29 September 2011 - 01 October 2011

Cyber Security: finding international responses

Chair: Professor Sir David Omand GCB

(In partnership with The EastWest Institute)

The subject of this conference was probably as complex as any Ditchley has dealt with. Even the knowledgeable, talented and diverse group of public and private sector players and thinkers we had assembled struggled at times to distinguish between different layers of the issues, and to find explanations which would cover the spectrum. In the memorable if inelegant words of one of the participants: ‘It’s so big it does my head in.’ Others suggested, only half in jest, that it should be our children, who had grown up in this world, who should be discussing this, not us. We constantly resorted to comparisons with other areas of activity in an attempt to clarify our understanding, with limited success. Nevertheless, under expert guidance from the chair, we did manage to identify areas of agreement and some lines of future approach for the international community to follow. I hope these will inform future discussions, including at the British-convened international conference later this month in London.

We were usefully urged at the outset, and at regular intervals thereafter, to keep in mind that the internet was an extremely positive development, leading to many worthwhile consequences, not least the free global exchange of ideas. Most participants thought it was genuinely transformational of our world, including in ways we could not yet imagine. It was not surprising that we struggled with how to manage it effectively, particularly when the technological possibilities changed almost every week. Our overriding aim should be to preserve the astonishing opportunities it offered, while protecting ourselves from those who wished to misuse it. Too much talk of threats and use of military style language did not help keep this perspective right. In other words we should prevent the internet’s benefits from being regulated or constrained out of existence – we should not kill the goose that we would be relying on to lay golden eggs.

Nevertheless, we needed to be fully aware of our vulnerabilities in the cyber area, as individuals, companies or countries, and of the extent to which attacks of various kinds were now a daily fact of life. Interconnectedness was the huge strength of the internet but also its Achilles’ heel. Fragmentation of the internet (Balkanisation) was a real future possibility, already happening in some areas, and probably inevitable in some military/security fields. Action to reduce the vulnerabilities was urgently needed on a wide front. There was still much too much complacency about the risks, not least in many company boardrooms. It was tempting to think that there should be some general theory about cyber space or cyber security, which we could all understand and embrace. In practice, the reality was too multi-faceted, and changing too fast, for any such theory to be meaningful or useful.

We were constantly bedevilled by questions of definition, including the basic point of whether it made sense to talk of such a thing as cyber space at all. For example, even when we talked about arguably the simplest issue, cyber crime, i.e. the illegal exploitation of the internet by criminals for profit, some argued that this was not a valid concept. The internet was only a medium. The crimes of theft, fraud or whatever remained the same. We did not talk of ‘vehicle crime’ when criminals used cars to rob banks, only when they attacked or stole vehicles themselves.  There was a parallel with cyber: we did not need new laws to deal with most cyber crime, only new and more effective ways of dealing with the huge challenges of gathering evidence across borders, the transient and alterable nature of much of that evidence, and the speed at which data could be transmitted or moved. A lot of work had already been done in this area, and there were international conventions which covered it. The biggest problem was that a significant number of countries had not ratified the main Council of Europe Convention because they did not accept what they regarded as an invasion of their sovereignty which would be involved, eg in virtual hot pursuit of cyber criminals across borders.

Despite such definitional concerns, many participants argued that the search for better international cooperation on cyber issues should concentrate in the cyber crime area in the first place, because clear common interests could be identified. For example all countries accepted the need to deal with child pornography, on the net as well as physically. If better cooperation against criminals in an area like this could be established, that would not only be useful in itself, but also replicable for other categories of crime. Progress here would in turn help to build up the ingredient most lacking for the moment in the international cyber field as a whole, ie trust. Similar thinking had led the EastWest Institute, co-sponsoring this conference, to promote work on easier issues between the US and China, where trust was arguably most lacking, for example to tackle spam. The early results were encouraging.

