INTRO & INSTRUCTIONS
The BPF Cybersecurity aims to be bottom-up, open and inclusive and therefore invites all interested parties to comment on and contribute to its draft output document.
After each section there's a possibility to leave comments by clicking on 'Add new comment'. Comments are shown in a column on the right.
For clarity, footnotes and references are not shown on this review platform. You can find them in the formatted draft.
Document structure:
Part I: Framing the 2017 BPF on Cybersecurity
Part II: Cybersecurity as an Enabler for Development
Part III: Conclusions and Way Forward
The Best Practice Forum (BPF) on Cybersecurity is part of the 2017 intersessional work programme feeding into the 12th annual meeting of the Internet Governance Forum (IGF) held in Geneva, Switzerland from 18 to 21 December 2017.
The BPF aims to both produce a tangible output[1] and provide a broad multistakeholder platform for engagement on cybersecurity policy matters, which increases existing cooperation and builds new synergies amongst cybersecurity initiatives and processes. The BPF Cybersecurity as such fits well under the overall theme of the 2017 IGF, Shape Your Digital Future!
The BPF on Cybersecurity grew out of the BPF Establishing and supporting Computer Security Incident Response Teams (CSIRTs) for Internet security, and the BPF Regulation and Mitigation of unsolicited Communications, both of which ran during 2014 and 2015.[2]
As an outcome of both groups, it was identified that the topics they had tackled were somewhat limiting, and there was no existing forum within the inter-sessional work to discuss other cybersecurity-related challenges and to look more holistically at cybersecurity challenges. In addition, "cybersecurity" as a term was ill defined within our community, and could benefit from deeper investigation and definition[1].
In 2016, the first Best Practices Forum on Cybersecurity hence started off with discussions enabling participants to understand the wider context of the word "cybersecurity" for each stakeholder group. The BPF made it clear right from the beginning that this work needed to be conceived as a multi-year project. It then worked to:
A set of 10 conclusions were drawn, which broadly echoed multi-stakeholder cooperation as critical, and put particular stress on how stakeholders must understand, respect and trust each other's expertise and competences. The final outcome, including all findings, can be found on the IGF web site[3].
The proposal[4] for the 2017 BPF Cybersecurity was approved by the IGF’s Multistakeholder Advisory Group (MAG) on 11 April 2017[5]. The BPF Cybersecurity reports into the 2017 Main session on cybersecurity at the 12th IGF meeting in Geneva and the BPF document is published as part of the official output of the 12th IGF meeting.
The Best Practice Forum on Cybersecurity realized that making Internet access more universal, and thus supporting the United Nations Sustainable Development Goals (SDGs)[1], has significant cybersecurity implications. Well-developed cybersecurity helps to create an enabling environment for ICTs and Internet Technologies to contribute to meeting the SDGs. Poor cybersecurity can reduce the effectiveness of these technologies, and thus limit the opportunities to help achieve the SDGs.
The 2017 BPF explored how cybersecurity influences the ability of ICTs and Internet Technologies to support the achievement of the SDGs, looked at the roles and responsibilities of the different stakeholder groups and aimed to identify policy mitigations that can help ensure the next billion(s) users can be connected in a safe and reliable manner to fully benefit from existing and future technologies. The BPF collected community views on what critical cybersecurity issues would benefit from a multi-stakeholder approach.
This BPF output is the product of a bottom-up, open and iterative process in which all stakeholders were invited to participate. The main steps and methodology are briefly described in the section below.
The approval of the project proposal for BPF Cybersecurity by the 2017 MAG kicked off the BPF’s open and iterative process[1]. The BPF Cybersecurity convened regular virtual meetings open to all interested stakeholders and discussed progress on an open mailing list. Draft versions of the output document were posted for community comment on the IGF website and presented at a dedicated workshop during the 2017 IGF meeting in Geneva.
