Internet Governance Forum 2
Rio de Janeiro, Brazil
14 November 2007
Security Session
Note: The following is the output of the real-time captioning taken during the 2nd Meeting of the IGF. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>>YOSHINORI IMAI: Hello, the panelists and discussants, will you take your seats? We are ready to start. We have only one panelist on the stage. And you are the second. Good afternoon, ladies and gentlemen. We now have all the panelists and discussants. Can you see me? I'm a little short. But I decided to stand here in between the panelists and the audience so that I will be able to make it more lively, having the discussion interactive. My name is Imai, Yoshi, please call me if you like. I am a Japanese television presenter. And this is my second time to be at IGF. I have a couple of questions that I may ask myself, too. How many of us feel very safe or secure when we are online every day? And how many of us who are operating organizations, running companies, feel secure about your business? I would say no one can say "yes." We are not safe at all. But we cannot live a day without the Internet. We Internet users are entitled to expect security. Here today, we are turning to the distinguished panelists, stakeholders on the panel, to satisfy our rightful demand, or at least show us convincing determination to take a lead in this war against cybercrimes. Now let me introduce you to the chairman of the session, Mr. Antonio Tavares. Mr. Tavares now sits on the board of the Brazilian Internet Steering Committee. And he is known as one of the first entrepreneurs in Brazil to start, to launch an ISP. And he is also twice a member of the ICANN Nominating Committee. Mr. Tavares, will you give us your opening remarks now.
>>ANTONIO TAVARES: Thank you, Imai. Good afternoon, everybody. I will address my speech in my Portuguese. Good afternoon all. Thank you very much for the invitation and for the honor of presiding over a session as important as this one on security, maybe the topic that concerns us most, all of us. I thank you for attending this session. And I would like the panel to be not just the most important, but the one giving us results that will be a very strong contribution for the Internet to be increasingly safe. Even if we know that security is in real life and in virtual life a constant preoccupation, we know there is never such a thing as total security. Throughout times, it has been proven that to improve security is like a race of cats and mice, or as the police say, criminals are always one step ahead of security agents. In virtual life, and especially in the Internet, it could be -- it could not be different. The dream of a world of purity was always just a dream, and we find daily difficulties today which are new and unthinkable that we have to stand up to with courage, creativity, technology, and, above all, with education. Often, several segments of society, or even governments, present solution proposals, unfortunately, not always adequate in a world where the absence of frontiers, freedom and the plurality of points of view, habits, or opinions hardly afford hegemony. This is one of the reasons why very few people believe security problems can be solved with legislation, unless, of course, in what is new, in what proliferates in the network without precedent, like viruses, worms, et cetera, crimes that did not exist before. And this is why they are not provided for in existing legislation in any country. In Brazil, we can identify that more than 95% of crimes carried out on the Internet are provided for in the legislation. We are talking here about the criminal code in Brazil which dates back to 1940 and '41.
Obviously, there is complementary legislation covering the evolution of crimes, so much of the crime in the Internet is already covered. Anyway, we understand the Internet as a cooperative action for building and for a new society. And having faith in intense cooperation, we believe we can consolidate strong tools for communication, growth, and integration. Obviously, we must pay attention, because an increasing number of individuals and companies, because threats don't stop. We need a huge effort of education, because it's not enough to provide schools with computers and wideband. We need to prepare educators. No matter how much we want, parental control cannot be efficiently used yet, because the Internet, in a very curious manner, and because it is new, it inverts hierarchy, and very often, children and adolescents know a lot more than their parents. And they learn very quickly how to evade the filters brought in by browsers and parental control. It's not by chance that everywhere in the press, there's an international concern. And the Secretary-General of the United Nations worries about the evolution of criminal organizations in terms of pedophilia and all of these cybercrimes that start now to put together strategies to change places and using fantastic economic resources to attain their goals, which are regrettable. All of us must be aware, we have to take care of the future of our children. Now, this morning, it was said, we were talking about human rights and about privacy. A lot still has to be said about the struggle against child pornography and pedophilia very firmly and with cooperation among all cultures, all languages, all habits, and without any restriction. We cannot make way for crime. Firmly trusting security, we can see technical solutions coming to protect us, such as the DNSSec collaboration among governments and legal authorities are beginning to -- is beginning to intensify. 
And together with technology, they will help us get to the point we all hope for. Our hope is that the light shed by this panel, with different points of view, different opinions, and different positions will be a great contribution to the development of the Internet, and that this event, that Brazil and the IGF carried out, that this should become a very important historic landmark in the history of mankind. Thank you very much.
[ Applause ]
>>YOSHINORI IMAI: ...now, for the next two hours, I would like to give you how we are going to proceed with the session. First, we ask each of the six panelists to make their points in four minutes -- in four minutes -- and then we turn to six of the discussants, sitting in the first row on the floor, to challenge the panelists, with only two minutes, though. And in between, we invite the questions from the floor, comments from the floor. So the ladies around will give you papers to question. And with the question, would you identify your name and affiliation. We will collect them here, and then I will come back to you when the time comes. And we will try to make this more interactive, lively session. First, let me introduce the panelists on the stage. From your left, I have the list here, Cristine Hoepers. And next, Huang Chengquing, Ralf Bendrath, and Mr. Tavares and Mr. Kummer. And Ms. Lamia Chaffai, Marco Gercke, and Zahid Jamil. Those are the six panelists today. And I would first like to invite Ralf to make your comments about the security.
>>RALF BENDRATH: Thank you very much. I'm not a techie, so I don't know too much about how to technically secure information networks and the Internet. I'm a political scientist. And my background is in security policy analysis. So I will try to give you some ideas of how important it is to make clear what we talk about and in which ways we talk about it. So, first of all, what is security in the first place? What is that? It's a very abstract concept.
The most basic definition of security is that it's control over the future. That's by a German sociologist from the '60s in a standard book on security theory. The thing is, the future is always open. You can try to analyze some trends, but you know from the weather forecast that, you know, it's not always 100% clear what happens the next day. So we will never get 100% security because of this. And that means the need for security can never be satisfied to 100%. There will always be insecurities and uncertainties about what will happen tomorrow or next year. So because of that, people who are active in the security field, especially security politicians, have a tendency to ask for more and more and more and more security measures, you know, because there's always some uncertainty around the next corner. So what we have to do, I think, in this course is to deliberately draw a line somewhere and decide when we have done enough for security and when we should focus on other issues. And, of course, one limitation for more and more and more security measures is limitations of resources, like money, personal attention, things like that. Another line for this would be binding norms like human rights or criminal law. So, for example, I cannot do everything I want for my security if it creates problems for the security or the well-being of others, of course. So that's the first thing. Security is never really 100%. And we have to draw a line and think about where it's enough. The second is, then, still what do we mean with security. And here I want to just give you some examples of how the object to be secured can be really, really different. We have the very famous term "national security," security of the nation, of a society, which is actually pretty vague. To some people in civil society, it's actually a scary term, because a lot of things, also human rights infringements and so on, are done under the excuse of national security. 
But, of course, in the context of Internet governance and security of networks and how also nations nowadays depend on information networks, there could be one potential global governance, global public-policy issue that could be addressed maybe in the future at the IGF or elsewhere that could be arms control in cyberspace, you know. As more nations are entering the virtual arms race and are setting up cyber attack units in their armies and so on, I think there's a need for arms control. We did a big conference on that in Berlin a few years ago. So that's national security. Then, from a totally different perspective, you can speak about the security of networks, of the technical networks. Here, I and a lot of other people would say it might be better and more helpful to talk about reliability instead of security, because it makes much clearer what you actually want. You want the networks to be up and running and the data and the packets to flow. And one global governance aspect -- and this has been addressed here in a couple of workshops -- is more interaction, more cooperation on a global level among the security and emergency response teams and so on, computer emergency response teams. But here also, if you look at global public policy or regional public policy, like the Council of Europe Cybercrime Convention, for example, or how it was transposed into German law recently, the opposite of good is not always bad, but can also be well-intended. If you start criminalizing hacking tools that a lot of system administrators need for testing the security of their networks, then you might actually try to do something for security, but the unintended consequence is that you're less secure in the end.
>>YOSHINORI IMAI: Ralf, will you wrap up.
>>RALF BENDRATH: Okay. You could talk about the security of the end point, of the computers at the end of the network or security of companies, of businesses. I want to end with the security of the users, the citizens.
And this is probably, in the end, what it's all about, but also national security should be about. And here we need to talk about protection against fraud, protection against things like cybercrimes, and so on, but also about the protection of privacy. And we had a couple of very interesting discussions over the last days on how with latest technologies you can actually have better privacy and at the same time better security for the users.
>>YOSHINORI IMAI: Thank you, Ralf.
