IGF 2016 - Day 4 - Room 3 - WS115: How do Cybersecurity, Development and Governance interact?

 

The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

>> CAROLIN WIESSER:  Good morning, it's the last day of the IGF.  Thank you for coming so early and we have a very interesting discussion today about a very interesting topic.  My name is Carolin Wiesser.  With me on the panel is Carolyn Nguyen, and we have two participants from the ‑‑ from the World Bank for going to participate from their perspective.  We don't have video participation but they're going to speak and you're going to hear the comments.  I just would like to start shortly about the work we are doing in Oxford.  We have developed a cyber security maturity model.  It's a model which ‑‑ can you ‑‑ which looks at national cyber security capacity from various dimensions.  Look at from five different dimensions policy ‑‑ cyber education training and skills, cyber legislation and technologies and standards. 

So we have developed this model in cooperation with experts from various fields.  And have implemented this model over the last one half years in more than 40 countries.  A regional study and strategic partners, World Bank, and several governments including the Dutch government as part of the initiatives we have used this model across the globe.  The idea behind this ‑‑ the reporting process to give policy makers and governments and organizations those who do development projects and also do make decision on infrastructure, et cetera, to make informed decisions about capacity building and also by doing this actually do a capacity building in itself.  Because we are very convinced that this is a topic which is a very ‑‑ it touches every part of society, economy, and is very crucial for any kind of socioeconomic development. 

So this model has been used ‑‑ we went through a process earlier this year and we continue to use this model across the globe.  And we are very happy to ‑‑ also have already impact in terms of the countries use the recommendations they get from the report which is submitted after this process.  It can make really informed decisions.  They can make decision about the next steps.  They can start new collaboration.  So we are fostering this kind of exercise.  We are fostering this kind of processes.  And we foster collaboration among all the stakeholders across the world.  We will talk about how to use modern how they integrate cyber security capacity.  Carolyn? 

>> CAROLYN NGUYEN:  Good morning.  Thank you very much, Carolin, and thank you for inviting me to participate in this forum. 

So one of the things that when we first started thinking about the workshop proposal, what we thought was that cyber security is very, very much an integral and a central part of the WSIS conversation.  So during the review last year, for any of you who are familiar with the outcome document that was the resolution from the UN general assembly, cyber security was a part of that outcome document.  Having participated in that process what become clear cyber threat was an integral part but there was also a lot of fear from government, developing country as well as other governments around what should be done.  And also there was a lack of understanding of the role and the value of the multistakeholder process in enabling this conversation.  As well as what's already been done through multistakeholder partnerships in various different parts of the world. 

So this workshop was really proposed to address some of those shortcomings.  So we know that governments around the world are very concerned around cyber security threats, and therefore are developing strategies, guidelines and regulations and national standards.  But as these things are being done individually by different governments in different countries, for example, more than 85 countries are developing policies.  What's happening is that the differences in the approach are creating compliance frameworks that are fragmenting the Internet, which then gets at sort of if the idea of cyber security approaches is trying to enable connectivity, to enable society as well as of sustainable development goals and what's happening in reality is counter to those goals. 

So for Microsoft, starting for a few years now, we've been advocating really the establishment of some sort of cybersecurity norms or some sort of guidelines.  And we're starting to see this happen within the last couple of years.  So, for example, in March 2016, in March of this year, G‑7 released principles and actions on cyber which really pulls together the conversation around openness and reliability and security of the Internet as fundamental to achieving the digital economy and in particular the sustainable development goals.  And it puts forward things like we affirm the importance of respect in promoting privacy, data protection and cybersecurity and at the end of the document proposes concerted actions. 

In October this year, the G7 followed that up with guidelines for the financial sector.  So in terms of trying to make in order for us to really achieve the goals of WSS and the SDGs what we would like to talk about in this session is how can we all work to cooperate in developed harmonized security and baseline security approaches that leverages for example risk‑based best practices such as cyber security framework.  Because what happens, if there can be a common framework, then there could be a common set of vocabulary approaches, this is very much a holistic discussion and having a common set of vocabulary to people who are not necessarily cyber security experts can really broaden the conversation, because this is an important conversation that will take everyone, it does take everyone to try to make this work. 

Secondly, what we think should be is that such guideline work should really focus on outcome‑based requirements. 

Thirdly, really participate in the development of an international standards and security baselines.  So look at something potentially like starting with the new cyber security framework and then really open this conversation up to all the stakeholders here.  Make this really an integral part of the Internet governance conversation, and the SDG because that's really what it will take in order for us to achieve the goals that were laid out there.  Thank you. 

