Paranoia 2019

Check against delivery

Ladies and gentlemen,

Thank you so much for inviting me to open Paranoia 2019.

The internet has changed our way of life.

It has become part of the essential infrastructure of our societies.

It connects nations.

It connects people across the globe.

The internet creates and eliminates jobs, it directs traffic and reduces the need for travel, it changes trade routes and creates new businesses.

To mention just a little of its impact on modern life.

The internet provides opportunities and possibilities we could never have imagined 20 years ago.

However, the flip side of connectivity is vulnerability.

The flip side of commerce is crime.

Cybersecurity is of vital importance in this new dimension of human life.

And cybersecurity is dependent on technical knowledge and capacity.

 

Eric Schmidt, the former Chairman of Google, has been quoted as saying:

‘The Internet is the first thing that humanity has built that humanity doesn't understand.’

I am not sure that I agree.

I think we often do not fully understand the implications of new technology.

Neither its full potential – nor the challenges it poses.

Gutenberg did not foresee the printing of Mein Kampf or Das Kapital.

When Ernest Rutherford first split an atom and saw the potential of atomic energy, he did not imagine Hiroshima.

No more than Tim Berners-Lee anticipated the devastating NotPetya cyberattack when he invented the internet.

The threats are transnational and stem from both state and non-state actors.

Sometimes it is difficult to know which is which.

Sometimes the distinction between them has been deliberately blurred.

This all means that broad international cooperation is essential.

Cooperation between states and international organisations, as well as businesses and other non-governmental partners.

 

Ladies and gentlemen,

The Norwegian Government takes cyber threats seriously.

Norway’s first international cyber strategy was launched in 2017.

Our main strategic priority is to promote international cybersecurity collaboration.

Our aim is to combat organised cybercrime and other serious crimes committed through cyberspace.

And to ensure that cyberspace is open, secure, robust and free.

To achieve this, we must strengthen and uphold the rules-based international order.

Cyberspace should not be seen as lawless territory where fundamental human rights no longer apply.

It is crucial that states behave responsibly and comply with agreed norms and rules.

The UN member states have agreed that international law applies in cyberspace, just as it does everywhere else.

Some people have suggested that we need a new legal framework to govern cyberspace.

We disagree.

A new legal framework could undermine the existing rules.

Rather, we as states must set an example through our actions.

We must make our voices heard.

And show that there are rules in place already.

The UN will soon resume discussions on responsible state behaviour in cyberspace.

Norway will take an active role.

For the first time, we will participate in the UN Group of Governmental Experts on advancing responsible state behaviour in cyberspace.

This group is the principal arena for discussing cyberspace in the context of international security.

Representatives from 25 countries, including the five permanent members of the Security Council, have been selected to participate in the group.

Our participation will give us a stronger voice in the global debate.

But it will also give us greater responsibility.

We will be dependent on receiving input from our non-governmental partners to inform our positions.

You – as representatives of the industry – have vital perspectives that we must bring to the table. 

 

Ladies and gentlemen,

Earlier this year, my Government launched a new strategy to strengthen national cyber security.

The strategy addresses challenges that arise as a result of the digitalisation of society.

Because, as we all know, Norway is a highly digitalised country.

Private individuals and companies have confidence in national security.

And there is a high level of trust that the population’s welfare and democratic rights will be safeguarded.

The strategy gives particular emphasis to strengthening public-private partnership, civilian-military collaboration, and international cooperation.

For instance, you – the business community – have highly relevant skills and resources.

You are a driving force for digitalisation and innovation.

You therefore have a key role to play in finding solutions.

The strategy forms the basis for the Government’s work on cyber security.

It also makes it easier for business actors, academics and members of the public to pull in the same direction.

We have recently seen an increase in cyberattacks.

Both public agencies and private companies are being targeted.

Cyberattacks can be difficult to detect.

In a worst-case scenario, they could constitute a threat to national interests.

Cyberattacks can have severe consequences for those affected.

For instance, Norsk Hydro was recently the target of a cyberattack affecting the entire global organisation.

The financial cost of the attack has been estimated at 400 million Norwegian kroner.

 

Ladies and gentlemen,

This brings me to the flip side of cybersecurity, the issue of cybercrime.

And when it comes to cybercrime, the crime scene is truly global.

It takes just seconds to connect with a cyber offender, attacker or radicaliser. 

Even if they are on the other side of the world.

The mobile phone or the tablet that we reach for first thing in the morning also serves as a playground for would-be attackers.

Crime and terrorism are moving into the dark alleys of the digital world.

Technology has now become part of the toolkit of criminal actors.

And criminal activities are increasingly taking place on the internet.

This creates enormous challenges for law enforcement agencies that are limited to working within national borders.

Law enforcement techniques and capabilities to handle the new challenges have not yet been fully developed.

We must scale up our efforts in response to the growing threats.

Nationally, as well as internationally, we need to ensure that we have sufficient capacity and technical ability to deal with new and constantly evolving forms of crime.

It is important that we – governments and policy makers – fully understand what cybercrime is.

Cybercrime is not an isolated type of crime.

It is a cross-cutting element in many forms of crime, including transnational organised crime and terrorism.

There are also close links between cybercrime and the financing of terrorism.

These links take different forms in different regions.

In Europe, for example, there are connections between people smugglers and foreign terrorist fighters.

Terrorist groups such as ISIL and their affiliates engage in a broad spectrum of illicit activities, including extortion, robbery, smuggling of oil and drugs, human trafficking, and kidnapping for ransom.

These activities help them to fund their organisations, recruit foreign fighters, and spread propaganda.

