Remarks at the Second Ministerial Meeting on Advancing Responsible State Behavior in Cyberspace

Remarks at the Second Ministerial Meeting on Advancing Responsible State Behavior in Cyberspace (State Dept.)

John J. Sullivan, Deputy Secretary Of State
Palace Hotel, New York, NY
September 23, 2019

DEPUTY SECRETARY SULLIVAN: Well, good morning, everyone, and thank you for being here. It’s great to see many familiar faces in the room. This is a very important ministerial on advancing responsible state behavior in cyberspace, and I especially want to thank our co-hosts, the Netherlands and Australia, and our distinguished panelists, the foreign ministers of both, for being here. It’s a tremendous honor to be joined today with member-states who share our commitment to the goal of global cyber stability. We are gratified by the support for this event and the joint statement we look forward to releasing at its conclusion.

In the 21st century, all facets of life are being connected through the internet, making cybersecurity critical to protecting our property, our families, and our ways of life. Fostering responsible state behavior in cyberspace is now integral to safeguarding international peace and security.

This is a challenge that must not be left to technical experts alone. Yes, better network defense can make our systems more secure, but security in cyberspace requires broad international engagement. Diplomacy is the tool that the international community has always used to set expectations for how states should behave. We must apply this approach to our discussions about cyberspace. This issue needs the sustained attention of ministers and other senior diplomats. That is why we convened a high-level event on this subject here in New York one year ago, and that is why this meeting today is so important.

The stakes are moving higher as more governments develop offensive cyber programs and as we see more frequent and severe cyber incidents. In 2017, we witnessed the reckless and uncontrolled WannaCry and NotPetya cyber attacks – both carried out by states – that caused billions of dollars of damage across Europe, Asia, and the Americas. It is clear states are increasingly deploying more sophisticated capabilities that threaten our cybersecurity.

We as an international community must come together to mainstream and make universal well-established standards for state behavior in cyberspace and hold accountable those who transgress them.

Today we meet on the first day of the General Assembly’s high-level week because the United Nations is a venue where we have already made great progress in building consensus around responsible state behavior in cyberspace. It is also where we expect to see significant work on this topic unfold over the next two years.

My message today is twofold: First, the United States is prepared to work with all UN members to safeguard the extraordinary benefits of cyberspace; and second, we must redouble our efforts – and not just in New York or in Geneva – to create accountability for state actions in cyberspace.

All of the governments here today share a broad and common vision of the requirements to maintain peace, security, and stability in cyberspace. We have forged this vision over a decade through negotiations at the UN and in regional bodies, through our daily engagements with each other, and through information sharing, coordination of messaging, and other cooperative actions to prevent, mitigate, and respond to significant cyber incidents.

Almost exactly a year ago, the United States reaffirmed its commitment to this vision in our National Cyber Strategy. We are very proud of this strategy, and this meeting today is a fitting way for us to mark the anniversary. In the last year, we have taken steps domestically to protect our supply chains, strengthen our cybersecurity workforce, and improve network defense. The State Department leads in implementing many of the international elements of the strategy, which have direct bearing on our work here at the United Nations.

Pillar III of the National Cyber Strategy is aptly named “Preserve Peace through Strength.” It commits the United States to “promote a framework of responsible state behavior in cyberspace built upon international law, adherence to voluntary non-binding norms of state behavior that apply during peacetime, and the consideration of practical confidence-building measures to reduce the risk of conflict.”

Broad international consensus around these three elements – international law, peacetime norms, and confidence-building measures – is the signature accomplishment of cyber diplomacy in the last decade. The consensus reports of the 2010, 2013, and 2015 Group of Governmental Experts presents the elements of this framework. The UN General Assembly, through 2015, ’16, and ’18 resolutions, reaffirmed that all states should follow the reports’ recommendations. Our National Cyber Strategy commits the United States to preserve and build upon this accomplishment even as certain states appear poised to undermine it.

We believe the time is now to prioritize universalization and implementation of the Framework for Responsible State Behavior, because doing so is in all states’ interests. That’s why cyber capacity-building forms an integral element of our National Cyber Strategy, and I know many of our partners here are particularly committed to this as well. In our interconnected world, we are only as strong as our weakest link. We must work to ensure that states that want to act responsibly in cyberspace have the means to do so, which includes protecting their networks from malicious state and non-state actors. To this end, since 2014, the State Department alone has invested more than $70 million to build cyber capacity and strengthen the fight against cyber crime.

The priorities I have just described will guide our strategy in the coming UN negotiations on international security issues in cyberspace. Over the next two years, we will engage in not one but two negotiation processes: another UN Group of Governmental Experts and a new Open-Ended Working Group. Some expect these parallel processes will create tension. We in the United States, on the other hand, view them as opportunities, provided that we can hold the line against attempts to rewrite our past consensus achieved here.

We will look to Ambassador Patriota from Brazil and Ambassador Lauber from Sweden[1] to refine critical guidance to states and identify ways to improve capacity across the board. Our hope is to reach consensus in both venues, and we’re prepared to work with all well-intentioned states to achieve this goal.

As we make a concerted effort together to achieve success in the coming negotiations, we also must not lose sight of what matters most to our people: safety and security from malicious cyber activities. To accomplish this, we need all states not only to adopt the Framework for Responsible State Behavior, but most importantly to abide by it.

Sadly, the record has been mixed in recent years. We have seen cyber attacks on critical infrastructure, like the 2017 NotPetya example I cited earlier; cyber-enabled election interference in a number of countries; and state-sponsored theft of trade secrets for commercial gain. While we should be proud of our efforts to identify nonbinding norms for responsible state behavior over the last decade, we have yet to build mechanisms to hold – for holding accountable states that transgress those norms.

We need to work together to do this now.

We need all responsible states to stand together against destructive, disruptive, or otherwise destabling[2], malicious cyber activity carried out by states during peacetime. We must work in concert to ensure that there are consequences for bad behavior in cyberspace, drawing upon all elements of national power, not just cyber capabilities. We need to build cooperation among responsible states to deliver those consequences where appropriate and consistent with international law.

We are encouraged to see a growing number of governments working together to condemn malicious cyber activity. From WannaCry to the APT10 Cloud Hopper incidents, more and more countries are attributing cyber attacks or issuing statements of support to those states that do attribute. But we need to do more.

Today, 26 countries, including the United States, have signed a Joint Statement on Advancing Responsible State Behavior in Cyberspace, and we encourage other countries to join us. We hope those who have not signed will do so today. This statement reflects our shared commitment to work together to continue to advance the framework of responsible state behavior, including through the upcoming UN negotiations, and to work together to ensure accountability for adherence to that framework.

So thank you again for the honor and privilege of speaking with you today. We have a tremendous opportunity before us to advance peace, security, and prosperity in the years to come. And now it’s my honor to introduce my esteemed colleague, Foreign Minister Stef Blok of the Kingdom of the Netherlands. Stef.