something new inside the department. It's as close to a startup as you're going to get in a large bureaucracy like the Department of State. I think one of our goals again is to is to really restore public private partnership to a substantive term.

ALI WYNE: What do cyber diplomats do? Why do we need them, and how do they interact with private sector companies around the world?

I'm talking about this subject with Benedikt Wechsler, Switzerland's Ambassador for Digitization. And Kaja Ciglic, Senior Director of Digital Diplomacy at Microsoft. Welcome to you both.

BENEDIKT WECHSLER: Pleasure to be here.

KAJA CIGLIC: Thank you for having us.

ALI WYNE: Ambassador, let me begin with you. What does an Ambassador for Digitization do, and why did Switzerland feel that it was necessary as a diplomatic position?

BENEDIKT WECHSLER: Diplomats – or diplomacy - is one of the oldest professions in the world actually. And when our new minister came in four years ago, he wanted to know what is the world going to look like in about eight, 10 years. And there came up a foreign policy vision, which of course stated also that the digital world, the cyberspace will be ever more important. And so an ambassador is sent abroad to promote and protect interests of its citizens, companies, but also promote an international order, which is conducive to serving the best interests to not only his own country but the whole world.

But we didn't have a structure who deals with the digital world because there are new partners, there are new power centers, there's new actors, but the same interests and values were at stake. So we decided to set up a division for digitalization, which means exactly to promote interests for the citizens, Swiss companies, values, and human rights as well in that new field and develop that with new partners. So that is our key mission.

ALI WYNE: When most other folks hear the word ambassador, we are thinking about an ambassador to country X. I think it's really exciting that we now have an ambassadorial position for this critical priority. So, run us through some of the most pressing problems that you're tackling in this new role for a very new remit.

BENEDIKT WECHSLER: Normally, we always have a little tendency to fix our ideas on problems and security and risks. So that, of course, is the underlying most important issue. This digital space, cyberspace, has to be a safe space, otherwise, people don't want to engage in such a space. That's also a change from the sort of physical world to the digital world. I just recently read a report that in, Denmark, there has been no bank robbery anymore because there's no more banks where you can get money out. But, of course, they moved to cyberspace.

ALI WYNE: Right. Right.

BENEDIKT WECHSLER: Another little parallel what we're trying to do is - back to the age of their railways, there was a problem that train coaches were moving from one country to another, but they didn't have a means to lock or unlock these train coaches. So a group of experts sat together in Bern and devised a special key, which is still in function today, which was able to lock and unlock these wagons and make train connections safer. So that is exactly what we now have to do in the cyberspace: to find these key of Bern or the key of Geneva or the keys of wherever to make the digital cyberspace safe and workable.

ALI WYNE: Kaja, I want to come to you next, and just building off of the ambassador's remarks. You've said previously that cyber diplomacy is different from other traditional forms of diplomacy because it's multi-stakeholder. What do you mean by multi-stakeholder in this particular context and explain why Microsoft has what it calls a digital diplomacy team?

KAJA CIGLIC: So if you think about our origins of the internet, the internet has always been, from the onset, governed and set up by groups that are not always government. It includes governments, but includes academia, includes the private sector, includes various representatives of the civil society. And as the internet grew and became an ever-present part of our lives, it has meant that its governance structures grew with it.

Of course, governments, states, are there to determine what the regulations are. But because it is global, because it's a little bit like the ambassador was saying about the railways. We need to find ways for the trains not to just safely unlock and unload but to go from one country to another on the same tracks is also something that had to be figured out. I think that is where we are in the online space at the moment.

And currently, the vast majority of it is run and operated by the private sector. And that's why we say it has to be a different conversation that includes all these other stakeholders - hence the word multi-stakeholders - not just governments, which is more where traditional diplomatic conversations have been.

And Microsoft has identified this area as an area of interest and an area of a priority, almost 10 years ago now, when we first started talking about, "Okay, we need clear rules, particularly for safety and security online." Because as all aspects of our life are moving online, we need to make sure that they can continue operating more or less unthreatened.

ALI WYNE: And we talked a lot about this subject last season. We're going to be talking a lot again about this subject this season. Tell us what the Cybersecurity Tech Accord is and tell us how it fits into this conversation?

