SOP Workshop 202: Cybersecurity: Safeguarding the Global Internet and Emerging Issues/Opportunities for Developing Countries
Sixth Annual Meeting of the Internet Governance Forum
27-30 September 2011
United Nations Office in Nairobi, Nairobi, Kenya
September 28, 2011 09:00AM
The following is the output of the real-time captioning taken during the Sixth Meeting of the IGF, in Nairobi, Kenya. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> LIESYL FRANZ: My name is Liesyl Franz. I focus outside of security and governance. I find the IGF sort of perfect place to be for many of the conversations that we have.
>> A short, brief concise opening remarks from each of our experts and open it up for discussion. I do think the dialogue that IGF has one of its availabilities and we want to encourage you to engage in that discussion. We do have one for those that are just joining us now. We are trying to achieve one remote panelist to join us. We are in the process of getting technical support for achieving that. If you hear some, ah, dialing in, that will probably be her joining us. So, um, be patient with us. Again, let me turn it over to Hisham to get us started.
>> HISHAM IBRAHIM: Thank you all for showing up for early session. We have a full room and ‑‑ and, um, as we had expected so because this is a very important topic and one of the most debatable and, um, important topics that we want to discuss. Let me introduce myself. I am Hisham. We serve the African community and the Indian Ocean by providing them the numbers and cybersecurity is one of the main focuses that we focus on and are keen on having. Without further ado, I would like to introduce our panelists. The topic we're talking about cybersecurity and especially the title of the workshop is Safeguarding the global Internet and emerging issues/opportunities for developing countries. However, cybersecurity is an issue for both developed and developing countries. This is why we try to have a diverse panel and, um, I'd let them introduce themselves with respective positions and the theme of the workshop on what they do on a daily basis. Chris, will you start us up? Short introduction on how this fits into it daily.
>> CHRISTOPHER PAINTER: Well, thank you for being here. I appreciate everyone showing up at this early hour. My name is Chris Painter. I have seen the issue of the threats and the responses to this issue. Currently, I'm the Coordinator for Cyber Issues for the Secretary of State at the State Department. This is a new position that was created just recently about 6 months ago in recognition of the importance not only cybersecurity, but range of cyber issues which I will address in a moment. I think, um, the two things that are clear and it doesn't require 20 years to note is the dependency of all of our societies on cyber space, but also the increasing threats that we face from a whole wide range of actors including organized criminal groups, transnational criminal groups and others around the world. And that creates real vulnerability. I think the other thing that's been clear over the last really few years is that this has become a priority not just in the U.S., but a priority throughout the world and particularly, I think becoming more of a priority from the developing world. In May of 2009, ah, I was privileged to work at the White House to write a ‑‑ help write cyber space policy review with both the U.S.'s cybersecurity policy and made some recommendations and that was followed by a speech by President Obama where he characterized the threat that we face in cyber space as one of the greatest economic and national security threats we face as a country. And that's a pretty dramatic statement if you think about it. First, it was a strong message to have our President give a half hour speech about cybersecurity. That just never happened before and second, I think anywhere, ah, and second to elevate this as a real significant threat that we need to face. Recently in May of this year, the President released an international strategy for cyber space.
I should say that international strategy along the lines of some of the things discussed in the panel was not just done by the government. We also talked to the private sector. We talked to several privacy groups as we were assembling this. And you cover the full range of cyber activity including Internet freedom, ah, the economic issues, the governance issues, cyber crimes, cybersecurity, that full range of issues because we found that they're so interrelated. You can't really address one in a silo. Cybersecurity is critically important, but you can't look in that. I think that's been seen in the last couple days of this Internet governance forum. Our goal in that new national strategy is to create and maintain an open, secure and reliable information and communications infrastructure. It's important to look at those words too. Open is what we leave with having an open system, open standards, transparent allowing the free flow of information, but also secure. And those things as I'll talk about the end of my remark, short remark, are not really in opposition. I think all of those have to be looked at together. When this was rolled out, my boss, Secretary Clinton, said that this international strategy which also lists a number of norms in cyber space that we should try to coalesce around is not ‑‑ although it's a U.S. strategy, it's not ‑‑ it is really a call to try to build a consensus of countries around the world, of partnerships. That's really key to the way we look at this. The strategy was laid out in three areas. Diplomacy, defense and development. And development is the key aspect particularly with respect to the developing world in this area, but also with respect to a lot of the rest of the world too. One of the priorities from my new office, ah, is to engage far more than we have in the past with the developing world in this topic.
I think one of the key messages that kind of bumper stickers you can take away from all of this is that the time is now right for this, and all countries are understanding the importance of this issue and how, ah, transnational it is and how we really need to cooperate and work to try to solve this issue and that we don't all have necessarily all the answers that we really need to work together. So as laid out the parties in my group as we work around the world, one key element is engaging the developing world and thinking about how we can do capacity building and that's obviously something in the constrained environment for us. But I think it's a very important thing to do. In that vein back just a couple of months ago here in Nairobi, we in conjunction with the government of Kenya held a, ah, a, um, capacity building seminar on, ah, cybersecurity, cybercrime.
We also talked about Internet freedom and issues during that seminar. It's again going back to this idea that these are very strongly linked and we're talking about privacy and that was a very useful three‑day seminar with all of the East African countries. Others were there and a declaration came out of that conference. There will be follow up from that conference too often from the capacity building exercises happen, there's a conference and then people go away and that's it. I think we need to do a better job of following up and making sure there is progress in this area. I thought that was an extraordinarily useful event for the folks who were there and also for me to understand what their concerns were and what some of the challenges they face are. When I say I would like to say, I will try to keep brief and my last comment is one of the core things of the national strategies is we lay out values. We talked about Internet freedom and the right for free flow of information and the right to connect as Secretary Clinton has said. And that's really important. I think it's also important to understand when we look at these issues, security and free flow of information and privacy can all and should all coexist. They should be mutually reinforcing and I think that's an important part of this approach going forward. It's an important part as we reach out to the rest of the world of what the norms in the cyber space should be. I commend you to all take a look at that strategy and get your thoughts. I am always happy to hear from people throughout the world and I look forward to any questions.
>> Yes. I would like to introduce Susan.