>>RALF BENDRATH: Okay. Thank you.
>>YOSHINORI IMAI: Now, the second speaker is Huang Chengquing. Please, Mr. Huang.
>>HUANG CHENGQUING: Good afternoon, ladies and gentlemen. I better speak in my mother tongue now. My name is Huang Chengquing. I'm from China. I'm the Secretary-General of the Internet Society of China. First and foremost, let me express my thanks to IGF for providing us the opportunity to have an interactive dialogue. (Two languages on audio.)
>>YOSHINORI IMAI: Will you just wait -- we are getting two sounds. Yeah.
>>HUANG CHENGQUING: Ladies and gentlemen. Good afternoon. Okay? Ladies and gentlemen. Good afternoon. My name is Huang Chengquing --
>>YOSHINORI IMAI: Still mixing.
>> Can I be heard?
>>HUANG CHENGQUING: Good afternoon. My name is Huang Chengquing. I'm from China. I'm the Secretary-General of the Internet Society of China. First and foremost, I'd like to express my thanks to IGF for providing this opportunity to have interactive dialogue, along with the development and application of the Internet and the work with the antispam and -- become. (Two languages on audio.) Face up to the challenge with regard to the spread of spam. (Two languages on audio.) (Two languages on audio.) In this regard, private companies have civil society --
>> They're having the same problem I am, your voice coming through, and so is the interpreter's.
>>YOSHINORI IMAI: Let me just check the system. Are you hearing two voices, two languages?
>> Frankly, I'm a little bit baffled.
I don't understand the problem.
>>YOSHINORI IMAI: What channel for the English?
>> English Channel is 1.
>>YOSHINORI IMAI: I have 1, but I'm hearing two voices. And you are --
>> Channel 1.
>>YOSHINORI IMAI: Okay. And transcribers have the same problem. Will you try once?
>>HUANG CHENGQUING: Ladies and gentlemen, good afternoon. My name is Huang Chengquing. I'm from China. I'm the Secretary-General of the Internet Society of China. First, let me express my thanks to IGF for giving me this opportunity to have an interactive dialogue --
>>YOSHINORI IMAI: We cannot understand. The red one. Will you cut it off?
>>HUANG CHENGQUING: With the development of Internet and wider use of Internet, the Internet security and the work against spam will be a very important work and challenge, because when the (inaudible) climbs one post, the devil might climb 10. We have to be united to face the challenge. In the face of spread of spam and more and more problems facing security, international commenter is ill-equipped. In this regard, civil society and private sector has made efforts, but the task ahead is tremendous. My suggestion would be the Internet security and the work against spam should be put on the agenda of the social work of all governments. In countering the threat to Internet as well as the spam, I believe there should be a cooperation on two levels globally. First is cooperation at the government level. Mainly, we are talking about administrative and judicial means to (inaudible) in countering crimes, or we can have a fast channel to deal with all the cybercrimes. Another level is private companies and civil societies and cooperation among them. Here, we are talking about the level at operational level. And there we deal with the sharing information on spam as well as emergency measures dealing with security threats to the Internet. In this regard, U.N. and ITU should play an even bigger role.
With the development of Internet today, the view that government should keep the hands off of Internet is wrong, because we, indeed -- we have to involve the government, in particular, in handling all spams. Take China as an example. According to the (saying name) company of the U.K., which is an Internet company, the spam in China in 2006 in the first quarter only 2006, amounted to 21% of the global spam. It's listed as the top two. In March 2006, China announced the law on countering spam. And those who send spam will be subjected to certain kind of administrative measures which have won public acclaim. On the other hand, there's the working group on antispam in the Internet Society of China which has conducted effective work. They have conducted more than one million brochures for the public awareness campaign and also played kind of poker cards as to the educational means to counter spam. Private companies also join hands in producing a platform to counter the spam. They have a system of black list and white list. In October, again, this year, the same company from the U.K. announced that China's spam only amounts to 4.9% of the global total, down 16%. According to our own statistics, in the third quarter of 2006, the Spam from China amounted for about 59% of global total. However, by the end of March '07, all Spam have gone down by 4%. However, in terms of the Internet security, like phishing, and also by Trojans, and also the cyber attacks have gone up, far higher than the growth rate of the Internet. From June to July '07, we have an increase of 32% of users, and the stations have gone up by 66% and the mainframes have also gone up in a big number. However, we also have a much bigger increase that is more than 140% of increase of in reporting Spams. And Trojan attacks have also gone up a lot. All those security cases that have gone up that much, 34% of them originate from mainland China, and the rest originate from other parts of the world. 
So I believe the reason can be found in the hackers. In the past, they used to brag about their techniques, and now they are more have a commercial interest in mind. They have an industrial chain. And in face of that industrial chain, the legislative measures are lacking far behind. So they are not up to the task. Although the companies have done a tremendous amount of work, but international cooperation is not catching up yet. I believe this should deserve the attention of all and you and other bodies should play an even bigger role. That's my opinion. Thank you.
>>YOSHINORI IMAI: Thank you very much. I am sorry for the disturbances in the audio. Next, the third speaker, Marco, please.
>>MARCO GERCKE: Thank you very much, ladies and gentlemen. It was pointed out in the beginning that it's questionable if legal standards will help us to fight effectively against cyber crime and security. I would nevertheless like to point out the importance of legal standards. We have excellent technical standards. I mean, they were developed for a different purpose but we can use them very well at the moment. And it's fascinating to see that there are people in this room that will very likely not all share the same political ideas and not even using the same kinds of machines. But we are using the same technology. And it's working. It's the basis of our work. If you don't accept the technology, you cannot communicate in that network. We don't have those standards with regard to laws. We don't have single legal standards at the moment, and that is causing a lot of trouble. The chairman pointed out that in most cases, there are sufficient substantive criminal law provisions. And I do agree in many countries we do have sufficient criminal law provisions, but the difficulty that we are facing is the fact that law enforcement agencies do need to cooperate, and that is something that is lacking at the moment.
It does not help you if you have sufficient instruments in place if you cannot cooperate with other law enforcement agencies in a very quick level. Currently, we are still using traditional instruments that take weeks and months, and as you know, there's evidence that you might need to trace offenders back might be available for only minutes or hours. So we need to change that, and this is something we need to address. Currently we have only one international convention in place that addresses these difficulties which is the Convention on Cybercrime from the Council of Europe, which was the topic of a number of workshops. And it was very interesting to see how people were dealing with the convention, how far it helped them. This convention is signed by 43 states. And that's for sure not all in the world. And if you look at the signatures, you will realize that it is signed by countries that are well developed, that have very good technical infrastructure, and that realized how important legal basis and international cooperation is for them to protect their e-commerce businesses. So what was achieved by this convention already is that with having countries like the United States to ratify it, those countries that are providing services in the Internet, very important infrastructure services, are on board. And law enforcement agencies from anyplace in the world who have similar legal standards can actually contact them and cooperate with them in a very quick way. What the convention has not yet succeeded is to address more countries from developing countries. More countries in this area. And in since 2005, the number of Internet users in developing countries is larger than the number of Internet users in highly developed countries. So what the plan for the future must be is to protect those users, to protect the potential victims from cyber crime and improve legislation there. 
And in this context I would like to point out the work of the ITU that is addressing the challenges of developing countries all over the world by providing assistance, what they always did, to try to help them with standardization. And they were pointing out the importance of the convention on cyber crime as one model, and helped those countries to improve the standardization already. We need to continue this. It cannot be the end. We need to continue this in the future and get more people involved in this discussion. So what I see as the main advantage on this convention on cyber crime at the moment is that the convention has a committee where all signature states participate and can continue to develop further legislation in this matter, participate in this very important process of standardization, legal standardization. So I'm very much looking forward to seeing more progress made in the developing countries. ITU is going to have a workshop in Cape Verde in about two weeks for African countries especially. They had one in Vietnam and one in Buenos Aires recently. So I see this on a good way, but there is a very long way ahead of us. Thank you very much.
>>YOSHINORI IMAI: Thank you, Marco. Now I would like to introduce Lamia.
>>LAMIA CHAFFAI: Thank you, moderator. Allow me to speak French. My name is Lamia Chaffai from the Tunis agency for the Internet. I will talk from a viewpoint of my country and from my region, Africa. Of course, we want to use the opportunities provided to us by the Internet, especially the national -- the digital economy, e-trade, et cetera, and all of this is only possible if we have an environment of trust and confidence to establish these services. And we see today in our region that it's very important to have an awareness and the whole training concerning security. I will mention that Tunisia is the only country with a center to respond to incidents.
