If you see this dia­gram over here on the mon­i­tors, some­times peo­ple think about cyber­space in a very sim­plis­tic term or way. They think about it as peo­ple and data. 

And sure, cyber­space is about peo­ple and data. But it is also about appli­ca­tions. And devices. And the indi­rect and non-obvious rela­tion­ships between all of this. 

It cre­ates a very com­pli­cat­ed and excit­ing ecosys­tem. One that is capa­ble of dra­mat­ic inno­va­tion, and dra­mat­ic exploita­tion. And we need to under­stand that as we start to think about the next decade ahead. 

This inter­est­ing map of lit­tle squares that you see here is what the world looked like in the year 2005. You all remem­ber the year 2005. That was when Uber was still just a German word and not a glob­al trans­porta­tion app. But if you look at this map you see the size of the squares on the map actu­al­ly rep­re­sent an online pop­u­la­tion of a coun­try. And whether the square is light or whether it’s dark indi­cates the amount of pen­e­tra­tion for broad­band in that coun­try. So you see China, that lit­tle yel­low square with “.cn” on it over there had about a hun­dred mil­lion peo­ple online, or a hun­dred and ten mil­lion online. And that was about 20% of the pop­u­la­tion. So they’re yel­low. The US at this point had about two hun­dred mil­lion peo­ple online. And that was a much more sig­nif­i­cant part of the population.

2005 was an inter­est­ing year. This is the year I some­times think of as the great cyber­crime hook-up, where spam­mers met phish­ers, and we start­ed to have a very diverse, dif­fer­en­ti­at­ed, and dan­ger­ous cyber­crime mar­ket, one that we still feel the effects of ten years later. 

Our world today is much dif­fer­ent. A lot more peo­ple online, when you look at this map. It’s also a lot dark­er green. Today, we have over three 3.4 bil­lion peo­ple online. That’s fan­tas­tic. We also have eighty-five coun­tries pass­ing cyber­se­cu­ri­ty laws and reg­u­la­tions. Wow. That’s a lot. What gets passed in the next three years will prob­a­bly shape cyber­space for the next thir­ty, and we need to think care­ful­ly about that both as the US, and as the inter­na­tion­al com­mu­ni­ty. What is the right approach?

We have about six­ty gov­ern­ments today who are on record for using cyber­space for domes­tic and inter­na­tion­al sur­veil­lance. And we have thir­ty gov­ern­ments with for­mal mil­i­tary plans and pro­grams in place. Forty per­cent of the pop­u­la­tion that you see on this map is cov­ered by an Internet of Things strat­e­gy. You do not live in one of those coun­tries. This is real­ly going to change. 

Today, cloud com­put­ing, which you don’t real­ly see reflect­ed on this map because it’s about con­nec­tiv­i­ty, is grow­ing at a pace that’s hard to match. At Microsoft, our cloud com­put­ing and stor­age capa­bil­i­ties are dou­bling at a rate [of] every six months. That is pow­er, and pow­er that is start­ing to be used by peo­ple and enter­pris­es and gov­ern­ments around the world. 

So, what hap­pens when we spin for­ward the next ten years? This world starts to look incred­i­bly dif­fer­ent. This is a world of over five bil­lion peo­ple online. And I think what’s real­ly dra­mat­ic about it in terms of oppor­tu­ni­ty, in terms of diver­si­ty— Take a look at the glob­al South. Look at the amount of peo­ple com­ing online. Take India, for exam­ple. In the next ten years, there will be 700 mil­lion new broad­band con­nec­tions in India. That is amaz­ing. The same time in Europe, you’ll have 124 mil­lion. So, the pace of change, the use of tech­nol­o­gy, inno­va­tion [is] going to be dra­mat­i­cal­ly dif­fer­ent as we start to move into the future.

How do we build the legal con­structs that allow for free mar­kets and the dig­i­tal solu­tions that enable sov­er­eign­ty for nations? How do we bal­ance that? The pub­lic pol­i­cy debate of the next decade is going to be defined by our abil­i­ty to bal­ance per­son­al free­doms and nation­al security.

I want to talk a lit­tle bit about what some of the dif­fu­sion actu­al­ly means for us as we move for­ward. The dif­fu­sion of pow­er is real­ly phe­nom­e­nal in what it means for indi­vid­u­als. You know, we had that 60s mantra, pow­er to the peo­ple.” Well today, you can go online and cre­ate amaz­ing dis­rup­tions, amaz­ing advances, that gov­ern­ments are real­ly not equipped to deal with. 