The BPF Cybersecurity launched a call for contributions[2] to collect substantial community input on the BPF’s subject matter. Drawing primarily from an analysis of the potential cybersecurity implications of the policy suggestions for enabling connectivity and supporting the SDGs formulated by the IGF Policy Options for Connecting and Enabling the Next Billion(s)[3], the BPF invited community input to identify these and additional cybersecurity risks and collect recommendations on how to mitigate them.
In addition to its focus on the SDGs, the BPF asked the community to weigh in on the responsibilities of different stakeholders for mitigating risks, and on what critical cybersecurity issues would benefit from a multistakeholder approach.
The BPF made an effort to seek input from National and Regional IGF Initiatives (NRIs) via an NRI-specific questionnaire.
All contributions are collected on the IGF website; a summary can be found in Annexe 1.
Substantial input for this section was generated from the responses to the call for contributions, and in particular the questions:
‘How does good cybersecurity contribute to the growth of and trust in ICTs and Internet Technologies, and their ability to support the SDGs?’
‘How does poor cybersecurity hinder the growth of and trust in ICTs and Internet Technologies, and their ability to support the SDGs?’
1.1. Trust and Confidence in ICTs and the Internet
‘The Internet needs a solid foundation in trust for its full potential to be realized.’[1] Well-developed cybersecurity contributes to building trust and feeds the confidence in ICTs and Internet technologies enabling them to become instruments used by people and organisations in pursuing their goals.
‘Civil and political rights are clearly boosted by internet access, but the internet also positively impacts economic development when societies can trust in internet-connected systems and robustly interact, and transact online.’[2] Good cybersecurity stimulates growth in users and usage of Internet technologies, which help to accelerate business, make economies grow and increase the wealth that becomes available for distribution; they contribute to the reduction of transaction costs, increase transparency and accelerate knowledge and information transfer. Good cybersecurity stimulates the use of technologies that have the potential to contribute to achieving the SDGs.[3]
In short, cybersecurity helps to build the confidence needed to motivate the use of ICTs and the Internet, and the SDGs drive that energy towards achieving the goals to end poverty, protect the planet and ensure prosperity for all.[4]
Poor cybersecurity threatens the growth of ICTs and Internet Technologies. Poor cybersecurity exposes organisations and individuals to risks and attacks, and opens doors for ill-meaning parties to spy on actors or meddle with democratic affairs. In a more indirect way, a perception of insecurity creates distrust in ICTs and the Internet and a diminishing adoption of new technologies[1]. Poor cybersecurity will reduce the use and effectiveness of these technologies, and thus limit the opportunities to help achieve the SDGs.[1]
‘Poor cybersecurity hinders growth and trust in ICTs as it leads to lack of confidence in online systems and services, thus discouraging investment and usage. A lack of cyber hygiene increases vulnerability to cyber attacks and reduces the ability to effectively respond to and recover from cyber incidents which in turn promotes a lack of trust in the digital economy.’[2]
Cybersecurity is a broad concept that covers many aspects. A discussion on different definitions of the term ‘cybersecurity’ can be found in the output document of the 2016 BPF Cybersecurity[1].
ICTs and Internet technologies increasingly underpin society, economy, and polity. Cyberspace faces new challenges such as security and stability, infringement on privacy and intellectual property, cyber terrorism and cyber surveillance activities.[2] The submissions to the BPF reflect different expectations, priorities, and perspectives on how cybersecurity can contribute to the growth and trust in ICTs and Internet technologies, and their ability to support achieving the SDGs. This section aims to give an overview of the different facets of cybersecurity.