KAJA CIGLIC: Yeah, the Cybersecurity Tech Accord is a group of companies that effectively came together in 2018. At that point, at the onset, it was just above 30, and now it's just over 150 companies from all sizes from everywhere around the world that all agree that we need to be having this conversation, and we need to be making advances on how to secure peace and stability online not just now but for future generations.

And so the group came together around four fundamental principles that all the companies are committed to strong defense of their customers. All companies are committed to not conducting offensive operations in cyberspace. All companies are committed to capacity building. So sharing knowledge and understanding and that all companies are committed to working with each other and also with others in the community, not just the private sector companies. But like I said earlier, civil society groups, academia, governments to try and advance these values and goals.

ALI WYNE: Ambassador, I feel like, every week now, we learn about some state-sponsored hacking or cyber-attacks. You think about air, land, sea - we at least have some clear rules for state behavior based on principles such as recognized borders, sovereign airspace, international waters. Do we have similar international expectations and/or obligations to be respected in cyberspace?

BENEDIKT WECHSLER: Sometimes, I think it's really, we have to be aware that although we are so familiar with the cyber and digital world, it's still a new technology. And when you look at air to sea, this has been decades. And also, there, the governance and all the rules and norms have evolved over time, over decades and years. And I think we don't have that much time to develop these organizations and rules as we had for the maritime or for the airspace. But I think we have to - as Kaja said, it's a new specific and especially multi-stakeholder world and space, and we have to take that into account.

So we cannot just set up a new organization like we did in the old days, and then we think, "Well, we'll sit together among states, and we will negotiate something, and then we'll have a good glass of wine, and then we hope that everybody is going to abide by these rules." No, I think we have to have a whole toolbox or maybe a Swiss army knife with all sort of adapted tools for the difference today. So for instance, we negotiated a classical cybercrime convention in Vienna. There's a process of the Open-Ended Working Group at the UN about responsible behavior in cyberspace where all these norms are being developed and where we have also civil society and companies, the private sector being involved.

Then we have dialogues, for instance, the Sino-European Cyber Dialogue with China and the European states. We have it also with the United States. And there we are sort of defining, "Okay, international humanitarian law, what is protection of basic infrastructure?" So we're getting there. And I think also very importantly is that we engage very closely with the private sector because there's the knowledge, there's the innovation, so that we can really develop smart rules.

And then, lastly, I think we have to embrace much more also, the scientific world, because in science, there's so much progress and innovation and foresight that we have to take into account because this is going to happen much faster that this will become a reality. We cannot see where AI is going without also involving the scientific world.

ALI WYNE: This is the second season of Patching the System, and it's amazing. When I look back on the episodes that we recorded last year, it's extraordinary how much science has progressed, how much technology has progressed. And I suspect that the rate of that scientific and technological innovation, it's only going to grow with each year, but just an observation to say how rapidly these scientific and technological domains are…

BENEDIKT WECHSLER: You're right, and I think everybody was surprised. It's amazing.

ALI WYNE: I posed this question to Kaja earlier that we think about cyber diplomacy as being different from what we might call more “traditional” forms of diplomacy. But, in traditional diplomacy, ambassador, we often think of governments in aligned groups. So we think, for example, of the NATO alliance for security or we think of countries that support free markets and free speech versus those that support more state control. Are there similar alignments when it comes to matters of cyber diplomacy?

BENEDIKT WECHSLER: Yes, definitely. I mean, that is no secret. I think you have like-minded countries also in the tech and the digital space because we want to see technology being an enabler for better reaching sustainable development goals, expanding freedom, strengthening human rights, and not undermining human rights. And of course, there are countries in the world who have a contrary view and position.

On the other hand, I think it's interesting to see in mankind and international relations, there have always been antagonistic situations. But still, there was always some agreement consensus on certain things that, as humanity, we have to stick together. And even, I mean, in the coldest times of the Cold War, there was collaboration in space between the U.S. and the Soviet Union.

