The following are the outputs of the real-time captioning taken during the Tenth Annual Meeting of the Internet Governance Forum (IGF) in João Pessoa, Brazil, from 10 to 13 November 2015. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.
***
>> PATRICK CURRY: Ladies and gentlemen, we are going to wait a little bit of time, a few more minutes to give people a chance after lunch.
Ladies and gentlemen, good afternoon. And welcome to valiant warriors who are here in the interest of Cyber Assurance.
I'm not sure what to take away from this, as to whether privacy without Cyber Assurance or Internet Governance for that Cyber Assurance is not an issue. But we have a panel here, drawn from experts involved across many organisations that are deeply involved in Internet Governance and Cyber Assurance from a practitioner and policy level.
Now, we put these slides together, but actually, there are a lot of notes in the slides and the notes section underneath. You will see the URL on the top, which is to a Dropbox link, and so if you want to take photographs of the screen, that is fine. But that Dropbox link, you can pull down this presentation which contains, because we are going to skip slides as we go, but it will enable you to see the notes which gives you information about supporting policies and documents of governments and standards.
Without any further ado, I would like to introduce the team. And so this is a joint presentation from EU project Mapping, which is focused on Internet Governance, it's halfway through, and Internet Governance fundamental human rights on the Internet and also the protection of intellectual property.
Our colleagues from the Open Group, who are focused on the generation of standards, particularly TOGAF, people are familiar with that, in this case we have also worked together in the context of some of the U.S. centric Cyber Assurance on supply chains.
More of that in a minute.
Myself, Patrick Curry, I have a colleague on my left, Christian Hawellek, and Professor Joseph Cannataci, who is the UN Rapporteur for privacy, and on my right is Andy Purdy from Norway, and Sally Long. We will give you an overview of the situation against these headings, and then we are going to have some questions in the panel. And then after that we will open it up for discussion. And we have got a lot to get through, so I shall go ahead. First of all, from an Internet point of view, that the key point that we are driving in terms of internationally the main driver is digital economies.
We have been very focused in the Internet Governance Forum around societies which is great in its effect, completely agree, but the reality is that the investment in the Internet is driven by the requirements of digital economies and commerce, and the flow of money, and over time, these industries have become dependent on the Internet.
So, nations can be at risk because their digital economies are at risk. This is influencing a lot of Government policy.
To make that work, we already have a lot of payment activities that sit under that. I put examples here of credit cards, but there are many other mechanisms. We are also seeing a lot of social activity that drives activity levels on the Internet, but not necessarily much in the way of business and economics.
Both of these payments and social behaviors are dependent in identity in some form or another, so around the world, nations are implementing electronic particularly identity systems, to help them provide part of a basis for trust in society, in business and economies.
This raises questions around privacy, of course. And the identity piece is only one part in the point of view of trust. We also need interoperability. By that, I'm talking about policy interoperability, protocols, for technical interoperability.
We are seeing new technologies arrive, and I've put up here bitcoin, by implication block chains, which are very important increasingly in many areas, not just for payments, which the basis of which does not necessarily fit well with current legal frameworks or with current governance models. So there are many challenges in those areas also.
At the same time, we are seeing advances in cloud environments, and what is increasingly being called trusted cloud and requirements for interoperability between clouds to support collaborative supply chains. So you don't get locked into one cloud provider to the exclusion of another.
These raises issues from privacy, jurisdiction and so on.
At the same time, we are also seeing new technology coming in particularly in the form of smart phones, and trusted execution environments and trusted user interface, which puts a lot more power in the hand of the user.
And this means that information about user activities will be much harder to see using current monitoring mechanisms.
So, whatever our behaviors are going to be on the Internet, those behaviors need to link to legal frameworks. And we need to ensure that the legal baseline that we have going forward internationally, not necessarily in international law but in national law, is sufficiently up to date and interoperable to enable our digital societies to work. And at that point, I want to hand over to my colleague, to start, Christian, to talk about legal.
>> CHRISTIAN HAWELLEK: Thank you very much, Patrick. My name is Christian Hawellek. I'm from University of Panama, which is in Germany, and we are part of a mapping project, which is why I'm here. And actually when Patrick invited me to join to talk firstly about the legal baseline of it all, I was pretty much excited, because if you talk about Internet and the legal baseline and the global Forum like this one here, this is going to be a very very thin legal baseline, I suppose, for a very easy reason. If we look at the drivers which helped shape the Internet in the last decades, and I mean before it was probably the military and afterwards academia, but in the last three decades it has been technological advance. It has been economic development, and it has been to some extent societal demands, which of course due to languages and society is the consumers, the demand of the consumers drives the economic development, and technological advance also drives economic development and vice versa.
This is the status quo, in my point of view, how Internet is shaped as of 2015. We are seeking to govern a field which has been primarily developed by these three drivers, and in which legislative acts seek to provide checks and controls and remedies, which all of them have shown to that point, but let's say limited effectiveness.
Now why that, really I suppose the law is the law of the Internet is significantly shaped by technical standards, economic needs and business models as society demands, as I mentioned. I tried to visualize it. We have a technology and infrastructure which is relatively homogeneous all over the world. I can use my machine here, I can connect to the Internet as well as I can do that in Germany, Australia or anywhere else in the world. I can use the same browser. I can use the same services. This isn't really a problem.
The only problem by the way which I get is when I try to plot the machine to electricity, because this is the different standard in Brazil and another one in the UK. There it becomes more tricky. But as we stay in the technological field of the Internet itself of the World Wide Web, this is what I tried to visualize here as homogeneous in my point of view. Why is that? Because we have standards and protocols which have a significant influence on the technical shape of the Internet.
Now so far so good. What would be the legal perspective of that on a global level? Practically what it looks like now is not global. We have one here, one there, another one there. Europe has sometimes a different approach as to governing Internet, especially in terms of privacy, than for the U.S., not to speak of Asia, China, Japan and so forth.
If we want to get away from these little dots, singularities, the status quo would look like that, very low resolution and not very precise. That is obviously for political reasons. We are thinking about how to govern that on a legal level since ages, but it's obviously not an easy process.
How could that be overcome? That is something we are thinking about in the Mapping projects. We have the two layers of technology and infrastructure. We understand there are protocols which shape it. Around that, what is needed and should be fostered as interoperable policies, and beyond that we can think about a consistent legal framework.