Infrastructure
The Internet is a network of networks and the ability to resist cyberattacks is only as strong as its weakest link.[1] Sustainable development of all levels is directly related to the protection of all aspects of this infrastructure, including security.[2]
One contribution introduced the concept of a “public core” which is worthy of protection. This core of the Internet encompasses two elements: ‘(i) a clearly distinguishable “inner core” which consists of the core functionality underpinning the Internet (in particular the forwarding and naming functions and infrastructure of the Internet and those actors responsible for their day to day management), and (ii) a less clearly distinguishable “outer core” of potentially critical functionality, whose impact on the overall stability and security of the Internet as a whole may be uncertain, or which may fluctuate depending on circumstances.’[3]
Trade, commerce, industry and production
‘Good cyber security is a means of achieving and sustaining the credibility of the Internet as a safe environment for businesses to thrive and sustain economic value.’[1] Effective cybersecurity is essential ‘to engage fully in the increasingly cyber-dependent trade and commerce. Robust cybersecurity frameworks enable individuals, companies and nations to realise the full potentials of the cyberspace, without fear or reservation, promoting cross-border delivery of services and free flow of labour in a multilateral trading system.’[2]
Cyber attacks, vulnerabilities and security breaches break trust of businesses online, which directly impacts productivity and economic growth in developing countries where ICTs are more adopted for the delivery of services.[3] Small and medium enterprises (SMEs) face the challenge to secure themselves from cyber attacks and to promote confidence and trust in their online services.[4]
Privacy/Data protection
Good cybersecurity policies, practices and legislation put people and their rights at the centre. They protect individuals, their data, devices and networks, and foster trust, stability and confidence in ICTs. Poor cybersecurity results in vulnerabilities and data breaches, which are catastrophic for privacy and undermine trust in digital developments. Many countries have insufficient or no legislation that protects data.[1]
Technology can be an enabler of all SDGs, but must be secure. Relying heavily on ICTs and the Internet to implement large scale development projects without strong cybersecurity in place leaves some of the world’s most vulnerable people vulnerable in a new way, for example when their sensitive personal information such as biometrics or health data is not sufficiently well protected.[2]
Human Rights, Rule-of-law and Democracy
Good cybersecurity contributes to the ‘protection of human rights, democracy and rule of law.’[1] Certain security measures, however, might as well pose a serious threat to these democratic values, in particular where governments are increasingly asserting control over the Internet and stigmatize security measures, such as encryption.[2] ‘Cybersecurity and human rights are complementary, mutually reinforcing and interdependent.’ To avoid cybersecurity policies having a negative impact, they should incorporate human rights by design[3], states should work together to curb trade of spyware, respecting human rights[4], and actively participate in discussion forums with the other stakeholders[5].
Poor cybersecurity and information breaches might, for example, have an impact on the ability of civil society to campaign against political decisions or weaken the voice of activists.[6]
The IGF work on Policy Options for Connecting and Enabling the Next Billion(s) (CENB) is a multi-year work programme aiming to develop comprehensive sets of policy recommendations based on broad consultations, bottom-up crowdsourcing and cross-engaging the work of the different intersessional work tracks and IGF initiatives.
The first phase in 2015 (CENB I)[1] focussed on infrastructure, increasing usability, enabling users, ensuring affordability and enabling environments. The subsequent phase (CENB II)[2] discussed how ICTs can help reach the United Nations SDGs. The ongoing CENB III[3] in 2017 narrowed its scope to focus on a limited number of SDGs impacted by ICTs.
The 2017 BPF Cybersecurity builds upon the community work of CENB I and II, and expects to establish cross-fertilisation with CENB III, in particular the CENB discussions related to SDG Goal 9 (Build resilient infrastructure, promote sustainable industrialization and foster innovation).
The BPF performed a cybersecurity assessment of the CENB output documents to identify potential risks and security challenges emerging from the CENB policy recommendations. The BPF focused in particular on the CENB II recommendations, which are directly linked to the SDGs.
The BPF came up with a list of 10 identified threats and cybersecurity challenges:
The detailed analysis of the CENB cybersecurity implications can be found in annexe 2. The CENB II analysis dives deeper into the connection between risks and the SDGs.
