This is now a legacy site and could be not up to date. Please move to the new IGF Website at https://www.intgovforum.org

You are here

IGF 2016 - Day 2 - Room 3 - WS152 - Working Together: Collaborative Security

 

The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

>> OLAF KOLKMAN:  Let's get started, people.  Welcome.  Welcome, everybody.  We are here at I believe this is workshop 152 according to the schedule.  And we are going to talk about collaborative security.  And asking our self the question how collaborative security or working together actually applies in the local context.  And in order to shine a little light on that we have invited panelists with various backgrounds from all over the world, I may say.  On the left‑hand side of the table right for me and for you is Hiroshi Esaki from the University of Tokyo and also heavily involved in the wide project.  We have got Nick Shorey, the senior advisor international Internet governance department for culture, media and sports, a UK government.  We have Yurie Ito who is the Executive Director of the CyberGreen Institute and we have the (inaudible) of the African union.  These sessions are also remotely attended and I'm happy to say we have Hirofumi Hotta from Japan who will be moderating remote questions and also we have Matt Ford from the Internet society.  I'm going to moderate.  So let's get started with the first slide deck.  Let's pull that up.  Because I want to give you a little bit of a background.  When we talk about collaborative security what does that mean?  So next slide.  Collaborative security is something, is a concept, an approach that we developed that is really about the open Internet.  If you say what is the open Internet again, then next slide, then, you know, I with a technical background really think about the ability to create infrastructure, create applications, to have a lose coupling between the IP layer but that's not that interesting.  What is interesting is that the open Internet is an enabler for all kinds of social and economic opportunities. 

And there are some technical things of the Internet that you would like to maintain in order to bring these opportunities and preserve these opportunities.  And that is on the next slide.  What we did is we tried to capture as the Internet society what are the properties of the Internet that really make the Internet the Internet?  We call those Internet invariants, it's a physics term.  What we think makes the Internet the Internet is it's really a general purpose network.  It's filled with multiple applications in mind.  And actually there's provisionalization which means anybody can create an application on the Internet without having to ask some central authority for permission.  This whole thing has global reach and integrity which means if you put something on the Internet at one side it comes out of the other side and that works with a bunch of building blocks that people piece together and then create this end to end experience.  It's accessible meaning that everybody can connect and expand the Internet.  You can create new ISPs, you can connect to it. 

Interoperability and mutual agreement.  There's a thing about interoperability and having some mutual agreement on how this works.  It's amazing if I send mail from here in Mexico to my wife back in Holland that the ISP's involved don't have bi‑lateral relations.  There's some but the two end notes don't.  There's just a mutual agreement to ship these connections around and that relies on having collaboration there.  But when we talk about all these things there's an aspect we shouldn't forget and that's the security aspect because all these properties that I just mentioned have security issues with them.  The open platform means that it's open for attack and intrusion.  The fact that you have permission means that somebody can just develop malware and do bad things on the network.  The fact that it's global reach means it can wreak havoc on the other side of the planet.  It's hard to mandate security solutions.  There is no security tsar on the Internet.  Usually when people talk about security they deal with inwards risks.  They think about what are the assets I need to protect and what are the things I need to do to deal with those things.  But when you connect it on the Internet you are part of the Internet.  And in fact you're action or inaction might impact the value of the network as a whole.  If you don't have appropriate security on the devices that you ship, then those devices might impact the rest of the Internet and the recent denial of service attack is an example of that.

So next slide. 

The Internet being open interconnected and interdependent network means that we have to create new approaches to security.  And we try to capture those, that approach, by ‑‑ next slide ‑‑ what we call collaborative security.  And it's an approach that is based on a number of values or principals.  We talk about the Internet, we want to maintain confidence, we want to make sure people trust the Internet enough to be able to do their business and have their social interactions.  So fostering confidence and protecting those opportunities that the Internet brings, that's first and foremost the goal.  There's a collective responsibility.  Everybody who is on the Internet is part of the Internet and that comes with a responsibility.  Any security solution is based on evolution and consensus.  We cannot redesign the Internet from scratch and just turn it over one day to another.  Evolution is the way that we go forward.  By having consensus about the solution we actually can implement it.  We have to maintain those fundamental properties of the Internet but also the fundamental values that we all cherish, fundamental values like human rights.  And a very important aspect and that's the aspects that we are going to drill down to in this workshop is what I call subsidiarity.  Taking local actions or actions as close to the problem as possible.  That could be topical, it could be geographical.  So topical, organize yourself around DDS or organize yourself around child abuse issues.  Organize groups of stakeholders and experts around topics.  But also organize yourself in your local communities with the relevant stakeholders around the table.  That's subsidiarity where we say think globally but act locally.  So with that introduction we have a number of ‑‑ we have the panelists who have lived this, who are living the collaborative security approach and who are giving a few examples of that.  And I hope that by this workshop and your interaction, I'm asking for your questions and your feedback and your ideas, that we answer some of these questions.  What are the various aspects of this collaborative security approach?  What works?  What doesn't?  And what does this approach mean for real petitioners, people who have to maintain the networks, maintain the security of the Internet as a whole for everybody who has a role in this. 