This led on to a debate about whether all abuses of the internet could be regarded as crime, through their consequences, irrespective of the motives, and dealt with mainly by law enforcement methods. Was it really possible to distinguish ‘simple’ cyber crime from wider threats to cyber security from individual hackers, terrorists, IPR thieves, cyber spies and cyber warfare? There were divided views. While it was true that often such attacks could meet the definition of a crime, and cyber criminals were often mixed up with other kinds of attacks, for example being used by states for their own ends, most saw a difference between acts purely for profit and other attacks, particularly those by states. The difficulties of attribution alone made action based on law enforcement implausible in such areas.

One of our main areas of concentration was how to protect critical infrastructure, not just because increasingly it was networked through the internet itself, but because the control systems for many key services were vulnerable to attack, including by insiders. Many vital services were now almost wholly dependent on digital networks: telecoms, power grids, energy more widely, finance, transportation, emergency services and health, defence, water and food distribution were identified, but the full list is certainly longer. Criteria for defining priorities in this area included the level of dependence, and how long society could function more or less normally without a particular service. The vulnerabilities and threats were multiple. Many computers were also highly vulnerable to manipulation of their operating systems, and hardware as well as software could contain hidden vulnerabilities. For the internet itself, the level of dependence on relatively few undersea fibre optic cables was little appreciated and worrying. But the degree of interdependence was very high, and the infrastructure could essentially be regarded as international, even if much of the hardware was concentrated in the US, eg 70% of all server farms.

The critical services which were dependent on the net faced attacks from criminals, individual hackers, activist groups such as Anonymous, terrorists and state actors, as well as the possibility of systems failures.  Criminals and terrorists could be proxies for states. Civilian and military structures were heavily intertwined, and attempts to isolate military structures had only been partially successful so far. There was no doubt that a number of states now had the capability to disrupt or even destroy critical systems in other countries if they so chose, though it was harder to be sure in most cases how long such disruption would last before it could be fixed. Offence seemed to be a good deal easier than defence. Fortunately, while there had been examples of damaging attacks in Estonia and Georgia, presumably state-inspired, and the interesting case of Stuxnet, it was argued that for major countries such as the US, China and Russia there was nothing to be gained from such attacks on each other in the absence of wider conflict, given mutual vulnerability as well as financial and economic interdependence. That perception needed to be encouraged.

Protecting critical services in a particular country was largely a national responsibility.  Several methods for tackling this were available: self-regulation, central government regulation, standard-setting, establishing and aligning incentives for the private sector etc. Some combination of these would usually be necessary. But effective protection was impossible without international cooperation too. This was difficult and little progress had been made so far. National approaches were very different, and levels of resilience varied widely. Unfortunately the level of trust was also low, to say the least, and lack of transparency, plus the problems of attribution, hardly helped. It was clear that many states would want to preserve their offensive capabilities both for espionage and as a complement to more traditional warfare. Such capabilities also helped to inform defensive measures in a field where change was extremely rapid. This made a high level of international cooperation problematic and sensitive.

Nevertheless there was already some international cooperation, for example at the bilateral level, between both governments and companies. This should be built on. Identifying clear common interests, for example in protecting common goods like undersea cables, would be important. Defining standards and norms of behaviour, and establishing codes of conduct, including in areas like open reporting of security breaches, might be the best way forward.  Where certain forms of attack, such as on hospitals, were already prohibited under international humanitarian law that could be regarded as covering attacks using cyber means.  Such conventions could be politically binding, even if not in all cases legally binding, and would again help to create greater trust over time. This could not just be a matter for governments, particularly in those countries where the private sector provided most of the infrastructure concerned. Public-private partnerships would be crucial, as well as action in respective spheres of influence by both private and public actors.