Cities today are tak­ing on pow­er that they haven’t had since the ancient world. The UN projects that we will have around forty-nine megac­i­ties over ten mil­lion by the year 2030. These will be cities will mak­ing be mak­ing deci­sions for their pop­u­la­tions sim­i­lar to that of gov­ern­ments, in terms of tech­nol­o­gy and use. We’ll also be in a world where multi-stakeholderism will be how we real­ly make deci­sions, main­ly because of technology. 

I men­tion the dif­fu­sion of inse­cu­ri­ty. This is some­thing we need to take a real hard look at and under­stand. When I talk about the dif­fu­sion of inse­cu­ri­ty, I don’t mean that things will be less secure. I mean peo­ple will feel less secure. You think about dis­rup­tive tech­nolo­gies, which is some­thing the tech indus­try loves to talk about. We’re break­ing down bar­ri­ers. We’re chang­ing things.” That is tremen­dous­ly excit­ing. But it also means that jobs change. Old jobs go away. How do you pre­pare for the new jobs? What are the new skill sets that need to be developed?

When you look ahead to the year 2020 or 2026, we have some real edu­ca­tion gaps to over­come. The devel­oped world will be cre­at­ing around six mil­lion sci­ence, tech­nol­o­gy, engi­neer­ing, and math grad­u­ates. And the emerg­ing economies will be pro­duc­ing around twen­ty mil­lion. How are we going to com­pete for those resources? How are we going to get the right skill sets? You know, what’s hap­pen­ing today when you think about the future of threats is that tech­nolo­gies are not aim­ing at things like oper­at­ing sys­tems and apps, they’re going down into stealthy places like hard­ware and BIOS and mem­o­ry and dif­fer­ent places. 

And they’re also con­tem­plat­ing integri­ty attacks. As you move to a world where more and more of your life is being con­vert­ed to dig­i­tal cap­i­tal, integri­ty takes on a whole new risk. And that’s some­thing I would say we’re not real­ly well-invested in as a pol­i­cy and tech­nol­o­gy com­mu­ni­ty to under­stand what that means.

The oth­er area is what I call sur­veil­lance soci­eties. We’re going through this real­ly inter­est­ing phase where we’re putting sen­sors on every­thing, and it’s super cool. You can under­stand things now at a lev­el with big data and ana­lyt­ics that you could nev­er under­stand before. But how do we make sure that the same things that we’re doing for effi­cien­cy and man­age­abil­i­ty don’t get trans­lat­ed into things that become sur­veil­lance plat­forms? What is the pub­lic pol­i­cy bal­ance in that space?

There’s also the chal­lenge of cyber­se­cu­ri­ty norms. Cybersecurity norms kin­da went main­stream in 2015. The gov­ern­men­t’s start­ing to talk about what is the appro­pri­ate role of a gov­ern­ment in cyber­space when it comes to mil­i­tary actions or attacks. And what is the role of the pri­vate sec­tor in this space? I think you will see great move­ment in this space over the next decade, and it is some­thing that we as a pol­i­cy and tech­nol­o­gy com­mu­ni­ty have to learn to talk to each oth­er about.

The recent expe­ri­ence with the Wassenaar Arrangement was a key exam­ple of that. Governments did some­thing that seemed real­ly appro­pri­ate. Hey, I’m doing some­thing to lim­it dual-use tech­nol­o­gy. Something to pro­tect peo­ple.” And it turns out it was real­ly not a good idea, because it actu­al­ly made peo­ple less secure because it pre­vent­ed the move­ment of secu­ri­ty tech­nolo­gies, some­times even with­in a com­pa­ny. So, we need a bet­ter com­mu­ni­ty, a bet­ter way to deal with inse­cu­ri­ty. Platforms to be able to talk about these issues. 

