Cyber Diplomacy at Kaspersky

Companies’ growing interest in cyber diplomacy is a positive trend, since their expertise, resources and knowledge can be instrumental in coping with the existing challenges and threats.

Private companies have increasingly been interested in cyber diplomacy in recent years, and that includes Kaspersky. What is the reason for the company’s interest in this relatively new mode of diplomacy? Why should there be one negotiation process on information security issues under the auspices of the UN rather than two or three? What are the distinguishing features of operating within the OEWG framework for private companies? Anastasia Kazakova, Senior Public Affairs Manager at Kaspersky, spoke about this and much more in an exclusive interview with Russian International Affairs Council.

Companies’ growing interest in cyber diplomacy is a positive trend, since their expertise, resources and knowledge can be instrumental in coping with the existing challenges and threats.

Private companies have increasingly been interested in cyber diplomacy in recent years, and that includes Kaspersky. What is the reason for the company’s interest in this relatively new mode of diplomacy? Why should there be one negotiation process on information security issues under the auspices of the UN rather than two or three? What are the distinguishing features of operating within the OEWG framework for private companies? Anastasia Kazakova, Senior Public Affairs Manager at Kaspersky, spoke about this and much more in an exclusive interview with Russian International Affairs Council.

Kaspersky has cyber diplomacy as a separate direction and set of activities. How has this come about? And why?

Over the past two years there has been an increasing understanding of what cyber diplomacy is. In particular, non-governmental organizations have demonstrated an upsurge of interest in this field. We have also started to advance our activities in this area further. Why? There are growing threats and challenges in cyberspace, which are impossible to solve at the national level only. These include protection of critical infrastructure (CI), incident response and mitigation in the event of significant cyberattacks affecting critical infrastructure in multiple jurisdictions, and cross-border cybercrime investigations. Without international institutions and cooperation, it’s impossible to address these challenges. Therefore, for us, cyber diplomacy is an opportunity to ensure security and stability in cyberspace through international processes. Growing companies’ interest in cyber diplomacy is a positive trend, because their expertise, resources and knowledge can be instrumental to coping with the existing challenges and threats.

Was the emergence of cyber diplomacy activities at Kaspersky somehow connected with a specific case? For example, did it happen after Kaspersky faced challenges in the U.S., or was it something else?

I guess we were following the developments and trends in our field. However, there would be no platform to get involved in if states themselves had not initiated the negotiation processes in the UN within the OEWG (Open-ended Working Group) and the GGE (Group of Governmental Experts). Before, there was no institutionalized format for the private sector and civil society to take part in and contribute to.

Basically, the OEWG was created precisely to facilitate such engagement. Has it created momentum though?

Yes, it has. When the GGE failed to reach consensus in 2017, there was some ‘respite’ before the OEWG and the new GGE was launched in 2019. At the same time, despite the fact that intergovermental negotiations in the UN were put on hold, threats in cyberspace continued to increase. Most states responded to this unilaterally rather than collectively, which led to greater fragmentation in cyberspace. Since CI relies on technologies, products and services made and supplied from different countries, fragmentation in ensuring CI protection creates risks, and I wrote about this last year. Institutional fragmentation makes CI vulnerable and, as a result, more attractive to threat actors, and this can lead to it becoming less reliable for the economy, society and the country at large.

I work with colleagues from other regions of the world, so I see how the approaches to, say, the protection of critical infrastructure differs from country to country. In this regard, the resumption of negotiations at the UN level is an opportunity for the private sector to participate in and support – and the key word here is support – the UN Member States and their joint efforts for greater security in cyberspace.

How high is this priority for Kaspersky? When, in September 2020, Vladimir Putin made a statement on the comprehensive program of measures for restoring U.S.–Russia cooperation in the field of international information security, Eugene Kaspersky noted this would result in a more effective fight against cybercrime. When talking about cyber diplomacy in general, is it given more priority at the level of management or, rather, at the working level?

Our team is part of the CEO Office. This means that the priorities, values and strategic vision come directly from Eugene Kaspersky, our CEO, and Oleg Abdurashitov, Head of the CEO Office and the Public Affairs team. Besides, as I work at the Russian HQ, being physically closer to the top management, it can be a little easier for me than for my colleagues in other regions to coordinate and make sure that we are moving in the right direction.