And there's a typo in my slide here but anyway, how do you get real consensus?  Real collaboration on national and regional level?  So those are sort of the questions that I would like to bounce around and so without further ado, Hiroshi has a good presentation of how this works in Japan.  Go ahead. 

>> HIROSHI ESAKI:  This is Hiroshi Esaki from Tokyo, Japan.  As Olaf introduced, my global work in Japan more than 25 years, I think.  Then the first slide is the collaborative work in Japan initiated in June and also the collaborated work by the G7 countries, the declaration of the digital economy in 2020 or in the future.  First it's interoperable and secure cyberspace.  We have free information to ensure openness, transparency and freedom of the Internet and fair and equal access.  So digital economy while respecting privacy and data protection of cyber security.  That is a quite important message declared.  And also we commit to promote a stakeholder approach to Internet governance such as cybersecurity.  In the government and private sectors, academia, all of us are sharing and agreeing on those directions. 

Based on that we have internal discussions in Japan.  The first one is the risk of the IoT based on the Internet, fragmentation of the Internet by IoT.  I really hate this PC, that's ten dot one dot ten dot six.  Olaf, that's bad, right?  That's the private IP address.  So the IoT people love to make this kind of implementation without any security consideration.  They tend to provide a trap for the closed network silo, that's basically I always talking with them but that's a bad thing because the Internet is assuming all of device should be connected to the Internet or will be connected in the future. 

The third, platform using the open source forum, that is important message.  Of course there's a quite variety of technology allowed the IoT so we in turn really encourage to have the interoperability among the different platforms so that's basically security by design.  Ideas should be deployed in the IoT people from the beginning.  And also this is yet another example we really experience during the years in a serious earthquake in March 2011.  This is a story about ITS, a connected car in these days though in the past we mentioned Internet cars, collecting data and sharing that for you.  The shared use of data, that is on the automobile around 1997 in Japan.  Though all of the manufacturers say Honda, Toyota, they really hate it to interconnect their database or data, right?  They love proprietary special service with the commerce.  As a technical collaboration with them finally we share the same technology among the different manufacturers. 

Though this system was not integrated.  But we had a quite serious earthquake and asked them please integrate those data in order to provide very accurate detailed traffic information for the disaster case, that's the recovery, that's a mitigation thing.  Because of the same technology we successfully integrate that system but that is the reason why we encourage you all of the players share privacy technologies among them.  And also that important thing is interoperability even though they hate it; they would not connect it to each other at this moment of time.  In the future they would connect to each other.  Also this is yet another discussion we are doing in the Japanese government with academia technological community in 2016 to 2020.  We clearly mentioned the importance of the measures for the infrastructure.  Then we have those four points clearly as described in the document, first is cyber security, need of the cyber security by design organizing on social infrastructure.  That is not only the Internet but also the social infrastructure like transportation or train system or banking system, all of those social infrastructures.  And also establishment of the system and mechanism security operating centre to share cyber security information best practice is required ‑‑ not required, I'm sorry, that is recommended.  Because this is the Japanese government message, it's not recommended, not mandatory though they encourage to implement those kinds of systems.  The last one is community Internet governance conference Japan that is inviting all the stakeholders, tried inviting all the stakeholders from the different industries as well as to the vendors and the users, those ten points are the basic idea for the security for the Internet.  Most of those are covered by Olaf, actually.  That's independent discussion in Japan.  Though eventually that's going to ‑‑ that is a collaboration on the local and global and we are thinking about the local perspective though that's going to be aligned with the global perspective.  Example, you know, sharing the open transference of experience and knowledge of everyone is what is important and protecting and supporting the person who experiences cybersecurity incident as a victim rather than bad guy.  That's quite important.  We have to help them who has security incident in order to share those very variable information to solve the problem among by us.  Thank you.  That's my presentation. 

>> OLAF KOLKMAN:  Nick, your turn.  And you wouldn't be needing slides? 