Also, if you can give a brief of how cybersecurity interacts with you ‑‑ or you act with cybersecurity on a daily basis.
>> SUSAN MORGAN: I am Susan Morgan. Executive Director of the Global Network Initiative. We have companies and human rights groups, investors, academics to really focus on how to protect freedom of expression and privacy in the ICT sector. The principal work that we do is we developed a set of principles and guidelines for companies to really help guide company decision making when they receive requests from governments that might lead to, um, a restriction of, um, information being available on the Internet through things like censorship or web locking and then also things like the, ah, requests that companies receive from governments to hand over information on their data about the users. So we've created a, um, as I said, a principles and guidelines really to help companies operationalize and think through, ah, the potential freedom of expression and privacy implications of the work that they're doing. So that's from, um, the technology that they're developing the products and services they're selling and the markets they operate in. And in terms of just to answer your question, you said of how cybersecurity fits in, we're just about to do some research looking at how do you find the balance point between freedom of expression privacy, national security and law enforcements. So we're about to start that research. I think we've heard a lot in certainly the ad ministerial meeting earlier in the week and yesterday in the opening session really about cybersecurity and the fact that, um, issues are increasing and the nature of the threats are changing and also heard a little bit about sort of what needs to be done and particularly the relationship and the potential for cooperation between government and business. I think I would like to spend a few moments on, ah, three points really looking at the sort of protection of fundamental rights and freedoms, which are one of the things in the conference.
I hope my leads will lead directly from Chris' really it is about ‑‑ there doesn't need to be an inherent tension of the freedom of expression of privacy and achievement of security. I think there's no necessarily inherent tension between those two things. I think in terms of thinking about things from a fundamental rights perspective, um, there's a real sense that, you know, indivisible and achievements of one can help advance the achievement of others. With that said, I think what's important in terms of policy making is that, um, the policy make or outside securities don't in the context of thinking about ‑‑ thinking about those fundamental rights such as freedom of expression. I think the second thing that I'd like to focus on is really the role of business. So, as we all know, um, Internet has become more central to people's social economic and political lives. And I think with that, what we're seeing is the role of private companies that run the networks and provide the services has become really more important and I think putting company in the spotlight. And I just offer a reflection that this is happening at the very time that a lot of intergovernmental institutions are really looking at the relationship between business and human rights. So, for example, the U.N. Protect, Respect and Remedy framework that's been set over the last couple of years and really look at the intersection between business and human rights and responsibilities of business. These principles are now being widely adopted in the revisions to the OECD guidelines and so they now include those in a specific reference to Internet freedom within those OECD guidelines. I think in this broad of context, the decision companies are making and in terms of how they engage with governments are critically important in a broader context and obviously they're also incredibly important for the rights of users around the world.
And I think finally the final point to make is really about accountability and transparency. So, I think probably historically there hasn't been a lot of information in the public domain about the relationship between the companies in this sector and the relationship with governance. I think what we're likely to see in the coming year is a real growing sort of need for both users and the broader public to understand the relationships and the cooperation that exists between governments and companies. Thanks.
>> Thank you for that. Jimson, I would like you to tell us what type of security fits with the international perspective of your country and the regional perspective as well.
>> JIMSON OLUFUYE: Thank you. My name is Jimson Olufuye. I am the President of the information technology industry association of Nigeria. That's a decision of ICT companies, the hardware/software services and communication sector. Also happen to be the vice chairman for the World Information Technology and Services Alliance. I am responsible for [INAUDIBLE] in Africa. And finally I've had the privilege of being one of the five business representatives, the CSTD working groups through IGF. If you look around this editorial, you see about 75 to 85 percentage of developing nation representation. And these two code the fact that [INAUDIBLE] is very important in our region. In the face of wick leak attacked of this network supposedly hide net works that bring great concern in the developing world when you got to ‑‑ his data, is the infrastructure saved to this new environment, are we saved? Looking at statistics in terms of penetration, Africa has the lowest Internet penetration. You copy it to the rest of the world and maybe around about 6%. Within Africa itself, we have about 11 to 15% penetration and we also know [INAUDIBLE] outcomes and WITSAs protections that is for everybody to be connected, excuse to be connected, hospitals will be connected. Government will be connected. Our services to [INAUDIBLE] online. So it's a great opportunity that, ah, we see as Africa to be able to develop rapidly and, ah, [INAUDIBLE] develop rapidly, but to achieve [INAUDIBLE] in terms of, you know, cheetah is the fast design now. So cheetah [INAUDIBLE] for only good this fact. So, we want to really [INAUDIBLE], but this is a great concern. So how do we tackle it and we feel strongly that we need to find solutions to security challenges because we know it would be in our benefit if we develop faster. We have already seen it evident all across Africa in terms of [INAUDIBLE] and we need to do a lot about it.
So, um, I won't say that it's real delight to see a lot of my colleagues from developing nation here. I would like to really emphasize that perhaps this points we wanted to take home. There's need for us to invest in cybersecurity as such especially we got to ‑‑ how can we secure our network. But then we move our resource online. For example, Nigeria, I just recognized we need to move rapidly and create more jobs and search this brand new ministry of technology and you want to really blast off seriously. So there's need for us to invest in the cybersecurity of the Internet. Because a lot of people have asked if you put this in, we need to say it. So we have to go into the state of assuring that is going to be saved is going to be saved. So invest on cybersecurity and such and then also on ‑‑ out for Africa, perhaps maybe one or two countries that have room for sat that is [INAUDIBLE] response team. In Nigeria, we had a workshop last year to stick with us about SAT, but we have yet to really move fast. We want to invest in developing nations where we have linked to the global [INAUDIBLE]. It is not something we left in developing. Develop nation needs to collaborate about developing nation to really do something about the weakest link in the web. And the top point of our nation is what we could do is clearly business to manage all the challenges that would be better. You have secure [INAUDIBLE] and defense department. So, we need to do more management. We need to find a way of, ah, damage control more effectively and do more about the 50 of the Internet done about a weakness of the Internet and also increase collaboration as Susan mentioned across all sectors. In developing nations, I've seen using Nigeria and does much collaboration between the private sector and public sector.