The BPF identified a list of 10 cybersecurity challenges originating from the CENB policy options (see 2.1.2) and discussed ways to mitigate the risks. This led to a list of policy suggestions to help address each of the challenges.
Substantial input for this section was generated from the feedback on the call for contributions, and in particular from the responses to the question ‘Do you see particular policy options to help address CENB risks?’. This delivered a long list of suggestions that were subsequently discussed by the BPF and consolidated in 10 sets of policy recommendations. A number of additional concerns and challenges that came up during the BPF discussion are listed in section 2.1.4.
In addition to the cybersecurity challenges related to the CENB policy options, the BPF identified a number of additional cybersecurity concerns that could impact the potential contribution of ICTs and Internet Technologies to achieving the SDGs.
After its analysis of the cybersecurity risks and challenges originating from the CENB policy options and formulation of its own recommendations to address and mitigate them, the BPF discussed responsibilities of the different stakeholder groups and looked for opportunities for stakeholder cooperation.
Substantial input for this section was generated from the feedback on the call for contributions, and in particular from the responses to the question ‘Where do you think lies the responsibility of each stakeholder community in helping ensure cybersecurity does not hinder future Internet development?’
‘All stakeholders have a positive role to play in nurturing a trusted and open Internet. We need to work to secure core aspects of Internet infrastructure, to protect the confidentiality and integrity of data that flows over it, and to ensure the right policies are in place to support the technologies, networks and actors that make the Internet work. We do this through collective responsibility and collaboration.’[1]
Each stakeholder community has a responsibility in helping to ensure that cybersecurity does not hinder future internet development. New technologies may be insufficiently secure and cause harm when deployed, while stringent security requirements may prevent the development, deployment, or widespread use of technologies that would generate unforeseen benefits. Stakeholders have the responsibility to foster open inter-stakeholder collaboration and trust relationships, and to infuse a culture of cybersecurity among all stakeholder groups.[2]
Complexity is the reason why multistakeholder efforts are important.[3] There is no one-size-fits-all solution, and pro-internet policies can take many different shapes.[4] A multi-stakeholder approach to develop future policies on the strengthening of the rule of law in cyberspace should involve the relevant stakeholders, so that future policies will represent commonly accepted solutions to make cyberspace more secure.[5] To succeed, it may be necessary to develop strategies to actively reach out to stakeholders and involve them in discussions on common issues.[6]
From the way the Internet was constituted and works, it follows that ‘each party needs to take a collaborative security approach to foster confidence and protect opportunities. Since every stakeholder has different incentives and different economic interests and different logics (regarding security/privacy/DP), only a good multistakeholder process would bridge these differences.’[7] Cybersecurity is a collective responsibility, and a culture of cybersecurity should be encouraged.[8] “Cybersecurity should be considered a ‘public good’, which promotes collective responsibility for shared benefit.”[9]
On the topic of multistakeholder cooperation on cybersecurity the Internet Society published Principles of collaborative security[10] and a Policy framework for an open and trusted internet[11], and the Commonwealth Telecommunications Organisation (CTO) developed the Commonwealth cybergovernance model[12].
Disclaimer - recognising responsibilities is not advocating siloed actions
Cyber issues have become increasingly complex and have an impact across society and the economy. This will only intensify, e.g. with the further development of IoT, making siloed responses an increasingly inadequate answer to cybersecurity issues. Only reinforced cross-stakeholder group cooperation and multistakeholder approaches will be able to confront and withstand future challenges.
Against this background, it is important that stakeholders are also aware of their cybersecurity and cyberhygiene responsibilities, assume them correctly, and have a good understanding of the responsibilities that arise from the activities and competences of the other stakeholder groups. Such insight will be helpful to identify opportunities for multistakeholder cooperation and joint action, and to avoid initiatives by different stakeholders working counterproductively and failing to contribute to an increase of the overall level of security.