>> NICK SHOREY:  No slides.  Okay.  My name is Nick.  I come from the department for culture, media and sports in the UK and I work on global Internet governance.  I was really pleased to be invited to join this panel which is sort of focusing around these collaborative security documents.  The UK government fundamental sports a free Internet and through multistakeholder mechanisms and we agree with the principals of reserving opportunities and building confidence, collective responsibility and thinking globally and acting locally.  I think there are some direct correlations between this and the approach that is outlined in the UK government's national cybersecurity strategy which we published on the first of November.  And I would sort of recommend everyone to go and take a look at that.  This is our second national cybersecurity strategy.  And we will cover the next five years up until 2021.  And it seeks to build on the objectives, the achievements and some of the judgments of the first five years strategy which invests 860 million pounds over that period.  It achieved a lot, it built strong foundations.  And it's helped to we think establish the UK as a real leading player in cybersecurity.  However the persistence and the ingenuity of actors and the prevalence of certain vulnerables and gaps need we need to do more, go further, work harder to really try and make the UK one of the most resilient and secure places to do business and for people to have trust and confidence in an online world.  So we really strongly feel that a comprehensive approach, inclusive approach to cybersecurity is really what we need.  So we are framing our work in the next five years around three areas, defend deter, develop.  So I'll speak briefly about some of those.  So one of the headlines for our national strategy was the creation of the national cybersecurity centre, the NCSC.  We love acronyms.  So the NCSC was launched in October and it was a unique opportunity to build partnerships and bring in some of the varied departments and agencies within the UK government to try and build a one‑stop shop in an authoritative voice on cybersecurity.  So the NCSC seeks to provide a unified source of advice and information assurance, and be that strong public face of the government's action against cyber threats working hand in hand alongside academia and industry as well.  It's also going to be a public face in organization with reach back into to draw on the necessary secret intelligence and expertise we require in this space to ensure cyberspace is secure.  A key part is increasing the awareness and collaborative work between the different sectors so I think what I would like to talk about today is just some of the maybe tangible actions that have been taken and looking to take in the UK that might help and support ideas and foster ideas in other places that people can take on board and look at them as opportunities to increase security activity in other areas.  One of them is the cybersecurity information sharing partnership.  Now this is a joint industry and government initiative set up to exchange cyber threat information in real time in a secure trusted manner and that notion of trust is really important to help increase the situational awareness amongst both government and different industry players to help us sort of improve and increase our real-time response to security threats.  That's how we are trying to work with industry.  We have also got a campaign for the general public called cyber Aware, it was known as Cyber Street Wise.  Cyber Aware is currently supported by 128 cross sets of partners including police, retailers.  They were more likely to take up security behaviors as a campaign that we were trying to push out.  And all of these elements we are looking to target sort of different sectors because a full approach to cybersecurity involves everyone and as Olaf mentioned in his opening remarks, taken a technical view of how the Internet is structured sometimes those that don't know the details and history of it but it's a useful approach of figuring out what we need to do in terms of security.  Another is cyber central.  This was a scheme for organizations against the low level common threats.  When we talk about trust in security, that's really, really important.  I think you were mentioning about sort of IoT and silos and I think often cybersecurity debate is a key feature of it is this notion that governments need to take direct control.  It's born out of fear and sort of maybe a gap in trust that the network may be on itself.  I kind of disagree.  I think actually it's when we have a decentralized network it's far more security.  You don't have a single point of failure that is much more cumbersome to sort of address.  So but it's kind of these low level threats that often hit the headlines.  You're talking a piece of malware.  Those are always the new stories I read on the BBC but those low level threats really but their impact is almost disproportionate to the technical competency of such an attack.  So cyber essentials is set up to show businesses and companies how to protect themselves against these threats to five technical controls, access control, boundary firewalls, gateways, malware protection, those best practices using what we have within government departments to try and help businesses across the sets of large and small and particularly the smaller businesses where they don't of the nature resources to outsource to private security firm to sort it out for them.  To really try and make the UK fundamentally more resilient to a lot of these threats and overall increase our security.  And I think just to finish up my points all of this stuff in the UK is great we are seeking to achieve but this is a global network and the UK has sort of data interests and we all use services based oversees so the UK is only as resilient as the weakest part of a network in many respects so we put in a lot ‑‑ we are increasing the amount of effort and work and funding we put into our international capacity building.  And it great that we sat next to each other, the work we have been doing is a really great initiative on over the next five years we are looking to collaborate and tackle common threats and try and develop a common understanding of responsibility state behavior and develop the capabilities of our partners through sort of training, funding, workshops all this sort of stuff.  And also the work that I ultimately do within the Internet governance space, making sure it's working effectively under pins this global trust. 

>> OLAF KOLKMAN:  Thank you.  And you made the bridge to the CyberGreen initiative which I think speaks to that special little sauce of externalized risks that the Internet has.  Yurie, go ahead. 

There's a slide deck that comes with this. 

>> YURIE ITO:  Thank you.  Do I have a switcher to remote?  Okay.  Great.

>> OLAF KOLKMAN:  Do you want to do yourself? 

>> YURIE ITO:  I probably should do it.  All right.  Can I close your lap‑top?  Thank you.

>> OLAF KOLKMAN:  Cyber security collaboration in practice. 