So there's need for a developing nation to really come to a table, same table and to discuss this issue collaboration especially with the private sector that has the greatest investment. It will number the infrastructure. And also consigning a law. Most developing nations do not have cybersecurity law. We ‑‑ there's need for that to be in place for business to invest in the infrastructure. Perhaps there isn't concern ‑‑ when you got to this, it's because of load capacity. Load capacity in terms of know how about issues about security. I noticed because of my interaction with officials. They do work they're talking about. We're just trying to come up with having e‑mail number. E‑mail address, not e‑mail number. So, it's small like capacity. We need to view capacity in the area of security law and developing nation. And, ah, also, ah, an ID awareness, governance awareness. You got a special from a developing nations and IGF. So we need to do more. We need to involve more and this I would like to [INAUDIBLE] colleagues focusing on beautiful events together. So, ah, we need to involve more in the IGF awareness and participation. And also, comments ‑‑ we need to increase entire intranet government collaboration. Ah, government within the [INAUDIBLE] will collaborate more. We got to share the resources and put common defense against cyber trench. As I said, the parliaments have no understanding of the issues. So we need to get a parliament involved strongly. We missed some efforts to get all of the parliaments to be here, but settle down. So it has been challenges in getting them up here. Program from developing nations, we need to take this message home. We need to begin to bring the parliamentarian because they're the ones that bring about the law and not have the appropriate law enforcement then finally, there's need for, ah, cybersecurity task forces in our nations.
We need to have cybersecurity task forces across states, across region so that we can increase understanding and collaboration and ability to control just what hand. You have robust in this area and then you will not sleep. So we have to find a way to tackle the minutes. So the same thing on the space. On the Cbus, there's a reward where you have people that don't like the way we are. So we need to come together just as we have come together to find common solution to the challenge. I listened to this material and the opening session yesterday and I was quite pleased with some efforts being made concern security and also from the security and build confidence on the Internet. We have a way to really experience what we desire and put into the WITSAs and then we can ‑‑ by 2015, all Africa fill connected and, ah, been in the dream with desire. Thank you.
>> Thank you. Burt, I think once you introduce your affiliation, people will know and to answer my question. But how much time does cybersecurity take of your daily process?
>> BURT KALISKI: Thank you very much for the opportunity. I am Burt Kaliski. Clearly as a provider of a registry and network performance services we think continually about the threats against the services that we provide as part of the global Internet infrastructure that we support. Threats happen continually and they occur both at an Internet level and, ah, and are more conventional lives. I think about my, ah, journey here and many of you have traveled various distance. The number of security checks that I went through. So, ah, I think I've lost track of how many times I presented credentials, passports, visa, boarding passes, registration forms upon entering this wonderful complex and badges as we come in having bags checked and having gone through security and so forth. And maybe that's the case where we're looking at the leap frog type of activities. I am impressed by the speaker's comments about the cheetah povault. When we're thinking of Internet governance and the threats and the counter measures, we need to think at a different level. In contrast to my experience of multiple, physical security checks and the things that many of us have had in our journeys from place to place, when I went online, ah, I used the wireless network that was provided here at IGF. I suppose there was some initial check. I don't know that there's necessarily a password at that point. But my mobile device could authenticate itself to the computer network at my company to be able to access e‑mail and each of us may have done that in a different way. In that sense, I've moved from the physical world to the Cloud, if you will. You can call it a virtual world with logical experience. But let's use Cloud because that's the popular term at this point. In the Cloud, we are looking at the cheetah povaults. It's a different kind of environment. The threats that we encounter come from all over the world. But so do the counter measures to those threats.
And what is encouraging to consider as we build this connected digital world is that even though attackers are everywhere, so are the defenders and the defenders against those attacks can be in any country. Those defenders can be the thought leaders. Together, we're stronger and by collaborating which previous speakers pointed to as well, this transparency and this openness and so forth would have the greatest of advantages. So, I see cybersecurity as fundamentally an interaction among those who want to connect, who want to do business and to bring value to pool their resources. Just to give one example, ah, if cybersecurity is concerned with denial of service attacks with large volumes of attack coming from different parts of the world to take down a particular system, the defenses can also be distributed because after all, any of the connections that are being made from the attackers against the resources are going through the Cloud. And in the Cloud, there is opportunity for intermediation. In other words, opportunities for the Cloud itself to be resilient for our communications and our Internet infrastructure to find other ways of absorbing that threat as it goes from all over the world to the place of attack. If that absorption is something we do collaboratively.
>> Thank you very much, Burt. And I'd like to introduce Ashok as well. Ashok, if you can mention in your field of expertise how do you see a lot of the presenters before you touched on the regional cooperation and the global cooperation? Do you see that in your field of expertise?
>> ASHOK RADHAKISSOON: Thank you. Good morning, everybody. I am the Legal Advisor. And I would like for us to say that my co-panelists have in fact made an overview of the problem we're confronted with from different perspectives and they are not new issues, but they're growing issues and this is why it should be issues of the highest concern to all of us. Being from the legal background, my input is from the policy making aspect and before doing that, I would like to say that AfriNIC we have in fact led some initiatives. We have two meetings every year, policy meetings we call them and in one of them, I think two sessions back we started the AfriNIC CERT initiative we have the group of experts and knowledgeable people in the security domain who are there creating this CERT unit where we invite colleagues from other continents to join. We make CERTs a reality. We make people understand that CERT need to be put in place and this Africa CERT initiative is something which we rely upon you to kick it forward. We're not going [INAUDIBLE], but still we wish to take it forward. And the second thing we help in doing out something else because later on they press that issue. We have got one initiative for the African government working with the initiative where we try to interface with government because there are many issues which we discuss at a technical level, but when it comes to its usability aspect, we need to put policy in place. We need to get government to understand what is it the technical is happening so that these technical advancement or improvement could be put into the mainstream use so that networks could be secure so that best practices ‑‑ (no sound) they are not the young kids in the dark room trying to experience and get a kick out of it. Now it's business. Now it's profit. Now it's well organized businesses and we need to focus on that. I know you think this is only a national issue. It is a continental issue. It is a universal issue.