In Paris last week, I met with other heads of state and government and representatives of major tech companies to sign the Christchurch Call to Action.

This is a declaration aimed at strengthening efforts to hinder terrorist and violent extremist content online.

In addition to being an extra burden for those who have been bereaved as a result of terrorist attacks, violent extremist content contributes to spreading terrorist propaganda and may inspire others to carry out attacks.

A broad approach is needed to combat terrorist networks.

Our efforts must also be supported by regional and multilateral organisations, such as the UN Security Council.

Global instruments like the UN Convention against Transnational Organized Crime also have a role to play.

Identifying and stopping illicit financial flows is important in this context.

Measures to combat the laundering of the proceeds of crime can be very effective when combined with measures targeting financial flows to terrorists.

 

Ladies and gentlemen,

Let me draw your attention to the proposed Second Additional Protocol to the Budapest Convention, which is being developed in the Council of Europe.

The aim is to enable the more effective exchange of electronic evidence in criminal cases.

Norway ratified the Budapest Convention on cybercrime in 2006.

The exchange of electronic evidence must of course be in keeping with data protection requirements and in accordance with human rights.

Norway is taking part in an expert group that is seeking to find good solutions to the challenges in this area.

The reason we need a Second Additional Protocol is that electronic evidence has become far more important than before.

Today, people leave digital traces everywhere, just by engaging in their daily activities.

The amount of electronic evidence is increasing.

We have examples of criminal cases where the amount of such evidence is overwhelming. 

For instance, in one case the investigation is focusing on 22 000 unique videos, 377 000 unique images and over 1000 written reports.

In almost all cases of traditional crime or cybercrime, electronic evidence is now a key issue.

And, of course, clear evidence is needed in order to convict an offender.

But using electronic evidence in investigations is time-consuming and expensive, and it requires a high level of expertise.

Let me mention some of the dilemmas that can arise when one or more offenders have committed crimes against several hundred victims.

What do the prosecuting authorities do when more than enough evidence has already been collected to sentence the perpetrator to the highest penalty?

Can courts reduce the scope of these cases to limit the time and expenses involved?

And how do we safeguard the needs of the victims if they don’t get to testify in court?

These are some of many questions we have to consider and find solutions to in the immediate future.

The legislators may need to find new tools for the prosecuting authorities and the courts so that they can handle these cases more effectively.

 

Let me now draw your attention to another challenge we face:

When electronic evidence is stored in a cloud, this raises a great many questions.

The same is the case if electronic evidence is stored on a server in another country, or held by service providers located in other countries.

A cross-border situation can even occur when all other elements of a criminal case are located in the investigating country. 

The Supreme Court of Norway recently dismissed an appeal from Tidal in a case of this kind.

Tidal is, as you know, a music and video streaming service.

It has established offices in Norway.

The Norwegian prosecuting authority wanted to search Tidal’s data terminals following allegations of possible fraud.

To cut a long story short, Tidal opposed any seizure of downloaded data from the company’s terminals in Norway.

It argued that its data was stored on servers abroad.

The Supreme Court concluded that under Norwegian domestic law, there was nothing to prevent the search from being conducted.

Nor were there any treaty provisions or any customs under international law to prevent it.

Furthermore, a search in this case would not violate the jurisdiction of any other states.

One of the arguments given by the court was that the search would only involve accessing data that the company itself had stored and could freely retrieve from the storage place abroad.

The data would remain on the foreign server and no changes would be made to the information stored.

This example proves my point:

The development of cybercrime and the growing importance of electronic evidence have made criminal investigation and prosecution processes far more complex.

 

Ladies and gentlemen,

Let me elaborate on some of the measures we have adopted so far to combat cybercrime in Norway.

In 2015, a computer crime strategy was launched for the police. 

One of the main points set out in this strategy was the need to prevent and avert cybercrime.

In addition, a key goal of the strategy was to increase competence in the field of cybercrime.

In January 2019, we opened the National Cybercrime Centre in Norway – called NC3 for short.

NC3 is based at the National Criminal Investigation Service (Kripos).

We see that many other countries have established similar centres.

In addition, EUROPOL has set up the European Cybercrime Centre, or EC3.

In Norway, NC3 will serve as an expert body that can help the police in their work to prevent and combat cybercrime.

NC3 is the point of contact for international cooperation on cybercrime.

It also assists the local police and other police units.

If your business suffers a cyberattack or is affected by some other form of cybercrime, it is vital that you report the incident to the police.

Many of you have in-house experts of your own.

Even so, it is important that you register the crime and provide the necessary evidence.

Each individual case can become part of a bigger investigation in the future – at NC3 in Norway or abroad.

By working together and gathering evidence from a range of different cases, we should be in a better position to put a complete stop to criminal activity in this area. 

 

An online police presence is important in our efforts to prevent and combat cybercrime.

For instance – an online police presence among those who use file sharing networks to spread material showing the sexual abuse of children.

As part of the European campaign ‘Police 2 Peer’, Kripos uploads 20 000 files to networks of this kind every day to inform and deter the users.  

On a more general level, the Norwegian police offers advice on issues relating to cybercrime and internet safety on Facebook.

By the end of 2019, all 12 police districts in Norway will have an online presence.

 

Ladies and gentlemen,

To sum up,

Digitalisation creates new opportunities, but it also poses challenges.

The existing international legal framework applies in cyberspace, too.

However, ensuring compliance with international law in cyberspace can be difficult, as the example of electronic evidence shows.

It is vital that we cooperate with you on building more capacity and expertise in this area.

Only by working together can we ensure that cyberspace is open, safe, robust and free.

I am counting on your support.

I wish you a successful conference.

Thank you.