It is the computer emergency response team, and we would like to see more countries adopt this kind of structure. It is, therefore, essential for us to optimize our resources so as not to become victims, as was said before. Today, if we ignore the risks of security existing in the Internet, we end up being a tool for attacks without intending to. All of this will be exploited by attacks. So it is necessary for the civil society and for the private sector and for regulators to be aware of this and adopt regulations and technical solutions. In the field of transactions, in Tunisia we have legislation on e-trade. We have a certifying agency using the public structure. And we also have an infrastructure forum, public infrastructure forum for Africa. And we hope that all African countries will be able to use e-trade. However, nowadays, in terms of standards to recognize safety, there are two international standards for the recognition of trustworthy individuals. And it is necessary to have standardization and rules in order to have international confidence. It is essential for developing countries and for emerging countries to join in this effort for security. In Tunisia, we work against cyber crime, and this is essential -- it is essential for everyone to work together in this respect. Thank you for your attention.
[ Applause ]
>>YOSHINORI IMAI: Now, Cristine.
>>CRISTINE HOEPERS: Good afternoon. As we have all seen this week in the security sessions and in security panels, we are talking about security in several levels and we need policy and we need legislation but we need technical measures. And as I come from a CERT, from an incident response team, I am going to focus on some of the technical issues that were not talked about here this week that are some of the fundamental causes of several problems we are having today that need to be of concern of governments, of civil society, of operators, of everybody.
As an incident response team we see all the problems during our day-to-day work. We help networks recover, to mitigate, to try to not have a big impact in the day-to-day attacks that we see. And we try to do postmortem analysis and try to see what happened, what caused those problems, why we had this worm and that bot and that vulnerability, why we had that compromise, what is the actual biggest problem causing all of this. And we are training people here to try to deal with this problem but we are actually focusing a lot on training. So we are having people already there, already doing the network and security. But I would like to say that most of the problems we have today, they come -- they are there, out there in our area for more than 20 years now. So we have some basic problems in the software development, we have some basic problems in the implementation of protocols. So these are some of the major problems that we can only solve if we think about how we are going to prepare our next generation ICT professionals. So how are universities today teaching about how to think about security when you are designing a system, how to think about security when you are implementing a system or implementing a protocol, or implementing a standard, because at the end, we can come up with protocols and standards, and a lot of solutions. But if they are poorly implemented, if they have problems and security problems in their coding, and in their design, we will still have problems and we will still have worms and we will have someone trying to exploit the very technology that we are using to protect ourselves.
So one of the things that I think we need to think about is how we introduce security mindset, so to speak, or how to have, really, people who are in the engineering schools, computer science schools actually preparing our professionals for ICT, to think about security in the whole process, and not actually thinking about secure coding or secure development or thinking about, okay, I am doing this now, this network, this protocol, this standard, but where is it going to be implemented. There will be someone interested in attacking that. Am I using good practice to implement it? And think that you have people implementing those systems, so they make mistakes and you can still have problems arising from that. But if they are, since the beginning, being taught to be security minded and think about the security problems we may have, we can mitigate. We will not have a perfect world or perfect protocols or Internet, but we will have less problems and maybe we can deal and manage better the problems that we have. So I am not actually talking about critical infrastructures or incident response as a whole, I need -- I think we all need to leverage from the CERTs that are already out there, from the technical operators and the technical community that is already there and doing a lot of work and solving the problems but we also need to think about the future and we have the Internet and we have at the end all those problems migrating from cell phones, from 3G, from next generation of networks. So just to have in mind we need to deal with the problems now and all the attacks but we need to prepare the next generation professionals, too. Thanks.
[ Applause ]
>>YOSHINORI IMAI: Thank you very much, Cristine. Now let me turn to Jamil.
>>ZAHID JAMIL: Honorable chair, Mr.
Secretary, I come from Pakistan, I am a lawyer, and in my country, you must have seen in the news the terrorism, money laundering and all these things are an issue and the government is making efforts trying to fight those. I am going to give you a brief as to how cyber crime and the convention on cyber crime and legislation has an impact in developing countries. So bear with me for a moment. The example of Daniel Pearl, the U.S. journalist who was unfortunately kidnapped and murdered in Pakistan, was an example where the only way investigation agencies could really trace down to find out who the kidnappers was to use cyber forensics. At that time, unfortunately, use of certain cyber crimes that were used as part of aiding and abetting this exercise were not crimes at that moment. So we had to come up with new legislation, I drafted the Electronic Transactions ordinance in 2002. But obviously that was not enough, and the government has been now trying to come up with the cyber crime law. We gave them the cyber crime convention as a model, and while this effort was going on, at the same time when I was in Athens, and I am focusing on the enhanced cooperation of the IGF and how important these sorts of meetings are, we were able to get the Council of Europe to get interested and involved in this process. That was excellent. It created capacity building, awareness, and also brought technical knowledge to many of the people. Interestingly enough it wasn't just government. It was business and civil society in Pakistan that were able to sort of talk with some knowledge about this issue and then lobby government. Various aspects about the balancing of openness against security, where is the right balance, looking at issues as liability of ISPs, cost of compliance, copyright infringement. And the most important Article 15 of that convention, procedural safeguards, independent judicial supervision. These are very, very important to us. 
And this is a process that's still going on. But it was difficult to say, "Look, we are not in government. We're not policymakers, but we are business and civil society." So how did we make it happen? After a lot of lobbying, things still weren't being heard. What we actually did was put a lot of this stuff on YouTube. And the moment it went onto YouTube, a lot of what it means, not just the legal jargon, what it means to the common man, to an artist, to a journalist, to a media person, what does it mean to have this sort of Draconian legislation as it was in that form earlier and not comply with the Council of Europe convention, not comply with safeguards, and not have harmonious definitions. Obviously, that would not assist in the fight against cybercrime, fight against cyber terrorism. Those are the sort of things we came up with. And I think there you saw civil society in APC and ICC/BASIS really cooperate and come together. I think it was an excellent enhanced cooperation idea. As far as this process led to a lot of discussion on compatible legislation, we said, oh, obviously if we're going to have someone -- we spend a lot of money on investigation -- take him to court, and then find that the crime he's being tried for in Pakistan is not the same definition as abroad, but he's tried somewhere else, that man is going to go free. The harmonious definitions are very important. The one thing we need to find is basically harmonious legislation. I want to concentrate on that point as I'm speaking. Because the Council of Europe convention pretty much is the only document we have. And I think that is the first step that we need to focus on. Other aspects, other efforts, I think we need to start realizing this is the key point. We need to all sort of come together and say, this is the first foundation, sure, there are things that can be done in addition to that. We've seen the western democracies sign the cybercrime. The U.S. ratification was a very important step.
It comes to developing countries where these originate from, the other side of the coin. And in that respect, I think the Council of Europe outreach program, the -- going to these countries and to get them to sign up and ratify, will be extremely important. Any other efforts to delay this by creating confusion, by saying "There are several other processes," will only delay the harmonious, effective fight against cyber terrorism and against cybercrimes. I think that is very important. One last point I would like to stress upon is that I don't think it is, in response to a certain point made earlier, it is not the mandate of the ITU to regulate the Internet. And I think that is something that has been stated by the general secretary earlier when he took office. I think that needs to be sort of considered in this whole context as well. Thank you. [ Applause ] >>YOSHINORI IMAI: Yeah, thank you very much, Zahid. We are inviting questions from the floor. I see quite a few people coming in after we started. Will you submit the papers with question, your name, and affiliation. We have already some questions. I would like to invite first a couple of questions. Will you please identify yourself and then if you have a certain person you want to answer, will you please give us the name. First, I would like to have Alun Michael. Oh, yes. Microphone to him, please. >>ALUN MICHAEL: Thank you very much. I just want to make the point that whenever there's a problem, the public demand more laws, more regulation. And the problem is that laws rarely prevent what they forbid. And the speed and penetration of the Internet means that a traditional approach can never keep up. So we must agree, mustn't we, that we need a cleverer approach. Too often, security is an add-on, and that's useless. Security and enterprise development must be developed together, as Cristine Hoepers said in her contribution. 
So that means that industry has to take the lead in tackling crime and nuisance on the Internet. But they have to do it in partnership with civil society and government. The way I put it is that, being accountable is the price for not having heavy and bureaucratic legislation and regulation. So the answer to Marco Gercke's challenge is not more laws, not legislation, it's cooperative governance. So in the U.K., we're establishing a crime reduction partnership with industry lead, but overseen by the four-part governance of parliamentarians, civil society, that is, NGOs, along with government and industry. And the focus has to be on the needs of citizens, that is, on all users, not just big users, and their concerns. Isn't that the way forward? >>YOSHINORI IMAI: Yeah, Marco. >>MARCO GERCKE: Thank you very much. An excellent comment. And I would like to pick up one of the challenges that law enforcement agencies are actually currently facing to further develop what you just said. Cooperation on a technical level from the industry, as well as law. Take encryption technology. If as an offender, you're using encryption technology and you have a proper password, it is nearly impossible to break the encryption in an adequate time. So there are a number of possibilities how we can address that. We can have technical solutions or we can have legal solutions. And if we're talking about legal solutions, we need a balance. And if I'm very happy that you pointed out the U.K., because the U.K. has just undertaken legal measures that I cannot accept from a civil liberties perspective. What the U.K. has -- with the regulation of investigatory power of the third part has come into place and that allows law enforcement agencies to order anybody who is using encryption technology as the suspect of a crime to hand out the password. 