And I think we also feel a little bit that with this digital world, the internet, nobody has really cut itself off this world because they know it's just too important. And we have to build on this common heritage and common base that other countries are pursuing other ways and using this technology. There are things in warfare that we decided we shouldn't do, and we should keep and stick to this and maybe develop it where needed, but especially keeping the commitments also in the online cyber world.

ALI WYNE: Kaja I want to bring you back into the conversation. So from Microsoft's point of view, what is your overall sense of the trend line when it comes to nation-state activity online? Are we moving more towards order? Are we moving more towards chaos? And what can industry, including companies such as Microsoft, what can industry do to support the kind of diplomacy that the ambassador has described to advance what you might call a rules-based international order as it were online?

KAJA CIGLIC: I would probably say it's a bit of both. This situation is both terrifying and sort of deteriorating, I would say, at the same time. Part of the reason is because the technology's evolving so fast.

ALI WYNE: Right.

KAJA CIGLIC: And so, as a result, it means that every time there is a new tool put on the market, so to say, it can, and someone will try and test it as a weapon. So I think that's the reality of human nature. And we are seeing that the deteriorating situation is also reflecting what's going on in the offline world, right. I think, at the moment, in terms of geopolitics, we're not in the best place that we have ever been, and that's reflected online. At the same time, I would say not everything is super bleak. As the ambassador was saying, we do have rules. We have international law. We have human rights commitments. We have International Humanitarian Law, and while we do see these being breached, they're not being breached by the vast majority of countries.

They're being breached by a very small minority of countries. And I think, increasingly, we're seeing states that believe in the values of international law, that believe in these commitments that have been made in other domains over the past hundreds of years as important to reinforce and support in the online world. And as a result, they’re calling out bad behavior, they're calling out breaches of international law, and that's a very positive development.

But that doesn't mean that we should be complacent, right. I think, increasingly, states are seeing cyber as the conflict. Increasingly, we're seeing the private sector developing tools and weapons that are being used for offensive purposes.

Cyber mercenaries are effectively a new market that has emerged over the past five or so years and is booming because there is such an appetite for those type of technologies by governments. And I think to your last question in terms of how the industry can help and support - some of it is just we can share what we see. The big companies, in particular, we are often the vector through which the other governments or the targets get attacked. They use Microsoft systems. They operate on a cloud platform. So we see both the actors, we see the trends, and we see the emerging new techniques. And I think that's important for sort of the foreign policy experts around the world to be aware of, understand, and be able to act upon.

ALI WYNE: Ambassador, I want to come back to you. How do you think that the tech sector, in particular, should engage with the work of cyber diplomats such as yourself?

BENEDIKT WECHSLER: I think one important aspect is that we are dealing here with an infrastructure issue. It's not just a tool or a product. It's an infrastructure and a vital infrastructure. And I think that also implies then how the tech companies should and could be part of that. So I think they should build this infrastructure together. And we, at the same time, can learn a lot from the tech companies. Also, internally, for instance, before I took up this position, I never heard of the expression red teaming. But I mean, that's a whole way of working and making products safe, like how you check a car before you put it on the market.

And I think if we work together and adapt these red teaming processes so that we also involve human rights aspects and other safety aspects so that the products that really will come to the market are already in a state developed that they are not being able to use for some malign purposes. And I think we also have to think of new forms of governance where the tech sector is really a responsible constituting part of a governance and not just looking at an issue in terms of maybe a lobby perspective or how can we influence regulation in that or that sense, but to really build the whole house together.

ALI WYNE: Kaja, I think that we often talk about cyber operations in peacetime, and it's an entirely separate matter, different matter when we're talking about cyber operations being used in armed conflict, and Microsoft has been doing a lot of work reporting on Russia's use of cyber attacks in Ukraine. What has it looked like to integrate cyber operations in war - I think really, for the first time - what has the impact been?

KAJA CIGLIC: I think, definitely, for the first time at this scale where we're talking about use of cyber in a conflict, the impact has, in effect, been tremendous. As we look at even just before the war began, the Russians have effectively either prepositioned for espionage purposes or began doing destructive operations in Ukraine that supported their military goals. Over the past year and a half now, we've seen a level of coordination between attacks that are conducted online, so cyber attacks, including on civilian infrastructure, not just as part of the military operations and attacks that were then conducted by traditional military means - so effectively bombs.