>> Thank you very much for being so early.  I know it's the last day.  It's a pleasure to ‑‑ for us it's a pleasure to sponsor to organize these.  With our strategic partners, Microsoft which we have an excellent relationship.  The World Bank and the world economic forum, one representative of our member states.  This actually represents the importance of having different actors on the same table. 

Another topic is how development of Internet governance interact but it's actually important and this is something we have seen.  One thing is cyber security from having cyber security with a development perspective, kind of I don't want to, but I will use sell cyber security from a development perspective and actually the interaction of the cyber security and the development world.  Which are maybe two different things and two challenging things for us at least in the international organization's perspective.  From the cyber security program, we have been trying to do five main things.  One is promotion of national strategies, the development and coordination of computer ‑‑ the provision of training, crisis management exercises and a new language which is research and expertise. 

In all of these we have been trying be more inclusive, to include private sector, academia, actors of a civil society.  Actually we with the purpose of provide us economic perspective.  We recollect flies that the traditional security ‑‑ recognize that the traditional security speech might be really difficult.  One of the things that we have recognized is that security, in terms of indicators, it's really difficult to quantify.  You can have many qualitative indicators by when you want to go to the ‑‑ are really difficult to measure.  That's why when we are talking about indicators and how to bring that to the attention of the policy and the decision‑makers and to the ones who actually will assign budgets and assign priorities in our countries.  And, actually, in companies and institutions, and different organizations, we approach organizations such as the World Bank with the last one with Oxford University for a period of two years we prepare this report but yeah on April 2016. 

And, actually, we got a lot of support initially from Microsoft on the availability of these indicators.  And we partner with Oxford on this.  And we identify 49 lines or 49 priorities of countries.  We who doesn't seem to have go online to cyber security ‑‑ and you will see all the 49 indicators of 32 Latin American and Caribbean countries.  We find out that in the five different areas that Carolin was mentioning, Latin American and Caribbean is not totally prepared to face cyber threats.  We recognize that this should be actually not use the traditional security, not should be the traditional security speech.  Actually it should have development and socioeconomic focus.  That way it will be much easier to engage the private sector and the society in general in all the national projects. 

One of the things we have been trying and maybe one of the lines of action that we were the most right now is the development of national strategies or national policies or national action plans, we leave that to the countries to decide how they want to have the approach.  It's ‑‑ well, first to Volvo all ‑‑ all national actors.  And to highlight as they are investing a huge amount of resources on the traditional development projects, the most linked to the cyber security will be broadband access but it's not the only one. 

If you think on transportation, energy, finance sector, on different projects, they are very, very linked to cyber security.  We tell them, look.  All your investments, all your billions of dollars will be at risk because you didn't invest maybe one or two or three or .5% that you could to cyber security.  There are studies or the UN could say that for each thousands of ‑‑ should have at least 3 to 6 security forces.  We say forces but invest at least that amount to indicate those development projects to people, to officials, that protect cyberspace.  It is not just law enforcement.  It means actually people that come protect their citizens rights and can make sure that cyberspace is totally secure. 

Again, this is for us it's a learning process.  We recognize that.  That this is still disconnection between the development and the cyber security world. 

A couple of years ago there was an activity and this is something we have actually discussed in several locations with other development organizations.  For us it will be ideal that the on the development projects as they include safeguards on human rights, on gender, on different issues, actually they push to include a safeguard on cyber issues that will change the way on how development or investment projects are conceived and that will help us a lot in all our cyber security initiatives.  Because it will not be use the traditional organizations pushing for this, it will be actually the beneficiaries and it will be the investors, the ones who will be responsible for making sure that all the cyber space is protected.  And at the end this is a shared responsibility.  And when we say ‑‑ and we hope that when we say such a responsibility, it's more than we say, we actually mean it and we are committed with it. 

>> Thank you, so much for allowing me to ‑‑ inviting me to join this panel.  This is a very interesting topic.  I will ask if I can have the presentation please.  The one that starts with Colombia.  Meanwhile as you know there are ‑‑ something happens with the tech.  Okay. 

So as you know we have ‑‑ yes, there is a problem with the fonts.  That always happens.  No problem.  Let's move to the first one, please. 

>> Next one? 

>> Yes. 

>> So as you know, in terms of we have we're talking about development, we have two pillars coming from the United Nations agenda.  The first one is economic development, social inclusion and protection of the environment.  So there is impossible to conceive how to do this without ICTs.  So all the ICTs become catalyzers.  And at the national level, each country has its own priority.  In this I'm trying to show you this graph, but I don't know the people in the background have their TV.  So it could be fine.  We have we prioritize in our national plan of development for the country that this every person has proposed their plan.  We prioritize some these kind of objectives in our national agenda.  ‑‑ and we have consolation of the social rule of law.  And good governance as six of our priorities in terms of our national development plan.  So we realize and we put it on the law that ICTs are a huge opportunity to achieve these strategies so we make what we define a national ICT plan we call live digital.  Or digital live.  So with this plan we want to have more and better infrastructure to access to the people to ICTs, because we aren't ‑‑ we are, we really follow the rule that more Internet, less property.  So that's an equation that we really think on it. 