>> YURIE ITO:  Thank you.  Hi, good afternoon.  High name is Yurie Ito.  Thank you, Nick, for smooth introduction.  That was really good.  So we hear about we heart this national level of multistakeholder and collaborative approach.  What I like to talk about is focusing on a global level of collaborative approach and to promote that sort of collaborative and sustainable cyber security approach CyberGreen, my organization is a small nonprofit organization 501(c)(3) in the United States.  It suggests we should switch cyber security approaches to more environmental type of approach and I'll tell you what it is.  So tradition cyber security is identifying your assets, what you want to protect.  And you draw a border in the rest of the world and trying to protect your asset from outside of the border.  What you do is measuring the risks against you, measuring and trying to understand the threat against you, but what we are suggesting is switch that mind set and then thinking already what type of risk conditions you have in your ecosystem that is posing to the risks to the others.  So in a way it is a very ‑‑ flipping that perspective.  What we are trying to say is trying to identify systemic risk conditions that you have that are opposing risks to others and identifying that, you know, we try to remediate those pro-actively, we can collaboratively reduce the global level of cybersecurity risks.  So that's the concept of CyberGreen.  In a way measuring the risks that you are posing to the others it's a very much public health care approach.  So for example the global public healthcare community trying to respond to the malaria threat or malaria problem, not just focusing on curing the symptoms.  But they're trying to understand what is the underlining environmental problem measuring untreated swamp water in your ecosystem and trying to clean up or train that untreated water so that global level of the malaria risk is going to reduce and that's a very collaborative approach globally.  You can identify where is the risk condition which is causing root problems and then collaboratively remediate it.  So just to give you a little bit of what we were doing I'm going to show some of what we were doing.  The CyberGreen is again a small nonprofit organization.  What we measure is the risks to others and why we focus on the measurements is the metrics based really drives the motivation to do something or drawing the right attention to the policy makers.  Really need a good transparency so we focus developing the right scientifically right metrics, working with a lot of statisticians, data scientist, not only with cybersecurity experts but working with statisticians and data scientists to develop replicative metrics.  And this is who we are.  You probably recognize them, the names, our CEO of the board chair is Dr. Paul Toomey, and used to be the former president.  Security approach here as Olaf and you mentioned as well.  And in the traditional cyber security sometimes approach in a sensitive balance.  And we are going to have to be careful about not just throwing the border and building the walls in front of you.  And it's not really working.  Cyber security is one of the domains that most invested at the moment or developed countries and financial institutions and everywhere but still we see a huge risk at the horizon and we are not managing it.  We have to change that mindset that you can pro he text yourself, your asset on a cyberspace by yourself.  You cannot secure up your organization or your internal network by yourself.  We are going to have to work together to make the global network interconnected to be utilized by those malicious attackers.  What we measure, the risk conditions.  What is a risk condition to the healthy Internet?  We collect the data, the services throughout the global network and then based on the metrics we are generating the health.  This is the website.  If you go to the website you would find all these statistics.  I will give you a quick example.  What we are measuring right now is sort of the risk conditions for the global (inaudible) those are the potential risk conditions that are being utilized.  And we have been seeing that this year a lot.  So not just you're facing too the risks that anybody with face an attack against your organization but at the same time the other risks that you have is your ecosystem, your devices and network resources are going to be used by attackers to be a part of the attack infrastructure, to be a part of the problem, that's your reputation risk as well.  We try to raise that risk and helping the AS and ISP's and those devices deployers, how to remediate it.  So global look of the recursive servers by last month.  The darker red is showing the higher presence of the risk conditions.  It's actually the Asia has a lot of open recursive services.  And following after.  But naturally where there's a large number of the (inaudible) there are a higher presence of the risk conditions.  Now the regional look.  We are providing the country level of the risks as well.  So if you go to that website you will see Japan, the risk profiles like that, how many number of those services are in the ecosystem going down into the AS level who is the distribution of those servers, where are those?  So as mitigators you can go to those specific AS owners and help them to mitigate.  Why do we need to mitigate those services?  Every reduction of vulnerable services reduces the position by 1,700 gigabit.  It's really expressing the power that your ecosystem is posing to with or without intention.  That's something when you reduce those mitigating, remediating those risks you are reducing those to the others as well.

So by doing that type of proactive remediation it is not just for yourself but it is great for global good.  So that is our approach.  And we are providing mitigation help and capacity building and it's been really fortunate to have Japanese governments and UK government and Singapore government is supporting this type of for a global context.  Not just nor yourself but for a global common good.  We are trying to advocate this type of approach and using ‑‑

>> OLAF KOLKMAN:  Thank you, Youri.  The African perspective. 

>> NII QUAYNOR:  Thank you.  Her slides will confer what I will say.  The African story is very simple.  We are still at the level of really building that kind of intimate infrastructure to be protected.  As you're aware of the level growing very fast.  We in Africa in collaboration with some institution have recently accessioned the status of cyber security in Africa and fortunately we have seen that threats coming into and out of Africa are actually not as important as what is happening in the other regions of the world.  However, things are actually moving very fast until recently 1 or 2 years ago most of African countries did not even have an Internet exchange point systems and in collaboration with ISOC we have implemented in 33 countries 30 Internet change points at the national level and we will go further for regional and continental regional.  This is why you wouldn't see an example of cybersecurity collaborative kind of scheme that is actually happening however we haven't seen what is actually going and happening in Africa.  The African union has taken the lead with most of our economic commission to make sure that we are putting in place in advance all certain eco system that will allow collaboration in a matter of cyber security.  This is why having looked at what is happening in the world in general specifically in the global North if I may say that, we have decided first to have to put some kind of legislation that will encourage regional collaboration not only at the level have Africa but regional to make sure you are collaborating at the international level in cybersecurity. 