The BPF Cybersecurity called upon the community to help identify the responsibilities of the different stakeholder groups. Substantial input for this section was generated from the responses to the question ‘Where do you think lies the responsibility of each stakeholder community in helping ensure cybersecurity does not hinder future Internet development?’.
Governments (and International organisations)
Governments should take ‘a leading role in driving a national and international cybersecurity agenda and setting regulatory and policy priorities’.[1] ‘They play a fundamental role in developing policy and legal frameworks for a secure cyberspace, data protection, protecting critical information infrastructure and enforcing the law against cybercrime, online abuse and gender based violence.’[2] Governments play an essential role in protecting critical infrastructure and prosecuting cybercriminals,[3] and should support and cooperate with banks, credit card companies, insurance companies, cell phone companies and other businesses vulnerable to fraud. Governments can facilitate, initiate and/or (financially) support processes that lead to a better cybersecurity environment, e.g. by initiating (discussions on) ISACs, anti-abuse mechanisms, anti-DDoS facilities, etc., in which industry can then take the lead.
Nations must become serious about putting in place a robust risk management system, driven by a common cybersecurity strategy. A country-wide vulnerability management strategy is needed. Policies should be in place to ensure stakeholder transparency and accountability in ISP, DNS and IXP communities.[4] Governments could take initiatives to inform businesses, SMEs and entrepreneurs about cybersecurity risks and support them by sharing advice and best practice examples.[5]
In terms of policy, governments must encourage solid technology practices such as bug bounties[6], and not exacerbate the problem by hoarding vulnerabilities, or creating backdoors in secure communications tech. Governments must regulate private sector through data protection laws, and other consumer protection. They must pursue policies or treaty options that compel signatories to abide by international principles, norms and standards that ensure cybersecurity and national security measures that employ digital technology are necessary and proportionate. Governments and private sector should cooperate in private sector-government partnerships to improve transparency and to protect disclosures.[7]
The fact that often different government branches are responsible for ICTs, intelligence and national security, and sustainable development poses an extra challenge.[8] When taking on their role, governments should be cautious not to ‘undermine the collaborative approaches and the role of the technical community and industry in identifying risks, providing security of networks and customers, and the role of civil society in safeguarding transparency, accountability, due process and human rights.’ They should not ‘fuel competition for creating insecurity (...) and not undermine user’s data protection,’[9] for example by stimulating offensive security research to expose vulnerabilities without an intent to fix.
Modern methods of attack may require tackling of cybercrime internationally through aligning legislative initiatives,[10] and International organisations should ensure ‘that all governments do adopt conventions and agreements’[11], at the same time and at the same level.
Governments have the responsibility to reach out and engage with other stakeholders in seeking multistakeholder solutions to cybersecurity challenges as noted and recommended in the prior section on multistakeholder approaches.
Civil Society
While governments usually take the lead in setting policy and regulatory priorities, the role of civil society is important in monitoring accountability and transparency, and safeguarding due process and human rights.[1]
NGOs have a critical role in raising awareness, and promoting responsible behaviour and safety online.[2] Their activities are fundamental for pressing governments to abide by their obligations to respect rights such as privacy and freedom of expression, for increasing awareness over rights in the digital age, for promoting responsible behavior, and for spreading best practices.[3] NGOs have been important hubs for expanding access policies in developing countries, often being closer to the everyday challenges faced by users than other actors.[4]
Technical community
It is the responsibility of the technical community and industry to identify risks, provide security of networks, devices and people.[1]
It is important to support efforts to mitigate DoS and other attacks at the technology level, rather than with policy such as criminalisation. Proactive solutions to find, mitigate and disclose vulnerabilities are key to addressing reliability and access. The technical community must develop protocols to prevent their use for exploits such as DDoS.[1][2]
Technical organisations, such as the IETF, should consider broadening their membership to include all stakeholders, and involve NGOs and stakeholders in their discussions before designing the technical solutions.[3]
Multistakeholder cooperation within the IETF and other standardising bodies could focus, on the one hand, on swift implementation of standards developed with the technical community, so as to ensure a safer environment based on the offered solutions, and, on the other hand, on identifying urgent issues together.