And if he refuses to cooperate, even though the law enforcement agencies are not able to prove that he committed a crime, he can be sent to justice by only refusing to cooperate and hand out the password. That's a legal approach where I can fully agree to your position, we don't need those laws. We don't need overregulation. But we need a legal basis. Because take spam. The industry did not effectively fight against spam on their own. So we need at the end, if we are realizing it doesn't work, to prevent it. Then we need at least the law to be able to prosecute those offenders. That's the last step. I don't want overregulation. Let me make this clear. We don't need additional laws if there are laws in place. I don't want the Internet to be more regulated than outside the Internet. But we have criminal laws in place outside the Internet, so I just want the same kind of protection inside the Internet. And last point, within finding this balance, we're in the process. We did not yet find it. When people in 30 years will look back, they might say, "Well, there were challenges, but you did too much. There was too much legislation in place." I don't want this. I want this to find the balance and discuss that. >>YOSHINORI IMAI: Thank you, Marco. One more question I'm picking up is from Gadi Evron. Will you be brief and articulate, please. Yes. >>GADI EVRON: So you know me already. Thank you very much. I see you know me already. Thank you very much. My name is Gadi Evron. And I'm with Afilias. I would like to make two quick points about the process that I have seen in the past few days in the IGF. First of all, thank you all for being on the panel and expressing what you have. And for China, admitting internal problems and showing visibility that we have not seen before, leading the way here. We appreciate it. Thank you. We have two problems. 
I come from the operational and technical community, people who have basically been cooperating -- sorry, have been cooperating globally nonstop for several years. When we talk about establishing communication, when we talk about information-sharing, when we talk about problems, these already exist. My goal here is to try and find the regulators, the policymakers, and tell them I don't know how to talk to you. We don't know how to talk to you. We have real problems. Our problems are, for example, complete inability to work across borders, being back channels ourselves for law enforcement as well as we lack leadership. We can lead ourselves, but when it comes down to it, we cannot in any way rely on goodwill-based relationships to keep the Internet together for that much longer. And, thankfully, the Internet is not going to die tomorrow. But what I would like to request from the panel is your take on how we can potentially, hopefully, reach a better understanding between the people who actually do this daily, international cooperation on a very large scale, and how can we move what we do to your level? How can we communicate? And a second short part of this is, with the emergence of large-scale attacks, such as in Estonia, and with the impact that these have on economies, how do you see that critical infrastructure changes and how do you believe this can be impacted when the infrastructure used for these attacks is basically the same infrastructure as cybercrime, and so far, we have been far behind and losing? Thank you very much. >>YOSHINORI IMAI: Are you addressing the question to -- okay. Is anyone ready to answer the question? Yes, please. >>ZAHID JAMIL: I'm not exactly an expert in how to fight them. But I would say three basic steps, which I can highlight, and I'm sure other people would add to this. Number one, I think you need to reduce the safe havens that exist globally. 
And the way to do that -- and I may be repetitive in what I'm saying -- is to bring in harmonized legislation that criminalizes the acts that we're talking about. I think that's the first step. The second would be, because you need to get rid of competitive advantage in being in a different location and, you know, being able to use this crime, because it becomes a financial benefit to the people who do it. The second is awareness. I think that was mentioned on the panel here earlier in the opening remarks. And the third is better technology, encouraging business to be able to handle that. So I think these are the three basic things that need to be done, at least. And one last point. I think it was mentioned in one of the workshops yesterday. You need to train law enforcement, and you need to train your judiciary. I think that in most developing countries, you've got this very serious problem. Sometimes the investigatory authorities are getting funding, et cetera, the interior ministry pays them. In my country, they didn't have a budget there for seven years. Only now maybe they will get it. And that's just an example. But as far as access to justice and training judges is concerned, who actually have to understand this problem, it's just really not even there in most places in my region. So I think that needs to be done. >>YOSHINORI IMAI: Well, other than panelists, we invited six experts of this field who are sitting in the first row. Let me introduce, from -- Izumi Aizu. And Anne Carblanc. And George Greve. Malcolm Harbour, Katitza Rodriguez Pereda. Yes. Five of them are here. And I would like to invite two of the discussants, challengers, first, Izumi, are you -- >>IZUMI AIZU: Okay. >>YOSHINORI IMAI: -- ready to -- >>IZUMI AIZU: My name is Izumi Aizu, and I have been on ICANN's At-Large Advisory Committee for more than four years to bring the individual users' voices to this ICANN process. 
Having done that, I think I know a little bit about the individual users maybe. But on the security, first of all, how many of you know how many people are killed by traffic accidents every year? There's some official statistics. Vint? >>VINT CERF: At least 150,000 people a year, maybe more. >>IZUMI AIZU: Thank you very much. 1.2 million. Of which 15%, according to some news, is in China. But it's -- So why do we talk about the cybersecurity? At least as far as I know, there is nobody killed on the Internet. Maybe the use, it's getting more serious by the use of the Internet. But at least Internet doesn't directly kill people. But still, we need to work on that. Well, to skip the rationale, my just one comment is, I agree with most of the speakers, that we really need to have a global framework, especially on the policy and the governance side, if not only the operation. Operational side, the CERT guys are doing a great job, although we have only one CERT in Africa and very few in the developing countries. But we really need this multistakeholder approach to be more enhanced into the security policies. And as somebody -- you said about the leadership. I have to -- I haven't really seen the strong initiative to bring all these guys together from north and south, from civil society and experts, law enforcement. They somehow are still in some isolated islands. That's my view. If you have any response to that, I appreciate that. Thank you very much. >>YOSHINORI IMAI: Yeah. Marco. >>MARCO GERCKE: Just a very quick one. The example with traffic accidents is excellent from my point of view. And I'm often relying -- referring to that as well. But I'm going to ask you another question. How many percent of U.S. businesses do you think believe that the costs of the damages caused by cybercrime are more than by traditional crimes? It's 60%. And I'm not a great fan of statistics when it comes to the Internet damages. 
But if you just have a look at the estimated losses caused by identity theft in the United States or by virus attacks just in the year 2003, which was more than $10 billion U.S., I think we might come to the conclusion that not because only of protecting life and health, we need to ensure that we have sufficient laws in place. But let me just take the life that you mentioned before. We have an expert here from the Council of Europe who was just involved in drafting recommendations for Internet medicine or how you can order into that medicine. There are many people dying because they're ordering medicine on the Internet which turns out to be fake products. So maybe you should include that in the statistics. >>YOSHINORI IMAI: Okay. Anne. It's your turn. Do you have the microphone? >>ANNE CARBLANC: Thank you. Thank you very much. It's a pleasure to be here. Thank you for the panelists for this very interesting discussion. I work for the OECD. That is an intergovernmental organization which works with business, and increasingly, with civil society. We are at the origin of this expression "developing a culture of security." The OECD does not develop binding instruments, especially in this area, but instruments that try to help develop a kind of new mindset so that people, all participants, will have a role in security. The panelists said very interesting things. I noted that there's not 100% security which is possible. But we have security at different levels, which makes things difficult. But there are legal, technical, educational responses. And that cooperation is needed. So I come to my question. Different models for cooperation are possible, top-down, bottom-up, a mix of both, very inclusive, all participants, less inclusive, led by governments, collaborative with governments, business, and civil society. So could the panel tell us what they think the best model would be to ensure security more than today to reduce cyber criminality online and to enhance trust. 
Thank you. >>YOSHINORI IMAI: Maybe Cristine. Okay. >>CRISTINE HOEPERS: I think if it was easy to have, like, a global international and broad cooperation, we probably would be doing that. But some of the success cases that we see, usually when you see people cooperating, it's among a common problem or some common point that they actually would like to see solved or something like that. One of the things that we see today is that you have some societies that are, like, fighting antiphishing, and then they're doing the same things that some organizations that are fighting spam, and then they are doing the same things that the CERTs are doing. And then we have still other organizations trying to do what the same very organizations are already doing. So one of the things that I would suggest is, someone needs to look out there and to see where is the gap. If we have already a lot of people cooperating into the technical level and cooperating to fight phishing or spam or trying to come up with that, that probably is the gap. And one of the things, I think Gadi said it, we have a lot of people cooperating in the political level and in the technical level, but we need a link between that. And one of the panelists said about awareness. And some of the time it's not only really awareness, but speaking the same language. Because we sometimes are trying to achieve the same goal, but we are not necessarily reaching each other or being in the same place. So I don't think that there is a secret. But we see, especially with CERTs, what we do is we try to cooperate in what we can. We try to fill gaps in technical shortage that the teams have. So we try to provide knowledge, we try to share content that we develop. And this is kind of not so formal cooperation, but really works for us to share that kind of information. 