And so we've seen definitely a level of similar targets attacked in a similar time period in a specific part of the country. So the alignment between cyber and kinetic operations in war has been, to that extent, something we've never, I think, seen not just Microsoft, but I think in general. The other thing to think about and consider is frequently the Russians have used foreign influence operations, so disinformation, as part of their war effort, often time in connection with cyber operations as well.

This is a tool, a technique that the Russians have used in the past as well. If you look at sort of their traditional foreign influence operation, just not online, in the 70s and the 80s, and that has transposed over to the hack and leak world, and they've used it to both weaken the Ukrainian resolve as well as to undermine their support abroad, particularly, in Europe but elsewhere as well.

And the only reason I would say neither of those have been nearly as successful as perhaps has been expected is the unexpected but wonderful ability for both Western governments and the private sector sort of across the board, irrespective of companies being competitors or anything like that, to come to Ukrainians’ defense.

We think that a lot of the attacks have been blunted also because the Ukrainian government very quickly, at the beginning of the war, decided to migrate a lot of the government data to the cloud, again, with Microsoft but also with competitors, and were thus able to effectively protect and continue operating the government normally, but from abroad.

ALI WYNE: So cyber offenses and cyber defenses it seems are increasing in parallel. So we have this kind of tit-for-tat game. Ambassador, considering this example of hybrid warfare in Ukraine, what are the lessons of the diplomatic community moving forward? And assuming that future armed conflicts will also have similar cyber elements to them, how should the international system prepare?

BENEDIKT WECHSLER: I mean, there's a component of probably the classic disarmament processes. Normally, I think you can expect every sort of nation or state would like to have a position of superiority just to feel safe and to be smarter and more capable than the others so that an attacker wouldn't dare to attack them.

But we arrived in the nuclear arms race to a stage where we had to say this is MAD - it's Mutually Assured Destruction – and although we still have an edge probably, I think, in the cyber world, we can almost, if they really want, we can sort of kill ourselves mutually. So that understanding comes to leads you to a point where probably also states will accept, "Okay, but let's not kill each other totally."

ALI WYNE: That's a good starting point.

BENEDIKT WECHSLER: Yeah.

KAJA CIGLIC: That would be good, yeah.

BENEDIKT WECHSLER: So we'll have to ban some things. Okay. Maybe some thing we just have to sit together, "Well, we should outright ban this." And then we have other things where we cannot ban it, but we have to reduce the negative impact on civilians, on critical infrastructure, on vulnerable persons, and so forth. And so then we come into the story of the International Committee of the Red Cross, the Geneva Conventions. If we can't ban or eliminate war, let's see, at least that we can make it as least impactful for everybody. And of course, now we are coming into totally new terrains with AI as well, the autonomous lethal weapons systems with the drones.

And also, I mean, when you think of the satellites issue, which when you think of a company like Starlink who can more or less decide, "Well, now we can't give you coverage anymore,” so then basically your operation will stop because you don't have the infrastructure anymore to launch an attack. But I think it's something that we have to tackle in the logic of the disarmament on banning or mitigating or limiting effects, but also on very specific items. So we had the Landmines Convention. We had the issue of certain ammunitions that we wanted to be banned. So I think it's going to be very hard, thorny work of diplomats to try to limit this to a maximum possible extent.

ALI WYNE: Even beyond the weaponization of cyberspace, I mean just technology itself is constantly evolving. I mean, just this year alone, we've seen a real explosion in generative AI. As a result, a rush from both governments and the private sector to find a framework, some kind of regulatory framework. How do you view this new factor in terms of cyber diplomacy? How does this new factor affect the work that you're doing on a daily basis?

BENEDIKT WECHSLER: Well, I heard from somebody saying, "AI is the new digital." And, of course, we are also trying to see how can we develop tools based on AI to make diplomacy more efficient, also to make it a tool to provide more consensus on issues because you can probably gather more information, more data to show, "Well, we have a common interest here." And we launched a project. We call it the Swiss Call on Trust and Transparency in AI, where we are not looking into new regulations but rather what kind of formats of collaboration, what kind of platforms that we need to build up in order to get more trust and transparency.