Private sector
The private sector should adopt the principle that the best security is the one that is not noticed by the secured. The private sector plays a core role in developing secure technology, secure products and services, as well as in sharing knowledge and best practices[1] with governments and non-governmental organizations.[2]
The private sector must use due diligence to protect human rights, and avoid adverse impact. It has to ensure the correct implementation of protocols and best practices. It must create readable ToS for users, and proactively inform users of software updates.[3] In addition, it must evaluate its approach from the users’ perspective, taking into account user groups with special needs, e.g. elderly or disabled people, for whom information and awareness alone might not be effective.[4]
Academia
Academics’ main responsibility is to guide with scientific research.[1] There is a considerable lack of knowledge of what is really going on,[1][2] which is seen by some as problematic. Therefore, to avoid a knowledge gap, it is important that the most recently developed and adopted technologies are also included in academic curriculums and research programmes.[2] Academics and security experts should monitor[3] best practices implementation.[4] Policy protections must exist for researchers that seek out vulnerabilities in technology.
While the 2017 BPF Cybersecurity was inevitably limited in its own scope, it identified areas and issues that would benefit from a multistakeholder approach. Some of the issues are already being dealt with by one or more stakeholder groups in specific forums. There are great opportunities for dialogue and cooperation among forums. Interested stakeholders are advised to consider joining the existing forums and so further develop multistakeholder dialogue on the issue at stake. Substantial input for this section was generated from the responses to the question ‘What is the most critical cybersecurity issue that needs solving and would benefit from a multistakeholder approach?’ and further discussed and consolidated by the BPF.
Existing forums: UNIDIR[1]
Existing forums: UNGGE, GCSC
Existing forums:
Existing forums: Meridian, GFCE, ISACs
Existing forums:
Existing forums: NANOG, FIRST, RIPE, APNIC, AFRINIC, LACNIC, NAWAS of the NBIP
Existing forums: Europol, Interpol, UNODC, Council of Europe
Existing forums: OSCE, UN
Existing forums: No More Ransom
Existing forums:
Existing forums: GCCS, Council of Europe
Existing forums:
Existing forums: GSMA
Existing forums: Eurojust
Existing forums:
17. Asymmetric use and access to the Internet
Do cyber threats of different natures pose a greater threat to open societies than to closed ones? From organised crime to democracy undermining activities. Do governments undertake enough or the right activities to protect their respective citizens, institutions and companies?
Existing Forums:
18. Anti-abuse initiatives
Around the world there are organisations fighting abuse through the setting of Internet standards or direct actions against the use of abuse sources.
Existing Forums: M3AAWG, AbuseHUB, Signal Spam, APWG, Stop Think Connect
Well-developed cybersecurity helps contribute to meeting the SDGs. Poor cybersecurity can reduce the effectiveness of these technologies, and thus limit the opportunities to achieve the SDGs.
[ text for Part III to be based on discussion at the BPF Cybersecurity workshop at the IGF]
Non-exhaustive list of regular contributors to the BPF discussions
[to be added]
[ cleaned up version Matrix + questionnaires ]
Analysis contributed by Andrew Cormack
Notes on how cyber-security can affect the achievement of the Sustainable Development Goals (SDGs). Derived from the IGF Policy Options for Connecting and Enabling the Next Billion(s): Phase II. Many of the cyber-security issues affect several SDGs: the connections selected here are chosen as perhaps the best examples of these dependencies.
SDG1 (No Poverty) depends on individuals being able to access information over the Internet. Thus it can be disrupted by weaknesses in, and attacks on, the availability of information services and the networks that individuals use in connecting to them. Issues such as denial of service attacks and services that can act as amplifiers for them could therefore affect progress towards this goal. Similar issues arise in SDGs 4 (Quality Education), 10 (Reduced Inequalities), 14 (Life below water) & 15 (Life on Land), and the overall aim of providing “meaningful access”.