It seems that representation in different regions helps you better understand the differences in approaches and feel the need to somehow bring them together at the global level?

Yes, that’s right. For instance, the analysis of legislation and States’ policies is part of my job. We draw parallels between governments’ approaches, systems, and bills so that we can better track the differences, as well as the opportunities and risks, for the private sector and our company, in particular.

At the same time, Kaspersky sees itself as a global rather than as a Russian company. How would you explain this?

Oleg Shakirov:
Broad Cyber-Consensus

Kaspersky is a global company. We have a large staff from different countries and, along with the Russian HQ, we have 33 more offices in more than 30 countries around the world. Research and development is in Russia; however, cybersecurity expertise, research teams and many other functions are located across the globe. We feel this ‘global nature’ even through our everyday tasks. For instance, we are currently working to create game-based cyber capacity training on technical attribution for cyber diplomats. And I work on that with colleagues from France, Portugal and Switzerland, while the project can also be discussed with colleagues from the United States, Singapore, China, Australia, etc.

By the way, our global presence also allows us literally feel and see the growing fragmentation in cyberspace. There is, of course, positive dynamics: once states draft laws, strategies and policies, some of them ask the opinion of the private sector. For instance, there was a unique case in Australia where the government launched a public consultation before finalizing its national position on the implementation of 2015 GGE cyber norms. Several vendors and NGOs participated, and once all written positions were made online, the Australian government organized virtual briefings and anyone could speak. As a result, the Australian delegation to the UN collected key input from these non-governmental organizations, including Kaspersky, and sent them in writing to the OEWG, which allowed other delegations to learn more about industry and civil society’s proposals for best practice norm implementation. I think such practices are important and necessary because they help decision-makers better understand opportunities, challenges and the field as a whole.

Can your participation in such consultations be regarded as mediation between different countries and as an element of cyber diplomacy?

You could say so. However, cyber diplomacy for us is still about intergovernmental negotiations, where companies’ role is to support and provide advice. We are ready to share – and we do share – our expertise and knowledge. At the same time, the UN is an important platform, but not the only one. We also participate in the processes of regional organizations (the OSCE, ASEAN), other UN bodies (in particular, UNIDIR) and multistakeholder initiatives (such as the Geneva Dialogue or the Paris Call for Trust and Security in Cyberspace).

There have also been cases when states and non-state actors participate. In November last year, together with delegations from Australia, Egypt, Canada, France and a number of other nations, our company, in cooperation with others, held a series of Let’s Talk Cyber sessions, and we co-hosted the regular institutional dialogue session.

Additionally, we organized our own projects. From late 2020 to May 2021, we hosted Community Talks on Cyber Diplomacy, a series of five podcast-like discussions. It was a really cool experience. We brought together diplomats, technical experts, representatives of Europol and INTERPOL and academia. Apparently, they share one goal, which is to increase stability and security in cyberspace. The range of tasks, challenges and the level of expertise, however, are so different that achieving a common goal is impossible without cooperation.

As you have noted earlier, there are other companies with a significant global footprint. It turns out that there are now quite a few companies that, due to their size and global presence, first, understand the importance of such diplomatic functions, and second, can afford it. Please elaborate on this private sector community of cyber diplomats?

In my opinion, only few people have a clear understanding of what cyber diplomacy is, while I am still not that sure there is a universal understanding of the difference between cyber diplomacy and digital diplomacy (the use of digital technologies and social media platforms to help achieve diplomatic objectives). I remember a series of discussions with national delegations last year when we talked about what we do as a company. And there was a very good question from an Italian diplomat: “What do you understand by cyber diplomacy as a company and why do you need all this?”

Throughout the past year, our understanding, vision and strategy eventually matured. I think the same can be applied to many states. This area is actively developing. A year ago, there were five or six countries that had a cyber diplomacy team. Now, many states either have departments and teams on information security (IS) issues in their Foreign Ministries, or an ambassador-at-large. Of course, this is not the case everywhere, as states have different capacities.