So, finally, we went to reduce the digital divide in the country.  And we want really to move as a digital economy player.  So we are trying to have things like internship using SDGs and to move from traditional development business and projects to another one that comes from digital economy.  Or comes with digital economy

So the conclusion here in our national digital agenda is that Colombia can get the best out of the opportunities, the ICTs offer.  If citizens or business do enough trust on it.  So that's why cyber security is so important.  Because the cyber security gives the confidence to the people and business to use the digital environment.  The next one, please. 

And so we design in our national policy, we define can you please move five times?  We define in our policy five dimensions.  The first one is the regulatory framework.  We need to move forward not only to provide framework to provide a safer Internet and using ICTs, we also need to have our regulatory framework to gain the best from the digital environment in each sector of the economy.  You know, the uberization of the technology of the business has a big challenge for the whole sectors of the economy.  So the second one is that the governance.  We put it together in the policy.  So we realize that governance is very important because we need to involve with the support of the OES and EOCD, we obtain by 2014 several recommendations about how to improve the governance because they found that one of the problems we have in Colombia.  We have some institutions working on this, but we were lack of ordinance to bring more things together.  So we define some actions, for example.  We define national digital security agenda as one of the actions we will do next year to improve this kind of topics in our country. 

So to build this agenda we will have the participation of all the stakeholders coming from cyber society, coming from academia, coming from the sector, and of course from the government.  The management approach so we define for instance we will have a model, a national digital risk security model that we will we want to have as a model that we used not only the public sector but also the private sector in this multimillion dollar business and also for the public in general.  And the fourth one is the digital security culture.  We were talking yesterday we talk about how to improve cyber security and that's not new that the citizens has a huge responsibility regarding cyber security.  So we need to improve the culture and also in the business.  And the last one is the capacity building on digital security risk management.  Because of course we need to ‑‑ we need to improve the capabilities and capacity of our national police and our attorneys and the attorney, the judges, all the people that will do investigations and that we find that the people that fights against cybercrime need to have more capabilities, but also in terms of cyber defense and of course in terms of how to use in the best way ICTs. 

So this is like I'll wrap‑up very fast.  Wrap up expressions about what we do in our ‑‑ what we did in our national digital security, but I want to highlight the most important thing we do is that the former to help us to build in 2011, we started to define, okay, we need institutions.  We need to engage authorities about this.  We need some laws.  We need to work on our legal framework and we started with that.  But now we realize that this is not a technical issue.  Colombia pointed out that this is now a strategic issue and we need to move it to the top of our national president agenda and that's why we define a new national digital security policy that comes all things together, development, cybersecurity, and also governance.  Because we need to bring it together. 

>> MODERATOR:  I would like now to go to our first remote speaker.  Danil, can you hear us?  Hello, Natalia. 

[Indiscernible].

>> NATALIA:  Down in this area there is huge ongoing project right now.  Now we are turning our attention more to connecting the rural communities right where we see a clear market failure.  The private sector is not coming there and there is a lot of population leading in those rural areas.  Disconnected.  People are lacking capacity.  People are lacking understanding on how this infrastructure can ease and bring them more opportunities.  So we want them to know more about that.  We talk about the ICT and digital skills building.  But along with that is absolutely necessary to talk about the safe of Internet, about cyber security online.  And we talk about the population which is having lower development skills.  So we are talking about a specific cyber capacity building to the population which is not you know a technologically savvy youngsters.  We talk about the population with lower skills.  We talk about the population with low English proficiency. 

So we are talking about a design of the cyber security capacity programs for those people.  Making sure that they are able to use Internet and that they are also using it safely.  So emergence of those programs and integration of those programs in our rural development projects is something that is really starting to emerge as a developing constitution.  We are looking very much around to incorporate on those issues.  We see currently lack of those curriculas of understanding of how to do it, what could be the result.  We would like to see some pilots, something very important for us.  To give you an example, we are now starting to implement a program in Georgia on national innovation system and it looks into the innovation development around the reason.  And, of course, innovation go hand in hand with ICT adoption as well. 