SDG2 (Zero Hunger) includes farmers seeking information, reporting on local conditions, applying for grants etc. Since such activities may involve implicit or explicit criticism of public authorities, they will be hindered by any perception that those authorities are engaged in surveillance of internet usage.
SDG3 (Good Health) includes telemedicine, disease monitoring and the storage of patient data. Developed countries have already experienced setbacks in these areas as a result of incidents affecting the confidentiality and availability of sensitive information held by medical and health services.
SDG5 (Gender Equality) is harmed by individuals or organisations using communications technologies to engage in online abuse and gender-based violence.
SDG6 (Clean Water) involves using communications technologies for the remote monitoring and control of treatment and pumping equipment. Vulnerabilities in SCADA (Supervisory Control and Data Acquisition) equipment that is connected to shared networks are a major concern that can turn such automation from a benefit into a serious pollution and health threat.
SDG7 (Affordable and Clean Energy) depends on the widespread acceptance of smart meters and smart grids. Loss of trust in these systems can easily be caused if monitoring equipment and systems do not keep information confidential, or if information is used for inappropriate purposes.
SDG8 (Decent Work and Economic Growth) highlights the importance of mobile payment systems, which are critically dependent on the security of mobile devices such as phones and tablets.
SDG9 (Industry, Innovation and Infrastructure) suggests that developing countries may find opportunities to develop disruptive industries in the area of IoT (Internet of Things). However, a lack of secure development processes is already causing concerns for IoT, and any industry based on them could be severely damaged by a security failure in its products.
SDG11 (Sustainable Cities and Communities). Many of the technical tools suggested as supporting this aim can also become serious threats to individuals and communities if they are not secure. Criminals, neighbours, governments or even family members with unauthorised access to internet-monitored home security, traffic monitoring or CCTV systems can cause serious privacy, material, physical or emotional harm.
SDG16 (Peace and Justice) concerns citizen engagement in government, but also notes that these tools can be used for repression and the spread of prejudice. Either will strongly discourage engagement. Systems used to hold authorities to account must be protected from abuse by those authorities.
Analysis contributed by Maarten Van Horenbeeck
The 2017 Best Practices Forum on Cybersecurity is reviewing the cybersecurity implications of policy recommendations made as part of “Policy Options for Connecting and Enabling the Next Billion(s): Phase II”. The outcome of this work will help inform policy makers of the important cybersecurity implications of implementing or evaluating a specific policy option.
In order to ensure a comprehensive review, these notes describe a review of the cybersecurity implications of policy options identified as part of “Policy Options for Connecting and Enabling the Next Billion(s): Phase I”. While that document did not align with the Sustainable Development Goals, and thus will not be our line of inquiry in approaching the Phase II review, this review is intended to ensure our guidance is comprehensive.