At the same time, states discuss cyber issues in the First and Third UN Committees, which have different mandates, agendas and processes approved by the General Assembly. I was once told by one diplomat: “We work in the First Committee [Disarmament & International Security], while other colleagues work in the Third Committee [cybercrime issues], and we cannot comment on this.” The industry needs to take this into account, although these issues are closely related for us. It can be difficult for a person not involved in these nuanced processes and protocol. Perhaps that’s why big companies like Apple or Google are not in these discussions at all, which is very interesting. Microsoft would be a unique case, as the company has a huge team, an official representation, and an office at the UN. And the company is also associated with several other NGOs as a sponsor or a partner.

Like the CyberPeace Institute?

That’s right. At the same time, among such cybersecurity vendors as Kaspersky, there is no one else involved in these international processes.

Do you mean among the companies that offer cybersecurity solutions?

Right, it’s just Microsoft and us on all platforms—the companies that actually have the expertise in cybersecurity research. I haven’t seen the rest yet, but I think it’s a matter of time and soon everything will change.

Along with diplomats and industry, there is a third group of people who do not speak officially or directly with states and companies but influence the decision-making of both. I call them ‘influencers’ (laughs). This is, for example, the European Union Institute for Security Studies (EUISS), funded by the European Commission. There are some researchers who may be affiliated with several institutions from different European countries at the same time. They make regular posts on Twitter, publish articles, speak out. They do not hold government positions but they can influence the understanding, and its maturity of both states and industry.

Now let’s move on to the OEWG. Why didn’t Kaspersky join this platform from its very inception?

Our team is not big; there are only seven people working on public affairs. Although we do plenty of amazing projects all over the world, our resources are limited. When the OEWG was launched, everyone was busy with existing projects and regions, and there was no person to be assigned for this. Once we got an additional colleague on our team, I suggested to the head of our team to develop a cyber diplomacy direction. He said, “Let’s try.” Since then, we have become actively involved in OEWG–related multi-stakeholder processes. This happened just when the pandemic began.

It then turns out that Kaspersky was not present at first and, in fact, the only in-person meeting for consultations with non-state stakeholders that took place in New York in late 2019, as you joined when everything was already on lockdown?

We weren’t, right. Perhaps, the only positive thing about the lockdown is that literally everyone, without exception, could participate for the first time. Previously, it was necessary to go through a cumbersome bureaucratic procedure to get accreditation. We know how dissatisfied many organizations were because they were disallowed to participate. When the pandemic hit, though, everyone switched to the flexible format of participation. The OEWG Chair published a pre-draft of the report on the official website, and everyone was invited to share their opinion through a public consultation. This is how we started working: our first comments were prepared in the spring of 2020, then another package—in the summer. In September, I thought: “Why don’t we submit our suggestions and share our expertise, statistics and trends on the threat landscape?” We wrote to the OEWG Support Team to ask if this was possible. As a result, in September 2020 we prepared technical suggestions for best-practice implementation of some of the previously agreed 2015 UN GGE norms. This is an example of how we participated proactively. When the final draft of the OEWG report was published, we analyzed it thoroughly to prepare our comments and suggestions once again.

Is the OEWG Support Team part of the Secretariat that operates the OEWG?

Daniel Stauffacher:
Time to Create a Single Negotiating Cyber Forum under the UN General Assembly First Committee

Yes, it is. I had the email of a person who dealt with organizational issues. I should also add that there has been a lot of interest from cybersecurity researchers and technical experts within our company to what states are doing at the UN level in general. I am talking about my colleagues from GReAT (Global Research and Analysis Team)—world-class leading analysts and professionals who study all kinds of cyberthreats to create advanced security technologies. That was really unexpected. I tended to think that researchers are not at all interested in the issues of global politics and international relations. And then two colleagues sent drafts of their articles saying: “We want to publish texts about cyber conflicts and how this should all develop.” Ever since, we often work together with them to develop the company’s position. I send them drafts, and they help us with technical expertise, assessing how real and adequate certain proposals are.

Were their texts designed as comments on some draft report?