What we need to bring together is law, policies and standards, and actually the law needs to get away in our assessment from trying to provide tools, but provide strategies and goals which need to interlink with the policies, and then the standards, the needs provide the tools to achieve these goals. Although this might look obvious from a technical point of view, my experience especially in the legal discussion in Germany and Europe in general is that this gets very easily confused. And if we want to get back to the original slide, then it would be the three drivers which I had aligned that should feed into these three goal‑making, tool providing assets and to shape the Internet from there on.
Now, having talked about the baseline, let's look into the Cybercrime threats and threats to privacy. There are many. I tried to visualize the map here with lots of arrows. One of the major issues is that we still have a very significant lack of awareness, especially the citizens, but not only citizens, also decision‑makers in the private sector, also in the political level, with a very limited capacity still in most law enforcement agencies, for financial reasons, for lacking of personnel, sometimes for lacking of expertise.
We have the situation I outlined earlier, we have a global strat versus national enforcement with some national institutions of course, but practically still very nationally focused. We have recently, post Snowden, surveillance discussion, which is not necessarily Cybercrime, but if we talk about legal access to date and legal interception of data, it becomes very blurry at some point.
We have industrial espionage as one of the major threats to economy, which then again closely interlinks to lack of awareness. Social engineering remains one of the most powerful tools to get access to IT systems, whatever the technical security means might be.
What are the remedies, technical remedies? There is a couple; certificates, trust identity management, anti malware, we will hear about that in the discussion here. If we come back to the legal framework, it again becomes blurry. There is this one tool of Cybercrime convention which with all its advantages and possibly disadvantages, I put behind domestic law, national law, a big question mark, because it's very questionable in which respect that can address a global threat, and another question mark behind the future international law for the political reasons I've outlined earlier.
If you look on the impact of Cybercrime over society, there is two major impacts; economy, that causes huge economic damages and that is fundamental rights, access to personal data, etcetera. We are trying to break that link and to encounter that with certain means, especially in law enforcement, surveillance, a bunch of them, which could probably make a presentation by themselves.
The issue here which I want to raise is that we have a strong battling here between the means to fight Cybercrime and again the impact on human rights. We have data retention, decision of the European Court of Justice, for example. We have seen that in the decision of the European Court of Justice. What is needed to be seen is that the issue here is that on the one hand, we try to protect fundamental rights through implementing these tools to fight Cybercrime, and on the other side, we need to protect fundamental human rights by not applying them excessively because that creates an impact. We have done that on a couple of projects, with Joe, that we have looked at what is the citizens' perception of tools. That was a smart project. The key word was atmosphere of fear, the constitutional challenges. For example, this is already homogeneous in Europe by itself. Germany is a dogmatic country as it comes to the relation of constitutional law and statutory law. We have three different fundamental human rights which can be impacted through the measures which are in the red box on the left side, telecommunication privacy, general privacy and confidentiality of IT systems.
This looks different in other European countries, and particularly the UK, which has dogmatically a completely different system. It would look even more different in other countries all over the world. That is the challenge we are facing. Where does it lead to? It is a big question mark. What we do need basically is institutionalized policies, institutionalized technology, to reestablish trust on the Internet, which would be the point where I would like to hand over to Patrick again, actually. Sorry, Patrick, for that.
>> PATRICK CURRY: Thank you very much. The issue that we have going on from that is primarily around access control. My argument would be is that privacy doesn't exist without an acceptance of authentication, and privacy is fundamentally an access control issue in many ways, from a practical point of view.
The reason I say that is if you are not going to expose any information to anyone, then why put it on the Internet? If you are going to put it on the Internet as a sharing mechanism, then you want to be able to control who gets access to that information, even if it's only yourself.
What I'm showing here are the basic components. The first one is how the important thing is to understand in any sharing community is around the nature of the rules of behavior for that community, whether it's two people or 200 people or 5,000 companies. It really doesn't matter.
For that, there is a set of policies and regulations and obviously legislation which comes together in what we would normally call capstone policy, and you need to articulate those in some sort of systemic rule set that can be used repeatedly.
It's deterministic. It also requires that you have data which is under control. If your data is not under control, then you can't apply rules to its protection. Your policies and procedures are not enforceable, and you are at considerable risk.
This means that you need to have some kind of data model or taxonomy or something that means that you describe, manage and use your documents in a consistent way. One of the biggest strategic issues for supply chains is the individual organizations struggle to manage their data in a coherent way.
Into this mix we bring authenticated and authorized users. What do I mean by that? Authenticated user in this case may be an employee, because we are talking about supply chains, and we are talking about customer interactions with that, are people who we know who they are to an adequate level of assurance. More about that in a second. And that they have some kind of access rights and roles associated with access to that kind of information to do their job.
I might be a doctor, I need to access patient records for my patients. I don't need to access all patient records for the whole country.
And there may be a situational awareness component around that, because I need to ensure that, for example, location might be very important. If I move from one country to another, can I still access my information in the same way? So for example, privacy rules and export control rules vary between countries. So the answer may be, I cannot access the information when I travel, which I can access when I'm at home.
So I bring those three primary areas, and there are others, but it's really about policies, it's around data, it's around users. I have a lot of issues on infrastructure as well. I have glossed over that here. But, I have a policy decision point. What does my policy tell me that I need to do? I have a policy enforcement point, which ensures that that policy is executed consistently with regards to access to information in particular circumstances.
It may be that if I'm going to send information to somewhere else, I still want to protect that digital information, and digital rights management has gone a bit out of fashion recently. But we are seeing newer technologies coming in to be able to protect information when it is sent between two parties.
From a legal point of view, we have called that a policy point of view, sorry, we call that controlled information release, and underpinning this needs to be an audit trail with metrics which can be recognized by all parties in the community.
So I'd now like to talk a bit about the who. So this is my busy slide which has been around for a long time. If you look in each corner, you will see at the top left and top right employees. At the bottom left, you will see a different form of identity or a context which is citizen, and the bottom right you will see consumer.
At the top in the center, you have got a box which shows 1, 2, 3, 4. By international standard, those are levels of assurance, and they go from low to high. Sorry, very high.