And I feel that one of the things that governments need to focus on about the advantage working with the government and policy making. Though we advocate policy making in the field of cybersecurity, we need a field in the Internet and into the governance from a different perspective. Once you make policies, which is going to load the system in such a way that what we have good about the Internet is open and its privacy aspect. It is transparent aspect and accessibility. We don't load it with too much legislation. We don't load it with too much regulation. So that we start feeling more [INAUDIBLE] about the load concerning the Internet than about the security we need to have in using it. So, policy making in this context, I would advocate. It means [INAUDIBLE] opening up. It is to embark consultation governance where the different fields and consultation coming from government, they are normally since we put the consult. That must be proactive consultation with government on the one hand and the people who run the infrastructure, the company and the private sector because these infrastructures, most of it is in the hands of private sector and more important, end users also. So this is sort of effective and productive consultation. Must be put into place nationally first. It will come to terms with what is involved in getting a secure cyber space. We can't say we're not going to use the Internet; however, problem prone it is. We need to find ways and means to get a better place and a more second place for people to do access and work. And government is an important role to play. But I don't think it's the only party which is really going to come to terms with the policy. The policy needs to be policies with steak into stock and growing Internet economy. It was steak into stock and brewing illegally with stakes into stock and they're sort of ‑‑ not innocent use, but more or less reckless use of the Internet.
Maybe I'll end by telling you that why is it [INAUDIBLE] we have an insurance policy? And this insurance policy is important to government. If you don't have an insurance policy, it becomes a criminal offense. Why is it in the use of a machine of our equipment? We'll just use it like that and everything else and when we're connected to other machines in our town, you know, in our country, in the whole world. Shouldn't we think about putting more responsibility on the end user for educating them, but then you have good in some ways to be on some sort of user representative [INAUDIBLE] just like we need to access to be on safe use for the road. What do we put the end user on when they use the cyber space and use the network? They're at risk and risk others and in this development worked, I think government needs to come together with cyber society, together with the appropriate sector in the street to find a way and make it foam and this sort of [INAUDIBLE] reflection on what kind of policy we need to secure the Internet at national level and end anyway this should be sure sue on the international level. There must be the continuum with the national initiative and we go into the international, ah, forum. So that varies no place with cyber criminals when they finally say they come and settle and they do good business and do good money. Thank you.
>> Thank you very much. I would like to ask, has the remote panelist showed?
>> Not that I'm aware.
>> Please just mention your name, affiliation and if you're addressing a certain panelist with your question, please mention him.
>> Alex from south A46A. I am an independent researcher. I am just making a point. So I'm not addressing anyone. I think that, um, there tends to sometimes be a state and corporate centric inside cybersecurity as we are trying to integrate civil society and it's been mentioned. I congratulate that. But I also ‑‑ I think that a phrase that's important here is people need to keep their own house in order when it comes to cybersecurity and we really need to address it from the individual in the group level and we're getting it from the bottom half. Something that shocked me I really ‑‑ it still boggles my mind. If you registered for the IGF online, you sent your ID number, your passport number, your home address which then can be monitored at any point along where it travels on the Internet. So, if someone is coming from a repressive regime and someone doesn't want someone else to know they're attending governance forum or if someone doesn't want anyone at any point to be able to read the home address and ID number, then this is a grave, grave cybersecurity fail. Yeah. I think that this needs to be investigated. Thank you.
>> Thank you, Alex. I think that's an interesting observation given that we are here to talk about that issue particularly. I'm not sure who to take that up, but perhaps we could do so. Um, I know we do ‑‑ if we ‑‑ Jim, do we still have a question from the remote participants?
>> Yeah. But they had to reboot machine.
>> Okay. So, um, in the second row here in the back.
>> Right. Thanks. My name is Nimna and I'm an ordinary user and very end‑user. And, um, I'm impressed bite panels and the panelists seated there. In my order life, I used to be a legal person, but now I'm civil society, but today I'm just a user. So I'm asking a users question. Ashok was addressing more responsibility on the user and my question is will you give responsibility to someone who has not been educated about the issue and the other side of the question will be how do we share responsibility across all actors in the Internet security existence? Who has the greater responsibility? It is the government? It is the service provider? How do we share responsibility? Thanks.
>> Who would like it take that first on shared responsibility?
>> Yeah. It's not just ‑‑ I think every party has to have responsibility in this and I think one of the themes last year of our cybersecurity awareness month, which we have every year in October and it's coming up again, um, was that cybersecurity was a shared responsibility and a big part of that is as you say education. I think awareness raising education is something we needed to do a lot more work on particularly with end users, but also with businesses and governance too. I think there's a lot of work to be done there. I think you're right. It is unfair to put responsibility on someone who has no understanding and very complex‑type technology at end of the day. So I think awful us have a role to play in make the technology safer and educating the end user and working with ISBs and working with the companies and working with governments so they can all take the role.
>> Yes. Thank you. We need educate first and then put responsibility on the end user, but when we talk about shared responsibility like this is something we have been raising for some time, but unless as [INAUDIBLE] and until nationally in our own country each one of us realize that the Internet infrastructure needs to be protected. [INAUDIBLE] from the perspective of the end user ‑‑ (no sound) so if we take actions and there is no respect with any practical sort of putting it into what we practice with people using it, investors using it or industry using it, there's no point. So we talk about shared responsibility. The responsibility has to be marked out in some sort of a document and local sort of document with to which hold sectors are following what I said about proactive and considering what each party brings in. Its own interests in the matter. It's not a government thing is. Neither is it a business thing. It is a thing with the responsibility must be shared, but responsibility must be taken by each party to come to the end user to get to the question. Once the end user knows what sort of field he or she is in, then that end‑user becomes responsible with the use of his own machine. And if you don't do that, then you open the whole VRS to risk. So shared responsibility doesn't mean only educating people to tell them this is good. This is bad. It is where you should pay attention, but there must be some form of a discussion [INAUDIBLE] what is the problem. How they want to be responsible. Comes first responsibility, but people must come and find that they are responsible. In many fields, this happens for the environment and people become responsible. It is easier to be done there and my question is: Why is it that we are taking so much time to become responsible in the cyber space where we're facing it with so much and if we don't react, maybe then if we lose trust in the system, then the system is worthless. 
So nothing and people [INAUDIBLE] responsible as they trust the system and the system would be somewhat put into place that it be trustworthy. Maybe I'll have remarks again later.