No, these were separate ideas and thoughts. In the end, we worked for about two weeks, made several iterations, and published two articles: Researchers call for a determined path to cybersecurity and The Future of Cyber Conflicts.

Do you mean that Kaspersky’s participation was not limited to the GR/Public Affairs team and it was an extended collaborative process that welcomed technical experts? And your comments for the OEWG had a strong technical basis, right?

Absolutely. From the very beginning we said our company had expertise in cybersecurity research. And that’s it. We cannot talk about international law: neither I, nor anyone else in the company has this expertise. We cannot talk about whether and how international law or international humanitarian law applies to cyberspace. This is the prerogative of states. But we can, for example, bring up some ideas or share our experience on how some norms are already implemented or could be implemented. We believe that the contribution of non-state actors like us is important for implementing norms and confidence-building measures (CBMs). We can also engage in cyber capacity building efforts. The last item in the UN cyber-stability framework is regular institutional dialogue (RID). Our possible engagement here is limited: we can only repeat that we are in favor of it in every possible way. The clearer, more transparent, open and structured the dialogue, the more effective and possible the overall success.

This year in March, the OEWG successfully concluded its work, with the report of the group adopted. If we go two years back, though, you will remember that many observers had the feeling that the agenda was bifurcated between the OEWG and the GGE, which probably meant that the states would not be likely to adopt anything at all. Did you have any concerns that the report might not be adopted? And was reaching consensus an encouraging sign?

There were probably some minor concerns, but on the whole there was a feeling that some basic document would be adopted anyway. It’s great that the sessions were broadcast live right before the adoption of the final document. And one could observe the dynamics in the negotiations between states. For example, Andrey Krutskikh, head of the Russian delegation, suggested adopting the report, while publishing part [on which there was no consensus reached] as a separate document on behalf of the Chair of the OEWG. After his speech, it was possible to see which delegations supported this idea. In the end, all sensitive issues were taken beyond the framework of the report but still remained in the so-called Chair’s Summary, and this still allowed the global community to learn about the entire range of issues discussed by the delegations.

Some say that diplomats are working too slowly and that the world needs a new convention and needs it fast, where terms would be clearly defined and the issue would be thus closed. However, cyberspace is, in my opinion, an extremely complicated and multi-faceted domain. It is unclear where cyber ends, and the range of issues for discussion is colossal. Diplomats need to be competent in several areas at once; as well as need to be open to dialogue with a large number of stakeholders: industry, NGOs, academia, legal experts, the technical community. And each group has its own interest, its own position; therefore, everyone will have their own agenda in this process. Cyber diplomats are the key to achieving a stable and secure cyberspace, and I have recently written a post about it.

The adoption of the consensus report did not give us much progress in terms of content—we didn’t see new norms. But the report is a very important step and a great success for diplomats, and, in particular, for the Russian delegation, on whose initiative the OEWG was originally created. For the first time, all countries have endorsed many of the previous agreements, for example, one stipulating that international law is applicable to cyberspace.

Reaching consensus amid growing confrontation among states is a huge success and a positive signal to the global community.

The report as such covers a broad range of issues. Different participants in the negotiations highlighted the paragraphs they considered most important for themselves. What issues does Kaspersky consider important?

First of all, the implementation of the existing norms, confidence-building measures, and capacity building efforts is critical. This presumes, in particular, further enhancing the protection of CIP through developing more concrete tools (such as baseline security requirements) and ensuring their interoperability. Ensuring the security and integrity of ICT supply chains is important as well. We also call for the development of a global incident response mechanism in case significant cyber-attacks and cyber emergency.

This could be, in particular, based on the national points of contact recommended by the OEWG and GGE reports, as well as on closer cooperation of Computer Emergency Response Teams (CERTs). Imagine that a hospital that is classified as a CI in country ‘A’ was attacked by ransomware, and some hospitals’ important systems ultimately became inaccessible to both doctors and patients. The hospital does not know what to do, so the first thing would be to decide whom to contact first and where to get help. It may become apparent later that, for mitigation of the attack, it is necessary to get in touch with the manufacturer of the software (hit by the ransomware) which is located in country ‘B’, as well as with an incident response company from a country ‘C’. The question is: if there has been an attack on CI, how will states cooperate and exchange information, given the cross-border nature of the incident? The lack of global cooperation structures to respond to such incidents poses an additional risk to stability in cyberspace. Therefore, one of our pragmatic proposals is to establish some kind of mechanism at the global level for exchange of information among states, CERTs and companies, where needed. The recommended national Points of Contact seem a good starting point.