So maybe one of the things that we should look for is where are the gaps and how to get really more the policymakers and political level to talk with the technical people that are actually already doing a lot of contingency and work on the Internet. Anyone else? >>YOSHINORI IMAI: Yes, Ralf. >>RALF BENDRATH: I would add to that that probably sometimes it's important to have a clear differentiation of the specific functions. I would guess that you rather have a very, very good and global coordination of the technical community and not have too many policymakers mess with your business; right? And probably the other way around. I think that we have to make clear at which level the solutions are appropriate and not if there's a problem anywhere, call for new laws, or call for technical solutions if there's social problems. And another thing is, I would also urge the panel and the audience here to be really clear about what we're talking about. And this got a bit confused here when the example of medicine sold online and people may be dying because of that was brought. I'm not sure if that's really an example of cybercrime. That's an existence of a black market for medicine or fake medicine. That's a completely different problem. The same, I would say, is true for child pornography. The problem with child pornography is that there are children that are exploited, and really, really evil and ugly things happen to them. But it's not because of the Internet, and it's not a specific Internet problem. We had similar discussions in the World Summit negotiations when there was some language introduced on money laundering for terrorist purposes and so on, and we in civil society said this is not really a problem for governance, it's a problem for oversight, and there are already structures for that. 
So I'm a bit afraid that when crime that's happening offline also that has been around for ages and we never have been able to get rid of that 100%, just because this is also brought to the online world, into the Internet now, that we look at it from a different perspective and try to come up with technical solutions and things like that. >>YOSHINORI IMAI: Thank you, Ralf. Marco. >>MARCO GERCKE: It was my example, so I just wanted to quickly jump in. Absolutely right. I would agree. This is not a cybercrime. It's like I've recently heard somebody saying in the news that it's a cybercrime if you hit somebody with a keyboard. For sure not. What we have to take into consideration is the fact that the Internet enables a number of ways of distribution that we do not have in the real world. So it makes it, for example, possible to hide your identity in a different way. We need different instruments and we need to address those challenges. We don't need new laws in that case. So child pornography, if it covers files as well as printed material, that's absolutely sufficient. But when we talk about medicine, we just have to take into consideration that it is not the regular ways of distribution only, but it is done on the Internet. So we are talking about illegal content. We should just ensure that we are able to address those offenses in the Internet. And some countries, especially those with an old legal tradition, do not have those instruments in place in the moment. They sometimes really focus on tangible items, what we don't have in the Internet. So that is, from my point of view, what we should just ensure. >>YOSHINORI IMAI: Well, with me, I have a question from Emily Taylor concerning the meaning of security. Emily, are you not clear yet? >>EMILY TAYLOR: Thank you. In a multistakeholder preparatory meeting held in London last month, security was identified almost unanimously as the most important of the IGF themes for a U.K. audience. 
The discussions focused on security as meaning trust and confidence in online commercial transactions. What do the panelists understand the term "security" to mean in the IGF context? >>YOSHINORI IMAI: Whom are you addressing the question? Anybody? Yeah, maybe going down from Zahid. >>ZAHID JAMIL: I think, in my understanding of the IGF forum, I think that is a rather narrow definition of what security might mean. I think for developing countries, and in particular context of IGF, security could mean a whole lot of other things. It's not just that particular aspect. And that is precisely what you see here. So I know the question is a little sort of broad, that's why, what would we mean by that. And I don't want to take it away from other people, but in my view obviously the legislation is an aspect, international, cooperation is an aspect, making sure that you have standards in the business community itself to be able to self-regulate, for instance, as an addition to that. In fact, the structures of NICs in themselves would come into play. But obviously that was not what was identified in London at that point. I will let others follow from this. >>YOSHINORI IMAI: Yes, Lamia. >>LAMIA CHAFFAI: I would like to speak about the concept of security. I think that it's a question of protecting, protecting the system, the networks of a country, or even on the international level. So the informatic systems, the explanations of governments and banks, so there's also the protection of the networks in the country and also protection of individuals as regards what they have. So, therefore, this is an issue of losses which can come from the attacks that come from the viruses or identity theft in the country versus just recently a question was asked about international cooperation. It is also essential to have a local national strategy. There must be an awareness about the importance of the issue of security, not only government but also in the private sector, civil society. 
You have three partners together that we will be able to achieve the objective of security. In Tunisia, we work a lot in training security auditors. You must have skills to do the audit of systems and to ensure the health of the networks and applications in order to be sure that we are protecting all of the wealth of information we have. Thank you very much. >>YOSHINORI IMAI: Thank you, Lamia. The question is how do you understand the term security in the context of IGF? >>HUANG CHENGQING: My understanding is that security is a kind of a balance. I believe that security is relative. Prevention before the event is a necessary condition. It's not sufficient, especially in terms of cyber security. Prevention is very important in adopting technical measures, legal measures. And these are necessary conditions and not sufficient conditions. More importantly, we need to establish when there is an event taking place we should have emergency response, such mechanisms. When such a case happens, how to solve the problem and keep the damage to the minimum. There are two levels. First the prevention before the event and also how to have the solution to solve the problem when the event has taken place. Thank you very much. >>YOSHINORI IMAI: Well, I have three discussants in line. Georg, will you please. >>GEORG GREVE: Thank you very much. Thank you for the invitation for being here. Thank you very much for the interesting presentations, many of which I found extremely interesting, I must say. There are a couple of things that I am tempted to comment upon, including Spam and the question of paper crime versus cyber crime. But having a technical background, allow me to give my personal experience on the issue of security. And that revolves largely around the relationship between security and transparency and control. Ralf said security is control over the future, and in fact I found that rather fitting. And I would also agree with Ms. 
Hoepers on the educational aspect of technology. In my experience, transparency is one of the ultimate factors to security, because while security through obscurity may seem logical, it is a fundamentally flawed concept. We can show this through mathematics. There is a mathematician (saying name) who has proven that a system that relies on secrecy for its security is inherently less secure. But you can also explain this in normal human speech. Think about a lock and a key. When you have transparency in the technology, in the design, you are discussing in a transparent and open way how to design a lock, how to create a locking mechanism so we can create the best locking mechanism and we can find the flaws it has to fix them. That does not necessarily mean we hand out the key to the lock we put into our houses. And that hooks into the procedural issue, because in order to be able to engage in this process of fixing the mechanism, we must create awareness for this, ultimately from the early start on. We don't want to redo the whole lock after finding out that our design was fundamentally flawed. And the second part is about control, about control of the software we are running, because ultimately, the Internet, every application, our operating systems, all of this is software. If we do not have control over the software, we cannot control our environment. That is why, from my experience, for instance, free software, software that has the fundamental four freedoms to use, study, modify and distribute, that gives it to all users, is the most sustainable choice in the long run because you can never lose the control over the software. So my question to the panelists would be (A), do you have response to this, and, (B), what do you think does this mean for our policies and our procurement choices when we talk about Internet technology? Thank you. >>YOSHINORI IMAI: Is anyone ready to answer? Oh, yes, Zahid. 
>>ZAHID JAMIL: Yes, this is the open source argument and the argument that open source is the only secure mechanism of having security. First of all, I don't know about the analogy starting with the whole preconceived notion that if something is broken -- I don't know about it being broken at the moment. I think we are evolving. So yes, we need solutions to problems that arise on a daily basis and so how people use the cyber world and the Internet, et cetera. But coming more to your point, I think especially from a developing country point of view, we are, like India, like China and others, approaching a stage where we would like outsourcing to come to our country. We would like to be able to develop software. And so the next stage in the 21st century is not about industries alone. It is going to be about innovation. The countries that innovate are going to be able to grow economically. In order to make that happen, innovation has to be protected as well. The incentives, in my country, for instance, in Pakistan, for a software developer who is not able to take advantage of a software, whose software can be transferred to somebody else, maybe in India, for example, or China, then I think that will have a very major impact. At least it is a vested interest from a developing country. So from a developing country point of view, which is usually not the case when this argument is made, I think it's a very important aspect that the intellectual property rights to software should be protected. I think open source is not the only solution. It can be a solution for certain aspects but not the only solution. And that does not mean we should get rid of proprietary software. So I think that's an area developing countries are going to have to concentrate on for their continuing growth. I know also that there are a lot of policies being developed by governments for open source. 