We also looked at how commercial uses of the internet could be best protected. The consensus was that the security landscape here was darkening all the time. Attacks were becoming increasingly sophisticated, while many companies were either not aware of the risks they were running and the attacks they were already subject to, or unable/unwilling to do what was necessary to protect themselves. It was not just a case of fraud or theft of data. Attackers could embed themselves in company systems and monitor everything happening over long periods of time without being detected. The lack of effective action to combat all this could be seen as a market failure and thus as a justification for government intervention.  But it was less easy to see who had the responsibility to do what, or to take the lead. Individual consumers, companies and governments alike often seemed overwhelmed by the rapidly evolving challenge and unsure where to start. Corporate executives often seemed too far removed from those responsible for security within their companies, at least until confronted by the reality of what was being done to them. Risk management was still little understood and practiced. Moreover companies, particularly financial institutions, often had incentives to conceal the realities of attacks against themselves for fear of losing customer/public confidence or giving their competitors an advantage. Information-sharing was too often lacking, not only within the private sector, but also between companies and governments, with both sides guilty of hiding the truth from the other.

The reality was that action was needed from all those who could affect the risk equation (risk is the product of likelihood, vulnerability, impact and duration) – hardware and software providers, content providers, individual and corporate consumers, and public authorities. Academia could also make a significant contribution. Each had its own role to play, but so far there was no clear model or framework which defined respective roles and created the right incentives for both action and greater cooperation with each other. There had to be mechanisms for ensuring that key information was not only shared but also acted upon. Quantifying losses and risks would help galvanise action. Requiring insurance against losses would also help to price the risks better and force greater compliance with standards. Companies could also be forced to act by legal compliance obligations. But there was great, and justified, suspicion of heavy-handed regulation which would be always behind the technological game and be process-driven (box-ticking) rather than outcome-focussed.

Most participants saw ideas about grand strategy as unlikely to succeed, and therefore favoured action at different levels and in different combinations, by both public and private sector, as most likely to produce useful effects. Tailored standards, commercial incentives, codes of conduct and some light regulation to set a floor for behaviour were most often mentioned. One dog which had not barked much in this debate so far had been that of product liability, for either software or hardware products. Of course companies had tried to build in security to their products but they did not always succeed. There had been surprisingly few legal challenges or class actions by those whose security had been breached or privacy invaded, although this might change as the threat increased and became better understood.

These debates about protecting critical infrastructure and commercial use of the net led us to the main thrust of the conference: what kind of international cooperation and agreements do we need to promote greater cyber security and how do we go about reaching them? The consensus was that we did not need and should not aim for a single overarching treaty-style agreement.  That would take too long, and would be hard to future proof given the pace of technical change.  Nor was there any appetite among participants for anything which might legitimise control of content or restrict the internet in ways which would inhibit its benefits in promoting the free flow of information and ideas. We noted that there had been a recent Russian proposal for a binding Convention, and China seemed interested in something similar. It was a pity that we did not have around the table those who might have argued the case for such an approach, to fill out the debate. But there was little or no support visible for proposals along these lines. Instead the emphasis was on keeping cyberspace open for all –  the analogy with the legal regime which governed the world’s oceans was drawn – while trying to find agreed ways to stop or limit the activities of those who wanted to abuse the system.

At the same time there was agreement that the risks were now such that doing nothing internationally was not an option. The very rapid development and take-up of ‘cloud’ computing increased the need for this, since it was unclear, to say the least, where information kept in a cloud had its legal base. It was argued that concepts such as property and sovereignty began to lose their usual meaning. Nevertheless, we were not starting with a blank sheet of paper. There was already a lot of cooperation – much more than was generally realised – between companies and regulators and national governments, and through different international institutions such as the International Telecommunication Union (ITU), the Organisation for Security and Co-operation in Europe (OSCE), the European Union (EU), the Internet Governance Forum (IGF) and the Organisation for Economic Co-operation and Development (OECD). This should be encouraged to continue and hopefully increase. Spreading best practice was part of this. Acting effectively in many different areas would help to increase the security of the whole. The analogy was made with draining swamps – you had to start by fencing in some part of it and creating a dry foothold or polder, and then build out from there. While a different analogy, with past disarmament efforts, was by and large rejected, there was acceptance that in parts of this area too, for example in biological weapons, progress had been made gradually by tackling small parts of the problem.  There was not, however, support for trying to rationalise all these different contributions by governance bodies to a single institution such as the ITU.