>> Is there anyone else that would like to address the issue? The question of shared responsibility?
>> Yes. As a matter of fact, I remember having awareness and, ah, just to address the point of last week, we were conditioning the user. In most cases when the user has a big transaction, is it okay to this disagreement, read disagreement and click. Many don't read. They just click. Okay. Cool. So please as you read, know the contract is going and not to responsibility. And then also, ah, it likes more, I think, with the government law enforcement. Because law enforcement is very important. We know about the Budapest convention on cyber crime. I don't know if [INAUDIBLE] in the African countries that is ratified that. So that kind of convention that would help in cyber crimes is very important. They first maintain small responsibilities and the part of the government. All the business. So we're in the business because we have always taken practice tip coming up with solution and coming up with new innovation. So business to ‑‑ we have a lot of responsibility to ensure that we keep track and ensure that the system is safe.
>> If I could ‑‑
>> Do you want to make a comment? Susan, I think you do too.
>> I mentioned the term resilience earlier. Resilience is a concept that says it can survive accidents and attacks and while users or system managers may bear some responsibility, the system survives even if they fail to fulfill those responsibilities. A good usable system should not place too much burden on individual users. They should let users do what's natural to them. In fact, put the drivers license if I am in my car, I should be properly qualified. When I flew here on an airplane, I have to know,000 fly one. In different case, they have different responsibilities and in that case, I just needed to stay in my seat. So making iter as for you will increase the benefits of the Internet resilience as let the system recover from the damages that might occur to any individual users so that's right users can continue to do their work.
>> SUSAN MORGAN: Just a quick point coming back to the issue of shared responsibility. I think given the kind of complexity of the issues and the challenges, um, there's no one stakeholder that will be able to solve the issue. That's one of the critical reasons it is important to have responsibility across the stakeholder agreements.
>> Okay. Let's move on to the next question over here by the window. If you can identify ‑‑ do you need to get near a mic? Great. Thank you.
>> My name is Ben. I work with the sustainable development. I think that there is a social two points I need to make that there is a social and a cultural side on this debate that would perhaps be considered. We have all thought that dealing with cyber crime has to do with a legal side. I would say a political side angle to it. And the economical angle to this debate. A second point I want to make is that digital literacy is a component of this whole process. And we have assumed that digital literacy is a capacity building issue. In most cases, it is not necessarily one and that it cuts across a whole and a broad side of society right from a primary school level when we talk to a 6‑year‑old child about cyber crime and cyber bullying online right up to the business level when people secure their networks. And that brought sector society needs to understand identity for the issues online. And I think we have not been in that detention in terms of the approaches that we should be taking and dealing with cyber crime issues. I want to know what you guys think about those two points.
>> Do you want ‑‑ I think perhaps maybe we can take another question and then combine response. In the back of the room over there and then this lady. If we have a remote participant, I would like to include as well. Great. Thanks, Jim.
>> My name is Adrian. I am the Executive Director. It's a network of internet hotlines which provide reporting facilities for members of the public to report their concerns to of content they find on the Internet. Primarily the hotlines deal with images of child sexual abuse or child pornography, but also dealing with other areas where people report whatever offenses or possible offenses they're concerned about. They provide a great tool for general society to report to. They're a very good intimate [INAUDIBLE] between law enforcement and industry. In fact, in order to be a member of the INHOPE association, you have to have full support government, law enforcement and industry because of the sort of content that they can be dealing with. And they're referring to child pornography. But many of the hotlines and we have a network now of 40 hotlines around the world. The first hotline here in Africa is the film publication board in South Africa which is developing into a very successful hotline. They provide say this reporting interface. It's very similar to something like crime stoppers where people can report anonymously and they report their concerns of any content. In most cases, the hotlines deal with any content of the Internet and that could include offenses such as phishing and various offenses that you've been talking about here and directing the reporter on to the relevant authority or [INAUDIBLE] relevant authority or relevant body of this particular crime or allocation. So therefore, I think what we're talking about here is, ah, very good, but what we need is that interface between the general user, the public, and the industry and the law enforcement to connect the whole chain. And that, um, is very much where the national hotline fit. As an interface for everybody to use that. So, I would ‑‑ I recommend if anybody has any interest in setting up a hotline in their country, certainly visit our website inhope.org or [INAUDIBLE] into a meeting. Thank you.
>> Thank you for sharing that example with us. I think it captures the shared responsibility or at least another word we heard a lot about is shared empowerment giving a way for users whether of any nature to, um, to take some control over their own environment. I'd like to get back to the question of, um, the digital literacy and perhaps the education component of that. I don't know if, ah, Chris, you want to refer back to awareness month and perhaps some things that are happening in the U.S. and would like to add on.
>> CHRISTOPHER PAINTER: Yeah. So, first of all, on the cyber crime issue generally, ah, that is a core component of this that having strong laws in place, but also having trained law enforcement is important and, ah, as, ah, my co‑panelists mentioned, the Budapest convention is an important part of that deed, the training session, the capacity session we talked a lot about that instrument and how that might work and it also talked about how you cooperated and how you have networks of cooperated law enforcement networks. That's important too. So all of those aspects go together. I also agree that it's not just a government function however. There is, ah, people, ah, businesses and individuals in society and have to be aware of what is appropriate online and what's not and partly having good cyber laws helps you socialize with that. What is central and what is not and there are consequences if you do bad things, that helps and that helps get that out there. So it's not solely as one. Questions that said a government perspective. And there are economic aspects as well as you mentioned of having those kind of strong laws in place like the Budapest convention actually then helps spur economic development as well. So, there is not just a security element of this. There is an economic growth element to it which is very important. I also want to comment a little bit on the hotlines issue, a number of countries around the world doing that and I think that's very important. I think that's been in development in terms of helping people report issues to law enforcement in the U.S. There are a number of systems that operate that way so that people even if they have smaller incidents online they're dealing with when they're having problems that they can often those can be aggregated into larger events where the actors are hitting many different people at once. I think that's important. I go back to what Liesyl said. 
It is having better awareness in industry and businesses and government that help you understand again why it's important to have these laws in place and important to have wide trained law enforcement and good international cooperation and why it is important to list businesses and society generally in this effort.