In reality, everything turns out quite ad hoc...

Super ad hoc. If the protection of CI is attacked and we don’t know whom to contact, then many CI operators will probably call their cybersecurity vendor first. Someone might call the police. Someone may choose their national cybersecurity agency. And someone could decide not to call anyone at all to avoid reputational and financial risks.

And what if this infrastructure is located on the territory of several states at once? By the way, the Singapore delegation wrote a comment about this, and used the term ‘supranational critical information infrastructure’. This term was rejected later, as it was not clear, from a legal perspective, what this would include. All delegations emphasized that it is the prerogative of each individual state to determine what CI is and to identify specific CI sectors.

You also had the idea that there should be a common consensus on the definitions involved. Can you explain why this is important, and has the consensus been reached yet?

There is no common terminology yet. We ran a series of Community Talks, and the speakers themselves, that is, cyber diplomats, admitted that we do not now have a consensus understanding of what cybercrime and cyberterrorism means.

Of course, it is still possible to work and collaborate without consensus lexicon, but when it comes to details and legal nuances, common understanding is important, as it makes communication and collaboration easier and more efficient.

The OEWG was unique in nature. First, never before have the negotiations on information security been conducted by such a large number of states. Second, the mandate of the group suggested more or less formalized participation of non-governmental players, including businesses, which provided for a multi-stakeholder approach. How can companies be further involved in this process?

It would be great if states agreed to have a single process under the First Committee of the General Assembly instead of many processes at once. There were two of them at that point, the OEWG and the GGE. It is rumored that the Programme of Action (PoA) for advancing responsible state behavior in cyberspace, proposed by France and Egypt, will become a third process, not related to the existing ones.

They namely said that the Programme of Action, on the contrary, should unite the agenda, but we can’t rule out the possibility that this could become Process 3.0 or 2.5.

Steve Crown:
Microsoft Cybersecurity Initiatives

Right, and it is difficult for us as representatives of industry to understand how they relate to each other, which is more important in terms of priority, given that our resources – not just to participate but to meaningfully contribute to and create value – are limited. Ideally, it would be great to have regular institutional dialogue, one on which states have agreed, and perhaps with thematic tracks on specific issues with the participation of a multi-stakeholder community. The clearer the framework for interaction and the clearer the boundaries for non-state actors are, the more effective such interaction will be.

At the same time, there remains one open question. I said that the pandemic allowed almost everyone to participate, and that was a huge advantage indeed. However, during the pandemic, some OEWG sessions were classified as ‘informal’ because UN sessions cannot be officially held via Webex. If a hybrid regime is not at least available after the pandemic, the number of non-state actors and states will drastically narrow down, I guess. Therefore, still open is the question of how the work of cyber diplomats will – or will not – be adapted in line with the UN Charter and protocol.

At the end of April, Andrey Krutskikh, Special Representative of the President of the Russian Federation for International Cooperation in the Field of Information Security, spoke at the Gorchakov Foundation, and said that Russia would like to see a working group that includes business representatives in the new OEWG. The OEWG starts in June; how does Kaspersky plan to continue its work in it?

On June 1 and 2, organizational meetings were held and the new Chair was elected. The first session will take place only in December. To be honest, there is very little information and it is still unclear how the work of the OEWG will be organized or in what format the Programme of Action will be launched.

We are ready to participate further and to provide support. I’d like to hope this will be possible.

Although we agreed that Kaspersky is a global company, nevertheless, in the OEWG, you were, in fact, the only non-governmental participant with Russian roots. Russia’s Ministry of Foreign Affairs calls for a more active participation of Russian businesses in this negotiation process. Is there a need for a larger number of Russian stakeholders to participate in the discussions within the OEWG?

