CYBERSEC Washington Leaders’ Foresight 2019 – Key Takeaways

“The United States and the Three Seas together have unique potential to protect the rule-based democratic liberal order” – underlined Izabela Albrycht, President of the CYBERSEC Forum. We are now proud to present to you the Key Takeaways, summarising the most important recommendations from CYBERSEC Washington Leaders’ Foresight 2019. We wish you an inspiring lecture!

As we are in a crucial moment of significant shifts in global economic and military powers, both driven by modern disruptive technologies, the need to cooperate and coordinate with friends and allies is more pressing than ever. No country or community will be able to thrive without technological alliances with like-minded partners. For this reason, CYBERSEC Washington Leaders’ Foresight was held on 19 March 2019, gathering key policy makers and high-level private sector representatives to foster the transatlantic debate on cyber trust and deepen the cybersecurity synergies between the Three Seas Region and the United States.

Countries in Three Seas region should develop strategic understanding to act and think as a like-minded region.

Three Seas countries need to develop farsighted agreements about what technologies they want to embrace and how. They should adopt and implement joint or unified plans to foster investment in key areas.

A regional consensus of 5G is critical. It should determine which technologies to use, how to interconnect national 5G networks and develop common policy framework in order to avoid fragmentation and patchworked network landscape.

The Three Seas countries should incorporate international standards in order to become more tightly woven in the international standardisation and certification processes. Only then will they be able to leverage those processes.

The Three Seas region-wide audit of assets is necessary.

A regional audit of assets will help to understand how governments and companies can work together for better resiliency and redundancy avoidance. Existing gaps in infrastructure should be identified to plan efficient strategic investment in those areas.

An audit of the infrastructure layout in the 12 countries of the Three Seas region will also help determine the existing infrastructure that needs to be interconnected to complete the 3 Seas Digital Highway. The extent of main roadways should limit neither the reach nor the utility of the infrastructure and the connectivity ought to penetrate into more remote areas.

Smaller-scale cross-border infrastructure projects in remote areas should not be overlooked as they can bring ease to communication bottlenecks and contribute to the overall big picture connectivity. The digital infrastructure in the Three Seas Region should be built focusing not only on commercial value but also on strategic value.

The Transatlantic alliance in cyberspace has to be strenghtened.

As Central Eastern Europe emerges as a region of pivotal importance in the global power struggle, the United States has to strengthen its engagement in the Three Seas region to balance the growing political and economic presence of Russia and China. For the last 30 years the US has always kept its edge over its rivals in Central Eastern Europe, but this state of affairs has to be constantly sustained and reinforced to endure.

The United States and other allies that have their military forces deployed in the Three Seas region should coordinate their efforts concerning the cyber defences of the region. The U.S. enhanced cyber resilience posture in the Central Eastern Europe will improve American situational awareness.

The 2018 National Cyber Strategy of the United States underlined the importance of alliances and collective actions in cyberspace, the so-called Cyber Deterrence Initiative. It is vital now to explain, define and operationalise the assumptions and aims of this initiative.

The Three Seas Countries should adopt a common stance and code of conduct in cyberspace with the suport of the United States.

Cooperation and allied conduct in cyber defences leads to greater efficiency and legitimacy. The countries in the Three Seas region are similarly situated, face the same threats and can share their best practices as well as their shortfalls to achieve better overall resiliency.

If they are ever to be respected, laws and rules in cyberspace have to be followed by sanctions for their violations. An accountability mechanism has to be introduced and a wide spectrum of sanctions should be agreed upon by regional governments, as well as the rules on how and when to use them.

Countries in the Three Seas region should act more cohesively and join their allies in attribution. They should also be more active in the European Union’s and NATO’s efforts to develop cyber tools and laws.

Supply chain requires the adoption of strategic long-term perspective.

It is fundamental to adopt a full risk-based approach that includes focus on the technology provenance and the supply chain. The political and legal system of the vendor’s residential country should be taken into consideration while assessing this risk as it affects the reliability and trustworthiness of the vendor.

A full transparency of the software is necessary. It is essential to have a software bill of materials to fully understand what is inside the systems we are depending on and how that can be affected.

The full spectrum of vulnerabilities and their strategic dimension is still to be grasped by the decision-makers. There is a missing understanding of where a country might have critical dependencies that should be addressed by the stakeholders.

Public-private partnerships are key in adressing new threats.

A significant amount of infrastructure is in the hands of the private sector. It is fundamental to ensure that private sector is involved in a truly multi-stakeholder discussions about regulations and about Internet-related policies.

Businesses should share information with each other and with the government as each sector faces a specific type of threats and in its own specific way counteracts the overall vulnerability of a community. The public sector should establish fellowships with the private sector in order to build trust, familiarity and understanding of the full spectrum of resiliency a community needs.

Rather than to think about critical infrastructures as entities, the governments should start to think about the critical functions of these infrastructures that the citizens depend upon. The role of the government in the protection of those functions and services should be redefined.