>> We had a question here and then perhaps a remote participant. Sneak thank you. Please. Go ahead.
>> Thank you. I am [INAUDIBLE] of AfriNIC. I have a question to the panel. One comment I will ‑‑ I want to make is the importance of collaboration. As my colleague mentioned before, we have launched two years ago this initiative of the government work group, which has two aspects. There is one more political aspect, which is government getting together and talking about what we do as registry and we have the law enforcement aspect as well where we have, um, have three workshops for law enforcement agency in Africa with the contribution of the FDA, of course. Where we discuss those issues about cybersecurity, about the importance of, um, bring law enforcement into the debate about cyber security and what is interesting to see is there is a new policy being proposed by law enforcement in Africa alone, which is a positive thing in the way of translating cybersecurity issue into [INAUDIBLE] policy. The cooperation between end users, governments and industries and loan is critical. In our region, we don't see that much not because we don't want, but just because the Internet is really take up now in Africa. We have seen more and more people connected to the Internet. We have seen more and more capacity in the region, which bring the real issue. Right? So people start thinking about this and I think there are many initiatives trying to tackle this issue from different angles. And that's where my key question comes in. How do we try to bring all those efforts together so that we can have a clear picture and know where we're going? Originally generally and share more experiences and learn from each other and try to bring a framework that can bring the internet safe place. We don't have to reinvent the wheel. We can learn from others. We can adapt what has been done. There are a lot of [INAUDIBLE] in Europe and America which are working. How can we apply that. 
I think it is something that I would like the panelists to talk about how we can, um, better organize and developing country to tackle this cybersecurity issue.
>> Maybe other people want to comment too. One thing I think it's important that we've learned in our country too is that it's also important to organize within government. So, ah, I would say a few years ago that the various different agencies within our government probably weren't coordinated as well as they are now. And that's true of every government in the world. There is not one country where all of the agencies are talking to each other and know what is going on. It is not just a law enforcement issue. It is not just an economic issue. It is really cross cutting. So you have to have a lot of government agencies working with the private sector and working with civil society and working with technical experts. Part of it is within the country and I think regional forms like east African, the DAC and others are good to socialize these issues. You're right. There are good things out there like Budapest convention that can be used as a basis and are open frankly for countries in Africa to be involved in. One last thing I say is I think there's really good a collaboration between the technical community and the government, the law enforcement community. That's become much more over the last five years. It used to be that the law enforcement community would look at technical community and say we don't really understand what those guys do and then the technical community would look at law enforcement and say they just want to break down doors and take all our servers. We don't want to deal with them. I know there's a much better collaboration and I think that helps everyone.
>> Thank you, Chris. Susan?
>> SUSAN MORGAN: I was going to say this little creating mechanisms are used in existing mechanisms. I think one of the core challenges is there's a real tension between the time it takes to create those mechanisms and create trusted relationships that enable collaborations and the speed at which technology develops. I'd love to say I had an answer to that, but I think it is something we need to be aware of. Jimson, you want to tackle that one?
>> JIMSON OLUFUYE: Really been [INAUDIBLE] the other time concerning [INAUDIBLE] aspect to the issue. And I agree with him. I think a solution to that would be like developing the bottom of east framework and also incorporate in Latin America from the [INAUDIBLE] to the great. How do we collaborate [INAUDIBLE] to bring together. I see a change in Nigeria recently. Before now, you have all the agencies and the [INAUDIBLE] concerned with ICT or issues in other areas. So now they're not focusing. The government decided to take off all those issues. So perhaps that's the way to go. We need to [INAUDIBLE] and we need to establish a mechanism to view discussion and exchange of ideas within the administration and then bring in all the technical community, the business community, the civil society, bring everybody together to discuss those issues. Surely in most of our nations, developing nations, I think we have the government to take that initiative. The government does not move, it does not move. So the government need to move and we find out all of that as follows. But that's what the government needs to do. They need to move so that others can move. Thank you.
>> Ashok, and then we'll go to our remote participant.
>> I would like to respond to those remarks about how do we get all of the individuals sort of local base initiative. We try to federate them and try to bring an African perspective. You might say. So, in this respect, I think you will recall when we started with the WITSAs initiative in 2003. They were in Africa a different sort of regional or pre‑[INAUDIBLE] meetings which were held there. Wait a minute, Mali. There was in the east part of Africa where people came together and tried to get issues on board which could be taken up to the [INAUDIBLE] eventually to ‑‑ this can go in some way to address a point raised and trying to get all the different sectors, which are thinking reflecting on our best we can grapple with the issue maybe. We can start relooking at those initiatives and maybe have more local ones and national ones and regional ones. But then for Africas, you are aware there's a if funding. There's a question of getting people to come to meeting. This is one of the biggest drawbacks that Africa faces, but something has to be thought on this line. But to finish, I like the [INAUDIBLE] remark about the digital sort of literacy. I think maybe this is one question we must go to the [INAUDIBLE] which we have to pay somewhere so that people can start to learn about the nitty gritty right from the time they're in the school. The signs in the environment has been done. I think at this time, it could get the people a specialist in it to address the issue.
>> Thank you all. As you might have noticed, we have our remote panelist online. Do we? Did we lose her?
>> I'm not quite sure. This just went dead. Before we do, that I want to get two related questions out and then we'll go to the panelists.
>> The first one was from Yong Gudsen directed to Chris Painter. And then related to that, we have from the Australia National University to the panel of general what thing the prospects of such a U.N. treaty or cybersecurity are. So, with that, getting those out there for people to think about why don't we go to our remote panelist and see if this works.
>> Thank you, Jim. And I ‑‑ I was missing and introducing the remote moderator Jim from the strategy group. Thank you very much, Jim, for hanging in there with us. Okay. So are we ‑‑ we have ‑‑ nice to see you. We actually see you in the room. Can you hear us? Okay. We can't hear you. So give us one moment. Okay. While we're working on, that shall we go ahead and answer the question? Why don't we ‑‑ before we do, that why don't we take the question I've been mix over here and then maybe you can get all the questions answered together since I'm running out of time and since [INAUDIBLE] is almost joining us and perhaps we can wrap those together. Please go ahead and then we'll ‑‑
>> Thank you. I program New York and my question is also for the department of state. So I noticed that ‑‑ as we all know the theme of today's everything in developing countries and my question is because of the department of studies here today what it is you have been doing regarding this in developing countries? Can you give us concrete examples of initiatives in developing countries whether African or South American. Thank you.