Broadly speaking, level 1, you have no identity declared. What you have is pseudonymity or repeatability, so Mickey at Microsoft.com would be sufficient. I don't have to know your natural name. Level 2 moderate, focused on the minimum identifying information to meet primarily consumer type requirements where the financial risk is all measured actually and the impacts of failure are measured in financial terms.
Level 3 is for employees, and primarily is what we are seeing on level 4, this is where you don't want things to go wrong and you want people to behave in a way that is consistent with a policy. So you are prepared to spend money to avoid failure.
Level 4 is danger to life, high economic risk, things falling out of the sky, that sort of thing. Those are just guidelines. That is where the markets have gone.
What we have is a situation today, bottom left, is citizens have identity cards or passports or maybe none of these things, and their ability to interoperate across borders is particularly poor. Today we have little federated trust, i.e., the recognition, systemic recognition and interoperability across borders. The bottom right, in the consumer world on the Internet and most of what we have been talking about here, there are the beginnings of mechanisms, particularly open identity exchange, open I.D. connect, but actual adoption and usage is very very limited indeed.
I know Google would comment on this maybe, because they have been behind some of the federation activity. But adoption is very weak, particularly for commercial activity.
However, in supply chains, the big trigger event was 9/11, which you see top left. There were a lot of issues to do with identity, or the failure of it, on 9/11, the results of which was Homeland Security Presidential Directive 12, and eventually some U.S. standards, FIPS 201 on personal identity verification, which gave rise to PIV interoperability which was written by industry to enable industry supply chains to interoperate with each other and with the United States Government and eventually with others. And a lot of that has been taken forward into standards, in particular the ITU X1254 and ISO29115.
They are apart from four words the same.
The adoption of high assurance, federation today, is at scale, particularly in aerospace and defense; your aircraft that you came on, assuming you came on one to come here, maintenance, flight planning, support in the airports, passenger management, all of these in international airports are underpinned by federated trust models at high assurance. These have been adopted in air traffic management, Cesar on the left in Europe, NATO, law enforcement in many countries for sharing information. Borders are just starting. Within industry, aerospace I mentioned, pharmaceuticals, energy, and increasingly the legal community, and the reason why this is scaling up is because we are introducing more and more devices that require to support more and more functions, and this generates the requirement for more credentials and certificates to be able to work in collaborative communities at scale.
On the top right‑hand side, you will see a series of activities and initiatives to help realize these, like the Kantara initiative.
I apologize for having a busy slide. But I think I put a lot of notes underneath which may help explain that further. I'll mention ISO29003, which is a draft on identity proofing for people, organizations, devices and software, and I would highlight to you identity isn't just about people. It is also about devices and it's particularly about organizations, because all entities in cyberspace binds to organizations.
Collaboration is about collaborative risk management. On the slide that you see here, I'm focusing on the left‑hand side here around risk assessment as the start point which were increasingly being driven by requirements from regulations, top left, and on bottom left, international standards to help the implementation of collaborative risk management and risk assessment.
The risk management requirements start with identifying your risks. The boards of organizations and companies have to take control of the risks in their organizations. That has been a strategic failure in most countries in the world. Having assessed that risk, you choose to treat it. Broadly speaking, you have three options. You can mitigate the risk, transfer it, or you can accept it. To mitigate the risk, increasingly standards, and within the EU there has been analysis to reduce down to a core set of standards for cyber controls frameworks, and this includes U.S. frameworks as well as some commercial ones. Broadly speaking, we are now looking at mitigation controls on different levels of assurance, and the assessment tools that can sit on top of that, which allows you to be able to do ultimately some kind of collaborative insurance.
I'm happy to take questions on cyber insurance later. I've already mentioned the federated identity management. Each of these boxes that you see, you can see requirements for assurance. On that, the higher the requirements for assurance, the more the requirement for independent assurance. However, this is trying to prevent things from going wrong and detecting things. The reality is that things will go wrong and governments and institutions require notification to customers, in particular, and to regulators of incidents when they occur. New regulations are set describing what is required.
This means that there is a real push to get collaborative cyber situational awareness. The sharing of threat intelligence information, for example, and the management of incidents themselves, which then links to real world incident management, not just cyber, as well as counter fraud, because we have a lot of insider threat.
I squeeze out my little picture into the top left‑hand corner, and I extended it into other areas, the three primary are around cyber situational awareness. I mentioned most of the components underneath that.
I draw your attention on the counter fraud to two areas on the right, which is register of legal organizations which is a specification for organizational registers for digital economies. No nation has a robust business register that is fit for the Internet age. At least if there is one, I'd be delighted to talk about it.
Within ISO that draft specification exists, and it has been taken by a number of nations.
We have also had major issues with fake documents and credentials, and particularly identity documents, and counter fraud initiative is to ensure that security printers and the products from them like identity documents, like money, like pharmaceutical goods, those cannot be used for fraudulent purposes.
So, just to summarize this, from a collaborative risk management point of view for cyber assurance, the five primary steps, and they exist in most frameworks, is to identify the risk, protect, detect when it goes wrong, because no protection is perfect, and be able to respond in order that you can recover.
That means you have got to have intelligence in advance. You cannot be passive. So there is much work on threat intelligence areas, which again I'm happy to discuss during questions.
What is actually happening in the implementation side of this is, we are seeing a common approach is really starting to develop now in what I described. We are seeing also the fact that these got to adapt, because they are influencing technology change, and that technology change will affect us all. And it will influence our supply chains and markets.
So blockchain is an example. Here are a couple of things that are happening. Network information security directive in Europe, which is based on the requirements for instant notification, event notification, up to regulators, nationally, and then eventually up to the EU. But it is placing requirements on companies to be able to get much greater control over the incidents and the cause of incidents.
Equally in the United States, is developing a federal acquisition regulation for the entire supply chain, for federal supply chains, which includes within it, at least in the discussions in the draft at the moment, a requirement of one hour for contractors to report a cyber event of significance to the authorities per the contract. That is not for everything. But it gives you an indication of how fast that contractors will need to move.
Technology needs to support that, and technology is changing. The technology companies are evolving their capabilities to start to meet these kind of requirements.
That means that we need to have confidence now about how the supply chain picks up the risk from a technology point of view. For that, I'd like to hand over to my colleague Andy Purdy.