And we're thinking about designing of those programs to bring masses on the Internet.  We need to have a critical mass of people everywhere.  You know, using this.  This is when the digital dividends will start to give real benefits.  This is something that we as the World Bank look at very seriously and this is something we would like to cooperate more with everybody.  And we think that the a workshop like this one is useful to bring everybody together and to debate who does what, what is the best way to go forward.  And we think this is the way to go.  So thank you very much for allowing us to present our position here and we wish you very fruitful discussions.  Look forward to participate there.  Thank you. 

>> MODERATOR:  Thank you very much.  I hope time for questions later if there are any questions in the World Bank I would like now to give the mic to our next speaker.  If he's available.  Danil? 

>> Good morning, can you hear me? 

>> MODERATOR:  We can hear you.  Hello, Danil.  We only have some from you.  But please, you have the floor. 

>> DANIL KERIMI:  I'm delighted to connect remotely.  I sadly had to be elsewhere this week but it ‑‑ [ indiscernible ] I'm also I feel there is a lot of echo. 

The topic close to my heart and I think everybody who is in my room on the last day of the gathering because indeed we have to be traditional and very good at connecting the dots.  The various organizations and governments and businesses are doing tremendous job in connecting identifying critical ‑‑ so in the past we have energy nexus where we try to ‑‑ to think about it ‑‑ in order to each problem in each ‑‑ and increasingly as we move ‑‑ as we became completely dependent on cyber space Internet and cyber space border, demonstrates our business life and other ‑‑

[Audio cutting out]

World Bank and others working with our partners primarily business community issues that are they're facing.  And all of your institutions have been in this effort. 

In the past we try to work directly with business leaderships and also leaders ‑‑ and to sensitize them.  And when we heard that work a few years back, it was hard, we had to did a lot of selling, we had to do a lot of sensitizing, people have different priorities.  But increasing we find that people come to us without any effort. 

I'm not sure who is there this week, but Belgium for example created an integrative ministry digital development and questions all in one.  And we increasingly think that this will be a way forward.  What Natalia has just mentioned is music to my ears ‑‑ thinking into their traditional work.  What we notice in the past is very hard to bring cyber security questions into conversations around infrastructure development.  But now as we moved beyond into smart infrastructure.

[Breaking up]

>> MODERATOR:  Thank you, Danil.  Thank you very much for I think it's a very good different perspective how important it is to bring everybody on board and to see cyber security capacity building as a multistakeholder effort and as an international effort, which is not can be think sort of on a national level nor one of the tech policy level or infrastructure level.  A question to the panel these are a lot of top‑down approaches.  When you said earlier you feel some disconnection to certain spheres.  How could you create this connection?  Are there any ways to also kind of link it to button‑up approaches? 

>> DANIL KERIMI:  Connection? 

>> MODERATOR:  How to create this kind of connection. 

>> DANIL KERIMI:  Well, we have panelists trying to make these connections in the different forums.  Every time we go to a country we try to engage with the multiple stakeholders.  We try to like the metro to open the doors all the time.  But of course it's challenging.  And the thing is there are few people of course in the government world that are people that actually handle these project that have these powers that they need to actually consider the need to include cyber security as part of their agendas.  While Danil was talking, actually came back to my mind a concept from the WEF, and now everyone is talking about the revolution and it says we're going to lose jobs and everything is moving or everything is already our digital lives and you know we are not protecting our digital world.  We are still not realizing important of security environment.  We are still carrying too much and taking too much about the physical world, but we have not still realized that our lives, all the dependency that we have on the ICTs.  We just need to change the way that we think and you know, and work together.  Because it's not just different.  It's something that needs to be interconnected.  Again, as an agenda issue, as a human rights issue, cyber security should be a component of all these development projects. 

>> MODERATOR:  Thank you. 

>> CAROLYN NGUYEN:  I think that as I said ‑‑ it is important to have this and like put out the conversation from the technical side.  The most important thing we did was in fact because we were as you know Colombia is going to be ‑‑ we are in the ‑‑ to become member of the OCD.  We working very close to them and with the support of the OES and then after that because of the expedition or when the OECD issued their new data security risk management recommendations last September, we find it like an opportunity to bring this to the president level agenda.  Because the person is so interested in becoming part of the ‑‑ it's one of his goals.  So and priorities, yes.  And so when from the ‑‑ ask us to fill all the committee recommendations and service and all this kind of stuff, we realize that we have a lot of work to do to adopt that kind of recommendations.  But so we move forward to adopt the recommendations in our national digital security. 

So, in fact, it was like a good coincidence to be part of this road map and being in the moment to for doing the actions to be part of the OECD and the end of the previous policy that we have in this matter, because the policy coming from 2011, finally ends December of 2015.  So we needed to have a new one.  So it was a good coincidence to have that kind of recommendation, to have the support of the OES, that was so important.  We have 20 countries of the world working with us and telling us how to improve our policy.  So I think very good and we got the message and we did it.  That's important thing.