>> Could I ask each of you ‑‑ Chris, I know strut line share of the answers here, but to try to answer the three that have been put forward in one go. Is that all right? And briefly, Sean is reminding you.
>> On the first two questions, I think we have been clear that we think that a global treaty on security is not reality approach that we should be taking right now. We do have the Budapest convention dealing with cyber crime. There's a lot of things we need to discuss and our approach is laid out very clearly and our international strategy when we talk about norms and cyber space. We talk about socializing those norms and how we're going to reach some global consensus. That's a lot of global things and we don't have consensus on all those other issues. There's a conference of hey, having in London and they'll be discussing these issues and what are the norms in cyber space and what are the things that countries can start coalescing around I think that's where the real shared work is. On the issue, some of the capacity building. I mention the Nairobi conference. We have done a number of cyber crime and cybersecurity related both in the primary, but also in building CERTs in various places. It's not just us alone because we're very resource limited. U.S. GTI is developing a distance learning approach on cybersecurity that will allow people to more cost effectively get training in this area. The counsel that I see over here in the corner has done a lot of legislative and other training around the world. So there's a lot of efforts not just by the U.S. government, but we will try to step those up. I think it's important we do those and the resources allowing.
>> Others would like to address the global question of global action.
>> It just strikes me from what I see at the moment, this proliferation of sort of stunned and principles and [INAUDIBLE] coming out at a whole range of organizations. So, um, I think that's probably the stage that we're at and were likely to be at some stage. Internet essential is coming out of the EU. I think there's a set of principles. The OECD and the principles that they're looking as aspects of cybersecurity, trust, Internet freedom, all these things being looked at the moment in many, many different places.
>> Do we have, um, just one moment do. We have audio yet? Ashok, if you want to take that.
>> ASHOK RADHAKISSOON: Briefly on the global treaty initiative. I for one believe that things we are in the multi‑stakeholder environment which hasn't really shown it cannot cope with these coming in terms of Internet development good or bad. And we don't know how far the treaty is going to preserve the very essential nature of the AfriNIC or the Internet ecosystem. So I think we'll have to be very, very cautious about embarking on an international treaty without really taking stock of what we already have and the way we proceed in the Internet ecosystem. Thank you.
>> BURT KALISKI: Technology make such a difference when you understand what problem you are trying to address. Now, the challenge we have is the problems continue to evolve as the applications of the Internet grow. So starting with a problem statement, ah, with the user perspective, and then with collaboration and innovation we're more effective at targeting those technologies which from a technical leadership perspective puts a good deal of the opportunity within technical collaborative forms, standard setting bodies and so forth provided they're properly informed with those needs.
>> Thank you. Do we have another question? Do we have [INAUDIBLE] online?
>> I think they're still working on video.
>> Go ahead and we have one in the back. Go ahead and why don't you give us that, Jim, and perhaps they can collectively answer.
>> Jim: Sure. It's a common infrastructure that we all share, but we also all own and particularly our Internet protocol such as DNS, BGP common pool resources that need is to be protected by all.
>> Okay. And there's a question in the back over here. Would you like to go ahead? We'll ask our panelists to address them.
>> It's actually not my place. It's a question from [INAUDIBLE] from those following on Twitter. And the question was between the national, international and global fight against cyber crime. Which one should we put more emphasis on because it appears that we may have global conventions, but action is still most strategic and more result yielded at national level. And one young person just said to pass the message that his life is too short to spend time reading end user licenses. Thank you.
>> Thank you very much for being our twitter ambassador. Burt, do you want to take the first question first?
>> BURT KALISKI: On the ownership and protocols, it is such a complicated subject. I will take the position. We all have a stake in the things that we depend on so much. As the most common side of protocols for Internet communications, TCP, IP, SSL, whatever they may be, let's share that stake in making these protocols better and understanding how to implement them in collective improvements and so forth. And again, from our earlier point, they are well established standard setting processes with open transparent mechanisms that all can contribute to.
>> Jimson, did you want to cover that at all?
>> JIMSON OLUFUYE: When we started reading the user manuals and contracting [INAUDIBLE], I get more enlightened. So, I just ‑‑ I think it's good as well for many to read those things. And besides, when we're going to contract our relationship maybe necessary to put in all the details. They got data. They got resources in their own line to protect us. And, um, also we could maybe at national level something like data insurance that will help in securing the resources if it is ‑‑ if the [INAUDIBLE] provide the [INAUDIBLE]. They will take good care of it. [INAUDIBLE] has sufficient measures and then, um, the insurance people schedule those questions. Most people ask those questions to put out secured data. So in national law to make that possible, to make the assurance ‑‑ we'll bring the insurance before the data security spectrum who respect. That is to address a point still. It comes down to the national level because by law, by jurisdiction, the national has that control, but the issue of IG and the securities across that [INAUDIBLE] and I think internationally, we want to discuss this beautiful [INAUDIBLE] for the past five years. We made use for progress and we made good progress and we need to continue in this form to discuss the ramifications of security challenges. And, ah, the example of Budapest convention and cyber crime, I think that's a good case study that is possible for all of us to walk together for the common [INAUDIBLE]. It's one wall. And one Internet.
>> So very quickly on the question about international versus domestic. You have to have both. Strong laws, strong capacity. Trained law enforcement. They need to have that in order to actually fight this issue, these crimes and in order to also be effective participants in international participation. They go hand in glove. It is important to have the Budapest conventions so the countries can get their law to a consistent point and they have training for their law enforcement officers, but then they also have to make sure they're part of things like a 24/7 network and they have very close international reasons. They work with industry and ISPs and others. All of that is really of a piece.
You can't have one without the other. I think one is important. I don't think you can choose one or the other. But if you don't have a strong domestic structure first, it is almost impossible to cooperate internationally.
>> On that note, I would like to address a question before the crowd S. is there any especially with emphasizing and Emerging economies and developing countries. Is there any cybersecurity either nationally or regionally happening in your ‑‑ where you live or where you reside that you would like to report on. A very brief reporting, less than one minute report.
