Keynote by HE Mr. Stef Blok MA, Minister of Foreign Affairs1
When I took office a little over three months ago, I saw in my calendar that I’d be delivering a speech on the first ‘birthday’ of… a manual. A first birthday is a special occasion, as any parent will agree. You know how new parents are – they love to celebrate every little milestone: baby’s first smile, baby’s first steps… All very understandable – for a child. But for a manual?
It makes me think of the booklet you get when you buy a new appliance or some flat-pack furniture. Not exactly a page-turner. And yet: very handy, if you want to get the most out of your expensive purchase. Or put together a piece of furniture that actually looks like the picture. In a sense, a manual can be the difference between a job well done and a disaster - as you will know, if you’ve ever tried to get by without it. The same is true of the Tallinn Manual - our set of instructions for state behaviour in cyberspace. It’s more than just a user’s guide. And this first birthday is more than just an anniversary; it’s an occasion to take stock of an issue of vital interest to us all.
The internet enriches our society and economy. It allows for big efficiency gains. The benefits can be very concrete. In that sense, cyberspace has come down from ‘the cloud’ and entered the reality of our daily lives. Consider, for example, the ultra-short supply lines for supermarkets: information about stock levels is communicated in real time. Stocks can then be replenished as needed.
But of course, this dependence comes with a risk. If the Web goes down, the supermarket may soon find itself with empty shelves. The impact of an unreliable internet can be highly concrete. And then the damage is not virtual, but painfully tangible. And quite substantial, too. We’ve unfortunately seen some real-world examples of that too. The WannaCry attack – untargeted but destructive – cost companies an estimated $592.5 million. The NotPetya attack was even worse: it cost companies an estimated $892.5 million in lost revenue.
Important battle
So, the Tallinn Manual is part of an important battle. A battle being waged by many, to defend the interests of many. Relevant not only to supermarkets, but to every domain of our daily lives. From parking garages to the port of Rotterdam, from power plants to public services like healthcare. Just an example. The WannaCry virus shut down computers in more than 80 National Health Service organisations in England alone. The result: almost 20,000 cancelled appointments, 600 family doctors’ practices having to resort to pen and paper, and five hospitals diverting ambulances, unable to handle any more emergency cases. So cyberspace is definitely no longer this elusive, distant dimension. There is no longer anything abstract or virtual about it. It is material, here and now, for all of us. Just look at the Netherlands. Our digital economy has been growing at an astonishing pace. We’re now one of the world’s most digitally advanced countries. Our digital economy accounts for 7.7 per cent of our total economy, a figure which is increasing all the time. IT plays an essential part in the daily work of 1.5 million Dutch workers. This digitally dependent workforce created €182 billion in added value in 2016 – around 30% of total GDP. And digital growth still hasn’t reached its peak. So it’s no surprise that the Netherlands is at the forefront of efforts to advance the debate on keeping cyberspace stable and safe.
Complex challenge
The challenge is a complex one. The internet belongs to everyone, and to no one. We have to work on many different tracks simultaneously: public and private, national and international. For example, in the Global Conference on Cyberspace (GCCS) and in the Global Commission on the Stability of Cyberspace (GCSC).
Domestically, the Netherlands is also investing heavily in this area.
The government has decided to set aside €95 million, with a special focus on setting standards for ‘Internet of Things’ – devices; establishing software liability; enhancing the National Cyber Security Centre; and improving public information campaigns. As a part of that investment, as of 2019, Dutch diplomacy will be further strengthened. As I also indicated in the Integrated International Security Strategy I recently presented: the diplomatic response to cyberattacks is essential. Of course, my ministry acts in concert with other ministries, including the Ministry of Defence – as Minister Bijleveld will confirm later today. Starting this year, cyber diplomats will be deployed at crucial bilateral missions, like Washington, Beijing and Moscow, and also at multilateral missions, like Brussels and Geneva. Other missions will be actively supported by a special cyber task force team.
What’s more, we are investing another 3 million euros in projects to deepen our knowledge about cyber issues, both in The Hague and in our network of missions abroad. This way, my ministry can continue to work effectively for the Netherlands, around the world – including in cyberspace.
International law
In our cyber-policy, one of the tracks we invest in heavily is the international law dimension. This should be no surprise in the country of Hugo Grotius, a country with a strong tradition in international law, and here in The Hague – city of peace and justice. The key to success lies in clear rules, which apply to everyone equally. This principle is no different for cyberspace: it’s not the technology that sets the rules; it’s us: the users. We take the position that there’s no need to develop a new system of international law for this purpose. On the contrary, making clear that existing laws apply equally in cyberspace is our best guarantee of a future with an open, free and stable internet.
Tallinn Manual
The question before us then is of course: ‘How?’.
This was the point of departure for the Tallinn Manual. Here, the Tallinn Manual gives clear guidance. On questions like, for instance: How should international law respond to cyberattacks? The Manual provides a framework. When can a state be held accountable? The roadmap is right there - in the Manual. What can we do in response, are countermeasures possible? The Manual describes the conditions and limitations clearly. Of course, the Tallinn Manual doesn’t provide all the answers. It’s not an official document, and the Netherlands doesn’t necessarily agree with everything in it. In fact, in some cases, the manual describes more than one possible interpretation. Nor is it simple. Issues like state responsibility are complicated enough in the ‘real’ world, let alone the ‘virtual’ world. In no small part, because there they represent uncharted legal territory. But the Tallinn Manual is the first document to address these questions. It is our first and only guide for this new world. And one year after its birth, our need for this guide has only grown. Because, in the meantime – as we must sadly note – the number of malicious attacks is on the rise. These are no longer isolated incidents. Rather, they are carefully planned attempts to trigger social disruption. So on this first birthday we must not only celebrate and eat cake. We must recognise that there is still reluctance to take action in the face of a cyberattack, to hold the perpetrators accountable. This reluctance is understandable. But over the long term it has a destabilising effect. Because in practice, failing to enforce the rules in cyberspace means: yielding to the law of the jungle. We can’t afford to let this happen. We can no longer live without the internet. It’s everywhere, and it lies at the foundation of everything: our ports and power grids; our hospitals and houses, our financial systems and supermarkets. So what are we all waiting for?
Second year
So in closing, I would like to say this. The Manual is now entering its second year. At this point, like the new parents, we cannot imagine our lives without this new arrival.
But now, the Manual needs to mature. It’s here to stay, and for our part, we have to start taking it seriously. If there ever was a time for governments to start applying this Manual, it is now.
This is the only way we can impose a price on bad behaviour.
This is the only way we can put an end to the growing impunity in cyberspace.
This is the only way we can keep the structure we call the internet stable and safe over the long term.
We will remain committed to that goal. Please, join us – here, and in cyberspace.