>> MODERATOR:  Thank you Carolyn for bringing up that question because I think that in any ‑‑ when you start to look at the online initiative, I think a critical component of it is that people need to feel that they are safe online at the end of the day.  I think that you had brought up before the importance of trustworthiness of the system.  People need to feel empowered and they also need to feel safe.  They also need to feel that there is a place for them to go to in case something happens. 

So let me give you an example of something we at Microsoft did in order to address some of these issues.  In 2003, a detective with the Toronto police department came to us and said look, we have a digital strategy but however this is this issue in terms of online photos of young girls, sexual abuse type of photos.  They said as a technology company, can you help us with this, what can you do for the average person online.  So Microsoft went to work together with Dartmouth, Microsoft research and we also established a unit called the digital crime unit that in 2009 in partner with the national center for missing and exploited children to start to put these tools out there so that not everyone can use these ‑‑ now everyone can use these tools. 

So in 2012 we made photo DNA available to law enforcement worldwide at no charge.  And then in 2015 we made this available to qualified organization essentially as a free cloud service.  I think that these kinds of tools are absolutely critical to complement the top‑down approach.  Because then people feel there are tools, there are resources that I can go to.  And this brings up an additional, another point that perhaps I want to put it out there, which is that as we start to look at connectivity projects such as was described by the World Bank, et cetera, I wonder if there's an opportunity to also put together a tool kit. 

So, for example, as Oxford is implementing the capacity model, putting this out there, just to be practical, here are a set of tools that everyone can use.  And I think that's our thinking when we start to think about how do you ensure online security and safety.  What are some of the tools, what are some of the one, two, three, because that's how you get people online.  Another related question to this also, and this was something that was really dressed by the broader IGF community which is people need to know what they'll get when they get online.  Why should they get online as well.  I think that's another question that's being addressed by some of the work in terms of digital literacy or information literacy.  This is why we're all making the point that this conversation around cyber security safety really needs to be hand in hand with all of the other dimensions of the conversation as well. 

>> Thank you very much.  It's very important to emphasize.  Kind of like also getting these different fears together and not ‑‑ and also be aware that there is also knowledge and expertise from the button to inform policies. 

I would like to open the floor to questions for Danil because he has to leave a little bit earlier.  Any questions or also to the other speakers?  Please raise your hand.  We will collect two or three questions and the panelists will answer.

>> AUDIENCE:  I represent the mobile operators of India.  I would just like to reinforce what the lady from Microsoft said from the ground level up when we talk, I don't think it's necessary at least to convince anymore about security and governance and we need to connect the 1 billion.  All of that is accepted.  I think we're now in the stage where we want to know the how‑to.  This is becoming increasingly important.  What is a common criteria set that we can look at.  What should a IT act or a government act look like in terms of inclusion in critical comments and phrases and requirements that meets a good model. 

For example, when we talk about businesses, the greatest issue in terms of security is what consumers themselves do when they say I agree.  Nobody reads the 1,000 requirements.  So when you want to get on you say that's obviously giving it away.  The access to very personal information, what are we doing in terms of making sure that the legal language in these applications are constrained and there's a model set of here's not the fine print but the large print before you say I agree.  So some of these practical aspects would be helpful for us to implement, to have to deal with the logistics of getting this done at the ground level.  Thank you. 

>> AUDIENCE:  Thank you.  I'm from Google Mexico public policy and I was going to mention the importance of prevention in cyber crime in helping the new users to know all the tips to cyber security and particularly with young people, right?  So it's very important for them to not only to know how to do a good pass word or a pass phrase, but the decision but I think that's a very important part of it.  But also as Carolin mentioned, all this cooperation, for instance, the photo DNA that you mentioned, we worked with Microsoft as well to develop after Washington, D.C. the DNA for videos to detect.  People to have this tool kit for cyber security and security online and we have a huge advantage because we speak Spanish so it will be easy to have a standard of the minimum issues for cyber security to take place.  Thank you so much. 

>> AUDIENCE:  Hi.  I want to embrace the points about con.  You don't understand the properties of a system and I think that's a core tension.  How do you deliver trust while at the same time admitting that things will go wrong and there are real risks.  It's communication challenge.

>> I would like to comment on the Indian gentleman.  I think being aware of ‑‑ being cyber aware of how we can protect ourselves, being aware of what the risk that is already empowering note that the Internet itself but also knowing these are my rights I have the same rights online which I have in real life.  I think the other dimensions we're looking at which are all in particular for coming online now these are knowledge that they can trust it and if something happens to them they can actually go somewhere and they know they have those rights and that's very crucial. 