We discussed the relevance of deterrence to cyber security. The knowledge that retaliation was possible, and indeed in relation to attacks affecting vital national interests was to be expected, was clearly an important disincentive to irresponsible state action eg attacking the critical infrastructure of another state – a modern version of mutually assured destruction in the nuclear age. Retaliation need not be confined to the cyber domain.  But the ability of non-State actors to launch cyber attacks, and lack of transparency and ability to count the ‘weapons’ of the other meant this comparison with stable nuclear deterrence could only be taken so far. Moreover highly damaging action need not involve obvious attacks on infrastructure. Cyber espionage, particularly targeting commercial companies’ IPR, could over time undermine a national economy. This was arguably already happening but there seemed no easy way to stop it, given the attribution problems. It was suggested in this context that an analogy could be drawn with another cold war feature, namely more traditional espionage. When the UK had publicly expelled 104 Soviet diplomats/spies in the 1980s, for example, this had sent a message that espionage had reached an unacceptable level that could no longer be tolerated. It had not stopped espionage continuing, by either side, but had helped circumscribe it such that the risk could be managed. Perhaps an exposure operation of a similar kind would be helpful now, to establish some sort of parameters for what could and could not be tolerated. We certainly needed a broad, shared, realistic political understanding about what was unacceptable behaviour.

Discussion of which international institutions might provide the best forum for progress or agreements did not lead to easy consensus. Most participants thought that the only way forward was a ‘horses for courses’ strategy, in other words using particular institutions for particular purposes for which they were best suited. There then had to be cooperation and information-sharing between these institutions on a much more systematic basis than hitherto. Again the building of trust was crucial. Confidence building measures to help this were urgently needed, but it was easier to say this than to identify what such measures would look like. For the moment the level of dialogue between the main country players was wholly inadequate.

One way forward which had significant appeal for some participants was enhanced cooperation between like-minded governments, particularly across the Atlantic between traditional allies. Some saw a greater role for NATO. An approach based on the Proliferation Security Initiative (PSI) in the non-proliferation field might be a good start. Others suggested that this would not help the bigger picture. In the end, if international cooperation and agreements were to mean anything, all countries would need to be involved. The counter-argument was that we had to start somewhere, and then involve others as circumstances allowed. The same ‘coalitions of the willing’ approach could be used by companies facing common threats.

In all this we kept coming back to the difficulty of understanding the size and nature of the issue. The problem was that interconnectedness broke down the borders which defined our understanding of the world. It created a global village, but at the same time reinforced anonymity in a space without policemen. We had freedom of navigation in this new cyber sea, and wanted to keep it, but it was increasingly infested with pirates. Friend and foe, individual and company, state and non-state, spammers and scammers were all mixed up together behind our screens. Facebook, critical hospital functions and military control structures were all using the same network. It was no longer possible to guarantee that the millions of lines of software in complex systems were free from malware. In practice chunks of software code had to be reused by programmers and what defined code as malicious was often not its function but the context in which it was invoked by a programme. Insiders with a grudge and access to the system represented as much of a vulnerability as hacking from outside. A few key strokes could do more damage than huge military machines. The internet gave asymmetry a whole new meaning. Public and private were also intertwined in a completely different way from any other sphere. Nation states, still our basic international building block, were ill-equipped to deal with the new challenges, but unwilling to give up their prerogatives.