I cannot speak for the OEWG. On my own behalf, though, I can add that the more Russian experts and experts from Africa, Latin America, and Asia who speak English well, who follow the developments in this field and who can share their expertise, the better. Quite often we may see experts commenting on other states’ policies – for example, experts from Europe or the United States comment on the foreign policy of Australia, India, Russia, China, Brazil. Global issues are often discussed, but there are not enough primary sources and experts from these countries who can understand the domestic politics and dynamics much better and, therefore, relay important information to others, sharing how certain practices work in their countries.

In this regard, one of the challenges for cyber diplomats will be the search for reliable information as well as points of convergence among states, which essentially requires a sustained expert dialogue and exchange of practices.

I can share a recent example. We were invited to speak at UNIDIR, which organized a closed meeting for government officials and cyber diplomats in order to engage the industry in the discussion on how cooperation among states could work in the event of a cyber incident and how, in particular, the principle of due diligence works. The discussion was very interesting for two reasons. First, it was the first time I saw such a large number of attendees and experts on international law from Russia who actively participated in this virtual meeting. It was interesting to understand Russia’s approach to this issue as well. Second, the speakers included diplomats from different countries, and it literally became clear during the discussion that the approaches and interpretations of this principle differ among states. The position of the European Union or Australia was more or less clear (because their representatives speak at almost all events); however, it was very helpful to understand the approaches of the UK, China, Mexico and others.

I would also like to ask about your personal experience. You have a degree in International Relations, but you are now working in cybersecurity. You have already said that many people who are engaged in this on the part of the state did not necessarily have experience in this area. This is usually not something they teach you at an International Relations school, although courses on this topic are now becoming available. Why might people with such a background be interested in doing this, and how can they get into cybersecurity?

I gain key technical cybersecurity expertise through projects in the company with colleagues from different departments. I am lucky to work with very cool colleagues and, I would even say, real legends in the field of cybersecurity. For example, a bill comes out in country ‘A’. Our task is to understand the risks and opportunities for our company, as well as to formulate a position. We go to our colleagues (analysts, researchers, product teams) and ask what works and what fails, where the opportunities and the challenges lie and what would change or worsen the situation in the industry and so on. Thus, our main primary source is the people who have been working in this field for the past 20 years every day.

I also need to say a huge thank you to our Global Transparency Initiative (GTI), as it allowed me to participate in large R&D projects. Over the past 3.5 years since the initiative was launched, I have learned a lot about our processes, products, and how everything works in practice in the industry. As part of the GTI, we have opened several Transparency Centers, conducted audits of our engineering practices and data management practices, built new infrastructure for data processing and storage in Switzerland, launched our own training to address ICT supply chain risks (Cyber Capacity Building Program) for governments, academia, including universities, and companies, and also launched a Bug Bounty program, where we pay a reward to researchers who find vulnerabilities in our software and report them to us in a responsible way. Working with GTI is a huge opportunity for me and an upgrade of hard skills.

So, I guess the best option for learning is, of course, practice, and ideally you should start as early as possible. At the same time, it is important to invest in your network, get to know what the key people in your field are doing, start communicating with them, and exchange opinions. People are usually very open.

Please tell us a few final words about why cybersecurity is important for everyone and for young people especially? I liked your scenario of a cyberattack on a hospital, as it shows how it already affects different aspects of life.

Cyber is not what it looked like in science fiction books some 30–40 years ago. This is reality, and the border between cyberspace and the physical world sometimes becomes virtually invisible. Understanding how cyberspace works is important to better assess the opportunities and risks for yourself, better know your rights and better protect them. Especially when it comes to personal data or protecting your financial data.

Cybersecurity is critical, and its strategic role will be on the rise in all countries as the digital transformation is rapidly increasing, and without cybersecurity there will be no sustainable digital development. So both technical specialists and lawyers, diplomats and all those who took on the burden of keeping cyberspace global, open and stable are very important. I guess the global, open nature of the cyber environment is one of the most important achievements of mankind, and it would be a big mistake to lose it.

Oleg Shakirov, Senior Expert at the Center for Advanced Governance, Consultant at PIR Center, RIAC Expert.