I would also say there’s a huge oppor­tu­ni­ty com­ing in the next decade. An oppor­tu­ni­ty with cyber to do things that we’ve nev­er thought about before. The first and prob­a­bly the most obvi­ous one I think is eco­nom­ic inclu­sion. As Anne-Marie talked about before in terms of try­ing to under­stand diver­si­ty and bring­ing more peo­ple into the field, when you look at that map of the year 2025 and you see mas­sive amounts of peo­ple com­ing online, to me that’s excit­ing. That means peo­ple are going to use tech­nol­o­gy in ways you and I haven’t thought about, because they’ll use them in dif­fer­ent con­straints, dif­fer­ent band­width, dif­fer­ent reli­a­bil­i­ty sit­u­a­tions, and new things will come out of that.

How are we mak­ing the right invest­ments in that space? Is it all going to come from Silicon Valley? Is it all going to come from a New York, or where the ven­ture cap­i­tal lives? Are we going to go find the next amaz­ing tech­nol­o­gy, the next amaz­ing com­pa­ny? It may not come from here. And how do we deal with that and try to fig­ure out how to inno­vate in that space?

The oth­er area I would high­light is the domain of secu­ri­ty and con­trol­la­bil­i­ty. We’re mov­ing into a world where we are more and more reliant on things like cloud com­put­ing. And as I’ve said before, that is a tremen­dous­ly excit­ing tech­nol­o­gy with huge capac­i­ties for inno­va­tion. But, we have to under­stand secu­ri­ty and con­trol­la­bil­i­ty, and pro­vide trans­paren­cy for peo­ple to under­stand what that means. And what that means, in many ways, is we have to rethink our risk man­age­ment strate­gies and frame­works that we have used in the tra­di­tion­al world, and find new ways of deal­ing with them when it comes to cyber.

The oth­er area I would high­light is resilient and sus­tain­able tech­nolo­gies. There is a lot of work going on around the world today to try to under­stand resilience. What is resilience? It is about readi­ness. It’s about respon­sive­ness. And it is about rein­ven­tion. Today, I think we live in a world that’s real­ly focused on risk man­age­ment. And that’s good. You need that. That’s impor­tant. And we have a world that sort of thinks about reli­a­bil­i­ty in terms of, I can turn things back on.” But how do you real­ly start to pri­or­i­tize around learn­ing, so that you thrive in the face of attacks or adver­si­ty, and you keep grow­ing? That is a dimen­sion of tech­nol­o­gy and of cul­ture that we have to grow and incu­bate. That is going to be core in the next decade.

I also think that these same tech­nolo­gies will pro­vide a huge oppor­tu­ni­ty for us from an envi­ron­men­tal sus­tain­abil­i­ty per­spec­tive. We’re doing work today with a group called 100 Resilient Cities, where cities around the world are try­ing to under­stand the dimen­sions of resilience. And it is fas­ci­nat­ing to watch them real­ize the core role that things like cyber­space actu­al­ly plays in a city when they start to think about resilience long term. Because it is not just, Hey, I have a smart city and I get a dash­board of how my trash oper­a­tions are going, or my water oper­a­tions, or traf­fic.” But it’s about social cohe­sion. It’s about job growth. It’s about inno­va­tion and the future of the city and where that goes. And again, this is going to be a dimen­sion of cyber­space that we haven’t real­ly thought about that much, and I think we real­ly need to put a lot more empha­sis on.

I think it’s impor­tant to kind of look at the tra­jec­to­ry that we’ve been on in cyber­space pol­i­cy. If you go back to the year 2000 and sort of say hey, this is when we start­ed to look at risk, we start­ed to move up from a nation­al per­spec­tive and look at crit­i­cal infra­struc­ture pro­tec­tion. And some­where between 2010 and 2015, cyber became an inter­na­tion­al issue. Whether that was ten­sions around Internet gov­er­nance. Whether it was around cyber­se­cu­ri­ty norms and the appro­pri­ate role of gov­ern­ments in cyberspace.

And now, more and more our cyber pol­i­cy is going to be dri­ven by what we do in the inter­na­tion­al space. What we do for har­mo­niz­ing these eighty five dif­fer­ent laws to ensure that tech­nolo­gies we make can still be export­ed to the rest of the world? Or that we can con­sume the lat­est tech­nolo­gies from oth­er parts of the world? And how togeth­er are we going to start to build a more resilient cyber­space, capa­ble of with­stand­ing the next gen­er­a­tion of attacks, the next gen­er­a­tion of threats, and more impor­tant­ly a cyber­space that will sup­port and build the next gen­er­a­tion of oppor­tu­ni­ty and inclu­sion. Thank you very much.