But basically what they end up doing is ensuring that those proprietary softwares which could be offered to those countries, which are also secure, maybe of a better quality also, sometimes, cannot even participate in those tenders. That's a way of keeping people out. When you keep people out and you keep best practices out from growing economies, what ends up happening is we don't learn from that. And technical assistance and quality doesn't come to those countries sometimes. And I have seen that happen sometimes in my country's bidding. >>YOSHINORI IMAI: Ralf, do you have anything to add? >>RALF BENDRATH: I won't go into the free software debate, but maybe to say something about your first argument, the relationship between security and transparency. You can even take that analogy further. We, from the privacy community are, of course, very afraid of overly intrusive and overly broad surveillance mechanisms, and especially because many of those are not transparent. That's not especially related to cyber crime and Internet security, but of course a lot of data collection on individuals and profiling and so on happens because they go to the Internet and do stuff there and leave the data there. And then you sometimes get a higher interest rate for your consumer credit. Some people end up on no-fly lists. Sometimes Spam -- not Spam. I mean sometimes normal, legitimate e-mail gets eaten by Spam filters. And people don't know why this is the case and how they can prevent it, what they can do about it, because a lot of these mechanisms are not transparent and are not open. And that's the asymmetry that's created if you address security problems by earlier surveillance, because most surveillance schemes are not transparent. >>YOSHINORI IMAI: Now let me introduce a question from -- yes. Marco. >>MARCO GERCKE: Very quickly. Thank you so much. I think technical solutions can be a solution for the challenges that we are facing with regard to security. So no question. 
But I think that open source as the only solution or the one solution is, from my point of view, not right. If we would get somebody from Microsoft to stand here next to you, he would have given us so many good arrangements for keeping those mechanisms secret. I mean, if we're looking at the Internet infrastructure and we look at the servers, I mean, I don't want to offend Microsoft, but I have my doubts that many of them are working with a Microsoft operating system. We're using Linux for them. And nevertheless we are facing difficulties. We're facing challenges. So open software is for sure something we need to discuss. But with regard to security as a main arrangement, I find it pretty difficult. >>YOSHINORI IMAI: Thank you. Let me introduce -- oh, yes. >>LAMIA CHAFFAI: Allow me to add a comment concerning the security of hardware and software products. There is a problem with security related to products delivered to consumers. There are new standards and assessment methodology adopted by several countries in the world. And this allows for an assessment of the level of security of a hardware or software product. Well, the adoption of these methodologies is costly. The country needs to have assessment laboratories according to methodologies that are difficult, especially if we want to have high security. And for developing countries, for instance, it's very difficult nowadays to be able to have the assessment of a product to be recognized and sold at the international level. This is a challenge for us. We have dealt with this issue in Tunisia, and we have installed an assessment laboratory with high criteria, with common criteria, with FIPS, in the United States. This is costly and it is a big challenge for developing countries. >>YOSHINORI IMAI: (no audio). Alexander Ntoko. Yes, please. You are from ITU, I understand, yes? >>ALEXANDER NTOKO: Okay. Thanks for giving me the opportunity. 
I've heard a lot about, you know, what ITU should do and what ITU shouldn't do. But I think our colleague there from Pakistan should -- as a lawyer, you should know that this is not the venue or the forum to discuss the mandate of ITU. And ITU has never mentioned that it is going to regulate the Internet. So I think maybe you should focus on the areas where you have competence and leave intergovernmental politics to those who can deal with it. Thanks. >>ZAHID JAMIL: Can I respond to that? I think my dear friends -- maybe there's a misunderstanding. There was a comment made earlier today that the ITU should regulate. I don't know if you were -- had your translator on. But that was somebody who made a comment on the panel that ITU should regulate the Internet. This comment was made on the panel. It was up here as well. And I was responding to that saying that the ITU's mandate is not to regulate. This is not something that they've -- actually, I'm agreeing with you and you're agreeing with me. >>YOSHINORI IMAI: I have quite a few questions with me, and also two discussants in line. Malcolm, will you have your comments or question. >>MALCOLM HARBOUR: Thank you, Chairman. Malcolm Harbour. I'm a member of the European parliament. So many of the issues that we've talked about in terms of policy-making do come in my direction. And so I just wanted to make a few observations, I think, about the sort of public-policy priorities and how we move forward. There's been a lot of interesting points made about the real impact of lack of security on consumer confidence, people using the Internet, and on criminal activities. I think that the one thing that we wouldn't dispute that the use of the Internet for certain types of criminal activities has made them easier, but, more importantly, it's moved them onto an international scale in a way that we've never seen before. 
And, therefore, I agree with a number of the panelists who have talked about issues around having, if you like, some common definition standards and the possibilities to prosecute and deal with people across borders. But the fact remains is, you've got to catch them in the first place. And I think that the area which -- where we need to continue to step up our international collaborative efforts has got to be at the operational level. It's all very well having a harmonized legal system. But if you haven't actually got the information and speedy flows of information to deal and stop criminal activities, no matter how many wonderful legal provisions you have in place, you're never going to catch anybody. And so that, I think, is the most crucial area. And there are a number of initiatives being taken, things like the London agreement, which hasn't been discussed very much here. But it seems to me that the international community needs to step up its operational collaboration, its reporting systems, its computer emergency response teams, some of the things we've talked about here. And those are sort of the imperatives that we at a political level, members of parliament, are entitled to ask for that to be stepped up. But, of course, I think there are broader and more critical issues to be dealt with, because we all know that our societies in all countries, certainly in developed economies more so than others, are becoming entirely reliant on resilient -- and I think that's an important word we haven't heard -- resilient and secure information technology networks. We had a little analogy earlier on, a bit of a debate about how important Internet security is in terms of personal health and welfare. I mean, all I would say is that if somebody determinedly attacked the air traffic control system in any one region and managed to disable it for half an hour, we would be facing an extremely dangerous situation. 
So the critical security, the critical infrastructure does need to be protected. And that's an area where we also need to step up more international collaboration. Because that is absolutely international. And where do we need the redundancies? Where are the weak spots? And there's a lot of collaboration going on. It's not something that will be done publicly and very transparently because we don't necessarily want people to know about that. But, again, I think we are entitled to ask for that to be stepped up. And those who have studied what went on in Estonia, a member of the European Union, the cyber attack there, will see exactly what sort of damage can potentially be done to an economy unless we have those sort of resilience measures in place. And I would suggest that is a priority that we need to move on and look at. [ Applause ] >>YOSHINORI IMAI: Thank you very much, Malcolm. Let me introduce Katitza Rodriguez. Would you please. >>KATITZA RODRIGUEZ PEREDA: My name is Katitza Rodriguez, I am international policy fellow of the Electronic Privacy Information Center, DiploFoundation fellow. I like the position that everybody -- I will speak Spanish. Sorry. I liked the presentations by the speakers today. And I would like to focus on a special point. I liked what one of the speakers said, that the security cannot exist if there is no privacy. And we need security with privacy. No doubt, with time, the possibility to have personal information is very important. If we add to that statistical analysis and others, and if we have personal information determining our consumption standards or patterns, then a lot of infractions to individual rights can happen. Several systems allow lots of data to be available on individuals. Unfortunately, in Peru, these data banks are in the black market, with our names, addresses, salaries, driving license number, et cetera. 
So I wonder, wouldn't this allow for identity theft and shouldn't the states approve data protection laws and take care of the enforcement of the law? And a second question. My computer failed, and I cannot read the questions I had written down. The second question is relative to education and security. This protection is necessary to protect users against privacy invasion. Don't you believe education is important? But governments should also approve data protection laws. I would like to give you an example. In several Latin American countries, the right to communications is a matter of life or death, including journalists can be murdered for giving certain opinions. So these types of tools to protect the privacy of communications are essential. Thank you. >>YOSHINORI IMAI: (No audio). >>ZAHID JAMIL: Thank you. That's very important. As a developing country, I completely agree with you, we need to sort of sophisticate our legislation and our government's role in this. I'll give you an example of this. In my country -- I know your data is on the black market. But in my country, for instance, the national data registration authority actually sells that data to people who would like to buy it. It's a major privacy issue. And, actually, at the moment, I'm working on legislation to deal with these privacy issues. But I know that in our region, this is a major aspect. So I thank you for raising that aspect. That is, I think, linked to security definitely. And I hadn't thought about the journalists that you talked about. I think that's a very important issue. And I just wanted to agree with you there. >>MARCO GERCKE: I would just like to point out the importance of developing countries again. And that was something where I would like to come to your point. I think in Europe, the situation might be different. 
