Munich is known for many things: tourists gather twice daily for its Glockenspiel, and national security strategists flock to the Munich Security Conference each spring. But for those following cyber issues, Munich is perhaps best known for the Munich Cyber Security Conference (MCSC), a gathering of some of the brightest minds in cybersecurity that began in 2014. Returning this year amid biting February winds and even colder ongoing geopolitical developments, I was expecting the atmospherics to be rather muted. What I experienced I would instead characterize as a roller coaster of diplomatic tension and on-the-ground realities.
Above all, my time in Munich was characterized by deep empathy with the American populace on the one hand, together with a profound distrust of the U.S. government on the other hand. It’s not the first time in my career I have had a front row seat to observe international–especially European–responses to U.S. government technology policy. I witnessed it firsthand while at the Department of Justice, and again at the National Security Council. Nor can these experiences compare to the gravity of events that have taken place in Europe over centuries. Still, this year’s MCSC felt very different in several ways, including the dominant themes of digital sovereignty, decoupling, and the risks and opportunities of AI.
Weighing the security trade-offs of digital sovereignty
Even before the conference began, a European conference-goer at a private dinner said plainly to the U.S. tech companies and other U.S. participants in the room: “We want to work with you, but we don’t trust the U.S. government. As a result, we need to advance digital sovereignty for Europe.” The remark wasn’t an act of aggression, but an empathic lament. After years of collaboration between both sides of the Atlantic, they are now being forced apart by political winds neither can control, and from which both stand to lose.
While U.S. tech companies responded with “we’re listening,” there was also a sense that they were once again talking past each other: some closed their eyes to the problem, while others seemed to simply lack a full understanding of the transatlantic security benefits that technological entanglement has provided over the years. I found myself wondering, do the ends justify the means? Do Europeans collectively agree on their end goal? Is it security on the one hand or a clean, sovereign European tech stack on the other—or something else entirely? And once they do reach collective agreement, have they fully weighed the tradeoffs associated with what it will take to achieve that end?
The same contrast between empathy and distrust persisted throughout the next day, where the Administration’s efforts to share how much it values partnerships and explain its other positions on cyber issues, such as supporting freedom of speech and opposition to surveillance of dissidents online, stood in sharp contrast to its actions at home.
The lows were met with a few high points. A board member at a publicly traded U.S. company shared with me that the work of IST’s Ransomware Task Force helped to guide their response to a major ransomware incident, including recovery of most of the ransom they paid. Similarly, panelists on two separate panels praised the Counter Ransomware Initiative as a productive forum to share experiences and develop common approaches to combating cyber threats. Given that IST is a founding member of the CRI’s Public Sector Advisory Panel, I was glad to hear that our efforts to advance international collaboration to combat ransomware and to raise awareness about preparing, responding to, and deterring ransomware incidents continue to make an impact.
Another high point for me was hearing government officials from the United States, Japan, and several European countries emphasize the importance of continuing to address cyber threats in a manner consistent with democratic values. As articulated by one European government representative on stage, it was also reassuring that none of the panelists suggested that industry should be free to “go it alone.” While industry participants largely shared this perspective, they expressed frustration at the pace of change towards collective action. Panelists observed that while governments have advanced to consistently and proactively share defensive measures, the extent of their reciprocal information sharing remains too limited and the pace of government action to collaborate in disruption activities is too slow. As one industry leader reiterated, we’ve succeeded in making cybersecurity a board room topic and national policy issue, but collectively we’re still failing: cybersecurity still hasn’t shifted from “important” to “urgent.”
Finally, the exponential growth in the capabilities and use of AI over the past year echoed throughout the conference. While the consensus is that AI will favor defenders in the long term, the near-term reality is a state of unease: AI capability and deployment are rapidly escalating, the technology stacks these systems leverage are increasingly complex, and threat actors are adapting their TTPs to exploit these developments, aided in the current term by regulatory ambiguity.
In the face of this ambiguity, it was reassuring to see industry express shared principles by launching the Trusted Tech Alliance on the margins of the Munich Security Conference, whose 16 founding companies agreed to adhere to common commitments of transparency, security, and data protection, including through ethical governance. I couldn’t help but hear similarities to the actions I called for in 2018 in Securing the Modern Economy, Transforming Cybersecurity Through Sustainability, and again in Security Shield, where I outlined a program to label IoT devices that met baseline cybersecurity requirements that an independent third party could verify.
While in Munich, I had the chance to join the in-person audience at Politico’s interview with President Zelenskyy. The conversation reinforced the consequential nature of the issues being discussed at the two conferences–including the goals of digital, political, and territorial sovereignty as elements of national security–and technology’s potential to either advance democratic values, democracy, and the rules-based order, or lead to their erosion.
Departing the Munich Cyber Security Conference felt much like the experience of stepping off of a roller coaster: a mix of disorientation, a few adrenaline spikes, and a clear-eyed view of the work ahead. My thanks to Peter Moehring and his team for once again putting together a conference that confronted some of the biggest challenges facing the cyber community, stimulated a range of conversations, and left me looking forward to next year’s.