>> I want to comment on a number of things.  To identify ‑‑ there's a huge risk when we talk about models because and I'm not talking about particular institution, but there's some institutions or some country that would like just to copy and paste.  There is importance to recognize that every institution is unique.  Want to improve it in the next year or so in order to continue updating our countries on this. 

On the ‑‑ that's why yesterday we actually organized another panel with Microsoft Oxford actually Colombia, I national alliance.  We prepare a tool kit OE8 cyber in Spanish and English and how to develop an awareness campaign.  One of the things that we have found out is that countries in Latin‑America and the Caribbean probably around the world, we don't have awareness campaign.  So there is not a common message to all ICT users. 

A proposal is something ‑‑ try to do next year.  Is organize a series of working groups with citizen of countries to try to raise the level of awareness and try to specific countries our campaigns activities involving different actors.  We truly believe there is a huge opportunity for private sector, academia in a civil society to engage in this awareness area as happened in other countries like the U.S. and Canada. 

For the comment about the trust and the communication challenge, I think that reality that we need to face but like we need to act.  It's like you know, in every session, the trust issue, it's there.  But you know, we leave the session and we still talking about trust, it's a trust problem.  And it's not just IGF.  It's about every workshop area we attend.  It's how to tackle trust.  The best way to tackle trust is working together.  Talking to each other.  Break dividers that's the best way to work together.  It's not just between governments all the different actors.  Otherwise the information will be there ‑‑ everything will be like a snowball.  It start small and get really big. 

>> I want to highlight about the topic of prevention and awareness.  That and we talk about that.

We have a campaign called in ICT I trust.  We have another campaign focused on pornography and that is called I protect you.  So that kind of names are not a coincidence.  We want to have short names for all the campaigns that make sense for the people and that give some kind of feeling because we need to connect with the people.  The privacy is not important for the youngest people and we realize that because we did surveys and we found it.  So we need to rise that kind of conscious in the people.  So we need to have on the characteristics on each sector of people.  And that's when one of the conclusions we have. 

>> MODERATOR:  I was trying to see whether it's included.  Did a quick search, didn't find the information.  So I think back to something really practical, there's a lot of really, really amazing work going on out there.  But I think that you know if we look back at the IGF as a global platform for assuring, I'll use the word policy options instead of best practices, then let's make sure that information is integrated into the intercessional work here as well.  Because I think there's a lot of great work and I think to your point, it feels like if we could put it to, if there's a tool kit, there's various versions of it.  If you feel this is a policy option that really should be shared with the other regions, make sure the information gets out there as part of the intercessional work.  Or the BPF work because it really needs to be there.  And it gets back to how does the IGF help to realize the SDGs. 

I want to go back to the comment around trust needs to be achieved through skepticism and many others have said yes we need to do that.  But I think another part of the IGF is that a stakeholder comes here to understand a little bit better about what they need to do in order to be a part of that whole conversation because that's the only way to establish trust amongst all the stakeholders.  And a multistakeholder model cannot work unless there's trust.  So because you know what we're seeing, I talked a little about some of the cyber crime regulations that's been passed that's causing fragmentation.  That's because there's no trust.  And government feels the need to act because they feel like they're the only one, they're the back stop. 

So, therefore, you get these ‑‑ let me use the term draconian regulations.  Because they don't feel that anyone else will come to the table whereas from a business perspective, we put out guidelines, we say okay here are the things that we will do in terms of security, privacy, transparency, but no one believes us.  And so the civil society comes in and says yeah you put all of that out there but let's look at the corporate social responsibility index where you're not doing things.  That's why we come to the IGF and to share what we're doing, how we can all improve to kind of address the skepticism.  So thanks for asking the question.  That's a great question. 

>> AUDIENCE:  Can someone from the remote participants have a question.  Hello?  We would also like to react to the questions, if that's all right.  The remote panelists.  Thank you. 

>> So you know, there was touched an issue of the awareness campaigns.  And the best way to organize them and that we are lacking them and we are lacking coordination and so on and so forth.  I think it's very important that this issue would be going from top to down this means we do not talk only on the federal, on the government level about these issues, but we also for instance for future will be bringing local guys local municipalities, local communities.  So unless this goes down there, this issue of building the awareness.  And really addressing the cyber security capacity of the real people on you know in real small towns around, you know this can be done only collaborating with those bodies.  Local bodies.  Municipalities, associations of municipalities, Internet service providers, small ones delivering Internet there to those people. 