While it was tempting to throw up our hands faced with this giant conundrum – and the word cyber did not help, with its connotations of mystery and dark forces – we were all agreed that this was not an option, given the dangers. International cooperation was essential. We had to start somewhere. What follows is an attempt to sum up some of the more practical ways forward identified during the conference, in no particular order:

  • Work more intensively on cooperation against crime committed via the internet, concentrating in the first place on the most universally acknowledged crimes in order to build trust;
  • Educate consumers and companies much more about the risks, provide more facts, and quantify the losses wherever possible;
  • Make a further attempt to put together an agreed lexicon or glossary of terms, so that we are more often talking about the same thing;
  • Insist on much greater transparency about attacks, and effective information-sharing on them, to increase awareness of the size of the risks and promote collective solutions to identified weaknesses; greater cooperation and partnerships between government, the IT security industry and the private sector were being developed and should be encouraged;
  • Seek agreement on cooperation to protect the integrity of the internet as a whole, which can be presented as a common good. Better protection of the crucial physical elements of the system, for example the undersea cable network, would be a good place to start;
  • Work to increase the number and diversity of pathways, physical and otherwise, in the system, to increase resilience;
  • Identify behaviour which all could agree to outlaw, as a start and again a way to build trust, based on common interests, for example DDOS attacks;
  • Seek agreements on basic standards of internet hygiene, and on minimum security standards for PCs and basic software packages;
  • Take concerted action against common threats, eg botnets;
  • Share best practices more systematically;
  • Focus on risk management techniques to increase resilience rather than looking for zero risk;
  • Encourage insurance to raise awareness of risks and begin to try to price them;
  • Expose particularly unacceptable examples of cyber espionage, commercial or otherwise, to raise the cost of certain kinds of attack;
  • Reflect further on what deterrence might mean in this area;
  • Bring like-minded countries together to agree on specific actions against identifiable abuses and abusers, on the PSI model, with a view to widening the circles of involved states wherever possible;
  • Map more systematically the points of failure in critical infrastructure, and carry out regular crisis exercises to test responses to failures, fully involving the private sector;
  • Introduce the cyber equivalent of ‘red crosses’ on hospitals to protect vital humanitarian systems;
  • Focus on norms, standards and codes of conduct in the search for international agreements, rather than legally binding texts;
  • The big powers to start some real private conversations about the issues, however difficult, as happened at times during the Cold War.

Overall we took the view that the search for a grand strategy could be the enemy of progress. As had been concluded in another huge cross-cutting global issue, climate change, after the Copenhagen failure, there was no one international agreement or instrument which could capture all the issues, even if such a thing were negotiable. Time should not be wasted looking for one. Rather we should think bottom-up. Simply put, we needed to do three things: protect the integrity of the internet itself, protect the ability of people to operate in it, and stop those trying to abuse it. There was a need for incremental steps in a wide range of areas which, taken together, would help to improve security all round and reduce the vulnerabilities of the system as a whole, of the many critical services which depended on it, and of the security and privacy of commercial and individual users. These steps were the responsibility of many actors, including individuals, but governments and the private sector providers of the hardware and software had particular responsibilities. Governments could not and should not seek to control everything or dictate solutions, or put undue restrictions on content or exchanges, but equally the private sector could not solve the problems without some kind of regulatory, standard-setting framework which only governments and international cooperation could provide. Effective partnerships, and constant readiness to adapt quickly, would be the keys to future success.

This Note reflects the Director’s personal impressions of the conference.  No participant is in any way committed to its content or expression.


Chair: Professor Sir David Omand GCB
Visiting Professor, Department of War Studies, King's College London; Author, Securing the State (2010).  Formerly:  A Governor, the Ditchley Foundation (2006-11); Security and Intelligence Co-ordinator and Permanent Secretary, Cabinet Office (2001-05); Permanent Under Secretary of State, Home Office (1998-2001).  Author.

Dr Greg Austin

Vice President, Program Development and Rapid Response, EastWest Institute; Founding Chair, Asian Century Institute, London.  Formerly: Director of Research, Foreign Policy Centre, London (2004-06).

Mr Ken Taylor

Vice President, Consulting Services, Cyber Security, CGI, Ottawa. Formerly: Director, Global Stealth Solutions, Unisys Inc.

Ms Alessandra Falcinelli

Legal Officer, Internet; Network and Information Security Unit, Information Society and Media Directorate General, European Commission.