>> ANDY PURDY: Thank you, Patrick. I want to build on the theme of international collaboration. There has been some important progress, but some of that progress has to be leveraged, and there needs to be additional collaboration. There are things we agree on and perhaps things we might disagree on down the line. Networks and systems are vulnerable to attack. That is pretty widely recognized. We need agreements on standards, best practices and norms of conducts, while with other companies partnered with the Open Group, the trusted technology Forum to provide the trusted technology standard that Sally will talk about. Leveraging that, how we can make that be used is very important. And we will talk about an additional higher level framework that is very important for us to drive progress where nobody is really in charge.
The products that exist out there, so many of them are so vulnerable. We are all part of a global supply chain. We have to comprehensively address the risk as Patrick was talking about in a global way, involving key global stakeholders.
What we are seeing is, from time to time, country specific regulations are coming up, that some accuse of being trade barriers. There are legitimate risks, so how can countries address those risks in a way that makes sense? Now, to help prevent the use of country specific requirements, that aren't based on true risk, and to encourage alignment of specific requirements that enable the global deployment of secure ICT products and services, we need two things. On the left, we need a supply solution. Identify widely recognized standards, best practices and conformance criteria. That is part of what Sally will talk about. Also we have to use the demand side.
We have to develop criteria that ICT buyers can use to buy products and services; and none of this can really be required, at least not on a global basis.
Now, so what's happened is a number of companies have participated and joined forces with the East/West Institute, and there is a flier on the table, and on the end of this table, the East/West Institute is trying to come up with a framework on how to approach supply chain risk. By supply chain, I'm talking not just traditional supply chain, but how do you trust providers.
So the two aspects, the buyers side and the suppliers side, there needs to be a framework that includes principles for a fact‑based risk informed level playing field.
Those principles are now the subject of a survey. And there is a link referenced in that document, that folks can go in and fill out the anonymous survey for the East/West Institute. Give me your card and I'll send it to you, so I can E‑mail you the link. But the idea is that providers need an open market for innovation and competition. There needs to be a level playing field, regardless of locale where products are developed, where they are assembled and so forth. Broader use of standards and best practices that make sense, getting buyers to use risk informed transparent requirements, streamlined and scalable approaches to conformance.
Commitment by governments and providers to avoid behavior that undermines trust, buyers need tools and approaches to assess risk. We need to understand the life cycle costs for ICT so they make decisions based on overall value, not just price.
To use risk informed procurement requirements, and we need a set of providers, the users and buyers of ICT need a set of providers recognized as conforming to standards and best practices for product and service integrity.
The East/West Institute is working to enable the transparent availability and use of secure ICT products and services. Governments and companies can join in that effort, and there is a link at the bottom to the survey.
Now, part of the challenge in the world is that we need to get motivators and incentives for companies and governments to do the right thing, on the supply side and the buyer side.
One of the motivators is often statutory and regulatory requirements. Also customer requirements, customer contractual provisions can perhaps be the greatest incentive of all for the providers of services and products to raise the bar.
We need to do a better job of clarifying the due diligence requirements of Boards of Directors and C level executives. They have to own the risk. They don't need to be experts in it, but they need to own it, and it needs to be part of their enterprise risk management framework, the approach Patrick talked about. In the United States you see the NIST Cybersecurity framework that provides an analytic tool that can reference standards from around the world, so folks who run organizations and those who are watching organizations can see whether they are addressing the requirements.
Insurance can be a factor, that can create incentives. Companies and organizations desire to maintain performance compared to competitors. Some of the critical success factors are the organization needs to be committed to security and privacy. There needs to be a risk‑based strategy, clear governments roles and responsibilities to cut across the entire organization from HR into business group and legal, etcetera, not just IT and not just Cybersecurity. There need to be specific requirements in each organization for assurance that are appropriate to that particular organization. There need to be consistent and repeatable processes which are continuously updated. There need to be robust verification compliance based on separation of duties, and there need to be openness and transparency.
So, Sally is going to talk about the supply side. I'll talk briefly about the demand side.
Suppliers of venues will increase securities if buyers require it. Buyers need to be more informed, consistent in organizing requirements. Buyers need to identify security questions to ask of or require from their suppliers, and each vendor must work with their suppliers to adopt best practice approaches.
I'll turn it over to Sally.
>> SALLY LONG: Hi, folks. I'm Sally Long, with the Open Group, I have been for probably 23 years, and I've been the director of the Open Group Trusted Technology Forum for about six years.
Our Forum is focused on best practices for managing product integrity and supply chain security in COTS ICT. One of the things, well, our tag line is build with integrity, so that customers can buy with confidence. Let me talk just ‑‑ here, I can't do two things at once (chuckles).
Let me talk briefly about what the Open Group does. We are a membership organization, and we do standards and certification and have for the last 25 years. We have members in multiple countries, and multiple members over 500,000.
Let's talk now ‑‑ 500. Let's talk now about the problem space we are working in. I want to talk about the types of products we are dealing with and the types of threats we are dealing with. We are dealing with COTS ICT commercial off‑the‑shelf information and communication technology. Those are the same products that the Internet runs on, that connect to the Internet, that are in your governments, your infrastructure, your homes, your businesses, and your pockets.
They are all, how do I say this, they all have the same Cybersecurity threats. Some of those threats, we deal with two major ones, counterfeit and tainted. You all know what counterfeit is, right? Component parts or products that are not originals, but passed off as originals.
Tainted is really about compromised hardware and software, and in particular, the major threat that we see from taint is in malware, malware enabled products or components, malware capable products or components.
So where these bad things come from can come from inside, in a provider's development organization, or it can come from outsourcing, when they have open source that they are bringing in, or they are outsourcing their chips or their manufacturing in different parts of the world, so then you can have it not only from internal but also from your supply chain.
This slide really just talks about the fact that it comes from upstream and downstream. I'd like to talk a little bit here about the supply chain. As I mentioned, those component parts come from all over the world. Products are manufactured all over the world. They are distributed all over the world.
So as one of our major participants, Mary Ann Davidson, who is the chief security officer from Oracle, says only God created something from nothing; everything else in the world has a supply chain.
It's just kind of one of our laughable principles, but it is very very true. What we used to have was products certification.
The products that were brought into mission critical environments were evaluated for their security, but mostly for their functionality and their performance levels. That is not enough anymore, because as I've said, these products are built throughout the world, and you need to make sure that the best practices that those providers are using daily for each product they build, that they are following those best practices.