And I think this is the way to go forward with this capacity building.  Because pretty much on the national level and on the international level there is a consensus already built.  We all agree on everything.  Now we just need to do it and to do it efficiently to bring it down all this consensus there and start implementing those campaigns.  I think this is the most important moving forward.  So I really think that also the discussions on the IGF should shift to more experience sharing and to more awareness building among those.  You know?  They should be taking part in those events as well.  They should be listening the same things we do because we are sort of boiling in our own juices for a number of years here and a number of those participants is not increasing.  People just don't know what we are talking here sometimes. 

And I think it's important that we bring this and build this bridge there to rural remote as we call them and as we start talking to real people whose capacity we want to build.  That's the key, just wanted to make this point.  Thank you.  Work in the bank is something that is the biggest challenge.  I think as another project in this sector, this is the biggest challenge as well.  Thank you. 

>> MODERATOR:  Okay.  Carolyn? 

>> CAROLYN NGUYEN:  Yeah.  I just want to make a comment regarding the notion at the international level there's no more work needed to build in terms of consensus.  I think there's still a lot of work that needs to be done to build out the consensus.  Hence the notion of some sort of a harmonized set of cyber security guidelines.  So think there's still a lot of work to be done there. 

So I just wanted to ‑‑

[ Laughter ]

There's a lot of work to be done everywhere. 

>> MODERATOR:  Okay.  Now I would like to ‑‑ yeah, please, there were two questions ‑‑ yeah.  Maybe take three more questions.  ‑‑ questions from three more people and we collect those. 

>> AUDIENCE:  Hi, my name is Alex from privacy international.  I wanted to get the perspective of the different stakeholder groups represented on the panel today to see how the discussions we're having around cyber security relate to what we're seeing in terms of the expansion of surveillance policies and practices across the world including in some of the governments that are leading the discussion on cyber security, which includes an expansion in the legal level what powers the government has in particular when it relates to cyber security around the expansion on a technical level compelling our creators to install on their own infrastructure so governments can access and conduct surveillance but it also includes undermining encryption through the use of back doors also governments having direct access to the systems, communications and infrastructures.  So I'm finding it very difficult to see how the efforts that are being put forward in the discussions today relate to some of the policies that we're seeing on the other level and how can we work to try and reconcile those two, because they are happening in parallel.  But in a way if we're doing one then we're kind of failing at the other as well. 

>> AUDIENCE:  Hi, good morning.  I'm from local government, a municipality near from here.  I want to share two experiences.  I have work for security system for 911 system here in the state government.  I think there is a big challenge in the governments, state level and municipality level, to make the IT people inside to understand the advantage of their technology, not only in the surveillance and the surveillance area, but in the community creation area we have ‑‑ we as a team have been developing social media security system for awareness around cataclysm, like emergency.  But nobody in the local IT departments knows how to use it.  And there is important to make a big ‑‑ there is no need of big bucks to do big things.  There is a lot of initiatives, there is a lot of opportunities, but the people in the local IT government doesn't know how to use it for anything else. 

Also I work for the municipal police department.  We created some really interesting prevention crime prevention softwares that they never know how to do that.  They never know how to implement that in the reality.  How we can make that awareness that cultural, we can attack that cultural issue that the people always say oh, if I want to do big things, I need big bucks.  No.  That is not need of that.  If you want to do big things, you need big creativity and big intelligence.  That's all. 

>> MODERATOR:  One more question.  The gentleman in the corner? 

>> AUDIENCE:  Good morning.  I am from the government of Algeria.  My question is in addition to the role of governments and should play ‑‑ the cyber security dimension in that development and governance, I would like to know ‑‑ the question is addressed to representative of Microsoft.  How do private sector could help governments in order to take into account the cyber security dimensions agenda, thank you.  Specifically the development countries context.  Thank you. 

>> MODERATOR:  Should we start with the last question? 

>> For the last question, the gentleman, I'm not sure I understand the question.  Can you repeat that? 

>> MODERATOR:  Could you repeat your question, please? 

>> AUDIENCE:  My question is how the private sector could contribute to the inclusion of the cyber security dimension in the development and governance of the governments.  And do you have specific ‑‑ could you tell us if you have specific projects in developing countries.  Thank you. 

>> CAROLYN NGUYEN:  Great, thank you so much for the question.  So at Microsoft, as you know, cyber security and security is a really important issue for us.  In fact we just released a set of policy recommendations, 78 to be exact on cloud for global good and a large part of that addresses the surveillance issue.  And also if you're interested in the details in terms of implementing secure cloud, et cetera, happy to talk to you afterwards on that.  But I want to go back to the surveillance question a little bit to answer some of the questions.  For Microsoft we've made it very clear, sort of what our position is on privacy and protection of privacy and responding to law enforcement requests for information due to national security.  So first of all we encrypt everything end to end.  Everything that's in our cloud is encrypted end to end. 