And we can really start concentrating on other aspects apart from law so we can really start -- when we were talking about Estonia -- to analyze technical issues and try to prevent that. But when it comes to developing countries, the situation is different, because what does it help you if you can technically trace things down if you cannot fight against those offenders based in your country that are actually responsible for that? And the classic example is the Philippines, where we've just had a conference two weeks ago, and those national experts pointed out again, we were technically able to trace them back, but we were not able to prosecute them. So the legal point is, from my point, essential as well. And I think we have to be very aware of the special situation of developing countries. There were some books on the market -- brought on the market in the last years that were trying to focus on the developing countries and explain their special situation. I think not absolutely sufficient. So the ITU is trying this approach again. And I'm highly appreciating their approach to address the specific problems of developing countries, with cybersecurity guides as well as cybercrime guides. So the educational aspect is, especially in those countries, very important. They're legislative. And then we can finally come to the technical solutions. >>YOSHINORI IMAI: Thank you. I have several questions with me right now. I would like to have three questions, and then give you some time to think over in answer to the questions. First, Elena Batueva. Oh, yes, in the middle. >> ELENA BATUEVA: We spoke a lot about information. And I would like to make a comment on the international security of information. >>Could you start from the beginning, please? >> ELENA BATUEVA: I would like to introduce myself. I am Elena Batueva from the Ministry of External Relations of the Russian Federation. 
Today we spoke about the various levels of information security, and I would like to elaborate on this a little, talking about the international security. Obviously, nowadays, there is a threat to security which is not just a cybernetic crime. States and users of the Internet need security. Since we are talking about states and acts of aggression, we have to consider national and international security as well as stability. The importance of this international security was confirmed in the 62nd session of the general assembly when there was a unanimous vote on a proposal by Russia as to how to have security for information at international level. And this confirms that international security and Internet security, which is a very important part of it, they have a technical aspect and a political and military aspect. The whole thing has to be considered en bloc. And we have to underline in this respect the importance of the group of government experts of the United Nations. And they have a mandate to continue the studies on the existing and potential threats in the field of information security. The preparation of an international approach in the field of security for information will allow us to simplify the work of international organisms that don't exist right now and should exist. And there should be international agreements on the subject. Thank you. >>YOSHINORI IMAI: (No audio).... Two more questions coming in. Mr. Tomohiko Yamakawa, and then Mr. Pierre Dandjinou will follow. Please, Mr. Yamakawa. >>TOMOHIKO YAMAKAWA: Okay, thank you very much. Okay. Thank you very much. My name is Yamakawa, from NTT Data, representing Japan Business Federation, Nippon Keidanren. As everybody knows, Nippon Keidanren is the biggest Japanese business organization, consists of more than hundreds of companies, all kind of businesses. On this May, Keidanren has hosted an IGF regional meeting in Tokyo, inviting the Secretary and other important persons to have a discussion. 
Even at this discussion, this issue, security, is recognized as a most important issue. From the perspective of business companies, as Dr. Marco Gercke has pointed out, that over-regulation is the biggest point. And my question is to Mister -- Dr. Marco Gercke, one is how shall we, business organizations or business companies, will be involved in the international cooperation? If any good examples, please advise. The second one is over-regulation. We, Keidanren, consist of all kinds of companies. For example, financial services, telecom operators. Most of them are appointed as critical infrastructures. In such a case, our compliance is matched with cooperation in cyber security. However, not companies feature not appointed as critical infrastructures. For example, simple manufacturers and service providers. They have an obligation of compliance or self-regulation of information security. How shall we co-exist to the requirement in (inaudible)? Even with not just a business judgment. If any good rule or some international guidance, please advise. Thank you very much. >>YOSHINORI IMAI: Next, Pierre Dandjinou. We have about 15 minutes to go and we have to be a little bit more effective. Yes, you are in the back. >>PIERRE DANDJINOU: Hello. Thank you very much, at least one African country is well-known as an originator of spamming attacks has put in place a structure and a strategy, actually, to fight against this sort of criminality. However, results are still not yet there. So my question here to our panelists would be what form of sort of international collaboration we could put together to assist such a country? And also, to which extent this IGF process could actually facilitate this. And also, briefly, on Tunisia, and that's for Lamia. Lamia, I am surprised, in fact, that one single African country made this implementation. 
I would like to know what Tunisia did, and I would like you to tell us how we could enlarge this movement you started at continent level. We have to insist on the role of the various players. For instance, regulators. Do they take part in this? Thank you. >>YOSHINORI IMAI: Thank you very much. (No audio). Okay. And then you may join. Ralf please. >>RALF BENDRATH: I would like to reply to Katitza and then two other comments here. And I think we had that discussion before, the issue of identity theft. And someone earlier also mentioned that the United States especially has a big problem with identity theft. And you mentioned Peru. I think there is a clear correlation if you look at the landscape of identity theft as one important cyber crime and the privacy legislation. In countries where there's strong privacy legislation the problem of identity theft is much, much smaller. That's a very easy solution, and as much as people here promote the spread of cyber crime legislation around the world, I would say if you want to do something against identity theft, you need to spread privacy regulation and legislation around the world. And there's also no global mechanism, no global institution for this. And this is maybe a problem. The other one is the lady from the Russian Federation and also Mr. Harbour. You mentioned the potential danger of international security, you mentioned the possibility of people hacking into air traffic control systems and so on. And that discussion has been around for quite a while. It was a bit overhyped in the '90s with lots of stories about electronic Pearl Harbor and hackers having more power at their fingertips than the nuclear bomb being command and so on. 
You have to be a bit sober about this, but I would say that the approach to make sure that hacking and other problems we have on the Internet in terms of security, that that doesn't spill over into the real world, in electricity systems and traffic control systems, in water supply systems and so on. The only solution to do that is to not connect these systems to the Internet. I don't want these systems to be Internet connected and controlled systems. And that basically means I don't want them to have -- I don't want to have to discuss them here at the Internet Governance Forum. There might be other forums for this. But once you connect these kinds of systems or even power plants and so on to the Internet, you are in trouble. >>YOSHINORI IMAI: Marco. >>MARCO GERCKE: Sorry, I have immediately to react to that, because take a virus attack. If you are successful in sending out a virus and that affects the computer system of the check-in at an airport, you can maybe disconnect the tower from the Internet. But it can affect the computers at check-in and that means you cannot check in anymore. We have seen while analyzing virus and worm attacks that it affected an infrastructure. So it might be that virus attacks are not that much focused, that they cannot really focus on one target as well as other attacks would be, but it is a great danger. So I think we should have instruments in place apart from disconnecting part of our infrastructure from the Internet to secure it. But I would like to concentrate on another issue raised by our colleague from Japan. And that's how, in general, industry should act in this difficult field. And I am currently co-chairing a working group from the Council of Europe on the question how should the industry and law enforcement agencies cooperate. How should they deal with each other. And I can tell you you are in a terribly difficult situation. So from my point of view, soft law recommendations are the one thing. 
But, on the other hand, I would like to have hard laws that are protecting service providers from responsibility where they simply cannot be made responsible. And I think it is a fundamental decision that we have to make. I mean, in the past the decision was made in a number of countries that simply said we have to exclude certain service providers, certain infrastructure providers from responsibility. From a technical point of view, the situation might have changed. So maybe today they have the possibility of controlling. But the question that we now have to raise is not only do they have the capacity of controlling and can we make them responsible for that? But is the question do we want them to control. So we will have to enter into this discussion again and have to find solutions. But I would prefer to have hard solutions because what I am realizing is we're criminalizing preparatory acts. We are criminalizing the production, for example, of devices that can be used to commit a crime. We are not waiting until the crime is committed anymore. We say we start earlier and that is something I find very dangerous. We should not go this any further. We should try to limit us in that way and try to concentrate against crime that has already happened. So they have a responsibility as well. >>YOSHINORI IMAI: Lamia and then Huang. >>LAMIA CHAFFAI: Thank you very much. I will reply to the question that I was asked concerning Tunisia. The role of regulators in the field of security. First of all, at the level of Tunisia, we adopted legislation. There were laws on e-trade and the creation of an agency for the accreditation of reliable suppliers and the authentication and the authenticity of transactions was assured. At the level of information security, there is also a law allowing for a certain level of security for large applications, and there is mandatory audit as well in government applications and at the level of institutions such as the banking sector. 