So, the challenges, so securing our global supply chain, full life cycle approach, need to make sure that the standards are for every constituent in the IT supply chain, need accreditation to help assure that the providers are following those best practices, public registry so you can identify those providers that are following the best practices, and really importantly, and Andy mentioned this, as did Patrick, you need to have customers who are going to award those conforming good trusted providers by procurement.
So, when I say we created the standard, I think this is an important slide, because those are the members of the Forum who have been working over six years to come up with a consensus‑based standard. What they did was pulled their good practices, and bubbled them up to be a set of best of breed best practices, which they made a standard out of and an accreditation program.
Again, this was by consensus, not by majority, but by consensus. We not only have the technical folks from these companies, but we also have the COs and DPs and CTOs, because they know how important Cybersecurity is for their reputations to get it right.
So the standard, I'm very proud to say that the Forum actually got approval from ISO to take our standard and turn it into an ISO standard. It is technically equivalent and it's 20243.
The standard covers all the way from design through disposal. And you can see those different colored areas. Technology development is done mostly inside, in‑house. Supply chain of course is where you outsource, and where you have all your supply chain constituents. But no one product is the same.
So, no one provider is the same. A provider may have one product that they outsource all of it, another product they might only outsource 10 percent.
So that kind of accounts for the shading.
Then I'm not going to talk about these. There is a link to the standard at the end of the slides set. But these are the areas that the standard focuses on, product development and engineering requirements which are basic hygiene and secure development engineering practices, and our supply chain practices.
So a little bit about the accreditation program that was created. It's based on a warranty from the ICT provider. It's also based on a conformance assessment from third‑party labs, who are accredited by ISO.
So, the program is administered by the Open Group. We create the legal document between the applicant and the Open Group that they must comply with the standard or they are taken off of the registry. It's also open to component suppliers, hardware and software distributors, value added resalers and OEMs.
When you apply for this program, you can choose your scope. You can say I want to warrant and represent that I'm compliant for following the best practices in one product, or in one product line, or in one, or in your entire organization.
You get assessed. The third‑party assessors upload the assessment report to the Open Group, and you get a certificate and get placed on the registry.
The real beauty of this concept is the wholistic effect that it has. Not only can customers demand that their system integrators or their OEMs get accredited, but the OEMs and product integrators can demand that their component suppliers get accredited.
Really, it's important from a business driver perspective, if again that most important piece of customers and business partners providers being the business partner of component suppliers demand that accreditation.
So, I'm going to end my piece there. You have heard from a lot of folks up here on legal framework, access control, what you need to ask your suppliers; so a lot of really important pieces that need to come together in order to address this problem. I'm going to turn it back over to Patrick and Andy, and they are going to talk about the benefits for working on the problem.
>> PATRICK CURRY: Sally, thanks very much indeed.
So, there is no point doing all of this activity if there aren't some benefits that one can identify.
What we have seen over time is significant shifts in behavior by governments and industry organizations in many areas as well of the world and sectors, and there is real value, monetary and societal value attached to this. Unfortunately, if it's left untended, it also opens opportunities for misuse and abuse, some of which we touched on today.
The two key concepts that are really coming out are around trust, that enables relationships to develop, business relationships, and it's also around reuse. It's that ability to reuse trusted mechanisms, policies, procedures and mechanisms, that provide business opportunities for agility, in particular, so I can compete faster and more effectively with my various customers.
And it also provides efficiencies because it gives you affordability. No small organization, small to medium enterprise, can afford to do 57 different ways of doing something to satisfy different customers. It's just not possible.
And the amount of risk involved is huge. Consequent, aerospace, deliberately working together with other major players, Lockheed, BA systems and other countries, companies around the world, have really driven the use of standards down the supply chain, so ultimately we can fly not only safely but affordably on any aircraft that we get on.
The navigation systems that wrap around that, passenger management systems, all of those are now becoming much more interoperable and secure.
We are seeing the same behaviors moving into banking, particularly after the last financial crash. And there have been dramatic improvements in banking infrastructures, particularly as we move into more secure payment mechanisms, which ultimately benefit the consumer, particularly as we see some of these payment mechanisms not only go into things like block chains which we mentioned, but also new types of smart phones.
This helps us collectively and individually reduce risk and reduce the amount of fraud and particularly identity‑based fraud, which is the top enabler of crime according to Interpol and Europol. It also helps us to identify cyber threats, and to share information about threats more effectively, and we can discuss cyber information sharing as you wish.
Costs drop. You waste far less time, and this means that you need less resources in your organization, or indeed if you are going to outsource, particularly if you are moving to cloud, you can have greater confidence in those cloud services than you might have done before.
But none of this would happen without a lot of supporting information and standards. And so we have included a slide here on resources. And this is just a fraction of the top of the iceberg of standards and guidance that is available. And I will be pleased, my colleagues will be pleased to help you if you are looking for information and standards so that you too can be interoperable. As we draw to a close, I'd like to hand over to the one person who hasn't spoken yet, my colleague Joseph Cannataci, to provide a higher level comment. Joe.
>> JOSEPH CANNATACI: Thank you. I'd like to make it clear that while I am the UN Special Rapporteur on privacy, I am not appearing on this panel in this capacity.
I had a life before that. Perhaps hopefully I still have a life now. But in my previous life and my other life, I still am coordinator for the Mapping project. I'd like to take advantage of this session in order to put what Patrick and Christian and Sally have been saying, and put it into the context of overall governance and Internet Governance and why it's important.
You will see that in the slide which has been put up, there is also reference to respect, smart and other projects. All of these projects are actually multi million Euro projects which have been supported by EU funding to considerable extent, anything between 75 percent and a hundred percent from there.
Let me take a minute to try to describe to you what Mapping does. Patrick introduced himself as, and Christian, to my right, as being here as part of the EU Mapping project. In Mapping, mapping is actually a science and society project. Its job is precisely to get people together and get them to explore better ways in which to tackle three major themes.
These themes are, one, Internet Governance, which is of course one of the main focuses of IGF 2015 here in Brazil; secondly, to tackle privacy on the Internet, and in the context of Internet Governance; and thirdly, to tackle intellectual property rights once again, in the context of Internet and linked to both privacy and Internet Governance. These tie in directly to the discussion on trust, which we have had this afternoon.