We've also advocated very strongly for the rule of law and for clear legal framework in terms of when information needs to be sent over.  In fact, we've sued the U.S. governments quite a few times on this.  So one of the cases has to do with the fact that the U.S. government came to us to ask for information which reside in our data center in Ireland.  And what we've asked them to do is to say well, there is an M lot process that should be used to ensure that there is trust from our consumers and customers with respect to the data that we have responsibility for.  So that's why we took the U.S. government to court. 

Now, to use another example, which is unfortunately during the Paris attacks, law enforcement also came to us having gone through and gotten the appropriate warrant information and we turn around the information that was requested within 30 minutes.  And this was at 5:30 a.m.  So I think that that legal framework really needs to be established and really needs to be clear.  And that's a really big part of addressing this question between privacy and surveillance. 

>> Okay.  Just to connect with is that our colleague from Mexico said, regarding the privacy issue.  I think that we need to put it, this topic in the highest level of discretion in our national policies and strategies.  For instance, in Colombia we take this into account and we define some principles as part of our national security policy.  So we define some principles.  And one of the principles are to safeguard the human rights and the fundamental values in Colombia.  This includes something like freedom of expression, free flow information and communications and personal information and privacy protection.  As well as the fundamental principles that we consecrate, we include in the Colombian political constitution.  And we discussed this with the cyber society and organizations.  And they ask all of the feedback, in case of the limitation of these rights, according to constitution, applicable international standards.  This mission must be proportional, necessary and between a local framework.  That's a result of working together.  I think this is a very good example of how if we open the box and we go with this discretion, further than the government institutions, we will find that feedback, we can achieve a better document and policy for us.  And only to ‑‑

>> First of all, about the the expansion of these responsibilities and local issues, from the OAS perspective, we have a general secretary and we have autonomous bodies and ‑‑ the committee against terrorism where the cyber security program is located and there is another body of the OAS, which is the inter‑American commission of human rights, ICHR.  And actually my secretary ‑‑ sorry it's important in terms of operation, because integral organizations actually operate the same way. 

My program actually when we go to a country ‑‑ you're right, my right, we promote the or we respond to the mandate and to request and we say let's work together on cyber issues.  We support on establishment or development of the ‑‑ or we provide assistance security policy or whatever they might need on cyber issues on cording of course to our capacities.  Of course I believe any intergovernmental organization or anyone working on cyber capacity building would like that the capacity that we are building will be used against the population.  Will be against the final users.  And it's like Peter Parker. 

With great power comes great responsibility.  And you can have all these capacities for good or for bad.  At the UN it's very important that we have a strong civil society and a strong private sector and a strong community and a strong academia also, because tomorrow there will be the ones that will defend this.  When the unfortunate incidents or actions against population happens at the inter‑American level, the citizens can bring this to the attention of the inter‑American commission on human rights. 

We submit it to the government but I wanted to try to be resize on this very important issue. 

About the gentleman from ‑‑ it's very difficult I'm sorry.  Beautiful town we recommend ‑‑ it's a really good restaurant.  In many other countries in the hemisphere and the world, the states have their own way to do things.  It's very difficult sometimes to do things at the federal level.  We need to recognize and to work with.  But that doesn't mean that from the state side you cannot promote for example state policy on cyber issues or you cannot promote decoration of state commuter emergency response team or a state coordination mechanism.  That's the importance of what he was saying of saying the institutional frameworks.  Because if you don't have that institutional base, if you don't start with the basic of the institutional base, everyone will continue working on silos and with dyscoordination and you will not have the high political support that will say you know, actually, we need to use these technological tools in order to send ‑‑ these are open source tools that don't cost anything and that will provide like a really good benefit to population.  So it's really important to have framework on cyber issues. 

>> MODERATOR:  You want to add something to that? 

>> Only one point from Mexico.  Thank you for this awesome place. 

So one of my responsibilities in Colombia is to provide to municipalities for the central government in terms of IT management inside the government.  So we decide to provide by decree like all the agency must fulfill these guidelines over the country.  But that's not important.  You need to have use an appropriation strategy to ensure that you will have that ‑‑ that these ‑‑ on a day‑to‑day basis ‑‑ I don't know if there's another experience in the region, but we can share that with you because we have all these points.

>> MODERATOR:  We are at the end of our session.  Thank you so much to all the speakers here and to the remote speakers.  It was great to hear different perspectives.  I think a lot of things are already done.  I think we still have to work on these efforts.  We'll be around for a bit more if there are any more questions, please approach the person.  Thank you very much. 

[ Applause ]

[ Session concluded at 10:32 ]