And that builds a lot also on what has been done in the area of cybersecurity, on actions against ransomware. And again, what also Kaja said, it's about that the companies and diplomats or the governments are working together and sharing expertise because it's not a question of competition between private sector, but again, because building an infrastructure, a building that has to be solid and then within that infrastructure we can compete again.

ALI WYNE: Kaja, I want to bring you back into the conversation, and let's just zero in particular on the implications of artificial intelligence for security. How does Microsoft think that AI will play into concerns around escalating cyber conflict? And will AI, I mean, effectively just pour gasoline on the fire?

KAJA CIGLIC: I really don't think so. I think we actually have great opportunity to gain a little bit of an asymmetric advantage as defenders in this space. The reason is, while obviously malicious actors will abuse AI and probably are abusing AI today, we are using AI already, and we'll continue to use it to defend.

In Ukraine, we're using AI to help our defenders on cybersecurity. Microsoft gets 65 trillion - I think, it's some absurd number - signals on Microsoft platforms daily of what's going on online. Obviously, humans can't go through all of that to identify anomalies and neutralize threats. Technology can and technology is, right. So the AIs understand what's wrong - and this has happened already, but this will improve it even further - are looking at, "Oh, okay, this malware attack looks similar to something that has happened before. So I will preemptively stop it independently” right? I think that will actually help us in terms of cybersecurity.

ALI WYNE: Tell us one concrete step that you would like to see taken to get us somewhat closer to a sustainable diplomatic framework for cyber. Kaja, let's start with you, and then we'll bring the ambassador to close this out.

KAJA CIGLIC: I think it'd be really important for the UN to recognize this as a real issue. I think there is a bunch of working groups. We've seen the Secretary General make statements about and call on states to the war. But a permanent body effectively within the United Nations that would discuss some of these issues would be very welcome. At the moment, there's a lot of working groups or group of governmental experts that kind of get renewed for every five or so years, and there's not a dedicated effort necessarily focused on some of these issues.

And then, of course, we would love to find a way for the industry, but the multi-stakeholder community writ large to be able to participate and share their insights and knowledge in this area. Like I was saying at the beginning, there are opportunities. I would say Microsoft and many other private sector groups get blocked a fair amount by certain states. And I get it's a political decision at some level, but it's something that we'd really, really like to see institutionalized - both a process and the multi-stakeholder inclusion.

BENEDIKT WECHSLER: I see sort of a historic window of opportunity opening up with the works on the Global Digital Compact. We have the Summit For The Future next year, the Common Agenda. So a little bit like with the SDGs that we as the world community are coming together and say, "Okay, this is really too important. We are all in this together." Maybe also movies like Oppenheimer are reminding us of some things in the past.

And I'd like to close with Albert Einstein, who said in the 30s of last century that, "Technology advances could have made human life carefree and happy if the development of the organizing power of men, back then and women, I would say today, had been able to keep step with its technical advances. Instead, the hardly bought achievements of the machine age in the hands of our generation are as dangerous as a razor in the hands of a three-year-old child." So I hope that we see this urgency, but also this huge opportunity that we had already once as a humanity, but that we don't fully grasp it this time.

ALI WYNE: KAJA CIGLIC, Senior Director of Digital Diplomacy at Microsoft, Ambassador BENEDIKT WECHSLER, Switzerland's Ambassador for Digitization. Thank you so much for taking the time to speak with me. Thank you so much for taking the time to enlighten our audience. It's been a real pleasure.

KAJA CIGLIC: Thank you. This was a great conversation.

BENEDIKT WECHSLER: Thank you. It was a privilege to be with you.

ALI WYNE: And that's it for this episode of Patching the System. There are more to come. So follow Ian Bremmer's GZERO World feed anywhere you get your podcast to hear the rest of this new season. I'm Ali Wyne. Thanks very much for listening.

Subscribe to the GZERO World Podcast on Apple Podcasts, Spotify, Stitcher, or your preferred podcast platform, to receive new episodes as soon as they're published.