I think you will reflect on the number of times that you have been in sessions during this week at IGF here in Brazil and heard the word "trust, trust, trust, trust." Yet on the other hand, there were not too many sessions which like this one were looking at technical standards, frameworks, realistic and tested frameworks to create trust.
This is that dimension which we wish to bring even into the Mapping project in a number of ways. I'm very pleased that today we have had the opportunity to present to you joint work with colleagues outside the Mapping project, but joint work which deals with standards and international standards, which enable people to have trust with all the benefits that Patrick has just pointed out in the previous slide.
Yet, this is not the only dimension of what we should be looking at in trust, and it's not the only dimension on what we are looking at in the Mapping projects.
In Mapping, we are specifically looking at two other ways of, at least two other ways, many other ways in fact, but two at least, two other ways of engendering trust.
One is through a better legal framework. And that is something which folds directly into what we call work package 4 in Mapping. But also, within that particular work package, and under my responsibility, we have, we are having a look at technical options, technical alternatives. And these technical alternatives deal with something which we discussed in another panel yesterday, which dealt with alternative platforms, alternative technical solutions, which some of us have called parallel universes. You might find other names for it.
The whole idea there is to try to find technical solutions such as overlay software solutions, sometimes hardware solutions, but which would permit the creation of spaces on the Internet which can be trusted. This I think is once again the key word.
What do most normal citizens want to have when they are on the Internet? They want to be in a safe place, basically. They want to trust that if the place is safe, then they can do things, and say things, without being profiled in a manner which is excessive, without being surveilled in a manner which is disproportionate, and also in a way which is commercially safe. Let's not forget that one of the primary uses we have also developed for the Internet is not only that of a place to access information, gain knowledge and also socialize online, but also it's a marketplace. It's a huge marketplace very often without borders.
That marketplace requires trust. If trust in that marketplace breaks down, you are looking at a cost to society of in excess of several hundred billion per year, and in excess actually now in trillions.
When we are looking at the notion of trust, if trust breaks down in the Internet because we feel we are being watched too much, because we fear we are being surveilled too much, because we fear that the companies which are operating in the Internet, some of them may be concerned with our privacy, but others are actually profiling users and tracking them for monetization of their personal data, in a way which is possibly not appropriate in some cases, a way which is equally disproportionate in other cases.
And I think that when we look at the overall structure and go back to this short, happily, five‑letter word, trust, it's one which it's a concept and a reality which people have been moving towards without thinking too much. According to some of the research we had in some of our other projects, they were pretty shocked to find out what was happening in the post‑Snowden revelations.
I happened to be in a focus group, we are organizing, before Snowden was, and this is in the smart project before Snowden was announced, and another after the Snowden results were announced. The results were, I wouldn't say mind‑blowing, but they were pretty staggering. This whole approach to trust is one where we continue to encourage a combination of technical safeguards, of procedural safeguards also, such as those described by my colleagues on this panel, but also legal safeguards which also need to be improved and increased.
I think Patrick, I'll stop here for now with these few reflections about trust and how we are looking at it within the Mapping projects. And if the participants from the floor wish to comment and ask questions, either of you or of myself, I'll be very happy to come back. Thank you.
>> PATRICK CURRY: Thanks indeed. Before we open it up to the floor, I thought I would fire a couple of questions to my colleagues, to get us going as it were.
Christian, you are mentioning the need to interlink standards and legal frameworks more closely. How do you think law has recognized standards in the past?
>> CHRISTIAN HAWELLEK: That is a very good question because there is a major issue in the legal culture, because legal culture, at least in Germany, I suppose also in Europe, has been ignorant to the existence of standards actually.
For quite a long time, compliance with standards would not have any legal implication, except for contractual compliance between companies of course, but not in the sense of, for example, a mission control and so forth. It was only through environmental law in the 1990s basically where we understood in the legal community that it would be important to fill the gap which the law leaves with what standards are providing.
But that being said, this is still something which is happening relatively rarely and certainly not so much in the technical field.
This is the one thing. The other thing is something that my understanding is that to this day in the committees who are responsible for developing the standards, this is very much a technical community. It is not very strongly interlinked with the legal world, on the other hand. I still perceive a very significant gap between the world of making standards and the world of making law, and also jurisdiction; also the courts have been pretty ignorant to the existence of technical standards and their implications on law.
What I think needs to be done is, from my academic point of view, possibly also a research perspective on how to more closely interlink that practically, but also on the practical level, to open up the gates between these two worlds and to enable law to interlink also on a legislative, ever more closely with standards, and to enable standardization to react more flexible to law in a way of primarily including policymakers and decision‑makers on the legislative level into a standardization as a more state‑of‑the‑art process in my point of view. Thank you.
>> PATRICK CURRY: I find that interesting. Last year, the broad assessment ‑‑ I'm happy to talk about where these numbers come from ‑‑ last year, the estimate on Cybercrime was between 6 and $7 trillion worldwide. The lion's share by far is the theft of intellectual property, and also the theft of customer data, which is, any of which is sold for malicious gain and financial gain.
So, that begs the question, yes, we have the Cybercrime convention, but given what you have just said, we have that as a legal framework, that might have been useful. But what else would we need to do to do more than the Cybercrime convention, do you think? Or we need to add to the Cybercrime convention to make these frameworks more useful?
>> First of all, it's important to make the statement that the cyber convention was a major step towards, on the trans‑national level, harmonize the legal framework. What I think it does, to say something positive in the beginning, is did standardize some of the most important legal provisions on the substantive side of law, so what actually is a Cybercrime and what is not a Cybercrime possibly, but especially what is a Cybercrime.
In that respect, for example, it is one of the first legal frameworks or pretty much the only one on the international level that recognizes that a confidentiality and integrity of IT systems is something which needs to be legally protected across borders.
What it does not do so much is providing information on jurisdiction. We still have a huge problem with enforcement, not so much on the substantive side but procedure side of law, how to enforce a law that is already in force, and also I think fails, and Joe might agree there, to address the fundamental human rights issue of Cybercrime appropriately.
I think it's a very good start to that direction, but it's also a very first step. We need to diversify what we have begun in the Cybercrime convention, and also enhance a subscription to the Cybercrime convention beyond the Council of Europe. There are a couple states not in the Council of Europe who have subscribed to the cyber crimes convention, but it should be probably more I suppose.