The national agency for informatic security has the role of the CERT, computer emergency response team. And they help. They work in cooperation with the private sector and the civil society for training in the field of security. We also work to train certified auditors to guarantee national security, national level security. So there is collaboration among regulators, but also with the private sector and civil society which allows us to spread information on security. Thank you. >>YOSHINORI IMAI: Huang, please. >>HUANG CHENGQING: I would like to make some comments on this issue. Just now a few of you mentioned cyber security, especially the security of the critical structure of net. I think there are two levels of security to handle. First of all, those critical infrastructures will adopt some measures to prevent such crime. Due to the openness of the net, some cyber threats cannot be handled by them. Therefore, the national backbone network and the critical infrastructure should be separated, like the prevention of disease just should be an emergency response team to deal with that. As the Internet is an open network, it has no boundaries. Therefore, we need cooperation to those terminal network events which are a set of market mechanism to solve them. Therefore, two mechanisms. One is to rely on the industry. The interest at stake of the enterprise. The other is the backbone infrastructure. The government should include them in their public service so as to guarantee their security. When the cyber crimes occur, laws should be in place to attack them. If there is no final defense line, our efforts will be in vain. I have mentioned that the work of the government is a necessary condition, but is not a comprehensive measure. Therefore, whenever the crimes occur, there should be legal measures in place to attack them. This is my view. Thank you. >>YOSHINORI IMAI: Thank you. Cristine. 
>>CRISTINE HOEPERS: I would like to comment on the questions about international cooperation and especially the African countries that are starting to build their own incident response teams and their own infrastructures. I was talking this morning to some countries in Africa, and I was extending them an invitation that one of the best ways would be to actually look for countries, to look for information how other countries managed to create the CERTs, how they interact with their own private sectors, their own public sectors. And one of the things that the Internet Steering Committee is already doing is to share and help some African countries with the top-level domain name registrations. And we would be happy to help some people to help start their CERTs or to share information and share the experience on how we got from the point that we had no CERT and to the point where we have an operational team interacting with teams inside the country. So it's really typical, in Brazil we started under the umbrella of the Internet Steering Committee that is a multistakeholder organization. So we can talk to all the sectors and we can actually receive feedback from the sectors. But each company needs to look for other countries and try to find out what would be the best model. And we would be happy to help people understand how we work in Brazil and to help you to establish your teams also. So this is really the start of a cooperation, so cooperating in how to establish your capabilities and then further cooperate in how to actually deal with the incidents and solve incidents. So start slowly but start cooperating and sharing information at least on how to establish your own capabilities. >>YOSHINORI IMAI: Well, I only have one minute before closing debate. Zahid. >>ZAHID JAMIL: I promise to make it short. Responding to Russia's comment. 
There was a comment that was very good which said there was a need for international security and basically the ending was there should be international agreements. And I think that is a great suggestion from Russia. I think it's time that Russia, therefore, joined in and signed the Council of Europe convention on cyber crimes because a lot of work has already been done and so I completely agree with you. >>YOSHINORI IMAI: I have some five, ten questions at my hands. I'm sorry I couldn't introduce this. And I couldn't even pick up from the remote audience. It's about time to close. Mr. Chairman, Mr. Tavares. Mr. Secretary. >>MARKUS KUMMER: Yes. Thank you, Yoshi. Our division of labor is that the chairman can give his personal conclusions, whereas I was tasked with trying to attempt to summarize the discussion. I would call it, rather, my reading of the discussion. Again, I think we had a very rich discussion, but also a very complicated and complex discussion. So I don't think my task is a very easy one. And I beg your forgiveness if I will not give a very clear -- if I am not able to give a very clear reading of this discussion. But, again, we saw in the access discussion that access is normally seen as the single most important issue by many countries, of course, by those, in particular, who don't have access, whereas countries where access is not an issue anymore, then security takes first place, as we heard from yourself, Mr. Moderator, and also a discussant who came in and mentioned the example of the United Kingdom. The issue certainly is a multidimensional issue. And, again, multistakeholder involvement and multistakeholder cooperation seem to be essential ingredients if you are trying to find a solution. 
One of the problems, it seems, is that we don't actually have an agreement what we mean when we talk about security in the IGF context. We have, I think, a vague notion. And I think it is a fairly broad approach, but several speakers tried to give their own definition. One speaker referred to the control over the future and said that this was never 100% possible, as we don't know what the future will bring. Several elements were mentioned -- national security, network security, the reliability of networks, also the issue of preventing before the event, and finding solutions after the event, also the resilient and secure networks were mentioned as key in this debate. An important part of the discussion evolved around the legal dimension. I think here we had agreement that online and offline should not be treated differently. A crime is a crime. And I think our chairman mentioned at the beginning that 95% of the crimes committed online were covered by existing legislation. But several speakers pointed out that while legislation may exist, that the problem, the borderless nature of the Internet, made cooperation among law enforcement extremely difficult. And law enforcement, therefore, was an issue that needs to be looked at. There are different approaches to this between hard law and soft law. There was a strong call for harmonizing legislation and also for bringing in new legal instruments that apply in particular to the online world, and there the Council of Europe Convention on Cybercrime was mentioned. But there was also a warning against overregulation. While everybody agrees that there needs to be some kind of legal basis, many speakers pointed out that we should not overregulate, and collaborative efforts of cooperation below the level of regulation could be sufficient. Echoing this morning's discussion on openness, it was pointed out the role of the ISPs as a very crucial element. One speaker called for laws to protect them. 
I think the liability of the ISPs seems to be an issue that needs to be considered further. In terms of soft law solution, the representative of the OECD pointed to the OECD guidelines in these various fields. As regards the technical dimension, there, I think one of the questions asked what we should look at the source of the problem, raising awareness, human resource development, training people to handle the problem, part of the solutions, and also the need to think about security when designing and implementing, and to think about security also in the whole process. As the OECD representative pointed out, the culture of cybersecurity is relevant in this context. There was a discussion on what type of software was best suited. And there were clearly different views held. It was mentioned that transparency should be a key factor and that security through obscurity would be -- is a flawed concept and that open systems and designs that can be audited are more secure. However, other speakers held different views. And one speaker pointed out that, from a developing country perspective, where designers were interested in developing a new system, we should think of protecting the intellectual property rights, and therefore proprietary solutions were equally valid. And that was echoed also by another speaker, who said it was not clear whether nonproprietary or proprietary systems were better suited to tackle the problem. It was also pointed out that in the search for collaboration, international collaboration, there were also problems related to financial limitations and to the -- I think it was pointed out the training of law enforcement and also of judiciary. The connection, of course, was also made between security issues and human rights and privacy. And the point was made that developing privacy laws was actually a contribution to enhancing security. Now, with this haphazard summary, I give back to you, Mr. Moderator. Thank you. 
>>YOSHINORI IMAI: Thank you very much, Mr. Kummer. Now, Mr. Tavares, your closing remarks, please. >>ANTONIO TAVARES: Thank you, Markus. Thank you, Mr. Imai. I will finish my intervention in Portuguese in order to be more clear with my ideas. We started the presentation of panel members with a comment in the sense that security is control over the future. Control over what future? Are we talking about the future of mankind? The future of technology? The specific future of the Internet? And what can the Internet do without human beings? We need to bear in mind that capacity for countries, cultures, habits, and people to relate in order to attain a future where we should really be in harmony. As I said in the beginning, we can see here different opinions. We have spoken about crimes against children, cyber pornography, all the way to the kidnapping of journalists, political subjects, and very sensitive subjects for mankind. We certainly need to continue these discussions, because they will help us to take care of human rights and of -- in terms of human rights or security, take care of human beings in the field of communication. And the issue of the Internet, besides the stability, integrity, and reliability of its content and protection of users, combating cybercrime, and adopting legislation, all of this is essential for the building of an information society centered on people, on human beings, because they are the most important element in this network. We have to recognize that all these issues are interrelated in a democratic context. The combat against cybercrime must take into account the required respect for individual rights and right to privacy. Counting on the support of the civil society and of the industry, the governments have a fundamental role to establish the Internet as a safe space for human interaction, giving adequate reliability to communications, to e-trade, and to service provision over the net. 
In view of the transnational nature of cybercrime, technical cooperation, as well as legal, police, and administrative cooperations, are essential for the harmonization of international norms on Internet safety. And this has to take into account the features of each country and of the developing and the developed world. In terms of security, the dynamic nature of the Internet requires agile tools and the constant updating of methods, as well as intense cooperation and the adoption of preventive steps, without losing sight of each country, each culture, each nation. The multiplicity of aspects raised here by the speakers, the discussants, and the public show that this topic deserves priority attention. I would like to conclude by thanking all of you for attending this session to discuss a topic we could discuss for days and weeks, a topic that will still be very much discussed, but that we must discuss centered on human beings. Thank you very much. [ Applause ] >>YOSHINORI IMAI: Thank you (No audio) -- this concludes the session on security. I thank all the panelists, the discussants, and all of you in the hall. Thank you very much. [ Applause ] (6:11 p.m.)