Our focus mainly now is about building the right capacity in each and every country to make sure that at the national level you would have national cyber strategy, national cyber security and the creation in each and every country connected with a regional set that will be created in each of the five African regions so this is what we are in the process of developing to make sure you are setting the ground and the ecosystem that will allow a very good collaboration in the matter of cybersecurity.  The recent report we have had in workshops and cyber security have had with state department, United States state department, many of the cyber security workshops have been organizing with ISOC, with China.  We do have with very good cooperation because of the equipment being provided in Africa is mainly coming from China and it's very important to see how the matter of cyber security from that point of view is being implemented and to make sure that security is being taken.  So this is what we do have at this point of time in Africa and I'll be glad to answer any further question from the panel and from the floor.  Thank you, very much. 

>> OLAF KOLKMAN:  A few different ‑‑ I woke you up now.  This is the benefit of having a post lunch, you all get some sleep.  No.  Seriously, I actually what I found something fascinating actually is that the culture of sharing does not only increase security in the cyberspace but also in the physical space.  I think you gave a beautiful example of that in this culture of sharing creating better responses in cases of earthquakes and I find that somewhat fascinating that that culture that we are trying to get incorporated for addressing cyber issues also has impact on the space where we humans sort of walk around in. 

I also think that I heard different approaches, approaches from national governments working with the private sector or the private sector actually working with the national governments completely sort of private initiative Youri and then a regional body that says maybe we should get the nation states up to par so that we can actually start to build capacity.  So various approaches.  Is there something you would like to respond to on that observation?

>> I think each country has a different background, different situation so that not a single solution would be applied here.  So we have to find out the best solution or better solution based on our best practices.  Some of the experience could apply, some of them could not.  So sharing that idea, trying to implement feedback is quite important thing.  That is the DNA of the Internet.  We really respect running code.  We really hate presenting meaning predefined medicine we could not use.  We always think about running system and then feedback and best effort accountability of positive feedback in order to improve the quality, improve the function, improve the innovation, that's also important for the cyber security as well.

>> From African point of view sharing is a must.  We share everything.  The other part is giving the level of development of the private sector specifically the cyber security, the power somehow to lead the situation and specifically from the point of view of government whereby the cyber security matter is on them.  However, it is very important that they adopt the right strategy in terms of addressing cyber security matter.  Because if you don't get the right one, if cyber security is shutting down as a measure, it's not viable.  We need to make sure that the governments understand their responsibility properly in securing the critical infrastructure without getting into that radical solution about shutting down everything.

>> OLAF KOLKMAN:  So another question to you.  It's a bit of a leading question because I think I know the answer to it.  The African union created a cyber convention in 2014.  Now there are already a number of initiatives globally and regionally in other parts of the world like work done by others.  Why didn't you just copy that?  That's a very leading question of course.

>> It's a very good question.  People say why do you have the African union convention on cyber security at this convention.  My answer is very, very simple.  The Budapest convention address only matters related to cyber with international development.  All the members of the big western world have specific ‑‑ our convention not only covered that cyber part but also the electronic transaction specifically the personal data protection.  Because personal data protection in each and every country has their own specifics.  What is valid in terms of definition of personal data protection which is valued somewhere in the western world is not valid automatically in Africa.  We do have our social specificities.  If those special specificities, mind you, for instance, that 1/3 of the Africans do not have identity at all.  Imagine tomorrow we are moving to eight identities.  Imaging in the very complex social stratifications you use your data and abuse them, what is going happen?  Those are not being measured.

>> That's not directly related, but I'm working around smart city now.  The cyber domain helping the physical domain.  Basically cyber physical systems.  So because of the computation power is going up, now meaning exactly the same definition of the physical domain could be defined in the cyber domain the next step we are going to do is cyber domain defines physical domain might be cyber domain defined first and the physical domain is output of the cyber domain.  That could be in the cyber domain.  Cyber domain is also the global as well as physical domain so those two domains could be working to each other.  From that point of view the cyber security is what is critically important to the global infrastructure point of view.  Also people flying around the world, you came from Africa, Europe, now your mobility is going to increase a lot because of the airplane.  The cyber domain also have the global mobilities so that is a really important because of the collaborated security collaborated work for the global because of us.

>> OLAF KOLKMAN:  So I want to get a little bit back to the practical matters around how you get to implementing these measures.  And Youri, I think you gave a beautiful example of something practical providing transparency and by providing transparency hopefully inspiring people to take action.  It is a private initiative if I may say that and I wonder how you maintain sustainability of such an initiative.  In essence you're doing something for the public good but somebody has to pay your bread.  How does that work? 