>> PATRICK CURRY: That intrigues me, that Cybercrime and indeed the terrorism piece, the insurance for that is done by something called pull re, this provides pulled insurance of the claims. One of the discussions at the moment is how you set up another re ‑‑ R‑E, not R‑A‑Y ‑‑ specifically to support the effects of Cybercrime and Cybersecurity issues. And of course, this means that those kinds of legal tools and the multi‑jurisdictionality that you are talking about, we need more coherence for that. But that needs to play, to make sure there is a, what I describe as a level playing field for ICT, as Andy was talking about.
It begs the question in my mind, which is how can that be a level playing field, as far as ICT is concerned, in a crossborder situation, how from an international collaboration point of view can we do that and be flexible and meaningful.
>> I think that is the beauty of what the East/West Institute is trying to do. No one is stepping up to address the problem globally. They are stepping up until somebody else kicks them aside, to do something that is not going to be prescriptive. It is going to be to identify, and invite folks to participate in the anonymous survey, folks to identify the key principles for a risk informed playing field and not to be prescriptive, subject to input from others, things like there needs to be open opportunities for companies and providers to meet whatever the security requirements are.
Security requirements would be based on real security requirements. There should be transparency, so those who buy should, and seek to buy from providers, they should make clear that they are going to allow competition, they should make clear what their security requirements are. This isn't going to say, you are this prescriptive set. It's three things. It's principles, coming up with a compendium of best practices that give the buyers, could be governments, it could be individual, private organizations, give the suppliers an idea of what are the standards that make sense, what are security related standards.
And, it gives guidance to buyers, to help use their greater purchasing power. It can be done in a risk informed way. For high risk projects, I'm sure many of you saw the note a week ago, IBM announced they will be willing to provide their source code to the Chinese Government. But the critical thing about that, that can work in the international community, in a risk informed basis, they are not giving it to the Chinese Government to do whatever they want. They are going to give them access to it in a secure third‑party facility.
Then a third party can do whatever testing is necessary on the IBM product or any other product. Huawei does the same thing in the UK and other places. The idea of saying let's have principles for openness and transparency, allow folks to participate, and then follow some of the guidance that we are talking about for suppliers and guidance for buyers.
That gives you flexibility, and it encourages competition and innovation and it addresses real security risks.
>> PATRICK CURRY: Thank you. Realizing that is a huge challenge, what do you see as the sort of critical, couple of the most critical success factors that would come out of that?
>> I think when we look at the challenges of trying to get users and providers to raise the bar, and for organizations to think, as you were talking about earlier, Patrick, about the importance of risk management, it's absolutely critical for organizations to have a commitment to security and privacy.
That is one of the most important factors, and they need to have at least internal verification and compliance to make sure that the different components that their organization needs to do to address Cybersecurity and privacy are being met. Because unless you are able to take seriously making sure that what you say you are going to do, you are in fact going to do, you are not going to address risk in a reasonable way. Those are two of the most important factors.
>> PATRICK CURRY: In the fine detail in the terms of what we have been talking about from an Open Group point of view, Sally, what do you see in terms of the reasons for addressing product integrity and supply chain security? If you were speaking to an executive, what are the points that you want to get across around the production of ICT with regards to integrity and supply chain security?
>> SALLY LONG: So, I think the way I like to put it is that ICTs and your trusted technology providers are your first line of defense. So it's about bringing into your business operation, your mission critical operation, your financial enterprise, whatever type of organization you are bringing those ICT in, you need to make sure that when they are brought in, they are already as malware‑free as possible, and do not have any taint or counterfeit components in them, because if you have a tainted component, then that is when the malware can get in there, and we all know what malware can do.
It can take down your business, take down your critical infrastructure, can steal your IP. So, even though it may ‑‑ there is a cost to working with trusted technology providers, because if they are conformant, they will pass some of the Cybersecurity best practice work that they have had to do back on to the CEOs.
However, the potential for the decrease in damage that it could cause to your organization or your critical infrastructure is important. We have to start moving away from cost as the criteria, and start moving toward Cybersecurity as a higher level criteria for products.
>> PATRICK CURRY: Is there a comment on that, building on what Andy was saying, it could enhance governments' abilities to trust technology which has come from abroad.
>> SALLY LONG: Yeah, I think that is a really important issue, because we have seen in the recent past, two or three years, that both the U.S. and China, and likely other countries, are moving into a sort of isolationist, there is some factions in those countries moving into an isolationist perspective and saying let's just buy and produce our products locally.
So, that is a really bad move in my opinion. It's a very big step backward. It will lead to interoperability issues, and it will lead to lack of innovation, and you are not going to get the security products that you would in an open market.
So, and it's a huge cost. If governments are making their own requirements, and making requirements for you to operate in their countries, then that is a big cost to the vendors who are producing the products, because they have to comply with multiple requirements, and it in effect could set up trade barriers that we just don't want.
>> PATRICK CURRY: Many thanks. We have lost a couple of people, I'm sad to say. But we still have a few people in the room. I'd like to open the floor, please, for questions. Invite any questions that you may have. It's gone very quiet. I'm going to ask you a question.
First off, I'm putting the point that today that Internet Governance Forum is not yet creating the kind of activities for the practical implementations of what is happening on the Internet. We are talking a lot about higher level governance activities, but we are actually missing a lot of things.
We had this discussion yesterday in the blockchain session, which lasted one hour, and there is another session on Friday for the 30 minutes, and that's it, something that is transforming what is happening on the business use of the Internet.
We today have laid out the requirements for assurance for trust in using the Internet, and if from a business and a personal point of view you want to use the Internet, and just trust it because it is, then Darwin says that your future is not a good one.
My suggestion, my request to you is, what would you ‑‑ I'll rephrase that. Do you think that the points that we made today, were they valuable for you? Is this new for you? Or are these things that you feel in your countries or your companies are already well understood? Or is my English too difficult? Please step up and use the microphone.
>> AUDIENCE: I'm afraid I cannot talk about my Government, but I can talk about my opinion as I work for the Government. But I think Brazil is still not very aware of the risk in the supply chain. So for many organizations, they will all think that this framework are just more bureaucracy that we would have to put.
But I think we are missing, really, a chance to improve our security. A comment I would like to make is that I think we still lack technologies to assure integrity in our devices. I think we need to improve also the technology and way to test things, because I've heard about using golden models or testing samples, that I think these techniques are very far from assuring, something that I brought from another country from China or somewhere else, ensuring these devices are really trusted. This is just my comment.