Mr Eric Freyssinet

Head, Cybercrime Division, Gendarmerie Nationale, Paris.
Mr Christophe-Alexandre Paillard
Director, Legal, International and Technological Affairs, CNIL –  National Commission for Information Technology and Freedoms (2011-); Adviser, Defence Economic Council. Formerly: Technical Adviser, Cabinet of the Secretary of State for European Affairs, Ministry of Foreign and European Affairs, Paris (2009-11). Author.

Dr Constanze Stelzenmüller

Senior Transatlantic Fellow (2009-), formerly Director, Berlin Office (2005-09), German Marshall Fund of the United States.  Formerly: Die Zeit: Defence and International Security Editor (1998-2005). A Governor, the Ditchley Foundation.

Mr Anton La Guardia

Bureau Chief and Author of Charlemagne column, The Economist, Brussels (2010-); Formerly: Defence and Security Correspondent, The Economist (2006-10); The Daily Telegraph: Diplomatic Editor (2000-06), Africa Correspondent (1998-2000), Middle East Correspondent (1991-98). Author. 

Dr Lee Koung

Senior Research Fellow, Korea Internet and Security Agency, Seoul.

Mr Manuel Pedrosa de Barros

Director, Communication Security Directorate, ICP-Anacom, Lisbon (1997-); Bureau Member, OECD/WPISP.  Formerly: Invited Assistant Professor, Universidade Autónoma, Instituto Superior Técnico, Universidade Independente, Instituto Superior de Linguas e Administração (1987-2008).

Dr Vladimir Ivanov

Director, Moscow Office, EastWest Institute (2006-); Associate Professor, Journalism Department, Moscow State Institute of International Relations (MGIMO) (1982-).  Formerly: Director, Fiscal Transparency Program, EastWest Institute (2001-05); Editor, Vremya Novostej (2000-01).
Ms Elena Zinovieva 
Senior Lecturer, Political Science Department, Moscow State Institute of International Relations.

Professor Paul Cornish

Professor of International Security, University of Bath (2011-).  Formerly: Carrington Professor of International Security, Chatham House (2005-11); Director, Centre for Defence Studies, King's College London (2002-05).
Mr Timothy Dowse CMG 
HM Diplomatic Service (1978-); Director Cyber Policy, Foreign and Commonwealth Office (FCO).  Formerly: Director Intelligence and National Security, FCO (2009-11); Chief of the Assessments Staff, Cabinet Office (2003-09).
Mr James Elder 
Programme and Research Director, Cityforum Ltd (2011-).  Formerly: Assistant Director, Department for Business, Innovation and Skills (2009-10); Director, Jefferson Communications Ltd (2008-09); Executive Secretary, Sir Edward Heath Charitable Foundation (2005-07); Secretary, EuroDéfense UK.
Mr Misha Glenny 
Writer and Broadcaster.  Formerly: BBC Central Europe Correspondent.
Mr Rakesh Gohil 
Senior Vice President for IT, LF Europe, Li & Fung (2007-).  Formerly: European IT Manager, Sensient Technologies, Milwaukee (2002-07) then Milan (2003-07); Director of ERP, ZDNet and CNet networks (2000-02).
Mr John Lyons
Chief Executive, International Cyber Security Protection Alliance.
The Rt Hon Baroness Neville-Jones of Hutton Roof 
Special Representative to Business on Cyber Security, House of Lords.  Formerly: Minister of State for Security and Counter Terrorism (2010-11); Shadow Minister for Security and National Security Adviser to the Leader of the Opposition (2007-2010). A Governor, the Ditchley Foundation.
Mr James Quinault CBE 
Director, Office of Cyber Security and Information Assurance, Cabinet Office.  Formerly: Head, Defence, Diplomacy and Intelligence Team, HM Treasury.