>> YURIE ITO:  Thank you for that question. 

>> OLAF KOLKMAN:  We did preparation of course of the panel before. 

(Laughter)

>> YURIE ITO:  Oh you revealed that secret.  Oh.  So you're very right about this transparency is really the motivation, drives the motivation.  When organizations do good behavior, nobody knows it at the moment.  So what we are trying to do is trying to raise that transparency now, sustainability matter.  It is challenging what we are trying to do is motivating operators to do remediation which is a resource; you need a lot of resources to do that.  And the impact is not only for yourself but impact is more for others, more for the global risk reduction.  And to make them convinced and participate in this CyberGreen approach is a challenging thing.  Now to running this type of approach and metrics generating statistics and keep our activities sustainable, I think it's a common challenge for not only CyberGreen but any global nonprofit operations trying to do the common good for the Internet is of course the funding.  Not a lot of governments or organizations have a leading mindset that invests something good for common good.  A lot of them are still thinking about how to security up your organization, your security but not a lot of advanced leading Champions standing up.  Proactively making the Internet more resilient and safer place.  And we need more understanding those and those leaderships to support this type of common good approaches.  So that's one funding is a really big challenge for us.  It needs a lot of resources.  We are working with about 16 technical people, statisticians, data sourcing people, data scientists, developers, analysts.  We need a lot of good, really good full‑time resources.  Of course the infrastructure cost as well.

>> Her organization is working together.  Actually one of the good words by Japanese ancestor was economy without moral is crime.  Moral without economy is silly talk.  By so that is the DNA of the Internet.

>> OLAF KOLKMAN:  Can somebody tweet the please?

>> Economy without moral is crime.  Moral without economy is silly talk.  But that is the famous Japanese old guy saying the structure of the local government.

Anyway, this is the DNA of the Internet also we show the practical fact, we are fine.  Then that's going to be applied to the other area.  DNA improvement doesn't have a lot of money request by the government.  Very small.  Collaborative investment by the ISP's, operators, or academia, we are fine. 

>> YURIE ITO:  I want to respond to that.  The incentives to being a good citizen and doing the good behavior for the global good, those are something that needs to be acknowledged and encouraged.  There's nobody acknowledging that and that's a problem at the moment.  We need to acknowledge and encourage those good behaviors for common good.

>> Right.

>> YURIE ITO:  And branding power probably.

>> OLAF KOLKMAN:  And transparency ‑‑

>> YURIE ITO:  And give economic incentives to doing good.

>> OLAF KOLKMAN:  I want to turn discussion completely open and my idea is to get 2 or 3 questions from the floor so that the panel can respond to those.  If you have a question, please raise your hand so the kind moderator over there can...

>> AUDIENCE:  My name is (inaudible) I'm here at this time as an L IGF delegate holding a workshop tomorrow on the same topic as this but wouldn't go into that here.  The four people in the panel the differences between the context where you start collaboration already so big so how do you actually go to get that bridge that starts with the comment saying we don't have 1/3 of the people in Africa have online identity, how do you match that with the rest of the world?  Where do we start gapping this bridge that we have that I see in front of myself and this panel?  Thank you. 

>> OLAF KOLKMAN:  Other questions?  Please raise your hand if you have one.  If you don't, then we turn to the panel immediately.  Oh, I see a question over here. 

>> AUDIENCE:  I would like to ask you in the case of Thailand the fundamental problem is coming from the government.  Normally to have the website like we have 70,000 schools with very poor infrastructure on the websites and they become a source of the cyber security problems and several local registration, 80,000 of them sending a report already about how the government becomes part of the problems or how the CyberGreen's move into this aspect with the governments and how to fix that issue.  Thank you. 

>> OLAF KOLKMAN:  So in that specific example is that a capacity problem?  You would think?  It's awareness.  Awareness, I heard that.  Yeah.  Okay.  Any other questions before we turn to the panel?  Ms. Bennett.

>> Louise Bennett.  In your talk you mentioned the need for security for design in the Internet of Things and we are seeing many attacks that come from D dos using the Internet of Things.  As someone who comes from the physical security industry before I was involved in the (microphone feedback) in the online industry, in fact most Internet of Things that are connected, the imperative for the person producing them is to produce them as cheaply as possible.  That means essentially without any security.  So how are you going to deal globally with that vulnerability?

>> (Away from microphone).

>> OLAF KOLKMAN:  The panelists now.  Three questions, how to bridge the difference in I would say capacity, how to bridge the awareness, how do you share ‑‑ you think that's sort of a summary of the question.  And at the fundamental, how do you deal with that awareness among say government public actors who have websites that are broken, infrastructure that is not well, perhaps even well‑intended actors.  And then in the case where the economic incentives are completely not there because the speed of the market and there might be awareness but speed of the market is more important, how do you deal with global problems around IoT?  This is all the last question is almost a workshop of a week, I think.  But let's hear the opinion of the panelists.  You can take anywhere of the questions if you like.