>> [INAUDIBLE] I am in the Caribbean of Packet Clearing House. We have recently undertaken throughout establishment of the Caribbean group with building capacity of cybersecurity and I've also been throughout Caribbean working with the governments to ensure some of these issues have been brought to their attention one and two, they move beyond IT or IT basis and government puts stakeholders including the legal and security services? Those countries. Thank you.
>> Thank you. I believe we are now up online with our remote participant. Is that correct? No. Oh. We are so close. We ‑‑ do we have you? Can you say something? She's there, but ‑‑ I'd like for her to answer the question because I know she has one. I am hoping we can hear her in the last couple minutes here.
>> We do not get audio from your side.
>> Okay. Okay. You can hear me? Is that a yes? You can nod? Perhaps if you could type a response to the question about things that are happening nationally on cybersecurity that perhaps Jim could read for us. That would be great.
>> You can try now, please?
>> So close. Okay. Um, go ahead. If you want to send in a couple sentences that we can share with the group, Jim would be happy to read it. In the mean time, I think there were a couple other people that wanted to share their examples in the back over here.
>> Two people right there?
>> Thanks. I think the African union has a protocol right away that has been circulated on cybersecurity. In west Africa, the economic community of west African states also has an act that has been circulated among its nation states on electronic transactions in the west African region. [INAUDIBLE] we have a cybersecurity act in the country and we also have a national IG initiative that has been propelled by the regulator with an affected President that goes as children's parliament. That is it. Thank you.
>> Perhaps they have given their examples and provide some links that we can include in our session summary. I think that would be very helpful. One more in the back.
>> Thank you very much. My name is Michael. I am from Nairobi Kenya. We [INAUDIBLE] into the capacity building that is mentioned. In the quest to do this, a problem has been found and understand the same area. The vision is that by some time in March, you will hold a trend targeting the private sector. I would‑like it to be affected so much by cyber crime and the like. So my interest is from this panel that if we could get people with expertise in that area, that will definitely help us so much to move to what was next.
>> Thank you. Do we have any questions from our remote panelists?
>> Jim: We're still attempting.
>> Well, I hate to ‑‑ we're so close, to um, accomplishing the impossible. Um, but, ah, perhaps if we can't get in before everybody leaves the room for the next session, then we can include whatever we can in our summary report. Might I ask our panelists if they want to give two or three sentence in closing remarks to capture their impressions from the discussion we had today. Jimson, you want to start?
>> JIMSON OLUFUYE: Thank you. Ah, it really has been a great discussion. We meet for action, follow within ‑‑ with the developing nations. Last year we had an event and they want to do a [INAUDIBLE] structure and they want to do that with the absence of law. And the appropriate law is kind of hinderance. So I want to advise at least from [INAUDIBLE] to the issue of it is very serious.
>> I think we have a voice from Afar.
>> Put your headset back on. Yes, we can hear you. That's good. We can hear and you we can see you.
>> Do you mind if ‑‑
>> Go ahead and speak.
>> People, if you have to go somewhere, we don't mind.
>> You can go ahead and speak.
>> You can go ahead.
>> Yes. We can hear you. Could we type in to her to make her know that we can hear.
>> We can hear you. Please go ahead. We can hear you. Please go ahead.
>> Hello? I'm from Turkey.
>> Yes. We can hear you.
>> Okay. I'm from Turkey. I was actually sharing our experiences and, ah, in coordination with another item to come back to that type of security exercise. Okay? And I was actually sharing experiences about that. Some of my friends talked about sharing responsibilities and issues. They want to talk about the sharing responsibilities and issues or government and/or end users. And [INAUDIBLE] the government has a great responsibility from cybersecurity about increasing the awareness or educating the end users about private security. And, ah, last year we decided to come back in our exercise for the one project and proud institution. It was, ah, very big exercise since there were agencies from many sectors like this. Finance sector has or educational sectors or other institutions. And that went over 200 parts of representatives from the parts accessory organization. Those were extra mainly and the others were legal experts or TI experts. And in this exercise, we increasingly aimed to check the entire organization or enter organization of cape ability of the organizations about cybersecurity. In the exercise, we ‑‑ in the exercise, we, ah, ask some questions about cybersecurity issues to do the Oh, such as realtime scenarios and we ask them if there is ‑‑ if there's a malicious insider in your organization and he is still your critical data. What should you do? Or if your organization receives attacks, what should you do? Another question we ask is that there isn't ‑‑ regarding your questions about cyber security we try to take ‑‑ Sharon the awareness on the inside of the organization of cybersecurity coordination and interorganizational capabilities and the up. And there are responsibilities to apply to the securities about their cybersecurity problems. For instance, if that were bigger and law enforcement enforces in the exercise and the organizations when they encounter with a scenario about the attached. 
They apply to this law enforcement agencies and they test that he has an attack from the such and such IPs on incoming organizations. And, ah, they declare that this is a crime and do what you can do and that becomes to the law enforcement part the authorities take the crime declarations and they, ah, they do what they should do. At the end of the exercise, neigh are citizens, ah, awareness and education level about cybersecurity was increased and the interest of the press was very ‑‑ very satisfactory for us. And we thought that we should be able to do. Soon be advised of coming back to the exercises to increase their events of their citizens about cybersecurity and we think back this is a responsibility. In the next year, is there a problem?
>> No, but we are transitioning the room. So, if you just want to wrap up.
>> May I continue? In the next few or so, we in Turkey we attempt to ‑‑
>> We're cutting off? Is that what we're doing? We have to end this session now. If you want to ‑‑ unfortunately, we'll have to stop, but we ask be in touch if you have any concluding remarks you want to share with me for our session report. Okay? Thank you so much for hanging in with us. Really.
>> Thank you so much.
>> My remark are in Turkey and come back regional or entire regional cybersecurity in the next year. We will have close contact with the countries who, ah, who would like to join us or who would like to contribute our studies.
>> Great. Thank you.
>> Thank you.
>> Thank you very much and thanks for hanging with us. And I can't believe we did it. Thanks, everybody. Thanks, everybody, for hanging with us on the cybersecurity panel. I guess next panel in here will start at 11:00, if I'm not mistaken.
(End of session)