Mr Vartan Sarkissian 
CEO, Knightsbridge Cybersystems, London; Senior Adviser to the President, EastWest Institute.  Formerly: Founding Director, Worldwide Cybersecurity Initiative, EastWest Institute; Founder and CEO of two Internet and software companies.
Dr Bryan James Saunders 
Head of International Relations, GCHQ.
Major General Jonathan Shaw CBE
Assistant Chief of Defence Staff (Global Issues) (2011-), Ministry of Defence.
Mr Mike StJohn Green 
Deputy Director, Office of Cyber Security and Information Assurance, Cabinet Office. 
Mr Simon Webb CBE 
Executive Director, The Nichols Group, London (2010-).  Formerly: Lessons of Crises Study, Cabinet Office (2009-10); Chairman, International Transport Forum (2006-09).  A Director, Major Projects Association.   A Governor, the Ditchley Foundation.
Mr John Weston CBE
A Director: Torotrak (2011-); MB Aerospace Holdings Ltd (2007-), University for Industry Learn-Direct Ltd (2004-), Acra Controls Ltd (2003-); Lo-Q plc (2011-); Vice-President, Royal United Services Institute.  Formerly: Chief Executive, BAE SYSTEMS (1998-2002); Chairman and Managing Director, British Aerospace Defence Ltd (1992-99). A Governor and member of the Council of Management, the Ditchley Foundation.

The Honorable JD Crouch II 

President, Technology Solutions Group, QinetiQ North America (2009-).  Formerly: Executive Vice President for Strategic Development, QinetiQ North America (2007-09); Assistant to the President and Deputy National Security Advisor (2005-07); Ambassador to Romania (2004-05).
Colonel David Fahrenkrug PhD 
US Air Force (1988-); Office of the Secretary of Defence (2011-).  Formerly: Director, Chief of Staff of the Air Force Strategic Studies Group; Commander, 379th Expeditionary Operations Support Squadron, Al Udeid Air Base, Qatar; Chief of Strategy, Eighth Air Force, Louisiana.
Mr Sean Kanuck
National Intelligence Officer for Cyber Issues, National Intelligence Council (2011-).
Mr Joel Molinoff 
Assistant Director, President's Intelligence Advisory Board, Executive Office of the President, The White House.
Mr George Newcombe 
Simpson Thacher & Bartlett LLP (1975-): Litigation Partner (1983-) and Head of Palo Alto office (1999-); Member: Board of Visitors, School of Law, Columbia University; The Association of the Bar of the City of New York; The American Bar Association; Federal Circuit Bar Association; Director, Legal Aid Society - Employment Law Center.  A Director, the American Ditchley Foundation.
Mr Paul Nicholas  
Head, Global Security Strategy and Diplomacy Team, Microsoft.  Co-Founder, Software Assurance Forum for Excellence in Code; White House Director of Cybersecurity and Critical Infrastructure Protection (2002-04); Senior Policy Advisor for US Senator Robert F Bennett.

Ms Harriet Pearson 
Vice President, Security Counsel and Chief Privacy Officer, IBM Corporation (1993-).  Formerly: Lecturer, Georgetown University Communication Culture and Technology Program (2007-10); Member: Open Group Trusted Technology Forum, Center for Strategic and International Studies' Commission on Cybersecurity.
Mr Justin Rattner
Corporate Vice President and Chief Technology Officer, Intel Corporation; Intel Senior Fellow and Head of Intel Labs; Member, US Department of Defense/Department of Homeland Security Enduring Security Framework and Operations Group.
Mr Karl Rauscher
Chief Technology Officer and Distinguished Fellow, EastWest Institute; Founder and President, Wireless Emergency Response Team.  Formerly: Executive Director, Bell Labs Network Reliability and Security Office, Alcatel-Lucent; Vice Chair, US President's National Security Telecommunications Advisory Committee Industry Executive Committee.


Mr Francis Finlay
Co-Chairman, EastWest Institute, New York (2009-); Trustee, British Museum   (2005-); Oxford Martin School Advisory Council, University of Oxford (2005-).  A Governor and member of the Council of Management, the Ditchley Foundation.  A Director, the American Ditchley Foundation.