>> From my point of view with regard to the first question is as Youri said we need to change our mind set.  Cybersecurity is not local, not national, not international.  It's a global issue because of the boundary and mobility that is coming with that.  Personally and this is what you are operating for in Africa we need to set the rules in terms of international, regional and national cooperation.  We need to exchange our mutual experience.  Because the network tells us that the network is as weak as its ‑‑ as strong as its weakest link so we don't think that probably I have protected myself well but I still protect it.  The cyber security strategy has to go beyond your own infrastructure and reach all those who are actually could be a source of threat for you.  So exchanging experience, building mutual capacity, is actually the motto we have to go with.

>> Regarding the first question I think show them the system first.  Then they realize they don't have capabilities or capacity.  Encourage them, that is a good situation.  You can solve the problem.  Then we provide them with enough information and opportunity to share in that thing.  That reason why the during the G7 ICT Summit we encourage of the very high speed national education research network in global way, that the purpose is you people who are working the University are sharing state of arts, Internet technology, while operating by them self.  Important thing is operating by them self.  They realize real practical security issue by them self.  So that is same as the second question.  Students could realize very bad environment, right?  So unfortunately Japanese students didn't have such experience, doesn't have such experience, meaning they are spoiled.  They never think about security.  They assume Internet is safe.  Though in your country younger people on Internet is now not safe.  That is the quite important capacity building, experiencing those things is quite an opportunity to include everything but the same thing applied to the IoT security part.  The thing I you know let people or industry people think about security was show them hacking in front of them.  Actually I go into the state of arts famous complex in Tokyo, our colleague went there.  In about 20 minutes they hacked all of the system in front of the vice president.  They controlled the lights and HVAC.  After that they changed their minds, they have to tackle with cyber security in their own buildings.  But that is the important thing.  Show them the truth and go.

>> OLAF KOLKMAN:  I'm going to push back a little bit because that is higher education in a ‑‑ I would say hyper developed economy.  The situation that was just described in Thailand is low education in I think we can qualify Thailand is not a hybrid developed economy.

>> Though even in the elementary school some children can hack, have the skill.  We can find those. 

>> OLAF KOLKMAN:  Do you have any ideas about this?  Use the microphone.

>> As you were saying, we plan as part of that guideline is to make sure that we are introducing the issue of cyber security right at the level of even pre‑school.  That is a plan.  And I think this is the advantage that Africa has over a lot of regions because we are starting fresh in everything we want to introduce, we will be developing the curricula at the school but specifically there will be design programmes for policy makers to make sure those issues will be addressed properly.  We need to have a cyber culture, cyber education. 

>> OLAF KOLKMAN:  Education being a part of this and building a culture around this.  I do want to touch on Louise Bennett's question.  How does this apply to IoT?  I think that's sorts of the question much perhaps you have ideas yourself, Louise.  Some, we will get back to you because I would like to make this a little bit interactive.  Nick, please.

>> NICK SHOREY:  I've got a couple points on the previous one so I'll take them in order.  How do we bridge that gap?  Well, as I sort of mentioned earlier, the UK recognizing that our own interests are predicated on the security of the global Internet.  There are many factors external to the specific debate that we will sort of impact and influence sort of development of Internet in this country.  When I look at it I see a real opportunity.  In the UK we have a developed digital economy and infrastructure around for years and years.  But at the same time a lot of that infrastructure is quite old and there are some core vulnerables that are more difficult to address because it costs a lot to sort them out.  And actually I think there's a real opportunity for us to share the lessons that we have learned in that best practice with the developing nations and as they come online they kind of skip one of those evolutionary cycles.  So there are real opportunities to learn the lessons from more developed countries like the UK and we feel that's really important, that's why we are investing millions of pounds in capacity building and trying to build that education, build that awareness, understanding how you need to utilize IXPs for real benefits.  I do see real opportunities as do you that.  It's a difficult and complex thing.  In terms of the second question talking about the government security, it's a massive issue.  UK government, we are targeted constantly from sort of actors of all backgrounds.  I work quite closely with HMRC, they're our revenue and tax department.  They bring in the tax that allows the government to work so they're kind of important but they're constantly under attack under threat.  We have identified this is a real issue and so that's why it's part of the defend strategy.  We are going to be implementing this thing called active cyber defense where we are going to work hard to take specific measures to increase the security of UK sort of government infrastructure.  As we are moving to increasingly digital government sort of set up, we would be happy to talk with you offline and share sort of a about it more detail about what we are doing and there might be opportunities for to you take some ideas back home.  And the last point about IoT.  Really, really fascinating.  We had a workshop in government just last week looking at this issue and I believe the U.S. government recently published stuff on IoT as well.  How do you address the vulnerabilities?  It's going to be hugely challenging because you're absolutely right.  Increase the devices; get them to market as quickly and cheaply as possible.  One of the concerns I have is the same time you have an increased sort of device on connected to network.  The rates of obsoletion of the devices is going to happen as well.  As the next latest things come on board and how we adjust our thinking to take account of sort of even more devices that are still connected to network that aren't going to be serviced by the company because they have moved on to the next model, that's going to be a real challenge so I think that's something we need to consider there as well.  I think maybe the answer is stepping back and making sure that we get everyone involved around the table, so that's network operators, that's sort of application developers, hardware, and take that sort of approach because when you think about IT devices what is the best addressing network addressing sort of approach to use for IoT?  Some are more secure and less secure.  Some might be easier, some more difficult.  But we need to take that full discussion there and make sure that security is that absolutely fundamental part in developing that.  But I think it going to be a real challenge, not just that again but divisive market to say how you managed the lifecycle of that product both while it's in use and after it's finished it's commercial time but it's still connected.