In Appendix A, a set of reviewed policy recommendations, extracted from the Phase I CENB document, is listed. Reviewing those, I identified a set of high-level criteria which came up, in many cases repeatedly. I noted some brief security implications of each:
1. Promoting improved and extended broadband infrastructure:
2. Promoting spectrum increases and promoting increased reliance on wireless modes of operation:
3. Promoting increased power grid capacity:
4. Promoting the development of Internet Exchange Points:
5. Promoting user awareness education:
6. Deploying government services using an Open Data model:
7. Addressing unsolicited e-mail and other forms of spam:
8. Promoting the increase of locally relevant content and local language support:
9. Promoting national domain name infrastructure:
10. Promoting sharing of passive infrastructure:
11. Addressing minority and gender-based online harassment:
12. Strengthen telecommunications infrastructure through public private partnerships:
13. Enabling initiating economic opportunities, such as starting a company online:
14. Make internet devices more affordable
Appendix A: Policy options identified from the Phase I document
1. Deploying infrastructure
a. Physical, interconnection layers and enabling technologies
b. Mobile
c. Funding sources: Universal service funds, Public Private partnerships
d. Deployment
2. Increasing usability
a. Applications
b. Services
c. Local Content, Multilingualism
d. Media
e. Accessibility
3. Enabling users
a. Human Rights
1. Establish mechanisms to promote, monitor and popularize African Declaration on Internet Rights and Freedoms and UNESCO’s concept of internet universality
2. Self regulatory, independent objective oversight and sanctioning mechanisms
3. Meaningful access to ICT includes control over ICTs as a key resource towards advancing status of women and girls and their human rights
4. Address emerging issue of violence against women
b. Inclusiveness (Gender, Youth)
c. User literacy
d. Digital Citizenship
e. Entrepreneurship
4. Ensuring affordability
a. Digital divide
b. Costs of Access per Capita
5. Creating an enabling environment
a. Government, Regulatory Authorities and IGO frameworks, laws and regulations
b. Private sector-led initiatives and market strategies
1. Liberalized market with open, competitive environment
2. Nurture healthy market competition
3. Streamline licensing process with no barriers to market entry
4. Ensure competitive market structure, with no govt ownership of end user providers
5. Available access at market rates to international gateway or cable
6. Transparent disclosure of pricing and service options
7. Permit pre-paid and tiered pricing
8. Remove barriers to crossing national borders with infrastructure or traffic
1. Open and competitive markets, fair, investment-friendly, comparable regulatory intervention for all actors
2. Strong reliance on voluntary commercial arrangements
3. Policies that promote efficiency through engineering-driven design (creation of IXPs)
4. Policies that promote growth of products and services provided over broadband
c. Non-profit, Public-Private partnerships and Other initiatives
1. Foster private-public partnerships to invest in telecom infrastructure to reach out to disadvantaged areas
2. Establish national and local dialogues on benefits of internet and how it improves economic situation of individuals
3. Develop policies and regulations that cater for competitive access-price strategy, macro-level affordability
4. Engage with CSOs to reinforce their role in mobilizing communities they work with
1. Promote access for persons with disabilities
2. Make terminal devices and telecom services more affordable and better quality to ensure widespread access
3. Strengthen telecoms infrastructure by encouraging public-private partnerships
4. Encourage campaigns for skills building
5. Encourage multi-stakeholder governance
1. Reduce the cost of internet access, such as supporting innovative business arrangements like free basics
2. Promote free and open internet
a. Do not permit fast lanes, blocking, throttling
b. Do not introduce laws inhibiting innovation
c. Innovative practices such as zero-rating can give more people access to content
3. Expand connectivity infrastructure
a. Streamline local licensing processes
b. Reduce legal barriers to entry
c. Promote sharing of passive infrastructure (dig once, build once)
d. Tax incentives can accelerate development
1. ICT appropriation linked to access is important to increase impact of government initiatives and reducing digital divide
2. Promote production of software and local content with social focus
3. Encourage public internet access strategies, and do not neglect them in favor of mobile access. Public access links vulnerable communities.
4. Expand community wireless networks and connection of schools and libraries to rural areas
5. Reduce or eliminate taxes related to internet access and devices
6. Reduce gender gap and ICTs
1. Prioritize supply and demand-side policies to full range of broadband infrastructure, applications and services
2. Initiate and prioritize broadband planning process
3. Invest in ICTs and digital skills as engine of growth
4. Review and update regulatory frameworks to take into account evolving models
1. Openness to dialogue across partners institutions and organizations
2. Inclusiveness of local actors aware of local needs
3. Enabling environment for joint planning and execution
4. Identification of socio-economic development opportunities and priorities
5. Application of successful models across disciplines
Address unsolicited e-mail
To be added.