I don't see very often here in Brazil people worrying about regulation or certification or checking certification of devices.
>> PATRICK CURRY: So you buy equipment. Do you have the same approach for health?
>> AUDIENCE: I think health area is more mature in this regard. But for the technology, I think we just are still far from the ideal scenario, in my opinion.
>> PATRICK CURRY: Thank you. Joe.
>> JOSEPH CANNATACI: Thank you, Patrick. Could I perhaps offer another dimension on trust, and because I think part of the answer to your question lies in trust.
And if you permit me, I will use the analogy of the motor car here. When, how often is it, Patrick, that you go somewhere, and out of a hundred people, you will find 85 or 90 excited about the fact that their favorite motor car manufacturer has bought this switch from a trusted supplier in the supply chain?
And in real life, that doesn't happen. They don't care that they have bought it, that Ford has bought this switch from Merit in Malta. They only care if their Honda has got air bags and it's normally failure that makes them use. What I'm trying to say is that customers generally like to trust.
They trust a brand. They trust the supplier is buying things well, and from a legal point of view, since you are asking us about legal standards, what happens is this is why in fact in many countries, we have had development of the doctrine of strict liability.
In other words, since it recognizes that nobody in this room, probably most of the people out there listening to us on the webcast, none of us have parity of arms. None of us are in a position where I can go to Ford or Honda or Chrysler or whoever, and negotiate with them on an equal basis.
So therefore, there is, there has developed this expectation and the fact at law that there is a duty on the supplier, on the provider, to make the product safe to use, and leave the customers, just to say, oh, how comfortable the seats are, I want leather seats. But that is where most clients get to.
And to a certain extent, I think the Internet is treated in the same way by consumers, that is a nice to use, is it easy to use, is it convenient, a word which we have used a lot in the respect project, is it convenient technology. But then most, most customers out there, most users of the Internet out there don't care about how the Internet works on the inside.
What they do care is that they can pull out their device and use it, right? I think that that is instructive, or should be instructive to those of us who are also interested in the nuts and bolts of the Internet, because one of the problems we have, even from the privacy point of view, is that the vast amount, the vast number of people who use the Internet are not aware of the way the Internet works in depth, and therefore, do not understand the consequences for their own privacy.
And here, for example, I point out the difference between content data and transaction information, transaction data. Most people would say, oh, yes, perhaps I should be careful of what I put on Facebook, or what I say there. And that's content that they put themselves.
But, it's only a minority of people who realize the full extent of the way that their transactions are being monitored, that every keystroke, every visit that they make to a Web site, everything they purchase online, every search they make, every E‑mail they write, right? And so it, the fact that they don't realize that that is happening makes it easier for companies to track that data collected, and get others to pay for it for advertising reasons.
And this is, I think, a part of what we need to fix, because what is happening is, that people on the Internet, people who use the Internet, are slowly waking up to the fact that this is happening. There is a growing number of people, but very few of them realize the full extent. And then, you have another part of the culture which is they have got so used to taking things apparently on their face value for free, that the costs of the business models that we are seeing, which are not apparent to them either, and that brings something that, am I prepared to pay for this, you know? Some people are prepared to pay for this.
But a majority at this moment in time are not. So, when you are talking about trust over here, I personally would be surprised if a majority of people who come to IGF would be interested in the nuts and bolts of what is going on.
I think it will always be a minority. There will be those of us who are tasked with creating trust and trustworthy mechanisms. But basically, there are a few engineers, a few other people. But then the rest of the people at IGF I suspect will often speak only when inconvenienced, or when upset. And when are they inconvenienced and upset? It's when they perceive their privacy to be infringed. It's when they perceive their fundamental human right of freedom of expression to be somehow curtailed, and it's then that they speak up.
That is why they will get emotive about that and hold banners and posters and so on and so forth. But when it comes to trusted supply chain, frankly, Patrick, you could be speaking the simplest of English, the most fluent of Portuguese, most poetic of Spanish. It's not the language, not semantics. It's the subject matter.
>> PATRICK CURRY: I take your point. Thank you. I think that is a reflection on, that IGF does not attract people who are involved in the digital economies of this planet, that creates the wealth that drives the shape of the Internet for society, that economics of this is, if you look at the number of companies that are involved in relying on, sorry, delivering services to the Internet, those that deliver services to support other industries far outnumber those that provide services that support the individual consumer.
The reason for that is simply that the money exists in the supply chains to create economic wealth.
So, I think we have a challenge going forward, I would suggest, and it's evidenced in this room today. We could be in the World Economic Forum or the Global Forum and there is a much greater understanding there of the economics of how these things work, both for economies, but also the economics, that drives organized crime. And we need to find a way to bring these other aspects into this debate, so we have an inclusive debate.
And at this stage, I think the sadness is that we keep coming back to a privacy lens, which is really important, with fundamental human rights, but we are not balancing it with what happens in daily operations. I think your point was a really good one. There is an assumption that other countries that provide, those countries that provide the technology which other countries use, those countries just accept what is happening because there is no choice. And Neelie Kroes, who was the senior Vice President or a senior Vice President for the EU, made the point that we have to be able to link technology to democracy going forward, and that is in the full spectrum of Democratic growth in society and economies, and in doing so we need to make sure that we have the dialogues necessary to make sure that the technologies that we use, even though we don't make them, in some countries, will meet our society's requirements, and that we are not forced to accept the societal requirements of other countries simply because we buy technology from those countries.
So there are some very strategic challenges here, and it would be good if IGF were to embrace some of those.
So, Sally.
>> SALLY LONG: Yes, thanks, Joe. That was a good observation. And it is, I'll have to agree with Patrick's sentiment, I think. It's a little bit frustrating, because, and there is a challenge to broaden the constituency in IGF, because it's very difficult to make policy if you don't have people at the table who are policy about technology on the Internet, if you don't have people at the table who are making the technology, and to know the risks for the technology.
So I think somehow, the two do need to come together.
>> PATRICK CURRY: Can I invite any other last observations? At that point I'd like to thank my colleagues on the panel, and also thank you for being here and for your involvement. And show some appreciation to my colleagues on the panel. Thank you very much, guys.
(applause).
(end of session at 3:30 p.m.)