>> OLAF KOLKMAN:  So I want to sort of look into that.  I see some examples where people trying to have that conversation with multiple people around the table or in the standardization world their ideas innovations that might help.  A recent example is the MTIA starting a multi stakeholder approach which what is Nick just talked about.  Of course there are people who call for regulation, ban these things from the shelf type of thing.  There are ‑‑ I think this is a debate that we will see spin up even more as it is now and I think by having the people that actually can make the impact around the table there might be something that we can do.  And those people might for instance be the retailers that sell these devices and retailers might have a role in saying we take our responsibility here with respect to that global network.  So that was with my moderator's hat off.  Yurie and then Hiroshi. 

>> YURIE ITO:  My answer for that bridging the gap and also the IoT probably have a common answer from my perspective.  I think we should start looking and analyzing who has a greater power of the greater power or greater ability to mitigate the risks.  Right now when we talk about cyber security it's really about the devices deployer or user's perspective.  I think we should shift that responsibility to the vendors a little bit or device's vendor.  They have a greater power to mitigate it.  After the device has been shipped and deployed it's really difficult, it's tough to have end users or our grandparents to fix the devices.  We are at the ISP level even.  It is a costly thing.  Now think about that IoT device.  The new devices or any type of devices.  If the devices are shipped in a relatively safe configuration that helps and that's something we should understand in bringing them to this type of table and discuss about and how to improve that.  We are thinking actually to start building the metrics to measure that device and the vendor's behavior, vender's risk posing metrics so that's one of the approaches.  And I see the community is moving into that direction as well. 

>> HIROSHI:  Very shortly with that important thing is procurement process.  Good example would be in the U.S., NISD, GAO and department of finance they're working together to use attacks effectively regarding the procurement process.  Procurement process defined the technical specification requirement which should include security function and everything will be changed.  Reason why when I work with building people, key person is landlord.  Who is making procurement?  They don't have enough knowledge to specify which particular technical requirement procurement should have.  That is quickly changing the floor of the system of procurement as we are given.  Regarding the regulation part, transparency is an important thing.  In order to evaluate technical specification we may get them to show the fact precisely and transparently that would be regulation could help to determine such a technical situation by the same owners. 

>> OLAF KOLKMAN:  So we have about five more minutes.  And I would like to ask the panelists for a few words, let's say maximum 1 or 2 sentences, sort of summarizing what their next step is going to be in securing the Internet.

>> For Africa is capacity building, capacity building and capacity building. 

>> OLAF KOLKMAN:  Clear.  Yurie. 

>> YURIE ITO:  Back to what you said, act locally and think global. 

>> OLAF KOLKMAN:  Nick. 

>> NICK SHOREY:  I think the big challenge we are going to face in the coming years is making sure we are all on the same page and I kind of refer not to the people in this room because I suspect if you're hear you probably believe in the multistakeholder model.  I think the challenge we face is recognizing the benefits of collaborative security, identifying ways to articulate those in a variety of mediums and a variety of channels and then working together to make sure that is understood to ensure that collaborative security and open Internet continues to be the core basis by which we work.

>> HIROSHI ESAKI:  When you come home, back please ask every single IoT business player what is going to happen when your device is going to be connected to the Internet?  What is going to happen to your device when it's going to interconnect with the other system?  Please ask them very clearly. 

>> OLAF KOLKMAN:  So with that I think we have several perspectives from people who put their money where their mouth is, I would say.  Who put this in practice?  And I hope that this is inspiring and I hope because I think what Nick said is a little bit true.  We are talking a little bit inside our bubble.  I hope you would take this message back home, take your own action and show how your action increases security and pull people along with this model.  I think that is sort of what I heard as a call from the panelists.  With that I would like to thank the panelists and thank you for listening along and for the good questions.  Thank you. 

(Applause)

(Session concluded at 16:25)

Contact Information

United Nations
Secretariat of the Internet Governance Forum (IGF)

Villa Le Bocage
Palais des Nations,
CH-1211 Geneva 10
Switzerland

igf [at] un [dot] org
+41 (0) 229 173 411